-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decision Proposal 191 - Retailer to AEMO InfoSec Profile #191
Comments
Good afternoon, Would it be possible to have an extension to this Issues Proposal, in line with the end point issues paper to 9 August? Thank you |
Thanks for the opportunity to contribute. In principle AGL agrees DSB’s recommendation to adopt “Option 1 – AEMO e-Hub Security Profile, and Option A – Delegated Documentation” is compelling for the factors outlined in the decision proposal. However, AGL does believe there may be a decoupling advantage of a separate CDR Specific Security Profile from that of existing AEMO e-Hub Security especially if the underlying mechanisms in place in the e-Hub can be mostly leveraged. A CDR specific security profile can evolve independently and be protected from any future energy industry associated info-security changes such as those being considered as part of Australian Energy Sector Cyber Security Framework (AESCSF). Further consultation would also allow consideration of the “end point issues paper” as mentioned by @SelenaLiuEA |
Biza.io believes that this discussion is intrinsically linked to the discussions contained within DP182, NP200 and DP183 as well as more broadly related to the current Treasury Consultations on Rules V3. On this basis we intend to respond to all of these items with linked papers. As a consequence of the volume of considerations between these items we request the closure time for submissions be extended to 30 July 2021. |
By request this consultation is being extended until the 9th August. As stated in the proposal, early indication of feedback would be helpful due to timeframes. Late feedback that is significantly divergent to the proposal will be harder to accommodate. Note that to hit the October/November date for candidate level standards for the energy sector there will be less scope for long extensions. For the data clusters we have already been consulting on for over a year will be trying to hold to scheduled dates. |
Thanks for the opportunity to provide feedback on the topic - Retailer to AEMO InfoSec. Based on the consultation paper , the summary of DSB recommendations – This involves utilising the existing AEMO e-hub security profile. The CDR standards would require the use of the e-Hub platform and associated mechanisms for the requesting of data from AEMO by retailers. This would effectively delegate the ongoing management of this security profile to the existing AEMO mechanisms. The CDR standards would refer to this standard as a normative standard and delegate maintenance and clarification of implementation questions to AEMO. Origin’s feedback – Also, we are currently doing the review of the Decision Proposal 192 - AEMO Exposed End Points and if any impacts identified based on that, we will include it in our feedback for DP-192. |
Please find attached the Biza.io Response to Decision Proposal 191: Retailer to AEMO InfoSec Profile: In summary Biza.io does not support the adoption of the AEMO e-hub Security Profile unless the following recommendations are actioned:
|
Thank you for the opportunity to provide feedback. Energy Australia agrees with the recommendation provided in the consultation paper on AEMO InfoSec Profile which is to apply, specifically
This is based on the premise that there won’t be any changes to the security profile by AEMO and that documentation will be maintained by AEMO. |
For ‘options for retailer to AEMO information security profile’, Commonwealth Bank is supportive of 'Option 2 – CDR Specific Security Profile'. We would only support 'Option 1 - AEMO e-Hub Security Profile' if the security profile is uplifted. Specifically, the security profile for interactions between retailers and AEMO should be uplifted to the same security level as the rest of the CDR ecosystem. For example, changes to the security profile may include:
Broadly, we recommend aligning to FAPI as much as possible. While adoption of the entire profile may be impractical, the threat model used in FAPI should be addressed by the components of the FAPI profile where possible. For ‘options for level of specificity in Consumer Data Standards’, Commonwealth Bank recommends Option B – Light Documentation. The documentation should refer to the underlying standards (e.g. FAPI and OAuth) as much as possible, and aim to reduce any customization. |
In response to the feedback from Biza:
It is unclear why this would be of value considering the implementation costs for all retailers, for AEMO and for the CDR Register and the feedback does not appear to make a justifiable case. In addition, the concept of a trust chain for a certificate is important in the context of a transaction between two parties but the attempt to apply this across two independent transactions between different parties is not an industry standard approach and appears to be a misapplication of the concept.
If we were to adopt a CDR specific profile this would proposal would be a candidate approach to simplify implementation. In this situation, however, the existing participants (AEMO and the energy retailers) have already implemented an existing set of protocols and requiring them to align with the CDR adopted processes would actually make things more complex.
These items are outside of the control of the DSB. Overall this feedback indicates that Biza recommends defining a new, CDR specific, information security protocol for these transactions with specific requirements being applied. This would appear to align with Option 2 and Option C in the proposal. |
In response to the feedback from CBA
Similar to the response to the feedback from Biza, this would essentially mean defining a new profile for retailer to AEMO communication that does not take into account pre-existing relationships and implementations. Aligning with a specific international standard is not a rationale by itself and the feedback does not provide a justification as to why this approach should be preferred in the face of the additional complexity and cost for the implementing entities. Also, this does not misalign with the adoption of the recommended approach. If AEMO, through consultation with their client community, concurs that the adoption of OIDF related standards would be an appropriate roadmap then this could be achieved via their existing community consultation processes. |
In response to feedback from @gurchan-AGL The need for further consultation is understood. One possibility in this space is that we adopt a minimal approach initially but, in response to evolving need, we move to a more specific requirement. An adoption of option 1 at this point in time does not preclude that position changing in response to further consultation and experience as the standards progress as we approach November and also beyond that. |
After reviewing the feedback provided it would appear that there is strong support for the recommendation in the decision proposal, acknowledging that this position may need to change in the future as further consultation progresses. The DSB will prepare a decision document in alignment with the existing recommendation for consideration by the Data Standards Chair. |
Please find attached the final decision of the Chair: |
The attached decision proposal outlines options and recommendations for the information security profile for communication between Retailers and AEMO under the peer to peer model for energy.
The decision proposal is attached below:
Decision Proposal 191 - Retailer to AEMO InfoSec Profile.pdf
Feedback is welcome on this proposal. Consultation on this proposal will close on 9th August 2021.
Apologies for the relatively short consultation period. We are seeking initial feedback on direction with this proposal and still leave time for subsequent, more detailed consultations if they are required. Please indicate if more time for consultation is required.
The text was updated successfully, but these errors were encountered: