Data on the Grid
Utility companies, including electricity, gas, and water providers, have undergone a significant digital transformation. Smart meters, SCADA systems, IoT sensors, customer information systems, and network management platforms all generate and store data that includes customer usage patterns, billing information, infrastructure operational data, and increasingly granular consumption analytics. When this IT and operational technology reaches end of life, the data requires proper destruction.
What Utility IT Systems Store
Customer information systems hold personal details, billing histories, payment information, and account management records. Smart meter infrastructure stores granular consumption data that can reveal detailed information about household activity patterns, including when occupants are home, sleeping, cooking, and using appliances. Meter data management systems aggregate and process smart meter readings for billing and analytics.
SCADA (Supervisory Control and Data Acquisition) systems manage the operational technology that controls utility infrastructure, containing network topology data, equipment configurations, and control parameters. GIS (Geographic Information System) platforms store the physical location of infrastructure assets including underground cables, pipes, and customer connection points. Field workforce management systems hold technician schedules, customer visit records, and access information.
Smart Meter Privacy Concerns
Smart meter data deserves particular attention because of its granularity. Advanced metering infrastructure (AMI) can record electricity consumption at intervals as short as 15 minutes, creating a detailed profile of household energy use. Research has demonstrated that this data can be used to infer occupancy patterns, appliance usage, and lifestyle habits.
In Victoria, where the rollout of smart electricity meters is well advanced, the management of smart meter data is governed by the Privacy Act, the National Electricity Rules, and guidelines from the Australian Energy Regulator (AER). The Victorian Government has also established specific privacy protections around the use and disclosure of smart meter data.
When smart meter infrastructure equipment is decommissioned, the stored consumption data must be sanitised to prevent recovery of these detailed usage profiles.
SCADA and OT Security
Operational technology (OT) systems like SCADA present unique disposal challenges because of their critical infrastructure role. SCADA servers and controllers contain configuration data that reveals the physical topology and control logic of utility infrastructure. If this information were recovered from disposed equipment, it could be used to understand vulnerabilities in the utility’s infrastructure.
SCADA equipment often runs specialised or legacy operating systems and may use proprietary storage configurations. Standard IT wiping tools may not be compatible with all OT equipment. For SCADA systems, consult the equipment manufacturer’s decommissioning guidance and consider physical destruction of storage components for the most assured outcome.
Regulatory Requirements
Utility companies operate under sector-specific regulations in addition to general privacy law. The National Electricity Law and National Electricity Rules govern the handling of customer data by electricity distributors and retailers. The Essential Services Commission (ESC) in Victoria regulates energy and water companies and sets standards for customer data management.
As operators of critical infrastructure, utility companies may also be subject to the Security of Critical Infrastructure Act 2018, which imposes obligations around the security of critical infrastructure assets including their IT systems. Data destruction practices should align with the risk management requirements of this legislation.
Sanitisation Approach
For standard IT systems (billing servers, CRM platforms, workstations), NIST 800-88 compliant sanitisation methods apply. For smart meter management systems containing detailed consumption data, Purge-level sanitisation is recommended. For SCADA and OT systems, physical destruction of storage components provides the most assured protection against recovery of infrastructure configuration data.
Field devices including smart meters, data concentrators, and communications modules should be factory reset before disposal. These devices typically contain embedded flash storage that may not support standard sanitisation tools.
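An added example (not from the original article): a Python check of a decommissioning inventory against the approach above, failing closed on unclassified assets and unrecognised methods. The asset-class labels, record fields and sample inventory are constructed, and treating Clear as the minimum for standard IT systems is an assumption.

```python
from enum import IntEnum

class Level(IntEnum):          # NIST 800-88 outcomes, weakest to strongest
    NONE = 0
    CLEAR = 1
    PURGE = 2
    DESTROY = 3

# Minimum outcome per asset class (class names are hypothetical labels).
MINIMUM = {
    "standard_it": Level.CLEAR,   # assumption: any 800-88 method is accepted
    "meter_data": Level.PURGE,    # smart meter management systems
    "scada_ot": Level.DESTROY,    # physical destruction of storage components
}

def audit(records):
    """Return (asset id, reason) for each record that falls short of the policy."""
    findings = []
    for rec in records:
        cls = rec.get("asset_class")
        if cls == "field_device":
            # Embedded flash may not support wiping tools: require a factory reset.
            if not rec.get("factory_reset"):
                findings.append((rec["id"], "field device not factory reset"))
            continue
        required = MINIMUM.get(cls)
        if required is None:       # fail closed on anything unclassified
            findings.append((rec["id"], f"unknown asset class {cls!r}"))
            continue
        method = str(rec.get("method", "none")).upper()
        if method not in Level.__members__:
            findings.append((rec["id"], f"unrecognised method {method!r}"))
            continue
        if Level[method] < required:
            findings.append((rec["id"], f"{method} recorded, {required.name} required"))
    return findings

# Constructed sample inventory (not real assets).
SAMPLE = [
    {"id": "BILL-01", "asset_class": "standard_it", "method": "clear"},
    {"id": "MDM-01", "asset_class": "meter_data", "method": "clear"},
    {"id": "SCADA-01", "asset_class": "scada_ot", "method": "purge"},
    {"id": "SCADA-02", "asset_class": "scada_ot", "method": "destroy"},
    {"id": "RTU-03", "asset_class": "scada_ot", "method": "format"},
    {"id": "DCU-07", "asset_class": "field_device", "factory_reset": False},
]
```

Calling audit(SAMPLE) returns one (asset id, reason) pair per shortfall, so an empty list means every record meets the minimum for its class.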
Utility companies sit at the intersection of customer privacy and critical infrastructure security. Data destruction practices must address both dimensions to protect customers and maintain the security of essential services infrastructure.
