Cyber security assurance

Bulb seems like a cool and lively company with lots to recommend it.

However before switching a core utility to a little company, I’d like to be confident that my data will be secure, and that any compromise to Bulb’s systems could not cause harm to me as a customer…

Does Bulb have any independent accreditation of its information security which would give customers added confidence - eg certified to Cyber Essentials Plus (using a firm approved by the National Cyber Security Centre), or independently certified to ISO27001/2/etc?

@anonymouse

We do not have ISO27001 security certification. However, we have performed a risk assessment in line with the ISO27005 standard. This is the standard required for Smart.

We are also a member of the Cyber Security Information Sharing Partnership run by the National Cyber Security Centre.

Thank you. Those are good things, but fall short of an independent certification which gives new customers more confidence. Do you have plans to obtain an independent certification of some kind?

Cyber Essentials Plus, which covers basic technical steps towards good cyber security, is an independent accreditation which many companies now mandate for all suppliers. Is this on your roadmap?
I fail to see what info Bulb really have that could cause you harm? Worst case is your name and address? I think they use someone else for processing payments. It’s not like Bulb are actually providing the infrastructure the power goes over.

I fail to see what info Bulb really have that could cause you harm? Worst case is your name and address?
Yes you are right there are multiple parties involved in supply (and risks are much higher elsewhere eg in generation and on the grid). But there are interfaces between the parties. Just for illustration, start by assuming you had control of Bulb’s systems and imagine what hostile actions you could take:

- an intruder uses their systems to instruct the grid to cut off power/gas (eg giving notice that you had moved out)
- an intruder issues a series of false direct debits on customer bank accounts causing loss for customers or their banks
- an intruder issues a large outbound payment to a fake supplier causing Bulb to run out of cash
- once smart meters are operational, an intruder issues instructions to the meter causing power loss
- an intruder steals and sells smart meter data which provides a profile of what times I am home
- an intruder steals and sells the documentation you provided to Bulb when opening an account - this is used for identity theft or as part of a package of personal information to gain access to your bank account
- ... and so on

All just speculation of course, and Bulb will have controls against these risks and many more. The key point is that any service provider, large or small, has an obligation to protect their systems against appropriate risks - and one might argue tiny providers are particularly at risk because their IT has been assembled rapidly and without the detailed security reviews, intrusion testing, physical and personnel controls, and other specialist IT work which a large company can afford. This is why accreditation schemes like Cyber Essentials Plus exist: so customers can see evidence of assurance.

@anonymouse We don’t have any plans in place at the moment for independent accreditation but are looking into better understanding what additional standards will be required when we grow and the risks involved.