Skip to content

Data Security for the Utilities Industry

Utilities are connecting data from operational technology (OT)  environments to cloud applications, AI and API-driven services. Every connection creates exposure risk. Frameworks such as NIS2, NERC CIP, and GDPR set cybersecurity, data protection, and risk management obligations that apply wherever that data is processed and whoever handles it. 

StratoKey can reduce compliance scope and help secure sensitive information by tokenizing and encrypting it before it enters any cloud or third-party environment.

Utilities_Industry

The Growing Challenge of Cloud Risks in the Utilities Industry

 Utilities are increasingly pushing real-time telemetry, equipment performance metrics, grid topology data, customer records, and asset configurations from SCADA systems, historian platforms, billing systems, and asset management tools into cloud analytics platforms, SaaS ERP and billing systems, and OEM vendor monitoring portals. The standard cloud security controls were not designed for the sensitivity of that data and the growing regulatory expectations that come with critical infrastructure. 

Customer and Billing Data in Multi-Tenant Cloud Platforms as a Data Sovereignty Risk

Billing systems, CRM platforms, and advanced metering infrastructure generate large volumes of customer data that is processed in cloud environments. When these environments are multi-tenant or hosted in foreign jurisdictions, utilities face exposure to regulatory data residency obligations, and applicable privacy law. 

SaaS Providers' Encryption Can Undermine Data Sovereignty

When cloud providers handle encryption and decryption, plaintext is exposed in their environment during processing. For utilities storing operational or customer data in cloud platforms means sensitive data is accessible outside the utility's direct control.

AI Training Data and Sensitive Operational Information

 Cloud apps increasingly use customer data to train and improve AI models. For utilities, data flowing into cloud analytics, SaaS platforms, and vendor monitoring portals may include customer records and sensitive information. Without adequate controls, sensitive data processed in these environments can be ingested into AI training pipelines outside the utility's knowledge or consent. 

Operational Data Exposure Across IT/OT Boundaries

SCADA systems, energy management platforms, and historian software hold sensitive operational data that is connected to corporate IT networks and cloud services. As these environments converge, data that was once isolated within operational networks becomes exposed to a wider attack surface and to the compliance obligations that come with it.

Access to Critical Control System Data by Third-Party and Vendors

Utilities rely on external vendors for remote maintenance of grid assets, metering infrastructure, and industrial control systems. These can expose grid topology, asset configurations, control system credentials, and real-time operational data.

Legacy OT Systems Not Designed for Cloud Connectivity

Utilities operate legacy OT designed for isolated environments. As these systems are integrated with cloud platforms and vendor portals, they introduce data flows the original architecture never anticipated. Legacy SCADA systems, PLCs, and historian platforms often lack strong encryption or access controls, leaving sensitive operational data unprotected as it moves outside the controlled environment.

StratoKey Helps Utilities Organizations Secure Their Workflows

 StratoKey operates as a gateway between your users and on-premises systems to your cloud applications, encrypting or tokenizing sensitive data before it leaves your network and controlled boundary. The SaaS and cloud integration is only exposed to ciphertext or tokens keeping sensitive data within your control. 

  • FIPS 140-3-Validated Field Level Encryption: Encrypted end-to-end before data reaches any SaaS platform.
  • Field-Level Tokenization: Sensitive data is replaced with tokens and stored locally, keeping controlled content onshore and reducing compliance scope.
  • Secure APIs and AI: Applies tokenization and encryption at the API layer. Sensitive data is protected across every connection including AI-driven services and third-party APIs.
  • Legacy System Integration: The API Gateway applies tokenisation and encryption at the integration layer, protecting data as it leaves legacy SCADA systems, PLCs etc. before it reaches any cloud or third-party environment.
  • Customer-Controlled Keys: (BYOK / HYOK) Encryption keys never reside with the cloud provider.
  • Geofenced Access Controls: Restrict controlled data to local persons and approved locations to meet access requirements.
  • Audit Logging: Immutable logs for every access and decryption or detokenization event, supporting regulatory assessments and incident reporting.
  • Policy Enforcement and Monitoring: Centralized policy controls govern how sensitive data is handled across every connected system. Real-time monitoring provides visibility into data flows across cloud and third-party environments.
  • Application-Agnostic Works across SaaS applications and API-driven and AI-powered services. No changes required to existing application workflows.

 Global Regulatory Coverage for Utilities  

 As utilities push operational and customer data into cloud platforms, SaaS systems, and vendor portals, regulatory obligations follow that data across every jurisdiction you operate in. StratoKey reduces compliance scope by ensuring sensitive data never reaches those environments in plaintext. 

Utilities operating in the EU Union face mandatory cybersecurity and data protection obligations under NIS2 and GDPR. Both apply to energy and water utilities operating at scale across member states. Variations exist across member states 

NIS2 Directive (EU) 2022/2555

NIS2 designates energy and water utilities as essential entities under Annex I. That is the highest classification under the directive and carries the strictest obligations.

Specifically:

  • Electricity operators, gas suppliers, district heating and cooling operators, hydrogen suppliers, and oil infrastructure are all named in Annex I.
  • Drinking water and wastewater operators are also explicitly listed as separate essential entity categories.
  • Being classified as essential means direct supervision by national competent authorities, mandatory audits, and penalties up to 10 million euros or 2% of global turnover.

 Local Regulatory Reference 

Country Local Transposition Competent Authority Cloud and Data Protection
France NIS2 transposed under ANSSI supervision. Additional obligations for OIV and OSE under the Loi de Programmation Militaire ANSSI SecNumCloud sets security requirements for cloud providers handling sensitive data for critical infrastructure operators.
Germany NIS2 transposed via NIS2UmSUCG, in force December 6, 2025. KRITIS operators automatically classified as particularly important entities. Mandatory BSI audits every three years. BSI BSI C5 sets baseline requirements for cloud providers. StratoKey tokenizes data before it reaches the cloud environment, ensuring sensitive data never exists in plaintext regardless of provider C5 status.
Netherlands NIS2 transposed via updated Cbw. RDI (digital infrastructure), ACM (energy) NIS2 Article 21(2)(h) encryption and Article 21(2)(d) supply chain obligations apply directly to cloud and third-party environments.

GDPR Regulation (EU) 2016/679

Applies to all personal data processed by utilities including customer billing records, smart meter data, and consumption profiles. Article 32(1)(a) requires pseudonymization and encryption of personal data as an appropriate technical measure for securing processing. Article 32(1)(b) requires ongoing confidentiality, integrity, availability, and resilience of processing systems.

Article 34(3)(a) provides that where encryption or equivalent measures have been applied rendering personal data unintelligible to unauthorized persons, controllers are exempt from the obligation to notify affected individuals following a breach.

StratoKey replaces personal data with encrypted values or tokens before it reaches cloud or third-party systems. If a breach occurs, the data has no exploitable value and notification obligations under Article 34 may not apply.

Utilities operating in the United States face cybersecurity obligations across electric, water, and pipeline sectors. As operational and customer data moves into SaaS platforms these obligations follow the data. Utilities should also be aware that customer personal data including billing records, consumption profiles, and smart meter data may be subject to state-level data privacy laws.

NERC CIP

North American Electric Reliability Corporation Critical Infrastructure Protection Standards

Mandatory for electric utilities operating on the Bulk Electric System. As utilities push operational data into SaaS and vendor platforms, CIP-005 requires electronic access controls for any interactive remote access to BES systems. CIP-013 requires supply chain risk management for third-party products and services connected to high and medium impact systems. StratoKey enforces data-level access controls for vendor sessions and tokenizes sensitive operational data before it reaches third-party environments.

NIST SP 800-82 Rev 3

Guide to Operational Technology Security, NIST

The federal reference guide for OT security across electric, water, and pipeline sectors. Not mandatory but widely referenced in audits and vendor contracts. As utilities integrate historian and SCADA-adjacent data with cloud analytics platforms, SP 800-82 references SP 800-53 controls including SC-28 (data at rest) and SC-8 (transmission confidentiality). StratoKey tokenizes sensitive operational data at the point it crosses into cloud or enterprise environments.

America's Water Infrastructure Act 2018 (AWIA)

AWIA, EPA

Mandatory for water and wastewater utilities serving more than 3,300 people. Requires risk and resilience assessments covering cybersecurity threats to operational systems and customer data. As water utilities adopt cloud-based SCADA monitoring, billing, and asset management platforms, sensitive operational and customer data moves outside controlled environments. StratoKey reduces exposure by tokenizing customer and operational data before it enters SaaS platforms.

TSA Security Directives

TSA Cybersecurity Directives

Mandatory for pipeline operators. Require designation of a cybersecurity coordinator, incident reporting to CISA, network segmentation between IT and OT systems, access controls, and continuous monitoring. As pipeline operators adopt cloud-based monitoring and vendor platforms, sensitive operational data moves outside the controlled OT environment. StratoKey tokenizes pipeline operational data before it enters cloud or third-party systems, ensuring it has no exploitable value outside your environment. 

Utilities operating in Canada face NERC CIP obligations for grid operations and, if Bill C-8 is enacted, mandatory cybersecurity program requirements across federally regulated sectors. Canadian utilities must also consider PIPEDA and provincial privacy laws such as Quebec's Law 25 when moving customer data into cloud and SaaS environments. 

NERC CIP

North American Electric Reliability Corporation Critical Infrastructure Protection Standards

Applies to Canadian electric utilities connected to the North American Bulk Electric System. CIP-005 mandates electronic access controls for remote access. CIP-013 requires supply chain risk management for third-party products and services. StratoKey enforces data-level access controls for vendor sessions and tokenizes and encrypts sensitive operational data before it reaches external systems.

The Proposed: Bill C-8 /  Critical Cyber Systems Protection Act ( CCSPA)

An Act Respecting Cyber Security, Parliament of Canada

Currently before Parliament. Not yet enacted. If passed, designated operators in energy and pipeline sectors must establish a cybersecurity program within 90 days, manage supply chain risks, and maintain cybersecurity records on Canadian soil. StratoKey tokenizes sensitive data before it leaves controlled environments, supporting data residency obligations regardless of where downstream cloud platforms are hosted.

PIPEDA

Personal Information Protection and Electronic Documents Act

Governs how personal data including customer billing records, smart meter data, and consumption profiles is collected, used, and disclosed by federally regulated utilities. As customer data moves into cloud billing systems and SaaS platforms, PIPEDA safeguarding obligations follow that data. StratoKey secures personal data before it enters cloud or third-party environments, reducing breach impact and supporting PIPEDA accountability obligations.

 
 
 
 
 

Utilities operating in Australia face obligations under the SOCI Act and, for energy operators specifically, the Australian Energy Sector Cyber Security Framework. Australian utilities must also consider the Privacy Act 1988 and the Australian Privacy Principles (APPs) when moving customer data including billing records, smart meter data, and consumption profiles into cloud and SaaS environments. The Office of the Australian Information Commissioner (OAIC) enforces these obligations.

Security of Critical Infrastructure Act 2018 (SOCI Act)

Security of Critical Infrastructure Act 2018

Designated critical assets in electricity, gas, and water sectors are subject to positive security obligations and enhanced cyber security obligations under the 2022 amendments. As utilities push operational and customer data into cloud platforms and vendor portals, those data flows fall within the scope of positive security obligations. StratoKey tokenizes and encrypts sensitive data before it enters cloud or third-party environments, reducing the data footprint across the supply chain.

Australian Energy Sector Cyber Security Framework (AESCSF)

Australian Energy Market Operator — AEMO

The operational cybersecurity framework for Australian energy sector participants. Control domains cover access management, data protection, and information asset management. As utilities integrate historian data, grid telemetry, and customer records with cloud analytics and SaaS platforms, AESCSF data protection controls apply. StratoKey's Identity Gateway enforces least-privilege access controls aligned to AESCSF requirements. Tokenization and encryption protects sensitive operational data at the point it enters cloud and vendor environments.

Privacy Act 1988 and Australian Privacy Principles

Office of the Australian Information Commissioner

Applies to utilities with annual turnover above $3 million. Governs how customer billing records, smart meter data, and consumption profiles are collected, used, and disclosed. As utilities move customer data into cloud billing systems and SaaS platforms, the Australian Privacy Principles require that data remains protected regardless of where it is processed. StratoKey secures personal data before it enters cloud or third-party environments, reducing breach impact and supporting Notifiable Data Breaches obligations.

Utilities operating in the United Kingdom face obligations under the UK NIS Regulations 2018 and UK GDPR. The UK is not bound by NIS2 following Brexit. The Cyber Security and Resilience Bill, published in late 2025, proposes to strengthen and expand the NIS Regulations but has not yet been enacted. Customer personal data is governed by UK GDPR and the Data Protection Act 2018, enforced by the ICO

UK NIS Regulations 2018

The Network and Information Systems Regulations 2018

Enforced by Ofgem (energy) and Ofwat (water) as competent authorities, with NCSC providing technical guidance through the Cyber Assessment Framework (CAF).

CAF Objective B3 covers identity and access control. CAF Objective B6 covers data security including protection of data at rest and in transit. StratoKey's Identity Gateway supports least-privilege access and controls aligned to CAF B3. Tokenization and Encryption protects sensitive operational and customer data in storage and transit, supporting CAF B6.

UK GDPR / Data Protection Act 2018

 UK GDPR | Data Protection Act 2018

The UK GDPR and Data Protection Act 2018 form the UK's data protection framework, enforced by the ICO. The UK GDPR sets the core obligations. The DPA 2018 supplements it with UK-specific provisions. Together they apply to all personal data processed by utilities including customer billing records, smart meter data, and consumption profiles. Article 32(1)(a) requires pseudonymization and encryption of personal data. Article 32(1)(b) requires ongoing confidentiality, integrity, availability, and resilience of processing systems. Article 34(3)(a) provides that where encryption renders personal data unintelligible to unauthorized persons, controllers may be exempt from notifying affected individuals following a breach. StratoKey tokenizes personal data before it enters cloud or third-party systems. If a breach occurs, tokenized data has no exploitable value and notification obligations under Article 34 may not apply. 

StratoKey Works With Utilities to Help Meet Data Privacy and Industry Compliance Regulations

  SaaS platforms and cloud integrations are where sensitive data is most exposed. StratoKey tokenizes and encrypts before transmission to SaaS, so the data that reaches those environments has no exploitable value. Get in touch with StratoKey to keep customer data secure and meet a wider range of regulatory requirements.

 

Get in Touch to Learn More About Securing Sensitive Data With StratoKey

Please provide your details so we can get in touch about your inquiry.