By Sam Sciacca, SCS Consulting
Utilities for years have collected and stored sensitive personal customer information–names, addresses, phone numbers, bank-account numbers and power-usage data. So why is there heightened concern around data security and protection with the intensifying rollout of the smart grid?
The types of information being collected are not changing, but the data collection frequency has increased, enabling a much finer-resolution picture of customer behavior. And all of the information is being collected and stored electronically–a higher value format because it can be more easily manipulated and shared. These changes do not necessarily put individual customers at greater risk, but, from the perspective of corporate data management, they put a significantly greater burden on utilities to tighten cybersecurity and ensure the privacy of confidential information.
These are two different animals–cybersecurity and information privacy–that raise two different sets of questions about technology, requirements, influencers and pressure.
Cybersecurity is growing in importance for a range of reasons (regulatory, national security, security of critical infrastructure systems/power systems), and an organization’s approach must encompass an overall plan to addresses network communications, physical security and other aspects–and one which spans both data at rest and in motion. Furthermore, cybersecurity is a moving target. Not a one-off solution to be purchased and deployed, cybersecurity will have to continuously adapt to account for unforeseen threats.
Smart grid cybersecurity is no small challenge: It gets lots of visibility, is wide-ranging in scope and is fluid in nature. Fortunately, stakeholders across the global smart grid movement share a sense of urgency to address cybersecurity.
Consider the accelerated path to ratification of IEEE 1815 “Standard for Electric Power Systems Communications — Distributed Network Protocol (DNP3).” Given the rapid implementation of various smart grid projects, work on IEEE 1815 was fast-tracked to address a U.S. National Institute of Standards and Technology (NIST) call for a smart grid protocol from a recognized standards-development organization that would specify cybersecurity and interoperability broadly across operational systems and devices.
The standard underwent rigorous evaluation by both IEEE and the DNP Users Group in advance of approval by a diverse pool of more than 100 IEEE balloters. After a mere seven months of consensus building, IEEE 1815 was published in 2010. The result is a multi-layered protocol that expands upon widely used existing industry protocols and specifies an agile architecture designed to enable better optimized and more secure information gathering, exchange and use–particularly in supervisory control and data acquisition (SCADA) systems.
Another example of large-scale collaboration yielding actionable results is the 17-month effort leading to the 2010 release of the NIST “Guidelines for Smart Grid Cyber Security.” Prepared by the Smart Grid Interoperability Panel’s (SGIP’s) Cyber Security Working Group–encompassing 450 members, including participants from academia and both the public and private sectors–the NIST report is intended to inform organizations’ smart grid cybersecurity strategies for breach prevention, detection, response and recovery. The guidelines detail 189 high-level security requirements of either the entire smart grid or its segments.
“These advisory guidelines are a starting point for the sustained national effort that will be required to build a safe, secure and reliable smart grid,” said George Arnold, NIST’s national coordinator for smart grid interoperability, in a Sept. 2, 2010, press release.
“They provide a technical foundation for utilities, hardware and software manufacturers, energy management service providers, and others to build upon. Each organization’s implementation of cybersecurity requirements should evolve as technology advances and new threats to grid security arise,” he said.
While a number of such technical standards and guidelines have emerged to give the power industry guidance on smart grid cybersecurity, technology can do only so much to guarantee data protection. Ensuring privacy is more dependent on process, procedures, rules and state laws, and, in this arena, utilities will likely have to navigate rapidly shifting landscape for the next decades of smart grid rollout.
The power industry’s engagement with consumers is in its infancy and evolving; public service commissions and regulatory authorities will be dealing with an array of interesting questions in the coming years, including:
- What control do consumers have over the data that utilities collect and store? What is the utility allowed to do with the consumer information that it collects? Does the utility have to expressly obtain their customers’ permission in order to use it?
- Should the utility be able to assign that data to an individual consumer, or should aggregated consumer data be kept separate from consumer-based systems?
- What commercial value does the data have? How might data of different degrees of value be protected in different ways?
- What are the utility’s liabilities if data is lost or becomes unprotected? How should utilities perform risk analyses, and to how much risk do different data sets expose the utility?
The rules and regulations around these questions, by and large, are not yet in place because no broadly adopted consumer data standard exists. The U.S. has attempted to implement consumer privacy standards at the federal level but the effectiveness of those mandates has been diluted by exceptions or permanent waivers or both. Consequently, enforcement and regulation around these sorts of questions are likely to develop at the more fragmented state level.
Canada’s province of Ontario has created the position of Information and Privacy Commissioner, and the current officeholder, Dr. Ann Cavoukian, has created a philosophy and approach for embedding privacy into design specifications. Her “Privacy by Design” tenets have been operationalized by some providers of technology for the smart grid. In this way, the manufacturers have established a model for adapting their products and processes as the fledgling area of utility consumer data protection matures.
So, if cybersecurity is a sprawling and moving target and consumer data privacy is new ground for the power industry, how can a manufacturer produce technologies today that support the long-term data security and protection objectives of the smart grid? That remains the question.
What doesn’t work is to get near the end of a development project and declare, “Oh, yeah ” add security.”
Data security and protection must be weaved into plans and processes from the outset of product development and smart grid planning; they are not features or functionality that can be easily bolted on as an afterthought.
While consumers are not necessarily exposed to greater risk than ever before, utilities and the industry serving them face terrific pressure to deliver sufficient cybersecurity and data protection from the smart grid’s onset. Early missteps in these areas, in fact, would threaten the momentum of the greater movement. The gamut of stakeholders, consequently, is committed to getting data security and protection right from the smart grid’s start, but it’s a continuing process.
Sciacca is SCS Consulting’s president. SCS Consulting LLC is a global solutions provider for electrical utilities. Sciacca has over 25 years experience in substation and distribution automation. A professional engineer with a background in power system engineering, he sits on IEEE’s Standards Board and is a member of the Power and Energy Society (PES) Power System Relaying Committee and PES Substations Committee. He also is a member of the US National Committee Council of the IEC.
Power Engineerng Issue Archives
View Power Generation Articles on PennEnergy.com