While Protecting Consumer Data
By Moin Shaikh and Lynnàƒ©a Culhane, ICF INTERNATIONAL
|Figure 1: Elements of the grid and their interconnections. Source: ICF International|
In the smart, interconnected grid, as envisaged in the U.S. Department of Energy’s (DOE’s) 2030 roadmap, “2014 Smart Grid System Report,” power flows from generators to consumers on a seamless grid. Decisions about allocating generation assets to produce and consume power depend upon the real-time cost of available power at certain grid locations. This future grid relies upon the uninterrupted flow of information between consumers and power generation, transmission and distribution companies. This exchange of real-time information, however, is susceptible to cyber tampering from hackers and malicious actors.
Utility efforts to modernize the bulk electric system risk new vulnerabilities for communications and information that affect everyone from consumers to critical infrastructure asset owners. Distributed generation, Internet of Things, demand response and home automation drive the need to interconnect various elements of the power grid.
Every step of the electrical power supply chain, from power generation to bulk energy transmission to distribution to the customer, increasingly relies on different networking technologies vulnerable to cyberthreats. Protection of each supply-chain step, in addition to securing consumer data, is essential if electrical energy is to be available 24/7.
Bulk energy cannot be completely stored; therefore, generation, transmission and distribution systems must sync with each other. Cybersecurity vulnerabilities can disrupt any step of the supply chain and severely impact the power grid’s reliability, which is based on real-time communication. The grid’s reliability depends on two essential elements: 1) ensuring the protection of consumer data; and 2) securing the integrity of communication between each step of the electrical delivery supply chain.
Smart homes are not just for science-fiction movies and novels. Smart-home functionality requires these fundamental infrastructure components: cheap and reliable electricity, connectivity with a network, and computational capability to analyze large amounts of data. Necessary technologies and components, such as smart sensors, appliances and Wi-Fi-based networking, enable creative and unique uses of these components.
Smart-home interconnectivity also creates vulnerabilities and security challenges. Consumers’ desires to reap the benefits of these technologies depend upon how much privacy they will sacrifice voluntarily. Personal information about their accounts, their daily habits, what equipment they use and how they consume and use power can be mined and analyzed from data available on smart grids and the Internet to develop patterns.
As reported in the February 2012 Congressional Research Service article “Smart Meter Data: Privacy and Cybersecurity,” there are privacy and security concerns related to information protection of data. One type of useful raw data comes from various end devices, including home appliances, lighting and other electronic equipment. Equipment manufacturers and service providers use this data to determine valuable diagnostic information about device condition. Consumer packaged goods companies, online and offline chain stores, healthcare companies and others use consumers’ daily power usage data related to home devices for marketing objectives. Another kind of useful data is raw operational data that, when analyzed and contextualized, explains consumer behavior patterns and can be useful for consumer decision-making.
The lack of proper security measures and controls on networks allows hackers to steal this useful data as it travels through common network mediums and is stored in various locations accessed on the Internet. Utilities can protect the data, physically and in the cyber realm, by building their own data centers, but more than likely they will depend on outside vendors and solution providers to succeed. Data in the cloud makes it harder to know the data’s physical location and how to control access to it.
Standards and system frameworks exist to provide guidance on how to protect data on smart grids. These include the North American Electric Reliability Corp. Critical Infrastructure Protection (for Advanced Metering Infrastructure AMI Headend) standard (NERC CIP); NISTIR 7628-Guidelines for Smart Grid Cybersecurity; Electricity Subsector Cybersecurity Capability Maturity Model; and AMI-SEC Smart Grid Security Guidelines.
The U.S. Constitution’s Fourth Amendment and federal statutes also protect consumer data privacy. Federal statutory protections that apply include:
- Electronic Communications Privacy Act of 1986
- Stored Communications Act of 1986
- Computer Fraud and Abuse Act of 1986
- Federal Trade Commission Act of 1914, as amended
- Federal Privacy Act of 1974
Although consumers may assume that these statutory protections ensure data privacy, utilities and other grid participants must continuously work to make sure they understand and are complying with the laws as technology evolves.
Reducing the need to buy or build expensive generation, transmission and distribution equipment saves utilities and customers money. Shifting peak demand to off-peak periods through demand response reduces investments in less frequently used power generation assets and distribution capabilities, as well as investments in electrical system constraints.
More bulk energy storage and distributed generation will require consumers to make real-time decisions about where they get their power and when to use high-output appliances. Consumers will rely on the grid only when their power demands cannot be met from their own generation capabilities, which are more cost effective and based on renewable methods, like wind and solar power. Consumers also can use demand response and an understanding of their own energy habits to save themselves money, help utilities improve efficiency of their operations, and reduce environmental hazards. Grid reliability is enhanced with energy conservation and management and delivery optimization and automation. Utilities can provide eco-friendly products to consumers, allowing them to choose power sources. Increased connectivity through these offerings, however, escalates the need to assess the impact of newly introduced vulnerabilities.
Distributed Energy Generation
Distributed generators are a demand response asset for electric utilities. They can be bid in the power markets as non-spinning reserves, provide contingency power and offset capacity shortages. Utilities can gain a deeper understanding about aggregate customer demand by analyzing the information gathered from smart meters and customer power usage behavior. At the same time, utilities can introduce and bid chunks of power, directed from power generated by the multiple customer-owned generators, in the energy markets.
Substation automation equipment provides monitoring and control capabilities to ensure a swift response to real-time events, helping maintain uninterrupted power services. Protection and control at this level depends on equipment, like smart relays, that switch services to alternate power sources or completely isolate grid sections with faulty sources. They also function as isolation devices. If a fault happens, therefore, it affects only certain sections of the distribution systems and does not cascade throughout the whole system. To aid in decisions on where and when to take necessary actions, protection and control devices require uninterrupted internal communications to perform their functions and to communicate with adjacent devices and power networks.
Industrial Control Systems
Industrial control systems normally are not connected to the Internet. They are shielded, therefore, from exposure on network connections. However, asset owners are beginning to connect more systems to the Internet that monitor industrial processes and the health of plant operations, as well as share data with vendors and suppliers to monitor critical equipment and observe system performance.
While compromise of this system data may not directly affect operations, compromise of communications between asset owners and operators can lead to loss of communications integrity. Many utilities implement perimeter security as a measure to counter cyberthreats. As the industry increases its use of automated systems, the need to be vigilant about vulnerabilities introduced into the overall network is necessary. An example is the 2015 event in Ukraine where the power grid in the Ivano-Frankivsk region was attacked and 1.4 million people were without power for six hours.
Data Protection Solutions
Asset owners must understand different levels of controls and data, along with the interdependencies of the system, to generate and distribute electricity. They must protect critical consumer data and at the same time meet customers’ demands. They must uniformly apply cybersecurity controls to all devices and networks in which a weak link could compromise the stability of the complete supply chain.
Risk-management frameworks, self-assessment compliance tools and improvements to the cybersecurity posture of an enterprise are not one-time activities-they are part of a continuous process and methodology for an organization to evaluate and assess evolving cybersecurity threats. Asset owners must ask: “What are we protecting?” and “What are the real threats and vulnerabilities to mitigate?”
The costs of compliance and cybersecurity will escalate if asset owners do not discriminately quantify the maximum number of controls and risks to ensure systems security. As the interconnected grid matures, new tools are required to assess systemic vulnerabilities. Asset owners must consider the interconnections and dependencies of various systems to ensure that the grid gets smarter, not unreliable and less secure.
Moin Shaikh is a multi-disciplined technologist at ICF Internatinal with more than 15 years of engineering experience in the areas of industrial automation and controls, project management and cyber security regulatory compliance. He is currently supporting DOE smart-grid security program.
Lynnàƒ©a Culhane is a technical writer at ICF International. She has worked in federal government consulting for over five years and provides content management, writing and editing, and project management for enterprise cyber and physical security specialists.