Monday, February 22, 2010

An Informed Public and an Informed Grid

"Secrecy is the enemy of efficiency, but don't let anyone know it."

Privacy advocates, forward-thinking utility CIOs and all manner of security folk are getting increasingly charged up over the influx of consumer information required to improve the efficiency and flexibility of the grid. Because there has been so much public scrutiny in cases of accidental or malicious revelation of private data in other industries, it's understandable that people are wary about adding yet another place where their privacy can be invaded.

In the case of banking, retail, and health care, the integration of private information was intended to provide personalized access to information, to trinkets, and to better medical care. This included very sensitive personal details about our bodies and behaviors. And the loss of it is always jarring, particularly when we are required to suffer the consequences of credit monitoring, ID theft, or the knowledge that our illnesses or treatments might become known to complete strangers. It has not been a pleasant road. All of these public exposures have left us feeling that our privacy is no longer truly our own, and we have yet to feel that an industry has taken adequate precautions to protect us.

Unfortunately, the Smart Grid requires even more information to make any sense at all. Without usage and identification information, the new grid cannot interact with us meaningfully. It cannot help us to understand and change our consumption behaviors, and it cannot treat us uniquely in our use or production of power. What's more disconcerting is that this consumption information is as intimately woven with every part of our lives as is our use of power, whether we are talking about our cars, our televisions, our homes, or our laundry. So what can be done differently, this time? Here are a few ideas for you.

Focus on Action, not just Awareness
The Smart Grid is already happening all around us. Historically, emphasis on security has been on creating an informed public, capable of making informed decisions about whether or not to share their records (HIPAA), to visit a website, or to use a bank's online systems. Because the Smart Grid's evolution is driven by information, and because that evolution is underway as we speak, informing the public is necessary, but it is not nearly enough. A good example of disclosure with little recourse can be found in privacy statements everywhere. Here is an example from an actual energy company website. I have redacted the name of the company in question:
Remote Monitoring Information Collected Automatically
The monitoring service itself includes an automated, Internet-based process of receiving transmissions from the XXXXXXX XXXX monitoring equipment about your solar equipment, its output, efficiency, and other variables. This information is recorded and preserved by XXXXXXX XXXX on our company computer storage facilities, and may be accessed by you, if you subscribe to our remote monitoring service, and by us whether or not you subscribe to that Service. The XXXXXXXXXXX Management Unit ("XMU"), once connected to the Internet, immediately begins reporting this information to XXXXXXX XXXX and will continue to do so as long as the XMU is connected to the Internet. By having your XXXXXXX XXXX XMU connected to the Internet, you consent to this automatic information reporting. We retain this information indefinitely, and we may use it for any purpose, in our sole discretion, including but not limited to quality assurance, engineering performance comparisons, and product improvements. If you purchase our remote monitoring service, you may also choose to provide others with access to this information, including the installation company which installed and/or which services your solar energy equipment.
This is not a bad privacy policy, nor is it inappropriate. It tells a story that will be repeated over and over again in the new world of the Smart Grid. Unlike traditional website privacy statements, however, the absolute requirement for customer acquiescence to these conditions removes any real ownership of the decision from the client, and places an enormous responsibility on the providers themselves. By requiring this information, they are committing to do what they must to protect it.

Be Reasonable
While both sides of the privacy debate position very strong arguments either for or against the sharing of data, there is clearly a middle ground to be reached. There is a good description of the potential damages resulting from over-exposure of private data by Rebecca Herrold. While each of us can consume and understand these issues as raised, they will be most productively considered as scenarios to prevent rather than as reasons to avoid the sharing itself. As well, each needs to be tempered with the likelihood and potential impact of occurrence when preparing a plan to prevent it.

Similarly, the Smart Grid does not need to know everything, all the time, and does not need to share everything with everyone involved. While consumers may accept the need to share more in order to achieve the benefits described, there are many shades of grey when it comes to how much of that information needs to be stored, tagged, transmitted, or aggregated. Nowhere is this clearer than in the NIST 7268 discussion of information sharing. Take a look at this diagram:

As shown in this figure, there are all kinds of systems, with all kinds of data, and all kinds of likely connections. A new data-sharing paradigm must be constructed, analogous to "least privilege": call it "least sharing".
  • No data element should be shared, at all, unless necessary to a specific function
  • No data element should be tagged with identifying information, unless necessary to a particular function
  • No data element should be stored without a compelling reason; otherwise it should be destroyed
  • If a data element is stored, the security of that storage should be appropriate to the data's characteristics, and not to some perception of the likelihood of attack or compromise
Thinking Smaller to Make Protection Bigger
Because the Smart Grid and its requirements for information are changing so quickly, it would be foolish to think that data privacy can be completely figured out in the next 12 to 24 months. Individual states have varying regulations around ownership of customer data. The final set of information to be gathered or shared has not yet been described, and all of the systems that will be permitted to touch it are far from being designed or even adequately described. As such, draw no conclusions about which data elements can be automatically combined and sent or stored together. The easiest mistake to make in these early days will be to insufficiently separate the data elements. By better understanding and describing the security characteristics of individual components, it is much easier to tailor and measure the security necessary to protect each element and its particular security needs.
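The "least sharing" list above and the per-element separation argued for in this section, as an added example that is not from the post or from any utility's code: a small Python model in which each back-end function (billing, load forecasting, a customer portal) receives only the data elements its policy names, feeder aggregates are suppressed when too few meters contribute, interval detail is keyed by a keyed pseudonym rather than the customer id, and each store carries its own retention period. The meters, customers, field sets, threshold and retention days are all constructed for illustration.

```python
# Least-sharing views over smart-meter interval data.
# Constructed example: the meters, customers, purposes, field sets and
# retention periods below are invented for illustration, not from any utility.
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
import hashlib
import hmac


@dataclass(frozen=True)
class Reading:
    """One interval reading as the meter reports it: every data element present."""
    meter_id: str
    customer_id: str
    address: str
    feeder: str
    ts: datetime
    kwh: float


# Per-function policy: the only elements that function may see, and how long it
# may keep them. Anything not listed is stripped before the function sees a row.
PURPOSES = {
    "billing":     {"fields": {"customer_id", "month", "kwh"}, "retention_days": 2555},
    "forecasting": {"fields": {"feeder", "hour", "kwh"},       "retention_days": 3650},
    "portal":      {"fields": {"pseudonym", "ts", "kwh"},      "retention_days": 60},
}
MIN_METERS_PER_CELL = 3  # constructed: a feeder-hour with fewer meters is suppressed
PORTAL_KEY = b"constructed-pseudonym-key"  # in practice held by the portal, not in source


def billing_view(readings):
    """Monthly kWh per customer: the one identifier billing actually needs."""
    totals = defaultdict(float)
    for r in readings:
        totals[(r.customer_id, r.ts.strftime("%Y-%m"))] += r.kwh
    return [{"customer_id": c, "month": m, "kwh": round(k, 3)}
            for (c, m), k in totals.items()]


def forecasting_view(readings, min_meters=MIN_METERS_PER_CELL):
    """Hourly kWh per feeder with no identifiers at all. A cell fed by fewer
    than min_meters meters is dropped so one household cannot be read off it."""
    totals, meters = defaultdict(float), defaultdict(set)
    for r in readings:
        cell = (r.feeder, r.ts.replace(minute=0, second=0, microsecond=0))
        totals[cell] += r.kwh
        meters[cell].add(r.meter_id)
    return [{"feeder": f, "hour": h, "kwh": round(k, 3)}
            for (f, h), k in totals.items() if len(meters[(f, h)]) >= min_meters]


def pseudonym(customer_id, key):
    """Keyed pseudonym: the portal store alone cannot name the customer."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def portal_view(readings, key):
    """Fine-grained intervals for the customer's own dashboard, keyed by pseudonym."""
    return [{"pseudonym": pseudonym(r.customer_id, key), "ts": r.ts, "kwh": r.kwh}
            for r in readings]


def raw_rows(readings):
    """The monolithic record, used only to show what an unfiltered hand-off leaks."""
    return [asdict(r) for r in readings]


def leaked_fields(purpose, rows):
    """Elements present in a view that the purpose's policy never allowed."""
    return sorted({k for row in rows for k in row} - PURPOSES[purpose]["fields"])


def purge_expired(purpose, rows, now, time_field):
    """Enforce retention: rows older than the purpose's limit are destroyed,
    not kept 'just in case'. `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=PURPOSES[purpose]["retention_days"])
    return [row for row in rows if row[time_field] >= cutoff]


def sample_readings():
    """Constructed data: three homes on feeder F1, one home alone on feeder F2,
    four 15-minute intervals each; home n draws 0.25*(n+1) kWh per interval."""
    t0 = datetime(2010, 2, 1, 18, 0)
    homes = [("M-1", "C-1001", "12 Oak St", "F1"), ("M-2", "C-1002", "14 Oak St", "F1"),
             ("M-3", "C-1003", "16 Oak St", "F1"), ("M-4", "C-2001", "3 Elm Rd", "F2")]
    return [Reading(m, c, a, f, t0 + timedelta(minutes=15 * i), 0.25 * (n + 1))
            for i in range(4) for n, (m, c, a, f) in enumerate(homes)]


if __name__ == "__main__":
    rs = sample_readings()
    print("unfiltered hand-off to forecasting would leak:", leaked_fields("forecasting", raw_rows(rs)))
    for name, rows in (("billing", billing_view(rs)), ("forecasting", forecasting_view(rs)),
                       ("portal", portal_view(rs, PORTAL_KEY))):
        print(f"{name}: {len(rows)} rows, leaked fields: {leaked_fields(name, rows)}")
```

The `leaked_fields` check is the piece worth wiring into a build or deployment pipeline: run it against every view a function consumes, and a new column added "for convenience" fails the build instead of quietly widening what that function can see. Note that the lone home on feeder F2 never appears in the forecasting output; the aggregate simply has no cell for it.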

Is it so different?
These privacy challenges are not so different from those that could have been envisioned in other industries, but which were overlooked. On this blog, we often write about taking the opportunity to learn from past IT security mistakes in order to improve the future IT world of the Smart Grid, and there are definitely lessons to learn here, about planning, design, and resolution of security concerns early in the cycle.

In the past, when customer profiles or patient records have been treated monolithically, the breach of any accessing system has been enough to expose all. It is not simple to segregate the data, and to assess security policy for all elements. If it is done upfront with consistency, the benefits will definitely outweigh the costs, particularly as these systems and their exposure necessarily become at once more pervasive and more critical in our lives.
