Showing posts with label NISTIR 7628.

Wednesday, April 4, 2012

Smart Grid Privacy for Real

I find I like reading stuff by Jeff St. John at Greentech Media, because he covers all the bases. Almost a month ago he did a piece on San Diego Gas & Electric (SDG&E)'s use of Ontario's "Privacy by Design" principles to ensure proper protections for their customers, and hopefully, in so doing, meet the requirements of the California PUC's privacy rules for the big 3 Investor Owned Utilities (IOUs).

I'll give him a little grief for this section:
... customers ... are worried that their smart meters will allow hackers, data thieves or other nefarious parties to know when they’re home and when they’re away, or to piece together other personal information. Sure, people tend to give away lots more personal information when they’re surfing the internet -- but they do so by choice, whereas smart meters are being installed on their homes without their direct permission. 
IMHO the additional behavioral information that can be gleaned from Smart Meters is incremental, not a game-changing tidal wave of previously unknowable, super personal dirty laundry. And though no one, including the government, is making people buy computers and smart phones, and no one is forcing them to use the web to buy things, consume entertainment, stay in touch with loved ones, get educated, find new friends, share secrets, do their banking, and even adjust their electrical plans, it would take an army to take all that away from folks now.

Survey after survey says they demand more self-service, more flexibility and more options from their service providers. Smart Meters will eventually enable all of that and then some, so for me, saying they're having the meters forced on them is a bit of a rhetorical red herring. Like saying ATMs were forced on people. You want them gone too 'cause you weren't asked up front?

But I began by saying I generally like Jeff's stuff and this article is no exception. He handles citations from Ontario's Privacy Commissioner, Ann Cavoukian, with aplomb. I particularly like this one:
... the real threat utilities should be worried about is the dreaded privacy breach, Cavoukian said. Measured against the public relations and political ramifications for the smart grid of the possibility of a major loss or theft of customer data, “utilities shouldn’t be asking how much money it costs -- they should be asking how much money it will save,” to invest in privacy protection upfront, she said.
I won't throw numbers at you here, but suffice it to say that when you read about the weekly exposure of personal account information from successful cyber breaches of banks, retailers, credit card companies, etc., one thing the public isn't exposed to is the amazing (and amazingly expensive) gyrations those companies go through to try and make things right. Picture boatloads of attorneys. Picture the mass combustion of 55-gallon drums' worth of midnight oil. In other words, Cavoukian's got a point.

This is an interesting international collaboration between a Canadian province and an entity regulated by a US state. One thing they have in common is that both are very forward leaning in a number of ways, not the least of which is in their enthusiasm for modernizing the grid and grid systems. It's good to see that both acknowledge the responsibility to their citizens that comes with that.

And by the way, the other 2 California IOUs, Southern California Edison (SCE) and Pacific Gas & Electric (PG&E) are moving out on privacy and protection of customer data as well.

I'll leave it at that for now. Best thing you can do is read St. John's article yourself which you can do by clicking HERE. And be careful about what you put on Facebook ...

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here are the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com

Monday, May 9, 2011

NERC and NIST Ramp Up Risk Management Collaboration

There are security-related ISO, IEC and IEEE electric grid standards galore, but these are technical standards. I know it's more complicated than this, but I submit that the easiest way to tell regular folks about grid and Smart Grid security standards is to say there are really only two that matter in 2011, and they are:
  • NERC CIPs, version 3
  • NISTIR 7628, version 1
The first covers cyber security protections of only the most critical generation and transmission assets in the bulk electric system (BES) and has little to do with protecting new Smart Grid systems, most of which deploy in the distribution network, far from the BES. The second boldly attempts to describe how to secure the whole enchilada, albeit at a high level. In short, there isn't a heck of a lot the two standards/guidance documents have in common.

We've described each ad nauseam on this blog, so let's look at something more soothing. With the next version of each of the above standards still over the horizon, let's consider the nascent collaborative effort between NERC and NIST, confirmed by language pulled from a draft budget document submitted by an SGSB reader:
... NERC is collaborating with DOE and the National Institute of Standards and Technology (NIST) to develop comprehensive cyber security risk management process guidelines for the entire electric grid, including the bulk power and distribution systems. This initiative is particularly important with the increasing availability of smart grid technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
So, it seems that some folks in high places have realized the disconnect, and seek to build a risk management bridge between the CIPs and the NISTIR. This is good news, right? Here's the draft NERC 2012 business plan and budget, if you're into this kind of thing.