On February 23, 2011, from 8:00 am to 5:00 pm at ERCOT Austin, 7620 Metro Center Drive, Austin, TX, the NIST Smart Grid Cyber Security Working Group (“CSWG”) Outreach Team will be available to answer questions regarding the lengthy NIST Interagency Report, Guidelines for Smart Grid Cyber Security 7628. This report will guide the industry through the many layers of Smart Grid Cyber Security issues. In addition to discussing technical issues, such as Security Architecture and Cryptography, the hot topic of Smart Grid Privacy will also be touched upon as part of the day’s agenda.

The CSWG privacy subgroup performed a Privacy Impact Assessment (PIA) for the consumer-to-utility aspect of the Smart Grid. The following questions navigated the process of performing the consumer-to-utility PIA:

  1. What personal information may be generated, stored, transmitted, or maintained by components and entities of the Smart Grid?
  2. How is this personal information new or unique compared with personal information in other types of systems and networks?
  3. How is the use of personal information within the Smart Grid new or different from the uses of the information in other types of systems and networks?
  4. What are the new and unique types of privacy risks that may be created by Smart Grid components and entities?
  5. What is the potential that existing laws, regulations, and standards apply to the personal information collected by, created within, and flowing through the Smart Grid components?
  6. What could suggested standardized privacy practices look like for all entities using the Smart Grid so that following them could help to protect privacy and reduce associated risks?

Although not exhaustive, Table 5-2 from the report provides a snapshot of some of the concerns. With only your imagination as the limit, there are many potential uses for granular energy data when it is combined with personal information. This applies to businesses as well as residential customers.

Table 5-2 Potential Privacy Concerns and Description

| Privacy Concern | Discussion | Categorization |
| --- | --- | --- |
| Fraud | Attributing energy consumption to another location or vehicle (in the case of PEVs). | Type II: While fraud is an existing concern, the current system of reading consumer meters (either manual recording or electronically via “drive-by” remote meter reading systems) may allow less opportunity for data manipulation without collusion with the personnel collecting the data. |
| Determine Personal Behavior Patterns / Appliances Used | Smart meter and home automation network data may track the use of specific appliances. Access to data-use profiles that can reveal specific times and locations of electricity use in specific areas of the home can also indicate the types of activities and/or appliances used. Possible uses for this information include: Appliance manufacturers could use this information for product reliability and warranty purposes; Other entities could use this data to do targeted marketing. | Type I: The type of data made available by Smart Grid implementation may be both more granular and available on a broader scale. |
| Perform Real-Time Remote Surveillance | Access to live energy use data can reveal such things as if people are in a facility or residence, what they are doing, waking and sleeping patterns, where they are in the structure, and how many are in the structure. | Type II: Many methods of real-time surveillance currently exist. The availability of computerized real-time or near-real-time energy usage data would create another way in which such surveillance could be conducted. |
| Non-Grid Commercial Uses of Data | Personal energy consumption data storage may reveal lifestyle information that could be of value to many entities, including vendors of a wide range of products and services. Vendors may purchase attribute lists for targeted sales and marketing campaigns that may not be welcomed by those targets. Universities might purchase information to study student attributes and target a new student profile with simple application question profiling. Such profiling could extend to other types of profiling on employment selection, rental applications, and other situations that may not be welcomed by those targets. | Type II: Under the existing metering and billing systems, meter data is not sufficiently granular in most cases to reveal any detail about activities. However, smart meters, time of use and demand rates, and direct load control of equipment may create detailed data that could be sold and used for energy management analyses and peer comparisons. While this information has beneficial value to third parties, consumer education about protecting that data has considerable positive outcomes. |