SmartGridNews.com The insider's guide to the modernization and automation of electric power
Data Privacy and Security Issues for Advanced Metering Systems (Part 2) By Mark F. Foley Jul 1, 2008 - 8:00:00 AM
Why utilities must address privacy issues
As stated in Part 1, advanced metering systems inherently create data privacy and security risks because of the nature and volume of the information they collect. Utilities implementing advanced metering infrastructure (AMI) that fail to address these issues will find themselves constrained by consumer and political opposition, prevented from realizing the economic promise of AMI and/or faced with liability to angry regulators and customers.
Consumer and Utility Interests Converge
If customers believe a utility is itself abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable (whether or not legal), then they are likely to resist the implementation of AMI. Consumers may refuse to consent (where required), hide their data or awaken political opposition. Utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices enable eavesdroppers, adversaries or bad-actors to acquire and use AMI data to a customer’s detriment. Utilities must take privacy and security concerns into account when designing AMI and must persuade consumers, regulators and politicians that privacy interests are adequately protected.
The first step is to adopt appropriate privacy policies defining what data may be collected and their permissible uses, disclosing those practices clearly and conspicuously, and obtaining consents where required. Since AMI data differ qualitatively from what utilities collected in the past, utilities will likely need new and stronger privacy and security policies. Consumers are interested primarily in controlling what information is collected, who has access to it, and how it may be used. These interests are often described in fair information privacy practices or core principles, such as the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Once a utility establishes the permissible uses of AMI data, it is in its interest to assure that unauthorized uses do not occur. For example, if an electricity service provider is allowed to sell appliance related data to a manufacturer or retailer, the utility will want to protect its economic interest by preventing access or use by others who might become competitive data brokers. Every utility will want to avoid regulatory sanctions for violating express or implied privacy policies as well as damages claims based on compromised customer data or facilities.
A policy that appropriately limits the use of collected data provides no consumer protection if the data can be accessed by unauthorized persons or can be used by authorized persons for unauthorized purposes. Thus the utility’s second step is to establish systems for enforcement of the policies and control of the data through adoption of suitable security practices, training and audits.
As P. A. Subrahmanyam et al. recognized early in Network Security Architecture for Demand Response/Sensor Networks, the AMI architecture will determine the points of security vulnerability. Wireless sensor networks, for example, are subject to the general security problems of computer networks, ordinary wireless networks, and ad-hoc networks. The limited resources of common sensor nodes (slow CPUs and small memories) hinder the use of cryptographic defenses. Packet jamming and insertion may occur over any network or link layer in the communication infrastructure. Adversaries may use simulated nodes, out-of-band channels, and modified or self-generated data to facilitate sinkhole attacks, acknowledgement spoofing, rushing attacks, HELLO floods, or blended attacks. These may result in denial of service to customers or utilities (e.g., loss of access to billing information or energy usage), payment avoidance, system overload, reduced quality of service, and violation of power control protocols. Attacks may come from inside the network via disgruntled, negligent or untrained employees, or from an outsider’s access to a compromised node or IP server. Indeed, AMI security weaknesses could enable penetration of presently secure systems. As
At least some utilities will likely adopt broadband over power line (BPL) to communicate AMI data. This introduces unique security issues. A BPL node could communicate with any device plugged into an electrical socket. Capture of a substation node would provide control over messages going to smart appliances or computing systems in homes and offices. A utility may also offer customers BPL as a separate revenue stream. This creates risks that AMI data could be read or modified over the internet or that common internet attacks could be brought against the electrical grid or individual customers.
Even if a utility uses only its own hardware for collection or transfer, it may outsource data collection, billing, customer support or web-services. Each time the data are entrusted or transmitted to a third party, additional privacy and security risks arise.
The upshot is that customer interest in having effective security to protect privacy interests converges with the utility’s need to protect its economic interests in the data and to secure its systems against malicious attacks. By recognizing that utility and consumer have convergent interests, the tension between AMI implementation and privacy interests fades.
Legal Considerations
Privacy and security laws vary widely from place to place. In the European Union, for example, the Privacy Directive 95/46/EC establishes a presumption that personally identifiable information belongs to the data subject. Such information may be processed only for specified, legitimate, and limited purposes where there is either valid consent from the data subject or a legitimate need of the data processor that outweighs the data subject’s general privacy interests. This general privacy right will extend to personally identifiable AMI data. In the United States, privacy and security rules arise out of a large number of federal and state laws regarding the processing of particular types of data or economic sectors, disposition of business records, utility tariffs, etc., but there is no general right of privacy in the European sense.
Which laws and regulations apply depends upon the system architecture. For example, if a utility collects and transmits AMI data via BPL and also offers consumers internet access, the utility may be subject to rules governing telecommunications service providers. If a utility sends AMI data to a billing firm in a different state, federal laws applicable to interstate commerce or the receiving state’s privacy laws may apply. If a utility sends personally identifiable information concerning EU residents to an outsourcer on another continent, the EU Privacy Directive limits on transborder data flows will apply. If personally identifiable data may have been compromised, breach notification laws may require the utility to send notices to data subjects in certain jurisdictions. Failure to adopt, disclose, or adhere to suitable privacy and security practices may result in U.S. Federal Trade Commission enforcement action against “unfair and deceptive trade practices.”
Utilities will need to consult legal counsel to determine how a contemplated AMI design may implicate various laws and whether the ramifications are acceptable. It is important to do this at the design stage, because it is always more expensive to revise systems after initial deployment.
Best Practices
Utilities can substantially reduce the data privacy and security risks inherent in AMI by adopting privacy and security best practices recognized in other contexts. These include:
· Consult with legal counsel to resolve privacy and security issues at the system design stage.
· Collect only the data you actually need for specified purposes.
· Retain data only for a reasonable period of time related to the purpose for which they were collected.
· Adopt privacy and security policies for internal and external access to and use of personally identifiable information that satisfy both legal requirements and fair information privacy principles.
· Define the data collection and use rights of customers, vendors, etc. in clear contractual language with strong privacy and security commitments and accountability for breach.
· Avoid resistance by permitting consumers to turn off or limit detailed data collection, especially during early research phases. Make “Off” the default mode for data transmissions.
· Design security into every collection, access, and transfer point. Create separate pathways for personally identifiable information. Use single hop networks to reduce transmission and storage vulnerabilities.
· Train all utility and third party employees who have access to AMI data or controls.
· Employ internal and external audits.
· Establish incident response and breach notification procedures.
· Establish Board of Directors and senior management oversight of data privacy and security practices.
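One way to turn several of the practices above (detailed collection off by default, a separate pathway for personally identifiable information via a keyed pseudonym, purpose-limited fields, and a retention purge) into enforceable code. This is an added example, not code from the article; the purposes, field names, retention windows, sample readings and key are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

# Constructed policy tables (assumptions, not the article's): which fields each
# stated purpose may keep, and how long records for that purpose are retained.
PURPOSE_FIELDS = {"billing": {"kwh_total"}, "load_research": {"kwh_total", "interval_kwh"}}
RETENTION = {"billing": timedelta(days=730), "load_research": timedelta(days=90)}
PSEUDONYM_KEY = b"constructed-demo-key"  # in practice held in a KMS/HSM, never in the data store


def pseudonym(meter_id: str) -> str:
    """Keyed hash so usage records carry no direct customer identifier (separate PII path)."""
    return hmac.new(PSEUDONYM_KEY, meter_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Consent:
    detailed_collection: bool = False  # "Off" is the default for fine-grained interval data


def collect(reading: dict, consent: Consent, purpose: str) -> Optional[dict]:
    """Keep only the fields the purpose needs; interval data only with opt-in consent."""
    allowed = set(PURPOSE_FIELDS[purpose])
    if not consent.detailed_collection:
        allowed.discard("interval_kwh")
    kept = {k: v for k, v in reading.items() if k in allowed}
    if not kept:
        return None
    kept["subject"] = pseudonym(reading["meter_id"])  # meter_id itself is never stored here
    kept["purpose"] = purpose
    kept["collected_at"] = reading["ts"]
    return kept


def purge(records: list, now: datetime) -> list:
    """Retention: drop records older than their purpose's window."""
    return [r for r in records if now - r["collected_at"] <= RETENTION[r["purpose"]]]


def demo() -> dict:
    """Constructed readings exercising default-off collection, opt-in and the purge."""
    t0 = datetime(2008, 7, 1, tzinfo=timezone.utc)
    reading = {"meter_id": "MTR-0001", "kwh_total": 1234.5,
               "interval_kwh": [0.4, 0.6, 0.3, 0.5], "ts": t0}
    default_rec = collect(reading, Consent(), "load_research")
    opted_rec = collect(reading, Consent(detailed_collection=True), "load_research")
    billing_rec = collect(reading, Consent(detailed_collection=True), "billing")
    live = purge([default_rec, billing_rec], t0 + timedelta(days=100))
    return {"default": default_rec, "opted": opted_rec, "billing": billing_rec, "after_100d": live}
```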
Utilities will need to address these and other data privacy and security issues if they are to realize the economic potential of AMI implementation.
© Copyright 2008 SmartGridNews.com