Number eight on our list of 10 Things to Know About Smart Grid Security was this: Utilities need much better privacy safeguards. While the massive amount of data that will be unleashed by adding digital intelligence to the power grid needs to be kept out of the hands of cyber-hackers who would use it to harm the network, just as important is making sure that consumers can keep their personal information private. This morning Ontario’s Information and Privacy Commissioner, Ann Cavoukian released research in collaboration with the Future of Privacy Forum that focuses on how privacy, like security, needs to be built into the foundation of the smart grid.
“Smart grid security” is most often discussed in the terms of national security — a hacker develops a worm that can jump across smart meters and black out neighborhoods, for example, or can make a generator blow up remotely. Privacy — keeping personal information in the hands of the consumer and away from advertisers, the utility or any other third party — is an entirely different concern that utilities have to be prepared for with the buildout of the smart grid. Most importantly it will shape the relationship between the consumer and the utility.
As Jules Polonetsky, co-author of the Ontario report puts it: “[T]he success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.” The report says that the utility industry needs several key initiatives, including: “privacy laws, regulation and independent oversight; accountability and transparency; audit and assessment; market forces, education and awareness; data security; and fair information practices.”
Unfortunately privacy concerns seem to be taking a back seat to security concerns for the smart grid. The National Institute for Standards and Technology Smart Grid group found that utilities are lacking privacy policies and state utility commissions often lack formal privacy guidelines related to the smart grid. In addition if a state has privacy laws, they often aren’t specific to utility groups.
In response to these findings, NIST suggested these steps to ensure consumer privacy: 1). Appoint personnel to ensure privacy practices exist and are followed; 2). Explain clearly to consumers what and why any data is collected; 3). Give consumers choices for collecting their data and get consent; 4). Don’t collect more data than needed; 5). Only use the data for which it was intended to be collected; 6). Show consumers the data that is being collected and enable them to correct it if need be; 7). Protect data from security vulnerabilities.
All utilities need to do is to look at the modern problems with privacy in the digital age — namely people’s reactions to companies like Google — and they’ll see how important the problem is for the smart grid. The issue will also need to education for consumers as well, since as Stacey from GigaOM puts it: “personal privacy on the web is an illusion.”