Friday, February 26, 2010

Aaron Burstein, Ari Schwartz, Longhao Wang - UC Berkeley and Center for Democracy & Technology

This was posted to smartgrid@ostp.gov by Aaron Burstein, UC Berkeley; Ari Schwartz and Longhao Wang, Center for Democracy & Technology.

Response to Q1 -- Any analysis of the privacy, security, and innovation issues raised by making the smart meter into the home’s primary energy data gateway must begin with a recognition that states that have led the way in Smart Grid deployment have already endorsed this architecture.

The California Public Utilities Commission (CPUC), for example, has approved plans by the three major investor-owned utilities in the state to deploy smart meters that have an embedded controller for devices within the home, implying that the meter will serve as a gateway for usage data, price data, and demand response signals.

Other regulations lay the groundwork for utilities to collect home energy usage data with increasing frequency as the state’s smart meter initiative matures. Similarly, a rule adopted by the Texas Public Utilities Commission requires advanced meters that provide a “capability to communicate with devices inside the premises, . . . through a home area network (HAN), based on open standards and protocols that comply with nationally recognized non-proprietary standards such as ZigBee, Home-Plug, or the equivalent.”

The privacy risks in this architecture are still unclear; they depend in large part on future decisions by consumers, utilities, and state regulators. On one hand, utilities are the most likely recipients of this data, making it relatively easy for consumers and regulators to monitor their privacy practices. On the other hand, if utilities are granted exclusive access to this data, they will face no competition from other energy management services that might compete on privacy and other dimensions. Much to its credit, the CPUC has expanded its rulemaking to cover data privacy, but it will necessarily develop these rules after millions of smart meters containing data gateways are already in place.

Other states will presumably follow California’s lead, but state-by-state decisions could impose duplicative costs and create inconsistent rules. Moreover, though public utilities commissions have broad expertise in consumer protection issues, it is less clear that they possess specific, deep expertise in data privacy. Two further points about making smart meters into energy data gateways bear on both privacy and innovation.

First, utilities and device manufacturers will use this data to control device behavior. This creates a need to designate which devices will respond to demand response signals, and how. In use cases considered within prominent standards and in state Smart Grid proceedings, the utility is often responsible for registering consumers’ devices. This not only constrains the choices available to device manufacturers but also creates the possibility that utilities (and, perhaps, third parties they authorize) will have access to device-specific usage data. This would further exacerbate the privacy risks entailed in collecting highly temporally resolved, household-specific usage data. Second, the choice between on-meter and off-meter gateways need not be binary.

Even if consumers are served by utilities that deploy smart meters with embedded gateways, they should be able to choose to use third-party gateways. A full analysis of the privacy risks of both architectures would help inform these choices. Federal agencies such as NIST could marshal the efforts of all stakeholders to analyze the privacy risks in this architecture.

A comment filed by the Center for Democracy & Technology on NIST’s draft Smart Grid cybersecurity requirements provides a start by laying out how widely Fair Information Practice Principles (FIPPs) apply to Smart Grid data. As that comment notes, however, additional work, such as developing privacy use cases, is necessary to fully understand the privacy risks of smart meters with an embedded gateway. This analysis would provide valuable guidance to technology firms and state policymakers.

Response to Q2 -- Considering an alternative architecture—routing Smart Grid data through a home Internet connection, for example—gives a sense of the relative risks to privacy, innovation, and cybersecurity. An off-meter gateway could help protect consumers’ privacy by limiting the amount of information that is sent beyond the boundaries of the home. For instance, a gateway that is separate from the meter could receive incoming price and demand response signals, send them to an in-home energy management system (EMS), and, in conjunction with the EMS, manage devices solely through in-home communications. This architecture would obviate any need to register appliances and other devices with a utility, further limiting the disclosure of information from inside the home.

The smart meter, of course, would still be able to measure and report energy consumption to the utility. Still, fully understanding the privacy risks of such an architecture requires a more detailed analysis of specific technologies and their uses. Again, relevant policy considerations include:
(1) whether consumers have ongoing choices about how much data to disclose about their energy use;
(2) what type(s) of entities receive and process this data; and
(3) which regulators (if any) have jurisdiction over those entities.

It is possible that neither a data gateway outside the smart meter nor the entities that provide services based on data flowing through that gateway will be subject to state utility commission authority. Though this could give rise to competition among device and service providers, it also raises the question of how to encourage those firms to build privacy into their products.

Comparing the cybersecurity risks of these two architectures is also difficult to do in the abstract. Maintaining the availability of electricity service is a fundamental requirement of the Smart Grid. The integrity of price, usage, and demand response data is crucial for consumers and utilities. The price and demand response signals that consumers receive must be correct. Likewise, the usage data that utilities receive must be free from corruption, whether introduced by malicious attacks or accidental errors, in order to manage load and to bill customers correctly.

However, certain security benefits of separating the smart meter from demand response and home area network traffic are evident: this architecture would isolate the meter from devices in the home. It would also simplify the functional requirements of the smart meter, which should make the task of securing this critical Smart Grid element easier. Evaluating the security of different architectures and implementations is an enormously complex task. But this complexity lends itself to a simple point: statements about Smart Grid security are most meaningful when they pertain to a specific system, are explained through a clearly stated threat model, and are supported by an analysis that is open to scrutiny.

Aaron Burstein, Ari Schwartz and Longhao Wang
