In February, the National Institute of Standards and Technology (NIST) — a federal technology agency that works with industry to develop and apply technology, measurements and standards — released a draft report (pdf) with recommendations for implementing the smart grid, noting the “potential for compromise of data confidentiality, including the breach of customer privacy.” Now, the Smart Grid Interoperability Panel, a subgroup of NIST’s Cyber Security Working Group, has released “Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid.” This sets out guidelines “for individuals and organizations who will be addressing cyber security for Smart Grid systems. This includes, for example, vendors, manufacturers, utilities, system operators, researchers, and network specialists; and individuals and organizations representing the IT, telecommunications, and electric sectors,” NIST says. From the report’s abstract:
The Smart Grid brings with it many new data collection, communication, and information sharing capabilities related to energy usage, and these technologies in turn introduce concerns about privacy. Privacy relates to individuals. Four dimensions of privacy are considered: (1) personal information—any information relating to an individual, who can be identified, directly or indirectly, by that information and in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, locational or social identity; (2) personal privacy—the right to control the integrity of one’s own body; (3) behavioral privacy—the right of individuals to make their own choices about what they do and to keep certain personal behaviors from being shared with others; and (4) personal communications privacy—the right to communicate without undue surveillance, monitoring, or censorship.
Most Smart Grid entities directly address the first dimension, because privacy of personal information is what most data protection laws and regulations cover. However, the other three dimensions are important privacy considerations as well and should be considered by Smart Grid entities.
When considering how existing laws may deal with privacy issues within the Smart Grid, and likewise the potential influence of other laws that explicitly apply to the Smart Grid, it is important to note that while Smart Grid privacy concerns may not be expressly addressed, existing laws and regulations may still be applicable. Nevertheless, the innovative technologies of the Smart Grid pose new issues for protecting consumers’ privacy that will have to be tackled by law or by other means.
The Smart Grid will greatly expand the amount of data that can be monitored, collected, aggregated, and analyzed. This expanded information, particularly from energy consumers and other individuals, raises added privacy concerns. For example, specific appliances and generators can be identified from the signatures they exhibit in electric information at the meter when collections occur with great frequency as opposed to through traditional monthly meter readings. This more detailed information expands the possibility of intruding on consumers’ and other individuals’ privacy expectations.