April 28, 2014
The smart grid is the first and largest application of the Internet of Things (IoT). Utility companies have been installing solid-state electricity meters that can report data on consumption on a nearly real-time basis. These smart meters allow consumers to access their consumption data so they can better manage their electricity usage.
The smart grid enables utilities to lower the cost of data collection (since meters report their data automatically); provide quicker reaction to outages, leading to less lost-revenue downtime; better monitor electricity theft; and better link the actual costs of generation with consumption through time-of-use pricing and demand-response products. In addition, smart grid technology allows utilities to better monitor transmission lines and manage substations, and integrate microgeneration (such as solar or wind). As a result, utilities benefit from more uptime, less capital expenses, and improved efficiency and reliability.
A byproduct of smart grid technology is the massive collection of data on consumers and their energy needs. Utilities routinely obtain and keep personal customer information, sometimes including their name, address, telephone number, utility account numbers, payment information data and billing information — and even their Social Security numbers on some occasions. Additionally, these meters generate data about a customer’s specific usage of electricity on an interval basis. This detailed customer information is in high demand from third parties, including colleges and universities; governmental entities; and other nonprofit, noncommercial research entities and potential utility competitors. Advanced metering infrastructure (AMI), net metering, peak-time rebate programs and certain rate design filings required by various state statutes have led to the need for utilities to share certain customer-specific information with third parties under controlled circumstances. On a case-by-case basis, this sharing may conflict with state personal privacy laws and customer utility usage privacy laws. Adequate information security and access controls are required to walk the fine line between privacy protection and authorized or mandated disclosure. In California, for example, utilities must have the customer’s consent to share energy usage data, and state law requires that utilities use “reasonable security procedures” that including encryption to protect usage data. A recent addition to the law (effective Jan. 1, 2014) extended the same requirements to any Internet Service Provider (ISP) or other business that handles smart meter data.
Compliance is made even more complex by the security questions surrounding a smart grid. For example, telecommunications associated with smart meters can be intercepted. A compromised smart grid network enables hackers to infiltrate and modify utility communication networks in order to cause massive underreporting of electricity consumption or allow the hacker to falsify sensor data to induce a power shutdown. While most utility communications now use standard cryptography to protect the data and commands on the utility network, there is an alarming lack of standards to address the protection of the secret keys or the life cycle of embedded smart grid devices. Cryptography is a good first step to ensure secure communications networks, but alternative attack points are likely. An attacker might try to get communication keys by physically inspecting a smart meter. Moreover, a number of remote, distributed sensors and control devices are deployed in unsupervised locations.
However, history teaches that human negligence and error create the most widespread risk to data. Major utilities, like nearly all other industries, are vulnerable to negligence, human error and the lack of an adequate written information security program. When devices are communicating with each other, even slight human interaction, tampering and wrong decisions may occur, sometimes with catastrophic results.
The potential vulnerability of smart grid systems and the diverse demands for private smart grid information from third parties have caused great concern for legislators and regulators. As a result, utilities are confronted by ever-increasing litigation demands to adequately secure their information. Consider the outcomes in three relatively recent cases.
In FTC v. TRENDnet (September 2013), the FTC entered into the world of IoT. In TRENDnet, hundreds of home security cameras were hacked and videos of children in their bedrooms were taken and posted on the Web. The hackers were able to bypass users’ login credentials and access live feeds from theTRENDnet wireless cameras. The FTC found that this vulnerability was in contrast to the company’s marketing materials, which assured consumers that their systems were secure. In its settlement, the FTC sanctioned TRENDnet for its unfair and deceptive trade practices. Thus, precedent exists for the same types of sanctions against utilities that overpromise the security of their smart grid network.
The willingness of courts to evaluate and require demonstrable security steps has become more aggressive. In Patco Construction v. People’s United Bank (1st Cir. July 2012), hackers used malware to masquerade as the construction company and fraudulently withdraw over $588,000 from the company’s bank account. Initially a federal district court in Maine upheld the disclaimer of liability terms in the contract between Patco and the bank, and found in favor of the bank. However, in July 2012, the 1st Circuit overturned the district court and found that, while the bank was fully aware that its electronic banking was “high risk,” and implemented enhanced security as a result, it had neglected to effectively use its own security systems by failing to adopt security measures that, according to the court, were available and commercially reasonable under the circumstances.
The lessons from the above cases are clear:
The appropriate security vehicle is a written information security program (WISP) that protects sensitive information and at the same time proves that the organization has taken reasonable steps to protect private information.
WISP is not a new concept — many U.S. federal and state laws require security programs. These include GLB security regulations (Fed, OTC, FDIC, OCC) – 2001, GLB security regulations (FTC) – 2002, FTC enforcement actions – 2002-present, FISMA (government agencies) – 2002, HIPAA security regulations (HHS) – 2003, Oregon (as a safe harbor) – 2007, Massachusetts regulations – 2010, New Jersey regulations (proposed) — 2008 4 AG enforcement actions and developing case law. Internationally, WISP requirements exist in Argentina, Austria, the EU Data Protection Directive, Iceland, Italy, the Netherlands, Norway, the Philippines, Poland, Portugal, Spain and other countries. Perhaps the best and certainly the most inclusive WISP is the international one created by the payment card industry data security standard (PCI DSS).
From a very practical approach, a WISP provides a company with “court provable security.” Security is a relative concept and it is unreasonable to expect that a “one size fits all” approach will provide the best protection. The important fact, as reflected in the TRENDnet and Patco cases, will be that the company holding the data has anticipated the threats from hostile technology and complied with privacy restrictions placed on it by state and federal law.