A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections in regard to personally identifiable  information shared with government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor whether cybersecurity legislation is enacted this year.

The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME) would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector to the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individual personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecution unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.

The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticisms and, even though amendments were added that sought to address those concerns before passage, there is continuing debate whether they went far enough.In addition to privacy concerns, there is a great deal of disagreement whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of “covered critical infrastructure” – sectors which are considered most critical to the nation’s economy and security, such as the electric grid and water systems – and impose mandatory risk-based performance standards enforced through thi^rd party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor late May or early June.

In the meantime,  White House officials including DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing using an email attachment to allow a hacker to enter the computer network. The email appeared to be sent from someone known to the recipient. It has also been reported that the pipeline companies were aware of the exploit, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted. Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks.The White House has endorsed the Lieberman bill.

(Washington, DC)  The Department of Energy’s (DOE) examinations of two big smart grid-related issues, consumer data access and privacy and utility communications needs, are now complete, DOE General Counsel Scott Blake Harris said today in announcing the top-line findings of these wide-ranging examinations.  Both of the DOE proceedings on this topic stem from the Federal Communications Commission’s (FCC) National Broadband Plan, released last spring, which asked the DOE to dig deeper into the central questions of consumer energy data usage and the future of utility communications in the smart grid era.

Data Access and Privacy

Speaking at a forum hosted by the Joint Center for Political and Economic Studies, Harris outlined the major conclusions of the DOE’s report on smart grid data access, third party use and privacy issues.  In general, the various commenters in the data access and privacy proceeding were in very broad agreement, Harris said.  Among the areas of agreement for the various utility, telecom, technology, government and public interest groups who filed comments are: Read more »

All too often, I hear smart grid discussions started by someone suggesting that we really ought to come up with a definition for smart grids. Frankly, that makes me wonder how we ended up with so many people who claim to not know what smart grids are telling us what we should be doing about smart grids.

Seriously, if you don't know what smart grids are, either (a) be quiet and listen to those who do or (b) don't diminish what you do have to contribute to the discussion by highlighting what you don't understand about smart grids. Read more »

The Federal Communications Commission’s Public Safety and Homeland Security Bureau (PSHSB) seeks public comment on the creation of a Cybersecurity Roadmap, as recommended by the National Broadband Plan. The deadline for comments is September 23, 2010.

The notice rightly states that cybersecurity is a vital topic for the Commission because of the risk that unchecked vulnerabilities in the communications infrastructure pose for safety and privacy. The Plan calls for the Roadmap to identify the five most critical cybersecurity threats to the communications infrastructure and its end users, and to establish a two-year plan on how to address those threats. The Roadmap aims to identify vulnerabilities to communications networks or end-users and to develop countermeasures and solutions in preparation for, and response to, cyber threats and attacks in coordination with federal partners.

The Roadmap is an opportunity for utilities to comment on the high level of reliability and security required to run their internal communications networks that support the nation’s critical infrastructure. This effort to outline cybersecurity standards is one of the many being undertaken by the government as cybersecurity gets a larger focus. The Department of Energy and the National Institute of Standards and Technology (NIST) are also drafting guidelines for cybersecurity principles for the industry. Additionally, utility customer experiences with security will determine their adoption and demand of smart grid enabled energy data management technologies.

Ensuring consumer privacy and ability to control access to their energy usage information to be given highest priority, declares recent resolution by the National Association of Regulatory Utility Commissioners (NARUC) at their Summer committee meetings.  With Congress and the U. S. Department of Energy currently looking at the issue of consumer data, privacy and access, NARUC stepped forward to voice it's opinion.  NARUC recognized the needed balance of ensuring privacy of consumer data while allowing for the benefits the deployment of smart grid promises.  NARUC also resolved that utilities, subject to State commission oversight,  need to make cost-effective decisions while at the same time safeguarding their customer's privacy, and that authorized third parties have responsibilities to protect this information and the privacy of consumers.  Finally, NARUC resolved that any Congressional or federal agency action should respect and incorporate State rules and ongoing State authority to protect ratepayers' privacy and ability to control access to their energy usage information.

Balancing benefits of consumer access to their own consumption data with the costs anticipated by the various approaches was stressed by UTC comments filed in DOE’s request for information on data access, third party use, and privacy. UTC noted that the innovative deployment by energy utilities of smart meters and smart control systems will create a smart energy grid that will unlock the value of what has been called the Energy Information Economy. Smart energy grids will create an environment in which consumers will have greater abilities to manage their own energy usage and utilities will have new tools to affect grid-wide energy efficiencies never before possible. The key to all this is data. How to provide secure access to it for customers and their agents is the crux of this RFI’s questions and the focus of UTC’s responses. Read more »

(Washington, DC) Consumer privacy and access to consumption data are two key components to ensuring continued consumer support for smart grid deployments, participants said today during the Department of Energy's (DOE) Roundtable discussion on its Privacy and Data Access Request for Information (RFI). A group representing utilities, technology vendors and consumer advocates responded to a wide range of questions from DOE General Counsel, Scott Blake Harris. The bottom line consensus among the participants is that ensuring the privacy and security of consumer data is essential to consumer acceptance of the smart grid. Read more »

At the annual conference of the American Business Media yesterday, Rep. Rick Boucher (D-VA) outlined the provisions of a data privacy bill he expects to release today. The bill would provide consumers the right to opt out of having their personal information, including internet surfing habits, social networking sites visited, and the products and services they purchase, collected by companies engaged in behavioral targeting.

It would apply to the collection of personal information from consumers both online and offline and "initially require that all Web sites that collect information from consumers give consumers notice with respect to what information is collected, how it is used, who it is shared with, and the circumstances under which it is shared," Boucher said. Unaffiliated third party websites that collect data from multiple unaffiliated websites as well as those seeking to use sensitive personal information such as medical or financial data would be required to have the consumer's specific consent before using and collecting the information from them.

A letter cosigned by the Consumer Federation of America, Electronic Frontier Foundation, Privacy Rights Clearinghouse and the U.S. Public Interest Research Group decried the inclusion of the “opt out” provision as “a blow to consumer protection” by allowing firms to collect and use data unless consumers specifically request that it not be collected. The letter also called for the right for consumers to review and correct the information and to prevent the linking of an individual’s name or address through an IP address, cookie or other identifier.

More on the implications of bill concerning the collection and use of data on a consumer’s energy use provided by SG meters will be determined once the bill is released.

(Washington, DC) As smart grid technologies take hold, two key technical challenges, maintaining consumer privacy and network security, will require constant diligence by utilities, experts told attendees today at UTC's Smart Grid Policy Summit. "I've told people to focus on what is unique to the smart grid," National Institute of Standards and Technology (NIST) Senior Cyber Security Strategist Annabelle Lee said. NIST is charged with developing cyber security requirements that will be adopted as industry requirements by the Federal Energy Regulatory Commission.

"The difference with the smart grid is the granularity of the information," she said. "The functionality will not change with the smart grid. We'll still get electricity and a bill every month." Read more »

(Washington, DC) The utility industry is poised at the intersection of energy and broadband as it builds smart grids, a key Administration technology official said today here at UTC's Smart Grid Policy Summit. "This is ground zero," Andrew McLaughlin, Deputy U.S. Chief Technology Officer, Executive Office of the President told Summit attendees.

"The fusion of information flows with the electrical system is one of the great transformations that we will see over the next several decades," McLaughlin said. Government should avoid a top-down approach when it comes to smart grid, he advised. "The strength of the U.S. system is decentralized processes." Read more »