ENISA Publishes New Guidelines for Smart Grid Cyber Security

By Jacqueline Clover and Ezra Steinhardt

In December 2012, the European Network and Information Security Agency (ENISA) published a set of (non-binding) Guidelines titled “Appropriate security measures for smart grids; Guidelines to assess the sophistication of security measures implementation”. The Guidelines are intended to help EU Member States and smart grid stakeholders improve the resilience of smart grid cyber security systems against cyber threats and attacks. They follow on from a pair of European Commission initiatives that have called for improved security of European electricity networks: the Commission’s Standardization Mandate to support European Smart Grid Deployment, released in March 2011, and the Commission’s Recommendation on the roll-out of smart metering systems, released in March 2012. The latter document encourages EU Member State electricity network providers to consult the ENISA Guidelines when implementing smart grid security measures.

The Guidelines stress the importance of data privacy for smart grid stakeholders, and note that many such stakeholders “still have little experience in these areas”.  The Guidelines do not set out to address data privacy concerns per se, but the information security measures proposed by the Guidelines will also be of use to controllers, who must take adequate organizational and technical measures to protect personal data under European data protection law. 

The Guidelines aim to harmonise and establish minimum cyber security standards and best practices for European smart grids.  The Guidelines identify ten smart grid security issue areas and make security recommendations for each area.  To take into account different smart grid characteristics, such as the size of the grid or the types of services provided, and correspondingly different risk profiles, the Guidelines accommodate varying degrees of security measure implementation (“sophistication levels”).  Some security measures (or security issues) discussed by the Guidelines include:

  • Protection of sensitive information processing facilities;
  • Encryption methods for sensitive data during storage and transmission;
  • Controlling access to critical asset information, and the use of secure remote access methods;
  • Precautions against malware and viruses;
  • Timely technical upgrades to smart grid information systems;
  • Segregation of information services and information systems into groups and networks;
  • Protection of security audit information;
  • Security policies and monitoring of grid information systems;
  • Staff cyber security training programs, personnel risk assessments, and staff security responsibilities and oversight;
  • Third party agreements (e.g., with external suppliers and contractors) and monitoring of third parties to preserve confidentiality;
  • Communication with relevant authorities and cyber security interest groups (i.e., to stay ahead of the latest vulnerabilities and threats);
  • Maintaining updated inventories of all smart grid components and systems;
  • Management of authentication credentials, user names, etc.; and 
  • Policies for secure disposal of smart grid components and systems.

The smart grid provider should conduct a risk assessment when determining how to implement and maintain the above measures. 

 

Smart Grid Advocacy Group Seeks to Refute Privacy and Data Security Concerns

The Smart Grid Consumer Collaborative (SGCC) recently published a fact sheet and released a web video to refute privacy and data security critiques of smart meter technology.  SGCC is a non-profit that seeks “to advance the adoption of a reliable, efficient, and secure smart grid.” Its membership includes electric utility and technology companies, universities, government agencies, and environmental advocacy groups.  Privacy and data security concerns have led some consumers to oppose the installation of smart meters, and even inspired lawsuits in states such as Maine and Illinois.  SGCC’s recently published materials suggest that many of these concerns are based on “myths” and “urban legend.”

Smart meter privacy concerns generally focus on the amount and type of data that smart meters collect from the homes or businesses where they are installed.  Some consumers are concerned that, by recording detailed information about electricity consumption, smart meters will provide electric utility companies with substantial information about their private activities. The SGCC fact sheet seeks to address these concerns, asserting that “[s]mart meters measure how much energy you use, based on time of day, not how you use that energy.”  A consumer would need to have a home energy management system installed to enable more detailed data collection about whether a specific appliance is being used.  Other consumer groups have expressed concern that utility companies will sell the personal information that they collect from consumers.  SGCC refutes this concern by arguing that “[u]tilities adhere to strict policies, following state laws that regulate the use of personal information for business functions like billing and customer service.”  Utilities already have considerable information on electricity consumption which they do not sell, and the introduction of smart meters will not change this.


Maine Supreme Court Upholds Dismissal of Smart Meter Privacy Challenge

The Maine Supreme Court recently upheld a state agency’s dismissal of a privacy challenge to the installation of smart meter technology in Maine homes and businesses.  Smart meters use wireless technology to collect and transmit data to utility companies about how and when customers use electricity. While smart grid advocates argue that the use of smart meters will promote energy efficiency and customer savings, privacy advocates have raised concerns about the nature of the data that is collected. In Friedman v. Public Utilities Commission et al., Maine consumers argued, inter alia, that a utility company’s collection of information via smart meters represented a violation of the Fourth Amendment, that the Maine Public Utilities Commission had not adequately considered their privacy concerns, and that utilities could not impose extra fees on customers who opt out of using a smart meter.

The Commission issued two orders in mid-2011 requiring that the Central Maine Power Company (CMP) provide customers with an option to opt out of smart meter installation.  However, under the Commission’s order, consumers who opted out would be subject to extra fees, including an initial charge and recurring monthly charges. The plaintiffs in Friedman filed a complaint with the Commission, expressing privacy and Fourth Amendment concerns, and challenging the charges on consumers who opted out of using smart meters as a “discriminatory action against those with legitimate privacy and trespass concerns.”  The Commission dismissed these claims without a hearing, finding that it had already investigated and addressed the consumers’ concerns in response to prior complaints.  Plaintiffs appealed to the state supreme court.
