Smart Grid Summit in Miami: Protecting personal information in the smart grid era is going to be a monumental challenge. Not only will utilities have to ensure customer information is stored securely, but they will also have to guard against information leakage from both legal and illegal activities.
Ward Pyles, senior security analyst at Southern Company, subscribes to the keep-it-simple model. He noted utilities tend to “over-think” the privacy issue when, in fact, it’s better to simplify the process. “The difference is getting everyone on the same page and understanding what that is. First and foremost you have to keep it simple,” he said during the Personal Privacy: Who left the fridge door open? session at the Smart Grid Summit in Miami earlier this month.
New technologies are often not helping the matter, he noted, saying that “they’re not coming together creating any solution that is sound and ideal for us in some cases. So we’ve got to get out of the way of looking at it from a cool toy perspective and actually say what can we implement that’s going to add value to our bottom line and our customers.”
Pyles suggested that working closely with third-party partners is going to produce a solution that is workable and accepted by the customer. “It really takes us and the third parties stepping up coming together, saying this is how it should be designed, this is how it should be implemented because this best way possible for operational functionalization as well as for the protection of privacy of our customers,” he said.
Cullen Jennings, distinguished engineer in the voice technology group at Cisco Systems Inc., said the massive amount of consumer information arising from the smart grid is going to open the doors to new business models. He suggested this type of data would be able to provide advertisers with a true, and more granular, picture of consumers’ home lives. For example, Jennings says, utilities will be able to determine how long the fridge door was open based on the appliance’s energy draw.
“So the message will not be the fridge door is open, the message will be ‘Joe left the fridge door while getting his third beer while watching the Super Bowl.’ So that’s the level of how this is trying to connect together,” he said.
In this type of scenario, protecting personal information becomes critical. “We need to think about what data is collected, why we collect it, what alternatives there are to collecting it, how long do we store it and consent,” he said.
Jennings noted that consent is going to be problematic in the future because “lots of people are going to believe that if we have a user click a check box and mark that they have consented to this that that’s okay. But when your option is take it or leave it, it’s not really consent. And that’s going to become more true over the next 10 years, I think you’ll see a lot of revolt around that.”
Where is the data stored?
There are three options available for utilities when it comes to storing personal information: internally, in the Cloud or a mix of the two. None of them will be perfect and each has its own set of challenges.
Southern Company opted for the first option and currently stores all personally identifiable information (PII) in its own databases. Pyles said that since the company made a significant investment in IT infrastructure and resources, the company opted to leverage that investment.
Jennings said the Cloud model will be used by utilities and, based on the experience of other sectors such as healthcare, some will use this model extensively. He noted that while some organizations will see good data storage and privacy practices, others will be “absolutely awful.”
Some companies will choose to store certain parts of the data with a particular company, which will then send it to a billing company in another country. In turn, this latter company will have its databases run by yet another company.
“You won’t even be able to figure out which datacenter or which country the data is in,” he explained. “You certainly won’t be able to figure out which system administrator at which of probably 30 companies could access your database.”
The issue of privacy will also likely enter the legal realm at some point, particularly as it relates to alleged illegal activities. Jennings suggested, however, that the industry should be more concerned about legal activities.
“Probably the worst privacy things don’t involve the illegal ones, they involve the legal ones,” he said. “When you’re talking about wiretap laws, most law enforcement agencies will tell you the first people that will help will be the security people within the enterprise. And it’s an interesting question. When a law enforcement agency asks some power company to hand over subscriber data, do they challenge that? I don’t know the answer to that. I know that when you go and ask Internet service providers that question, you get very depressing answers.”