Panel: Security and Data Protection as a Key enabler of Mass Adoption for the Smart Grid: Operationalize Privacy by Design into Your Smart Grid Initiatives
Moderator: Michelle Chibba, Director, Policy, Office of the Information & Privacy Commissioner of Ontario (IPC)
• Linda Evers, Partner and Chair, Energy Group, Stevens & Lee
• Lee S. Krevat, Director, Smart Grid, San Diego Gas & Electric
• Christopher Villarreal, Regulatory Analyst, Policy and Planning Division, California Public Utilities Commission
Security and Data Protection Panel Discussion
Security and Data Protection as a Key Enabler of Mass Adoption of the Smart Grid
Lee Krevat, Director, Smart Grid, SEMPRA/SDG&E
Michelle Chibba, Director, Policy, Information and Privacy Commissioner of Ontario (IPC)
Chris Villarreal, Regulatory Analyst, California Public Utilities Commission (CPUC)
Linda Evers, Chair, Energy, Communications & Public Utility Group, Esquire, Stevens & Lee
SDG&E’s Smart Grid Lee Krevat, Smart Grid Director
Factors Driving Urgent Need for Energy System Changes
• Customer Empowerment – Choice, Control, Convenience
– Smart Appliances, Smart Charging, Smart Rates
• Centralized renewables – Intermittent availability issues
– Increased volume threatens grid stability
• Distributed renewables (rooftop solar) – No control, can’t see it, no communication
– Power quality issues will increase
• Electric vehicles – Current electric grid cannot manage potential volume
– Overall consumption may rise significantly
Job of managing grid getting more complex; need to leverage technology
Background
• Installing 1.4 million smart electric meters and adding module to existing 850,000 gas meters for all customers by December 2011
• Install 1.4 million smart electric meters for all customers
– Solid-state electric meter technology with ZigBee Chip
– Electric interval data reads:
• Residential: hourly, Commercial/Industrial: 15-minutes
Customer Benefits
• Enhances reliability and outage detection, and speeds restoration
• Gives customers more control over their everyday energy usage, opportunity for lower bills
• Reduced need to access property, more privacy
Currently over 2.2 Million meters installed (over 95%)!
Customer Empowerment Smart Meter
Tools and Programs
• SDG&E Online Tools
• Demand Response
• Dynamic Pricing – future offering
• Home Area Network Pilots
Awards and Recognitions
• SDG&E’s Smart Meter program was awarded “Best in Quality” by Chartwell, Inc. for customer service
• Recognition of being a “gold standard” utility by CPUC Commissioner Ryan in 2010
• Second year in a row the honor of “Smartest Utility in the Nation” by Intelligent Utility Magazine and IDC Energy Insights
Customer Empowerment Data Available to Customers
The Connected Home of the Future
Energy Storage Smart Appliances Interactive User Portal Electric Vehicle Charging Station HVAC Programmable Gateway Communicating Thermostat Pool Pump SmartMeter In Home Energy Display Solar Panel
Considerations:
• Environmental
• Customer benefits
• Vendor compatibility
• Security (Attack vectors, Vulnerabilities, Threats)
Reliability Issues Changing San Diego Energy Mix
Values are for illustration purposes and do not represent forecasts
Energy mix for 2015 and 2020 are subject to substantial uncertainty
Distributed Renewable Growth
[Chart: Residential Distributed Generation. Y-axis: total number of MW at year end (0 to 50); X-axis: year (2000 to 2010).]
1MW PV: 10 Minutes on a Cloudy Day
Extreme voltage fluctuation results
Reliability Issues Solar & Electric Vehicle Customers
Electric Vehicle Charging – charging at peak versus charging off-peak
Source: EPRI
• Power demand from “badly” controlled charging – a new, potentially disruptive peak
• Controlled overnight charging could result in no increase in peak load
• Many drivers share patterns and arrive home near the same time
• A typical level 2 EV charge, 220 V @ 30 A, could draw 6.6 kW power
Questions?
Lee Krevat
Director, Smart Grid
www.sdge.com/smartgrid/
Thank You
Privacy by Design: A Key Enabler of Mass Adoption of the Smart Grid
Michelle Chibba, Information and Privacy Commissioner’s Office, Ontario, Canada
Privacy Defined
• Right of an individual to exercise a measure of control over the collection, use and disclosure of their personal information
• Definition of personally identifiable information (PII) – any information, recorded or otherwise, relating or linked to an identifiable individual
• Privacy is contextual / think of privacy as an aspect of CRM (Customer Relationship Management)
What privacy is not
Privacy ≠ Security
Security is, however, vital to privacy
Fair Information Practices
• Why are you asking?
– Collection; purpose specification
• How will the information be used?
– Primary purpose; use limitation
• Any additional secondary uses?
– Notice and consent; prohibition against unauthorized disclosure
• Who will be able to see my information?
– Restricted access from unauthorized third parties
Personal Information on the Smart Grid
• Modernization of the current electrical grid will involve end-user components and activities that will lead to increasing the collection, use and disclosure of personal information by utility providers, as well as third-parties
• What constitutes “personal information” on the Smart Grid is the subject of much discussion
• In the context of the Smart Grid, the linkage of any personally identifiable information with energy use would render the linked data as personal information and privacy considerations immediately apply
SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation
“The smart grid is certainly a good idea, which I strongly support. But the focus has been so singularly on controlling energy use that I think the privacy issue is a sleeper – it is not top-of-mind.”
— Commissioner Cavoukian,
Toronto Star, Smart grid saves power, but can it thwart hackers? August 3, 2009
www.privacybydesign.ca
Smart Grid: Privacy Risks
• An electricity usage profile can translate into a source of detailed behavioural information
• Digital data is vulnerable to unauthorized access, copying, matching, merging and widespread dissemination for secondary purposes without the consent of the consumer
Why Consumer Confidence and Trust is Essential
“There are sound reasons why energy consumers should remain in control of the energy consumption information they produce, even if there isn’t a law that requires this. The underlying rationale is that consumer confidence and trust in the Smart Grid, and in one’s local electricity distributors, is vital in achieving the vision of a more energy efficient electrical grid.”
— Commissioner Cavoukian,
Electric Light & Power Magazine
www.elp.com
Why We Need Privacy by Design
• Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg
• Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy
Privacy by Design: The 7 Foundational Principles
1. Proactive not reactive
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality; positive-sum not zero-sum
5. End-to-end security: full lifecycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric
Privacy by Design
• Privacy by Design seeks to build in privacy – up front, right into the design specifications; into the architecture; embed privacy into the technology used – bake it in;
• Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information whenever possible;
Privacy by Design:
The Trilogy of Applications
Information Technology
Accountable Business Practices
Physical Design & Infrastructure
Examples of Privacy by Design in Smart Grid guidance
“…the “Privacy by Design” methodology offers a promising approach to ensuring that data practices promote privacy, not just in the FIP of data minimization, but in all aspects of privacy planning.”
- California Public Utilities Commission in Rulemaking 08-12-009 decision adopting rules to protect the privacy and security of customer electricity usage data
“… this need to build privacy protections into systems and processes, along with the resulting benefits, is provided within the “Privacy By Design” methodology.”
- National Institute of Standards and Technology in NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid
“The Smart Grids Task Force has agreed that a ‘privacy by design’ approach is needed. This will be integrated in the standards being developed by the ESOs [European Standards Organizations].”
- European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, April 12, 2011
Conclusion: Where the IPC Stands on Smart Grid
• We must take care not to sacrifice consumer privacy amidst a sea of enthusiasm for electricity reform
• Privacy is necessary for consumer confidence and trust in the Smart Grid
• Principles of Privacy by Design must be part of the overall design for smart grid data flows
IPC Resources
• SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation
• Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid
• Operationalizing Privacy by Design: The Ontario Smart Grid Case Study
• Privacy by Design: The 7 Foundational Principles - Implementation and Mapping of Fair Information Practices
• FAQ – Smart Grid Privacy – From Smart Meters to the Future
• Privacy by Design Resolution – 32nd International Conference of Data Protection and Privacy Commissioners, 27-29 October 2010, Jerusalem, Israel
• “Assets Beyond the Meter – Who Should Own Them?” by Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario. In Electric Light & Power, September/October 2010, pgs. 55 & 58
www.privacybydesign.ca
How to Contact Us
Michelle Chibba, Director, Policy and Special Projects
Information and Privacy Commissioner’s Office of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3333 / 1-800-387-0073
Web: www.ipc.on.ca
CPUC’s Privacy Decision Chris Villarreal, California PUC
California Actions on Privacy
• California has a long history of promoting privacy
– California Constitution, Article 1, Section 1 includes right to privacy
• SB 1476 – signed into law on September 29, 2010
– Utilities and their contractors must maintain customer privacy
– Utilities and contractors do not need customer approval for “system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs…” (i.e., primary purposes)
– BUT…customer information cannot be used for “secondary purposes” without customer consent
• CPUC issued D.11-07-056 on July 29, 2011 to implement SB 1476
– http://docs.cpuc.ca.gov/PUBLISHED/FINAL_DECISION/140369.htm
D.11-07-056
• Began deliberations on privacy rules in August 2010.
• Held two days of workshops, and several rounds of comments.
– One round of comments focused on Commission jurisdiction over third parties
• Many parties participated – notably, Center for Democracy and Technology and Electronic Frontier Foundation
• For the most part, process was not controversial, and parties agreed on most of the rules.
• Decision relies upon and adopts Fair Information Practice Principles.
– Transparency (Notice)
– Purpose Specification
– Individual Participation (Access and Control)
– Data Minimization
– Use and Disclosure Limitation
– Data Quality and Integrity
– Data Security
– Accountability and Auditing
Privacy Rules Summary
• Rules apply to utilities, utility third party contractors and third parties accessing customer information directly from the utility.
• Rules do not apply to third parties accessing information from customer (e.g., from the meter).
• Customer consent not required for “primary purposes” such as utility operations, energy efficiency, demand response or energy management programs. All other purposes are considered “secondary purposes” and require customer authorization.
• Availability of aggregated or anonymized data does not require customer authorization
• Utilities given 90 days to file an Advice Letter with CPUC with whatever changes are necessary to implement this decision.
• New phase to determine applicability of rules upon natural gas companies, other electric utilities, community choice aggregators or electric service providers.
Customer Access Actions in D.11-07-056
• All three IOUs should make information available to customers in a consistent manner.
• Provide customers with approximate electricity price, actual usage and bill estimate, updated daily.
• Also provide bill-to-date, bill forecast data, projected month-end tiered rate, and notification of crossing tiers; all prices should be “all in” price for electricity.
• Directs utilities to work with CAISO to determine best ways to provide customers with wholesale prices.
• Directs utilities to work with Staff and other parties on ways to provide prices (retail and wholesale) in real-time to customers.
• Utilities must allow third party access via the utility’s back-haul when authorized by a customer. (Application due in January)
For Further Information
CPUC Smart Grid webpage: http://www.cpuc.ca.gov/PUC/energy/smartgrid.htm
Chris Villarreal
Policy and Planning Division
Phone: (415) 703-1566
Linda R. Evers, Esq. Stevens & Lee
Regulatory Proceedings Related to Smart Grid Privacy
• Federal
– Department of Energy Report
– Federal Energy Regulatory Commission
  • NIST/SGIP Report
– National Association of Regulatory Energy Commissioners
  • Resolution on Smart Grid Principles
– Electric Consumer Right to Know Act “e-Know Act”
  • Senate Bill 1029 gives customers the right to control energy usage information
  • Allows the attorney general of a state to bring a civil suit against electric utilities
Regulatory Proceedings Related to Smart Grid Privacy (cont’d)
• States
– California: Docket No. R.08-12-009
– Colorado: Docket No. 11R-799E
  • A Recommended Decision was recently issued that includes a Consent to Disclose Utility Customer Data form (Exhibit B) and a Data Freeze Form (Exhibit C)
– Ohio: See Case No. 11-277-GE-UNC
  • PUCO held smart grid privacy workshops and published a Consumer Privacy and Customer Data Access Issues list
– New York: See Case No. 10-E-0285
  • Commission issued a Smart Grid Policy Statement
– Texas: See Project #34610
  • Implementation Project Relating to Advanced Metering
Smart Grid Best Practices
What is your privacy policy?
– Who will you share the data with?
– Will you sell it, if so, in what form?
Review contracts with Vendors
– Collection companies
– Low income program administrators
– Energy efficiency program coordinators
– Consultants
Smart Grid Best Practices (cont’d)
• What’s the smart grid?
• What’s a smart meter?
• How do the meters work?
– What can you do remotely?
– What will you do remotely?
• Privacy?
– What is your policy?
– 3rd party vendors?
– New players
• Need to be able to explain the value of your smart grid program to customers
For More Information
• Linda R. Evers, Esquire
Stevens & Lee, Lawyers & Consultants
111 North Sixth Street
P.O. Box 679
Reading, PA 19603-0679
610-478-2265
www.smartgridlegalnews.com