Panel: Security and Data Protection as a Key enabler of Mass Adoption for the Smart Grid: Operationalize Privacy by Design into Your Smart Grid Initiatives

Moderator: Michelle Chibba, Director, Policy Information& Privacy Commissioner, Office of Ontario (IPC)

• Linda Evers, Partner and Chair, Energy Group. Stevens & Lee

• Lee S. Krevat, Director, Smart Grid, San Diego Gas & Electric

• Christopher Villarreal, Regulatory Analyst, Policy and Planning Division, California Public Utilities Commission

Security and Data Protection Panel Discussion

Security and Data Protection as a Key Enabler of Mass Adoption of the Smart Grid

Lee Krevat, Director, Smart Grid, SEMPRA/SDG&E

Michelle Chibba, Director, Policy, Information and Privacy Commissioner of Ontario (IPC)

Chris Villareal, Regulatory Analyst, California Public Utility Commission (CPUC)

Linda Evers, Chair, Energy, Communications & Public Utility Group, Esquire, Stevens & Lee

SDG&E’s Smart Grid Lee Krevat, Smart Grid Director

Factors Driving Urgent Need for Energy System Changes

• Customer Empowerment – Choice, Control, Convenience

– Smart Appliances, Smart Charging, Smart Rates

• Centralized renewables – Intermittent availability issues

– Increased volume threatens grid stability

• Distributed renewables (rooftop solar) – No control, can’t see it, no communication

– Power quality issues will increase

• Electric vehicles – Current electric grid cannot manage potential volume

– Overall consumption may rise significantly

5

Job of managing grid getting more complex;

need to leverage technology

Background

• Installing 1.4 million smart electric meters and adding module to existing 850,000 gas meters for all customers by December 2011

• Install 1.4 million smart electric meters for all customers

– Solid-state electric meter technology with ZigBee Chip

– Electric interval data reads:

• Residential: hourly, Commercial/Industrial: 15-minutes

Customer Benefits

• Enhances reliability and outage detection, and speeds restoration

• Gives customers more control over their everyday

energy usage, opportunity for lower bills

• Reduced need to access property, more privacy

Currently over 2.2 Million meters installed (over 95%)!

Customer Empowerment Smart Meter

Tools and Programs • SDG&E Online Tools • Demand Response • Dynamic Pricing – future offering • Home Area Network Pilots

Awards and Recognitions

• SDG&E’s Smart Meter program was awarded ‘Best in Quality”, by Chartwell, Inc. for customer service

• Recognition of being a “gold standard” utility by CPUC Commissioner Ryan in 2010

• Second year in a row the honor of “Smartest Utility in the in Nation” by Intelligent Utility Magazine and IDC Energy Insights.

Customer Empowerment Data Available to Customers

7

8

The Connected Home of the Future

Energy Storage Smart Appliances Interactive User Portal Electric Vehicle Charging Station HVAC Programmable Gateway Communicating Thermostat Pool Pump SmartMeter In Home Energy Display Solar Panel

Considerations: Environmental Customer benefits Vendor compatibility

Security (Attack vectors, Vulnerabilities, Threats)

Reliability Issues Changing San Diego Energy Mix

Values are for illustration purposes and do not represent forecasts

9

Energy mix for 2015 and 2020 are subject to substantial uncertainty

10

Distributed Renewable Growth

0

5

10

15

20

25

30

35

40

45

50

2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010

Tota

l nu

mb

er

of

MW

at

year

en

d

Residential Distributed Generation

1MW PV: 10 Minutes on a Cloudy Day

Extreme voltage fluctuation results

Reliability Issues Solar & Electric Vehicle Customers

12

13

Electric Vehicle Charging – charging at peak versus charging off-peak

Source: EPRI

Power demand from “badly” controlled

charging – a new, potentially disruptive peak

Controlled overnight charging

could result in no increase in

peak load

Many drivers share patterns and

arrive home near the same time A typical level 2 EV charge, 220V

@ 30a could draw 6.6kW power

14

15

Questions?

Lee Krevat

Director, Smart Grid

LKrevat@semprautilities.com

www.sdge.com/smartgrid/

Thank You

Privacy by Design: A Key Enabler of Mass Adoption of the Smart Grid

Michelle Chibba, Information and Privacy Commissioner’s Office, Ontario, Canada

Privacy Defined

• Right of an individual to exercise a measure

of control over the collection, use and

disclosure of their personal information

• Definition of personally identifiable

information (PII) - any information, recorded

or otherwise, relating or linked to an

identifiable individual

• Privacy is contextual / think of privacy as an

aspect of CRM (Customer Relationship

Management)

What privacy is not

Privacy Security

Security is, however, vital to privacy

Fair Information Practices

• Why are you asking?

– Collection; purpose specification

• How will the information be used?

– Primary purpose; use limitation

• Any additional secondary uses?

– Notice and consent; prohibition against unauthorized disclosure

• Who will be able to see my information?

– Restricted access from unauthorized third parties

Personal Information on the Smart Grid

• Modernization of the current electrical grid will involve end-user components and activities that will lead to increasing the

collection, use and disclosure of personal information

by utility providers, as well as third-parties • What constitutes “personal information” on the Smart Grid is the

subject of much discussion

• In the context of the Smart Grid, the linkage of any personally

identifiable information with energy use would render the

linked data as personal information and privacy considerations immediately apply

SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of

Electricity Conservation

“The smart grid is certainly a good idea, which I strongly support. But the focus has been so singularly on controlling energy use that I think the privacy issue is a sleeper – it is not top-of-mind.”

— Commissioner Cavoukian,

Toronto Star, Smart grid saves power, but can it thwart hackers? August 3, 2009

www.privacybydesign.ca

Smart Grid: Privacy Risks

• An electricity usage profile can translate into a source of

detailed behavioural information

• Digital data is vulnerable to unauthorized access, copying, matching, merging and widespread

dissemination for secondary purposes without

the consent of the consumer

Why Consumer Confidence and Trust is Essential

“There are sound reasons why energy consumers

should remain in control of the energy consumption

information they produce, even if there isn’t a law

that requires this. The underlying rationale is that

consumer confidence and trust in the Smart Grid,

and in one’s local electricity distributors, is vital in

achieving the vision of a more energy efficient

electrical grid.”

— Commissioner Cavoukian,

Electric Light & Power Magazine

www.elp.com

Why We Need Privacy by Design

Most privacy breaches remain undetected – as

regulators, we only see the tip of the iceberg

Regulatory compliance alone, is unsustainable as

the sole model for ensuring the future of privacy

Privacy by Design The 7 Foundational Principles

1. Proactive not reactive; 2. Privacy as the default setting; 3. Privacy embedded into design; 4. Full functionality; positive-sum

not zero-sum 5. End-to-end security: full lifecycle

protection 6. Visibility and transparency: keep

it open 7. Respect for user privacy: keep it

user-centric

Privacy by Design

• Privacy by Design seeks to build in privacy – up front, right into the design specifications; into the architecture; embed privacy

into the technology used – bake it in;

• Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information whenever possible;

Privacy by Design:

The Trilogy of Applications

Information Technology

Accountable Business Practices

Physical Design & Infrastructure

Examples of Privacy by Design in Smart Grid guidance

“…the “Privacy by Design” methodology offers a promising approach to ensuring that data practices promote privacy, not just in the FIP of data minimization, but in all aspects of privacy planning.”

- California Public Utility Commission in Rulemaking 08-12-009 decision adopting rules to protect the privacy and security of customer electricity usage data

“… this need to build privacy protections into systems and processes, along with the resulting benefits, is provided within the “Privacy By Design” methodology.”

- National Institute of Standards and Technology in NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid

“The Smart Grids Task Force has agreed that a ‘privacy by design’ approach is needed. This will be integrated in the standards being developed by the ESOs [European Standards Organizations].”

- European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, April 12, 2011

Conclusion: Where the IPC Stands on Smart Grid

• We must take care not to sacrifice consumer privacy amidst a sea of enthusiasm for electricity reform

• Privacy is necessary for consumer confidence and trust in the Smart Grid

• Principles of Privacy by Design must be part of the overall design for smart grid data flows

IPC Resources • SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of

Electricity Conservation

• Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid

• Operationalizing Privacy by Design: The Ontario Smart Grid Case Study

• Privacy by Design: The 7 Foundational Principles - Implementation and Mapping of Fair Information Practices

• FAQ – Smart Grid Privacy – From Smart Meters to the Future

• Privacy by Design Resolution – 32nd International Conference of Data Protection and Privacy Commissioners, 27-29 October 2010, Jerusalem, Israel

• “Assets Beyond the Meter – Who Should Own Them?” by Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario. In Electric Light & Power, September/October 2010, pgs. 55 & 58

www.privacybydesign.ca

How to Contact Us Michelle Chibba, Director, Policy and Special Projects

Information and Privacy Commissioner’s Office of Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario, Canada

M4W 1A8

Phone: (416) 326-3333 / 1-800-387-0073

Web: www.ipc.on.ca

E-mail: info@ipc.on.ca

CPUC’s Privacy Decision Chris Villarreal, California PUC

California Actions on Privacy

• California has a long history of promoting privacy

– California Constitution, Article 1, Section 1 includes right to privacy

• SB 1476- signed into law on September 29, 2010

– Utilities and their contractors must maintain customer privacy

– Utilities and contractors do not need customer approval for “system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs…” (i.e., primary purposes)

– BUT…customer information cannot not be used for “secondary purposes” without customer consent

• CPUC issued D.11-07-056 on July 29, 2011 to implement SB 1476

– http://docs.cpuc.ca.gov/PUBLISHED/FINAL_DECISION/140369.htm

D.11-07-056 • Began deliberations on privacy rules in August 2010.

• Held two days of workshops, and several rounds of comments.

– One round of comments focused on Commission jurisdiction over third parties

• Many parties participated- notably, Center for Democracy and Technology and Electronic Frontier Foundation

• For the most part, process was not controversial, and parties agreed on most of the rules.

• Decision relies upon and adopts Fair Information Practice Principles. – Transparency (Notice) – Purpose Specification – Individual Participation (Access and Control) – Data Minimization – Use and Disclosure Limitation – Data Quality and Integrity – Data Security – Accountability and Auditing

Privacy Rules Summary • Rules apply to utilities, utility third party contractors and third parties accessing

customer information directly from the utility.

• Rules do not apply to third parties accessing information from customer (e.g., from the meter).

• Customer consent not required for “primary purposes” such as utility operations, energy efficiency, demand response or energy management programs. All other purposes are considered “secondary purposes” and require customer authorization.

• Availability of aggregated or anonymized data does not require customer authorization

• Utilities given 90 days to file an Advice Letter with CPUC with whatever changes are necessary to implement this decision.

• New phase to determine applicability of rules upon natural gas companies, other electric utilities, community choice aggregators or electric service providers.

Customer Access Actions in D.11-07-056 • All three IOUs should make information available to customers in a

consistent manner.

• Provide customers with approximate electricity price, actual usage and bill estimate, updated daily.

• Also provide bill-to-date, bill forecast data, projected month-end tiered rate, and notification of crossing tiers; all prices should be “all in” price for electricity.

• Directs utilities to work with CAISO to determine best ways to provide customers with wholesale prices.

• Directs utilities to work with Staff and other parties on ways to provide prices (retail and wholesale) in real-time to customers.

• Utilities must allow third party access via the utility’s back-haul when authorized by a customer. (Application due in January)

For Further Information

CPUC Smart Grid webpage: http://www.cpuc.ca.gov/PUC/energy/smartgrid.htm

Chris Villarreal Policy and Planning Division Phone: (415) 703-1566 Email: crv@cpuc.ca.gov

Linda R. Evers, Esq. Stevens & Lee

Regulatory Proceedings Related to Smart Grid Privacy

• Federal

– Department of Energy Report

– Federal Energy Regulatory Commission • NIST/SGIP Report

– National Association of Regulatory Energy Commissioners

• Resolution on Smart Grid Principles

– Electric Consumer Right to Know Act “e-Know Act” • Senate Bill 1029 gives customers the right to control energy usage

information

• Allows the attorney general of a state to bring a civil suit against electric utilities

Regulatory Proceedings Related to Smart Grid Privacy (cont’d)

• States – California-Docket No. R.08-12-009 – Colorado- Docket No. 11R-799E A Recommended Decision was recently issued that includes a Consent to

Disclose Utility Customer Data form (Exhibit B) and a Data Freeze Form (Exhibit C)

– Ohio-See Case No. 11-277-GE-UNC PUCO held smart grid privacy workshops and published a Consumer Privacy

and Customer Data Access Issues list

– New York- See Case No. 10-E-0285 Commission issued a Smart Grid Policy Statement

– Texas- See Project #34610 Implementation Project Relating to Advanced Metering

Smart Grid Best Practices

What is your privacy policy

– Who will you share the data with?

– Will you sell it, if so, in what form?

Review contracts with Vendors

– Collection companies

– Low income program administrators

– Energy efficiency program coordinators

– Consultants

For More Information Smart Grid Best Practices (cont’d)

• What’s the smart grid?

• What’s a smart meter?

• How do the meters work? – What can you do remotely?

– What will you do remotely?

• Privacy? – What is your policy?

– 3rd party vendors?

– New players

• Need to be able to explain the value of your smart grid program to customers

For More Information

• Linda R. Evers, Esquire Stevens & Lee, Lawyers & Consultants 111 North Sixth Street P.O. Box 679 Reading, PA 19603-0679 610-478-2265 LRE@StevensLee.com www.smartgridlegalnews.com

Questions?

Linda R. Evers, Esq.

Stevens & Lee LRE@stevenslee.com

Thank You