I have had the great opportunity to participate in the NIST Smart Grid privacy standards group since July…

Thank you, Gal Shpantzer, for inviting me! 🙂
During this time I’ve learned so much about the plans for the Smart Grid, and I’ve welcomed having the chance to identify the many different privacy issues and concerns involved with the Smart Grid.
Along with working with Gal in the group, I’ve met and have enjoyed working with many others.
As part of the privacy group work, I suggested doing a high-level privacy impact assessment (PIA) for a portion of the Smart Grid plans, and I was happy to lead that effort with the assistance and input of Dr. Christopher Veltsos and Ward Pyles. Thank you, guys!
This high-level PIA addressed the consumer-to-utility portion of the Smart Grid. It is important to understand that the possibilities for this scope are MANY based upon each utility, and also the associated meters used. The PIA focused on the *general issues* regarding the information items involved, the ways in which the meters gathered, processed, possibly stored, transmitted and retained the information, along with the entities with which the information might be shared.
The draft PIA report we created was 22 pages long. I submitted it to the group right before I left for the IAPP Privacy Academy conference last week.
Ironically, as I was at the IAPP Privacy Academy, offline most of the week, submerged in many diverse discussions about privacy, I was not able to participate in probably the most critical activity related to this first draft; the final reviews and modifications to how much of the PIA information was included within the 1st published draft.
Wow, have I learned A LOT about what is involved with getting such types of papers and work okayed and published through the government! 🙂
The portion of the PIA that was included within the first draft is 7 pages long. Much of the heart of the privacy details and related issues were removed, and I understand why.
I blame myself for not understanding the amount of bureaucracy and need for discussion and explanation necessary, well in advance of report publication, to make sure that all of the folks not only within the NIST work group, but also the officials at NIST, including their lawyers, to make sure all information that (I firmly believe) is important is included.
Our group leader (I’m not sure if I can publish her name or not, so T, I’m not trying to dis you, but I just don’t want to get you in trouble with NIST) took the time yesterday to explain to our privacy work group some of the thought that went into the draft cuts. Much had to do with the wording, and also verifying that the information provided within the full PIA was accurate as written, or if it needed to be modified. Also, the 25 recommendations understandably needed more discussion around feasibility, along with related impacts of such recommendations to not only utilities, but also consumers, and meter vendors.
It is definitely helpful going forward with work on the next version of the draft to know that such details need a lot of discussion with folks not only in the group, but also outside the group, and often even more research. The public comment period for the report (once it is published) will be very valuable from gathering such feedback.
I can understand about the inability to make recommendations that cannot feasibly be done. However, even if it is not (politically) possible currently, isn’t it worth considering such recommendations, if they are good and support privacy, as an improvement going forward? Why do we need to continue doing what has always been done if it doesn’t work well, or if it significantly impedes privacy?
I know, I know…I’m not a politician! Just trying to make recommendations for improving privacy in ways that seem like common sense changes. 🙂
One of my recommendations that was cut was:

Again, I understand why such a recommendation needs much more discussion before NIST would want to put their name on it. And, NIST may not even have the authority to make such a requirement. However, I sincerely hope that this ultimately gets approved by whatever power has the authority, and is implemented in a valuable way!
To help with the ongoing work within this group, I want to make some of the information that was cut from the report available for you to look at and give you the opportunity to let me (or any others in the NIST group) know what you think. I’ll provide just one section now.
So, for just one of the cut portions of the PIA cut, I have posted a table I created, with valuable feedback and comments from Dr. Veltsos and Mr. Pyles, to show the 10 major ways in which the Smart Grid consumer-to-utility information exchanges and uses can impact privacy. Please take a look at it, “SmartGrid Privacy Concerns” and let me know what you think!
A simple listing of the 10 privacy concerns follows:
1. Identity Theft
2. Determining Personal Behavior Patterns
3. Determing Specific Appliances Used
4. Performing Real-Time Surveillance
5. Revealing Activities Through Residual Data
6. Targeted Home Invasions
7. Providing Accidental Invasions
8. Activity Censorship
9. Decisions and Actions Based Upon Inaccurate Data
10. Revealing Activities When Used With Data From Other Utilities
See the table for accompanying discussion of each.
In your opinion, are all of these privacy concerns valid? Some not feasible? Is there a privacy concern not listed? Let me know.
I will write more about Smart Grid privacy as our work continues.
In the meantime, here are some more ways to track progress of the Smart Grid and the associated privacy and security group:

• The draft of the report, “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft)” was released yesterday, 9/24/2009.

See page 83 for section 7.3.4 “Privacy Issues in the Smart Grid,” crafted on short notice late last week by the brilliant Dr. Christophe Veltsos and additionally brilliant Mr. Gal Shpantzer to summarize our privacy group’s research and work…BTW, ALL OF US ARE VOLUNTEERING OUR TIME…over the past three months so far. Dr. Veltsos, kudos and a hat-tip to you for so eloquently turning the phrase, “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint.” 🙂

• The actual report with the 7 pages of the 22 original! 🙂 The NIST Interagency Report (NISTIR 7628) Smart Grid Cyber Security Strategy and Requirements is set to be published today (9/25).

Note that privacy was included within the formally titled cyber security strategy report. I’m happy that privacy is being addressed as much as it is; a welcome change from what has occurred previously! And certainly privacy depends upon security controls. However, as all my privacy friends out there know, there is SO much more involved with protecting privacy. This is a good start! Perhaps privacy can get an entirely separate report as more entities and leaders understand the very broad issues involved.

Tags: awareness and training, Christophe Veltsos, Gal Shpantzer, IAPP, Information Security, IT compliance, IT training, NIST, NISTIR 7628, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy training, security training, Smart Grid, SmartGrid

This entry was posted on Friday, September 25th, 2009 at 10:55 am and is filed under Information Security, Privacy and Compliance. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.