Although much of the focus in the SPARKS project, for which I'm the technical director, has been on cybersecurity's role in minimizing the risks and costs of power disruption, the project has also been concerned with identifying and mitigating risks to privacy that may be entailed by the deployment of Smart Grid. One of the key areas in this regard is the smart meter, because it is the focus of concern for many consumers. The SPARKS team will be looking specifically at consumer attitudes regarding smart meters in an upcoming survey of household preferences related to security and privacy, discussed in the SPARKS 2015 deliverable Understanding the Societal Cost of Cyber Attacks.
There are a number of reasons to focus on this issue of privacy related to Smart Grid, not least of which is the approval of the EU General Data Protection Regulation (EU 2016/679) and the EU Network and Information Security Directive (EU 2016/680). As called out in the provisions of the directive, this regulation has a number of implications for entities that collect personal data: not only securing that data against unlawful access (paragraph 53), but also ensuring that the data is accurate (47), ensuring that it is used only for the purposes for which it was collected (35), ensuring that the entity is transparent with respect to what personal information is being collected (26), and ensuring that the persons to whom the information corresponds have access to that data (paragraph 43). Data breaches must be reported and are subject to significant fines (61). Any damage that a person suffers as a result of a data breach may be subject to compensation (88).
That these implications represent real risks for Smart Grid is already evident. Criminals in Puerto Rico accessed and reprogrammed both residential and industrial smart meters across the island in a massive fraud campaign (described by Marc Goodman in Future Crimes, page 321). Access to a smart meter can provide a wide range of personal information to attackers, including behavioral patterns, physical presence, and socio-economic status.
But smart meters are not just a liability in terms of privacy. Smart meters are an essential component in the comprehensive sensor network required for protecting privacy. They provide a critical data source for the kind of analytics and automated response that we are focusing on in our RSA Security Operations capabilities and in the SPARKS sub-projects. Those capabilities are essential to rapidly detecting and responding to risks - whether those risks are related to cyber attacks, operational issues, user error or changes in business strategy. As the NIS directive calls out, protecting personal information requires understanding the risks inherent in the processing of such information and implementing measures to mitigate those risks (60). Collecting and analyzing data across the Smart Grid is indispensable in responding to this risk.