Smart Grid Draft Framework -- Comments of EPIC

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER

to

THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

"NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft)"

November 9, 2009

By notice published in the Federal Register on October 9, 2009, the National Institute of Standards and Technology (NIST) announced it seeks public comment on the draft framework and roadmap for Smart Grid interoperability standards.1 NIST seeks

(1) Comments on the overall document and the contents of all chapters, except Chapter 4, Standards Identified for Implementation; and (2) Comments on ... "Standards Identified for Implementation" (Chapter 4); the NIST-proposed "Guidance for Identifying Standards for Implementation"; and recommendations for adding or removing standards and specifications on the list of standards identified for implementation (Table 2), referencing relevant guidance criteria. In addition, NIST requests comments on the standards in Table 3--additional standards NIST has identified for further review.2

Pursuant to this notice the Electronic Privacy Information Center submits the following comments to NIST regarding the privacy implications of the draft framework and roadmap.

The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. EPIC was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC has a long-standing interest in privacy and technology issues.3 EPIC has a specialized area of expertise regarding digital communication technologies and privacy policy.4 EPIC has a particular interest in the privacy implications of the Smart Grid standards as we anticipate that this change in the energy infrastructure will have significant privacy implications for American consumers.5 In other similar areas, EPIC has consistently urged federal agencies to minimize the collection of personally identifiable information (PII), and to establish privacy obligations when PII is gathered.

1 NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft), 74 Fed. Reg. 52,181-83 (October 9, 2009), available at .
2 Id.
3 Available at .

EPIC Comments    NIST Smart Grid Standards    Nov. 9, 2009

Background

The Energy Independence and Security Act of 2007 (EISA)6 directed NIST to take "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of Smart Grid devices and systems...."7 Accordingly, NIST published the "NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft)."8 The Draft Framework states that it:

describes a high-level reference model for the Smart Grid, identifies nearly 80 existing standards that can be used now to support Smart Grid development, identifies 14 high priority gaps, plus cyber security, for which new or revised standards are needed, documents action plans with aggressive timelines by which designated Standards Development Organizations are tasked to fill these gaps, and describes the strategy being pursued to establish standards for ensuring cyber security of the Smart Grid.9

4 Available at .
5 Available at .
6 Id. at 52,182; Pub. L. No. 110-140, 121 Stat. 1492 (codified as amended in scattered sections of 42 U.S.C.).
7 EISA § 1305.
8 National Institute for Standards and Technology, NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0 (Draft) 5 (2009) [hereinafter Draft Framework].

The NIST Framework is ambitious in scope, covering a wide range of issues, but it mentions privacy only briefly. The first reference to "privacy" comes on page 74 of the 90 page document, after all discussion of standards and "priority action plans."10

Once privacy is finally discussed, it is through a fleeting reference to the privacy implications of the Smart Grid under a section titled "Other Issues that Must be Addressed."11 That section references and summarizes the findings of another report, entitled "Smart Grid Cyber Security Strategy and Requirements."12

Privacy cannot effectively be protected when it is an afterthought, and NIST cannot purport to establish a Smart Grid Framework without weaving security and privacy concerns into the framework at a fundamental level. Accordingly, NIST should first review comments regarding the security and privacy of the Smart Grid, and then incorporate those comments into a revised version of the Draft Framework.

EPIC's comments will focus on the significant privacy implications of the Smart Grid proposal and a proposed framework for privacy protection.

9 Id.
10 Id. at 74.
11 Id. at 81.
12 National Institute of Standards and Technology, Smart Grid Cyber Security Strategy and Requirements (2009).


EPIC's Comments and Recommendations

1. The Smart Grid Has Significant Privacy Implications

The collection of personally identifiable information will dramatically transform the ability of providers of power services in the United States to track the activities of American consumers. Some of this tracking will serve the important purpose of reducing energy consumption. But other forms of tracking may be completely unrelated to the stated goal of the Smart Grid program. It is for this reason that comprehensive privacy regulations that limit the collection and use of this data need to be established.

The Smart Grid may threaten privacy in many different ways. First, the Smart Grid could reveal sensitive personal behavior patterns. The Draft Framework proposes to create a "draft specification for facilitating common scheduling operations."13 That is, coordinate power supply based on the schedules of the power needs of users and the availability of power. For instance, "[e]nergy use in buildings can be reduced if building-system operations are coordinated with the schedules of the occupants."14 However, coordinating schedules in rmation about a power consumer's schedule can reveal intimate, personal details about their lives, such as their medical needs, interactions with others, and personal habits: "highly detailed information about activities carried on within the four walls of the home will soon be readily available for millions of households nationwide."15 "For example, research has delineated the differences in availability at home for various social types of electricity consumers including working adults, senior citizens, housewives, and children of school age."16 Similarly, the data could reveal the type of activity that the consumer is engaging in, differentiating between, for example, housework and personal hygiene, or even revealing that a consumer has a serious medical condition and uses medical equipment every night, or that he lives alone and leaves the house vacant all day.17

That concern is further exacerbated by the fact that Smart Grid meter data may be able to track the use of specific appliances within users' homes:

This, more than any other part of the smart meter story, parallels Shelley's fable of Frankenstein: while researchers do not currently have the ability to identify every appliance event from within an individual's electricity profile, the direction of the research as a whole and the surrounding context and motivations for such research point directly to developing more and more sophisticated tools for resolving the picture of home life that can be gleaned from an individual's electricity profile. Before the switch is thrown and the information unleashed upon the world for whatever uses willed, it may be prudent to look into data protections lest the unforeseen consequences come back to haunt us.18

The ability to track appliance usage data has significant privacy implications: "With the whole of a person's home activities laid to bare, [appliance-usage tracking] provides a

13 Draft Framework, supra note 8, at 51.
14 Id. at 52.
15 Elias Leake Quinn, Privacy and the New Energy Infrastructure 28 (2009), available at (emphasis in original) [hereinafter Privacy and the New Energy Infrastructure]; see Rebecca Herold, SmartGrid Privacy Concerns, available at [hereinafter Privacy Concerns].
16 Privacy and the New Energy Infrastructure at 26-27; see A. Capasso et al., Probabilistic Processing of Survey Collected Data in a Residential Load Area for Hourly Demand Profile Estimation, 2 Athens Power Tech 866, 868 (1993).
17 Privacy and the New Energy Infrastructure at 27 ("differences in consumption vary with the type of activity, and profiles of energy uses that differentiate between activities can be constructed for things like leisure time, housework, cooking, personal hygiene"); see Capasso at 869.
18 Privacy and the New Energy Infrastructure at 28.
