1.4.1.3 Security as Information Protection
Security as information protection involves measures taken to ensure the anonymity of electronic information, both in transit and when stored on digital systems. Of primary importance is the protection of personal information about utility customers and of information about the electric power system that may be of interest to parties who wish to harm the utility or its customers [Nordell 2012].
The four interrelated dimensions to energy security are described as physical, cyber, supply, and conflict‐related as defined in [DOE 2015a]:
Physical security risks are related to damage to energy supply, storage, and delivery infrastructures, such as the electric grid, pipeline networks, and rail and marine systems.
Cybersecurity risks are related to the compromise of ICT‐based controls that operate and coordinate energy supply, delivery, and end‐use systems.
Supply security risks are related to price shocks and international supply disruptions of energy commodities, critical materials, and/or equipment.
Conflict‐related security risks are associated with unrest in foreign countries linked to, or impacting, energy.
Therefore, multiple definitions of security need to be explored to find some common thread that can help ensure the success of the pursuit of a smarter electrical grid while maintaining security – in all of its various meanings [Nordell 2012].
Grid security and the privacy of people including consumers are of vital importance in the energy sector. If there is any compromise of the personal data or security of the power service, it can undermine everything. An incident would not only create a breach of privacy or security, but it might also compromise the potential future markets the technology might have been able to create if the service had been secure.
1.4.2 Privacy
Similar to security, privacy has many definitions for use in different contexts, cultures, and jurisdictions. One definition is provided as [Dictionary 1994]:
The condition of being secluded from others; secrecy.
Generally, privacy means a state in which an individual is not observed or disturbed by others.
Privacy refers to protection of personal data. Personal data means any information relating to an identified or identifiable individual (data subject) [Shei 2013].
In the Internet and Web context, where users exchange private data via Web or email with organizations or other users, sometimes unknown users, users experience many concerns:
What personal information can be shared with whom.
Whether and how one can share information anonymously.
Thus, users are concerned with privacy as it relates to personally identifiable information (PII). This is associated with collection, ownership, access control, integrity control, distribution, modifications, repurposing, reconstruction, and disposition of information relating to an individual.
In some situations, an individual might choose to withhold their identity to be publicly unknown or anonymous. In protecting the PII, one option is anonymity. Anonymity is a result of not having identifying characteristics (such as a name or description of physical appearance) disclosed. More concepts and principles related to privacy are available at [OECD 2016]. Therefore, privacy rights are defined in constitutional and common law. Privacy laws deal with the regulation of personal information about individuals that can be collected, stored, and used by governments and other public as well as private organizations.
There is not one universal, internationally accepted definition of privacy; it can mean many things to different individuals. At its most basic, privacy can be seen as the right to be left alone. Privacy terms are defined differently among various industries, groups, countries, and even individuals. Furthermore, privacy should not be confused, as it often is, with confidentiality, and personal information is not the same as confidential information. Confidential information is information for which access should be limited to only those with a business need to know and that could result in compromise to a system, data, application, or other business function if inappropriately shared.
Additionally, privacy can often be confused with security. Although there may be significant overlap between the two, they are also distinct concepts. There can be security without having privacy, but there cannot be privacy without security; security is one of the elements of privacy.
1.4.2.1 Privacy in the Smart Grid
It is important to understand that privacy considerations with respect to a Smart Grid include examining the rights, values, and interests of individuals; it involves the related characteristics, descriptive information, and activities [NISTIR 7628r1]. Thus, data privacy is impacted by the practices of customers who supply personal data and all entities that gather or handle that data.
New energy usage data collected outside of smart meters, such as from home energy management systems (EMS), is also created through applications of Smart Grid technologies. As those data items become more specific and are made available to additional individuals, the complexity of the associated privacy issues increases as well.
Another perspective on privacy is described as consisting of four dimensions [NISTIR 7628r1]:
Privacy of personal information involves the right to control when, where, how, to whom, and to what extent an individual shares his/her own personal information, as well as the right to access personal information given to others, to correct it, and to ensure it is safeguarded and disposed of appropriately.
Privacy of the person is the right to control the integrity of one’s own identity and body (physical requirements, health problems, and required medical devices).
Privacy of personal behavior is the right to keep any knowledge of one's activities and choices from being shared with others.
Privacy of personal communications is the right to communicate without undue surveillance, monitoring, or censorship.
Privacy as a strategy for Smart Grid applications should include all four dimensions [NISTIR 7628r1]. Most Smart Grid entities directly address the personal information dimension, but the other dimensions are not included. There is a gap in the laws and regulations. Therefore, the other dimensions should also be considered in the Smart Grid context because new types of energy use data may be created and communicated. Unique electric signatures for consumer electronics and appliances could be compared against some common appliance usage profiles to develop detailed, time‐stamped activity reports within personal dwellings. Charging station information might reveal the detailed whereabouts of an EV/PEV/PHEV. This data did not exist before the application of Smart Grid technologies. Smart Grid applications may reveal details (energy usage patterns or other type of activities), either explicitly or implicitly, about an individual’s household dwelling or other type of premises.
Although many of the types of data items accessible through the Smart Grid are not new, there is now the possibility that other parties, entities, or individuals will have access to those data items, and there are now many new uses for and ways to analyze the collected data, which may raise substantial privacy concerns. The reputation of an energy service provider might also be impacted by gaps in customer data privacy protection.
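The appliance-signature comparison described above can be turned into a privacy check on reporting granularity. The following is an added example, not taken from the original text or from NISTIR 7628: it matches step changes in a meter trace against appliance profiles and shows how many time-stamped events remain recoverable at 1-, 15-, and 60-minute reporting intervals. The appliance wattages, the 10% tolerance, and the 120-minute trace are constructed assumptions.

```python
# Constructed appliance profiles: steady-state draw in watts (assumed values).
PROFILES = {"fridge": 150, "kettle": 2000, "oven": 3000}
TOLERANCE = 0.10  # a step matches a profile if within 10% of its wattage


def build_trace():
    """Constructed 120-minute trace at 1-minute resolution, 100 W base load."""
    usage = {"fridge": range(10, 30), "kettle": range(40, 43), "oven": range(60, 90)}
    return [100 + sum(PROFILES[a] for a, on in usage.items() if m in on)
            for m in range(120)]


def aggregate(readings, factor):
    """Average consecutive readings into coarser reporting intervals."""
    return [sum(readings[i:i + factor]) / factor
            for i in range(0, len(readings) - factor + 1, factor)]


def detect_events(readings, interval_min):
    """Match step changes between consecutive readings against PROFILES.

    Returns (minute, appliance, "on"/"off") tuples: the time-stamped
    activity report an observer of this data stream could build.
    """
    events = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        for name, watts in PROFILES.items():
            if abs(abs(delta) - watts) <= TOLERANCE * watts:
                events.append((i * interval_min, name, "on" if delta > 0 else "off"))
    return events


def exposure_by_interval(intervals=(1, 15, 60)):
    """Events recoverable at each reporting interval (minutes)."""
    trace = build_trace()
    return {n: detect_events(aggregate(trace, n), n) for n in intervals}


if __name__ == "__main__":
    for interval, events in exposure_by_interval().items():
        print(f"{interval:>2}-minute data: {len(events)} events {events}")
```

In this constructed trace, 15-minute averaging hides the short kettle use and the low-power fridge cycle but still exposes the long oven run, and hourly averaging exposes none of the three.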
1.4.3 The Need for Security and Privacy
Security has a wide base and addresses specific issues regarding computers, information, and organizations. The continuous growth of cybersecurity threats and attacks including