Raj Samani, CTO at McAfee, has responded to the government’s recently published decisions on rules for smart meter privacy and security.
Energy companies have always collected information about customer usage. Now with the enhanced capabilities of smart meters, customer questions surrounding this have intensified. Many have asked – How is my data being used? Who has access to my data and when? Why do you need to know?
This is a key issue. In fact, the British government has published rules around smart meter privacy, explaining that consumers will have choice on how often their energy supplier can access their energy consumption data and suppliers will not be able to use energy consumption data for marketing purposes unless they have explicit consent.
By greatly expanding the amount of data available related to energy consumption within the home through smart grid technology like smart meters, there is great opportunity, but also great risk. It is therefore imperative that not only security and privacy controls are built into smart meter systems from the design phase, but also that privacy assessments are conducted regularly to keep up with the evolving threat to landscape, research activities, and customer concerns.
Metering data is already being utilised by law enforcement for activities such as identifying suspected marijuana growers. In Ohio alone there are at least 60 subpoenas filed each month. The legality of such actions was also the basis of the court case between Kyllo v. United States, where utility records were used to develop a case against a suspected marijuana grower.
Although the legality of accessing smart meter data for law enforcement purposes is likely to come under further scrutiny, one thing is very clear, that the amount of data available through smart meters will be considerable and of value to more stakeholders than just law enforcement. Many third parties from marketers to hackers would find this data useful. Techniques known as Nonintrusive Appliance Load Monitoring (NALM) are able to identify individual appliances using libraries of known patterns. An Italian research study from 2002 using data from 15 minute intervals were able to pinpoint the use of washing machines, dishwashers and water heaters with an accuracy rate over 90%.
Utilities introducing smart meters to their customers should consider undertaking a detailed assessment to understand and analyse the privacy implications within a given system.
In the European Union, a privacy impact assessment, by following the Data Protection Impact Assessment (DPIA), is a recommended action through a number of authoritative sources.
In the United States, Volume 2 of NISTIR 7628 from The Smart Grid Interoperability Panel Cyber Security Working Group, recommends to ‘Conduct an initial privacy impact assessment before making the decision to deploy and/or participate in the Smart Grid.’
I don’t mean to suggest that these guidelines will eliminate all privacy risks of smart meter deployment. As we experience the proliferation of smart meters in our homes, it is also more than likely there will considerable research conducted to determine what additional information can be garnered. Just as we saw with the earlier example with the ability to detect what appliances are running within the home using energy signatures, there are likely to be equally surprising results in the future.
One thing for certain is that there is real concern from consumers about smart meters, with some individuals taking very severe actions to stop meters being installed on their homes. For example in Houston, Texas, Thelma Taormina recently posted signs on her home that read, ‘No smart meters are to be installed on this property.’
When a CenterPoint Energy worker ignored this advice attempting to replace her old electricity meter, Taormina drew her gun on the individual demanding they leave the property. She later commented, “Our constitution allows us not to have that kind of intrusion on our personal privacy. They’ll be able to tell if you are running your computer, air conditioner, whatever it is.”
Consumers are clearly, and based on recent research quite rightly, very concerned about the privacy implications associated with smart meters. Many in the industry believe that most concerns are a matter for consumer education. That may be so, but failure to protect our personal and behavioral data has the ability to not only slow down meter deployments but also possibly stop the roll-out altogether.