Tuesday, April 12, 2011

Day 2 of UTC Smart Grid Policy Summit: All About Cybersecurity, Customer Data Protection

April 12, 2011: The sessions in the second day of the Utilities Telecom Council Smart Grid Policy Summit took a hard look at two real hot-button issues of the moment: cybersecurity and customer data protection/privacy. These two issues are troubling and perplexing to many industries besides utilities, and I found it interesting to identify similarities and differences between the utility perspective and what I know about these issues from the telecom perspective. The Smart Grid is presenting some truly monumental challenges to how the utility industry has traditionally dealt with cybersecurity and consumer data protection, and effective solutions will definitely take ongoing discussions and collaboration across the utility and telecom industries, with regulators in both industries, with law enforcement and other government agencies, and with consumers. These two topics are especially interesting because it is very easy for providers and consumers to get wrapped up and carried away in paranoid fantasies about doomsday scenarios of terrorists attacking and crippling the entire utility grid and ex-boy/girlfriends stalking you by accessing your energy usage data from your smart meter (just two of the many doomsday scenarios; use your imagination or read Cyber War for more). In all reality, though, these extreme situations can and will happen at some point if the utility industry does not implement measures to protect its critical infrastructure and its customers' personally identifiable information. Let's see what the experts had to say...

Session 1 (Day 2): Cybersecurity Requirements: Does Compliance Really Equal Security?
Panelists: Keith Porterfield (Moderator, Georgia System Operations Corp.), Annabelle Lee (Electric Power Research Institute), Lynne Ellyn (DTE Energy), Chris Villarreal (CA PUC), Anup Goyal (AT&T)
As I mentioned yesterday, I am currently learning about Smart Grid cybersecurity in my Energy Communications class, so I was really excited to hear from industry experts about the current issues and challenges in utility cybersecurity. This panel, which debated whether simply complying with cybersecurity requirements actually protects critical infrastructure networks, largely agreed that compliance does not equal adequate security. So, compliance is important: you have to start somewhere, and high-level cybersecurity guidelines or requirements are definitely necessary. However, each utility provider must identify its own unique risks and vulnerabilities, then build upon industry-wide compliance requirements to develop a dynamic, tailored end-to-end solution. Utilities need to learn from the lessons of the past--like the infamous Stuxnet worm situation--that attackers can just as easily come from an internal, "under the radar" source as they can swoop in from beyond the balancing authority in the form of a terrorist attack or full-scale Cyber War. The new cybersecurity buzz-term is "Advanced Persistent Threats," which is a very realistic description--the threats are indeed highly advanced and constantly evolving. The panelist from DTE (Ellyn, who I found to be extremely interesting throughout the discussion) argued that not only is a focus on just prevention insufficient, but it is probably impossible. Therefore, utilities need to focus on anticipating and detecting threats, and reacting appropriately. Compliance with standards and regulations is not a one-time fix-all; it will be a continuous process. A great comment to illustrate this point was, "hackers do not have a checklist." Utilities cannot just expect to check off compliance measures, sit back, and wait for a disaster to occur (we all know it is not "if," but "when").
Compliance requirements that were implemented today but developed last year are not going to protect utilities (or telecom for that matter) from tomorrow's threats. One issue that is quite specific to the utility industry--that I find particularly interesting--is that much of the utility infrastructure is very old, 30-50 years old in some cases. How do you protect these assets from cyber attacks? How do you make sure analog, previous generation equipment does not create an entry point for attackers? In some cases, is analog infrastructure more secure than the smart grid? If so, will utilities delay or reject grid modernization? These are definitely questions that are troubling the industry right now, and it will be interesting to see the direction that utility providers take to ensure their critical assets are protected. Finally, utilities, regulators and vendors/suppliers need to foster a culture of cybersecurity, where the harsh realities of cyber attack are understood but there are ample incentives and opportunities to develop effective, dynamic solutions.

Session 2 (Day 2): Cybersecurity Overload: Meeting the Challenges of Implementation and Communication
Panelists: Michael Hyland (Moderator, American Public Power Association), Troy West (Cleco Corporation), Robert McClanahan (Arkansas Electric Cooperative), John Roukema (Silicon Valley Power), Tim Roxey (NERC), Paul De Martini (Cisco Systems)
I was extremely engaged in this panel as it addressed telecom cybersecurity issues and included panelists from small electric providers (and a cooperative!). This session addressed the challenge that utilities face in dealing with the impending explosion of "smart" devices and the subsequent explosion and imposition of regulatory requirements--I think of this like the explosion of smartphones in the wireless industry and the subsequent explosion of cybersecurity fears. I really enjoyed the panelist from the electric cooperative (McClanahan), who commented that the greatest challenge to utilities, besides trying to predict threats, is trying to predict what the regulators will do next! Sir, we can relate in the telecom industry, where regulatory uncertainty is especially burdensome for the small providers. Basically, the onslaught of cybersecurity threats is only a fraction of the concerns--timely access to accurate information about threats and ongoing regulatory uncertainty greatly contribute to the overall cybersecurity anxiety attack. Disseminating information about attacks is particularly tricky because there are different security clearance levels for different types of information. One panelist candidly pointed out that some utility companies might not even have someone on staff who can get a security clearance. According to Roxey (from NERC, another very engaging panelist), information sharing is extremely important but ultimately very difficult. Regarding telecom's role in utility cybersecurity, it is important to understand that cybersecurity is a threat for everyone. I am interested in learning more about the potential liabilities that a telecom company who provides service to utilities may face in situations where a network is breached, resulting in an attack on the grid.
I imagine this is partially why many utility providers are reluctant to trust commercial telecom providers--but--telecom providers have their own set of parallel cybersecurity challenges as well, where no telecom provider can safely leave any part of its network vulnerable to attack. There is indeed some fascinating interdependency between telecom and utilities in the cybersecurity arena. My favorite comment from this panel, by McClanahan, was "I don't have warfighters on my staff." In the face of a significant national security cyber threat, what role does a utility have to protect its assets and beyond? Do all utilities need to become national security mercenaries just because they are vulnerable to threats that could trigger a massive attack to the national grid infrastructure? Definitely some good food for thought here... I have no doubt that these are the precise issues that keep many utility managers and regulators awake at night.

Session 3 (Day 2): Managing the Mounds of Data: Get Ready for the New Energy Information Marketplace
Panelists: David Owens (Moderator, Edison Electric Institute), Lillie Coney (Electronic Privacy Information Center), Robin Lunt (NARUC), Mark Carpenter (Oncor), Rona Newmark (EMC Corp.), Kevin Messner (Association of Home Appliance Manufacturers)
I was very impressed by this panel--it ended up being the surprise hit of the summit for me. I am actually planning to continue this topic in a future post, because there is some research that I want to do to become more educated about telecom's Customer Proprietary Network Information ("CPNI") requirements and whether they would be a good model for utilities to use going forward. This session was an extremely lively debate about how to ensure privacy and protection for utility customer information. There are increasing concerns that the Smart Grid will enable all kinds of malicious behavior if bad actors get ahold of Personally Identifiable Information ("PII"). The common stereotype is the stalker who gets his or her hands on smart meter data and can then figure out when his or her prey is at home and what they are doing at every second. Although this scenario is not outside the scope of reality, if a stalker has access to smart meter information then they are probably already breaching the victim's privacy in some other way--smart meter data might not really add anything profound. There are clearly many more concerns in this topic, but the "stalker scenario" is definitely the most colorful and common example of smart meter privacy fears. There were some... *radical*... suggestions thrown around on this panel (that the government should require the equivalent of a "driver's license" for all Internet users, and that each state should have its own set of data privacy regulations), and I kept thinking to myself, "Isn't there some requirement in telecom that makes customer information protection really simple and straightforward?" Yes: CPNI. For some really rough background information, CPNI requirements had been a priority for the FCC since 1998, but became reality after a "pretexting scandal" in 2006. Basically, CPNI requirements:
  • Apply to ALL communications providers
  • Carry serious consequences for noncompliance
  • Serve as a compliance guideline, but encourage providers to tailor additional measures specific to their businesses
  • Encourage providers to go way above and beyond the minimum requirements to protect customer information
Even with this minimum amount of knowledge about CPNI, I can clearly see that this model might be attractive to utilities, with some tweaks of course. Is there a significant difference--from a consumer perspective--in the information contained on a phone bill (the number of calls made in a day, and to whom the calls were made), versus the information that could be gathered from smart meter data (when the washing machine was used, how long the living room TV was on, etc.)? Both sets of data are "personally identifiable information," and both sets of data can be used both maliciously and profitably by corporations, consumers themselves, and the service provider. There are some interesting implications here in terms of the culture of personal information (people have no problem posting intimate details on Facebook, but if a service provider misuses the same information then all hell breaks loose), and the culture of the utility industry (which has traditionally been a unidirectional service where the relationship between customer and utility goes no further than a commercial exchange of energy for money). I think telecom has a lot of experience in customer information protection, and utility providers and regulators can learn a great deal from the CPNI model. For my new utility readers, I found this sample of a telecom provider's CPNI manual, which you may find interesting.

My Final Thoughts:
I really enjoyed this conference and I met many interesting people, and I hope to attend and participate in future smart grid policy conferences. Coming from the telecom world almost exclusively, I gained a tremendous amount of knowledge about the utilities industry. There are so many topics that I hope to learn more about and monitor as the smart grid modernization efforts progress. I will definitely continue studying the overlays between telecom and utilities in the Smart Grid arena, and I intend to spend some time in the near future learning more about the utility regulatory process in general.

Many thanks to the Utilities Telecom Council for the wonderful opportunity to attend this conference!

Cassandra Heyne
