NIST Smart Grid, Vol. 2

Back in 2010, the National Institute of Standards and Technology (NIST) published its first interagency report on guidelines for smart grid cybersecurity. Since then, developments in technology and implementation have demanded a second draft. Enter Volume 2. Hopefully this will form the basis for state laws and corporate policies.

Four years ago, the NIST guidelines focused on theory; the new recommendations respond to the actual deployment of smart grid technologies, and those involved say the guidelines that have changed most are those surrounding privacy.

The earlier draft concentrated on the fact that there would be privacy risks and what those risks might be. The new version identifies tactical and actionable steps that can be taken to mitigate those risks. It focuses on the need for utilities within the smart grid to create a privacy program, conduct privacy impact assessments, assign a person to privacy oversight, and create training and awareness opportunities, among other measures.

Major Changes

According to Rebecca Herold, in charge of NIST’s privacy subgroup since 2009, both the group and the process have transformed since their early days. “Back then, people weren’t too worried about privacy with regard to how it related to electricity usage,” she commented.

This changed as some well-known utility companies started to introduce smart meters, which recorded household energy consumption and communicated it back to power providers, without effectively communicating what kind of data those meters would collect, how granular it would be, and who would have access to it.

Of course, after the documentary entitled “Take Back Your Power” was released, people panicked, believing that smart meters were infringing on their privacy and could lead to getting hacked. This served to highlight the need for better awareness and training on transitioning to the smart grid.

This is a positive step, because the privacy subgroup’s composition has shifted since its 2009 roster and the release of the first report. At that time, it contained 95 to 100 members – many of them privacy advocates from groups like EPIC, the CDT and the FPF.

But it shrank to just 26 members once NIST stopped funding the group and it was put under the purview of the Smart Grid Interoperability Panel (SGIP). Upon that change, members of the subgroup were required to pay to get in. Now, there are about three privacy experts on board.

It was positive to note that the utilities were more receptive this time around, as they had a better understanding of privacy as a foundational part of implementation, rather than just an afterthought.

Smart Grid Privacy Concerns

Volume 2 identifies that privacy concerns about the smart grid fall into one of two broad categories:

  1. Personal information not previously readily obtainable.
  2. Mechanisms that did not previously exist for obtaining (or manipulating) personal information.

It also took a look at new and emerging technologies and activities that were not yet widely deployed or in existence, but that were being discussed and could introduce different privacy challenges. These included:

  1. Customer energy usage data (CEUD) and personal consumer data being sent to smart phones and other mobile computing devices.
  2. CEUD and personal consumer data being sent to social media sites, or social media sites being used to control end devices.
  3. CEUD and personal consumer data being stored, managed, or otherwise accessed from cloud services.
  4. The creation of new applications that collect CEUD and personal consumer data.
  5. Smart meter reading capabilities for individual premises so that a home area network (HAN) or other device may monitor in smaller intervals, as well as in real-time.
  6. Including CEUD and energy consumer data in “Big Data” files and in the associated analysis activities.
  7. Connecting smart appliances and HANs directly to the Smart Grid.
  8. Green Button developments that bring privacy risks.
  9. Linking or tracking consumer activities and movements with energy usage data.
  10. Sharing Smart Grid data across national borders.
  11. Wireless Smart Grid data transmissions, including near field communications (NFC) as well as wide area wireless communications.
  12. Linking biometrics with the Smart Grid.
  13. New types of malware within the Smart Grid.
  14. New risks created by adding other utilities (e.g. water, gas, etc.) into the Smart Grid.
  15. Ensuring that “intelligent” systems reacting to Smart Grid activities do not invade privacy as a side effect.

NIST has just released its latest version of standards for Smart Grid cybersecurity. It is hoped that this will set the standard for state laws and corporate policies.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Regulatory authorities (I.A.d.)
  • Federal enforcement actions (I.B.e.)
