Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea
Чтение книги онлайн.

Читать онлайн книгу Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea страница 46

СКАЧАТЬ

      2.7.2 Privacy Program

      As new capabilities are included in the Smart Grid, potential new privacy concerns will emerge for which no legal mitigation currently exists. A significant number of privacy breaches occur not because of an attack but through noncompliance with privacy policy or having no policy. For example, a laptop that has a copy of PII data becomes a privacy breach if the laptop is improperly disposed of, lost, or stolen. Hence, measures for protection of privacy have to be designed and implemented too. Thus, a privacy program should be planned, designed, implemented, and maintained. Factors that should be considered in design of a security program include the following:

       Privacy rights continue to evolve by legislation, litigation, and regulation, and the data gathered will be subject to the relevant jurisdiction(s).

       AnonymizationIf private information is not properly anonymized, even data like electrical appliance usage or electric vehicle charging schedules may constitute a privacy violation. In electrical sector, the ownership and rights associated with PII varies by jurisdiction. In some jurisdictions, the person owns their data, while in other jurisdictions, ownership is less clear. For example, a utility that gathers contact and other information for billing purposes may be restricted in use of the PII for any other purposes without consent of the customer – possession of the data is not the same as ownership.

       Technologies and capabilitiesThe advancing of technologies such as data mining and pattern recognition can be used on identifying the identity of persons when customer data and energy data is analyzed. Recognizing electric signatures of smart appliances and developing detailed, time‐stamped activity reports, utilities, or third‐party service providers can determine lifestyle details that could be legitimately characterized as PII in most jurisdictions.

        Dedicated privacy group with its own managementAlthough in many organizations, security group is supporting the privacy requirements, the future commands for more responsibility and accountability for the implementation of data privacy specifically in smaller‐size enterprises, and need for establishment of a dedicated privacy group with its own management [Shei 2013]. The organizations have to understand that security is only one aspect of privacy and privacy protection implies organization and business decisions.

      Ensuring privacy requires a bundle of technologies, policies, culture, regulations, and harmony between many business units from security to legal to human resources to employees [Shei 2013]. Examples of guidelines and recommendations for the protection of privacy data and harmonization of disparities in national privacy regulations are documented in [OECD 2013].

      Currently, many countries, organizations, and associations support efforts to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives. In the United States, National Cyber Security Alliance mandates that [NCSA 2014]:

      Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it.

      This document [NISTIR 7628r1] provides definitions, requirements, safeguards, and use case impacts of privacy breaches. Privacy considerations with respect to the Smart Grid include four aspects: privacy of personal information, privacy of the person, privacy of personal behavior, and privacy of personal communications.

      A privacy policy framework for the Smart Grid and for smart homes is suggested in [GridWise 2011]. This framework is limited and addresses only consumer privacy issues that arise from the collection, use, and retention of such data no matter from what source it is collected.

      In this book, we do not focus on engineering a privacy program, although some approaches used in engineering the security program could be used for building a privacy program.

      A revised NIST document [NISTIR 7628r1] promotes a new cybersecurity framework to protect the Smart Grid. A current list of standards is available. Many accelerated standards and guidelines are focused on topics such as:

       Metering

       Data usage information

       Electric vehicles

       Pricing

       Demand response

       Substation communication

       Energy storage

       Renewables.

      2.8.1 Electricity Sector Guidance

      In the United States, the DOE envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government [DOE 2015c].

      NERC developed the critical infrastructure protection (CIP) standards [NERC CIP], which FERC approved in 2008. The NERC CIP standards suite is composed of a whole family of standards that are continuously revised and changed. These standards were originally devised and implemented to prevent big blackouts – so they are considered both rigorous and heavily enforced only for bulk power systems (generation and transmission).

      However, NERC cybersecurity standards and supplementary documents are often similar to guidance applicable to federal agencies [GAO 2011] and do not apply to all power grid functions. In addition, the standards adoption by the electric power industry is lacking coordination and a consistent approach in monitoring industry compliance with voluntary standards. FERC is responsible for regulating aspects of the electric power industry, which includes adopting cybersecurity and other standards it deems necessary to ensure Smart Grid functionality and interoperability.

      2.8.2 International Collaboration

      An essential element of Smart Grid developments around the globe is coordination for the development of international standards. As the United States and other nations construct their Smart Grids, use of international standards ensures the broadest possible market for Smart Grid suppliers.

      NIST is devoting considerable resources and multilateral engagement with other countries to cooperate in the development of international standards for the Smart Grid. In addition, NIST and the International Trade Administration (ITA) have partnered with the DOE to establish the International Smart Grid Action Network (ISGAN), a multinational collaboration of 23 countries and the European Union.

      ISGAN complements the Global Smart Grid Federation, a global stakeholder organization, which serves as an association of associations to bring together leaders from Smart Grid stakeholder organizations around the world. This organization supports Smart Grid solutions emerging to address the economic, policy, and regulatory challenges of variable renewables. Similarly, the Clean Energy Solutions Foundation СКАЧАТЬ