CDT Comment NISTIR 7628 Draft 12-02-09 FINAL CORRECTED

Before the
Department of Commerce

National Institute of Standards and Technology


Request for Comments )
)
Draft NIST Interagency Report (NISTIR) ) Docket Number 0909301329-91332-01
7628, Smart Grid Cyber Security Strategy )
And Requirements )


COMMENTS OF THE CENTER FOR DEMOCRACY & TECHNOLOGY


December 1, 2009

Jennifer M. Urban
Elizabeth Eraker
Longhao Wang

Samuelson Law, Technology & Public Policy Clinic
University of California, Berkeley School of Law
585 Simon Hall
Berkeley, CA 94720-7200
(510) 642-7338

on behalf of the
Center for Democracy & Technology

December 1, 2009

Table of Contents

Executive Summary

I. Introduction

II. Smart Grid Consumer Data Flow and Applicable Standards Identified by NIST for Implementation
A. Overview
B. Data Flow in Standards Identified by NIST for Implementation
1. ZigBee/HomePlug Smart Energy Profile
2. Open Automated Demand Response (OpenADR)
3. OpenHAN
C. Data Flow in Real-World Products

III. Implications of Smart Grid Data Flow for Consumer Privacy
A. Customer Data Concerning Home Activities Presents Privacy Risks That Must Be Addressed
B. Longstanding Special Protections for Information about the Home and Home Life, Combined with the Lack of Clear, Consistent Rules for the Smart Grid, Highlight Privacy Risks and Create a Strong Need for Privacy Protections to Be Included in Technological Design and Service Provider Practices

IV. Proposed Framework for NIST Privacy Principles
A. Privacy Principles Should Cover All Smart Grid Entities and Practices
B. Privacy Principles Should Cover “Household Energy Data”
C. Privacy Principles for Household Energy Data Should be Grounded in Comprehensive Fair Information Practice Principles (“FIPPs”)
1. Transparency
2. Individual Participation
3. Purpose Specification
4. Data Minimization
5. Use Limitation
6. Data Quality and Integrity
7. Security
8. Accountability and Auditing

V. General Recommendations

VI. Conclusion

Executive Summary

We are grateful for and commend NIST’s vitally important work in developing a
Smart Grid Cyber Security strategy, and in particular the effort to make recommendations
for protecting consumer privacy, in the NIST Interagency Report (NISTIR) 7628.

The Smart Grid promises great benefits to consumers and the environment. At the
same time, it presents new risks to privacy in its enhanced collection and use of highly
granular consumption data, which can reveal intimate details about activities within the
home. The entrance of new entities and technologies delivering energy services, the
speed at which this new infrastructure is being deployed, and the lack of clear governing
rules further support the need to address the privacy risks to consumers created by the
Smart Grid.

As part of NIST’s work to coordinate the development of a framework for a
modernized and interconnected grid, it should develop and recommend strong privacy
principles that can be incorporated into standards and technical requirements, and should
develop robust, rigorous use cases that illustrate privacy-affecting scenarios in Smart
Grid technologies and services, and show how privacy principles can be built into Smart
Grid architecture. Creating privacy-protective systems and technologies for the Smart
Grid should not require a tradeoff with functionality, but it will require thoughtful design.
In adopting a “privacy by design” approach, rather than attempting to tack on privacy at a
later point, NIST can support the most effective means of protecting consumer privacy in
the Smart Grid, and provide needed guidance to state regulators and industry players.
Developing effective privacy protections for the Smart Grid must be grounded in
a thorough examination of how the proposed technologies will affect consumer privacy
interests. In this Comment, we provide an overview of consumer data flow in the Smart
Grid under several proposed NIST standards and discuss the privacy risks and legal rules
implicated by the unprecedented collection of detailed information about customers’
energy and appliance use contemplated by Smart Grid technologies and services—
information traditionally afforded strong legal protection within the home. We proceed to
propose a specific framework for protecting privacy in the Smart Grid based on a robust
and comprehensive set of Fair Information Practice Principles (“FIPPs”), including who
should be covered, what types of data should be covered, and how a FIPPs-based
framework can ensure meaningful protections for consumers’ “Household Energy Data.”
All of the technical standards identified by NIST for implementation in the Smart Grid
should be evaluated against these principles, and NIST should make recommendations
regarding standards based upon them, and upon a rigorous set of use cases that can
inform standards bodies and the design of new Smart Grid technologies.






The Center for Democracy & Technology (“CDT”) respectfully submits these
comments in response to the National Institute of Standards and Technology’s (“NIST”)
request for comments on the Draft NIST Interagency Report (NISTIR) 7628, Smart Grid
Cyber Security Strategy and Requirements (“Draft”). CDT is a nonprofit, public interest
organization dedicated to preserving and promoting openness, innovation and freedom on
the decentralized Internet.

I. Introduction

NIST’s work to develop a Smart Grid cybersecurity strategy, including
recommendations for protecting consumer privacy in the modernized grid, is a vitally
important effort. The transition to the Smart Grid promises great benefits for consumers,
including lowered energy costs, increased usage of environmentally-friendly power
sources, and enhanced security against attack and outage. At the same time, it presents
new risks to consumer privacy. At the core of the modernized grid’s functionality is
fine-grained household data; in order to enable more efficient energy use, and to more actively
engage individual consumers and their appliances in energy management, the Smart Grid,
as currently envisioned by proponents, depends on the collection and use of highly
granular consumption data.[1] Recent experiments using the simplest data mining and
pattern matching techniques reveal how easily this information can be analyzed to expose
intimate details about activities within the home with a high degree of accuracy.[2]

[1] Patrick McDaniel and Stephen McLaughlin, Security and Privacy Challenges in the Smart Grid, IEEE,
May/June 2009.
[2] Mikhail Lisovich, Deirdre K. Mulligan, and Stephen B. Wicker, Privacy Concerns in Upcoming
Demand-Response Systems,
http://wislsrv.ece.cornell.edu/~mikhail/Copy%20of%20Source%20Material/lisovich2007pci_v3.pdf.
From a consumer privacy perspective, we stand at a critical juncture in the
development of Smart Grid technologies for several reasons. First, the emergence of
increasingly sophisticated metering technologies is enabling the unprecedented
collection of energy consumption data, removing a “latent structural limitation” that
previously protected against the revelation of intimate details about household activities.[3]
Whereas historically a consumer’s consumption data may have been collected once a
month or less frequently from a traditional meter fixed to the side of a house, in the Smart
Grid, sophisticated new demand response systems will collect a record of 750 to 3,000
data points a month, revealing variations in consumption that can reflect specific
household activities such as sleep, work, and travel habits.[4] Second, the transition to a
highly-interconnected and less-bordered electrical infrastructure is inviting participation
by new entities, such as third-party service providers offering new web-based portals for
managing energy use, who are utilizing consumer data in new ways and presenting the
need fo
