GISFI_IoT_20110677


Global ICT Standardization Forum for India (GISFI)

Title: Privacy Requirements of User Data in Smart Grids
Author: Jaydip Sen
Company: Tata Consultancy Services Ltd.
Purpose: Discussion and Approval
Doc number: IOT5-20110002
Meeting: GISFI#5, Hyderabad, India, June 20-22, 2011


1. Abstract

Embracing a positive-sum model, whereby privacy and energy conservation may be achieved in unison, is key to ensuring consumer confidence in electricity providers as Smart Grid projects are initiated. Customer adoption of, and trust in, Smart Grid energy savings programs are integral factors in the success of energy conservation.



What constitutes “personal information” on the Smart Grid is the subject of much discussion. Personal information is defined by the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) as “recorded information about an identifiable individual.” Once it becomes apparent that a Smart Grid technology, system or project will involve the collection of personal information, privacy considerations begin to apply, such as limiting the amount of personal information collected, used or disclosed, and the safeguarding of that information. The digitization of smart meter information has an impact on privacy, as experienced in other areas where traditional paper records are being transferred into digital form. Digital smart meter data, like all digital data, is vulnerable to accessing, copying, matching, merging and massive dissemination.


The changing nature and vast increase of information gathered on the Smart Grid is also resulting in changes in the nature of utilities as power providers. Lack of integration between various systems in the areas of communications, operations and information systems is a significant gap within which challenges may arise for utilities. Utilities should be aware of the gaps and of the opportunities to integrate privacy technologies into these systems, such as the introduction of smart transformers and power line monitors, and the centralization and integration of data and processes.


Integration of privacy in system design extends to a “trilogy” of encompassing applications: 1) IT systems; 2) accountable business practices; and 3) physical design and networked infrastructure. It may be accomplished by practicing the following seven fundamental principles:


1. Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs in order to prevent privacy-invasive events from occurring.

2. Smart Grid systems must ensure that privacy is the default, the “no action required” mode of protecting one’s privacy: its presence is ensured.

3. Smart Grid systems must make privacy a core functionality in the design and architecture of Smart Grid systems and practices, an essential design feature.

4. Smart Grid systems must avoid any unnecessary trade-offs between privacy and legitimate objectives of Smart Grid projects.

5. Smart Grid systems must build in privacy end-to-end, throughout the entire life-cycle of any personal information collected.

6. Smart Grid systems must be visible and transparent to consumers, engaging in accountable business practices, to ensure that new Smart Grid systems operate according to stated objectives.

7. Smart Grid systems must be designed with respect for consumer privacy, as a core foundational requirement.


Each best practice can be applied by utilities in the planning of their Smart Grid activities. This is illustrated through two use case scenarios describing the implementation of privacy design principles into Smart Grid projects in the areas of: (1) customer information access, and (2) customer enablement. The customer information access use case scenario shows how all customers must be authenticated, and how multiple consecutive access failure attempts will disable the account. In the first scenario, protecting access to customer information will foster trusting relationships, allowing the customer to trust the utility and therefore increasing the likelihood of his/her participation to realize the benefits of the Smart Grid. The customer enablement use case scenario examines how privacy concepts may be built into the core design, directly involving customers in the dynamic management of the electrical grid.

2. Introduction

While the Smart Grid has the potential to deliver substantial value, it represents a significant endeavor that will require privacy risk mitigation measures to be taken. Many technologies and standards are still in their early stages of development, and not all will move into commercialization or reach a suitable practice point for mass deployment. The costs and time required, as well as the benefits attained, will depend on the scope and pace of implementation, technology trends, and consumer acceptance and adoption. Utilities have an interest in ensuring that consumer adoption of Smart Grid energy saving programs is not impeded by fears relating to privacy. Electricity providers must embrace a new positive-sum business model, one that is protective of privacy, or risk losing consumer confidence and the public’s trust [1].



Privacy standards are needed against which utility stakeholders can map their Smart Grid developments and implementation [2].

This technical report puts forward a standard design procedure for privacy, for adoption in Smart Grid implementations, in order to protect consumer data privacy. To that end it identifies the privacy issues in Smart Grids and proposes approaches to tackle some of these issues.





3. A Typical Smart Grid System

Smart metering provides the anchor tenant for improved communications across the distribution system; communications provide for the convergence of information technologies with the delivery of power. What this convergence provides is labeled the “Smart Grid”. A Smart Grid is defined as [3]: “The advanced information exchange systems and equipment that when utilized together improve the flexibility, security, reliability, efficiency, and safety of the integrated power system and distribution systems, particularly for the purposes of

a) enabling the increased use of renewable energy sources and technology, including generation facilities connected to the distributed systems,

b) expanding opportunities to provide demand response, price information and local control to electricity customers,

c) accommodating the use of emerging, innovative and energy-saving technologies and system control applications, or

d) supporting other objectives that may be prescribed by regulations”.


While exactly what will comprise the Smart Grid in the future is unknown, major components will include advanced metering infrastructure, time-of-use pricing, demand management, and the creation of a Smart Metering Entity. In order to implement time-of-use prices, electricity distribution companies must achieve four things: (i) install smart meters, (ii) enroll those smart meters with the Meter Data Management Repository (“repository”) maintained by the independent electricity system operator (IESO), (iii) incorporate time-of-use prices within their services, and (iv) file their program with the energy board (EB) of the city or the state.


Electricity distributors will be required to adhere to functional specification criteria when installing smart meters, metering equipment, systems and technology. The specifications require a minimum functionality of hourly meter reads, and the ability to transmit this information without field visits. Smart meters contain an advanced metering communication device, and each has a visible display that includes its identification number and meter serial number. Transmission of meter reads may be as frequent as necessary to meet requirements, and must be done using an approved protocol and file structure. Distributors with advanced metering control computers may store up to 60 days’ worth of meter reads, and must not aggregate meter reads into rate periods or calculate consumption data prior to sending the information to the IESO’s repository. The smart meter system must also report on confirming data linkages between the advanced meter communication device, the meter serial number and the customer’s account. The smart meter system, including some parts of the repository, must also log successful transfers of meter reads as well as unsuccessful attempts, including the cause and status of such attempts. In addition, the system must confirm the accuracy of meter readings and report suspected cases of meter theft, tampering or interference.



An Advanced Metering Infrastructure (AMI) is required to have security features to prevent unauthorized access to the AMI and meter data and to ensure authentication to all AMI elements. The IESO will use a unique ID for each electricity point of delivery (physical or virtual), including individual residences or multiple meters. The repository maintains internal links that relate each point to metered quantities. The master directory links all points, meters, and utilities. Meter reads are stored in the repository, including interval consumption data and billing quantity data. It can support meter reads from 5 to 60 minute intervals. Meter data is aggregated for reporting and analysis. The repository can flag data as outdated and schedule it for re-aggregation when it is required. The repository supports overrides to allow for the utility to update inaccurate information.


The AMI will also need to meet all applicable federal, provincial and municipal laws, codes, rules, directions, guidelines, regulations and statutes, including requirements of regulatory authorities and agencies.


Smart Grid Communication Requirements


Assessing the communications needs of various Smart Grid applications requires an understanding of: (1) the control loop timeline of the application, (2) the amount of data that needs to be transferred at any particular time, (3) the number of devices with which communication must be maintained, and (4) the overall communication capacity of the proposed system. An application’s timeline and tolerance for latency in transferring and analyzing data or control signals are critical for determining appropriate communication capability. For example, the gathering of metering data for daily meter collection can tolerate a latency period of many hours (and even a period of several days in the case of monthly billing). But real-time, control-oriented applications such as volt/VAr control, integration of distributed generation resources, and distribution switching require latency periods of no more than two seconds [4].


Contemporaneous consideration must also be given to the consistency or predictability of a particular application’s activity. For example, a utility generally can schedule the collection of metering data and gradually perform such collection throughout the day or night in order to smooth out any data peaks. Many of the applications with the most stringent latency needs (i.e., outage alerts, system control applications, etc.), however, are asynchronous in nature and their activity therefore cannot be scheduled. A utility’s full analysis of its communication needs must address all such application timelines, latency tolerances, and application predictability, including consideration of simultaneous activity from multiple applications.


Determination of communication needs also includes analyzing the data transfer requirements of the various Smart Grid applications, including all necessary security overhead data, which can dramatically increase the amount of data as well as the overall number of data exchanges that are required. Many such applications, including communication of identifying information and limited sensor readings or control commands, require the transfer of only a few hundred bytes of data to or from any single node. Other applications, however, require the transfer of significantly larger amounts of data. For instance, a day’s worth of meter interval data can amount to three or five kilobytes if 15-minute intervals are being used and multiple parameters, such as voltage and power quality, are collected. Further, actions such as the initial association of any device with the network and downloads of software updates to meters or other widely deployed devices may require the transfer of significantly larger volumes of data.


Upon determining the communication needs of its desired Smart Grid applications, a utility can analyze various communication modalities for their ability to meet the utility’s application demands. In determining the communication architecture of a particular Smart Grid system, a utility must account for the total capacity needed to support its near- and long-term Smart Grid needs. For instance, contemplation of a wireless mesh network system that provides several dozen kilobits per second of real throughput should include determining the number of nodes in a single collector’s cell in order to evaluate the system’s ability to deliver the necessary performance. Further, the number of nodes that are participating in a given application must be part of the analysis because large numbers of communicating nodes can adversely affect the system performance.


Table 1 provides an overview of various Smart Grid applications and their basic latency tolerances, data transfer requirements, and the extent to which they can be pre-scheduled. These requirements must drive any analysis of Smart Grid communication needs.


Table 1: Smart Grid applications and their data rates, latencies and scheduling characteristics

Application | Basic description | Upstream data per node | Downstream data per node | Allowable latency | Whether scheduled?
Meter readings -- daily collection | Collection of daily interval readings of individual meters. May include consumption as well as power quality or other parameters. | 2 – 10 [?]B | 50 – 400 bytes | Up to [?] hours | Yes
Meter readings -- on demand | A request of immediate parameters such as consumption or the presence of power. | 100 – [?]00 bytes | 50 – 100 bytes | Up to [?] hours | Yes
Demand response -- broadcast of data | A system-wide broadcast of data to demand response or in-home energy display units. | 40 – 100 bytes | [?]00 – 2000 bytes | 1 – [?] seconds | Yes
Demand response -- directed control of individual premises | Directed control messages to devices at customer premises. Includes confirmation of delivery. | 40 – 100 bytes | 200 – [?]00 bytes | [?] seconds | [?]
Outage detection | A message indicating loss of electric supply from a given device. | 100 bytes | 0 bytes | [?] seconds | [?]
Fault detection | A message indicating a fault has occurred and including some basic measurement parameters. | 100 – [?]00 bytes | 0 bytes | [?] seconds | [?]
Distribution switch control | Control message to switches or other devices in the distribution system (between the substation and the customer premise). | 50 – 30[?] bytes | 250 – 1500 bytes | [?] – [?] seconds | [?]
Distributed generation -- pre-dispatch reporting | Messages to distributed generation resources (such as solar panels or [?]) to prepare for possible generation dispatch. | 500 – 2000 bytes | 1000 – 3000 bytes | [?] seconds | [?]
Distributed generation -- dispatch | Messages to dispatch distributed generation resources. | 100 – [?]00 bytes | 100 – [?]00 bytes | [?] seconds | [?]
Distributed generation -- status reporting | Reporting of status from distributed generation resources during their operation. | 250 – 1000 bytes | 50 – 200 bytes | [?] – [?] seconds | [?]
Software download | Download of new software for devices in the field. | 10 – 100 [?]B | 100 kb | < 24 hours | Yes

([?] marks a value that is illegible in the source.)



4. Personal Information on the Smart Grid

“Personal information” is defined in the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) as “recorded information about an identifiable individual” [5]. FIPPA and MFIPPA provide a range of non-exhaustive examples of what personal information can include. For example, “personal information” includes the address and telephone number of an identifiable individual and the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual [6]. Also, personal information can include any identifying number, symbol or other particular assigned to the individual [7].



The collection, use and disclosure of aggregated or de-identified personal information raises few, if any, privacy issues. It is outside the scope of this report to provide guidance on de-identification practices for Smart Grid energy consumption data. However, there is sufficient basis in, for example, the health sector’s experience to suggest that utilities should be cautious when anonymizing personal information and in concluding that that information is in fact anonymized [8]. For example, it is possible in some cases that removing identifiers such as name and address does not guarantee that personal information is de-identified [9].



While there is much discussion regarding what would constitute personal information on the Smart Grid, a determination that a particular set of data is personal information does not prevent the collection, use and disclosure of information that is necessary for the administration of Smart Grid programs. Rather, it serves to indicate that certain considerations in relation to that data must be taken into account. For example, considering the purpose for which the information was collected (called the “primary purpose”) is essential in determining appropriate disclosures of personal information. For example, the IESO’s repository in Ontario limits use and disclosure in the following manner [10]:

- Customers may only view data relating to their own consumption;
- Utilities may only see data relating to their own customers;
- Retailers may only see data relating to their own customers;
- Billing agents may only have access to view billing quantities;
- Utilities may have the ability to edit Meter Reads for only their customers;
- Some users may not have the ability to view data;
- Only appropriately authorized users may have the ability to modify data.
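The rules above amount to a deny-by-default access policy keyed on the requester’s role and on who owns each record. The following Python model of that policy is an added example, not code from the GISFI report or the IESO; the role names, record fields and sample repository are constructed for illustration.

```python
"""Deny-by-default access policy for a Meter Data Management Repository,
encoding the seven repository rules listed above.

Added example (not from the GISFI report or the IESO). Role names, record
layout and all sample data are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Literal

Action = Literal["view", "edit"]
DataKind = Literal["interval", "billing"]


@dataclass(frozen=True)
class Principal:
    role: str                 # "customer", "utility", "retailer", "billing_agent" or other
    subject_id: str           # the customer id, or the utility / retailer id
    may_modify: bool = False  # explicit authorization to modify data


@dataclass(frozen=True)
class MeterRecord:
    customer_id: str
    utility_id: str           # distributor serving this customer
    retailer_id: str          # retailer serving this customer
    kind: DataKind            # interval consumption or billing quantity


def is_allowed(p: Principal, rec: MeterRecord, action: Action) -> bool:
    """True only when an explicit rule grants the action; everything else is denied."""
    if action == "edit":
        # Only appropriately authorized users may modify data, and a utility may
        # edit meter reads only for its own customers.
        return p.may_modify and p.role == "utility" and rec.utility_id == p.subject_id
    if action != "view":
        return False
    if p.role == "customer":        # own consumption only
        return rec.customer_id == p.subject_id
    if p.role == "utility":         # own customers only
        return rec.utility_id == p.subject_id
    if p.role == "retailer":        # own customers only
        return rec.retailer_id == p.subject_id
    if p.role == "billing_agent":   # billing quantities only, any customer
        return rec.kind == "billing"
    return False                    # some users may not view data at all


def visible_records(p: Principal, records: Iterable[MeterRecord]) -> List[MeterRecord]:
    """Filter a result set down to what the principal may view."""
    return [r for r in records if is_allowed(p, r, "view")]


# Constructed sample repository: two customers served by two distributors.
SAMPLE_RECORDS = [
    MeterRecord("CUST-1001", "UTIL-A", "RET-X", "interval"),
    MeterRecord("CUST-1001", "UTIL-A", "RET-X", "billing"),
    MeterRecord("CUST-2002", "UTIL-B", "RET-Y", "interval"),
    MeterRecord("CUST-2002", "UTIL-B", "RET-Y", "billing"),
]


if __name__ == "__main__":
    for who in (Principal("customer", "CUST-1001"),
                Principal("billing_agent", "AGENT-1"),
                Principal("auditor", "AUD-9")):
        seen = [(r.customer_id, r.kind) for r in visible_records(who, SAMPLE_RECORDS)]
        print(f"{who.role:14s} sees {seen}")
```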


The OEB’s Affiliate Relationships Code for Electricity Distributors and Transmitters prohibits the release of consumer information (which could include personal information) to a utility’s affiliate without the written consent of the consumer. An affiliate can be, for example, a subsidiary corporation under the utility or the utility’s parent corporation. If there is more than one subsidiary corporation, then those corporations are also each other’s affiliates [11]. The Code states that consent for disclosure must be obtained from the consumer, except to the extent that the disclosure is permitted by the utility’s license. Also, the Code states consent is not required where the personal information is required to be disclosed for, e.g., billing purposes, law enforcement purposes, to comply with a legislative or regulatory requirement, or to process past due accounts that have been passed to a debt collection agency. Consumer information (which could include personal information) that has been sufficiently aggregated so that information relating to any individual consumer cannot reasonably be identified may also be disclosed to an affiliate. The distribution licenses for utilities contain similar provisions regarding disclosure of consumer information to any other party, which would include a utility’s affiliate or any other person or entity.


Digitization of Smart Meter Information

The Smart Grid’s impact is being compared to the advent of the Internet, which was built without privacy in mind, and which now faces an extreme impediment and very high levels of scrutiny regarding privacy. In fact, the scope of issues in relation to Internet privacy is so huge that they threaten its future viability. Almost all online activities require identity information to be given from one party to another. If one counts cookies and IP addresses as personal information, then Internet users leave behind a trail of personally identifiable information everywhere they’ve been, and they have little idea how that data may be used or how well it is protected [12]. However, unlike the Internet, consumers cannot opt out of the Smart Grid.


Information systems used by utilities in their 100-year history range predominantly from those that are paper driven to those that are highly automated and interactive. Increasingly, utilities are using information to plan, design, and implement integrated information sharing systems. These systems enhance the ability to collect, access, and use information, including personal information, and introduce the potential for information to be entered once but used multiple times across and between many different systems. When information is digitized (i.e. taken from a paper-based medium to electronic), the implementation of electronic information collection and sharing capabilities increases and results in concerns over the use, or potential misuse, of personal information contained in these systems. Digitized information, unlike paper-based information, can be massively disseminated, matched and merged, and used with ease for purposes far beyond those for which the information was originally collected in the first place [13]. While it is true that someone can sit outside a home and determine when the occupants are home, or read a meter posted outside the home, this only involves one meter and one individual collecting the information. Digital smart meter data, like all digital data, is vulnerable to copying and sending, and therefore lends itself to the possibility of a much larger dissemination of “comings and goings.” Much like the creation of electronic health records, several privacy considerations arise as a result of digitization [14].


Changes Experienced by Utilities in Implementing the Smart Grid

Leading the charge to the changing energy landscape is the shifting nature of information demands for utilities as power providers. The change is in part due to the large amount of information that utilities will be collecting from devices as a result of advancements towards the Smart Grid, such as the installation of smart meters and Intelligent Electronic Devices (IEDs). It is predicted that “a Smart Grid is expected to generate up to eight orders of magnitude more data than today’s traditional power network” [15]. Identified impacts of the Smart Grid on utility functions as they relate to consumers include the primary operation areas of home energy management, metering, and demand-side management [16]. Concern exists that utilities in other jurisdictions may be rushing ahead with Smart Grid implementation without fully considering the impacts on business processes [17].


One key challenge in achieving the Smart Grid as envisioned relates to the fact that there are many communications, operational and information systems, and as a result there can be challenges with the level of integration between systems to achieve suitable utilization of the available information. The amount of data available from smart metering and Smart Grid devices will grow substantially and may require a significantly more robust means of validating, storing and filtering this data for optimal use. Additionally, two-way, high-data-volume and frequency, and low-latency communications may be required to support many of the Smart Grid operations, protections and control functions.


New technologies will be needed for the changes experienced by utilities in implementing the Smart Grid. In some instances this may involve using specific smart devices to monitor and/or adjust voltage levels and similar power conditions across lines and connection points. Smart energy regulators, capacitors, switches and power line monitors are technologies that can be used to support energy conservation (by reducing energy losses), distributed generation penetration, plug-in vehicles, and improved reliability and management of utility assets. For smart field devices, challenges may lie in integrating diverse existing systems as well as applying information into new systems and services.


In addressing challenges arising from changes experienced by utilities in implementing the Smart Grid, utilities must integrate privacy issues in the system design when introducing new technologies, integrating communications, operational and information systems, as well as when updating business processes.

5. Privacy Recommendations for Smart Grids

The following practices are recommended for privacy preservation of consumer information in smart grids.


1. Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs, in order to prevent privacy-invasive events from occurring.

2. Smart Grid systems must ensure that privacy is the default, the “no action required” mode of protecting one’s privacy: its presence is ensured.

3. Smart Grid systems must make privacy a core functionality in the design and architecture of Smart Grid systems and practices, an essential design feature.

4. Smart Grid systems must avoid any unnecessary trade-offs between privacy and legitimate objectives of Smart Grid projects.

5. Smart Grid systems must build in privacy end-to-end, throughout the entire life-cycle of any personal information collected.

6. Smart Grid systems must be visible and transparent to consumers, engaging accountable business practices, to ensure that new Smart Grid systems operate according to stated objectives.

7. Smart Grid systems must be designed with respect for consumer privacy, as a core foundational requirement.

6. Privacy in Smart Grid: Use Case Scenarios

Two use case scenarios are provided here to illustrate methods of incorporating privacy in Smart Grids. The two use cases are: 1) Customer Information Access and 2) Customer Enablement. We first give a background description of privacy considerations in wireless mesh networks.


Background: Wireless Mesh Networks

Consider the scenario where a utility has a fully functional smart meter deployment across the majority of its client base. These smart meters communicate information back into the utility through a meshed wireless configuration, where designated meters and repeaters act as secure gateways, and the data collectors aggregate information for transmission back into the utility’s data centre. During this initial phase, utilities will make this information available to their customers to assist them in managing their power consumption. As part of the next phase in grid modernization, the utility would work with its smart meter supplier to pilot derivative meters that can monitor transformer performance. Information from these transformer meters can be used by the utility to back-check the accuracy of smart meters, drawing early warnings of transformer overload or power theft.


Providing customers access to their meter reading information has many challenges: registration, authentication and data protection. The information needs to be presented in a simple and easy-to-understand manner that is useful in helping customers manage their energy needs efficiently. The greatest challenge to a utility provider will be how to best design information flows to mitigate potential future customer privacy concerns. Since the smart meter information is broadcast wirelessly over the air, the obvious first level of security would be to encrypt the information. The second is to ensure that the smart meter network does not broadcast any sensitive customer information over the wireless environment. Since user privacy is the major issue, a unique numeric ID and consumption data are all that need to be transmitted. The smart meter-to-customer correlation is only performed securely back in the utility’s data centre.


The utility can take the assessment to an even higher level by considering whether transformer meters should communicate over a different wireless network than the smart meters. The rationale for this is that if the smart meter network were ever to be compromised, malicious third parties would not be able to perform the same transformer-to-smart meter correlation as could be done by the utility provider. By segregating the information over dual networks, the correlation could only be done by being in possession of both sets of information, which would only be available in the utility’s own data centre.
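The design in the two paragraphs above, as an added Python model (not code from the GISFI report or any utility): smart meters put only a numeric pseudonym and consumption on the mesh, transformer meters report over a separate channel, and the meter-to-customer and meter-to-transformer correlations exist only in the data centre, where they also drive the transformer back-check. The frame layout, the 5% tolerance, the transformer ratings and all readings are constructed for the example.

```python
"""Data minimization on the air interface plus data-centre-only correlation.

Added example illustrating the design in the text above (not code from the
GISFI report or any utility). Frame fields, the tolerance, the transformer
ratings and all sample readings are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# The only fields a smart meter may place on the wireless mesh.
AIR_ALLOWED_FIELDS = frozenset({"meter_id", "interval_start", "kwh"})


def validate_air_frame(frame: dict) -> bool:
    """Accept a mesh frame only if it carries the numeric pseudonym and the
    consumption value and nothing else (no name, address or account data)."""
    if set(frame) != AIR_ALLOWED_FIELDS:
        return False
    return isinstance(frame["meter_id"], int) and isinstance(frame["kwh"], (int, float))


@dataclass
class DataCentre:
    """Holds the correlations that never leave the utility's data centre."""
    meter_to_customer: Dict[int, str]
    meter_to_transformer: Dict[int, str]
    transformer_rating_kwh: Dict[str, float]   # maximum energy per interval

    def resolve_customer(self, meter_id: int) -> str:
        # The only place where the meter-to-customer correlation is performed.
        return self.meter_to_customer[meter_id]

    def transformer_backcheck(self, meter_frames: List[dict],
                              transformer_frames: List[dict],
                              tolerance: float = 0.05) -> List[dict]:
        """Join the two networks' data (possible only here, since it needs
        meter_to_transformer) and flag transformer overload or a shortfall
        between energy delivered by the transformer and energy metered."""
        metered = defaultdict(float)   # (transformer, interval) -> summed meter kWh
        for f in meter_frames:
            if not validate_air_frame(f):
                continue               # a non-conforming frame is dropped, not trusted
            transformer = self.meter_to_transformer.get(f["meter_id"])
            if transformer is None:
                continue               # unknown pseudonym: nothing to correlate
            metered[(transformer, f["interval_start"])] += f["kwh"]

        alerts = []
        for t in transformer_frames:
            key = (t["transformer_id"], t["interval_start"])
            delivered = t["kwh"]
            if delivered > self.transformer_rating_kwh.get(key[0], float("inf")):
                alerts.append({"transformer": key[0], "interval": key[1],
                               "type": "overload", "kwh": delivered})
            shortfall = delivered - metered.get(key, 0.0)
            if shortfall > tolerance * delivered:
                # Delivered energy not accounted for by the meters behind this
                # transformer: meter inaccuracy or possible unmetered load.
                alerts.append({"transformer": key[0], "interval": key[1],
                               "type": "shortfall", "kwh": round(shortfall, 3)})
        return alerts


# Constructed sample: two transformers, three meters, one 15-minute interval.
CENTRE = DataCentre(
    meter_to_customer={1001: "CUST-A", 1002: "CUST-B", 1003: "CUST-C"},
    meter_to_transformer={1001: "T-7", 1002: "T-7", 1003: "T-8"},
    transformer_rating_kwh={"T-7": 2.5, "T-8": 3.0},
)
MESH_FRAMES = [   # smart meter network: pseudonym and consumption only
    {"meter_id": 1001, "interval_start": "2011-06-20T10:00", "kwh": 1.2},
    {"meter_id": 1002, "interval_start": "2011-06-20T10:00", "kwh": 0.9},
    {"meter_id": 1003, "interval_start": "2011-06-20T10:00", "kwh": 0.7},
]
TRANSFORMER_FRAMES = [   # separate network: transformer meters
    {"transformer_id": "T-7", "interval_start": "2011-06-20T10:00", "kwh": 2.6},
    {"transformer_id": "T-8", "interval_start": "2011-06-20T10:00", "kwh": 0.72},
]

if __name__ == "__main__":
    for alert in CENTRE.transformer_backcheck(MESH_FRAMES, TRANSFORMER_FRAMES):
        print(alert)
```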


Use Case Scenario 1: Customer Information Access

When a utility wishes to provide access to information, it must consider how to identify the customer during registration and upon each subsequent visit. This step is extremely important because unauthorized access to customers’ information will erode trust and result in a loss of consumer confidence. Such customer access may be required, for example, in order to provide additional information to assist them in making choices around energy, cost, carbon footprint, and privacy. The requirements for ensuring that the registrant to the customer information access service is indeed the owner of the utility account, and that unauthorized access attempts are kept to a minimum, are depicted in Figure 2. Customer Enrolment and Customer Authentication are requirements defined by the utility. These two requirements will have supplemental requirements that may be traced to the features which apply privacy constraints upon them.

















Figure 2: Customer Information Access Requirements



Figure 3 illustrates how a supplementary requirement such as an “access failure threshold” can be incorporated and traced within the design of a Customer Information Access program, which would then be reviewed by the Smart Grid project team to ensure that it meets their business needs.




Figure 3: Use Case Tracing for Customer Information Access

[Diagram elements: Stakeholder requirement: Customer Information Access. Feature requirements: Customer Enrolment; Customer Authentication. Supplementary requirements: Registration Authentication (all registration processes require multiple disparate personal identifiers); Access Failure Threshold Authentication (identify maximum number of failed access attempts).]


The requirement definition stage of any adopted Smart Grid project methodology involves the creation of one or more use cases to satisfy core foundational privacy requirements, such as "access failure threshold," showing interactions between various actors (people and systems), as well as the functionality that will be delivered by the systems involved. The utility provider must then document all flows of information that would occur during customer authentication. The sequence presented in Figure 4 shows a successful access request.










[Figure 4 sequence diagram: actors Customer, Customer Information Access, Security System, Customer Information; messages 1. Request Access, 2. Authenticate, 3. Record Result, 4. Retrieve Customer Information, 5. Present Welcome Page]

Figure 4: Sequence Diagram for Customer Information Access

The steps in Figure 4 represent the following activities:

1. The customer provides his or her unique identifier and challenge information.

2. The customer information access service requires that the identifier and challenge information be verified. If they are correct and the account has NOT been disabled due to multiple failed access attempts, the customer is considered authenticated.

3. The successful access is recorded.

4. The basic information regarding the authenticated customer is then retrieved.

5. The customer is presented with welcome information.
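As an added example (not code from this document or from any utility's system), the Figure 4 flow above written in Python with the "access failure threshold" supplementary requirement enforced at the authentication step. The document does not specify a credential scheme, so the threshold value, the PBKDF2 parameters, the audit event names and the sample identifiers, challenge strings and profile contents are all assumptions made for illustration.

```python
"""Customer information access with an access-failure threshold.

Added example; this is not code from the GISFI document. It models the
Figure 4 sequence (request access, authenticate, record result, retrieve
customer information) and enforces the "access failure threshold"
supplementary requirement. The threshold value, account identifiers,
challenge strings and profile contents are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed value: the utility decides how many failures disable an account.
ACCESS_FAILURE_THRESHOLD = 3
PBKDF2_ITERATIONS = 100_000


def _hash_challenge(challenge: str, salt: bytes) -> bytes:
    """Store only a slow, salted hash of the challenge, never the challenge itself."""
    return hashlib.pbkdf2_hmac("sha256", challenge.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    challenge_hash: bytes
    failed_attempts: int = 0
    disabled: bool = False
    # Basic customer information, released only after successful authentication.
    profile: dict = field(default_factory=dict)


class CustomerInformationAccess:
    """Steps 2-5 of Figure 4: verify, record the result, retrieve, welcome."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)
        self.audit_log: list[tuple[str, str]] = []  # step 3, "Record Result"

    def enrol(self, identifier: str, challenge: str, profile: dict) -> None:
        salt = os.urandom(16)
        self._accounts[identifier] = Account(salt, _hash_challenge(challenge, salt), profile=dict(profile))

    def request_access(self, identifier: str, challenge: str) -> dict | None:
        """Step 1 is the caller supplying identifier + challenge.

        Returns the customer's basic information on success, None otherwise.
        Unknown, disabled and wrong-challenge cases all return the same None,
        so the response does not reveal which of them applied.
        """
        account = self._accounts.get(identifier)
        if account is None:
            _hash_challenge(challenge, self._dummy_salt)  # spend the same time as a real check
            self.audit_log.append((identifier, "FAIL_UNKNOWN"))
            return None
        if account.disabled:
            self.audit_log.append((identifier, "FAIL_DISABLED"))
            return None
        candidate = _hash_challenge(challenge, account.salt)
        if not hmac.compare_digest(candidate, account.challenge_hash):
            account.failed_attempts += 1
            if account.failed_attempts >= ACCESS_FAILURE_THRESHOLD:
                account.disabled = True  # stays disabled until the utility re-enables it
                self.audit_log.append((identifier, "DISABLED"))
            else:
                self.audit_log.append((identifier, "FAIL_CHALLENGE"))
            return None
        account.failed_attempts = 0  # a success resets the counter
        self.audit_log.append((identifier, "SUCCESS"))
        return dict(account.profile)  # step 4; step 5 renders this on the welcome page
```

Two design points worth noting: the disabled state is sticky, so a correct challenge presented after the threshold is reached is still refused and logged as FAIL_DISABLED (re-enabling is an out-of-band utility process, which the document leaves to the business requirements), and the audit log records every outcome, not only successes, so the "Record Result" step also gives the utility the data it needs to tune the threshold.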


Use Case Scenario 2: Customer
Enablement

A utility is in the process of rolling out smart meters and billing system changes to support time-of-use billing, and expects that future Smart Grid programs will include further customer enablement. Examples of future customer enablement include demand-response programs, conservation programs, voluntary curtailment, advanced device management, in-home displays, and many others. For this use case, consider customers choosing to participate in demand-response programs, for example when there is a peak in power demand and some customers have opted to switch off some devices. Within customer enablement, the concept of involving customers in the dynamic management of the electrical grid provides opportunities for all stakeholders. However, it also introduces new challenges, particularly in the realm of privacy and security. The success of a customer engagement program hinges on the utility's ability to empower willing customers to become active participants in their energy use and generation, and it covers the end-to-end scope of a customer's interaction with the utility's technology systems and processes. There are three basic activities in this case:

1. Enrolment: the ability of an authorized customer to enrol and define his or her mode of participation in programs offered by the utility.

2. Usage: the active operation and management of participating customers. This refers to the daily functioning of systems and processes for the utility to deliver the service.

3. Termination: the ability of a customer to terminate his or her active participation.













[Diagram labels: Stakeholder Requirement: Customer DR Program Registration; Feature Requirements: Terminate Enrolment, Provide List of Eligible Registrants for DR Actions; Supplementary Requirements: Data Retention, Limit Data, Registration Authentication]

Figure 4: Customer Demand Response Requirement Example

Note that the features being delivered are based on the business requirements to permit demand response registrants to terminate their enrolment and to provide eligible device information to a demand response program. Both of these have supplementary requirements placed on them to which the design and development teams must adhere. These supplementary requirements establish requirements for data retention, and requirements for what personal information is to be shared.

Figure 5 illustrates how a supplementary requirement such as "Limit Data" can be incorporated and traced within the design of a demand management program, which would then be reviewed by the Smart Grid project team to ensure that it also meets their business needs.



















[Figure 5 diagram labels: Stakeholder Requirement: Customer DR Program Registration; Supplementary Requirement: Limit Data; Feature Requirement: Provide List of Eligible Registrants for DR Action; Use Case: Retrieve Eligible Devices]

Figure 5: Requirement Types for Demand Response Registrants


The requirement definition stage of any adopted Smart Grid project methodology involves the creation of one or more use cases to satisfy core foundational privacy requirements, such as "limit data," showing interactions between actors (people and systems), as well as the functionality that will be delivered by the systems involved. The utility provider must then document all flows of information that would occur in a demand response program, described in Figure 6 as follows.


1. Configure: operators need to configure a program. This allows the utility provider to configure the behaviour of the demand response program when an event is received from the Smart Grid management system.

2. Alert: the Smart Grid continually monitors the stability of the network, and events are generated whenever problems occur (e.g., if demand exceeds supply).

3. Retrieve Devices: based on configured rules in the demand response program, the system determines how many consumer thermostats need to be adjusted to meet the DR need. At this point the system is completely agnostic to specific customer data. It retrieves device information from the registration system, limited to the device identifier and user constraints (e.g., minimum/maximum temperature).

4. Notify Device: the demand response system requests all devices whose tolerances allow it to change their temperature settings.

5. Deliver to Device: the Smart Grid ensures that the device is authenticated and the message is delivered securely to the device.

6. Respond: depending on the technology, a response is provided to the request.

7. Deliver Response: the Smart Grid ensures that the response is delivered to the demand response program system. The information is limited to an acknowledgement and the state of the action required.
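The following is an added example, written for this page and not code from the GISFI document or any utility's demand response platform. It covers the three customer enablement activities (enrolment, usage, termination) and the Figure 6 usage flow (steps 1 to 7 above) in Python, with the "limit data" and "data retention" supplementary requirements enforced by the data model: the registration system holds the customer half (name, address, account number), the demand response program sees only a random device token and the customer's temperature constraints, and termination removes both halves together. The field names, the setback rule, the thermostat model (a cooling season, so raising the setpoint sheds load) and the sample registrants are all assumptions made for illustration.

```python
"""Customer enablement (demand response) with enrolment data kept apart from
device management.

Added example; not code from the GISFI document. It models the three
customer enablement activities (enrolment, usage, termination) and the
Figure 6 usage flow, enforcing the "limit data" and "data retention"
supplementary requirements in the data model rather than by policy alone.
Field names, the setback rule and the sample registrants are constructed
for illustration; the thermostat model assumes a cooling season, where
raising the setpoint sheds load.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Fields that must never cross from the registration system to the DR program.
PII_FIELDS = frozenset({"account_no", "name", "address", "email"})


@dataclass
class Enrolment:
    """Held only by the registration system: this half knows who the customer is."""
    account_no: str
    name: str
    address: str
    device_token: str  # random link to the device record; reveals nothing about the customer


@dataclass
class DeviceRecord:
    """Seen by the DR program: device identifier and the customer's constraints only."""
    device_token: str
    min_temp_c: float
    max_temp_c: float
    current_temp_c: float


class RegistrationSystem:
    def __init__(self) -> None:
        self._enrolments: dict[str, Enrolment] = {}
        self._devices: dict[str, DeviceRecord] = {}

    # Activity 1: Enrolment. The token is random, so it cannot be derived from PII.
    def enrol(self, account_no: str, name: str, address: str,
              min_c: float, max_c: float, current_c: float) -> str:
        token = secrets.token_hex(16)
        self._enrolments[account_no] = Enrolment(account_no, name, address, token)
        self._devices[token] = DeviceRecord(token, min_c, max_c, current_c)
        return token

    # Activity 3: Termination. Data retention: both halves go at the same time.
    def terminate(self, account_no: str) -> bool:
        enrolment = self._enrolments.pop(account_no, None)
        if enrolment is None:
            return False
        self._devices.pop(enrolment.device_token, None)
        return True

    # Usage, step 3 "Retrieve Devices": the only view the DR program is given.
    def eligible_devices(self) -> list[dict]:
        return [vars(d).copy() for d in self._devices.values()]

    # Usage, steps 5-7: the Smart Grid delivers the notice and relays the device's reply.
    def deliver_to_device(self, notice: dict) -> dict:
        device = self._devices[notice["device_token"]]
        device.current_temp_c = notice["set_temp_c"]
        # Limit data on the return path too: acknowledgement and state, nothing else.
        return {"device_token": device.device_token, "ack": True, "state": device.current_temp_c}


class DemandResponseProgram:
    """Knows rules and devices, never customers."""

    def __init__(self, registry: RegistrationSystem, setback_c: float) -> None:
        self.registry = registry
        self.setback_c = setback_c  # step 1 "Configure": per-event setpoint increase

    def handle_alert(self, devices_needed: int) -> list[dict]:
        """Steps 2-4: on a grid alert, pick devices within tolerance and build notices."""
        notices: list[dict] = []
        for dev in self.registry.eligible_devices():
            if PII_FIELDS.intersection(dev):
                raise ValueError("limit data violated: customer fields reached the DR program")
            target = dev["current_temp_c"] + self.setback_c
            if target > dev["max_temp_c"]:  # outside the customer's stated tolerance
                continue
            notices.append({"device_token": dev["device_token"], "set_temp_c": target})
            if len(notices) == devices_needed:
                break
        return notices
```

The check in handle_alert is deliberately a hard failure rather than a filter: if a future change to the registration system starts returning customer fields, the DR program stops instead of silently processing them, which is the "trust but verify" posture the document asks for at test time applied at run time as well.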

















[Figure 6 sequence diagram: actors Program Operator, Program System, Registered Devices, Grid Management System, Smart Grid, Device; messages 1. Configure, 2. Alert, 3. Retrieve Devices, 4. Notify Device, 5. Deliver to Device, 6. Respond, 7. Deliver Response]

Figure 6: Sequence Diagram for Usage (Part of Customer Enablement in the Smart Grid)

In this example, the fundamental concept that underlies the entire flow is that the system executing demand response operations is completely blind to the specific, identifiable details of any given individual. Personally identifiable information is a function of program enrolment, but this association operates separately from device management. In other words, the system running the Smart Grid knows only the rules for the management of devices based on the program each is associated with, and is completely agnostic to the particular details of a given customer.

In the proposed approach, the segregation of data is proactively embedded directly into the system design; it is not a reactionary afterthought or a mechanism tacked on to the initial solution.

Similarly, privacy is the default, not something that must be asked for by the customer or initiated separately by the utility. Not only is this an elegant solution and the most efficient option from an operations perspective; it also achieves the utility's goal of demonstrating a strong respect for user privacy.

Finally, all use case designs and implementation artefacts must be reviewed to ensure compliance with this requirement and any supplementary requirements. When the system is delivered, test cases specifically aligned with the use cases will be developed and exercised. If the implementation deviates from the design artefacts, it will be identified as a defect requiring remediation. Thus, privacy is not only embedded into the design of the system; it is verified after it is built (trust but verify), and then tested along with other requirements.

7. Conclusion

Utilities will face many challenges in their transformative role of revamping our current electricity system into a truly "Smart" Grid. We acknowledge that while a significant portion of the Smart Grid implementation will not involve consumer information, the amount of personal information being collected and the digital nature of that information will precipitate internal changes within utilities that go well beyond individual IT departments. Hence privacy will play a crucial role in the deployment of such Smart Grids. This document proposes an integrated approach to system design that takes user security and privacy issues into consideration.
