NIST releases drafts of computer security publications. Included are guidelines relating to privacy issues, legal and otherwise
October 31, 2013
The National Institute of Standards and Technology has released drafts of computer security publications. They are found here. They cover the following topics:
- Guidelines for Smart Grid Cybersecurity
- A Role-Based Model for Federal Information Technology / Cyber Security Training (SP 800-16 Rev. 1, 2nd public draft)
- Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
- Guidelines on Mobile Device Forensics
- CVSS Implementation Guidance
- Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
- Cryptographic Algorithms and Key Sizes for Personal Identity Verification
- Guide to Attribute Based Access Control (ABAC) Definition and Considerations
- Reference Certificate Policy
- Trusted Geolocation in the Cloud: Proof of Concept Implementation
- Guidelines on Hardware-Rooted Security in Mobile Devices
- Guidelines for Media Sanitization
- A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)
- BIOS Protection Guidelines for Servers
- Guide to Intrusion Detection and Prevention Systems (IDPS)
- Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
- Specification for the Asset Summary Reporting Format 1.0
- Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains
- Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
- Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications
- CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
- BIOS Integrity Measurement Guidelines
- Common Remediation Enumeration (CRE) Version 1.0
- Proposed Open Specifications for an Enterprise Remediation Automation Framework
- Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements
- Security Requirements for Cryptographic Modules (Revised Draft)
- PIV Data Model Conformance Test Guidelines
- Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
- Guide to Enterprise Password Management
- Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems
- An Ontology of Identity Credentials, Part I: Background and Formulation
It is relevant to excerpt Chapter 5, Privacy and the Smart Grid, of Guidelines for Smart Grid Cybersecurity: Vol. 2, Privacy and the Smart Grid.
It provides, absent charts and footnotes:
5.1 WHAT IS PRIVACY?
There is not one universal, internationally accepted definition of “privacy”; it can mean many things to different individuals. At its most basic, privacy can be seen as the right to be left alone. Privacy is not a plainly delineated concept and is not simply the specifications provided within laws and regulations. Furthermore, privacy should not be confused, as it often is, with confidentiality; and personal information is not the same as confidential information.
Confidential information is information for which access should be limited to only those with a business need to know and that could result in compromise to a system, data, application, or other business function if inappropriately shared.
Additionally, privacy can often be confused with security. Although there may be significant overlap between the two, they are also distinct concepts. There can be security without having privacy, but there cannot be privacy without security; it is one of the elements of privacy.
Security involves ensuring the confidentiality, integrity, and availability of data. However, privacy goes beyond having proper authentication and similar security protections. It also addresses such needs as ensuring data is only used for the purpose for which it was collected and properly disposing of that data once it is no longer needed to fulfill that purpose.
It is important to understand that privacy considerations with respect to the Smart Grid include examining the rights, values, and interests of individuals; it involves the related characteristics, descriptive information and labels, activities, and opinions of individuals, to name just a few applicable considerations.
For example, some have described privacy as consisting of four dimensions:
- Privacy of personal information.
- Privacy of the person. This is the right to control the integrity of one’s own body. It covers such things as physical requirements, health problems, and required medical devices.
- Privacy of personal behavior. This is the right of individuals to keep any knowledge of their activities, and their choices, from being shared with others.
- Privacy of personal communications. This is the right to communicate without undue surveillance, monitoring, or censorship.
Most Smart Grid entities directly address the first dimension, because most data protection laws and regulations cover privacy of personal information. However, the other three dimensions are important privacy considerations as well; thus dimensions 2, 3, and 4 should also be considered in the Smart Grid context because new types of energy use data may be created and communicated. For instance, unique electric signatures for consumer electronics and appliances could be compared against some common appliance usage profiles to develop detailed, time-stamped activity reports within personal dwellings. Charging station information might reveal the detailed whereabouts of an electric vehicle (EV). This data did not exist before the application of Smart Grid technologies.
The Privacy Subgroup looked at how the Smart Grid, and the data contained therein, could potentially be used to infringe upon or otherwise negatively impact individuals’ privacy in the four identified dimensions and then sought ways to assist Smart Grid organizations in identifying and protecting the associated information. While many of the types of data items accessible through the Smart Grid are not new, there is now the possibility that other parties, entities or individuals will have access to those data items; and there are now many new uses for and ways to analyze the collected data, which may raise substantial privacy concerns. New energy usage data collected outside of smart meters, such as from home energy management systems, is also created through applications of Smart Grid technologies. As those data items become more specific and are made available to additional individuals, the complexity of the associated privacy issues increases as well.
The mission of the Privacy Subgroup is to recognize privacy concerns within the Smart Grid and to identify opportunities and recommendations for their mitigation. In addition, the group strives to clarify privacy expectations, practices, and rights with regard to the Smart Grid by—
- Identifying potential privacy problems and encouraging the use of relevant Fair Information Practice Principles;
- Seeking input from representatives of Smart Grid entities and subject matter experts, and then providing guidance to the public on options for protecting the privacy of—and avoiding misuse of—personal information used within the Smart Grid. This guidance is included in this chapter; and
- Making suggestions and providing information to organizations, regulatory agencies, and Smart Grid entities in the process of developing privacy policies and practices that promote and protect the interests of both Smart Grid consumers and entities.
To meet this mission, this chapter explores the types of data within the Smart Grid that may place individuals’ privacy at risk, and how the privacy risks related to the use, misuse, and abuse of energy usage data may increase as a result of this new, always-connected type of technology network.
Because “privacy” and associated terms mean many different things to different audiences, definitions for the privacy terms used within this chapter are found in Appendix E, and definitions for energy terms are included in Appendix K.
5.2 LEGAL FRAMEWORKS AND CONSIDERATIONS
Since this document was first published in 2010, the legislative frameworks, concepts, and themes have remained generally the same. However, additional Smart Grid-specific privacy laws and regulations have been passed. Further, an increase during this period in threats and public awareness of those threats adds a few considerations to the discussion of legal frameworks and privacy in the Smart Grid.
Utilities often store Social Security Numbers (SSNs) and financial account numbers in their payroll or billing systems and have been obligated to follow the associated legal requirements for safeguarding this data for many years. The sharing and storage capabilities that the Smart Grid network brings to bear creates the need to protect not only the items specifically named within existing laws, but in addition to protect energy usage data and associated personal information in ways that existing laws may or may not address.
Generally, privacy concerns include considerations related to the collection and use of energy consumption data. These considerations exist, unrelated to the Smart Grid, but Smart Grid aspects fundamentally change their impact.
5.3.1 General Privacy Issues Related to Smart Grid Data
The primary privacy issue related to the deployment of Smart Grid technologies is that the installation of advanced utility electric meters and associated devices and technology will result in the collection, transmittal and maintenance of personally identifiable data related to the nature and frequency of personal energy consumption and production in a more granular form. This concern arises when this type of data and extrapolations of this data are associated with individual consumers or locations. Utilities have routinely collected energy consumption and personal billing data from customers for decades. The new privacy issues associated with advanced metering infrastructure are related to the behavioral inferences that can be drawn from the energy usage data collected by the meter at more granular frequencies and collected intervals. Additionally, smart meter data also raises potential surveillance issues relating to the methods by which the data is collected and transmitted (electronic collection transmittal rather than manual meter reading and compilation).
The ability to determine specific appliances or customer patterns depends on how often the meter is collecting information and what data the meter is collecting. Collecting energy usage data at more frequent intervals (rather than monthly meter reads using traditional meters) may enable one to infer more information about the activities within a dwelling or other premises than was available in the past. At the time of this report, most residential smart meters in the United States are collecting either 15 minute interval or 1 hour interval consumption data. The data that is measured is total consumption (kWh) during a particular period of time; the availability of that total consumption data over a period of time, combined with the educated knowledge necessary to identify and analyze specific and/or unique appliance/equipment signatures contained within that more granular total consumption data, is what may enable a third party to identify particular appliances or usage patterns. The meter itself is only measuring consumption, and any ability to identify specific appliances or usage patterns would require the data to be compared or applied against a pre-determined set of usage patterns or portfolios; the data itself does not identify a specific appliance. The meter may be capable of collecting additional usage information, such as voltage or frequency, but the utility must enable the meter to measure it and make that data available to the utility, customer, or authorized third party.
In addition, although many smart meters come pre-equipped with a second radio in order to enable a Home Area Network (HAN), such meters are not necessarily paired with devices installed and located inside a premise by a customer or customer-authorized third party by default. When authorized by the utility, the HAN would be allowed to continuously poll the smart meter and obtain data that could continually feed an in-home display with real-time meter information. The connection of a meter to a HAN simply allows for the data to be collected at more frequent intervals, but it is still limited to polling intervals dictated by the meter’s technical capability and/or what the meter is set up to provide. If a HAN device is given the polling capabilities of a meter, there could be programs developed to poll a meter for its usage or other readings in a way that may have not been technically enabled by the utility in accordance with the customer’s preferences. If so requested or required, one way to minimize the exposure to such programs is to enable all meters to push specific information to a paired HAN device or gateway based on an interval set by the utility or customer. The HAN operators would coordinate with the utility for the initial setup to pair the meter with the HAN using certificates or some form of mutual authentication. Once established, the customer would be required to alter the permissions granted to the HAN in order to actively request any additional data from the meter.
Footnote in the original: The customer would need to provision the HAN device to the smart meter using unique device-specific keys, MAC ID and installation code. The provisioning process may vary depending on the particular smart meter implementation at each utility. For example, in the Texas market, customers, and authorized customer agents (retail electric providers and other third parties) are able to provision devices through the use of the Smart Meter Texas web portal. In other areas the provisioning process may be managed through utility-specific portals. Because the customer must first provision the HAN device to the smart meter, it is not currently possible for a HAN device to automatically join the associated smart meter network. And a smart meter that used the Zigbee Smart Energy Profile (SEP) cannot automatically join the customer HAN without the cooperation of the customer. It is important to note that a smart meter isn’t necessary for a customer to have a HAN; it is only necessary if the customer wants to access the real-time feed from their associated smart meter. This group will consider doing more in-depth research for this issue in the next version of NISTIR 7628 Volume 2.
With the application of a HAN, it may be possible to access additional information, such as voltage or frequency readings in one-second increments and to identify a particular appliance through data disaggregation of those readings and profiles, provided the utility has activated that ability. Nevertheless, the ability to access this HAN-enabled data is dependent on both the utility enabling this ability and the customer installing the necessary technology. Access to meter data is dependent on the utility. Access to the HAN data is not usually dependent on the utility but rather on the customer’s HAN device/system.
Using nonintrusive appliance load monitoring (NALM) techniques, interval energy usage at different time periods can be used to infer individual appliances’ portions of energy usage by comparison to libraries of known patterns matched to individual appliances. ... NALM techniques have many beneficial uses for managing energy usage and demand, including pinpointing loads for purposes of load balancing or increasing energy efficiency. However, such detailed information about appliance use has the potential to indicate whether a building is occupied or vacant, show residency patterns over time, and potentially reflect intimate details of people’s lives and activities inside their homes.
The proliferation of smart appliances and devices from entities other than utilities throughout the Smart Grid means an increase in the number of devices that may generate data beyond the utility’s metering and billing systems. This data may also be outside the utility’s responsibility. The privacy issues presented by the increase in these smart appliances and devices on the consumer side of the meter are expanded if such appliances and devices transmit data outside of the HAN or energy management system (EMS) and do not have documented security requirements (e.g., a smart appliance being able to send data back to the manufacturer via telematics), thereby effectively extending the reach of the system beyond the walls of the premises. An additional consideration is that new third party entities may also seek to collect, access, and use energy usage data directly from customers, rather than from the utility (e.g., vendors creating energy efficiency or demand response applications and services specifically for smart appliances, smart meters, and other building-based solutions). The ability of the customer to understand these risks may require customers to be better educated and informed on the privacy consequences of decisions regarding these third party services.
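As an added illustration (not part of NISTIR 7628 or of this post) of the point above that what a load-signature comparison can infer depends on the meter read interval: the same toy step-matching routine is run over constructed 15-minute readings and over those readings aggregated to hourly and daily totals. The appliance library, the baseline load and the readings are all constructed for this example.

```python
"""Toy illustration of how read granularity governs what a load-signature
comparison (the NALM approach described above) can infer. All data here is
constructed for the example; nothing is taken from a real meter or utility."""

INTERVAL_HOURS = 0.25  # 15-minute reads, the common U.S. residential case

# Constructed appliance library: rated draw in kW. Real signature libraries
# are far richer; two entries suffice to show the effect of aggregation.
LOAD_LIBRARY = {"water heater": 4.5, "clothes dryer": 3.0}


def build_day(baseline_kw=0.3):
    """Constructed day of 96 fifteen-minute kWh reads: a constant baseline,
    a water heater on 06:00-06:30 and a clothes dryer on 18:00-19:00."""
    power_kw = [baseline_kw] * 96
    for i in range(24, 26):   # 06:00 and 06:15 reads
        power_kw[i] += LOAD_LIBRARY["water heater"]
    for i in range(72, 76):   # 18:00 through 18:45 reads
        power_kw[i] += LOAD_LIBRARY["clothes dryer"]
    return [p * INTERVAL_HOURS for p in power_kw]


def aggregate(kwh_reads, factor):
    """Sum consecutive reads, e.g. factor=4 turns 15-minute reads into hourly."""
    return [sum(kwh_reads[i:i + factor]) for i in range(0, len(kwh_reads), factor)]


def infer_appliances(kwh_reads, interval_hours, tolerance=0.10):
    """Match upward steps in average power between consecutive reads against
    the library. Returns (hour_of_day, appliance) for every match."""
    avg_kw = [kwh / interval_hours for kwh in kwh_reads]
    found = []
    for i in range(1, len(avg_kw)):
        step = avg_kw[i] - avg_kw[i - 1]
        if step <= 0:
            continue  # only switch-on events are matched here
        for name, rated in LOAD_LIBRARY.items():
            if abs(step - rated) <= tolerance * rated:
                found.append((i * interval_hours, name))
    return found


def inferences_by_granularity():
    """Run the same inference at 15-minute, hourly and daily resolution.
    Aggregation smears a 30-minute load across an hour, so the water heater
    is no longer matched at hourly resolution and nothing is matched daily."""
    fine = build_day()
    return {
        "15-minute": infer_appliances(fine, INTERVAL_HOURS),
        "hourly": infer_appliances(aggregate(fine, 4), 1.0),
        "daily": infer_appliances(aggregate(fine, 96), 24.0),
    }


if __name__ == "__main__":
    for label, hits in inferences_by_granularity().items():
        names = [name for _, name in hits] or ["nothing identifiable"]
        print(f"{label:>10}: {', '.join(names)}")
```

The drop from two identified appliances at 15 minutes to one at hourly and none at daily resolution is the granularity trade-off the chapter describes; choosing the coarsest interval that still serves the billing or demand-response purpose is the corresponding data-minimization control.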
An additional issue is that as Smart Grid technologies collect more detailed data about households, law enforcement requests to access that data for criminal investigations may include requests for this more detailed energy usage data, which heretofore has generally been neither of interest nor use to law enforcement. Law enforcement agencies have already used monthly electricity consumption data in criminal investigations. For example, in Kyllo v. United States, 533 U.S. 27 (2001), the government relied on monthly electrical utility records to develop its case against a suspected marijuana grower.
Unlike the traditional energy grid, the Smart Grid may be viewed by some as carrying private and/or confidential electronic communications between utilities and end-users, possibly between utilities and third parties, and between end-users and third parties. Current law both protects private electronic communications and permits government access to real-time and stored communications, as well as communications transactional records, using a variety of legal processes. Law enforcement agencies may have an interest in establishing or confirming presence at an address or location at a certain critical time, or possibly establishing certain activities within the home—information that may be readily obtained from energy usage data collected, stored, and transmitted by new, more granular Smart grid technologies, such as a HAN that accesses a smart meter capable of a real-time feed. Accordingly, these types of situations regarding smart grid data warrant review and consideration in comparison to similar restrictions on law enforcement access to other personal and private information under existing constitutional and statutory privacy requirements.
5.3.2 Existing Legal and Regulatory Frameworks
When considering the possible legal issues relating to Smart Grid privacy it is important to note that general privacy laws currently in effect may or may not already apply to personal information generated by the Smart Grid even if the laws do not explicitly reference the Smart Grid (including unique Smart Grid data and/or technology). On the other hand, existing state-level Smart Grid and electricity delivery regulations may or may not explicitly reference privacy protections.
While it is uncertain how general privacy laws may or may not apply to energy usage data collected, stored, and transmitted by Smart grid technologies, it is clear that the Smart Grid brings new challenges and privacy issues, which can lead to detailed information and additional insights about device usage, including medical devices and vehicle charging data that may be generated by new services and applications provided directly by third-parties to customers. These new data items, and the use of existing data in new ways, may require additional study and public input to adapt to current laws or to shape new laws and regulations.
To understand the types of data items that may be protected within the Smart Grid by existing non-Smart Grid-specific privacy laws and regulations it is important to first consider some of the most prominent examples of existing laws and regulations, that provide for privacy protection, which will be discussed in the following sections.
5.3.2.1 Overview of U.S. legal privacy protection approaches
There are generally four approaches in the U.S. to protecting privacy by law—
- Constitutional Protections and Issues: General protections. The First (freedom of speech), Fourth (search & seizure), and Fourteenth Amendments (equal protection), cover personal communications and activities.
- Data-specific or technology-specific protections, including direct regulation of public utilities by state public utility commissions. These protect specific information items such as credit card numbers and Social Security Numbers (SSN); or specific technologies such as phones or computers used for data storage or communication; or customer-specific billing and energy usage information used by public utilities to provide utility services. Other federal or state laws or regulations may apply privacy protections to information within the context of specific industries (e.g., Gramm-Leach-Bliley, HIPAA, etc.).
- Contractual and Agreement-related Protections and Issues: Specific protections. These are protections specifically outlined within a wide range of business contracts, such as those between consumers and businesses.
- Statutory, Regulatory and Case Law, both Federal and State
Even though some states and public utilities commissions (PUCs) have laws and/or regulations in place to protect energy consumption data in some manner, some states, such as California and Colorado, have passed or implemented rules and regulations specifically focused on the energy consumption data produced by smart meters. Energy consumption patterns have historically not risen to the level of public concern given to financial or health data because (1) electrical meters had to be physically accessed to obtain usage data directly from buildings, (2) the data showed energy usage over a longer time span such as a month and could not be analyzed to reveal usage by specific appliance, and (3) it was not possible or as easy for utilities to share this specific granular data in the ways that will now be possible with the Smart Grid. Public concerns for the related privacy impacts will likely change with implementation of the Smart Grid, because energy consumption data may reveal personal activities and the use of specific energy using or generating appliances, and because the data can be used or shared in ways that will impact privacy.
While some states have examined the privacy implications of the Smart Grid, most states had little or no documentation available for review by the privacy subgroup. Furthermore, enforcement of state privacy-related laws is often delegated to agencies other than PUCs, who have regulatory responsibility for electric utilities. However, state PUCs may be able to assert jurisdiction over utility privacy policies and practices because of their traditional jurisdiction and authority over the utility-retail customer relationship.