In Washington, where big brains often confront such matters, it's understood that a smart grid rollout could overwhelm current safeguards for privacy and data security. News that the government is working on it may calm some fears -- or might not, depending on one's faith in federal initiatives.

One of the solutions on the table is a strategy and requirements project managed by the National Institute of Standards and Technology, which this month released a report that makes the collective privacy and security recommendations of about 350 experts available for review and comment.

The 300-page draft, "Smart Grid Cyber Security Strategy and Requirements," identifies the types of personal and business information that can be collected via SG technology, suggests practices that could be codified to address security issues, describes the known actors and interfaces in the "logical architecture" of the SG, discusses various categories of vulnerability to the grid based on comments received on an earlier draft, and identifies security/privacy "thematic issues" requiring immediate research and development.

The NIST report's collective authorship includes representatives of vendors, service providers, academics, regulators and federal agencies convening as the Smart Grid Interoperability Panel.

The draft's focus on privacy coincides with mounting concern about the ability of data miners to piece together highly detailed information about individuals from unconnected and "anonymized" sources.

It cites the revelation of a 2000 study by Carnegie Mellon University researcher Latanya Sweeney, who obtained publicly available health insurance information on Massachusetts state workers that was stripped of names, addresses, social security numbers and other identifying information. Sweeney then purchased state voter rolls for Cambridge, including the name, ZIP code, address, sex and birth date of every registrant.

The insurance data showed that there were six people in Cambridge born on the same day as the governor:  half were men. The voter data allowed Sweeney to pinpoint the state's governor as the only one of those residing in a particular ZIP code in Cambridge. The corresponding health-insurance data included the governor's medical diagnoses and prescriptions.

Thus, Latanya managed to use two data sources to obtain personal information that couldn't be learned from either one alone.

The draft also cites a 2009 paper by Colorado-based analyst Elias Leake Quinn that demonstrated how the frequency and quality of SG load readings can be used to identify which appliances -- and therefore which activities -- are taking place behind the meter, and when.

"The ability to access, analyze and respond to much more precise and detailed data from all levels of the electric grid is critical to the major benefits of the smart grid, and it is also a significant concern from a privacy viewpoint," NIST says.

The takeaway is that mere anonymization of meter-specific data generated by the SG won't be sufficient to assuage privacy concerns -- or to protect customers' privacy, for that matter.

A "privacy impact assessment" conducted last year by a subgroup within the authoring panel found shortcomings at both the federal and state level.

"Comprehensive and consistent definitions of privacy-affecting information with respect to the smart grid typically do not exist at state or federal regulatory levels, or within the utility industry," the report asserts.

Standards Will Proliferate

NIST notes that at present, the North American Electric Reliability Council's Critical Infrastructure Protection standards are the only ones mandated for SG installations. The report identifies additional prospective requirements that its authors found to be either "directly relevant" to the SG or applicable to SG control systems.

Their draft "requirements list" includes more than 240 standards for developers that are derived from a catalog developed by the Department of Homeland Security.

"In addition, there are many security requirements that are common to all the logical interface categories" that make an SG installation, the report says. "The majority of these requirements are for governance, risk and compliance."

So far, the requirements list identified by the report's authors are to be considered as guidance rather than mandates. However, the document adds that "each organization will need to perform a risk assessment to determine the applicability of the recommended requirements."

Public comments on the draft are due to NIST by April 2. Ultimately, the consensus privacy and security standards will be the subject of a ruling to be issued by the Federal Energy Regulatory Commission.

Stephen Munro is a D.C.-based analyst and journalist specializing in state and federal utility regulation. Contact him on (202) 744-8553 or [email protected].