Читать книгу Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea - Страница 96

As new capabilities are included in the Smart Grid, potential new privacy concerns will emerge for which no legal mitigation currently exists. A significant number of privacy breaches occur not because of an attack but through noncompliance with privacy policy or having no policy. For example, a laptop that has a copy of PII data becomes a privacy breach if the laptop is improperly disposed of, lost, or stolen. Hence, measures for protection of privacy have to be designed and implemented too. Thus, a privacy program should be planned, designed, implemented, and maintained. Factors that should be considered in design of a security program include the following:

 Privacy rights continue to evolve by legislation, litigation, and regulation, and the data gathered will be subject to the relevant jurisdiction(s).

 AnonymizationIf private information is not properly anonymized, even data like electrical appliance usage or electric vehicle charging schedules may constitute a privacy violation. In electrical sector, the ownership and rights associated with PII varies by jurisdiction. In some jurisdictions, the person owns their data, while in other jurisdictions, ownership is less clear. For example, a utility that gathers contact and other information for billing purposes may be restricted in use of the PII for any other purposes without consent of the customer – possession of the data is not the same as ownership.

 Technologies and capabilitiesThe advancing of technologies such as data mining and pattern recognition can be used on identifying the identity of persons when customer data and energy data is analyzed. Recognizing electric signatures of smart appliances and developing detailed, time‐stamped activity reports, utilities, or third‐party service providers can determine lifestyle details that could be legitimately characterized as PII in most jurisdictions.

  Dedicated privacy group with its own managementAlthough in many organizations, security group is supporting the privacy requirements, the future commands for more responsibility and accountability for the implementation of data privacy specifically in smaller‐size enterprises, and need for establishment of a dedicated privacy group with its own management [Shei 2013]. The organizations have to understand that security is only one aspect of privacy and privacy protection implies organization and business decisions.

Ensuring privacy requires a bundle of technologies, policies, culture, regulations, and harmony between many business units from security to legal to human resources to employees [Shei 2013]. Examples of guidelines and recommendations for the protection of privacy data and harmonization of disparities in national privacy regulations are documented in [OECD 2013].

Currently, many countries, organizations, and associations support efforts to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives. In the United States, National Cyber Security Alliance mandates that [NCSA 2014]:

Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it.

This document [NISTIR 7628r1] provides definitions, requirements, safeguards, and use case impacts of privacy breaches. Privacy considerations with respect to the Smart Grid include four aspects: privacy of personal information, privacy of the person, privacy of personal behavior, and privacy of personal communications.

A privacy policy framework for the Smart Grid and for smart homes is suggested in [GridWise 2011]. This framework is limited and addresses only consumer privacy issues that arise from the collection, use, and retention of such data no matter from what source it is collected.

In this book, we do not focus on engineering a privacy program, although some approaches used in engineering the security program could be used for building a privacy program.