The term "smart grid" itself suggests that deploying intelligent infrastructure necessarily must be better than continuing to use existing infrastructure: Don't be dumb, deploy a smart grid. As utility companies are learning from various smart grid deployments, however, the value to be gained by deploying a smart grid is highly dependent upon both the design and the deployment of the infrastructure upgrades. Like any tool, a smart grid is only beneficial if it is used correctly to achieve a specific and obtainable goal.
The promise of smart grids lies in the ability to gather more detailed data about the performance of the utility network and to permit much greater control -- by both consumers and the utility -- of the utility network. Of course, these benefits are even greater for smart grids that are designed to be flexible so that the utility can efficiently adapt to changes over time.
Consumer trust
Consumer trust is paramount, because few factors can spoil the deployment of a smart grid faster than rejection by the public. Transparency and honesty are keys to building consumer trust: say what you do, and do what you say, as early as possible in the deployment. Also, while marketing and education about a smart grid deployment are important, they are no substitute for a clear vision for a smart grid that yields tangible benefits to the public. Successful deployments of smart grids typically reflect an understanding by the public of the benefits of the equipment deployed and data collected, or at the very least, trust that the utility will not misuse consumer information to the detriment of the public.
Data collection, processing and retention
With respect to data, more is not always better. Indeed, gathering data that you do not use increases risk without adding any value. Unused, or worse yet unusable, data is a liability, not an asset. A flood of data that might be useful in the future can distract utilities from information upon which they can act today. All data that a utility collects must be zealously protected, and the greater the volume of data collected, the greater the consequences likely will be in the event of a breach. But the collection of data that a utility is not using can erode or destroy consumer trust even in the absence of a breach, because consumers, and regulators, are wary of data collection that cannot be linked directly to consumer benefits.
For these reasons, utilities should collect only the data they need today in order to secure specific and tangible benefits, and retain it only as long as absolutely necessary. Minimization of data collection not only reduces risk, but it also makes it far easier for a utility to explain how the smart grid works and why the associated data collection benefits the public. At the early stages of a smart grid deployment, many utilities simply are not able to process or use all of the data that the smart grid could collect. As such, it is wise not only to deploy the most capable equipment possible, but also to phase in activation of capabilities only after the utility is ready, willing and able to process the data collected as a result of the activated capability to the benefit of the public. As a utility phases-in deployment of more capabilities, it should notify and educate the public about the new capabilities and the benefits that they will bring.
Data collected from a smart grid should be accessible only as needed to secure the specific benefits that the utility has identified as justifying the collection of the data. The time that a utility spends to limit and manage access to an only-as-needed basis is well worth it, because providing unnecessary access to the data creates risk without any accompanying benefit. Employees and any subcontractors must be trained with respect to the access policies and acceptable uses for the data, and there must be consequences from violations of the associated policies.
The sharing of data with third parties should be undertaken with extreme care, particularly to the extent that sharing is not necessary to secure a tangible and direct benefit for the consumers from which the data was collected. While the sharing of anonymized data -- permanently converting personally identifiable information (PII) into non-identifying data -- raises fewer concerns, regulators and the public are wary of the selling or sharing of data under circumstances that do not directly benefit those from who the data was generated. These concerns are based, in part, on the practice of some to "de-anonymize" or "re-identify" data as well as circumstances under which the anonymized data itself can be PII because hackers know the significance of anonymized characters and can use techniques to recover the missing information. Accordingly, even where applicable law permits the sharing of data collected by a smart grid with a third party, utilities should carefully consider the potential consequences associated with any type of data sharing, including the potential damage to consumer trust that can occur even where there is in fact very little risk of harm to the consumer.
The lesson to be learned from past smart grid deployments is that utilities should be deliberate about the amount and type of data they collect, the ways in which they use the data, the technical, procedural and physical means they use to protect the data, the length of time they retain the data, the ways in which they share the data, and how they explain these issues and the benefits of the smart grid to consumers and regulators. Smart choices about how a smart grid is designed to collect and use data will increase its value to the utility and its consumers.
Data and utility network security
Protecting the nation's utility networks from attacks and outages, whether caused by man or by natural disasters, is a critical national security issue. The capabilities that a smart grid enables can either help make a utility network more secure and stable, or it can create new pathways to insecurity and outages. Unfortunately, the frequency and intensity of natural disasters has seemingly increased during past years, and it is no secret that cyber attacks on key utility networks are increasing. Efforts to address cybersecurity are dispersed among private initiatives and various federal, state and local agencies, but more must be done to improve cybersecurity.
With respect to the US bulk power system, for example, mandatory federal reliability standards include some cybersecurity protections. Specifically, critical infrastructure protection (CIP) standards developed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) cover critical cyber asset identification, security management controls, personnel and training, electronic security, physical security, systems security, incident reporting and response planning, and recovery plans. Smart grids should be designed not only to facilitate compliance with mandatory requirements like these, but also to facilitate best practices for risk-management and developing efforts to share information as needed to improve security across the industry. The smart grid should be designed to provide a depth of defense so that attacks can be identified earlier rather than creating new points of weakness that can be exploited. As with data, a deliberative approach to designing security into the smart grid from the beginning will yield big benefits over time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
