
A Cybersafety Culture Can Help Reduce Energy Usage Data Privacy Risks

Christine Hertzog
Principal Technical Leader, Cyber Security Strategic Initiative Electric Power Research Institute

Christine Hertzog is a Principal Technical Leader focused on OT Cyber Security research at EPRI.  She conducts research on new technologies suitable for OT environments and informs industry...

  • Feb 4, 2015

Thanks to M2M and Smart Grid technologies, new energy usage data can be invaluable to help intelligently manage energy and reduce utility operations costs and consumer costs. However, new data means new privacy risks for consumers (residential, commercial, industrial, and agricultural), utilities, their vendor communities, and other entities that collect, transmit, use, and/or store that data.

As noted in the new book Data Privacy for the Smart Grid*, the variety of entities with access to this data can blur privacy roles and responsibilities. Confusion about data privacy is not a good state of mind for consumers, utilities, vendors, or regulators. Privacy is an outcome of intelligent cyber and physical security technologies, policies and practices, and its protection has to become part of organizational cultures. Look at it this way. Utilities have worked diligently to instill “top of mind” safety procedures in their organizations, because of the many dangers associated with electricity, gas, and water services.

We use this analogy in our guidance to utilities and vendors regarding data privacy. A cybersafety culture has to be embedded within utilities and vendors with access to energy usage data. Like safety procedures, regular exercises that identify all potential privacy risks and their mitigations must become an important habit of a cybersafety culture. Think beyond energy usage data too. EV charging, vehicle telematics, and digital health applications produce new data that has considerable privacy implications. Smart Grid technologies that are applied to water can produce new data about water consumption and waste water production that will have similar privacy concerns and risks, as well as other data that delivers personally identifiable information.

How do you achieve a cybersafety culture? Here are three suggestions derived from our methodology:

  • Does your company have a privacy policy that explicitly describes treatment of energy usage data? If not, one should be developed. Why? Because consumers as data owners can voluntarily share their energy usage data with data managers that are not affiliated with utilities. Consumers need to exercise caution by carefully reading the privacy policies of the third parties they authorize to be data managers or custodians of their energy usage data. And since we’re only human, this may not happen with the diligence or frequency that would apply in a perfect world. The often blurry lines of privacy roles and responsibilities may lead consumers to believe their energy usage data is covered by the privacy policies of a utility when their selected data manager has completely different privacy policies. The lack of a good utility privacy policy ruins a perfectly good opportunity to build and maintain that trusted advisor relationship that is the apex of excellent consumer engagement.
  • Try the “chain of data custody” exercise. Can you accurately map out the sensitive data gathered, used, transmitted, or stored in your business processes and who has access to this data? The exercise results may astonish you.
  • Ask your employees who is the ultimate owner of energy usage data. If they don’t know, you have a training issue to address. The owner has ultimate control and decision-making authority over their data. Utility customers are explicitly identified as owners of energy usage data in some Sometimes energy usage data is narrowly defined as consumption data. As consumers transform into prosumers capable of generating kilowatts and negawatts (and new data), energy production data ownership must also be addressed.

These three steps help utilities and vendors develop cybersafety cultures that mitigate data privacy risks. And here’s one more suggestion – be prepared to over-communicate your energy usage data privacy policy. If you don’t have a policy, today’s the day to change that.

* Published by Taylor and Francis Group. Co-authors: Christine Hertzog and Rebecca Herold. ISBN: 978-1-46-657337-6. Available for pre-sale now.

Photo Credit: Energy Data Privacy and Security/shutterstock
