NIST, smart grid privacy and social networking for security pros

Last month, the National Institutes of Standards and Technology (NIST) outlined a framework for building more intelligence and interoperability into the electrical system of the United States. Such a system is generally known as the “smart grid.” Commerce Secretary Gary Locke released a plan for smart grid interoperability that’s meant to lead to a “secure, more efficient and environmentally friendly” system. A draft of the report from NIST is available for download as a PDF: “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0″

Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.

These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”

As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:

1. Identity theft.
2. Determining personal behavior patterns.
3. Determining specific appliances used.
4. Performing real-time surveillance.
5. Revealing activities through residual data.
6. Targeted home invasions.
7. Providing accidental invasions.
8. Activity censorship.
9. Decisions and actions based upon inaccurate data.
10. Revealing activities when used with data from other utilities.

Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.

Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:

1. Enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions.
2. State utility commissions currently lack formal privacy policies or standards related to the smart grid.
3. The lack of consistent and comprehensive privacy policies throughout the entities that will be involved with the smart grid creates a privacy risk.
4. Comprehensive and consistent definitions of personally identifiable information do not typically exist.

The body of the privacy groups work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).

Social networking and distributed collaboration sped up report writing for infosec team

One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:

1. Ensuring adequate input from each of the 50 state NARUC energy commissions and other sources in a very short time frame.
2. Aligning recommendations with the plethora of existing laws.
3. Documenting concrete privacy risks.
4. Separating privacy risks from security and other risks.

According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.

“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.

Cortes also said NIST involved Twitter users from the start.

UPDATE: Christophe Veltos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”

“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. ”One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.

”All meetings were organized by conference call, and drafts of the Smart Grid Privacy policy documents and project plans were exchanged by email. In between meetings, members interacted informally on Twitter, similar to running into colleagues in the hall when everyone works physically in the same building. These informal Twitter dialogues facilitated relationship-building among the team and problem-solving between meetings.”

According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:

1. If you’re in IT and you’re not comfortable with Twitter, you are lacking a basic technical skill.
2. Twitter enables members of the IT community to check out each other’s static Web pages and credentials, but then get to know members of their own industry over time through their communications streams. How professional and informative is this person, over a period of time? How respected are they by other well-respected professionals, apparent through the interlocking web of followers? How many others respect this person, apparent from absolute numbers of followers, quality of followers, and mentions by others?
3. Twitter communication allows personality to come through and thus enables people to feel comfortable with each other much more quickly than other mediums.
4. It allows for a combination of private and public messages, allowing swift reaction to breaking industry developments.
5. It allows professionals to get a quick response to a technical question.
6. It enables professionals to know at a glance whether they are up to date on developments on our field or out to lunch, a constant problem in this field. What are other respected IT professionals talking about each day? What are they not talking about?”

If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.