Security in the Home Energy Management System (HEMS)

I posed two questions last week to a number of Smart Grid-related groups organized within LinkedIn®.  The questions were:  “What do you consider to be the most important security challenges in protecting consumer data in a HEMS application, and what are the most important privacy challenges?”

I asked these questions because this application will be ubiquitous in homes in the next few years.  The answers I received included an R&D shop’s solution (which might be proprietary), feedback about sensitivity of usage data, and a reference to the UtilityAMI Home Area Network System Requirements Specification.

Let’s talk about the sensitivity of usage data – how much energy you use.  This is often cited as a security concern – if people can capture the data about the electricity you are consuming, they can tell if you are home or not.  I guess that’s true, but they would have to know an awful lot about my typical electricity use.  What if I’m a careless energy consumer who leaves computers, TVs, cell phone chargers, and lights on all the time – whether I’m home or not?  In this example, will there really be a significant difference in my kWh if I leave town for a week?  Maybe from a stratospheric bill to merely sky-high.

In a world with more microgrids, the bad guys looking at my usage data would not know that a sudden decrease in my energy bills might be due to my brand new mini-wind turbine and solar panel installation.

I do think people would be very touchy about the confidentiality of this information – I might not want my neighbors to know that I’m an electricity guzzler.  However, I don’t think extrapolating my usage data is a worthwhile criminal enterprise for people looking to make an illegal buck.

More malicious activities would involve compromising the integrity of my usage data.  Although I can’t see what monetary gain a hacker would reap from modifying this data, they could certainly stress me out if my next utility bill was in the stratosphere.  Ditto if they messed with my microgrid data, depriving me of the cash that I was expecting from the utility based on their purchase of my microgrid’s generating capacity.

So usage data may not be the most important data to secure in a HEMS application.  However, financial data and personal identification data like Social Security Numbers might be connected somewhere in a HEMS application to a utility, and therefore may be vulnerable to unauthorized access or compromised integrity.  That could be a problem.  We read stories all too often of the global criminal networks engaged in buying and selling credit cards and identification information.  This is a potentially huge liability for utilities, but they are working to address it through groups like the UtilityAMI OpenHAN Task Force.

The UtilityAMI OpenHAN (Home Area Network) Task Force has defined 4 sections under the security category for guidelines that promote open, standards-based interoperable HANs.  Any HEMS application would be part of the HAN, and governed by the security guidelines under development by this group and other knowledgeable organizations.  The OpenHAN Task Force defines the following four subcategories: access – the control and confidentiality of data and information; integrity – the ability to ensure protection of data (in storage and in transit) from unauthorized users; accountability – the date/time/user event info to audit a system; and registration – the authentication of identities that are established within a HAN and known to a utility.  This is a great construct for utilities and vendors to ensure that all software is designed and deployed to ensure security as well as interoperability.

This Task Force takes a utility-centric view, which is perfectly reasonable considering that utilities have a great deal at stake in getting the right specifications defined for future Smart Grid operations.  The work that this Task Force has been doing is also shared with the ongoing work that NIST is undertaking in conjunction with EPRI to develop interoperability and security standards.

I’ll lead a discussion about software characteristics – especially at the user interface in HEMS applications – for the Smart Grid at the Green Software Unconference on August 19th in Mountain View, CA.  Join me there – click here to learn more about the agenda and how to register.