Protecting Grid Data Vital in Age of DERs, Regulators Warn

Utilities Must Safeguard Privacy While Maintaining Information Access

NARUC

Jul 22, 2021

Panelists at NARUC's policy summit discussed how to gather enough data to keep distributed energy resources running while respecting customers' privacy.

As distributed energy resources (DER) such as rooftop solar and battery storage spread throughout electric grids and even into utility customers’ homes, industry stakeholders must implement strong safeguards to ensure the data they collect does not fall into the wrong hands, panelists told the National Association of Regulatory Utility Commissioners’ (NARUC) Summer Policy Summit on Tuesday.

Speaking at the “Grid Data: Valuable or Vulnerable?” panel, representatives from industry, regulators and the academic community discussed the difficulty of balancing the need for accurate data about grid conditions — which allows for DERs to be managed safely — with protecting the privacy of those who depend on access to electricity.

“There’s always that tension: Is it an opt-in or is it an op-out kind of situation?” said Jay Balasbas, a member of Washington’s Utilities and Transportation Commission. “A few years ago, our legislature gave us the task of doing some consumer protections for community solar projects with customers, and … one of the questions we [had] in the rules was, how do we deal with that? How do the customers work with vendors and get that information? It’s a very interesting tension, and … it really can go a lot of different ways.”

In response to a question from moderator Dianne Solomon of New Jersey’s Board of Public Utilities about the role of state regulators in deciding what grid data can be made available, Balasbas discussed a Washington statute that mandates that data from customers be considered “valuable commercial information [that] can only be released in very limited circumstances.”

Matthew Green, CIO for PPL Electric Utilities (NYSE:PPL), said his company balances the needs of information and privacy by providing vendors with “contextual data that helps them achieve their goals.” PPL has achieved this balance through a platform that aggregates and anonymizes user information when necessary, so that DER vendors have the information they need for installing their projects but the risk of third parties gaining access to personally identifiable information is minimal.

“As a consumer, I’m sure you’re experiencing all this, where you search for something, and then all of a sudden you get targeted advertisements for that product or service for the next several weeks,” said Green. “I appreciate the ability of leveraging data to provide more customized experiences, but when I’m seeing those types of things without giving consent, I feel like that’s crossing a line.”

https://rtowww.com/wp-content/uploads/2023/06/140620231686785501.jpeg — Andy Bochman of Idaho National Labs attended the panel remotely. | *NARUC*

Andy Bochman, senior grid strategist at Idaho National Labs, said that reckless information sharing has problems beyond simply annoying customers. Improperly managing the flow of data can put customers at very real risk of exposure to malicious cyber actors. While utilities must make sure “the good people have access to the data that they need,” they must also make sure that information is “closely held” to protect against security lapses.

“When our folks start to look at … how you would target an entity, the first thing they do is a sweep of open source intelligence, which basically means … everything you can find on websites, from press releases … and elsewhere, where people are bragging about what they bought, how they deployed it, who they partnered with, and other details that maybe each on their own aren’t tremendously helpful, but pieced together can form a picture that can help the adversary,” Bochman said.

Following up on Bochman’s cybersecurity remarks, Trevor Rudolph, vice president for global digital policy and regulation governance at Schneider Electric, emphasized that grid operators and regulators cannot rely on their customers to manage their own cyber risk exposure to the extent that utilities can. Not only do most customers lack the expertise to know when their information is at risk, but also the sheer volume of cyber incidents coming to light may cause a kind of “attack fatigue” that leaves individuals feeling helpless to stop the next incursion.

“My perspective is that the government has a role from a regulatory standpoint … to improve security protections across the board, because I don’t believe that the market can … answer the problem alone,” Rudolph said. “When you have a state of the world where everyone just kind of assumes they’re going to be the next victim, that’s actually quite dangerous, because you fall into a state of complacency. That can put you in an even worse position.”