Wanted: Federal Legislation To Access Electricity Data & Protect Grid From Cyber Threats
There are many state rules and regulations governing electricity usage data access and cybersecurity for the electric grid. Congress should play a more proactive role on these issues by passing legislation that allows for some uniformity across the nation to increase options for customers, enable businesses to operate efficiently, and protect the electric grid from cyber threats.
Electricity ratepayers want to be more engaged when it comes to managing electricity usage and costs. Electricity data allow consumers to manage their usage better and keep costs within their budget. Phone applications or home energy management systems inform consumers of how and when they use electricity so that customers can easily understand what to do to better manage usage and decrease costs.
For instance, smart meters provide customers with information through in-home displays and other devices that encourages consumers to use less electricity. When electricity is in high demand during peak times today, costs increase because expensive electricity generation methods must be placed online quickly and blackouts or brownouts may occur. Smart meters permit utilities to offer dynamic pricing models to incentivize off-peak electricity use, an important strategy to support grid resilience by shifting demand, especially in urban areas and during the hottest days of summer.
This information also provides third parties with what they need to produce innovative energy products and services. Two examples of companies that need electricity data for energy solutions are Opower, which provides software services for consumers to reduce electricity consumption, and First Fuel, which offers energy analytics to reduce service costs. Companies like these are dependent on electricity data to run algorithms that evaluate energy use, creating high-quality jobs and promoting economic growth by stimulating innovation and technological leadership.
Currently, utilities collect and store energy consumption data to bill customers for electricity use. The amount of usage data will increase as states such as California adopt more distributed resources, such as electricity storage and electric vehicles, to enhance grid resiliency and reliability. Such data is valuable when integrating diverse technologies into the grid.
The distribution system is where electricity is carried from the transmission networks to individual consumers, and is operated by utilities. State utility commissions regulate the retail side of electricity, which includes distribution and sales. As a result, states have different laws and rules regarding consumer and third party access to electricity data.
For instance, customers in Texas can access their energy usage data on the Smart Meter Texas portal or grant a third party access to analyze data. In California, investor-owned utilities are required to provide third parties access, upon the customer’s consent.
Even though the Obama Administration created the Green Button initiative to provide electricity customers access to their energy usage, more than half of U.S. states have no legislation or rules in place that require utilities to release electricity usage data to customers or third parties. Since so many states lack policies for customers to access and share their data with third parties, federal legislation may give them the nudge they need to provide customers with access to their data and reap the benefits. This would also permit utilities and businesses to operate more efficiently since some standards would exist among states.
Federal legislation should include flexible options to allow consumers to choose whether to share their usage information with other parties. If utilities were to organize electricity usage data in a standardized, machine-readable format and store it on the cloud, perhaps that would make it easier to share information and keep costs low.
When a utility transfers customer data to a third party, legal responsibility should be handed over to that third party. Utilities should no longer be liable since the information is out of their control. There also should be some discussion as to whether and when authorized third parties would be certified to handle customer data.
Some attention must be given to when third-party providers should be required to obtain consent before sharing customer energy usage data with parties interested in it for other reasons. For instance, landlords could use the information to support claims that a tenant is in violation of a lease, and appliance and car manufacturers can use the data to determine the validity of warranties. Health insurance companies could also use such data to determine if an insured person has an unhealthy lifestyle, and divorce attorneys could use it as evidence to discredit the opposing party.
Another issue that varies among states is protection of the electrical distribution system from cyber threats. For instance, New Jersey asks utilities to take an active role in protecting the grid against cyber threats. In Pennsylvania, utilities are required to maintain physical security, cybersecurity, emergency response, and business continuity plans, and report cyber and physical attacks that cause more than $50,000 in damage or interrupt service. In Texas, an independent meter data-management organization specifies cybersecurity standards and the public utilities commission conducts annual security audits.
GridEx III, a mock cyberattack exercise in November 2015 hosted by the North American Electric Reliability Corporation, found improvements need to be made to distribution-system cybersecurity including better communication and information sharing within agencies and clear priorities for reestablishing power after a major outage. The exercise included more than 4,400 individuals from 364 North American utilities, law enforcement and government agencies.
Currently, federal legislation exists for cybersecurity standards of the bulk power system, but is lacking for the distribution system. The Energy Policy Act of 2005 put the Federal Energy Regulatory Commission (FERC) in charge of developing reliability and cybersecurity standards for the bulk power system. The bulk power system includes facilities and control systems necessary for operating an interconnected grid and electric energy from generation facilities needed to maintain transmission system reliability. The distribution system is outside of FERC jurisdiction because investor-owned utilities are typically operated under the jurisdiction of the state public utility commissions.
Federal legislation is needed because cybersecurity threats and attacks on the distribution system could have implications for the bulk power system and for broader national security and economic interests. Because distribution systems deliver electricity to pipelines, water systems, telecommunications and other critical infrastructure, including critical government and military facilities, cyber attacks could disrupt electricity service to such facilities resulting in devastating economic and security consequences.
Lawmakers should require standard performance criteria to ensure utilities are protected from cyber threats. However, stakeholders must be aware that creating standards may take a while and may not be able to keep up with the latest cyber threats. Detailed cybersecurity evaluations of individual facilities should be conducted to identify strengths and weaknesses, and distribution employees ought to be trained and accredited to enhance cybersecurity of the system. Since distribution cyber attacks could affect the bulk power system, it may be best to eliminate the jurisdictional divide and expand FERC’s role. An agreement must also be reached as to which party or parties will be responsible for paying for these activities.
Provisions should continue to be developed to encourage information sharing among federal agencies and industry. A repository that stores cyber threat information, such as malicious IP addresses, on the electric grid could help protect the electrical infrastructure. This could allow cyber threat information to be shared anonymously by the federal government, industry and utilities, and the data would also be stored, aggregated, and analyzed to increase shared awareness about current and historical cyber risk conditions. The Department of Homeland Security is currently conducting a pilot that is exploring the utilization of a repository that stores voluntary information to identify cyber risks.
Congress is able to play a more proactive role in modernizing the electric sector by passing legislation to create some general standards for electricity data access and cybersecurity of the grid. At this time, states either have divergent policies on these issues or have no policies at all. Some uniformity across states may help customers access their electricity usage data and allow businesses and operators that do business in multiple states to more easily abide by data access and cybersecurity requirements.