By Gary Michor and Dick Brooks
In today’s digital age, finding energy data is like searching for a needle in a haystack. Utilities seem to think that energy users can’t do anything with it, yet our society thrives on social interactions through the internet, where data is the new gold. The reality is that almost everyone willingly hands over certain components of their personal data in order to use apps and innovative solutions, fueling a multi-billion-dollar industry.
Compared to other industries, the energy sector is a laggard. Since the 1990s, banking and telecommunications have seamlessly integrated digital communications, making our lives more convenient and connected. Innovation continues to evolve, making it possible to withdraw $20 with a simple tap anywhere in the world or to install virtual eSIMs on our phones, allowing us to use internet data globally at a fraction of the cost from just a year ago. These advancements have become so ingrained in our daily lives that we no longer see them as groundbreaking. But what about the energy industry? Are we still stuck in the 1980s? If so, why have we allowed this to happen? What can we do to help the energy industry reap the benefit of becoming a digital utility?
The transition to becoming a “Digital Utility” requires diligent thinking about how to safely apply digital solutions that will benefit the consumer, utility, its shareholders and regulators. This will require a “balancing act” that will keep the bad guys from using the “digital ecosystem” to cause harm. Cyber Risk Management policies and practices are vitally important to the success of a Digital Utility.
Still today, our industry is missing the point. We need to focus both on attacks on the grid by foreign threats and on protecting our PII (Personally Identifiable Information) data from criminal organizations looking for financial gain. Some of us may think the risk of PII data creating financial reward is low. Yet energy utilities have focused on our PII data for their own self-interest. There are over 100 million smart meters in North America alone. Is this a risk? Yes, but it is manageable with modern technology. Initiatives to share data from these meters have been ongoing since the early 2000s, when the first smart meters were installed. They were paid for by the ratepayer with promises of reducing our costs, but the truth is that utilities wanted to install them to reduce their own costs of manual reading. The only real value seen in most places is that utilities were able to reduce their operating costs and replace them with capital costs on which they can get a return on investment. Talk about a smart move!
The issue is that the overall infrastructure within the utility sector is aging, and these interactions and the vendors that operate these systems lock in this data for their own financial gain. In fact, many utilities have teamed up with or created affiliated businesses to make money off the data, and these business associations themselves are the largest risk due to their internal interactions with mission-critical systems. It’s like letting the fox guard the henhouse!
Today’s Cyber Risk Management practices are not your father’s “cybersecurity thinking”. Cyber Risk Management goes well beyond cybersecurity and defense against hacker threats to include a more holistic approach that considers what must be done to ensure that the cyber ecosystem is resilient and does not represent a “weak link” that can impact the reliability and resilience of our critical infrastructure and business operations. One important distinction is the need to secure the software supply chain that system operators and Utilities need to run their grids and their businesses. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) provides valuable services, for free, and practical guidance to help critical infrastructure operators identify risk and determine the trustworthiness of their digital ecosystem. CISA’s Secure by Design principles and CISA’s Secure Software Acquisition Guide provide effective guidance that Utilities should use to prevent harmful software from being installed and exploited to cause harm. Utilities can use CISA’s Software Acquisition Guide spreadsheet to determine which vendors are following Secure by Design principles and practices.
On the other hand, strong solutions that use today’s technology, like OAuth2, to authorize, authenticate, and communicate the sharing of data have started to trickle into the energy industry. According to Michael Murray, co-founder and president of Mission:data Coalition, a non-profit advocate for energy data portability, about 36 million electric meters in the U.S. are subject to a mandate for data-sharing. “There has been a lot of progress over the past five years or so, but we still see a lot of utilities using ancient or non-standard authorization approaches,” said Murray. His website, the Green Button Explorer (explorer.missiondata.io), tracks permission-based data portability across North America on an interactive map and grades the utilities on how well their systems operate. It’s too bad that, for most utility ratepayers, electronically sharing their utility meter and sometimes billing data to innovators is clumsy and unstandardized. New technology and standards are not being used to improve the interaction that exists between the siloed systems within the utility. It’s like having a shiny new car but only using it to drive to the mailbox!
The Australian government has produced a useful guide for Officers and Board of Director (BoD) members to implement Cyber Risk Management policies and practices, which you can find here. This guide provides insights as to how cybersecurity relates to, and is part of, holistic Cyber Risk Management.
A great example of what can be an enormous opportunity for innovation, energy cost reduction, and sustainability is in Ontario, where 50+ electric and natural gas utilities have rolled out an infrastructure to share bill and meter data with third parties, with the utility account holder’s permission, through an OAuth2 standard built for energy data. Screaming Power has built a modern toolset and service (EZGB) that acts like a hub for public, private, and not-for-profit organizations, as well as universities. Clients include consultants, advisors, energy retailers, system integrators, sustainability companies (e.g., GHG KPI management firms), large multi-site organizations, green generation firms, researchers, and the utilities themselves, so everyone can work together. Out of the box, EZGB provides a solution that retrieves and monitors the collection of meter and bill information from utilities. EZGB also has the capability to troubleshoot data issues with Ontario’s electric and natural gas utilities in the quickest way possible. EZGB removes the burden for our customers of managing each utility system separately. It’s like having a personal assistant for your energy data!
There is a risk for any company that interacts with PII data, yet many of these new innovators have built software with modern technology and processes that can adapt to the changing landscape of risk. Utilities look at this new data-sharing opportunity as a threat from the known external parties that are officially onboarded with them and interact on their turf. It’s like inviting someone to your party and then getting nervous when they actually show up!
Facts are facts, and not understanding the new environment in which Utilities are being forced to work is causing potential disaster. To this day, utilities still live in a culture of outdated times where the internet lived side by side with the fax machine. Many utilities and policy makers unknowingly protect legacy vendors they have golfed with for 20+ years and have legacy agreements that restrict data access even to the utilities themselves. It’s like they’re stuck in a time warp!
Let’s be clear, the real truth is that it’s not the utilities’ fault. It’s the tactics of others who use conferences and junkets to entice the utilities’ own subject matter experts, convincing them that change will cause lost opportunity or affect their own jobs. They allow the utilities and policy makers to sit on standards groups that pay them to work for years on changes that, by the time they are done, are no longer relevant, because the markets around them change standards and innovate to keep up with the bad guys. This means you need to be agile and change your strategy and technology at least every few months. It’s like trying to keep up with the latest dance craze—by the time you learn it, there’s a new one! Our industry is just not equipped to dance because it is still relying on outdated practices and what it is comfortable with.
This issue of sitting on your hands so you don’t cause a distraction no longer works in the new Internet of Things. It causes the legal departments to misunderstand where the true risk lies, and the cybersecurity departments or advisors, who are those same legacy vendors, believe that the risk is with the friendly parties that want to use the data for good. The fact is, why would you change something that works when it will create more work for you? It’s like trying to convince someone to switch from a comfy old couch to a new one—they’re just not having it!
It’s clear that our industry needs work, and we need to look at the great things that are happening around us. You only need to look as far as your smartphone to see what “smart” is becoming. When we see that utilities have trouble testing their own systems and data, it’s pretty bad. But when we see that the interactions we as third parties need to have with them are blessed with some utilities not being able to provide standard interfaces that are mobile-enabled, or requiring the new third parties themselves to test the utilities’ in-production environments and demonstrate utility-related bugs or communication issues through third-party logs because the utility has none available, it’s like… where the heck did basic software practices go? Where are the policymakers and regulators, and are they actually equipped to manage and oversee this evolution in interoperability? Where is the money being spent within the utilities, and why are some of the utilities themselves making money off the chaos? It boggles the brain that there is no vision for the future in the energy industry when all of us use social media, pay bills, and travel with our phones to connect to other businesses. You have to wonder if innovation has a space in our energy world.
Clearly, we are all learning to adjust to this new paradigm marked by digitalization across many functions that accompany the energy transition, but we are decades behind everyone else. There is no silver bullet or big bang solution that can turn a utility into a Digital Utility overnight. But that comfy couch we have settled into is no longer quite so comfortable, because change is rapidly encroaching on our comfort zone and we are facing the need to change due to regulatory needs and the risks that come with traveling on the Information Super Highway, which is the domain of hackers and bad actors looking to take advantage of the trusting nature of our local town utility companies.
Keep in mind: risk always exists, but trust must be earned and awarded.
Be safe out there,
Gary Michor and Dick Brooks