Encryption and NV SB 227

Nevada’s Senate Bill 227 came into effect January 1, 2010. It sets a new pace for state regulation by defining encryption as the “protection of data in electronic or optical form, in storage or in transit,” with two concrete requirements attached:

(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.

Strange that they leave open-ended what counts as an “established standards setting body.” They will leave it to lawyers to decide, I suppose.

Also strange is that this is far more specific than the Nevada breach notification law, SB 347, which requires only that data be made unintelligible (based on the definition in NRS 205.4742).

The law forbids the transfer of personal information, or of a data storage device containing personal information, without encryption that meets the definition above. Devices that must use encryption include cell phones, computers, computer drives and magnetic tape. Compliance with other standards such as PCI DSS, HIPAA, GLBA or FISMA will not be considered sufficient for SB 227.

Step in the right direction? Yes. Perfect? No.

Silent Patches

I wrote about undisclosed or silent patches earlier, with regard to Microsoft and Google.

Another consulting firm has now made a public statement on the same issue.

Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said today.

Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking.

I still give Microsoft credit for improving its practices significantly over the years. This is only a slight twist on the same issue. What the consulting firm is complaining about is the risk determination, rather than a patch issued with no notice or evidence at all, as in Google’s case. The firm contends that Microsoft “misrepresented” and “underestimated” the criticality of a patch. Microsoft has countered that the fixes were documented and would have been installed anyway as part of the larger group of released patches.