As utility companies across the state roll out new Internet-connected electrical meters, Smithfield Township supervisors are calling on Met-Ed to show how they’re protecting customers’ information. The Board of Supervisors penned a letter this week to FirstEnergy Corp., Met-Ed’s parent company, and state regulatory officials asking what protections are in place to keep private consumer data from unwanted eyes.
“What limits have been placed on data collection and permissions for data collection beyond monthly billing cycle totals?” it says in the letter, dated Nov. 14, to FirstEnergy’s president, regional president, state president, the state Office of Consumer Advocates and the Pennsylvania Public Utility Commission. “The notice sent to our residents makes no mention of this, yet it is of prime concern to us in order to protect and secure data of our residential households.”
“What security is in place, how is it administered, and who monitors its effectiveness in regards to preventing hacking of the system and the possibility of denial of service incidents?” the letter continues. “We strenuously urge that both of these issues be addressed before smart meter technology is allowed to progress.”
Pennsylvania Act 129 of 2008 requires large power companies in the state to install Internet-connected monitoring devices, or smart meters, by 2023 or sooner. The mandate was enacted in an effort to increase efficiency, as the smart devices increase system-wide control and improve data availability for both utility providers and consumers by transmitting energy usage wirelessly.
Installations have begun in some households already. Met-Ed began its rollout for the greater Stroudsburg service area in June, and the company plans to transition its entire Monroe County service area by March of 2019, according to Met-Ed’s most recent deployment schedule.
On Friday, Met-Ed spokesman Aaron Ruegg said the company was making every effort to protect customers’ privacy.
“FirstEnergy places the utmost importance on the security and protection of all aspects of our electric system and associated sub systems,” he said in a Friday afternoon email. “Our communication network is a high security environment that uses multiple layers of protection from unwanted access — including the use of passwords, firewalls, data encryption, continuous monitoring and other security controls.”
The smart meters, which are in many ways similar to their unconnected counterparts, only monitor how much energy is used in total — not how it is used within the household, he also said. Smart meters also do not store or transmit any personally identifiable customer information such as names or addresses.
“We follow the cybersecurity guidelines established by the National Institute of Standards and Technology,” Ruegg said. “FirstEnergy takes the responsibility to protect the privacy and security of our customers very seriously. And, we protect your information in the same way under current privacy protection laws, regardless of meter type.”
The National Institute of Standards and Technology declined to comment on its guidelines for cybersecurity. Experts within NIST could not discuss any related threats without technical knowledge of the utility company’s implementation details, spokesman Chad Boutin said on Friday.