Nor-Cal Controls, like many industry leaders, recognizes that the conversation around “AI”, most prominently generative AI such as Large Language Models (LLMs), image/video diffusion algorithms, and robust audio synthesis, has been consistently prominent for years. For the power generation industry, and in renewables especially, the adoption of generative AI has more than doubled in the last year alone. For professionals working to integrate and optimize wind, solar, and battery storage projects, these tools have become increasingly common. One study of power generation and transmission companies estimated that 32% of traditional power professionals were using generative AI in their work, while another found nearly 75% of renewable-sector professionals were doing the same.
AI tools offer incredible potential for increasing efficiency. Many people now routinely use these tools to help write emails, documents, and, when combined with other tools like Grammarly, to actively proofread work. While some of us may find that AI-generated text lacks a specific organizational “voice,” the ability of these tools to summarize dozens of forums and tutorials when finding a starting point for obscure and poorly documented processes has proven invaluable in accelerating development.
This wide adoption demonstrates that AI is a vital tool for boosting efficiency when done right. The key phrase, however, is when done right. When misused, abused, or even when used correctly but without awareness, AI tools can pose a significant risk to data security and tribal knowledge.
“When people use AI to augment their thinking, they grow more capable and efficient. But when they outsource their thinking altogether, they forget how to think at all.”
In this post, with specific regard to the power controls industry and the sensitive information involved in deploying renewable energy assets, the focus will be on AI’s effects on data security. We will examine some of the risks of generative AI and writing-aid tools in the office and outline safe practices to ensure the highest level of security standards.
Using AI in a Safe, Smart Way
The critical question for professionals in the power sector becomes: “What can be done to get the maximum use out of AI while protecting the company and our customers?”
It is important to note that the following studies and information are intended to provide basic insight into the security risks of AI, while offering solutions that allow continued use without compromising integrity and security.
For the following examples, commonly used AI-powered services will be referenced: LLMs (such as ChatGPT, Gemini, or Grok) and Word Aid Services (such as Grammarly, Writer, or WordTune). These best practices can, however, apply to any AI service, such as Microsoft’s Copilot.
The Data AI Collects
Applications like Grammarly, Writer, ProWritingAid, and WordTune are popular, AI-powered writing-assistance tools. Grammarly, for example, has been around for years, predating the modern LLM “boom.” Initially, these tools used basic filters and databases to analyze work. While data transfer was a concern, LLM training and the re-use of customer data were not.
However, these services now heavily rely on AI tools for analyzing data as well as LLMs to help generate suggestions and context-aware fixes as users write. (Note: For simplicity, these tools will be referred to as “Grammarly” moving forward.)
Grammarly is often used when writing emails, documents, and as a browser extension for entries into browser-based ERPs, CRMs, and similar systems. It analyzes email and document data for desktop applications and records keystrokes in browser-based applications.
As an AI-powered tool, Grammarly is not hosted on a local network. Instead, all the email data, document text, recorded keystrokes, and personalized user data are packaged and sent to the service’s AWS (Amazon Web Services) servers. The data is stored, analyzed, and then sent back to the user’s machine for visual feedback.
This means that every email containing a legal contract, network information, or other sensitive proprietary data that isn’t sent with a specialized secure tool (like the tools Nor-Cal uses, such as LetsEncrypt or SendSafely) is being tokenized and sent to a server somewhere in the world. Furthermore, this data is not simply processed and deleted. In Grammarly’s terms of service, users grant permission to “store, reproduce, use, publish, and publicly display…modify, and create derivative works of… your User Content.” They also mention its use for “Operating, providing, improving, troubleshooting, and debugging our products (for example, your acceptance or rejection of suggestions may help train our suggestion engine).”
In layman’s terms, any data sent to Grammarly—including emails, documents, or keystrokes—is not just stored, but can be used for “derivative works,” published, and utilized to further train their LLM. While it is stated that attempts are made to omit sensitive information like passwords and credit card data, the filter is not foolproof and may not flag legal contracts, purchase orders, OPC paths critical to controls, or network maps essential for the power industry.
Security Concerns: Breaches and Contamination
Online services like Grammarly and ChatGPT are typically very secure, with data exclusively transferred between the user and their servers. However, this does not eliminate the chance of a breach. For example, in 2020, the widely used IT/security management company SolarWinds was hacked, leading to significant data leaks from over 18 thousand customers, including private organizations and government entities.
While the data collected from emails and keystrokes may be different than a comprehensive IT management hack, the sentiment remains: the more third parties entrusted with data, the higher the chance of a data leak. This risk was highlighted in 2018 when a significant vulnerability in Grammarly was found that could expose user account data, allowing unauthorized access to user documents. Though the breach was mitigated, it emphasizes the need for users to be aware of the potential risks when using any third-party tool for sensitive information.
What makes AI tools, specifically LLMs, particularly concerning is data contamination.
Data contamination occurs when an LLM is trained on user-specific data, and that proprietary information is then inadvertently regurgitated in another user’s session. Most corporate-owned deep LLMs are designed to prevent this, and typically, what is entered into a chat is only stored in “chat form.” However, if the AI organization chooses to use the chats when training their models, that data becomes a “permanent” part of the LLM, like an unchangeable memory (Cornell:1).
This is especially prevalent with uncommon and unique text in a process called “bleeding.” In the energy industry, where extensive, uncommon terminology and unique technical specifications are used, the potential for data contamination is higher than average.
Almost all AI tools train on user data by default. ChatGPT, for example, automatically ‘opts-in’ free and plan users, so any data sent over the chat can be used to train their model. A simple way to prevent data contamination and “bleeding” is to ‘opt out’ of training (in ChatGPT, this is done in Settings -> Data Controls -> ‘Improve the Model for Everyone’, and toggling ‘off’).
The concern is less that data is stored as tangible documents on a server. Instead, the concern is that the data becomes part of the “black box” that is an AI’s “brain.” While understanding of AI function is deeper now, the actual “memories” and “thoughts” of AI are effectively unreadable and can only be changed via more training. This means that “deleting” trained data is not possible in the traditional sense; once a model is trained with data, that data will likely be a part of it forever.
Currently, there is no historical precedent to compare against, but research papers show that the possibility of data contamination is very real. Because of this, companies must proactively protect their assets, employees, and customers by employing safe AI practices.
Tips for Safe AI Practices
The following suggestions are applicable for personal use of AI agents as well as in the office or on the jobsite. Applying these steps will make data significantly more secure compared to using AI without awareness.
Tip #1: Don’t Intentionally Send Sensitive Information to AI Services.
This may seem obvious, but a combination of ignorance and apathy often causes this simple rule to be ignored. According to one report, “almost 50% of employees are using generative AI tools in the workplace and 77% of those users are pasting internal data into them” (Cyera:1). This indicates that this is not as common-sense as one might assume.
Tip #2: Define a Company-Wide Policy and Maintain Well-Informed Employees
Nor-Cal and our other industry leaders find that awareness is a major step in ensuring safe practices. Informing employees where AI is being used, how to use it, and what not to send to AI can decrease the number of users passing data from 77% to 0%. At Nor-Cal, maintaining well-informed and security-conscious employees upholds the promise of reliability and integrity.
Providing a concrete set of guidelines regarding AI use gives employees a “playbook” of allowed practices, empowering them to use AI effectively with a clear set of allowed and disallowed use cases. Furthermore, providing a clear, judgment-free pipeline for employees to use when unsure about specific cases gives those employees the tools they need to safely integrate new collaborative ideas.
Tip #3: Learn How to ‘Control’ What Data is Seen
Tools like Grammarly are very client-friendly and customizable. For example, a user can disable Grammarly for a period. Enterprise users can also use “confidential mode” to apply labels to certain applications and domains (such as an ERP endpoint) for Grammarly to ignore.
When writing a contractual document, putting together a network diagram for a solar site, or entering data into an ERP, users can choose to disable most AI tools to prevent data from being analyzed or transported. Furthermore, many of these applications allow users to delete data from their endpoint. While this does not prevent already-ingested data contamination, it can prevent further training or “transformation” of the data associated with the account.
Note that tools like ChatGPT still retain data even if it is deleted, with a 30-day retention policy. If legal exceptions apply or if it is marked for use in training, it can persist past those 30 days. Finally, if the data is already incorporated into the model via training, it can never be fully removed.
By controlling what data can be ingested and pruning data that has already been saved, users can proactively ensure that a breach of that data cannot happen to the company, because there is no data left to breach.
Tip #4: Think Before You Paste—Better Yet, Avoid Pasting at All!
Before asking an AI for help or looking up an error message, users should double-check the data about to be pasted. This applies to general searches but is especially critical given the volume and type of data sent to an AI chat.
Consider an XML file with sensitive data points (e.g., “MyData1” through “MyData40”) that needs to be formatted into a CSV. If the data values themselves are not sensitive, a user could easily do a “replace all” and change the tag names to something like “ObfuscatedDataName” before asking an AI for formatting help. If the data is sensitive, the user could ask ChatGPT to help write a genericized formula or PowerShell script to translate the data, which could then be used for a similar function indefinitely on a local machine, never sending any data outside the secure network.
This example shows that the same result (XML to CSV conversion) can be achieved without exposing data, or even data patterns, to any third party. Taking this proactive “should I paste this” approach ensures that data is always kept internal, secure, and reliable.
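The sanitize-then-convert-locally approach from Tip #4, as an added PowerShell example (not from the original post and not Nor-Cal's own tooling). It goes one step beyond the tag-name replacement described above by also replacing the values, so only the file's structure is shared; the function names, the `<Points>` sample, and the `VALUE` placeholder are assumptions made for illustration.

```powershell
# Added example. The sample XML is constructed; names and values are invented.
$sampleXml = @'
<Points>
  <Point><MyData1>INV-01</MyData1><MyData2>10.20.1.5</MyData2></Point>
  <Point><MyData1>INV-02</MyData1><MyData2>10.20.1.6</MyData2></Point>
</Points>
'@

function ConvertTo-ObfuscatedXml {
    # Builds a structure-only copy for use in a prompt: element names become
    # ObfuscatedDataName<N>, leaf text becomes VALUE, and attributes, comments
    # and mixed text are dropped. The returned NameMap is for local use only.
    param([Parameter(Mandatory)][string]$XmlText)
    $source = [xml]$XmlText
    $target = New-Object System.Xml.XmlDocument
    $map = [ordered]@{}
    function Copy-Obfuscated([System.Xml.XmlElement]$From, [System.Xml.XmlNode]$Into) {
        if (-not $map.Contains($From.LocalName)) {
            $map[$From.LocalName] = 'ObfuscatedDataName{0}' -f ($map.Count + 1)
        }
        $copy = $target.CreateElement($map[$From.LocalName])
        [void]$Into.AppendChild($copy)
        $children = @($From.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })
        if ($children.Count -gt 0) {
            foreach ($child in $children) { Copy-Obfuscated $child $copy }
        } elseif ($From.InnerText.Trim()) {
            $copy.InnerText = 'VALUE'
        }
    }
    Copy-Obfuscated $source.DocumentElement $target
    [pscustomobject]@{ Xml = $target.OuterXml; NameMap = $map }
}

function ConvertFrom-RecordXml {
    # Local XML-to-CSV conversion of the real data: each child of the root is a
    # row, each of its child elements a column (columns come from the first row).
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText
    $rows = foreach ($record in $doc.DocumentElement.SelectNodes('*')) {
        $row = [ordered]@{}
        foreach ($field in $record.SelectNodes('*')) { $row[$field.LocalName] = $field.InnerText }
        [pscustomobject]$row
    }
    $rows | ConvertTo-Csv -NoTypeInformation
}

$safe = ConvertTo-ObfuscatedXml -XmlText $sampleXml
$safe.Xml                                   # structure only: the part that may go in a prompt
ConvertFrom-RecordXml -XmlText $sampleXml   # real values, converted on this machine
```

The structure-only output still reveals how many records and fields the file has, so review it before sharing.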
Just like in Tip #2, employing a company-wide policy with examples of how to ‘sanitize’ data, prompt examples that can aid in avoiding data-pasting, and examples of “do-nots” can all contribute to maximizing the security and integrity of the workplace.
Tip #5: Use Common Sense!
The most important tip is simply to be skeptical about AI and AI-powered tools. This does not mean villainizing or being afraid of these tools—quite the contrary. Instead, when using an AI tool, users should think about the project goal, what data should remain confidential, and then make a game plan accordingly. If 90% of an email can be written with Grammarly, and then the tool is turned off for 10 minutes while “more sensitive” information is provided, productivity is maximized while risk is minimized.
The previous tips all feed into this: use the tools available. If a document or email has sensitive information, disable the Writing Assist until done. If the data to be formatted is private, do not paste it. If a user is unsure but thinks AI could help, they should refer to the AI policy. If still unsure, they should seek clarification from a supervisor or HR.
Finally, a good rule of thumb is simply to assume ALL data is sensitive. By consistently obfuscating, never pasting, and being conservative with AI use in writing aid, any employee can be a key asset in protecting their own, their company’s, and their customers’ data.
Introducing Nor-Cal’s Sage of SCADA
While the industry navigates the risks of external AI tools, Nor-Cal is demonstrating how to deploy internal, secure AI to maximize efficiency. Nor-Cal introduces the Sage of SCADA, a powerful, specialized AI Knowledge Partner designed to support our customers and partners.
The Sage of SCADA, which lives on our website’s Knowledge Base page, embodies the safe AI principles discussed:
- Customized and Focused Knowledge: The Sage is a specialized, knowledge-based chatbot trained exclusively on our public-facing, approved documentation (blog posts, white papers, case studies, etc.). This eliminates the risk of data contamination from external or sensitive sources.
- Data Privacy Built-In: In line with Tip #3 and the goal of controlling data, the Sage of SCADA does not collect or store any personal data. Conversations are anonymous and used only to improve the chatbot and our documentation, ensuring customer data remains secure.
- Maximized Efficiency, Minimized Risk: Instead of sifting through dozens of documents, users can ask the Sage questions in natural language and get concise, accurate, relevant summaries of information in seconds. This allows for a more efficient way to access knowledge without employees resorting to less secure, general-purpose LLMs for company information.
Using AI in a responsible and targeted way that protects user privacy and content integrity, Nor-Cal is actively paving a path for safe AI adoption in the power controls sector.
Data is at the core of the power generation industry. Engineering, Procurement, and Construction (EPC) firms, Asset owners, O&Ms, third-party contractors, and Controls Providers all share the burden of ensuring that data—from project schedules to renewable energy asset performance data—is protected at each point.
Additionally, AI is here, and it is likely here to stay in some form. Unless there are means to block all AI tools perpetually, employees in the power sector will be using AI (and the majority are already using it, according to the previous studies). With this in mind, we at Nor-Cal are taking action by providing employees with the resources they need to succeed, ensuring those who handle data are well-informed and responsible, and maintaining the highest company-wide integrity with emphasis on quality and comprehensive results.
The industry is navigating these new AI waters together, learning the limits, risks, and rewards of these tools. Working together to blaze a new trail in the smartest way possible, protecting everyone in the power industry as we forge ahead into the Artificially Intelligent future, is the collective goal. Ready to find reliable SCADA answers without compromising security? Reach out to discuss your upcoming project.


