Security and Privacy in Smart Meters and Smart Grids EECE 512 Konstantin Beznosov
smart meter background what networked embedded systems use state measurement circuits that can record minute- or second-level profiles of energy usage (load profiles) promise: better efficiency & reliability dynamic pricing schemes remote meter reading improved power outage reporting load curtailment in emergencies how: self-monitoring self-diagnosis demand-response communication privacy concerns due to fine-grained energy consumption data monitoring the power consumption of several households to identify temporarily vacant homes and timing burglars' break-ins estimating the number of residents in a household based on the frequency of power switches turned and the number of appliances simultaneously in use monitoring the location of a resident inside the home based on the type of appliances being used tracking eating, sleeping, and to some extent exercise habits by monitoring household appliance usage identifying the TV channel or movies being watched since television power consumption changes with the image being displayed security concerns of integrity & authenticity of the reported data underreporting energy usage or inflating the utility bills of a neighbour!!2
Automatic Meter Reading autonomously collects the consumption and status data from utility meters (e.g., electric, gas, or water meters) and delivers the data to utility providers for billing or analysis purposes AMR Meters metering engine: measures the consumption Encoder-Receiver-Transmitter (ERT): microprocessor & low-power radio transmitter periodically reports information such as meter ID, meter reading, tamper status AMR Readers: handheld devices for field investigation or walk-by meter reading, highly sensitive mobile collectors for drive-by meter reading, a network of permanently installed collectors and repeaters for reporting AMR meter readings in real time from [1] [1] Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu, Rob Miller, and Marco Gruteser. 212. Neighborhood watch: security and privacy analysis of automatic meter reading systems, In Proceedings of the 212 ACM conference on Computer and communications security (CCS 12). ACM, New York, NY, USA, 462-473. DOI=1.1145/2382196.2382246!3
reverse engineering AMR communications reverse engineering requires modest effort an ERT reader and programmable radio costing $1, no encryption bubble- up meters: anyone can eavesdrop on the real time consumption of customers with meters. wake-up meters: consumption data can be eavesdropped on at arbitrary rates using activation signals battery drain attacks: After receiving an activation signal, wake-up meters will immediately transmit a packet no authentication the ERT reader accepts any AMR transmission with a proper packet format no input validation When receiving multiple packets with the same meter ID but conflicting meter readings, the ERT reader will accept the packet with the strongest signal without reporting any warning.!4
decoding with and without low noise amplifier Meters decoded using LNA only. M Meters decoded without using LNA. Location of the RF sniffer and omni-directional antenna. 2 m Figure 6: An aerial view of the neighborhood where we performed our eavesdropping experiments. Each blue triangle or red star represents a group of four or five meters mounted in a cluster on an exterior wall. Using an LNA and a 5 dbi omnidirectional antenna, we were able to monitor all meters in the neighborhood. Some sniffed meters may be out of the scope of this view. area with sparse two-story independent houses and an urban area with several connected three-story apartment buildings plifies the received signal strength (RSS) of each packet and thus increases the likelihood of successful decoding. To il-!5
Nu (c) 12.5 MHz pph per meter what can (d) 12.5 one MHz learn from stats? gure 8: Histogram of received packets per hour ph) from each meter using a narrowband sniffer MHz) or a wideband sniffer (12.5 MHz). 3 from [1] no. of meter 2 1.5 1. 1.5 2. 2.5 3. kw gure 9: 27 The meters distribution exhibited of less electricity than 16Wh consumpn for meters hourly in the power author s consumption neighborhood. 27 eters exhibited less than 16Wh hourly power conmption, indicating 27 apartments unoccupied. onding apartment units were likely to be unoccupied at e time of our experiments. This is an example of potenlly sensitive information that can easily be obtained on is neighborhood scale. In this experiment, we were only le to receive a few packets per hour (pph) for a large porn of meters. Methods to increase received packet rates are ailable and therefore finer granularity data and additional sitive information from the neighborhood could likely be tained. We will examine this next. INFERRING HOUSEHOLD EVENTS We now study to what extent it is possible to infer detailed usehold activities and events from the obtained data are e risks similar to those of smart meters? The lower update daily routine from [1] Figure 12: An RF sniffer can collect data that suffice to infer daily routines, which could be misused by thieves. [Top to bottom] The electricity consumption over a 24-hour period that are collected using (1) a camera or an IR photodiode circuitry; (2) an ideal RF sniffer receiving all packets; (3) a real meter being studied; (4) a narrowband RF sniffer that eavesdrops on one channel only. kw kw kw 4 3 2 1 T 8 6 4 2 3am 6a 8 6 4 2 3am 6a Figure 13: The da sumption of a hous patterns.!6
redesign the protocol against spoofing radio fingerprinting anomaly detection AMR security manual checking to detect spoofing use wake-up mode rather than bubble-up privacy preserving jamming!7
Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu, Rob Miller, and Marco Gruteser. 212. Neighborhood watch: security and privacy analysis of automatic meter reading systems, In Proceedings of the 212 ACM conference on Computer and communications security (CCS 12). ACM, New York, NY, USA, 462-473. DOI=1.1145/2382196.2382246!8
smart meters [2] Weining Yang, Ninghui Li, Yuan Qi, Wahbeh Qardaji, Stephen McLaughlin, and Patrick McDaniel. Minimizing private data disclosures in the smart grid. In Proceedings of the 212 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 415-427. DOI=1.1145/2382196.2382242
!1 risks risks & countermeasures with Non-Intrusive Load Monitoring (NILM), load profiles can be analyzed to reveal individual appliance usage sleep patterns number of occupants times of vacancy leakage to both utility companies and third parties countermeasures Battery-based Load Hiding (BLH) battery partially supplies the net demand load from the house to alter the external load strategy: flatten the load profile to a constant value as often as possible
!11 18 16 14 12 Power (kw) Power (kw) (volts) 1 8 6 4 2 9/16 : 9/16 12: 9/17 : 9/17 12: 9/18 : 9/18 12: 9/19 : 9/19 12: time (seconds) from [2]
!12 25 2 25 2 power(w) 15 1 power(w) 15 1 5 5 3 31 32 33 34 35 3 31 32 33 34 35 (a) Original demand load (b) External load by BE 25 25 2 2 power(w) 15 1 power(w) 15 1 5 5 3 31 32 33 34 35 3 31 32 33 34 35 (c) External load by NILL (d) External load by LS2