Download pdf - Privacy in Smart Metering Systems - KU Leuven · Smart Metering Market I Global smart meters market is estimated to grow from $11.1 billion in 2014 to$18.2 billionby 2019, at a compound

Privacy in Smart Metering Systems

Deniz Gunduz1 Georgios Kalogridis2 Mustafa A. Mustafa3

1Imperial College London2Toshiba Research Europe (Telecommunicatios Research Lab).

3KU Leuven

IEEE WIFS 2015Rome, 16 Nov 2015

Scope

I What is the problem?I What are the implications of privacy issues in smart meters?I How to measure privacy in smart meter context?I Existing approaches and solutionsI Remaining challenges

Organization

1. Introduction

2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction

3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic

4. Conclusions

Table of Contents

1. Introduction



4. Conclusions

Smart Grid

Smart grid refers to the future energy grid that exploitsinformation technologies

I to increase reliability,I to increase efficiency and reduce carbon footprint,I to incorporate renewable as well as traditional energy sources,I to provide security,I to introduce new services that cannot be foreseen today.

Introduction 5/100

Smart Grid EntitiesBulkGeneration

DistributionLines

Transmission Substation

Consumer

Smart Meter Appliances

In-HomeDisplay

Renewable EnergySource

Electric Vehicle

Electricity flow

Data flow

IndustrialConsumer

Home Consumer

DistributedGeneration

TransmissionLines

Distribution Substation

Final Distribution Substation

TransmissionSystemOperator

DistributionNetworkOperators

Energy Providers(Utilities)

Home Consumer

DistributedGeneration

Introduction 6/100

Smart Meters

Smart meters (SMs) are an essential component of smart grids;they enable many “smart” grid functionalities.

SMs introduce the ability to provide bi-directional communicationbetween consumers and the energy providers/ grid operator and topromote services that facilitate energy efficiency within the home1.

Introduction 7/100

Benefits for the Consumer

I Ability to track their own energy consumption near real time,which leads to better energy usage management,

I More accurate and timely billing services,I Possibility to benefit from demand flexibility and time-of-use

(ToU) pricing,I Possibility to introduce safety solutions of the household and

equipment through better power quality and breakdownmanagement,

I Home appliances failure detection, detection of waste,detection of unexpected activity or inactivity,

I Increase competition among energy providers due to ease ofswitching for customers.

Introduction 8/100

Benefits for the Energy Provider/ Grid Operator

I Reduced cost of meter readings and back office rebillingprocesses,

I Misuse and fraud detection,I Accurate sensing and monitoring capabilities to distribution

network operators (DNOs)I Possibility to introduce demand response management in

order to reduce peak loads,I Renewable integration and microgeneration management.

Introduction 9/100

Advanced Metering Infrastructure (AMI)AMI uses two-way communication to both transmit usageinformation and perform observation and maintenance tasks.

NAN Concentrator

WAN (5G, Fiber,

WiFi)

Concentrator

U4lity

NAN Concentrator

HAN

Appliances Thermostats

Solar panel Electric vehicle Introduction 10/100

AMI in Great Britain

. . .

RES

EVConsumer

EVSE SM Appliances

IHD

HAN

TSO

DNON

EPL

DataCommunications

Company

DNO1

EP1

Region N

. . .

. . .

Region 1

Introduction 11/100

Smart Metering Market

I Global smart meters market is estimated to grow from $11.1billion in 2014 to $18.2 billion by 2019, at a compound annualgrowth rate (CAGR) of 10.2% from 2014 to 2019.

I By 2024, there will be nearly 1.1 billion smart residentialmeters worldwide, with 57% market penetration.

I Directive of the European Parliement in 2009 required 80% ofEU households have a smart meter installed by 2020.

I In UK, installation of 53m smart meters in 30m households by2020 is expected to cost £10.9bn. Government estimatesroll-out of smart meters will deliver £7 billion net benefits toconsumers, energy suppliers and networks over 20 years.

Introduction 12/100

Smart Meter Privacy Concerns

I Netherlands: Senate voted against mandatory roll-out of SMs,found to be against European Convention on human rights

I 9000 consumers polled in 17 countries: 1/3 discouraged fromusing smart meters if it gave utilities greater access to dataabout their personal energy use

Introduction 13/100

Smart Meter Privacy: Technical Angle

Peak = 7.18 kW Mean = 0.49 kW Daily load factor = 0.07 Energy consumpAon = 11.8 kWh

Refrigerator

Toaster

KeFle

Washing Machine

KeFle

Time of day, h

Power, kW

I Non-intrusive load monitoring (NILM) techniques using highfrequency SM data

I Reveals information on user’s energy consumption behaviour:can track appliance usage patterns, home occupancy, even theTV channel user is watching ...Introduction 14/100

Smart Meter Privacy: Social Angle

I Patterns (behaviour profiling)I Watching too much TV?I Another microwave meal?

I Real-time surveillanceI Were you home last night?I Did your friend move in?

I Non-grid use of dataI Advertising and spamI InsuranceI Appliance warranties

I Information leakageI phishing, pharming, fraud

”Guidelines for Smart Grid Cyber Security,” National Institute of Standards and Technology (NIST), Privacyand the Smart Grid, vol. 2, NIST IR 7628 Rev. 1, Sep. 2014.

Introduction 15/100

Potential Risks

Who wants smart meter data? How could the data be used?Utilities To monitor electricity usage and load;

to determine billsAdvisory companies To promote energy conservation and awarenessInsurance companies To determine premiums based on

unusual behaviors that might indicate illnessMarketers To profile customers for targeted advertisementsLaw enforcers To identify suspicious or illegal activityCivil litigators To identify property boundaries

and activities on premisesLandlords To verify lease compliancePrivate investigators To monitor specific eventsThe press To get information about famous peopleCreditors To determine behavior that might indicate

creditworthinessCriminals To identify best times for a burglary, or

valuable appliances to steal

”Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data,” NIST, vol. 2, pp. 30–32.Introduction 16/100

Smart Meter Security

I Security 6= PrivacyI Remote switching off capability of smart meters opens up new

vulnerabilities (Stuxnet type cyber attacks)I Meters can be hacked by consumers or third parties to

reduce/increase energy billI a utility in Puerto Rico lost $400 million in annual revenue after

criminals hacked into smart meters to under-report electricity usage.

I Smart meters are made to last (15-20 years). In many casesencryption mechanims are not adaptive, and cannot last aslong.

I Highly connected AMI allows spread of malwareI Wireless transmission of meter readings is prone to

eavesdropping and data injection attacks

Introduction 17/100

Smart Meter Security Problems

NAN Concentrator

WAN (5G, Fiber,

WiFi)

Concentrator

U4lity

NAN Concentrator

HAN

Appliances Thermostats

Solar panel Electric vehicle

I Many papers have reported serious security risks in the AMIarchitecture

I More recently: flaws in authentication meshanism of OpenSmart Grid Protocol

I K. Kursawe and C. Peters, “Structural Weaknesses in the OpenSmart Grid Protocol”, Cryptology ePrint Archive, Report 2015/088.

I P. Jovanovic and S. Neves, “Dumb Crypto in Smart Grids: PracticalCryptanalysis of the Open Smart Grid Protocol”, Aug. 2015.

Introduction 18/100

Security Measures against Attackers

I Authentication and authorisationI Secure networks and communication linksI Secure data storageI Secure multi-party computingI Encrypted functionsI Trusted platform moduleI Physically unclonable functions

Are these measures sufficient to protect privacy?

Introduction 19/100

Confidentiality and Authorisation vs. Privacy

Confidentialityset of rules that limit access or place restrictions on disclosure ofsome information, e.g., by means of encryption. Confidentialityensures that access to information is restricted to authorizedentities.

Authorisationlimits access to certain entities. Authorization is usually coupledwith authentication.

In smart meters, privacy is not only against third parties/ attackers,but also against the legitimate/ authorised receiver of data.

Introduction 20/100

Paradigm Shift: Privacy Against Energy Providers (EPs)/Grid Operators

I Focus of current SMs is on protection against manipulation bycustomers.

I Grid operators/ EPs can remotely update crucial meterparameters (e.g., cryptographic keys, sampling frequency),install new software, or disconnect energy.

I Measurement data collected and stored in database of theoperator.

I Trust in grid operators: consumers are protected mainly byguidelines, audits, codes of behaviour.

To protect privacy we first need to measure it.

Introduction 21/100

Table of Contents

1. Introduction



4. Conclusions

What is Privacy?Data privacy (OECD Glossary of Statistical Terms)It is the status accorded to data which has been agreed uponbetween the person or organisation furnishing the data and theorganisation receiving it and which describes the degree ofprotection which will be provided.

Personal data (EU Data Protection Directive)Any information relating to an identified or identifiable naturalperson should (among other things) a) “be collected for a specifiedpurposes and not be further processed for other purposes”, and b)“be merely adequate and not excessive for the purposes motivatingits collection”.

I Explains the notion of privacyI Does not specify how privacy protection can be appliedI To protect privacy we first need to measure it

Metrics 23/100

Privacy Measures for Smart Meters

I Privacy evaluation depends on the (data mining) task ofextracting knowledge from the communicated smart meteringdata. We distinguish two main privacy approaches as such:

I Data privacy evaluation – e.g. statistical analysis of aggregatedata.

I Knowledge privacy evaluation – e.g. analysis of inferreddisaggregated data.

Metrics 24/100

Privacy Metrics for Smart MetersI Relative entropy / Mutual information: used for computing

bounds on the achievable level of privacy, independent oftechnologic and computational capabilities of an attacker.

I Cluster classification: input data classified into clusters;known and hidden load cluster comparison may yield apossible privacy gain.

I Regression analysis: known and hidden loads are shifted untilthey align to their point of maximum cross-correlation.

I Residual features: features that appear both in the known andhidden profiles (i.e., an energy transition ).

I Exploratory Data Mining & Interestingness: ensures thatinteresting data mining patterns (e.g. atypical TV or sleeppatterns) remain hidden.

I Differential privacy: ensures that adding a single entry to adatabase (or deleting one from it) does not significantlychange the answer given to some queries.Metrics 25/100

Privacy and UndetectabilityProblem (Undetectability)Suppose G is an inference model that transforms a p(t) smartmetering trace into a hypothetical e′(t) event trace. Suppose thatwe would like to protect a real event trace, e(t). If G offers(purposefully or not) α privacy protection, then how much is α?

I Such a problem may be solved by means of evaluating theperformance of the inference model. E.g. we may calculatethe likelihood an event was occured given a recorded loadsignature.

I A different approach concerns the use of similarity metrics tosimply compare e(t) with e′(t).

I In the case of data perturbation, e(t) would be the p(t), ande′(t) would be the perturbed metering data p′(t).

I An event may be defined as a power edge:e′(t) = dp(t) = p(t)− p(t − 1). We also denote dpA(t) to bethe original (real) trace of power edges dp(t).Metrics 26/100

Similarity metric 1: Relative entropyThe relative entropy or Kullback Leibler distance is a well knowninformation theoretic quantity which can be used to compare twosources of information:

D(P||Q) =∫ xmax

xminfP(x) log fP(x)

fQ(x)dx .

I The bigger the D(P||Q) the better the privacy protection.

G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy for Smart Meters: Towards UndetectableAppliance Load Signatures”, IEEE SmartGridComm’10.

Metrics 27/100

Similarity metric 2: Cluster similarity

We consider a simple method of trace analysis to compute howclose dpA(t) is to dp(t).

1. Find the silhouette optimal n for dpA(t).

2. Classify dpA(t) into set of clusters A = {a1, . . . , an}.

3. Classify dp(t) into set of clusters B = {b1, . . . , bn}.

4. Ignore cluster values corresponding to insignificant powerchanges.

5. Compute the ratio of ‘correct’ classifications in B.

6. The smaller the cluster similarity the better the privacyprotection.


Metrics 28/100

Clustering-based graphical model similarityAn extension of clustering is to build a graphical model. Theoriginal and inferred graphical models may then be compared toevaluate privacy.

2 4 W

22 hrs

1 2 0 W

45 mins

1 4 %

1 4 4 W

8 mins

1 2 %

6 0 W

34 mins

6 4 %

1 9 2 W

22 mins

5 %

1 0 8 0 W

14 mins

0 %

6 9 6 W

9 mins

1 %

1 3 6 8 W

24 mins

0 %

7 %

4 7 %

4 0 %

3 %

0 %

0 %

0 %

0 %

7 5 %

2 %

2 0 %

0 %

0 %

0 %

4 9 %

3 6 %

7 %

3 %

0 %

0 %

0 %

0 %

8 %

6 2 %

7 %

2 %

1 4 %

3 %

1 %

1 %

4 %

1 3 %

3 0 %

4 9 %

3 %

1 %

6 %

4 4 %

1 7 %

2 4 %

3 %

4 %

1 %

1 9 %

4 2 %

2 8 %

Metrics 29/100

Similarity metric 3: Regression analysisWe may analyse the degree to which dp(t) ‘predicts’ dpA(t) byfitting the traces and measuring their ‘distance’ in the time domain.

1. Estimate the error sum of squares SSE =∑

t(dp(t)− dp(t))2

and the regression sum of squares SSR =∑

t(dp(t)− dp).

2. Compute the coefficient of determination:R2 = 1− SSE

SSR +SSE, 0 ≤ R2 ≤ 1.

I R2 = 1 ⇒ predictions arefully explained by the model

−0.5 0 0.5 1

−0.5

0

0.5

1

˙dp

A

˙dpA

−0.5 0 0.5 1

−0.5

0

0.5

1

dp1

˙dpA

−1 0 1−1

−0.5

0

0.5

1

dp4

˙dpA

B1 B4

I R2 → 0 ⇒ (higher privacy protection) whenI SSE � SSR (the noise increases), orI or when SSR → 0 (dp(t) is similar to dp).


Metrics 30/100

Exploratory Data Mining

I Purpose: Extract knowledge from or give insights about thedata without answering specific questions.

I Pattern type: Groups of features (time) that exhibit acommon power consumption profile.

I For example, such an exploration may follow the detection ofconsumption profiles (e.g. via clustering).

I This corresponds to finding cliques in a graph.

Metrics 31/100

Learning consumption profiles and featuresDensity based clustering and dynamic optimisation can helpextract consumption profiles and their features.

Metrics 32/100

Bi-partite graph of features

00-02h

02-04h

04-06h

06-08h

08-10h

10-12h

12-14h

14-16h

16-18h

18-20h

20-22h

22-00h

Washier

TV

Boiler

Cooker

Kettle

Swimmingpool

I Pattern type: Windows of timewith a common powerconsumption profile.

I This may be done with bi-cliquemining algorithms.

I This may provide insights tohiddent or interesting patterns.

I But how can this be interestingfrom a privacy point of view?

Metrics 33/100

Mining more complex (interesting) patterns00-02h

02-04h

04-06h

06-08h

08-10h

10-12h

12-14h

14-16h

16-18h

18-20h

20-22h

22-00h

Washier

TV

Boiler

Cooker

Kettle

Swimmingpool

Day 1

Day 7

...

Week 1

Week 52

...

5-10m

>2hrs

...

1-5m

Metrics 34/100

N-ary relationships

Consumption profile (appliance load)

Timeof the day

Dayof the week

Weekof the year

Durationof consumption

I Pattern type: Consumption profiles that appear in the samewindows of time at the same days of the week, for the samelength of time.

I Pattern syntax: find Maximal Complete Connected Subsets ofpatterns (MCCS).

I Simple pattern mining: divide and conquer depth 1st search.Metrics 35/100

Interestingness

I Interestingess of a pattern may be assessed as a trade-offbetween the self-information and the description length.

I Self information: this may be calculated by calculating theentropy of mutually exclusive subsets of the pattern.

I Description length: this measures how conceisely the patternconveys this information.

Interestingess(γ) = Self Information(γ)Description Length(γ)

Ranking patterns based on interestingness:

{TV}{Kettle} ↔ {02-04h} ↔ {Sat.} ↔ {30–60m}{Swimming Pool} {1–2h}

Metrics 36/100

Data mining for privacyI A variety of models may be used to infer information from the

data.I A variety of metrics to evaluate privacy . . .I A data mining / anomaly detection inspired method:

I Analyse the variability of activity occurrence probabilitydistributions with different time features.

I Focus on significant variability as an indication of anomaly andprivacy alert.

Metrics 37/100

Subset data mining

Example:I Detected appliance profiles: TV, Microwave, CookerI Event space: all possible subsets of {TV, Microwave, Cooker,

Zero/Other}I 2N − 1 subsets (excluding the empty set).I Data mining: sequential batch window.I Types of behaviour: 1) duration of appliance usage, and 2)

frequency of switch-ON appliance event.

Metrics 38/100

Prediction and atypicality

I We characterise a behaviour profile with an empiricalprobability distribution (EPD) of sets of concurrent events:there are 2M possible events.

I An interval EPD, Pp, and an expected EPD, Qp, may beobtained by counting across a constraint or a sufficiently largenumber of sample paths.

I Atypicality: Kdiv(Pp||Qp) :=∑

b Pp(b) log 2Pp(b)Pp(b)+Qp(b) .

I The probability of any given sequence of p is given by

Qnp(p) = |X |−n(H(Pp)+D(Pp ||Qp)),

where X is the set of all possible events, D(Pp||Qp) signifiesrelative entropy, and H(Pp) is the Shannon’s entropy.

G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviour types in smart grid”, IEEEData Mining Workshops (ICDMW), pp 636–642, 2011

Metrics 39/100

Kdiv-inspired privacy metricI Is privacy protected when the atypicality is large?I Is privacy protected when atypicality is small?I Simple privacy alarms:

Crest factor(Kdiv) > th1 Max(Kdiv) > th2Anomaly detection Y NIncongruence N YData perturbation Y Y

G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviour types in smart grid”, IEEEData Mining Workshops (ICDMW), pp 636–642, 2011

Metrics 40/100

Subset atypicalitiesAtypicality of all distinct bags of duration of operation (On-On)appliance events:

Day

Patterns

Atypicality of On-On patterns (house 1)

1 42 83 124 165 206 247 288 329 370 411

Cook

MicroTv

Zero

Tv,ZeroMicro,Zero

Micro,Tv

Cook,ZeroCook,Tv

Cook,MicroCook,Micro,Tv

Cook,Micro,Zero

Cook,Tv,ZeroMicro,Tv,Zero

Cook,Micro,Tv,Zero

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

I Explore the variability of atypicality in all possible eventspaces.

I Particular subsets produce higer atypicalities (darker color).I Continious high atypicality: incongruent data →

non-behavioural problem (false alarm).I Exclusion of the zero event intensifies atypicality.

Metrics 41/100

Example of an alarmI Suppose an alarm is triggered when atypicality exceeds a

threshold value (e.g. set to 0.5).I Privacy alarms of different bags of events for both the

appliance duration and switch-on events.I More frequent privacy alarms when the TV or microwave, and

no other appliance is considered.

House No. 1 2 3 4 5 6 7 8Cook 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Micro 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0TV 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Zero 8 & 0 15 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0TV,Zero 9 & 25 0 & 1 8 & 18 68 & 27 0 & 0 4 & 29 10 & 7 50 & 76Micro,Zero 0 & 25 15 & 15 0 & 0 27 & 27 0 & 0 11 & 22 15 & 15 125 & 24Micro,TV 4 & 0 0 & 0 33 & 33 54 & 14 0 & 0 4 & 28 8 & 0 20 & 105Cook,Zero 4 & 0 14 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,TV 9 & 0 0 & 8 18 & 19 41 & 41 0 & 0 4 & 13 10 & 13 46 & 31Cook,Micro 7 & 0 11 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,Micro,TV 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,Micro,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Micro,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 42 & 42 0 & 0 0 & 0Cook,Micro,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0

Metrics 42/100

Differential Privacy

I Introduced to privately release statistical queries on data setsI Differential privacy measures privacy by parameter ε that

bounds the log-likelihood ratio of the output for twodatabases that differ in only a single entry.

DefinitionA probabilistic algorithm F taking values in set T providesε-differential privacy if

Pr(F (D) ∈ S) ≤ eε · Pr(F (D′) ∈ S)

for all S ∈ T , and all data sets D and D′ that differ in a singleentry.

C. Dwork, Differential privacy, in Automata, Languages and Programming, vol. 4052 of LNCS, 2006.

Metrics 43/100

Approximate Differential Privacy

DefinitionA probabilistic algorithm F taking values in set T provides(ε, δ)-differential privacy if

Pr(F (D) ∈ S) ≤ eε · Pr(F (D′) ∈ S) + δ

for all S ∈ T , and all data sets D and D′ that differ in a singleentry.

I Weaker than ε-differential privacy (equivalent when δ = 0)

C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data, ourselves: Privacy via distributednoise generation. In Proc. 25th International Cryptology Conference (EUROCRYPT), vol. 4004 of LNCS,pages 486–503. Springer, 2006.

Metrics 44/100

Machine Learning & Knowledge extraction

I The fundamental privacy metrics may also apply after smartmetering data is processed to extract knowledge.

I For example, knowledge may simply be represented as acategorical table with multiple dimensions (columns).

I A particularly important knowledge, from a privacyperspective, concerns metering data at an appliance level.

I This leads us to the problem of appliance disaggregation, thealter ego of privacy protection.

I This is also known as Non-intrusive Appliance LoadMonitoring (NIALM) and may be further distinguished intolow frequency NIALM and high frequency NIALM.

Metrics 45/100

High frequency signaturesHart (1992), Laughman (2003), Patel (2007), Gupta (2010), Reinhardt (2012).

I Original idea based on a clustering of active & reactive poweredges.

I Recent techniques based on Harmonics pattern recognition(∼90% accuracy).

I High frequency NIALM assumes specialised metering device.

Metrics 46/100

Low frequency (smart metering) NIALMI Machine Learning models; Input: 1”–15’ power readings.I Open source NIALM:https://github.com/nilmtk/nilmtk

I Typically runs in the backend (Energy provider).I Baranski (2004): Clustering and use of Viterbi algorithm.I Bergman (2011): Finite State Machine; Knapsack detection.I Kolter (2011): Supervised: Factorial HMM (FHMM).I Parson (2011): Supervised: Iterative HMM (IHMM).I Kim (2011): Supervised: Conditional Factorial Semi-HMM

(CFSHMM).I Kolter (2012): Additive Factorial HMM with an AF Maximum

a Posteriori Estimation (AFAMAP) algorithm.I Kelly (2015): Unsupervised learning with Deep Neural

Networks.Metrics 47/100

https://github.com/nilmtk/nilmtk

NIALM ML performanceI Depends on how performance is assessed.I A typical FHMM model may achieve 70-80% accuracy of the

task of appliance ON-OFF detection, assuming an averagehousehold energy usage profile.

I An active area of research; almost exponential increase ofresearch publicationis in recent years.

Metrics 48/100

Poor-man’s real-time & low-cost NIALM

Application of the knapsack algorithm (as opposed to expensiveHMM training):

I maximise W (t) =∑N

i=1∑s

j=1 wi ,j(t)zi ,j , subject to∆Qt − Qn ≤W (t) ≤ ∆Qt + Qn, where ∆Qt is the observedsmart meter power reading, N is the number of appliances,s = 2 the number of appliance states, Qn is a tolerance value,and wi ,j(t) takes values from {0, 1} with the constrain that∑s

i=1 wi ,j(t) = 1, for all j , at any time t.I We set Qn = x − L, where L is a detected minimum power

(vampire power), and 0 ≤ x ≤ xmax.

For real-time (fast) detection, we construct a lookup table bysorting the solutions that correspond to a choice of wi ,j(t) and theassociated W (t).

Metrics 49/100

NIALM and knowledge / privacy ramificationsI Appliance disaggregation may be used to infer Activities of

Daily Living (ADLs).I ADLs may furnish more sensitive personal data such as

healthcare.

Metrics 50/100

Table of Contents

1. Introduction



4. Conclusions

Main Approaches

1. Real energy consumption is not modified, meter data ismodified before being reported to EP.

I Anonymization with/ without TTP, i.e., using pseudonymsinstead of real identities.

I Aggregation with/ without trusted third party (TTP), i.e.summing measurements over a group of users,

I Obfuscation, i.e., adding noise to data,

2. Energy consumption is modified:I Through storage devices, i.e., filtering energy consumption,I Through alternative energy sources (renewables, uninterrupted

power supplies),I Sampling approach, i.e., reducing sampling rate of

measurements.

PP Techniques 52/100

Anonymization with Trusted Third Party (TTP)

EPConcentrator (TTP)

…

Smart meters

p, p, p, …

I SM readings sent to a TTP over secure links.I TTP removes the identities of users from the tuples received

and sends only the SM readings to EP.I EP learns the SM readings, but not their origin.I However, TTP learns the SM readings too.

A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin, “Private memoirs of a smart meter,” in ACMWorkshop on Embedded Sensing Systems for Energy-Efficiency in Building, New York, 2010, pp. 61-66.


Anonymization with STTP

EPConcentrator (STTP)

…

Smart meters

enc(pk,p), enc(pk,p), …

I SM readings are encrypted with the public key of EP.I Instead of real identities, users use pseudonyms.I STTP sends only the encrypted SM readings to EP.I EP decrypts and learns the SM readings, but not their origin.I STTP does not learn the SM readings nor the real identities

of users.R. Petrlic, “A privacy-preserving concept for smart grids,” in Sicherheit in vernetzten Systemen 18. DFNWorkshop, ser. Books on Demand GmbH, 2010, pp. 1-14.


Anonymisation: Customer Data vs. Technical dataI EU SM standards recommendation to define two types of data

for smart metering:I Customer data: Attributable data, e.g. for billing and account

management purposes → Low-frequency data, e.g. every fewdays/weeks.

I Technical data: “Anonymous” data, e.g. for power networkmanagement and demand response → High-frequency data,e.g. every few minutes.

I There is no real reason why the high-frequency data can’t beanonymous and still serve the purposes of the utility and thepower distribution network.

I Smart meter uses both eponymous and anonymous IDs (andrelated crypto keys) for customer and technical data,respectively.

I The utility knows that the anonymous ID is located within acertain area, but not which specific house.


Anonymisation evaluationI Anonymity level achieved depends on the size of the

“anonymity set”, i.e. how hard it is to associate a givenanonymous (ADP) with an eponymous customer (CDP)profile / security key.

I The use of random time intervals in the ADP setup protocolsis crucial.

C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in IEEESmartGridComm conference, Maryland, USA, Oct. 2010, pp. 238-243.


Anonymization with off-line TTP

EPConcentrator

…

Smart meters

ADP, p, Sig(ADP, p), …

ADP = ANSM.CERT, EP.CERT, DNO.CERT

ANSM.CERT includes the HFID and the anonymous public key of the smart meter

TTP

I Each SM has two IDs, one for sending low frequency readings,LFID, and one for sending high frequency readings, HFID.

I Only TTP is aware of the connection between a validHFID/LFID pair.

I TTP is involved only in the SM registration (setup) stage.I EP knows only the connection between a valid LFID/real user

ID pair, but not the connection between HFID/LFID.C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in IEEESmartGridComm conference, Maryland, USA, Oct. 2010, pp. 238-243.


Anonymization & Data Splitting

EP

Concentrator 1

…

Smart meters

Concentrator 2

p1=p11+p12

p2=p21+p22

p1=p11+p12

p2=p21+p22

I Each SM splits its data into shares and sends each share to adifferent concentrator.

I Each concentrator replaces the real ID of the user with apseudonym and forwards the data to EP.

I EP sums all the shares attached with the same pseudonym.I EP knows the SM readings, but not their origin.

C. Rottondi, G. Mauri, and G. Verticale, “A data pseudonymization protocol for smart grids,” in IEEE GreenComConference, Sept. 2012, pp. 68-73.


Aggregation with Trusted Third Party (TTP)


…

Smart meters

P

P = 𝑝

I SM readings sent to a TTP over secure links.I TTP reports to EP:

I sum consumption for a group of SMs (e.g., neighbourhood),I sum consumption of each user over billing period.

I EP learns exactly what it needs to learn, not more.I TTP does not need to know real identities of users, but has to

be trusted.J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” in IEEE Int’l Conf. on Comm.Workshops, Cape Town, South Africa, May 2010, pp. 1-5.


Aggregation & Data Splitting

EP

Concentrator 1

…

Smart meters

Concentrator w

p1={p11, …,p1w}

p2={p21, …,p2w}

…

P = 𝑃𝑖

I Each SM splits its data into w shares using (w , t) secretsharing scheme; sends each share to a different concentrator.

I Each concentrator sums the received shares and sends theaggregated shares to EP.

I EP sums at least t of the received aggregated shares to obtainthe aggregated data of all SMs.

C. Rottondi, G. Verticale, and A. Capone. “Privacy-preserving smart metering with multiple data consumers.”Computer Networks 57, no. 7, 2013, 1699-1713.


Aggregation without Trusted Third Party (TTP)

I How to add a user’s data to the aggregate without revealing itto other users?

I SMs have trusted elements (e.g., smart card or secure USBstick) that cannot be controlled by the grid operator (i.e., itcannot change keys remotely).

I These trusted elements provide secure storage and basiccryptographic functionality

I Common tool: homomorphic encryption, thanks to itsadditive homomorphic property.

I Proposed approaches differ mainly in:I Who performs the aggregation,I How keys are managed.


Homomorphic Encryption with Aggregation done byCollector


…

Smart meters

C

C = 𝑐

P = 𝑝 = 𝑑𝑒𝑐(ℎ𝑠𝑘, 𝐶)

I Each SM encrypts its data with the homomorphic public keyof EP and sends the ciphertext to the collector.

I The collector aggregates the received ciphertexts and sendsthe aggregated ciphertext to EP.

I The EP decrypts the aggregated ciphertext to obtain theaggregated data of all SMs.

R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient and privacy-preserving aggregation scheme forsecure smart grid communications,” IEEE TPDS, vol. 23, no. 9, 2012, pp. 1621-1631.


Homomorphic Encryption with Aggregation done by EPI Each SM chooses random key k of bihomomorphic encryption

scheme.I Keys are aggregated within SM group by electing random SM

as key aggregator (KA) through a secure channel thatprovides anonymity for every SM.

I KA computes aggregated key K and sends it to EP.I Every SM sends its data, encrypted with its key to EP via a

secure channel.I EP aggregates all received encrypted values, then obtains the

aggregated energy consumption by decrypting the aggregatedencrypted value using K .

I SMs updates their keys at every data reporting round suchthat K remains the same.

F.G. Marmol, C. Sorge, O. Ugus, and G.M. Perez, “Do not snoop my habits: preserving privacy in the smart grid,”IEEE Communications Magazine, vol. 50, no. 5, 2012, pp. 166-172.


Homomorphic Encryption & Data Splitting

I Neighbourhood groups of size N.I Each node prepares N shares of its measurements.I Encrypts one share with the public key of each user (N-1

users) and sends to the EP (except own share).I The EP, using the properties of homomorphic encryption,

sums all N − 1 ciphertexts intended for a user and sends theresulting ciphertext to her to decrypt.

I Each user adds its own share and sends the final result backto the EP unencrypted.

I EP sums all the received results.

F. D. Garcia and B. Jacobs, Privacy-friendly energy-metering via homomorphic encryption, in Proc. Int’l Conf. onSecurity and Trust Management, Berlin, Heidelberg, 2011, pp. 226-238.


Homomorphic Encryption & Selective Aggregation

TSODCC

EP𝑖

𝐶

Nep ∗ 𝐶 Nep ∗ 𝐶

ΣP

||r

Nep ∗ 𝐶

DNO𝑗

…𝐶

𝐶

𝐶

I SM data encrypted with DNO’s homomorphic public key.I At collectors ciphertexts are aggregated based on EP.I At DCC ciphertexts are aggregated based on DNO and EP.I DNO recovers the data and random number from ciphertexts,

sends both items to EP, sums all data and sends to TSO.I EP performs ciphertext-based verification of the data.

M.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “DEP2SA: A Decentralised Efficient Privacy-Preserving andSelective Aggregation Scheme in Advanced Metering Infrastructure,” in IEEE Access journal, 2015, to appear.


Zero-proof SM cryptosystemYet another fancy cryptosystem

Utility

Signed

& e

ncry

pted

read

ings

Certifi

ed P

olicy

Dynam

ic ra

tes p

er ½

hou

r

Certified Zero-knowledge Proof of correctness

Signed & encrypted readingsper ½ hour

Shared key

Decrypted readings donot leave the user device

Utility can verify correctness of computation

without access to secret readings!

I Computations executed by the customer without disclosingraw meter readings.

I Correctness can be guaranteed.I If the raw data is needed, secure aggregation can be used.

A. Rial, G. Danezis, “Privacy-preserving smart metering”, Proceedings of the 10th annual ACM workshop onPrivacy in the electronic society, pp 49–60, 2011.


Obfuscation

I Users add zero-mean independent noise to their readingsbefore forwarding to EP.

I Average sum consumption remains same at each period.I Goal: low confidence for individual measurements (high

variance noise component), and high-confidence for totalconsumption (too many uses aggregated together: 99.9%confidence requires aggregating 3.8 million users.)

I Meters should be tamper-proof.

J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” in IEEE Int’l Conf. on Comm.Workshops, Cape Town, South Africa, May 2010, pp. 1-5.


Main Approaches

1. Real energy consumption is not modified, meter data ismodified before being reported to EP.

I Anonymization with/ without TTP, i.e., using pseudonymsinstead of real identities.

I Aggregation with/ without trusted third party (TTP), i.e.summing measurements over a group of users,

I Obfuscation, i.e., adding noise to data,

2. Energy consumption is modified:I Through storage devices, i.e., filtering energy consumption,I Through alternative energy sources (renewables, uninterrupted

power supplies),I Sampling approach, i.e., reducing sampling rate of

measurements.


Privacy - Utility Trade-off

Billing problemEP needs to bill users. Perfect attribution and exactness required.Low sampling frequency sufficient.

Grid management problemEnergy provide needs to manage the grid. High sampling frequencyrequired, attribution exactness not necessary (i.e., can work withaggregate meter readings).

Meter data can leak sensitive information that should be keptprivate. There is a trade-off between utility and privacy.


Information Theoretic SM Privacy

I Energy consumption of user is modeled as a sequence of realnumbers, X n.

I SM readings, Y n, represents information available to EP.I Privacy is measured by average information leakage, defined

as average mutual information between X n and Y n:

1n I(X n; Y n) = 1

n [H(X n)− H(X n|Y n)]

= 1n

∑(xn,yn)∈X n×Yn

p(xn, yn) log p(xn, yn)p(xn)p(yn)


Reporting Quantized Energy Consumption

I SM maps X n to a predefined set of meter readings:

Encoder :X n → SMR = {SMR1, . . . ,SMRM}

I No matter what real consumption is, EP will receiveY n ∈ SMR, one of M readings,

I The closer Y n to X n, the more useful it is for grid estimation/monitoring, and the more data is leaked.

I There is a fundamental trade-off between privacy and utilityof reported SM readings

Sankar et al., “Smart Meter Privacy: A Theoretical Framework,” IEEE Trans. Smart Grid, Jun. 2013.


Privacy- Utility Trade-off

I Utility: The closer the estimates, the higher the utility:

∆ = E[

1n

n∑i=1

d(Xi ,Yi )]

d(·, ·): given distortion measure (distance between real energyconsumption and EP’s estimation)

I Average information leakage:

I = 1n I(X n; Y n)

I Question: What is the set of feasible (∆, I) pairs?


Privacy- Utility Trade-offI For given utility ∆, minimum information leakage is obtained

by the rate-distortion function R(∆)I Rate-distortion function, R(D): Minimum number of bits per

symbol that should be transmitted to a receiver, so that thesource (input signal) can be approximately reconstructedwithin a given distortion, D (lossy data compression).

U"lity "Distortion

Privacy/ Informa"on leakage


Privacy Through Energy Consumption Manipulation

I Physical approach to privacy, rather than cyber.I Previous techniques assume grid operator depends solely on

SM readings for load monitoring.I However, grid operator owns the grid, and has many other

sensors, measuremetn mechanisms that can provide some levelof information

I Moreover, obfuscation, data aggregation, etc. limit operatorscapabilities to monitor grid for failures, energy qualitychanges, renewable integration, etc.

I Alternative solution: Consumers manipulate their energyconsumption over time by exploiting storage devices oralternative energy sources (renewable sources, uninterruptiblepower supply, etc.).


Alternative Energy Source

Appliances Energy

Management Unit (EMU)

Smart Grid

Alterna8ve Energy Source

X(t) Y(t)

X(t) – Y(t)

U8lity Provider

Smart

Meter

I Discrete time model:I Energy demand (input load): Xt

I Energy from grid (output load): Yt

I Remainder from alternative energy source(AES): Xt − Yt

I SM reads and reports YtD. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of an alternative energy source, IEEE Int’lConf. on Comms. (ICC), Budapest, Hungary, Jun. 2013.


Simple alternative energy-based systemNaive (best-effort) privacy algorithm: Perturbs electrical eventswhile improving energy efficiency.


Battery friendly privacy algorithmAlgo 1 (selective use of battery):

I If a rare event occurs (e.g. kettle at 1am): discharge batteryto hide it.

I If an expected event does not occur (e.g. lights at 9pm):recharge battery to simulate it.

Algo 2 (selective allocation per appliance):I Allocate battery energy quotas to differen appliances (e.g.

protect privacy of TV, but not Kettle).I Detect appliance (e.g. NIALM algorithm)I Apply best-effort (water filling) algorithm for each appliance

and its allocated sub-battery resources.

G. Kalogridis, R. Cepeda, T. Lewis, S. Denic, andC. Efthymiou,“ElecPrivacy: Evaluating the Privacy Protectionof Electricity Management Algorithm”, IEEE Trans. onSmart Grid, 2011.


Utility friendly privacy algorithmEnergy Capping algo:

I Objective: consume a certain amount of energy (CAP) everyT = 30 minutes.

I If prediction > CAP, then battery power is used (best effort).I If prediction < CAP, then the battery is charged.I Benefits

I (Grid-scale effect) mitigate peaks & rebound peaksI (Uncertainty) reduce demand uncertainty,I complementary to demand response signal.

G. Kalogridis and S. Dave, “PeHEMS: Privacy enabled HEMSand load balancing prototype”, IEEE SmartGridComm12


Energy Management PolicyI Energy management policy: ft : X t × Yt−1 → Y, s.t.

0 ≤ Xt − Yt ≤ P

I Privacy: Information leakage rate

In ,1n I(X n; Y n)

I Average power from AES:

Pn = E

[1n

n∑t=1

(Xt − Yt)]

I For given P, pair (I, P) is achievable if there exist energymanagement policies with limn→∞ In ≤ I and limn→∞ Pn ≤ P.

I Privacy-power function, I(P, P), is the minimum achievableinformation leakage rate for given peak power P, and averagepower P.


Energy Management PolicyI Energy management policy: ft : X t × Yt−1 → Y, s.t.

0 ≤ Xt − Yt ≤ P

I Privacy: Information leakage rate

In ,1n I(X n; Y n)

I Average power from AES:

Pn = E

[1n

n∑t=1

(Xt − Yt)]

I For given P, pair (I, P) is achievable if there exist energymanagement policies with limn→∞ In ≤ I and limn→∞ Pn ≤ P.

I Privacy-power function, I(P, P), is the minimum achievableinformation leakage rate for given peak power P, and averagepower P.


Privacy- Power FunctionI Assume independent identically distributed (i.i.d.) input

power sequence X n with distribution pX

Theorem (Privacy-Power Function)Privacy - power function for an i.i.d. input load X with distributionpX (x) is given by

I(P, P) = infpY |X (y |x):E[X−Y ]≤P

0≤X−Y≤P

I(X ; Y )

LemmaPrivacy - power function is a non-increasing convex function of P.

I Optimal energy management policy is memoryless andstochastic: randomly generate output load based oninstantaneous input load.

D. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of an alternative energy source, IEEE Int’lConf. on Comms. (ICC), Budapest, Hungary, Jun. 2013.


Rate-Distortion Interpretation

Privacy-power function is a rate-distortion function with differencedistortion measure:

d(x , y) ={

x − y if 0 ≤ x − y ≤ P,∞ otherwise.

I No digital interface: Y n is direct output of “encoder”, ratherthan the reconstruction of the decoder based on thetransmitted index

I EMU does not operate over blocks: Yt decidedinstantaneously based on previous input/output loads

I If all future energy demands were known, same privacy couldbe achieved by deterministic block-based energy managementpolicy


Numerical Analysis

I Continuous output alphabet: Infinitely many variables

TheoremWithout loss of optimality output load alphabet Y can beconstrained to input alphabet, i.e., Y = X .

I Discrete input/output alphabets: Convex optimizationproblem

I Blahut-Arimoto algorithm


Uniform Input Load

0 0.2 0.4 0.6 0.8 10

0.5

1

1.5

2

2.5

3

3.5

4

4.5

E

I(E

)

Optimal

Limit max output load

Time division

I Uniform demand over {0, c, 2c . . . , 20c}, such that E [X ] = 1I Time division: Either from AES or gridI Limit max output load: Y (t) ≤ C


Continuous Input Loads

I Continuous input and output alphabetsI No efficient numerical computation method (infinite

dimensional optimization problem)I Shannon Lower Bound (SLB):

I(P) ≥ (h(X )− ln (P))+ nats

I Not tight in generalI Exponential input load, X ∼ exp(λ): SLB is tight

I(P) =(

ln(λ

P

))+nats.

J. Gomez-Vilardebo and D. Gunduz, Smart meter privacy for multiple users in the presence of an alternative energysource, IEEE Trans. on Information Forensics & Security, vol. 10, no. 1, pp. 132-141, Jan. 2015.


Differentially Private BillingI Even billing information can reveal private data in the

presence of additional side informationI Users add noise (only positive) to meter measurements to

create privacyI Noise = Money: Users minimize noise (trade-off between

additional cost and privacy)I Discrete noise: Geometric distribution (instead of Laplacian)

I Geometric distribution maximizes uncertainty for given mean

I Rebates: With additional encrytion tools (zero-knowledgeproof, anonymous payment) added cost can be reimbursed tocustomer

I Negative noise can be possible by introducing depositpayment in advance

G. Danezis, M. Kohlweiss, A. Rial, Differentially Private Billing with Rebates. IACR Cryptology ePrint Archive,2011, p. 134.


Differentially Privacy + Modulo Encryption

I Group SMs into clusters.I X i

t : Consumption of user i at time slot tI Energy provider (EP) interested only in sum consumption of a

cluster within a time slot:∑N

i=1 X it

I Each user adds noise, and encrypts noisy measurement beforesending to EP.

G. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArt Metering), 13th Information HidingConference, 2011.


Distributed Noise AdditionI User i calculates X i

t = X it + Γ1(N, λ)− Γ2(N, λ) in slot t and

sends it to the aggregator.I Γ1(N, λ) and Γ2(N, λ) independently drawn from gamma

distribution with shape parameter 1/N and scale parameter λ.

N∑i=1

X it =

N∑i=1

X it +

N∑i=1

[Γ1(N, λ)− Γ2(N, λ)]

=n∑

i=1X i

t + [Γ1(1, λ)− Γ2(1, λ)]

=n∑

i=1X i

t + [Exp(λ)− Exp(λ)]

=n∑

i=1X i

t + L(λ), L(λ) : Laplace distribution.



Modulo Encryption

I Each SM is configured with a private key, and gets thecorresponding certificate from a trusted third party.

I Generate pairwise keys between each pair of SMs.I Modulo addition based encryption: EP can only decode noisy

aggregate data (since it does not know pairwise keys).I Aggregate noise enough to provide differential privacy to each

consumer.



Table of Contents

1. Introduction



4. Conclusions

In summary

I PEMS: Privacy-enabled Energy Management SystemI Data anonymisation (escrow protocol)I Secure aggregation, key management (network security)I Policy, Regulations, Access Control (Standards)

Conclusions 90/100

Smart Metering Standardisation I

Open Smart Grid Protocol (OSGP)European Telecommunications Standards Institute (ETSI) approved,OSGP Alliance (Mitsubishi, Schneider, Vattenfall, Ericsson, Oracle).Used with ISO/IEC 14908 control networking standard for smart gridapplications. Over 4 million OSGP based SMs deployed worldwide -mostwidely used standard.

IEEE 802.15.4gNeighborhood Area Networking (NAN) standard developed by IEEESmart Utility Networks (SUN) Task Group (Elster, Itron, Landis+Gyr,NICT, and Silver Spring Networks).

Telecommunications Industry Association (TIA)TR-51 engineering committee, Smart Utility Networks, is also developingair-interface, network and conformance standards to support smart grids.

Conclusions 91/100

Smart Metering Standardisation IIEU / ECEC set up Smart Grids Task Force (SGTF) in 2009. Keyrecommendations: User should have choice e.g. opt-in, opt-out. SGTFExpert Group 2 (EG2) and SGIS work-programme included Dataprotection impact assessment (DPIA) and Cyber-security assessment.

UKThe Department of Energy and Climate Change (DECC) has assessedthat the UK Data Protection Act (DPA) protection is not enough; PIA(privacy impact assessment): data storage, communication and accesscontrol should be protected by means of cryptography. Data may beaggregated. The consumer should choose in which way data shall beused and by whom, with the exception of regulated duties.

GermanyThe BSI, the federal agency for IT security, has developed a “smart meterprotection profile” specification (2010). Smart meter data are stored inhome Gateway. Stakeholders are authenticated and authorised by theGateway. The consumer may choose in which way consumption datashall be accessed and by whom, with the exception of regulated duties.Conclusions 92/100

Future Directions

I An exciting research fieldI Many open questions at the intersection of computer science,

power systems, control theory, signal processing andinformation theory.

I What is the relationship of different privacy definitions?I k-Anonymity.I Information leakage.I Anomaly detection & Atypicality.I Knowledge extraction (data mining & Machine learning).I Differential privacy.

I How else can privacy be defined and measured?I How much does the user care about privacy? What is the

future of privacy with IoT and big data?

Conclusions 93/100

Take away message

I Privacy is a fundamental value; in a future of complex (smartcity) systems, security and trust (policies) is not enough. . .

I To protect privacy we need to measure it.

I Diverse privacy preservation techniques may be based oninformation theory, multiple source energy engineering, andcryptographic network protocols. Which one to use?

Conclusions 94/100

THANK YOU!

Conclusions 95/100

References”Guidelines for Smart Grid Cyber Security,” National Institute of Standards andTechnology (NIST), Privacy and the Smart Grid, vol. 2, NIST IR 7628 Rev. 1,Sep. 2014.

”Potential Privacy Impacts that Arise from the Collection and Use of SmartGrid Data,” NIST, vol. 2, pp. 30–32.

K. Kursawe and C. Peters, “Structural Weaknesses in the Open Smart GridProtocol”, Cryptology ePrint Archive, Report 2015/088.

P. Jovanovic and S. Neves, “Dumb Crypto in Smart Grids: PracticalCryptanalysis of the Open Smart Grid Protocol”, Aug. 2015.

A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin, “Privatememoirs of a smart meter,” in ACM Workshop on Embedded Sensing Systemsfor Energy-Efficiency in Building, New York, 2010, pp. 61-66.

R. Petrlic, “A privacy-preserving concept for smart grids,” in Sicherheit invernetzten Systemen 18. DFN Workshop, ser. Books on Demand GmbH, 2010,pp. 1-14.

C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smartmetering data,” in IEEE SmartGridComm conference, Maryland, USA, Oct.2010, pp. 238-243.

Conclusions 96/100

ReferencesC. Rottondi, G. Mauri, and G. Verticale, “A data pseudonymization protocol forsmart grids,” in IEEE GreenCom Conference, Sept. 2012, pp. 68-73.

J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” inIEEE Int’l Conf. on Comm. Workshops, Cape Town, South Africa, May 2010,pp. 1-5.

C. Rottondi, G. Verticale, and A. Capone. “Privacy-preserving smart meteringwith multiple data consumers.” Computer Networks 57, no. 7, 2013, 1699-1713.

R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient andprivacy-preserving aggregation scheme for secure smart grid communications,”IEEE TPDS, vol. 23, no. 9, 2012, pp. 1621-1631.

F.G. Marmol, C. Sorge, O. Ugus, and G.M. Perez, “Do not snoop my habits:preserving privacy in the smart grid,” IEEE Communications Magazine, vol. 50,no. 5, 2012, pp. 166-172.

F. D. Garcia and B. Jacobs, Privacy-friendly energy-metering via homomorphicencryption, in Proc. Int’l Conf. on Security and Trust Management, Berlin,Heidelberg, 2011, pp. 226-238.

M.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “DEP2SA: A DecentralisedEfficient Privacy-Preserving and Selective Aggregation Scheme in AdvancedMetering Infrastructure,” in IEEE Access journal, 2015, to appear.

Conclusions 97/100

ReferencesM.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “MUSP: Multi-service, UserSelf-controllable and Privacy-preserving System for Smart Metering,” In IEEEICC, June 2015, pp.788-794.

C. Dwork, Differential privacy, in Automata, Languages and Programming, vol.4052 of LNCS, 2006.

C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data,ourselves: Privacy via distributed noise generation. In Proc. 25th InternationalCryptology Conference (EUROCRYPT), vol. 4004 of LNCS, pages 486–503.Springer, 2006.

Sankar et al., “Smart Meter Privacy: A Theoretical Framework,” IEEE Trans.Smart Grid, Jun. 2013.

D. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of analternative energy source, IEEE Int’l Conf. on Comms. (ICC), Budapest,Hungary, Jun. 2013.

J. Gomez-Vilardebo and D. Gunduz, Smart meter privacy for multiple users inthe presence of an alternative energy source, IEEE Trans. on InformationForensics & Security, vol. 10, no. 1, pp. 132-141, Jan. 2015.

G. Danezis, M. Kohlweiss, A. Rial, Differentially Private Billing with Rebates.IACR Cryptology ePrint Archive, 2011, p. 134.

Conclusions 98/100

ReferencesG. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArtMetering), 13th Information Hiding Conference, 2011.

A. Rial, G. Danezis, “Privacy-preserving smart metering”, Proceedings of the10th annual ACM workshop on Privacy in the electronic society, pp 49–60, 2011.

G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy forSmart Meters: Towards Undetectable Appliance Load Signatures”, IEEESmartGridComm’10.

G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviourtypes in smart grid”, IEEE Data Mining Workshops (ICDMW), pp 636–642,2011

G. Kalogridis, R. Cepeda, T. Lewis, S. Denic, and C. Efthymiou,“ElecPrivacy:Evaluating the Privacy Protection of Electricity Management Algorithm”, IEEETrans. on Smart Grid, 2011.

G. Kalogridis and S. Dave, “PeHEMS: Privacy enabled HEMS and loadbalancing prototype”, IEEE SmartGridComm12.

G. W. Hart. “Nonintrusive appliance load monitoring”. Proceedings of the IEEE,80(12):1870–1891, 1992.

Conclusions 99/100

ReferencesC. Laughman, et al., “Power signature analysis”, IEEE Power and EnergyMagazine, 1(2):56–63, 2003.

M. Baranski and J. Voss, “Genetic algorithm for pattern detection in NIALMsystems”, IEEE Systems, Man and Cybernetics, 2004.

D. Bergman et al., “Distributed non-intrusive load monitoring”, IEEE PES ISGT2011.

J. Z. Kolter and M. J. Johnson. “REDD: A public data set for energydisaggregation research”. 1st KDD Workshop on Data Mining Applications.

J. Z. Kolter and T. Jaakkola. “Approximate Inference in Additive FactorialHMMs with Application to Energy Disaggregation.” Int. Conf. on ArtificialIntelligence and Statistics, 2012.

O. Parson, S. Ghosh, M. Weal, and A. Rogers. “Non-intrusive load monitoringusing prior models of general appliance types”. In Proceedings of the 26th AAAIConference on Artificial Intelligence.

H. Kim, M. Marwah, M. F. Arlitt, G. Lyon, and J. Han. “UnsupervisedDisaggregation of Low Frequency Power Measurements”. In 11th SIAMInternational Conference on Data Mining, 2011.

J. Kelly and W. Knottenbelt, “The UK-DALE dataset, domestic appliance-levelelectricity demand and whole-house demand from five UK homes”, ScientificData Nature Publishing Group, 2015.

Conclusions 100/100