Privacy in Smart Metering Systems
Deniz Gunduz1 Georgios Kalogridis2 Mustafa A. Mustafa3
1Imperial College London2Toshiba Research Europe (Telecommunicatios Research Lab).
3KU Leuven
IEEE WIFS 2015Rome, 16 Nov 2015
Scope
I What is the problem?I What are the implications of privacy issues in smart meters?I How to measure privacy in smart meter context?I Existing approaches and solutionsI Remaining challenges
Organization
1. Introduction
2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction
3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic
4. Conclusions
Table of Contents
1. Introduction
2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction
3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic
4. Conclusions
Smart Grid
Smart grid refers to the future energy grid that exploitsinformation technologies
I to increase reliability,I to increase efficiency and reduce carbon footprint,I to incorporate renewable as well as traditional energy sources,I to provide security,I to introduce new services that cannot be foreseen today.
Introduction 5/100
Smart Grid EntitiesBulkGeneration
DistributionLines
Transmission Substation
Consumer
Smart Meter Appliances
In-HomeDisplay
Renewable EnergySource
Electric Vehicle
Electricity flow
Data flow
IndustrialConsumer
Home Consumer
DistributedGeneration
TransmissionLines
Distribution Substation
Final Distribution Substation
TransmissionSystemOperator
DistributionNetworkOperators
Energy Providers(Utilities)
Home Consumer
DistributedGeneration
Introduction 6/100
Smart Meters
Smart meters (SMs) are an essential component of smart grids;they enable many “smart” grid functionalities.
SMs introduce the ability to provide bi-directional communicationbetween consumers and the energy providers/ grid operator and topromote services that facilitate energy efficiency within the home1.
Introduction 7/100
Benefits for the Consumer
I Ability to track their own energy consumption near real time,which leads to better energy usage management,
I More accurate and timely billing services,I Possibility to benefit from demand flexibility and time-of-use
(ToU) pricing,I Possibility to introduce safety solutions of the household and
equipment through better power quality and breakdownmanagement,
I Home appliances failure detection, detection of waste,detection of unexpected activity or inactivity,
I Increase competition among energy providers due to ease ofswitching for customers.
Introduction 8/100
Benefits for the Energy Provider/ Grid Operator
I Reduced cost of meter readings and back office rebillingprocesses,
I Misuse and fraud detection,I Accurate sensing and monitoring capabilities to distribution
network operators (DNOs)I Possibility to introduce demand response management in
order to reduce peak loads,I Renewable integration and microgeneration management.
Introduction 9/100
Advanced Metering Infrastructure (AMI)AMI uses two-way communication to both transmit usageinformation and perform observation and maintenance tasks.
NAN Concentrator
WAN (5G, Fiber,
WiFi)
Concentrator
U4lity
NAN Concentrator
HAN
Appliances Thermostats
Solar panel Electric vehicle Introduction 10/100
AMI in Great Britain
. . .
RES
EVConsumer
EVSE SM Appliances
IHD
HAN
TSO
DNON
EPL
DataCommunications
Company
DNO1
EP1
Region N
. . .
. . .
Region 1
Introduction 11/100
Smart Metering Market
I Global smart meters market is estimated to grow from $11.1billion in 2014 to $18.2 billion by 2019, at a compound annualgrowth rate (CAGR) of 10.2% from 2014 to 2019.
I By 2024, there will be nearly 1.1 billion smart residentialmeters worldwide, with 57% market penetration.
I Directive of the European Parliement in 2009 required 80% ofEU households have a smart meter installed by 2020.
I In UK, installation of 53m smart meters in 30m households by2020 is expected to cost £10.9bn. Government estimatesroll-out of smart meters will deliver £7 billion net benefits toconsumers, energy suppliers and networks over 20 years.
Introduction 12/100
Smart Meter Privacy Concerns
I Netherlands: Senate voted against mandatory roll-out of SMs,found to be against European Convention on human rights
I 9000 consumers polled in 17 countries: 1/3 discouraged fromusing smart meters if it gave utilities greater access to dataabout their personal energy use
Introduction 13/100
Smart Meter Privacy: Technical Angle
Peak = 7.18 kW Mean = 0.49 kW Daily load factor = 0.07 Energy consumpAon = 11.8 kWh
Refrigerator
Toaster
KeFle
Washing Machine
KeFle
Time of day, h
Power, kW
I Non-intrusive load monitoring (NILM) techniques using highfrequency SM data
I Reveals information on user’s energy consumption behaviour:can track appliance usage patterns, home occupancy, even theTV channel user is watching ...Introduction 14/100
Smart Meter Privacy: Social Angle
I Patterns (behaviour profiling)I Watching too much TV?I Another microwave meal?
I Real-time surveillanceI Were you home last night?I Did your friend move in?
I Non-grid use of dataI Advertising and spamI InsuranceI Appliance warranties
I Information leakageI phishing, pharming, fraud
”Guidelines for Smart Grid Cyber Security,” National Institute of Standards and Technology (NIST), Privacyand the Smart Grid, vol. 2, NIST IR 7628 Rev. 1, Sep. 2014.
Introduction 15/100
Potential Risks
Who wants smart meter data? How could the data be used?Utilities To monitor electricity usage and load;
to determine billsAdvisory companies To promote energy conservation and awarenessInsurance companies To determine premiums based on
unusual behaviors that might indicate illnessMarketers To profile customers for targeted advertisementsLaw enforcers To identify suspicious or illegal activityCivil litigators To identify property boundaries
and activities on premisesLandlords To verify lease compliancePrivate investigators To monitor specific eventsThe press To get information about famous peopleCreditors To determine behavior that might indicate
creditworthinessCriminals To identify best times for a burglary, or
valuable appliances to steal
”Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data,” NIST, vol. 2, pp. 30–32.Introduction 16/100
Smart Meter Security
I Security 6= PrivacyI Remote switching off capability of smart meters opens up new
vulnerabilities (Stuxnet type cyber attacks)I Meters can be hacked by consumers or third parties to
reduce/increase energy billI a utility in Puerto Rico lost $400 million in annual revenue after
criminals hacked into smart meters to under-report electricity usage.
I Smart meters are made to last (15-20 years). In many casesencryption mechanims are not adaptive, and cannot last aslong.
I Highly connected AMI allows spread of malwareI Wireless transmission of meter readings is prone to
eavesdropping and data injection attacks
Introduction 17/100
Smart Meter Security Problems
NAN Concentrator
WAN (5G, Fiber,
WiFi)
Concentrator
U4lity
NAN Concentrator
HAN
Appliances Thermostats
Solar panel Electric vehicle
I Many papers have reported serious security risks in the AMIarchitecture
I More recently: flaws in authentication meshanism of OpenSmart Grid Protocol
I K. Kursawe and C. Peters, “Structural Weaknesses in the OpenSmart Grid Protocol”, Cryptology ePrint Archive, Report 2015/088.
I P. Jovanovic and S. Neves, “Dumb Crypto in Smart Grids: PracticalCryptanalysis of the Open Smart Grid Protocol”, Aug. 2015.
Introduction 18/100
Security Measures against Attackers
I Authentication and authorisationI Secure networks and communication linksI Secure data storageI Secure multi-party computingI Encrypted functionsI Trusted platform moduleI Physically unclonable functions
Are these measures sufficient to protect privacy?
Introduction 19/100
Confidentiality and Authorisation vs. Privacy
Confidentialityset of rules that limit access or place restrictions on disclosure ofsome information, e.g., by means of encryption. Confidentialityensures that access to information is restricted to authorizedentities.
Authorisationlimits access to certain entities. Authorization is usually coupledwith authentication.
In smart meters, privacy is not only against third parties/ attackers,but also against the legitimate/ authorised receiver of data.
Introduction 20/100
Paradigm Shift: Privacy Against Energy Providers (EPs)/Grid Operators
I Focus of current SMs is on protection against manipulation bycustomers.
I Grid operators/ EPs can remotely update crucial meterparameters (e.g., cryptographic keys, sampling frequency),install new software, or disconnect energy.
I Measurement data collected and stored in database of theoperator.
I Trust in grid operators: consumers are protected mainly byguidelines, audits, codes of behaviour.
To protect privacy we first need to measure it.
Introduction 21/100
Table of Contents
1. Introduction
2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction
3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic
4. Conclusions
What is Privacy?Data privacy (OECD Glossary of Statistical Terms)It is the status accorded to data which has been agreed uponbetween the person or organisation furnishing the data and theorganisation receiving it and which describes the degree ofprotection which will be provided.
Personal data (EU Data Protection Directive)Any information relating to an identified or identifiable naturalperson should (among other things) a) “be collected for a specifiedpurposes and not be further processed for other purposes”, and b)“be merely adequate and not excessive for the purposes motivatingits collection”.
I Explains the notion of privacyI Does not specify how privacy protection can be appliedI To protect privacy we first need to measure it
Metrics 23/100
Privacy Measures for Smart Meters
I Privacy evaluation depends on the (data mining) task ofextracting knowledge from the communicated smart meteringdata. We distinguish two main privacy approaches as such:
I Data privacy evaluation – e.g. statistical analysis of aggregatedata.
I Knowledge privacy evaluation – e.g. analysis of inferreddisaggregated data.
Metrics 24/100
Privacy Metrics for Smart MetersI Relative entropy / Mutual information: used for computing
bounds on the achievable level of privacy, independent oftechnologic and computational capabilities of an attacker.
I Cluster classification: input data classified into clusters;known and hidden load cluster comparison may yield apossible privacy gain.
I Regression analysis: known and hidden loads are shifted untilthey align to their point of maximum cross-correlation.
I Residual features: features that appear both in the known andhidden profiles (i.e., an energy transition ).
I Exploratory Data Mining & Interestingness: ensures thatinteresting data mining patterns (e.g. atypical TV or sleeppatterns) remain hidden.
I Differential privacy: ensures that adding a single entry to adatabase (or deleting one from it) does not significantlychange the answer given to some queries.Metrics 25/100
Privacy and UndetectabilityProblem (Undetectability)Suppose G is an inference model that transforms a p(t) smartmetering trace into a hypothetical e′(t) event trace. Suppose thatwe would like to protect a real event trace, e(t). If G offers(purposefully or not) α privacy protection, then how much is α?
I Such a problem may be solved by means of evaluating theperformance of the inference model. E.g. we may calculatethe likelihood an event was occured given a recorded loadsignature.
I A different approach concerns the use of similarity metrics tosimply compare e(t) with e′(t).
I In the case of data perturbation, e(t) would be the p(t), ande′(t) would be the perturbed metering data p′(t).
I An event may be defined as a power edge:e′(t) = dp(t) = p(t)− p(t − 1). We also denote dpA(t) to bethe original (real) trace of power edges dp(t).Metrics 26/100
Similarity metric 1: Relative entropyThe relative entropy or Kullback Leibler distance is a well knowninformation theoretic quantity which can be used to compare twosources of information:
D(P||Q) =∫ xmax
xminfP(x) log fP(x)
fQ(x)dx .
I The bigger the D(P||Q) the better the privacy protection.
G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy for Smart Meters: Towards UndetectableAppliance Load Signatures”, IEEE SmartGridComm’10.
Metrics 27/100
Similarity metric 2: Cluster similarity
We consider a simple method of trace analysis to compute howclose dpA(t) is to dp(t).
1. Find the silhouette optimal n for dpA(t).
2. Classify dpA(t) into set of clusters A = {a1, . . . , an}.
3. Classify dp(t) into set of clusters B = {b1, . . . , bn}.
4. Ignore cluster values corresponding to insignificant powerchanges.
5. Compute the ratio of ‘correct’ classifications in B.
6. The smaller the cluster similarity the better the privacyprotection.
G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy for Smart Meters: Towards UndetectableAppliance Load Signatures”, IEEE SmartGridComm’10.
Metrics 28/100
Clustering-based graphical model similarityAn extension of clustering is to build a graphical model. Theoriginal and inferred graphical models may then be compared toevaluate privacy.
2 4 W
22 hrs
1 2 0 W
45 mins
1 4 %
1 4 4 W
8 mins
1 2 %
6 0 W
34 mins
6 4 %
1 9 2 W
22 mins
5 %
1 0 8 0 W
14 mins
0 %
6 9 6 W
9 mins
1 %
1 3 6 8 W
24 mins
0 %
7 %
4 7 %
4 0 %
3 %
0 %
0 %
0 %
0 %
7 5 %
2 %
2 0 %
0 %
0 %
0 %
4 9 %
3 6 %
7 %
3 %
0 %
0 %
0 %
0 %
8 %
6 2 %
7 %
2 %
1 4 %
3 %
1 %
1 %
4 %
1 3 %
3 0 %
4 9 %
3 %
1 %
6 %
4 4 %
1 7 %
2 4 %
3 %
4 %
1 %
1 9 %
4 2 %
2 8 %
Metrics 29/100
Similarity metric 3: Regression analysisWe may analyse the degree to which dp(t) ‘predicts’ dpA(t) byfitting the traces and measuring their ‘distance’ in the time domain.
1. Estimate the error sum of squares SSE =∑
t(dp(t)− dp(t))2
and the regression sum of squares SSR =∑
t(dp(t)− dp).
2. Compute the coefficient of determination:R2 = 1− SSE
SSR +SSE, 0 ≤ R2 ≤ 1.
I R2 = 1 ⇒ predictions arefully explained by the model
−0.5 0 0.5 1
−0.5
0
0.5
1
˙dp
A
˙dpA
−0.5 0 0.5 1
−0.5
0
0.5
1
dp1
˙dpA
−1 0 1−1
−0.5
0
0.5
1
dp4
˙dpA
B1 B4
I R2 → 0 ⇒ (higher privacy protection) whenI SSE � SSR (the noise increases), orI or when SSR → 0 (dp(t) is similar to dp).
G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy for Smart Meters: Towards UndetectableAppliance Load Signatures”, IEEE SmartGridComm’10.
Metrics 30/100
Exploratory Data Mining
I Purpose: Extract knowledge from or give insights about thedata without answering specific questions.
I Pattern type: Groups of features (time) that exhibit acommon power consumption profile.
I For example, such an exploration may follow the detection ofconsumption profiles (e.g. via clustering).
I This corresponds to finding cliques in a graph.
Metrics 31/100
Learning consumption profiles and featuresDensity based clustering and dynamic optimisation can helpextract consumption profiles and their features.
Metrics 32/100
Bi-partite graph of features
00-02h
02-04h
04-06h
06-08h
08-10h
10-12h
12-14h
14-16h
16-18h
18-20h
20-22h
22-00h
Washier
TV
Boiler
Cooker
Kettle
Swimmingpool
I Pattern type: Windows of timewith a common powerconsumption profile.
I This may be done with bi-cliquemining algorithms.
I This may provide insights tohiddent or interesting patterns.
I But how can this be interestingfrom a privacy point of view?
Metrics 33/100
Mining more complex (interesting) patterns00-02h
02-04h
04-06h
06-08h
08-10h
10-12h
12-14h
14-16h
16-18h
18-20h
20-22h
22-00h
Washier
TV
Boiler
Cooker
Kettle
Swimmingpool
Day 1
Day 7
...
Week 1
Week 52
...
5-10m
>2hrs
...
1-5m
Metrics 34/100
N-ary relationships
Consumption profile (appliance load)
Timeof the day
Dayof the week
Weekof the year
Durationof consumption
I Pattern type: Consumption profiles that appear in the samewindows of time at the same days of the week, for the samelength of time.
I Pattern syntax: find Maximal Complete Connected Subsets ofpatterns (MCCS).
I Simple pattern mining: divide and conquer depth 1st search.Metrics 35/100
Interestingness
I Interestingess of a pattern may be assessed as a trade-offbetween the self-information and the description length.
I Self information: this may be calculated by calculating theentropy of mutually exclusive subsets of the pattern.
I Description length: this measures how conceisely the patternconveys this information.
Interestingess(γ) = Self Information(γ)Description Length(γ)
Ranking patterns based on interestingness:
{TV}{Kettle} ↔ {02-04h} ↔ {Sat.} ↔ {30–60m}{Swimming Pool} {1–2h}
Metrics 36/100
Data mining for privacyI A variety of models may be used to infer information from the
data.I A variety of metrics to evaluate privacy . . .I A data mining / anomaly detection inspired method:
I Analyse the variability of activity occurrence probabilitydistributions with different time features.
I Focus on significant variability as an indication of anomaly andprivacy alert.
Metrics 37/100
Subset data mining
Example:I Detected appliance profiles: TV, Microwave, CookerI Event space: all possible subsets of {TV, Microwave, Cooker,
Zero/Other}I 2N − 1 subsets (excluding the empty set).I Data mining: sequential batch window.I Types of behaviour: 1) duration of appliance usage, and 2)
frequency of switch-ON appliance event.
Metrics 38/100
Prediction and atypicality
I We characterise a behaviour profile with an empiricalprobability distribution (EPD) of sets of concurrent events:there are 2M possible events.
I An interval EPD, Pp, and an expected EPD, Qp, may beobtained by counting across a constraint or a sufficiently largenumber of sample paths.
I Atypicality: Kdiv(Pp||Qp) :=∑
b Pp(b) log 2Pp(b)Pp(b)+Qp(b) .
I The probability of any given sequence of p is given by
Qnp(p) = |X |−n(H(Pp)+D(Pp ||Qp)),
where X is the set of all possible events, D(Pp||Qp) signifiesrelative entropy, and H(Pp) is the Shannon’s entropy.
G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviour types in smart grid”, IEEEData Mining Workshops (ICDMW), pp 636–642, 2011
Metrics 39/100
Kdiv-inspired privacy metricI Is privacy protected when the atypicality is large?I Is privacy protected when atypicality is small?I Simple privacy alarms:
Crest factor(Kdiv) > th1 Max(Kdiv) > th2Anomaly detection Y NIncongruence N YData perturbation Y Y
G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviour types in smart grid”, IEEEData Mining Workshops (ICDMW), pp 636–642, 2011
Metrics 40/100
Subset atypicalitiesAtypicality of all distinct bags of duration of operation (On-On)appliance events:
Day
Patterns
Atypicality of On-On patterns (house 1)
1 42 83 124 165 206 247 288 329 370 411
Cook
MicroTv
Zero
Tv,ZeroMicro,Zero
Micro,Tv
Cook,ZeroCook,Tv
Cook,MicroCook,Micro,Tv
Cook,Micro,Zero
Cook,Tv,ZeroMicro,Tv,Zero
Cook,Micro,Tv,Zero
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
I Explore the variability of atypicality in all possible eventspaces.
I Particular subsets produce higer atypicalities (darker color).I Continious high atypicality: incongruent data →
non-behavioural problem (false alarm).I Exclusion of the zero event intensifies atypicality.
Metrics 41/100
Example of an alarmI Suppose an alarm is triggered when atypicality exceeds a
threshold value (e.g. set to 0.5).I Privacy alarms of different bags of events for both the
appliance duration and switch-on events.I More frequent privacy alarms when the TV or microwave, and
no other appliance is considered.
House No. 1 2 3 4 5 6 7 8Cook 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Micro 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0TV 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Zero 8 & 0 15 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0TV,Zero 9 & 25 0 & 1 8 & 18 68 & 27 0 & 0 4 & 29 10 & 7 50 & 76Micro,Zero 0 & 25 15 & 15 0 & 0 27 & 27 0 & 0 11 & 22 15 & 15 125 & 24Micro,TV 4 & 0 0 & 0 33 & 33 54 & 14 0 & 0 4 & 28 8 & 0 20 & 105Cook,Zero 4 & 0 14 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,TV 9 & 0 0 & 8 18 & 19 41 & 41 0 & 0 4 & 13 10 & 13 46 & 31Cook,Micro 7 & 0 11 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,Micro,TV 0 & 0 3 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,Micro,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Cook,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0Micro,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 42 & 42 0 & 0 0 & 0Cook,Micro,TV,Zero 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0 0 & 0
Metrics 42/100
Differential Privacy
I Introduced to privately release statistical queries on data setsI Differential privacy measures privacy by parameter ε that
bounds the log-likelihood ratio of the output for twodatabases that differ in only a single entry.
DefinitionA probabilistic algorithm F taking values in set T providesε-differential privacy if
Pr(F (D) ∈ S) ≤ eε · Pr(F (D′) ∈ S)
for all S ∈ T , and all data sets D and D′ that differ in a singleentry.
C. Dwork, Differential privacy, in Automata, Languages and Programming, vol. 4052 of LNCS, 2006.
Metrics 43/100
Approximate Differential Privacy
DefinitionA probabilistic algorithm F taking values in set T provides(ε, δ)-differential privacy if
Pr(F (D) ∈ S) ≤ eε · Pr(F (D′) ∈ S) + δ
for all S ∈ T , and all data sets D and D′ that differ in a singleentry.
I Weaker than ε-differential privacy (equivalent when δ = 0)
C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data, ourselves: Privacy via distributednoise generation. In Proc. 25th International Cryptology Conference (EUROCRYPT), vol. 4004 of LNCS,pages 486–503. Springer, 2006.
Metrics 44/100
Machine Learning & Knowledge extraction
I The fundamental privacy metrics may also apply after smartmetering data is processed to extract knowledge.
I For example, knowledge may simply be represented as acategorical table with multiple dimensions (columns).
I A particularly important knowledge, from a privacyperspective, concerns metering data at an appliance level.
I This leads us to the problem of appliance disaggregation, thealter ego of privacy protection.
I This is also known as Non-intrusive Appliance LoadMonitoring (NIALM) and may be further distinguished intolow frequency NIALM and high frequency NIALM.
Metrics 45/100
High frequency signaturesHart (1992), Laughman (2003), Patel (2007), Gupta (2010), Reinhardt (2012).
I Original idea based on a clustering of active & reactive poweredges.
I Recent techniques based on Harmonics pattern recognition(∼90% accuracy).
I High frequency NIALM assumes specialised metering device.
Metrics 46/100
Low frequency (smart metering) NIALMI Machine Learning models; Input: 1”–15’ power readings.I Open source NIALM:https://github.com/nilmtk/nilmtk
I Typically runs in the backend (Energy provider).I Baranski (2004): Clustering and use of Viterbi algorithm.I Bergman (2011): Finite State Machine; Knapsack detection.I Kolter (2011): Supervised: Factorial HMM (FHMM).I Parson (2011): Supervised: Iterative HMM (IHMM).I Kim (2011): Supervised: Conditional Factorial Semi-HMM
(CFSHMM).I Kolter (2012): Additive Factorial HMM with an AF Maximum
a Posteriori Estimation (AFAMAP) algorithm.I Kelly (2015): Unsupervised learning with Deep Neural
Networks.Metrics 47/100
NIALM ML performanceI Depends on how performance is assessed.I A typical FHMM model may achieve 70-80% accuracy of the
task of appliance ON-OFF detection, assuming an averagehousehold energy usage profile.
I An active area of research; almost exponential increase ofresearch publicationis in recent years.
Metrics 48/100
Poor-man’s real-time & low-cost NIALM
Application of the knapsack algorithm (as opposed to expensiveHMM training):
I maximise W (t) =∑N
i=1∑s
j=1 wi ,j(t)zi ,j , subject to∆Qt − Qn ≤W (t) ≤ ∆Qt + Qn, where ∆Qt is the observedsmart meter power reading, N is the number of appliances,s = 2 the number of appliance states, Qn is a tolerance value,and wi ,j(t) takes values from {0, 1} with the constrain that∑s
i=1 wi ,j(t) = 1, for all j , at any time t.I We set Qn = x − L, where L is a detected minimum power
(vampire power), and 0 ≤ x ≤ xmax.
For real-time (fast) detection, we construct a lookup table bysorting the solutions that correspond to a choice of wi ,j(t) and theassociated W (t).
Metrics 49/100
NIALM and knowledge / privacy ramificationsI Appliance disaggregation may be used to infer Activities of
Daily Living (ADLs).I ADLs may furnish more sensitive personal data such as
healthcare.
Metrics 50/100
Table of Contents
1. Introduction
2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction
3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic
4. Conclusions
Main Approaches
1. Real energy consumption is not modified, meter data ismodified before being reported to EP.
I Anonymization with/ without TTP, i.e., using pseudonymsinstead of real identities.
I Aggregation with/ without trusted third party (TTP), i.e.summing measurements over a group of users,
I Obfuscation, i.e., adding noise to data,
2. Energy consumption is modified:I Through storage devices, i.e., filtering energy consumption,I Through alternative energy sources (renewables, uninterrupted
power supplies),I Sampling approach, i.e., reducing sampling rate of
measurements.
PP Techniques 52/100
Anonymization with Trusted Third Party (TTP)
EPConcentrator (TTP)
…
Smart meters
p, p, p, …
I SM readings sent to a TTP over secure links.I TTP removes the identities of users from the tuples received
and sends only the SM readings to EP.I EP learns the SM readings, but not their origin.I However, TTP learns the SM readings too.
A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin, “Private memoirs of a smart meter,” in ACMWorkshop on Embedded Sensing Systems for Energy-Efficiency in Building, New York, 2010, pp. 61-66.
PP Techniques 53/100
Anonymization with STTP
EPConcentrator (STTP)
…
Smart meters
enc(pk,p), enc(pk,p), …
I SM readings are encrypted with the public key of EP.I Instead of real identities, users use pseudonyms.I STTP sends only the encrypted SM readings to EP.I EP decrypts and learns the SM readings, but not their origin.I STTP does not learn the SM readings nor the real identities
of users.R. Petrlic, “A privacy-preserving concept for smart grids,” in Sicherheit in vernetzten Systemen 18. DFNWorkshop, ser. Books on Demand GmbH, 2010, pp. 1-14.
PP Techniques 54/100
Anonymisation: Customer Data vs. Technical dataI EU SM standards recommendation to define two types of data
for smart metering:I Customer data: Attributable data, e.g. for billing and account
management purposes → Low-frequency data, e.g. every fewdays/weeks.
I Technical data: “Anonymous” data, e.g. for power networkmanagement and demand response → High-frequency data,e.g. every few minutes.
I There is no real reason why the high-frequency data can’t beanonymous and still serve the purposes of the utility and thepower distribution network.
I Smart meter uses both eponymous and anonymous IDs (andrelated crypto keys) for customer and technical data,respectively.
I The utility knows that the anonymous ID is located within acertain area, but not which specific house.
PP Techniques 55/100
Anonymisation evaluationI Anonymity level achieved depends on the size of the
“anonymity set”, i.e. how hard it is to associate a givenanonymous (ADP) with an eponymous customer (CDP)profile / security key.
I The use of random time intervals in the ADP setup protocolsis crucial.
C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in IEEESmartGridComm conference, Maryland, USA, Oct. 2010, pp. 238-243.
PP Techniques 56/100
Anonymization with off-line TTP
EPConcentrator
…
Smart meters
ADP, p, Sig(ADP, p), …
ADP = ANSM.CERT, EP.CERT, DNO.CERT
ANSM.CERT includes the HFID and the anonymous public key of the smart meter
TTP
I Each SM has two IDs, one for sending low frequency readings,LFID, and one for sending high frequency readings, HFID.
I Only TTP is aware of the connection between a validHFID/LFID pair.
I TTP is involved only in the SM registration (setup) stage.I EP knows only the connection between a valid LFID/real user
ID pair, but not the connection between HFID/LFID.C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in IEEESmartGridComm conference, Maryland, USA, Oct. 2010, pp. 238-243.
PP Techniques 57/100
Anonymization & Data Splitting
EP
Concentrator 1
…
Smart meters
Concentrator 2
p1=p11+p12
p2=p21+p22
p1=p11+p12
p2=p21+p22
I Each SM splits its data into shares and sends each share to adifferent concentrator.
I Each concentrator replaces the real ID of the user with apseudonym and forwards the data to EP.
I EP sums all the shares attached with the same pseudonym.I EP knows the SM readings, but not their origin.
C. Rottondi, G. Mauri, and G. Verticale, “A data pseudonymization protocol for smart grids,” in IEEE GreenComConference, Sept. 2012, pp. 68-73.
PP Techniques 58/100
Aggregation with Trusted Third Party (TTP)
EPConcentrator (TTP)
…
Smart meters
P
P = 𝑝
I SM readings sent to a TTP over secure links.I TTP reports to EP:
I sum consumption for a group of SMs (e.g., neighbourhood),I sum consumption of each user over billing period.
I EP learns exactly what it needs to learn, not more.I TTP does not need to know real identities of users, but has to
be trusted.J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” in IEEE Int’l Conf. on Comm.Workshops, Cape Town, South Africa, May 2010, pp. 1-5.
PP Techniques 59/100
Aggregation & Data Splitting
EP
Concentrator 1
…
Smart meters
Concentrator w
p1={p11, …,p1w}
p2={p21, …,p2w}
…
P = 𝑃𝑖
I Each SM splits its data into w shares using (w , t) secretsharing scheme; sends each share to a different concentrator.
I Each concentrator sums the received shares and sends theaggregated shares to EP.
I EP sums at least t of the received aggregated shares to obtainthe aggregated data of all SMs.
C. Rottondi, G. Verticale, and A. Capone. “Privacy-preserving smart metering with multiple data consumers.”Computer Networks 57, no. 7, 2013, 1699-1713.
PP Techniques 60/100
Aggregation without Trusted Third Party (TTP)
I How to add a user’s data to the aggregate without revealing itto other users?
I SMs have trusted elements (e.g., smart card or secure USBstick) that cannot be controlled by the grid operator (i.e., itcannot change keys remotely).
I These trusted elements provide secure storage and basiccryptographic functionality
I Common tool: homomorphic encryption, thanks to itsadditive homomorphic property.
I Proposed approaches differ mainly in:I Who performs the aggregation,I How keys are managed.
PP Techniques 61/100
Homomorphic Encryption with Aggregation done byCollector
EPConcentrator (TTP)
…
Smart meters
C
C = 𝑐
P = 𝑝 = 𝑑𝑒𝑐(ℎ𝑠𝑘, 𝐶)
I Each SM encrypts its data with the homomorphic public keyof EP and sends the ciphertext to the collector.
I The collector aggregates the received ciphertexts and sendsthe aggregated ciphertext to EP.
I The EP decrypts the aggregated ciphertext to obtain theaggregated data of all SMs.
R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient and privacy-preserving aggregation scheme forsecure smart grid communications,” IEEE TPDS, vol. 23, no. 9, 2012, pp. 1621-1631.
PP Techniques 62/100
Homomorphic Encryption with Aggregation done by EPI Each SM chooses random key k of bihomomorphic encryption
scheme.I Keys are aggregated within SM group by electing random SM
as key aggregator (KA) through a secure channel thatprovides anonymity for every SM.
I KA computes aggregated key K and sends it to EP.I Every SM sends its data, encrypted with its key to EP via a
secure channel.I EP aggregates all received encrypted values, then obtains the
aggregated energy consumption by decrypting the aggregatedencrypted value using K .
I SMs updates their keys at every data reporting round suchthat K remains the same.
F.G. Marmol, C. Sorge, O. Ugus, and G.M. Perez, “Do not snoop my habits: preserving privacy in the smart grid,”IEEE Communications Magazine, vol. 50, no. 5, 2012, pp. 166-172.
PP Techniques 63/100
Homomorphic Encryption & Data Splitting
I Neighbourhood groups of size N.I Each node prepares N shares of its measurements.I Encrypts one share with the public key of each user (N-1
users) and sends to the EP (except own share).I The EP, using the properties of homomorphic encryption,
sums all N − 1 ciphertexts intended for a user and sends theresulting ciphertext to her to decrypt.
I Each user adds its own share and sends the final result backto the EP unencrypted.
I EP sums all the received results.
F. D. Garcia and B. Jacobs, Privacy-friendly energy-metering via homomorphic encryption, in Proc. Int’l Conf. onSecurity and Trust Management, Berlin, Heidelberg, 2011, pp. 226-238.
PP Techniques 64/100
Homomorphic Encryption & Selective Aggregation
TSODCC
EP𝑖
𝐶
Nep ∗ 𝐶 Nep ∗ 𝐶
ΣP
||r
Nep ∗ 𝐶
DNO𝑗
…𝐶
𝐶
𝐶
I SM data encrypted with DNO’s homomorphic public key.I At collectors ciphertexts are aggregated based on EP.I At DCC ciphertexts are aggregated based on DNO and EP.I DNO recovers the data and random number from ciphertexts,
sends both items to EP, sums all data and sends to TSO.I EP performs ciphertext-based verification of the data.
M.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “DEP2SA: A Decentralised Efficient Privacy-Preserving andSelective Aggregation Scheme in Advanced Metering Infrastructure,” in IEEE Access journal, 2015, to appear.
PP Techniques 65/100
Zero-proof SM cryptosystemYet another fancy cryptosystem
Utility
Signed
& e
ncry
pted
read
ings
Certifi
ed P
olicy
Dynam
ic ra
tes p
er ½
hou
r
Certified Zero-knowledge Proof of correctness
Signed & encrypted readingsper ½ hour
Shared key
Decrypted readings donot leave the user device
Utility can verify correctness of computation
without access to secret readings!
I Computations executed by the customer without disclosingraw meter readings.
I Correctness can be guaranteed.I If the raw data is needed, secure aggregation can be used.
A. Rial, G. Danezis, “Privacy-preserving smart metering”, Proceedings of the 10th annual ACM workshop onPrivacy in the electronic society, pp 49–60, 2011.
PP Techniques 66/100
Obfuscation
I Users add zero-mean independent noise to their readingsbefore forwarding to EP.
I Average sum consumption remains same at each period.I Goal: low confidence for individual measurements (high
variance noise component), and high-confidence for totalconsumption (too many uses aggregated together: 99.9%confidence requires aggregating 3.8 million users.)
I Meters should be tamper-proof.
J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” in IEEE Int’l Conf. on Comm.Workshops, Cape Town, South Africa, May 2010, pp. 1-5.
PP Techniques 67/100
Main Approaches
1. Real energy consumption is not modified, meter data ismodified before being reported to EP.
I Anonymization with/ without TTP, i.e., using pseudonymsinstead of real identities.
I Aggregation with/ without trusted third party (TTP), i.e.summing measurements over a group of users,
I Obfuscation, i.e., adding noise to data,
2. Energy consumption is modified:I Through storage devices, i.e., filtering energy consumption,I Through alternative energy sources (renewables, uninterrupted
power supplies),I Sampling approach, i.e., reducing sampling rate of
measurements.
PP Techniques 68/100
Privacy - Utility Trade-off
Billing problemEP needs to bill users. Perfect attribution and exactness required.Low sampling frequency sufficient.
Grid management problemEnergy provide needs to manage the grid. High sampling frequencyrequired, attribution exactness not necessary (i.e., can work withaggregate meter readings).
Meter data can leak sensitive information that should be keptprivate. There is a trade-off between utility and privacy.
PP Techniques 69/100
Information Theoretic SM Privacy
I Energy consumption of user is modeled as a sequence of realnumbers, X n.
I SM readings, Y n, represents information available to EP.I Privacy is measured by average information leakage, defined
as average mutual information between X n and Y n:
1n I(X n; Y n) = 1
n [H(X n)− H(X n|Y n)]
= 1n
∑(xn,yn)∈X n×Yn
p(xn, yn) log p(xn, yn)p(xn)p(yn)
PP Techniques 70/100
Reporting Quantized Energy Consumption
I SM maps X n to a predefined set of meter readings:
Encoder :X n → SMR = {SMR1, . . . ,SMRM}
I No matter what real consumption is, EP will receiveY n ∈ SMR, one of M readings,
I The closer Y n to X n, the more useful it is for grid estimation/monitoring, and the more data is leaked.
I There is a fundamental trade-off between privacy and utilityof reported SM readings
Sankar et al., “Smart Meter Privacy: A Theoretical Framework,” IEEE Trans. Smart Grid, Jun. 2013.
PP Techniques 71/100
Privacy- Utility Trade-off
I Utility: The closer the estimates, the higher the utility:
∆ = E[
1n
n∑i=1
d(Xi ,Yi )]
d(·, ·): given distortion measure (distance between real energyconsumption and EP’s estimation)
I Average information leakage:
I = 1n I(X n; Y n)
I Question: What is the set of feasible (∆, I) pairs?
PP Techniques 72/100
Privacy- Utility Trade-offI For given utility ∆, minimum information leakage is obtained
by the rate-distortion function R(∆)I Rate-distortion function, R(D): Minimum number of bits per
symbol that should be transmitted to a receiver, so that thesource (input signal) can be approximately reconstructedwithin a given distortion, D (lossy data compression).
U"lity "Distortion
Privacy/ Informa"on leakage
PP Techniques 73/100
Privacy Through Energy Consumption Manipulation
I Physical approach to privacy, rather than cyber.I Previous techniques assume grid operator depends solely on
SM readings for load monitoring.I However, grid operator owns the grid, and has many other
sensors, measuremetn mechanisms that can provide some levelof information
I Moreover, obfuscation, data aggregation, etc. limit operatorscapabilities to monitor grid for failures, energy qualitychanges, renewable integration, etc.
I Alternative solution: Consumers manipulate their energyconsumption over time by exploiting storage devices oralternative energy sources (renewable sources, uninterruptiblepower supply, etc.).
PP Techniques 74/100
Alternative Energy Source
Appliances Energy
Management Unit (EMU)
Smart Grid
Alterna8ve Energy Source
X(t) Y(t)
X(t) – Y(t)
U8lity Provider
Smart
Meter
I Discrete time model:I Energy demand (input load): Xt
I Energy from grid (output load): Yt
I Remainder from alternative energy source(AES): Xt − Yt
I SM reads and reports YtD. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of an alternative energy source, IEEE Int’lConf. on Comms. (ICC), Budapest, Hungary, Jun. 2013.
PP Techniques 75/100
Simple alternative energy-based systemNaive (best-effort) privacy algorithm: Perturbs electrical eventswhile improving energy efficiency.
PP Techniques 76/100
Battery friendly privacy algorithmAlgo 1 (selective use of battery):
I If a rare event occurs (e.g. kettle at 1am): discharge batteryto hide it.
I If an expected event does not occur (e.g. lights at 9pm):recharge battery to simulate it.
Algo 2 (selective allocation per appliance):I Allocate battery energy quotas to differen appliances (e.g.
protect privacy of TV, but not Kettle).I Detect appliance (e.g. NIALM algorithm)I Apply best-effort (water filling) algorithm for each appliance
and its allocated sub-battery resources.
G. Kalogridis, R. Cepeda, T. Lewis, S. Denic, andC. Efthymiou,“ElecPrivacy: Evaluating the Privacy Protectionof Electricity Management Algorithm”, IEEE Trans. onSmart Grid, 2011.
PP Techniques 77/100
Utility friendly privacy algorithmEnergy Capping algo:
I Objective: consume a certain amount of energy (CAP) everyT = 30 minutes.
I If prediction > CAP, then battery power is used (best effort).I If prediction < CAP, then the battery is charged.I Benefits
I (Grid-scale effect) mitigate peaks & rebound peaksI (Uncertainty) reduce demand uncertainty,I complementary to demand response signal.
G. Kalogridis and S. Dave, “PeHEMS: Privacy enabled HEMSand load balancing prototype”, IEEE SmartGridComm12
PP Techniques 78/100
Energy Management PolicyI Energy management policy: ft : X t × Yt−1 → Y, s.t.
0 ≤ Xt − Yt ≤ P
I Privacy: Information leakage rate
In ,1n I(X n; Y n)
I Average power from AES:
Pn = E
[1n
n∑t=1
(Xt − Yt)]
I For given P, pair (I, P) is achievable if there exist energymanagement policies with limn→∞ In ≤ I and limn→∞ Pn ≤ P.
I Privacy-power function, I(P, P), is the minimum achievableinformation leakage rate for given peak power P, and averagepower P.
PP Techniques 79/100
Energy Management PolicyI Energy management policy: ft : X t × Yt−1 → Y, s.t.
0 ≤ Xt − Yt ≤ P
I Privacy: Information leakage rate
In ,1n I(X n; Y n)
I Average power from AES:
Pn = E
[1n
n∑t=1
(Xt − Yt)]
I For given P, pair (I, P) is achievable if there exist energymanagement policies with limn→∞ In ≤ I and limn→∞ Pn ≤ P.
I Privacy-power function, I(P, P), is the minimum achievableinformation leakage rate for given peak power P, and averagepower P.
PP Techniques 79/100
Privacy- Power FunctionI Assume independent identically distributed (i.i.d.) input
power sequence X n with distribution pX
Theorem (Privacy-Power Function)Privacy - power function for an i.i.d. input load X with distributionpX (x) is given by
I(P, P) = infpY |X (y |x):E[X−Y ]≤P
0≤X−Y≤P
I(X ; Y )
LemmaPrivacy - power function is a non-increasing convex function of P.
I Optimal energy management policy is memoryless andstochastic: randomly generate output load based oninstantaneous input load.
D. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of an alternative energy source, IEEE Int’lConf. on Comms. (ICC), Budapest, Hungary, Jun. 2013.
PP Techniques 80/100
Rate-Distortion Interpretation
Privacy-power function is a rate-distortion function with differencedistortion measure:
d(x , y) ={
x − y if 0 ≤ x − y ≤ P,∞ otherwise.
I No digital interface: Y n is direct output of “encoder”, ratherthan the reconstruction of the decoder based on thetransmitted index
I EMU does not operate over blocks: Yt decidedinstantaneously based on previous input/output loads
I If all future energy demands were known, same privacy couldbe achieved by deterministic block-based energy managementpolicy
PP Techniques 81/100
Numerical Analysis
I Continuous output alphabet: Infinitely many variables
TheoremWithout loss of optimality output load alphabet Y can beconstrained to input alphabet, i.e., Y = X .
I Discrete input/output alphabets: Convex optimizationproblem
I Blahut-Arimoto algorithm
PP Techniques 82/100
Uniform Input Load
0 0.2 0.4 0.6 0.8 10
0.5
1
1.5
2
2.5
3
3.5
4
4.5
E
I(E
)
Optimal
Limit max output load
Time division
I Uniform demand over {0, c, 2c . . . , 20c}, such that E [X ] = 1I Time division: Either from AES or gridI Limit max output load: Y (t) ≤ C
PP Techniques 83/100
Continuous Input Loads
I Continuous input and output alphabetsI No efficient numerical computation method (infinite
dimensional optimization problem)I Shannon Lower Bound (SLB):
I(P) ≥ (h(X )− ln (P))+ nats
I Not tight in generalI Exponential input load, X ∼ exp(λ): SLB is tight
I(P) =(
ln(λ
P
))+nats.
J. Gomez-Vilardebo and D. Gunduz, Smart meter privacy for multiple users in the presence of an alternative energysource, IEEE Trans. on Information Forensics & Security, vol. 10, no. 1, pp. 132-141, Jan. 2015.
PP Techniques 84/100
Differentially Private BillingI Even billing information can reveal private data in the
presence of additional side informationI Users add noise (only positive) to meter measurements to
create privacyI Noise = Money: Users minimize noise (trade-off between
additional cost and privacy)I Discrete noise: Geometric distribution (instead of Laplacian)
I Geometric distribution maximizes uncertainty for given mean
I Rebates: With additional encrytion tools (zero-knowledgeproof, anonymous payment) added cost can be reimbursed tocustomer
I Negative noise can be possible by introducing depositpayment in advance
G. Danezis, M. Kohlweiss, A. Rial, Differentially Private Billing with Rebates. IACR Cryptology ePrint Archive,2011, p. 134.
PP Techniques 85/100
Differentially Privacy + Modulo Encryption
I Group SMs into clusters.I X i
t : Consumption of user i at time slot tI Energy provider (EP) interested only in sum consumption of a
cluster within a time slot:∑N
i=1 X it
I Each user adds noise, and encrypts noisy measurement beforesending to EP.
G. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArt Metering), 13th Information HidingConference, 2011.
PP Techniques 86/100
Distributed Noise AdditionI User i calculates X i
t = X it + Γ1(N, λ)− Γ2(N, λ) in slot t and
sends it to the aggregator.I Γ1(N, λ) and Γ2(N, λ) independently drawn from gamma
distribution with shape parameter 1/N and scale parameter λ.
N∑i=1
X it =
N∑i=1
X it +
N∑i=1
[Γ1(N, λ)− Γ2(N, λ)]
=n∑
i=1X i
t + [Γ1(1, λ)− Γ2(1, λ)]
=n∑
i=1X i
t + [Exp(λ)− Exp(λ)]
=n∑
i=1X i
t + L(λ), L(λ) : Laplace distribution.
G. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArt Metering), 13th Information HidingConference, 2011.
PP Techniques 87/100
Modulo Encryption
I Each SM is configured with a private key, and gets thecorresponding certificate from a trusted third party.
I Generate pairwise keys between each pair of SMs.I Modulo addition based encryption: EP can only decode noisy
aggregate data (since it does not know pairwise keys).I Aggregate noise enough to provide differential privacy to each
consumer.
G. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArt Metering), 13th Information HidingConference, 2011.
PP Techniques 88/100
Table of Contents
1. Introduction
2. Smart Metering Privacy AnalyticsPrivacy MetricsKnowledge extraction
3. Privacy-Preserving Smart Metering TechniquesData modification: protocolsEnergy modification: Information-theoretic
4. Conclusions
In summary
I PEMS: Privacy-enabled Energy Management SystemI Data anonymisation (escrow protocol)I Secure aggregation, key management (network security)I Policy, Regulations, Access Control (Standards)
Conclusions 90/100
Smart Metering Standardisation I
Open Smart Grid Protocol (OSGP)European Telecommunications Standards Institute (ETSI) approved,OSGP Alliance (Mitsubishi, Schneider, Vattenfall, Ericsson, Oracle).Used with ISO/IEC 14908 control networking standard for smart gridapplications. Over 4 million OSGP based SMs deployed worldwide -mostwidely used standard.
IEEE 802.15.4gNeighborhood Area Networking (NAN) standard developed by IEEESmart Utility Networks (SUN) Task Group (Elster, Itron, Landis+Gyr,NICT, and Silver Spring Networks).
Telecommunications Industry Association (TIA)TR-51 engineering committee, Smart Utility Networks, is also developingair-interface, network and conformance standards to support smart grids.
Conclusions 91/100
Smart Metering Standardisation IIEU / ECEC set up Smart Grids Task Force (SGTF) in 2009. Keyrecommendations: User should have choice e.g. opt-in, opt-out. SGTFExpert Group 2 (EG2) and SGIS work-programme included Dataprotection impact assessment (DPIA) and Cyber-security assessment.
UKThe Department of Energy and Climate Change (DECC) has assessedthat the UK Data Protection Act (DPA) protection is not enough; PIA(privacy impact assessment): data storage, communication and accesscontrol should be protected by means of cryptography. Data may beaggregated. The consumer should choose in which way data shall beused and by whom, with the exception of regulated duties.
GermanyThe BSI, the federal agency for IT security, has developed a “smart meterprotection profile” specification (2010). Smart meter data are stored inhome Gateway. Stakeholders are authenticated and authorised by theGateway. The consumer may choose in which way consumption datashall be accessed and by whom, with the exception of regulated duties.Conclusions 92/100
Future Directions
I An exciting research fieldI Many open questions at the intersection of computer science,
power systems, control theory, signal processing andinformation theory.
I What is the relationship of different privacy definitions?I k-Anonymity.I Information leakage.I Anomaly detection & Atypicality.I Knowledge extraction (data mining & Machine learning).I Differential privacy.
I How else can privacy be defined and measured?I How much does the user care about privacy? What is the
future of privacy with IoT and big data?
Conclusions 93/100
Take away message
I Privacy is a fundamental value; in a future of complex (smartcity) systems, security and trust (policies) is not enough. . .
I To protect privacy we need to measure it.
I Diverse privacy preservation techniques may be based oninformation theory, multiple source energy engineering, andcryptographic network protocols. Which one to use?
Conclusions 94/100
THANK YOU!
Conclusions 95/100
References”Guidelines for Smart Grid Cyber Security,” National Institute of Standards andTechnology (NIST), Privacy and the Smart Grid, vol. 2, NIST IR 7628 Rev. 1,Sep. 2014.
”Potential Privacy Impacts that Arise from the Collection and Use of SmartGrid Data,” NIST, vol. 2, pp. 30–32.
K. Kursawe and C. Peters, “Structural Weaknesses in the Open Smart GridProtocol”, Cryptology ePrint Archive, Report 2015/088.
P. Jovanovic and S. Neves, “Dumb Crypto in Smart Grids: PracticalCryptanalysis of the Open Smart Grid Protocol”, Aug. 2015.
A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin, “Privatememoirs of a smart meter,” in ACM Workshop on Embedded Sensing Systemsfor Energy-Efficiency in Building, New York, 2010, pp. 61-66.
R. Petrlic, “A privacy-preserving concept for smart grids,” in Sicherheit invernetzten Systemen 18. DFN Workshop, ser. Books on Demand GmbH, 2010,pp. 1-14.
C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smartmetering data,” in IEEE SmartGridComm conference, Maryland, USA, Oct.2010, pp. 238-243.
Conclusions 96/100
ReferencesC. Rottondi, G. Mauri, and G. Verticale, “A data pseudonymization protocol forsmart grids,” in IEEE GreenCom Conference, Sept. 2012, pp. 68-73.
J.-M. Bohli, C. Sorge, and O. Ugus, “A privacy model for smart metering,” inIEEE Int’l Conf. on Comm. Workshops, Cape Town, South Africa, May 2010,pp. 1-5.
C. Rottondi, G. Verticale, and A. Capone. “Privacy-preserving smart meteringwith multiple data consumers.” Computer Networks 57, no. 7, 2013, 1699-1713.
R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient andprivacy-preserving aggregation scheme for secure smart grid communications,”IEEE TPDS, vol. 23, no. 9, 2012, pp. 1621-1631.
F.G. Marmol, C. Sorge, O. Ugus, and G.M. Perez, “Do not snoop my habits:preserving privacy in the smart grid,” IEEE Communications Magazine, vol. 50,no. 5, 2012, pp. 166-172.
F. D. Garcia and B. Jacobs, Privacy-friendly energy-metering via homomorphicencryption, in Proc. Int’l Conf. on Security and Trust Management, Berlin,Heidelberg, 2011, pp. 226-238.
M.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “DEP2SA: A DecentralisedEfficient Privacy-Preserving and Selective Aggregation Scheme in AdvancedMetering Infrastructure,” in IEEE Access journal, 2015, to appear.
Conclusions 97/100
ReferencesM.A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan “MUSP: Multi-service, UserSelf-controllable and Privacy-preserving System for Smart Metering,” In IEEEICC, June 2015, pp.788-794.
C. Dwork, Differential privacy, in Automata, Languages and Programming, vol.4052 of LNCS, 2006.
C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data,ourselves: Privacy via distributed noise generation. In Proc. 25th InternationalCryptology Conference (EUROCRYPT), vol. 4004 of LNCS, pages 486–503.Springer, 2006.
Sankar et al., “Smart Meter Privacy: A Theoretical Framework,” IEEE Trans.Smart Grid, Jun. 2013.
D. Gunduz and J. Gomez-Vilardebo, Smart meter privacy in the presence of analternative energy source, IEEE Int’l Conf. on Comms. (ICC), Budapest,Hungary, Jun. 2013.
J. Gomez-Vilardebo and D. Gunduz, Smart meter privacy for multiple users inthe presence of an alternative energy source, IEEE Trans. on InformationForensics & Security, vol. 10, no. 1, pp. 132-141, Jan. 2015.
G. Danezis, M. Kohlweiss, A. Rial, Differentially Private Billing with Rebates.IACR Cryptology ePrint Archive, 2011, p. 134.
Conclusions 98/100
ReferencesG. Acs and C. Castelluccia, I have a DREAM! (DiffeRentially privatE smArtMetering), 13th Information Hiding Conference, 2011.
A. Rial, G. Danezis, “Privacy-preserving smart metering”, Proceedings of the10th annual ACM workshop on Privacy in the electronic society, pp 49–60, 2011.
G. Kalogridis, C. Efthymiou, T. Lewis, S. Denic, and R. Cepeda, “Privacy forSmart Meters: Towards Undetectable Appliance Load Signatures”, IEEESmartGridComm’10.
G. Kalogridis and S. Denic, “Data mining and privacy of personal behaviourtypes in smart grid”, IEEE Data Mining Workshops (ICDMW), pp 636–642,2011
G. Kalogridis, R. Cepeda, T. Lewis, S. Denic, and C. Efthymiou,“ElecPrivacy:Evaluating the Privacy Protection of Electricity Management Algorithm”, IEEETrans. on Smart Grid, 2011.
G. Kalogridis and S. Dave, “PeHEMS: Privacy enabled HEMS and loadbalancing prototype”, IEEE SmartGridComm12.
G. W. Hart. “Nonintrusive appliance load monitoring”. Proceedings of the IEEE,80(12):1870–1891, 1992.
Conclusions 99/100
ReferencesC. Laughman, et al., “Power signature analysis”, IEEE Power and EnergyMagazine, 1(2):56–63, 2003.
M. Baranski and J. Voss, “Genetic algorithm for pattern detection in NIALMsystems”, IEEE Systems, Man and Cybernetics, 2004.
D. Bergman et al., “Distributed non-intrusive load monitoring”, IEEE PES ISGT2011.
J. Z. Kolter and M. J. Johnson. “REDD: A public data set for energydisaggregation research”. 1st KDD Workshop on Data Mining Applications.
J. Z. Kolter and T. Jaakkola. “Approximate Inference in Additive FactorialHMMs with Application to Energy Disaggregation.” Int. Conf. on ArtificialIntelligence and Statistics, 2012.
O. Parson, S. Ghosh, M. Weal, and A. Rogers. “Non-intrusive load monitoringusing prior models of general appliance types”. In Proceedings of the 26th AAAIConference on Artificial Intelligence.
H. Kim, M. Marwah, M. F. Arlitt, G. Lyon, and J. Han. “UnsupervisedDisaggregation of Low Frequency Power Measurements”. In 11th SIAMInternational Conference on Data Mining, 2011.
J. Kelly and W. Knottenbelt, “The UK-DALE dataset, domestic appliance-levelelectricity demand and whole-house demand from five UK homes”, ScientificData Nature Publishing Group, 2015.
Conclusions 100/100