Security and Privacy Concerns in Smart Metering: The Cyber-Physical Aspect

By Samet Tonyali

The ongoing Smart Grid (SG) initiative proposes several modifications to the existing power grid through several new applications. One of these applications is the Advanced Metering Infrastructure (AMI). AMI provides two-way communication between utility companies and the consumers' smart appliances, such as refrigerators, washers, thermostats, etc. through the deployment of smart meters and smart data collection techniques. Smart meters mainly measure the real-time electrical energy consumption of the consumers in addition to power quality and instantaneous electric measurements such as voltage and current at their connection points and periodically report them to the utilities. Thus, utilities can monitor and adjust power demands over short periods (demand response), provide more accurate billing and utilize dynamic pricing to facilitate the reduction of energy consumption in peak demand.

Smart meters are designed to improve efficiency and reduce costs. Therefore, government agencies require that utilities install smart meters for their customers. These efforts have resulted in more than a hundred million smart meters being installed around the world.

Besides noted benefits, smart meters add some vulnerability to the household security. Since they are main communication hub between utilities and smart home appliances, they attract malicious actors’ (eavesdroppers and intruders) attention. From an attacker point of view, a smart meter is seen as a single point of failure. That is, once it is compromised, the attacker can both manipulate the utility by injecting fake consumption data and also take control of the home appliances by sending control commands like turn on and off.

Smart meters communicate their measurements to the utilities over wireless links and these fine-grained power consumption data and since most of the smart meters do not encrypt the data before transmission, this data can easily be obtained. The obtained fine-grained consumption data can be analyzed and used to make some inferences about household activities, which could lead to a privacy breach.

Security. The ways of attacking smart devices can be divided into two: physical attack (i.e., intrusion via tampering with hardware components of the device) and exploiting vulnerabilities in the communication protocols.

Smart meters are considered tamper-proof thanks to various protection mechanisms, so physical security of smart meters is typically strong. In an event that the meter case is opened in an unauthorized way and a physical change is made, the meter logs a tamper event and forwards it to the AMI center. However, it is still possible to attack in a semi-physical fashion in which some specific hardware is used while performing the attack. The billing fraud that took place in Puerto Rico is an exemplary incident to this kind of attacks. The attack resulted in a widespread billing fraud, which cost $400 million to the Puerto Rican utility annually. A possible and reasonable precaution that can be taken by the utility company could be to authenticate the laptop/handheld device by a challenge-response mechanism along with a vendor specific data encryption.

Some of the smart meter vendors do not implement encrypted memory. Two supervisory control and data acquisition (SCADA) and industrial control system (ICS) security specialists took advantage of that and developed a toolkit that lets anyone access the memory of a smart meter and intercept the credentials used to administer it. Obviously, the best solution to overcome this problem is to install secure memory.

The security problems stem from outdated protocols, poor implementations, and weak design principles. Moreover, some of the smart meter vendors use the same hardcoded credentials in their meters. Therefore, utilities should force smart meter vendors not to embed the same credentials on the devices. Also, the consumers should be vigilant and change them as soon as they have the smart meter installed if the vendor implemented such an interface.

Wireless protocols that some meters use may also have some vulnerabilities that are exploited by attackers. Smart meter vendors tend to work with 3G and 4G networks which provide a wide bandwidth allowing additional consumer services, but most of today’s smart metering infrastructure is part of the global system for mobile communications (GSM) network, and uses the general packet radio service (GPRS) data service and a low-cost 2G solution, to communicate with the utility company. Many electricity utility companies still have not implemented any form of encryption, despite being warned of the risks several years ago. Moreover, since the smart meters deployed by the same utility use the same credentials, it could be easy for the attackers to compromise all of the devices operated by that utility company. Such attacks can be thwarted if utility companies use proper encryption, segment the network instead of using one giant LAN and monitor their smart meter networks via an intrusion detection system (IDS).

Smart meters use ZigBee or Z-Wave to communicate with smart home appliances. These standards have been poorly implemented in smart meters, so their communication is often insecure and unencrypted because the meter vendors skip including security checks to minimize the code as the meters have limited CPU power and memory resources. Utilities should compel the vendors to implement proper encryption algorithms defined for the standards in use.

There are some basic security considerations that should be taken into account when designing secure smart meters to limit the effect of common network attacks such as Denial-of-Service and Man-in-the-Middle attacks:

• The smart meter should be able to filter network packets
• The smart meter should have a static ARP cache
• Network traffic with high-speed rate targeting smart meters should be denied from reaching the kernel of the meters (Tarpitting)
• Smart meters should be equipped with encryption capabilities.
• Smart meters should be able to detect any intrusion attempt and report it to the utility company

Privacy. Eavesdroppers can monitor power usage and make inferences about what you are doing at home or whether you are at home or not, even when your home is vacant for long periods of time. They can predict with a high probability even what program is being shown on the TV by comparing fine-grained power consumption data with a fingerprint power consumption value for each individual frame.

It has been demonstrated that someone with network sniffing skills and equipment can perform a “man in the middle” attack to eavesdrop the data related to power consumption in a house. The collected data can be sold to advertisers without the consent of the consumers. Traditional encryption methods can protect consumer privacy against eavesdroppers, but utilities still can access actual meter readings. To prevent utilities or trusted third parties from accessing fine-grained consumption values, data obfuscation, homomorphic encryption, and secure multiparty computation schemes can be implemented in smart meters. These schemes enable to perform arithmetic operations on encrypted/concealed meter readings.

To summarize, utility companies need to take several security and privacy considerations into account to realize a secure and privacy-preserving smart grid, including: protecting the integrity of the device(s) installed at the consumer side, proofing and protecting the integrity of data sent between the consumer premises and the utility, authenticating the identities of the parties in communication, concealing the data in transit between the consumer devices and the utility, ensuring authorized access to the consumer data stored at the utility side. All of these considerations can be handled using digital certificates. Public Key Infrastructure creates, manages, distributes, uses, stores, and revokes digital certificates. This enables secure communication between parties and provides security through authenticity, integrity, confidentiality, and non-repudiation.

This article was edited by Pardis Khayyer.

Contributors