Privacy Enhancing Techniques for Smart Grids PETs PhD Course 4 th - - PowerPoint PPT Presentation
Privacy Enhancing Techniques for Smart Grids PETs PhD Course 4 th Session Valentin Tudor October 18th, 2012 Karlstad Chalmers University of Technology Dept. of Computer Science and Engineering Computer Science and Engineering Department
Valentin Tudor
Chalmers University of Technology
Computer Science and Engineering Department Chalmers University of Technology, Gothenburg, Sweden October 18th, 2012 Karlstad
2
Smart Grid general concepts Privacy in the Smart Grid Smart Grid privacy via anonymization of smart metering data Conclusions
3
Electricity as the driving force Effects of a blackout
2003 a “dark” year 50 mil people left into darkness Loses in billions $
4
The traditional electrical grid is changing By 2020:
EU mandated that by 2020 all the traditional electricity
Source: http://ec.europa.eu/clima/policies/brief/eu/index_en.htm
5
a small embedded system automates (consumption) index
instantaneous consumption in-door display time of use tariffs the base for the Advanced
6
7
Generation Transmission Distribution
Managed and monitored by the SCADA system.
No dedicated real time monitoring system (yet).
8
Power Island
9
Lots of new sensitive data, gathered with a higher frequency
10
By the utility company
Billing Fraud detection Operational purposes – grid stability and security Marketing
11
By 3rd parties (benign and malign)
Research related activities Malicious activities Fraud Invasion of privacy Attacks on critical infrastructures
12
Smart metering data can be used to infer information
Customer’s privacy should be protected against the Utility
13
14
Through data manipulation
Anonymization Altering data (adding values from a random distribution) 3rd party data aggregation and disclosure
Through load-shedding
Changing consumption pattern using energy storage and/or production
facilities at the premises (batteries, renewable energy sources, etc.)
15
Anonymous credentials – based on blind signatures 3rd party escrow mechanism – anonymize high-frequency metering data Load-signature moderation – load-shedding Smart energy gateway – establishing levels of privacy Privacy preserving authentication – using private-public key pairs to create
pseudo-identities
From: F. Siddiqui, S. Zeadally, C. Alcaraz, and S. Galvao, “Smart Grid Privacy: Issues and Solutions,” in Computer Communications and Networks (ICCCN), 2012 21st International Conference on, 2012, pp. 1–5.
16
Examples:
De-pseudo-anonymization – linking by behavior Data-mining (see more about this later) Compromising the Trusted 3rd Party or the Utility Company
More: M. Jawurek, M. Johns, and K. Rieck, “Smart metering de-pseudonymization,” in Proceedings of the 27th Annual Computer Security Applications Conference, 2011, pp. 227–236.
17
[Costas Efthymiou and Georgios Kalogridis, 2010]
Goal: preserving customers’ privacy while having access to
For one specific customer, the data needed for billing should
18
‘High-frequency’ metering data - meter readings that a smart meter
transmits to the utility often enough (e.g. every few minutes) and may divulge information related with the private life of the user (e.g. usage patterns of specific electrical appliances) – non-attributable data
19
‘High-frequency’ metering data - meter readings that a smart meter
transmits to the utility often enough (e.g. every few minutes) and may divulge information related with the private life of the user (e.g. usage patterns of specific electrical appliances) – non-attributable data
‘Low-frequency’ metering data - is transmitted to the utility scarcely
enough (e.g. every week or month) and is used for account management or billing purposes – attributable data
20
To handle the two types of data, each Smart Meter must have
21
To handle the two types of data, each Smart Meter must have
HFID – High-Frequency ID – used when sending high-
22
To handle the two types of data, each Smart Meter must have
HFID – High-Frequency ID – used when sending high-
LFID – Low-Frequency ID – used when sending low
23
Who knows the Smart Meter’s identities?
Smart Meter 3rd party/Manufacturer Utility Company HFID Yes Yes No LFID Yes Yes Yes
24
Who knows the Smart Meter’s identities? Who is allowed to store and/or use the metering data?
Smart Meter 3rd party/Manufacturer Utility Company HF-Data Yes No Yes LF-Data Yes No Yes Smart Meter 3rd party/Manufacturer Utility Company HFID Yes Yes No LFID Yes Yes Yes
25
)
Source: C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on, 2010, pp. 238–243.
3rd party escrow entity
26
PISM - Personal Identifiable SM profile
PISM Certificate (LFID, PISM Public Key,
PISM CA information)
PISM Private Key
Source: C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on, 2010, pp. 238–243.
27
PISM - Personal Identifiable SM profile
PISM Certificate (LFID, PISM Public Key,
PISM CA information)
PISM Private Key
ANSM - Anonymous SM profile
ANSM Certificate (HFID, ANSM Public Key,
ANSM CA information)
ANSM Private Key
Source: C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on, 2010, pp. 238–243.
28
PISM - Personal Identifiable SM profile
PISM Certificate (LFID, PISM Public Key,
PISM CA information)
PISM Private Key
ANSM - Anonymous SM profile
ANSM Certificate (HFID, ANSM Public Key,
ANSM CA information)
ANSM Private Key
PISM and ANSM profiles are hardcoded into the Smart Meter and used to create the Client Data Profile (CDP) and the Anonymous Data Profile (ADP)
Source: C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on, 2010, pp. 238–243.
29
Are attached to each message which contains metering data
Each message containing Low-Frequency metering data has CDP
(Client Data Profile) attached to it
Each message containing High-Frequency metering data has ADP
(Anonymous Data Profile)attached to it
30
Is initiated by the Smart Meter or the Utility Company
. CERT + U. CERT
. CERT + U. CERT
CDP = CLI + PI SM . CERT + AGG. CERT + U. CERT + PDN. CERT
: CDP + U. c ode
CDP + SPI SM
. PRI V( CDP)
SM
. PRI V( CDP + Da t a . LF)
31
Is initiated by the Smart Meter or the Utility Company HFID – High-Frequency ID – used when sending high-
LFID – Low-Frequency ID – used when sending low
32
Is initiated by the Utility Company and the Smart Meter after
: ADP s e t up r e que s t ADP = ANSM . CERT + AGG. CERT + U. CERT + PDN. CERT SM wa i t s a r a ndom t i m e
. PRI V( EK( CDP + ADP) )
: OK SM
. PRI V( ADP + Da t a . HF)
33
Is initiated by the Smart Meter or the Utility Company HFID – High-Frequency ID – used when sending high-
LFID – Low-Frequency ID – used when sending low
34
CDP setup security analysis: to verify if a genuine Smart Meter has been installed to a genuine
location
The client is verified by the utility engineer The Smart Meter authenticity can be verified by checking U. c ode The utility engineer must be trusted at all times
(see http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/)
35
ADP setup security analysis: Depends on the security of the CDP process Depends on the trustworthiness of the 3rd party escrow entity Depends on the level of anonymity achieved through the setup and use
The anonymity set depends on the number of ADP finalization
responses received by the utility between the CDP finalization response(ADP setup request) and the ADP finalization response of the same meter
36
ADP setup security analysis: Depends on the security of the CDP process Depends on the trustworthiness of the 3rd party escrow entity Depends on the level of anonymity achieved through the setup and use
The anonymity set depends on the number of ADP finalization
responses received by the utility between the CDP finalization response(ADP setup request) and the ADP finalization response of the same meter
… CDP1ADPr , CDP33ADPr , CDP2ADPr , CDP7ADPr , CDP5ADPr , CDP49ADPr , [ ADP77, ADP1, ADP13, ADP2, ADP33] … … CDP1ADPr , CDP33ADPr , CDP2ADPr , CDP7ADPr , CDP5ADPr , CDP49ADPr , [ ADP77, ADP1, ADP13, ADP2, ADP33] …
COLOR LEGEND: SENT, RECEI VED, NOT_RECEI VED
37
ADP setup security analysis: Depends on the security of the CDP process Depends on the trustworthiness of the 3rd party escrow entity Depends on the level of anonymity achieved through the setup and use
The anonymity set depends on the number of ADP finalization
responses received by the utility between the CDP finalization response(ADP setup request) and the ADP finalization response of the same meter
… CDP1ADPr , CDP77ADPr , CDP33ADPr , CDP2ADPr , CDP7ADPr , CDP5ADPr , CDP49ADPr , ADP77, ADP1, [ ADP33] …
COLOR LEGEND: SENT, J UST_SENT, RECEI VED, NOT_SENT
38
ADP setup security analysis: Depends on the security of the CDP process Depends on the trustworthiness of the 3rd party escrow entity Depends on the level of anonymity achieved through the setup and use
The anonymity set depends on the number of ADP finalization
responses received by the utility between the CDP finalization response(ADP setup request) and the ADP finalization response of the same meter
The random time interval between receiving the ADP setup request and
the ADP finalization responses must be chosen in such a way that a large anonymity set can be created
39
Splitting data depending on the usage purpose and privacy
Setting up public and anonymous pseudonyms must be done
40
Privacy in the Smart Grid is important – data can expose
Laws and regulations not very well defined or applicable only
Not a very clear understanding of the privacy issues in the