Smart grids have intelligent monitoring devices which frequently transmit the customer's power usage information to the utility, including which appliances were in use, their frequency of usage, time of usage, consumption amount, carbon footprint, heat production etc. This is sensitive information pertaining to the privacy of the customer that can make them vulnerable to burglars, annoying marketers, insurance companies, civil litigation etc.; hence it needs to be kept out of the wrong hands. A smart grid uses numerous channels such as RF networks, cellular networks and power line communication for data collection and transmission, and many of these communication networks lack the robust security apparatus of a traditional network. Smart grids are therefore vulnerable to attacks such as 'man in the middle', 'replay' and 'spoofing', and hackers can share the usage information with external agencies such as insurance companies, electrical appliance makers and pharmaceutical companies without the knowledge or approval of the customer. The usage data stored on the utility server also risks being stolen and misused. To preserve privacy, some researchers have proposed sending anonymous data packets (which contain the usage information but no user information). This approach allows the utility to forecast load in a region, but it neither enables the utility to analyze individual usage data to advise consumers regarding their energy usage habits nor gives the utility a way to resolve a bill dispute by mapping usage data to the billed amount. In this paper, an asymmetric-key cryptographic solution combined with anonymity is proposed to address the issue. As part of this solution both the smart meter and the intermediate receiver have their own public and private keys, and the communication between them uses a public-key algorithm (such as RSA). 
At the intermediate receiver the usage data is stripped of the meter's identifier and forwarded to the central server with an encrypted identifier appended in its place, thereby preserving the privacy of the customers while still allowing individual usage data to be analyzed with the approval of the customer. The solution also provides the necessary protection from hackers.
A smart grid uses numerous channels such as RF networks, cellular networks and power line communication for meter data collection. Some of these communication networks lack a robust security apparatus, making the grid vulnerable to hackers who can not only steal energy usage information but also send improper control signals to paralyze the grid. In January 2008, a CIA analyst reported that hackers had attacked some utilities, forcing power outages that affected multiple cities. Though it is not clear who initiated these attacks or with what intention, the report confirms the possibility of cyber attacks on the grid. Apart from that, the customer-specific energy usage data that flows in the grid and is stored in utility servers risks being stolen and shared with other groups such as insurance companies, electrical appliance makers and pharmaceutical companies without the knowledge or approval of the customer.
A number of customer surveys on smart grid security reveal that customers are skeptical of intelligent monitoring devices that transmit power usage information to the utility as frequently as every fifteen minutes. These data can seriously compromise the privacy of the customer and can make them vulnerable to burglars, annoying marketers, insurance companies and civil litigation. A comprehensive report on smart grid privacy released by the National Institute of Standards and Technology (NIST) compiles a list of scenarios that consumers fear if their energy data got into the wrong hands.
To preserve the privacy of customers, some researchers have suggested sending anonymous power usage information to the utilities. This approach allows the utility to forecast load in a region, but it neither enables the utility to analyze individual usage data to advise users regarding their energy usage habits nor gives the utility a way to resolve a bill dispute by mapping usage data to the billed amount. With anonymous usage data collection in place, if a customer hacks the meter, sends improper energy usage data and challenges the bill in a court of law, the utility company has no way to justify the amount it has charged, because the usage information is anonymous.
This paper proposes a solution that protects the grid from hackers, preserves the anonymity of the customers' usage information and at the same time allows the utility to analyze the usage data with the approval of the customer, as and when required.
SG Overview in Context of Security
The following diagram explains, in a very simple way, the communication pattern in a smart grid.
Smart meters are installed in the individual homes of utility customers. Data from a group of meters in one small region is collected by an intermediate receiver, over a radio-frequency link, a cellular network, drive-by meter reading from a mobile van, or power line communication. The data from a set of intermediate receivers is delivered to a central server, which is responsible for storing and further processing it.
The data flowing in the grid can be broadly categorized into three types.
Usage information: Each electrical appliance (the television, refrigerator, kettle, toaster, washing machine) has its own energy fingerprint, also known as its appliance load signature, which a smart meter can read. This can reveal which appliance was in use, its frequency of usage, time of usage, consumption and efficiency, carbon footprint, heat production etc. This is sensitive information pertaining to the privacy of the customer and can be misused. At the same time, usage data must be captured to analyze the pattern of usage and find ways to optimize consumption.
Consumption information (for billing purpose): Amount of energy used and time of consumption.
Control Signals: Acknowledgments, fault messages, rate-updates etc.
In a nutshell, there are three types of security problem.
Utility customers can manipulate the smart meter installation to send improper usage data.
External hackers can intercept or tamper with the communication channels (both meter to receiver and receiver to server) and cause various security issues.
Utility companies can share energy usage information with external agencies, or data stored in utility servers can be stolen and shared with external agencies, without the knowledge or approval of the customer.
The proposed solution addresses the above threats by securing the grid from hackers using public key cryptography and by maintaining the anonymity of customer data. At the same time, the solution enables the utility to analyze a customer's usage data with the approval of the customer or the regulator.
Asymmetric Key (aka Public Key) Cryptography
Before getting into the proposed solution, let us briefly look at asymmetric cryptography. Here each user has a pair of keys: a public encryption key and a private decryption key. The public key is widely distributed, while the private key is known only to its owner. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but deriving the private key from the public key is computationally infeasible for properly chosen key sizes.
For our discussion, let us assume that:
E: stands for the public-key operation (encryption of a message, or verification of a signature)
D: stands for the private-key operation (decryption of a message, or creation of a signature)
E(message) => message transformed with the public key
D(message) => message transformed with the private key
D(E(message)) = message [only the holder of the private key can undo E; this gives confidentiality]
E(D(message)) = message [true for RSA and some other asymmetric algorithms; it is what lets D serve as a signature, because anyone holding the public key can check that E undoes it. These identities describe the raw primitive; a deployment applies RSA only through a padded mode such as RSA-OAEP for encryption and RSA-PSS for signatures.]
Protection From Hackers
Each smart meter, each intermediate receiver and the central server will have a security unit installed, and each will hold its own public and private key. For the meters and the intermediate receivers this unit can be a microchip with built-in security algorithms; for the central server, software will do the same job. The public keys of the meter, the receiver and the server are distributed among all three parties (in particular, the public key of each meter is stored in its receiver and in the server), while each private key is known only to its owner. The private keys of the meters and receivers will be embedded in the hardware or microcontroller and will not be readable by any person or device. Each unit will also hold the public key of the utility regulator, so that it can verify and execute digitally signed instructions sent to it by the regulator. One simple example where the regulator comes into the picture is resolving billing conflicts between the utility and the customer.
Let P denote the message to be sent by the Meter to the Receiver. The Meter first encrypts P with the public key of the Receiver to produce ER(P), then applies its own private key to the result to produce DM(ER(P)), and transmits that. The Receiver applies the public key of the Meter to what it received, which undoes the Meter's private-key step [EM(DM(ER(P))) => ER(P)], and then decrypts with its own private key [DR(ER(P)) => P]. Because only the Meter holds the private key used in DM, a value that EM turns back into a well-formed ER(P) must have come from the Meter; because only the Receiver holds DR, an eavesdropper who captures DM(ER(P)) cannot recover P. Two practical notes: the Meter's modulus must be larger than the Receiver's so that ER(P) is a valid input to DM (the usual reblocking constraint when RSA signs after encrypting), and raw RSA gives no integrity on its own, so the Receiver must check that the recovered P is well formed (expected length, expected meter identifier) rather than accept any number that decrypts.
The Receiver to Server communication happens in a similar fashion as described in the following figure.
Privacy Through Anonymity
The data being sent from the meter has two components:
(i) the consumption details (amount and time of consumption, used for billing), and
(ii) the usage information, containing details such as which appliances were in use, frequency of usage, efficiency of the devices, brand of the equipment etc., which is sensitive information.
The meter sends both the consumption and the usage data to the receiver. The intermediate receiver splits the message into its two parts, (i) consumption and (ii) usage data. It forwards the (i) consumption part to the server together with the meter identifier, so that the utility can prepare the bill. When forwarding the (ii) usage data, however, the receiver does not send the meter identifier in clear; instead it sends the meter identifier encrypted with the public key of the meter (which can only be decrypted with the private key of that meter). The server therefore has the usage details of the region (because of the intermediate receiver-id) but no means to link them to any particular customer. One caveat a deployment must observe: since the server also holds every meter's public key, the encryption of the identifier must be randomized (a fresh nonce inside the plaintext, or a padding scheme such as RSA-OAEP); a deterministic encryption of a small identifier could be reversed simply by encrypting each candidate identifier and comparing the results.
That means the server will know that x air conditioners were in use at y PM in a particular region (the one served by that intermediate receiver), but it will have no way to figure out in which houses those ACs were in use. This preserves the privacy of customer data.
Enabling Analysis of Usage Data
In the above approach, it is possible for the utilities to analyze customer specific usage data (for various purposes like advising the customer to save energy, defending a bill dispute etc.) with approval from the customer or the regulator.
The above diagram gives a simplified picture of the extraction of usage data for a specific customer from the server. This is where the encrypted meter-id comes into the picture. The regulator, with the approval of the customer, sends a digitally signed instruction to the meter to release its private key to the server; the server uses that key to decrypt the encrypted meter-ids and so identify exactly the usage records belonging to that meter for analysis. The private key of the meter is held only in the server's volatile memory for the duration of the decryption and is never written to permanent storage. Note that this step hands out the very key the previous section said would never leave the meter; once it has been released, that key can no longer be treated as private, so a deployment should either rotate the meter's key pair afterwards or have the meter perform the decryption itself and return only the result.
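The three steps above (the Meter-to-Receiver exchange in 'Protection From Hackers', the split and encrypted identifier in 'Privacy Through Anonymity', and the regulator-approved lookup just described) carried through in one runnable script, as an added example that is not part of the paper. It uses textbook RSA arithmetic on small demo keys so that the paper's E and D operations stay visible; the 80-bit reading layout, the key sizes, the 'release' instruction encoding and the nonce placed inside E_M(...) are assumptions of this example, not the paper's design, and raw RSA without padding is not production cryptography.

```python
# Added example, not the paper's code: the paper's E()/D() algebra carried through the
# meter -> receiver exchange, the split at the receiver and the regulator-approved lookup,
# using textbook RSA on small demo keys.  Wire format, key sizes and the nonce inside E_M()
# are assumptions of this example; raw RSA without padding is NOT production crypto.
import random

def is_probable_prime(n, rounds=24):
    """Miller-Rabin, sufficient for demo keys (callers pass odd n of 120+ bits)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1     # exact width, odd
        if is_probable_prime(c):
            return c

def generate_keypair(prime_bits, e=65537):
    """Returns (public, private) as (n, e) and (n, d); n is about 2*prime_bits wide."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa(key, m):
    """Raw RSA m^exp mod n: the paper's E when key is public, D when key is private."""
    return pow(m, key[1], key[0])
E = D = rsa

# Constructed 80-bit reading P: meter_id(16) | epoch(32) | watt-hours(16) | appliance bits(16)
def pack_reading(meter_id, epoch, wh, appliances):
    return (meter_id << 64) | (epoch << 32) | (wh << 16) | appliances
def unpack_reading(p):
    return p >> 64, (p >> 32) & 0xFFFFFFFF, (p >> 16) & 0xFFFF, p & 0xFFFF

def meter_send(meter_priv, receiver_pub, reading):
    """Meter: D_M(E_R(P)).  Needs n_M > n_R so that E_R(P) is a valid input to D_M."""
    assert meter_priv[0] > receiver_pub[0], "meter modulus must exceed receiver modulus"
    return D(meter_priv, E(receiver_pub, reading))

def receiver_recv(receiver_priv, meter_pub, expected_meter_id, blob):
    """Receiver: D_R(E_M(blob)) -> P, plus an origin check: raw RSA has no integrity, so a
    genuine P must use only 80 of ~240 bits and name the meter whose public key was applied."""
    p = D(receiver_priv, E(meter_pub, blob))
    if p >> 80 or unpack_reading(p)[0] != expected_meter_id:
        raise ValueError("origin check failed")
    return p

def split_at_receiver(receiver_id, meter_pub, reading, nonce):
    """Billing keeps the meter id; usage carries only E_M(nonce || id).  The nonce is this
    example's addition: the server holds every meter public key, so a deterministic E_M(id)
    could be reversed by re-encrypting each candidate id (see trial_encryption)."""
    meter_id, epoch, wh, appliances = unpack_reading(reading)
    billing = {"meter_id": meter_id, "epoch": epoch, "wh": wh}
    usage = {"receiver_id": receiver_id, "epoch": epoch, "appliances": appliances,
             "enc_meter_id": E(meter_pub, (nonce << 16) | meter_id)}
    return billing, usage

def trial_encryption(meter_pubs, enc_meter_id):
    return next((mid for mid, pub in meter_pubs.items() if E(pub, mid) == enc_meter_id), None)

def authorize_release(regulator_priv, regulator_pub, meter_priv, meter_id):
    """Regulator signs a release instruction; the meter verifies it against the regulator's
    public key it holds and, as the paper specifies, hands over its private key."""
    instruction = (0x52 << 16) | meter_id                    # 'R' || meter_id, constructed
    signature = D(regulator_priv, instruction)
    if E(regulator_pub, signature) != instruction:           # meter-side verification
        raise ValueError("bad regulator signature")
    return meter_priv

def server_lookup(usage_records, released_meter_priv, meter_id):
    """Server decrypts each record's identifier and keeps the ones belonging to meter_id."""
    return [u for u in usage_records
            if D(released_meter_priv, u["enc_meter_id"]) & 0xFFFF == meter_id]

def demo(seed=7):
    random.seed(seed)                  # deterministic demo keys only; never seed real key generation
    (reg_pub, reg), (met_pub, met), (rec_pub, rec) = [generate_keypair(b) for b in (128, 128, 120)]
    meter_id, pubs = 0x1234, {0x1234: met_pub}
    reading = pack_reading(meter_id, 1_700_000_000, 1500, 0b1010)
    p = receiver_recv(rec, met_pub, meter_id, meter_send(met, rec_pub, reading))
    billing, usage = split_at_receiver(77, met_pub, p, nonce=random.getrandbits(64))
    hits = server_lookup([usage], authorize_release(reg, reg_pub, met, meter_id), meter_id)
    return {"round_trip": p == reading, "billing_has_id": billing["meter_id"] == meter_id,
            "usage_has_id": "meter_id" in usage, "lookup_hits": len(hits),
            "deterministic_reversed": trial_encryption(pubs, E(met_pub, meter_id)) == meter_id,
            "nonce_hidden": trial_encryption(pubs, usage["enc_meter_id"]) is None}
```

demo() returns a dictionary of checks: the reading round-trips, the billing record carries the meter id while the usage record does not, the regulator-authorized lookup finds exactly one record, and trial_encryption reverses a deterministic E_M(meter-id) but not the nonce-protected one. Two departures from the paper are deliberate: the receiver rejects any recovered P that is not well formed or does not name the meter whose public key verified it, because raw RSA turns any blob into some number; and the identifier is encrypted together with a fresh nonce, because the server holds every meter's public key. authorize_release follows the paper in handing the meter's private key to the server; once released, that key should be rotated.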
Security is not just a product or a protocol; it is a process. It is more than installing a set of hardware and software in the smart grid: the grid must be designed so that all security measures involving people, processes and algorithms work together. It is also important to treat security as an evolving challenge rather than a one-shot solution. New technologies are likely to open up new vulnerabilities, but that must not stop us from embracing innovation. The advantages of the smart grid largely outweigh the security issues it raises, and many similar security issues have already been addressed in other domains of internet applications. That experience will help enormously in building a secure and smarter grid.