Introduction
An electricity meter is a device that records the flow of electricity or consumption over time. Smart meters are designed to perform this same function; what sets them apart from previous meters is the precision and frequency with which they take their measurements. This shift from coarse to fine-grained metering is a significant boon to all the participants in the energy market and can lead to greater economies. However, it also has the potential to compromise end-users’ privacy by exposing them to side-channel attacks.
Side-Channels: A Crash Course
Briefly, a system is considered prone to a side-channel attack when it allows an observer to indirectly deduce a hidden state through secondary effects. For example, standing in a street, one may presume that a house is inhabited by observing how the lights behave, without having ever directly observed any of its occupants. Confidence in the hypothesis can be raised by choosing a good vantage point and lengthening the observation period.
The side-channel that a meter may present goes beyond simply deducing the number of occupants on a site. A meter continuously measures the aggregate consumption of a property, and given a sufficiently long period of observation, one can identify all the appliances present at a site by isolating their characteristic energy consumption patterns. For example, a kettle would appear as a fixed, high-powered load that lasts for a few minutes. Alternatively, the consumption pattern of a refrigerator may be identified by its relatively stable duty cycle, which should also be correlated to some degree with air temperature.
Risks
In the worst case, a successful side-channel attack can furnish a malicious actor with a complete characterisation of a target’s device usage patterns.
The consequences of such an invasion of privacy vary depending on the attacker and the target. Certain businesses could tap into a domestic meter in order to acquire yet another rich source of behavioural tracking that would inform their development of hyper-targeted adverts. Information ranging from a target’s TV viewing patterns (how many hours a day and at what time?) to their eating (do they skip breakfast or dinner?) and sleeping habits (do they suffer from insomnia or work shift-patterns?) can be used to tailor the design and delivery of adverts to a specific target.
In a commercial setting, the primary risk brought about by side-channel attacks is that of industrial espionage. By developing an accurate profile of a target, a competitor or malicious actor can determine commercially-sensitive factors such as manufacturing volumes, equipment utilisation rates and operating costs.
Mitigations
The complexity of disentangling a stream of aggregated consumption values into its constituent devices is largely dependent upon the meter’s resolution and the number and type of devices that are being profiled. The more accurate and frequent a meter’s readings, the stronger the models that an attacker can build.
All mitigations against side-channels focus on reducing or removing information content from a side-channel. In the context of metering, this can be done in a number of ways, including:
Lowering the resolution of a meter: by reducing a meter’s sampling rate, one effectively hides transient consumption patterns and decreases the likelihood that an individual device’s signature ever appears in isolation.
Adding random noise: by deliberately adding evenly-distributed noise to readings, one can reduce the precision of individual readings while leaving the all-time aggregate consumption intact. This solution is not particularly robust, as its effectiveness depends on the amplitude of the noise that is being added. In addition, it poses challenges in billing and hamstrings the utility of smart metering.
Maintaining a fixed load: by always consuming the same amount of energy, one would eliminate an attacker’s ability to characterise variations over time. With reference to the example presented earlier, this would be analogous to leaving all the lights turned on so as to prevent observers from correlating their state with a building’s occupancy (incidentally, this is why indicator lights on external components of burglar alarms are typically kept on irrespective of whether or not the alarm is armed). This mitigation is both wasteful and difficult to generalise.
Presenting a fixed load using energy storage: a more practical approach to maintaining a fixed consumption pattern is to use a battery to flatten out peaks and troughs, presenting, in the best case, a continuous flat line as a consumption pattern.
These mitigations are technically challenging to implement, and may incur expenses or hinder legitimate analysis. Ultimately, the simplest and most robust mitigation may very well be to enact strong access controls and limit access to metering data.
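The effect of lowering a meter's resolution can be measured on a synthetic trace. The following is an added example, not code from the original article: the load values, the 10-second native sampling period and the 1500 W step threshold are all assumptions chosen to match the kettle and refrigerator described earlier.

```python
# Constructed example: synthetic household load, not real metering data.
SAMPLE_S = 10            # native meter sampling period in seconds (assumed)
DURATION_S = 2 * 3600    # two hours of readings

def build_trace():
    """Aggregate power in watts, one value per SAMPLE_S seconds."""
    trace = []
    for t in range(0, DURATION_S, SAMPLE_S):
        watts = 200                    # always-on base load
        if t % 1800 < 600:             # refrigerator: 10 min on in every 30
            watts += 120
        if 2700 <= t < 2880:           # kettle: 2 kW for 3 minutes
            watts += 2000
        trace.append(watts)
    return trace

def downsample(trace, factor):
    """Mean power per block of `factor` samples, as a meter with a
    longer reporting interval would publish it (energy is preserved)."""
    return [sum(trace[i:i + factor]) / factor
            for i in range(0, len(trace), factor)]

def largest_rise(trace):
    """Biggest reading-to-reading increase: the edge a profiler keys on."""
    return max(b - a for a, b in zip(trace, trace[1:]))

def sweep(trace, intervals_s=(10, 60, 300, 1800), kettle_step_w=1500):
    """For each reporting interval, return (largest rise in W,
    whether a kettle-sized step is still visible)."""
    results = {}
    for interval in intervals_s:
        reported = downsample(trace, interval // SAMPLE_S)
        rise = largest_rise(reported)
        results[interval] = (rise, rise >= kettle_step_w)
    return results

if __name__ == "__main__":
    for interval, (rise, visible) in sweep(build_trace()).items():
        print(f"{interval:>5} s interval: largest rise {rise:7.1f} W, "
              f"kettle edge visible: {visible}")
```

Because each reported value is a block mean, the total energy is identical at every interval, so only the shape of the trace is degraded.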
By Kevin Falzon
Dr.-Ing. Kevin Falzon is a Senior Software Engineer at NGP. He read for a master’s at the University of Malta in 2012 and completed a doctorate at TU Darmstadt in 2016. He has worked in various industries, including enterprise integration, online gaming and on-demand video streaming.
He currently works on NGP’s energy management systems, namely ClearVUE.Lite and ClearVUE.PRO, developing programs that allow users to efficiently analyse large volumes of metering data and gain insight on their organisation’s consumption patterns.