2014 International Conference on Information Technology and Multimedia (ICIMU), November 18 – 20, 2014, Putrajaya, Malaysia

Financial Impacts of Smart Meter Security and

Privacy Breach
Salman Yussof, Mohd. Ezanee Rusli, Yunus Yusoff, Roslan Ismail, Azimah Abdul Ghapar
Center of Information and Network Security
College of Information Technology
Universiti Tenaga Nasional
Malaysia
Email: {salman, ezanee, yunusy, roslan, azimah}@uniten.edu.my

Abstract—Many power utility companies around the world to the utility company [2]. The smart meter can also interface
are moving towards smart grid, which integrates power delivery with ‘smart’ home appliances and control them to operate in a
infrastructure with information and communication technologies. power-efficient manner. Fig.1 portrays an example of smart
Smart meter is one of the main components of smart grid. The grid topography which shows the various components of a
task of a smart meter is to track energy consumption of a premise smart grid and how they are connected together.
and send that information to the utility company. Although the
use of smart meter has many benefits, there are a number of
security concerns regarding its usage. One particular concern is
regarding the impacts of security and privacy breach of smart
meter. This paper focuses on the financial impacts of smart meter
security and privacy breach. The financial impacts discussed in
this paper are derived from the impacts of security and privacy
breach described in the literature. It is found out that the
financial loss may involve various parties including the premise
owner, the utility company, as well as the nation. The amount of
loss can also go up to billions of dollars. Given the large group of
people who may be involved and the large amount of money to be
potentially lost should a security or privacy breach occur, it is
very important for power companies to establish a security policy
regarding smart meter and to allocate reasonable amount of
resources to secure the deployed smart meter as well as the rest Fig. 1. Example of smart grid topography [6]
of the smart grid infrastructure.

Keywords—Smart meter; security; privacy; financial impacts;

security economics.
I. INTRODUCTION
In recent years, a number of power utility companies have
migrated to a new power delivery infrastructure known as the
smart grid. Smart grid refers to the integration of power
delivery infrastructure with information and communication
technologies (ICT) [1]. This integration allows for a more
accurate monitoring and management of energy usage, which
in turn allows for a more efficient energy provision that can
save money [2]. A smart grid consists of four major
components which are advanced metering infrastructure
(AMI), supervisory control and data acquisition (SCADA),
plug-in hybrid vehicle (PHEV) and communication protocols
and standards [3]. Of interest to this paper is AMI, which is an
integration of multiple technologies that provides intelligent
connections between consumers and system operators. One of
the main components to provide AMI is the smart meter. A
smart meter is a computerized replacement of the electrical
meter located at a premise. The task of the smart meter is to
track the energy usage of a premise and send that information
This work is supported by the Malaysian Ministry of Education through
the Exploratory Research Grant Scheme (ERGS).
Although the use of smart meter has many benefits, there
are also downsides to its usage. The biggest concerns
nowadays are the security and privacy issues that may arise
from the use of smart meters. Smart meter is a computerized
device. As with other computerized devices, a smart meter is
prone to various types of security attacks. Security attacks are
well-known to security researchers and practitioners.
Unfortunately, a large portion of the society does not
understand much about security attacks and their implications.
However, most people do understand financial implications.
This has given rise to a research area called security
economics, which attempts to study the economic impacts of
security problems [4]. Researchers in this area argue that
security problems can be more appreciated if it can be
explained in terms of microeconomics [5]. Therefore, it is the
aim of this paper to highlight and discuss the financial
implications should there be a security or privacy breach in
smart meters. Hopefully, this will increase the awareness of the
public with regard to smart meter security and provide a guide
to the people in the management on how much money and
effort should be spent in order to ensure that such breach does
not occur.

978-1-4799-5423-0/14/$31.00 ©2014 IEEE 11

 2014 International Conference on Information Technology and Multimedia (ICIMU), November 18 – 20, 2014, Putrajaya, Malaysia
The rest of the paper is organized as follows. Section II
provides an overview of smart meter. Section III discusses the
financial impacts of smart meter security breach. Section IV
discusses the financial impacts of smart meter privacy breach.
Section V concludes the paper.
II. OVERVIEW OF SMART METER
Smart meter is a new kind of energy meter that has the
capability to obtain information from end users’ devices and
measure the energy consumption of those devices [7]. The
information obtained from the smart meter can be used by the
utility company to provide better monitoring and billing.
Furthermore, the consumers will also be better informed
regarding their energy consumption, which in turn will enable
them to make better decision on their energy usage. Typically,
smart meter supports bidirectional communication between
itself and the central system. This feature is important for
remote monitoring capability. Smart meter also has built-in
ability to control the connection status of certain load remotely.
In general, with the advancement of smart meter technology,
many other operations can be performed by a smart meter.
Example of functions that are expected to be available on a
smart meter are two-way communication function, data
management (i.e. collection, recording and storing) functions,
load control function, programming and display functions,
security function and billing function. Basically, the
introduction of smart meter plays an important role in realizing
the concept of “smart-building” in the future.
The benefits of smart meter that can be enjoyed by different
stakeholders such as consumers, utility companies and
government have been discussed extensively in [8]. These
benefits include more accurate and timely electrical billing,
reduction of operational cost and improvement of the
environmental condition by reducing CO2 emission. Due to
these benefits, many power companies in Europe and US have
taken the initiative to install smart meter in residential and
commercial buildings [8]. Similar trend can also be seen for
countries in Asia-Pacific region [9].
III. FINANCIAL IMPACTS OF SMART METER SECURITY
BREACH
The security vulnerabilities of smart meter are due to the
computer-like ability of the smart meter. The traditional
electric meter can only record the power usage of a premise.
The smart meter, on the other hand, can run various
applications, as well as communicate over the network. Even
though this computer-like capability is very useful, it may
expose the smart meter to the various security attacks that are
plaguing the computer network. Common security attacks on
computer network such as denial-of-service (DoS), user
impersonation, sniffing, side-channel analysis, traffic hijacking,
routing attacks, configuration manipulation and exploitation of
insecure software can now be performed on smart meter [10],
[11]. Furthermore, with the smart meter’s ability to execute
codes and communicate over the network, viruses, worms and
Trojan horses can run on the smart meter and spread through
its network connectivity [12], [13].
12
Security attacks to a smart meter can be done either through
the smart meter’s communication module, utility server,
service provider or the communication network [13]. The
attacks can be performed by various parties, where different
party may benefit in different ways. Attacks may be performed
by outsiders, premise owners, or even the energy provider
employers. Regardless of the attack vector, the target is
normally the smart meter itself, or the data transmitted/received
by the smart meter. Security attacks on smart meter can have
various negative consequences. Of particular interest are the
financial impacts caused by these security attacks. These
financial impacts can be categorized into several categories
based on the affected group and are further explained in the
following sub-sections.
A. Financial Impacts to Premise Owner
The premise owner is the person who resides in the premise
whose smart meter is being attacked. Financial loss to the
premise owner can occur is several ways. An attacker may
cause the premise owner to pay a higher electrical bill by
altering the meter reading so that the smart meter reports a
higher usage than the actual energy consumption of the owner
[13] – [15]. Altering the smart meter reading can be done by
physically tampering the smart meter [10] or performing data
manipulation on the smart meter remotely through its network
connectivity [13]. The latter is also made possible due to the
use of insecure software [12], [16]. In certain types of smart
meter, the attacker may be able to disconnect power supply
from certain household appliances, equipment or facilities [14].
Shutting down household appliances such as refrigerator or
freezer may cause damages to the food inside and this in turn
cause financial loss to the owner. With the use of smart
appliances as popularized by the smart home concept, it is also
possible for the attacker to have a malicious remote control
over the appliances [12]. This can definitely leads to damages
and financial losses. An attacker may also steal the premise
owner’s data from the smart meter and hold the owner
“hostage” through the data and eventually ask for some kind of
payment [17].
B. Financial Impacts to Utility Company
Compared to the premise owner, the utility company has a
lot more to lose when security breach occurs. Simply altering
the smart meter reading to report a lower usage than the actual
energy consumption will cause the utility company to lose
money [12] – [15]. In the situation where the attacker is able to
impersonate the smart meter, the attacker may be able to send
erroneous data or control commands to the power grid, which
may cause dire consequences. The consequence can be
anything from sub-optimal running condition, degraded power
quality, blackout or even equipment damage [14], [18], [19]. In
each of these consequences, the utility company will end up
losing money, either directly or indirectly. In countries where
energy prices are tied to the amount of energy produced, an
attacker may send false report on energy prices to the smart
meter, which may cause a usage spike that can destabilize the
power grid [13]. An unstable power grid may lead to blackout
or equipment damage.
 2014 International Conference on Information Technology and Multimedia (ICIMU), November 18 – 20, 2014, Putrajaya, Malaysia
When a security breach is known to the customers, the
integrity of the billing information may be questioned by the
customers and they may refuse to pay the bills [16]. Even
worse, the utility company may face substantial liability claims
and regulatory fines for not having adequate security measures
[17]. If that happens, the utility company not only has to pay
the fines, but it may also lose money through degraded
reputation and loss of customer trust. Furthermore, once the
source of the security breach has been identified, the remedial
action may require fixing or replacing existing hardware and
software which could be very costly to the utility company.
C. Financial Impacts to the Nation and Society
Security breach to smart meter can impact the nation or the
society when the security breach is severe enough that it allows
the attacker to have access or affect the power grid
infrastructure. As mentioned in Section III.B above, if the
attacker is able to send erroneous data or control commands to
the power grid, the attacker would be able to shut down the
power grid, which will cause blackouts [14] [18]. A blackout
does not only impact the utility company, but it would also
impact other companies, the public, as well as the nation who
depend on the electricity supply [12]. A long-duration blackout
that affects a large area can be very costly. For example, in
August 2003, there was a two-day blackout which affected the
northeastern region of the United States. The cost of this
blackout event is estimated to be around USD 6 billion [20]. It
even resulted in 11 deaths. Although this blackout was not
caused by a security breach, the financial loss caused by a
severe blackout following a security breach could be similar.
As described in Section III.A, a power failure to certain
household appliances such as a refrigerator may be costly to
the home owner. Even though the financial lost for a single
house may not be that much, but if that amount is multiplied
with the number of houses affected, the total loss to the whole
society who are affected by the power failure can be quite
large. A factory that cannot operate due to power failure may
lose millions of dollars due to loss of production. The same
goes for the banking industry, the service industry and the
government services, who cannot deliver the intended services
to the public. Unavailability of services does not only cost
financial loss to the service provider, but it would also cause
difficulty and financial loss to the public who may be impacted
in various ways.
IV. FINANCIAL IMPACTS OF SMART METER PRIVACY
BREACH
Many researchers have identified that the data obtained
from a smart meter can reveal some information about the
occupants of a premise, as well as about the electrical
appliances in the premise. The utility company or an attacker
can deduce whether the occupants are at home by monitoring
the power reading of the smart meter, where the change of
power consumption is more frequent when the occupants are at
home [21]. The type of electrical devices or home appliances
that are currently in the premise can also be deduced from the
power reading [22]. One way to do this is by using Non-
intrusive Load Monitoring (NILM) algorithms, which are able
to distinguish power fluctuations caused by different devices
13
[23], [24]. The power usage information from smart meter can
also reveal the private activities of the occupants within the
premise such as whether they are awake or asleep, cooking,
having meals, taking shower or watching TV [25] – [29].
Inferring these activities is made possible by comparing the
energy consumption with the energy profile of household
appliances [30]. Long-term monitoring of the power usage
information of a premise can eventually reveal the daily
activities, personal habits and lifestyle of the occupants [23],
[28], [31], [32].
The privacy breach of smart meter is, in general, harmful to
the owner or occupants of the premise. The main problem that
may cause financial loss to the premise occupants is burglary.
Knowing whether the occupants are at home and the daily
activities of the occupants will help the criminals to find the
right time to break into the premise. Knowing the types of
electrical devices or home appliances in the premise will help
the criminals to choose their targets. NILM may even reveal
whether the premise has an alarm system, and this will assist
the criminals even further [28]. By choosing the right target
and entering the premise at the right time, the criminals may be
able to conduct the robbery effectively and this may cost the
victim a large amount of money. In addition to burglary, other
criminal acts that may cause financial loss to the premise
owner include kidnapping, arson and vandalism. Criminals
who intend to perform these criminal acts would definitely
benefit from the information that can be obtained from smart
meters.
V. CONCLUSION
Smart meter is an essential part of smart grid. However,
similar to any other computerized equipment, smart meter may
be vulnerable to security attacks. Security attacks may lead to
security and privacy breaches. When that happens, various
parties may be affected. Our studies have shown that many of
the impacts of security and privacy breach of smart meter can
actually lead to financial losses. The financial loss may affect
the premise owner, the utility company, other companies who
depend on the power supplied by the utility company, the
public, as well as the government and the nation. The amount
of losses varies depending on the type of breach, the party
affected and the duration that the victims are affected by the
consequence of the breach. However, in serious cases, the
amount of financial loss that has to be endured by the affected
parties may reach billions of dollars. Due to the large amount
of potential losses, it is very important for power utility
companies to take smart meter security seriously by allocating
sufficient resources to ensure the security of the deployed smart
meters as well as the rest of the smart grid infrastructure.
The study has also found out that the level of vulnerability
of a smart meter to security attacks is related to the level of its
“smartness”. As described in Section II, there are various
different features that can be implemented in a smart meter.
However, not all smart meter models have the same set of
features. Different models may have different features. Models
with more features tend to be more vulnerable to security
attacks. This is because with more features, there will be more
attack vectors. Among the more vulnerable features are the
wireless communication interface, the ability to read data from
 2014 International Conference on Information Technology and Multimedia (ICIMU), November 18 – 20, 2014, Putrajaya, Malaysia
individual household devices and the ability to control
individual household devices. Similar to other areas of
computer security, there is always a tradeoff between
functionality and security. Therefore, it is important for the
utility company to identify what the smart meter can and
cannot do as part of its security policy. Using the security
policy as the guiding principle, the company can then choose
and deploy the right smart meter model to optimize
functionality and minimize the financial risk.
REFERENCES
[1] H.S. Fhom, K.M. Bayarou, “Towards a holistic privacy engineering
approach for a smart grid system,” in Proc. 10th IEEE International
Conference on Trust, Security and Privacy in Computing and
Communications, pp. 234 – 241, 2011.
[2] P. McDaniel, S. McLaughlin, “Security and privacy challenges in the
smart grid,” IEEE Security & Privacy, vol. 7, issue 3, pp. 75 – 77, 2009.
[3] Jing Liu and Yang Xiao, “Cyber security and privacy issues in smart
grids,” IEEE Communications Surveys & Tutorials, vol. 14, issue 4, pp.
981 – 997, 2012.
[4] R. Anderson, “Security economics – a personal perspective, ” in Proc.
Computer Security Application Conference, pp. 139 – 144, 2012.
[5] R. Anderson, “Why information security is hard – an economic
perspective,” in Proc. Computer Security Applications Conference, pp.
358 – 365, 2001.
[6] E. Ellis, “Report finds smart-grid security lacking,” [online]. Avalaible:
http://www.cnet.com/news/report-finds-smart-grid-security-lacking.
[7] L. Wang, V. Devabhaktuni, N. Gudi, "Smart meters for power grid —
Challenges, issues, advantages and status," in Proc. Power Systems
Conference and Exposition (PSCE), pp. 20 – 23, 2011.
[8] J. Zheng, D.W. Goa, L. Lin, “Smart meters in smart grid: an overview,”
in Proc. IEEE Green Technologies Conference, pp. 57 – 64, 2013.
[9] “The smart meter revolution: towards a smarter future,” [Online].
Available: https://m2m.telefonica.com/m2m-media/m2m-downloads.
[10] A. Barenghi, G. M. Bertoni, L. Breveglieri, M. G.Fugini, and G. Pelosi,
“Smart metering in power grids: Application scenarios and security,” in
Proc. 1st IEEE PES Innovative Smart Grid Technologies (ISGT) Asia
Conf., pp. 1 – 8, 2011.
[11] F. Skopik, and Z. Ma, “Attack vectors to metering data in smart grids
under security constraints,” in Proc. IEEE 36th Annual Computer
Software and Applications Conference Workshops (COMPSACW), pp.
134 – 139, 2012.
[12] G. Kalogridis, M. Sooriyabandara, Z. Fan, and M.A. Mustafa, “Toward
Unified Security and Privacy Protection for Smart Meter Networks,”
IEEE Systems Journal, vol. 8, issue 2, pp. 641 – 654, 2013.
[13] J. Chinnow, K. Bsufka, A.D. Schmidt, R. Bye, A. Camtepe, and S.
Albayrak, “A simulation framework for smart meter security
evaluation,” in Proc. IEEE International Conference on Smart
Measurements for Future Grids (SMFG), pp. 1 – 9, 2011.
[14] L. Al Abdulkarim and Z. Lukszo, “Information security assurance in
critical infrastructures: smart metering case,” in Proc. First International
Conference on Infrastructure Systems and Services: Building Networks
for a Brighter Future (INFRA), pp. 1 – 6, 2008.
[15] L.O. AlAbdulkarim and Z. Lukszo, “Information security
implementation difficulties in critical infrastructures: smart metering
case,” in Proc. International Conference on Networking, Sensing and
Control (ICNSC), pp. 715 – 720, 2010.
14
[16] F.M. Tabrizi, and K. Pattabiraman, “A model for security analysis of
smart meters,” in Proc. IEEE/EFIP 42nd International Conference on
Dependable Systems and Networks Workshops (DSN-W), pp. 1 – 6,
2012.
[17] Ye Yan, R.Q. Hu, S.K. Das, H. Sharif, and Yi Qian, “An efficient
security protocol for advanced metering infrastructure in smart grid,”
IEEE Network, vol. 27, issue 4, pp. 64 – 71, 2013.
[18] S. Kaplantzis, and Y.A. Sekercioglu, “Security and smart metering,” in
Proc. 18th European Wireless Conference European (EW), pp. 1 – 8,
2012.
[19] T. Mehra, V. Dehalwar, and M. Kolhe, “Data communication security of
advanced metering infrastructure in smart grid,” in Proc. 5th
International Conference on Computational Intelligence and
Communication Networks (CICN), pp. 394 – 399, 2013.
[20] J.R. Minkel, “The 2003 northeast blackout – five years later,” [online].
Available: http://www.scientificamerican.com/article/2003-blackout-
five-years-later/, 2008.
[21] S. Gong, and H. Li, “Anybody home? Keeping user presence privacy for
advanced metering in future smart grid,” in Proc. GLOBECOM
Workshops (GC Wkshps), pp. 1211 – 1215, 2011.
[22] C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization
of smart metering data,” in Proc. First IEEE International Conference on
Smart Grid Communications (SmartGridComm), pp. 238 – 243, 2010.
[23] L. AlAbdulkarim and Z. Lukszo, “Impact of privacy concerns on
consumers' acceptance of smart metering in the Netherlands,” in Proc.
IEEE International Conference on Networking, Sensing and Control
(ICNSC), pp. 287 – 292, 2011.
[24] Xuebin Ren, Xinyu Yang, Jie Lin, Qingyu Yang, and Wei Yu, “On
scaling perturbation based privacy-preserving schemes in smart metering
systems,” in Proc. 22nd International Conference on Computer
Communications and Networks (ICCCN), pp. 1 – 7, 2013.
[25] G. Kalogridis, C. Efthymiou, S.Z. Denic, T.A. Lewis, R. Cepeda,
“Privacy for smart meters: towards undetectable appliance load
signatures,” in Proc. First IEEE International Conference on Smart Grid
Communications (SmartGridComm), pp. 232 – 237, 2010.
[26] C. Thoma, T. Cui, and F. Franchetti, “Secure multiparty computation
based privacy preserving smart metering system,” in Proc. North
American Power Symposium (NAPS), pp. 1 – 6, 2012.
[27] Z. Erkin, J.R. Troncoso-Pastoriza, R.L. Lagendijk, and F. Perez-
Gonzalez, “Privacy-preserving data aggregation in smart metering
systems: an overview,” IEEE Signal Processing Magazine, vol. 30, issue
2, pp. 75 – 86, 2013.
[28] A. Cavoukian, and K. Kursawe, “Implementing privacy by design: the
smart meter case,” in Proc. IEEE International Conference on Smart
Grid Engineering (SGE), pp. 1 – 8, 2012.
[29] A. Reinhardt, F. Englert, and D. Christin, “Enhancing user privacy by
preprocessing distributed smart meter data,” in Proc. Sustainable
Internet and ICT for Sustainability (SustainIT), pp. 1 – 7, 2013.
[30] T. Jeske, “Privacy-preserving smart metering without a trusted-third-
party,” in Proc. International Conference on Security and Cryptography
(SECRYPT), pp. 114 – 123, 2011.
[31] Hsiao-Ying Lin, Shiuan-Tzuo Shen, and B.P. Lin, “A privacy preserving
smart metering system supporting multiple time granularities,” in Proc.
Sixth International Conference on Software Security and Reliability
Companion (SERE-C), pp. 119 – 126, 2012.
[32] C. Rottondi, G. Verticale, and C. Krauss, “Distributed privacy-
preserving aggregation of metering data in smart grids,” IEEE Journal
on Selected Areas in Communications, vol. 31, no. 7, pp. 1342 – 1354,
2013.