Prevent hacking, tampering in energy metres

By Mohit Arora
Freescale Semiconductor

Today energy theft is a worldwide problem that contributes heavily to revenue losses. Consumers have been found manipulating their electric meters, causing them to stop, under-register or even bypassing the metre, effectively using power without paying for it. This article discusses vulnerabilities, challenges and techniques to prevent tampering in an energy metre.

Intro to energy meters

An energy metre is a device that measures the amount of electrical energy supplied to a residential or commercial building. The most common unit of measurement made by a metre is the kilowatt hour, which is equal to the amount of energy used by a load of one kilowatt in one hour.

Figure 1 shows a system block diagram for a three-phase energy metre. As shown the energy metre hardware includes a power supply, an analogue front end, a microcontroller section, and an interface section. The analogue front end is the part that interfaces to the high voltage lines. It converts high voltages and high currents to voltages sufficiently small to be measured directly by the analogue/digital converter (ADC) of the microcontroller.

Figure 1: System block diagram for three phase energy metre.

Voltage measurement is done with a shunt resistor (shown as “Load”), while the current measurements require more precise measurement and thus are done by current transformer (CT) on all phases along with current measurement on neutral. Meter manufacturers often integrate gain amplifiers in order to amplify voltage as well as current measurements in the range supported

fication required depends on the ADC resolution as well as the Class accuracy (0.1, 0.2, 1.0 etc.) required for a three-phase metre.

A typical energy metre also requires a real time clock (RTC) for tariff information. The RTC required for a metering application needs to be accurate (< 5ppm) for Time of Day (TOD), which involves dividing the day, month and year into tariff slots. Higher rates are applied at peak load periods and lower tariff rates at off-peak load periods.

The heart of the metre is the firmware, which calculates active, reactive energy based on voltage and current measurement. The firmware also includes tamper detection algorithms, data logging and protocols like DLMS and Power Line Modem communication protocol for Automatic Meter Reading (AMR).

The energy metre also needs to be calibrated before it can be used and that is done in a digital domain for an electronic metre. Digital calibration is fast, efficient and can be automated, removing the time-consuming manual trimming required in traditional, electromechanical meters. Calibration coefficients are safely stored in an EEPROM that can be either internal or external.

An energy pulse output (EP) is an indication of active power, as registered by the metre; the frequency of the pulse is directly proportional to active power.

Hacking in energy metres

Due to the increasing cost of electricity, energy theft is becoming a major concern for government agencies across the globe, and especially in populous countries like India and China.

A large portion of these revenue losses can be recovered by installing electronic energy meters

ing conditions and assure proper billing, unlike electromechanical meters.

This section describes several tampering techniques used by thieves along with solutions for avoiding tampering.

Partial earth fault condition

An earth fault means some of the load has been connected to another ground potential and not the neutral wire. Figure 2 shows normal Phase and Neutral wire connections to the metre. Note that current going through the Phase wire is the same as coming out of the neutral wire (IP = IN).

Figure 2: Normal phase neutral connection for single phase metre.

Figure 3 shows a partial earth

loads is connected to the ground and thus part of the return current I2 does not go through the metre. Thus the current in the neutral wire IN, is less than that in the Phase or live wire (IP).

To detect this condition, firmware monitors the currents on both energy wires - Phase and Neutral, and compares them. If they differ significantly, the firmware uses the larger of the two currents to determine the amount of energy to be billed and signals a “fault” condition.

Reverse current

Reverse current occurs when the phase and neutral are wired to
rent to flow in the direction opposite to normal. Figure 4 shows the same where the neutral wire connection is swapped thus causing current IN to flow in the reverse direction.

Figure 3: Partial earth fault condition.

Figure 4: Reverse current condition.

Due to the reverse current flow through Neutral, metering firmware will show wrong signs in active power readings. The firmware activates the reversed current indicator when any of the two currents has a sign opposite the one expected. To overcome this, metering firmware always uses the absolute value of active power for driving the energy pulse, thus reverse current has no effect on energy calculation or accurate billing.

Phase and neutral wire swapped

Here live and neutral wires are swapped, which makes the current in the live wire less than that in the neutral.

Missing neutral

A more common method of tampering is shown in Figure 5. The missing neutral tampering condition occurs when the neutral is disconnected from the power metre. With the Neutral disconnected, there is no voltage input and thus no output would be generated by the power supply. However when the load is applied (Figure 5), there would be a valid input signal on current channel so power would be consumed. Since the voltage on neutral is zero, so is the power (P = V x I).

Figure 5: Missing neutral condition.

To take care of this condition, the tampering algorithm (part of firmware) can assume voltage fixed at a known amplitude and phase and continue power calculation based on IRMS and adjust the IRMS gain to produce the same power output when the voltage is at its nominal value. This ensures billing is continued during a missing neutral condition.

Most tampering algorithms require current to be measured on neutral apart from all the phases to correctly detect a tamper event

consumption.

Note: It is important to measure current on neutral in addition to phase currents to detect any mismatch in reverse current flow during the described tamper conditions so that metering firmware can take appropriate steps for accurate energy calculation.

Missing potential

Again this is a common connection fraud usually deployed in meters where the voltage component for one of the phases is made zero by removing one of the phase wires from the metre terminal. This results in recording less energy consumption as consumption from one of the phases becomes zero (P = V x I, where V = 0).

During this condition, since the voltage is absent and current is present, the logic is easily able to sense this and record it as a tamper event if the condition persists for a certain duration. Metering firmware during this case can be tuned to record maximum consumption.

Magnetic interference

Meters use magnetic material in voltage and current measurement circuits and thus are affected by abnormal external magnetic influences, that in turn affect proper functioning of the metre.

For example, the use of a strong magnet to change the magnitude of current—this in turn introduces large errors in measurement. The idea is to saturate the core of the sensors or distort the flux in the core so that output is erroneous. This effectively results in less billing.

One way to avoid this is by having magnet sensors to detect the presence of abnormal magnetic fields and provide evidence by logging it as a tamper. Another solution is to increase the gap between the sensors and magnet, or by shielding the sensors and thus suppressing the effect of the magnetic field.

A cleaner solution is to use a Rogowski Coil instead of a conventional current transformer for current

not wound around a metallic core. Since there is no core to saturate in the presence of strong magnetic fields, these sensors are largely immune to magnetic tampering.

to gain increasing acceptance and desirability in anti-tamper metering applications.

Neutral disturbance
cept that apart from tampering with the neutral at the source, high-frequency signals are superimposed on neutral causing inaccurate current measurement and thus reducing the energy recorded by the metre.

Under this condition, metering firmware may choose to calculate energy based on maximum current and record the event as Tamper.

Other board design techniques like using ferrite beads, capacitor line filters and physically large SMD resistors help to protect the metre electronics from various forms of electromagnetic disturbance.

Powering off metre

Meter can be powered off by removing all the voltage connections.

Bypassing metre

There are many ways to bypass an energy metre. The most common way is by putting a jumper (Figure 6) in metre terminal such that connection is bypassed and the energy consumption is not registered. This kind of metre bypass can be easily detected. Another type of metre bypass is by removing the external potential copper on the terminal. These events can be compared with power failure records from the substation data. The event date and time logging is enough to identify these abnormal power failures and their duration.

Figure 6: Meter bypass with jumpers.

Double feeding the metre

Figure 7 shows yet another technique, “Double Feeding”, to bypass the metre where additional feeding is connected directly to the line so that the consumption for additional feeding is not registered.

Figure 7: Double feeding to bypass metre.

Here one would have legal service but the metre will not register the consumption for bypass load. Usually the additional feeding is done to connect an appliance that requires more electricity load (like the air conditioner shown in

lights, still go through legal connection so that the electric company will not get suspicious.

Meter bypass by double feeding is one of the easiest conditions to detect unless the cables around the metre are so dense that it is difficult to notice which ones are legal and which are not.

Meter manipulated

Unlike electromechanical meters where techniques like manipulating the disc brakes or slowing them so that the metre records less consumption are used, these techniques cannot be used on an electronic metre.

Metres (generally electromechanical) with counter type display are generally based on a stepper motor for disc rotation and are prone to errors as they can be easily manipulated to alter the metre reading.

These problems are overcome by providing an electronic display (like an LCD) in the meters that are now common in electronic meters.

External tampers

External tampering may include breaking the metre case, chemical injection or even burning the metre. All these result in changing the electrical characteristics of the components thereby recording less or no energy usage. One may want to open the metre case to change the settings or even remove the backup battery so that the metre will reset when the main power goes off.

Anti-tamper switches can be placed on the casing of the metre to trigger a tamper when the casing is opened.

High voltage/frequency tamper

A metre can be tampered with by an electrostatic device that generates spikes or voltages in the range of 35 kV. This may induce errors in consumption recording or may even damage the metre. The accuracy of the metre should not be affected

voltage/frequency generating device. It is recommended to follow some of the board guidelines mentioned in Section 2.7 along with high-tolerant IOs to avoid any influence of a 35-kV spike on energy calculation.

Changing the time

Electric companies may have different billing rates depending on time of the day, maximum demand, load, etc., thus making a real time clock (RTC) an essential part of the electronic metre to provide time reference. One may tamper with the clock or manipulate the time to fool the

e.g., changing PM to AM such that metering firmware charges less due to non-peak load during that time. Thus, the RTC circuit should not allow time reversal unless it follows a secure protocol.

Other techniques include changing the RTC crystal as the RTC usually relies on a 32.768-kHz external crystal oscillator. The RTC circuit should be able to detect this and correct the time. Thus, on-chip compensation should be an essential feature for an energy metre.

Crystal characteristics vary widely with temperature. Thus, temperature changes can pro-
The RTC circuit should be able to detect changes in temperature and compensate for them by adding or removing clock pulses. The clock accuracy desired for any metering applications needs to be less than 5 PPM.

Note: It is important that the RTC for any metering application must support standby operation when the RTC keeps working (on battery) even during power failure thereby retaining the time.

Techniques for tampering prevention

Automatic metre reading (AMR)

Automatic metre reading (AMR) technology refers to the capability of the metre to communicate its reading to a fully automated collection and communication centre, via the use of wired or wireless networking infrastructure. Some of the AMR technolo-

around the world include: Radio frequency (RF), ZigBee protocol, data modem (via standard telephone network) and power line communication (PLC). Other partial communication may include reading via optical port in an “electronic reader” device. The latter may be based on Serial Port (RS-485) or Infrared Link.

With AMR, any tampering events logged in the memory can be provided to the substation via AMR network if there are any discrepancies between the total billed and the total generated power.

Code protection

One of the advantages of AMR is remote firmware upgrade. It is important to authenticate firmware patches and reject unauthorised or tampered software. Though security is built into some of the protocols like ZigBee (ECC public

AMR communications, it is worth considering that any code protection schemes used should provide additional security. Sensitive keys may be stored in hardware with policies and procedures for enrolling and authorising system along with using data encryption schemes.

Tampering seals

It is always best to prevent a problem rather than fix it after it has occurred. Nowadays there are specially designed seals available for use on electric and utility meters. These seals should be used on metres during installation to prevent unauthorised access. It is recommended that electronic meters should be provided with front side seals so that they are readily visible to a metre reader or inspector.

There are several companies that offer seals especially designed

once broken cannot be glued or reapplied on the metre. Many meters also have external cases that prevent opening without damaging the metre.

Conclusion

To control revenue losses, utility companies worldwide need to detect metre tampering and ensure accurate billing even when tampering has occurred. Tampering may range from simple techniques like manipulating live or neutral wires to more sophisticated ones like hacking firmware and changing energy consumption records.

Energy metering ASICs are available that provide solutions for implementing multiple layers of tamper detection implemented as a part of hardware and software solution.
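
Added example, not part of the original article and not Freescale code: the firmware-side checks described above for partial earth fault, reverse current, and missing potential or missing neutral, written as one per-window routine for a single-phase metre. The thresholds, struct layout and function names are hypothetical, and unity power factor is assumed when the voltage input is absent.

```c
#include <stdio.h>

/* Hypothetical thresholds, chosen for illustration only. */
#define I_MISMATCH_FRAC 0.125 /* IP/IN difference treated as significant */
#define I_MIN_A         0.05  /* below this there is no load current */
#define V_MIN_V         20.0  /* below this the voltage input is absent */
#define V_NOMINAL_V     230.0 /* assumed when the voltage input is missing */
#define PERSIST_WINDOWS 3u    /* windows a condition must persist to be logged */
enum { T_EARTH = 1, T_REVERSE = 2, T_NO_VOLTAGE = 4 }; /* tamper flags */

typedef struct {               /* one measurement window */
    double v_rms;              /* volts */
    double ip_rms, in_rms;     /* phase and neutral current, amperes */
    double p_phase, p_neutral; /* signed active power per channel, watts */
} window_t;
typedef struct { unsigned flags; double billed_w; } result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }
result_t evaluate_window(const window_t *w, unsigned *no_v_windows)
{
    result_t r = { 0u, 0.0 };
    int phase_larger = w->ip_rms >= w->in_rms;
    double i_max = phase_larger ? w->ip_rms : w->in_rms;
    /* Partial earth fault: IP and IN differ significantly. */
    if (i_max > I_MIN_A && absd(w->ip_rms - w->in_rms) > I_MISMATCH_FRAC * i_max)
        r.flags |= T_EARTH;
    /* Reverse current: a channel's active power has the wrong sign. */
    if (w->p_phase < 0.0 || w->p_neutral < 0.0)
        r.flags |= T_REVERSE;
    /* Bill the larger-current channel, always on the absolute value. */
    r.billed_w = absd(phase_larger ? w->p_phase : w->p_neutral);
    /* Missing potential or neutral: current flows but voltage is absent. */
    if (w->v_rms < V_MIN_V && i_max > I_MIN_A) {
        r.billed_w = V_NOMINAL_V * i_max; /* nominal voltage, unity PF assumed */
        if (++*no_v_windows >= PERSIST_WINDOWS)
            r.flags |= T_NO_VOLTAGE;      /* log only once it has persisted */
    } else {
        *no_v_windows = 0u;
    }
    return r;
}

int main(void)
{
    window_t w = { 230.0, 10.0, 6.0, 2300.0, 1380.0 }; /* constructed sample */
    unsigned n = 0u;
    result_t r = evaluate_window(&w, &n);
    printf("flags=%u billed=%.1f W\n", r.flags, r.billed_w);
    return 0;
}
```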
