Techniques to detect and harden smart electricity meters against tampering
10 September 2018
Non-technical losses, such as energy theft (tampering), are costing utility providers globally an estimated $96 billion every year. There are two main ways to tamper with a meter: nonintrusive and intrusive. This piece explains some of the specific tampering methods – and how to resist them…
To maximise efficiency, electric utility providers must address the losses between electricity generation and customer distribution. Energy theft remains one of the most prevalent forms of theft and subsequent revenue loss, and, since smart electricity meters (e-meters) have become so pervasive, hacking them has become a favoured method in the current climate…
What are smart e-meters and how do they work?
A smart e-meter measures the active energy and bills customers for that energy. The meter calculates the active energy by sensing both the mains voltage and the current drawn by the customer’s load, and accumulating the product of these two quantities over time.
Figure 1 shows an example single-phase e-meter and its connections, while Figure 2 shows an example three-phase e-meter and its connections.
Non-intrusive tampering methods
1. Electromagnetic interference
One nonintrusive tampering method is to zap the meter with electrostatic discharge (ESD)/electromagnetic interference (EMI)-generating equipment. These attacks could permanently damage the meter or cause it to enter a state from which it cannot automatically recover without manual restart. It’s possible to harden e-meters against these types of tampering attacks by following good system design practices, such as adding ESD/EMI protection devices and minimising cuts in the printed circuit board (PCB)’s ground plane.
2. Magnetic tampering
Another common technique is magnetic tampering, where an individual places a strong magnet near the meter. A strong magnet could cause nearby transformers to saturate, thereby paralysing them. Specifically, a strong magnet could paralyse a transformer in the power supply or a current transformer (CT) current sensor, meaning the meter cannot power itself and will be unable to bill customers.
If a CT is affected by a magnet, the current sensed by the CT would be smaller than what is consumed, meaning utility customers will be charged less for electricity.
Countermeasures include trying to detect the presence of a magnetic field with a Hall-effect sensor, as well as hardening a meter against magnetic tampering attacks. The Magnetic Tamper Detection Using Low-Power Hall Effect Sensors Reference Design shows how three Texas Instruments (TI) DRV5033 devices can detect the presence of a strong magnet in all three dimensions, regardless of how the magnet is oriented on the case.
How to prevent magnetic tampering
To harden a transformer in a power supply against magnetic tampering, one option is to shield the transformer; however, this is only effective to a certain extent. The best way to obtain magnetically immune current sensing is to use shunt current sensors, instead of current transformers.
Using a shunt for a single-phase meter is relatively simple: just reference the system with respect to the shunt. If the shunt is on the line, then the system should be referenced with respect to line.
Similarly, if the shunt is on the neutral, the system should be referenced with respect to neutral. Referencing the system with respect to the shunt prevents any large, damaging differential voltages appearing on any integrated circuit (IC).
Figure 3 shows the components of a three-phase system with isolated shunt sensors, which features one individual device per phase that measures the voltage across the shunt sensors.
These devices could be something like the TI AMC1304 isolated delta-sigma modulator or the TI MSP430i2020 metrology analogue front end (AFE).
Isolating these shunt sensing devices enables the multiple shunt devices, which measure the voltage across shunts on different phases, to communicate with the same back-end chip.
Since the devices are isolated, you must have an individual power supply for each one.
If you’re using the AMC1304 as the shunt sensing device, you should select a back-end chip, such as TI’s MSP430F67641A, since it has a digital filter that could take the bitstream from the AMC1304 to generate analogue-to-digital converter (ADC) samples.
Calculating active energy
To calculate the active energy, it’s necessary to measure the mains voltage, in addition to the current of the customer’s load. A voltage sensor translates the mains voltage to a range that the ADC can sense. In a poly-phase system, with isolated shunt sensors, you could implement the mains voltage sensing on the same device that senses the voltage across the shunt, or on the back-end device, if that device’s voltage sensing is synchronised with the shunt sensing.
Because shunts don’t inherently have isolation, isolate the communication from the shunt sensing device to the back-end device in order to prevent hazardous voltages on back-end devices. This isolation can be integrated through the use of an isolated shunt sensing device like the AMC1304.
Isolated shunt current sensing
The first approach for implementing isolated shunt current sensing, shown in Figure 4, involves using a metrology AFE like the MSP430i2020. This metrology AFE calculates the primary metrology (voltage, current, power, and so on) instead of having the back-end device perform these calculations.
Calculating these parameters reduces the processing needs of the back-end device. Additionally, if you only send metrology parameters to the back-end device, and not ADC samples, you could reduce the communication data rate from the shunt sensing device to the back-end device, reducing any emissions resulting from communication between the shunt sensing device and the back-end device.
The second approach is to have the shunt sensing device essentially only sense current and have the back-end device perform the metrology calculations, allowing easier parameter calculations between phases. Figure 5 shows this approach, which is implemented in the Magnetically Immune Transformerless Power for Isolated Shunt Current Measurement Reference Design.
Intrusive tampering methods
1. Bypassing the current
One of the most common intrusive methods is to push a metal object against the terminal block of the e-meter, shown here in Figure 6. This metal forms a current divider with the current sensing circuitry, which causes the metal object to bypass the current.
Thus, the sensing circuitry registers less current than is actually consumed, leading to a smaller active energy reading. Since customers are billed on active energy, this means a less-expensive utility bill.
To deal with current-bypass tampering, a design can measure both the line and neutral current of a system, which ideally should both equal the current drawn by the customer’s load for a single-phase system.
If someone tries to bypass the line current, it would still be possible to accurately calculate the active energy by adding a current transformer current sensor between the neutral terminals and performing metrology calculations using the neutral current instead of the line current.
2. Disabling an e-meter’s power supply
Another method is to disconnect one of the neutral or line leads. Removing one of these leads disables the e-meter’s power supply, as well as the sensing of the mains voltage necessary for an accurate active energy calculation. To deal with a potentially unavailable mains-powered supply, a backup supply, such as a parasitic current transformer-based supply, a supercapacitor or a battery-based supply, can power the meter if the primary power supply is nonfunctional.
3. Reversing energy meter readings
A third intrusive technique is to reverse either the line or neutral connections. In a single-phase e-meter, reversing the connections causes the e-meter to count in reverse, thereby leading to the total accumulated active energy readings becoming progressively smaller.
These reversed connections can’t be left in place, however, because that would obviously indicate tampering if the active energy readings become too small.
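The checks described above for current bypass and reversed connections, as an added example that is not code from the article or from any TI reference design: per-window active energy is accumulated from voltage and current samples on both line and neutral, a bypass is flagged when the two currents disagree, and a reversal is flagged when the accumulated power is negative. The thresholds, the function and type names, and the policy of billing on the larger current and on the magnitude of reversed energy are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define TAMPER_BYPASS  0x01u   /* line and neutral currents disagree */
#define TAMPER_REVERSE 0x02u   /* active energy is flowing backwards */
#define KEEP_RATIO     0.875   /* assumed: flag if one RMS current < 87.5% of the other */
#define MIN_RMS_A      0.05    /* assumed: ignore imbalance below this current (noise) */

typedef struct {
    double  energy_ws;         /* billable active energy for the window, watt-seconds */
    uint8_t flags;             /* TAMPER_* bits raised for the window */
} window_result;

/* v, i_line, i_neut: calibrated samples in volts and amps; fs_hz: sample rate. */
window_result meter_window(const double *v, const double *i_line,
                           const double *i_neut, size_t n, double fs_hz)
{
    window_result r = {0.0, 0};
    double p_line = 0, p_neut = 0, sq_line = 0, sq_neut = 0;
    if (n == 0 || fs_hz <= 0) return r;
    for (size_t k = 0; k < n; k++) {
        p_line  += v[k] * i_line[k];          /* accumulate v*i per channel */
        p_neut  += v[k] * i_neut[k];
        sq_line += i_line[k] * i_line[k];     /* sums of squares, compared below */
        sq_neut += i_neut[k] * i_neut[k];
    }
    double hi = sq_line > sq_neut ? sq_line : sq_neut;
    double lo = sq_line > sq_neut ? sq_neut : sq_line;
    /* Comparing squared sums avoids sqrt: RMS ratio < K  <=>  square ratio < K*K. */
    if (hi > n * MIN_RMS_A * MIN_RMS_A && lo < KEEP_RATIO * KEEP_RATIO * hi)
        r.flags |= TAMPER_BYPASS;
    /* Assumed policy: a bypass hides current, so bill on the channel carrying more. */
    double p_sum = sq_neut > sq_line ? p_neut : p_line;
    if (p_sum < 0) { r.flags |= TAMPER_REVERSE; p_sum = -p_sum; }
    r.energy_ws = p_sum / fs_hz;              /* sum(v*i) * sample period */
    return r;
}

/* Constructed input: one 50 Hz cycle, 8 samples at 400 Hz, 325 V peak, resistive load. */
window_result demo_window(double line_peak_a, double neut_peak_a)
{
    static const double shape[8] = {0, 0.7071, 1, 0.7071, 0, -0.7071, -1, -0.7071};
    double v[8], il[8], ineu[8];
    for (int k = 0; k < 8; k++) {
        v[k] = 325.0 * shape[k];
        il[k] = line_peak_a * shape[k];
        ineu[k] = neut_peak_a * shape[k];
    }
    return meter_window(v, il, ineu, 8, 400.0);
}
```

With the constructed 10 A peak load, a line current bypassed down to 2 A still bills the full window from the neutral channel and raises the bypass flag for the event log.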
How to stop intrusive tampering
The first line of defence for these attacks is the meter case itself. Meter cases should be sealed to hamper access to the internal components.
An intrusion detection system should also be added to determine if someone has opened or tried to open the case.
While button-based detection is a low-cost method with minimal power consumption, it has significant limitations: assembly and transportation of the meter could damage the intrusion detection system, the button activation tolerances may mean the button is not actually pressed down at all, or the button may become stuck or frozen in place.
To address these limitations, an alternative option is to use a contactless inductive switch like the Texas Instruments (TI) LDC0851. The LDC0851 can accurately detect the movement of a conductive object and provide a simple high/low digital signal if the metal target crosses a predetermined threshold.
The Case Tamper Detection Reference Design Using Inductive Sensing uses an LDC0851 switch, as well as an MSP430F67791A metrology microcontroller, for low-power detection of the opening of both an e-meter’s main cover and terminal block cover.
By following the anti-tampering techniques mentioned here, it’s possible to thwart or at least mitigate meter tampering, thereby reducing inefficiencies and revenue losses when supplying electricity to utility customers.