Cybersecurity for Shared Infrastructure Substation Networks with IEC 61850 GOOSE and Sampled Values

Authors: Carlos Diago Torrente and Andrew Forshaw, GE Grid Solutions, UK

The network is planned, designed and commissioned by one operator, and will be maintained by two operators: one for the windfarm generation assets, the other for the grid connection power transmission assets. The deployed topology is first shown at a high level, describing how the offshore and onshore windfarm networks will be divided between the operators and the specific requirements of the solution. A more detailed view of the network then shows the Ethernet switches, routers and IEDs, and explains the services and protocols in use together with the cybersecurity challenge each one represents, for example interconnections that use Parallel Redundancy Protocol (PRP), as defined in IEC 62439-3, for redundancy in the exchange of GOOSE for interlocking.

Each challenge is addressed one at a time and the topology evolves as the solutions are added, going from a unified network under the control of one operator to two networks that can be easily split between operators.
The main objective is to protect the network of each operator from accidental or intentional cyber-attacks originating in the network of the other operator. The secondary objective is to control where GOOSE and Sampled Values are distributed, to optimize network resources. Achieving this will expand the number of applications for Ethernet-based solutions and improve the smart capabilities of substation solutions. However, allowing layer 2 traffic also opens paths for attacks to traverse the operator networks, and simple solutions that rely on a single approach may easily fail to provide reliable protection. For example, if Virtual Local Area Networks (VLANs) are used to separate traffic, attack messages on the allowed VLANs will easily move between both networks.

The article focuses on the challenges and solutions for a specific network topology, but the information applies to any similar solution where two different companies operate the same network. Most of the proposals can be used in conjunction with each other, stacking security levels and preventing a wider range of attacks. The offshore windfarm and associated grid connection power transmission system was developed by one company, and the network shown in Figure 1 was therefore commissioned by them. However, to meet local regulations, the company that is responsible for Generation, from now on referred to as GEN, cannot be responsible for power Transmission; the company in charge of transmission will be referred to as PTR. Hence, even though the equipment for GEN and PTR shares the same physical location, the PTR assets that would correspond to GEN needed to be sold to a different operator. The general requirements are:

  • All data that is required to be exchanged needs to be exchanged securely
  • Only the required data can be exchanged; all other data/traffic needs to be blocked in the red link shown in Figure 1
  • The network must be designed so that cyberattacks, intentional or accidental, have no impact on the other side of the network behind the red link. Any network disruption originating with one operator should remain contained within its boundaries; otherwise a disruption caused to the other operator would be the former operator's responsibility
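
The VLAN example given earlier and the requirement that only the required data crosses the red link can be illustrated with a small boundary filter that compares a VLAN-only rule with a stacked allow-list. This is an added example, not code from the article or its authors; the MAC addresses, VLAN 100, APPID values and the choice of allow-list fields are constructed assumptions.

```python
import struct

GOOSE = 0x88B8  # IEC 61850 GOOSE EtherType

def build_frame(dst, src, vid, ethertype, appid, payload=b""):
    """Build an 802.1Q-tagged frame with a GOOSE-style header (constructed test input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    tci = (4 << 13) | vid  # priority 4 plus 12-bit VLAN id
    return mac(dst) + mac(src) + struct.pack("!HHHH", 0x8100, tci, ethertype, appid) + payload

def parse(frame):
    """Return (dst, src, vid, ethertype, appid), or None if untagged or truncated."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    tci, ethertype, appid = struct.unpack("!HHH", frame[14:20])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[0:6]), fmt(frame[6:12]), tci & 0x0FFF, ethertype, appid

def vlan_only(frame, allowed_vids):
    """Weak boundary rule: forward anything tagged with an allowed VLAN."""
    p = parse(frame)
    return p is not None and p[2] in allowed_vids

def stacked(frame, allow_list):
    """Stacked rule: the full (dst, src, vid, ethertype, appid) tuple must be allow-listed."""
    p = parse(frame)
    return p is not None and p in allow_list

# Constructed sample: one interlocking GOOSE stream agreed for exchange (assumption).
ALLOW = {("01:0c:cd:01:00:10", "00:11:22:33:44:01", 100, GOOSE, 0x0010)}
legit = build_frame("01:0c:cd:01:00:10", "00:11:22:33:44:01", 100, GOOSE, 0x0010)
# Same VLAN, but a broadcast frame with a non-GOOSE EtherType from an unlisted source.
stray = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:99", 100, 0x0806, 0x0001)
# Same VLAN and EtherType, but a GOOSE stream that was never agreed for exchange.
unlisted = build_frame("01:0c:cd:01:00:20", "00:11:22:33:44:01", 100, GOOSE, 0x0020)

def demo():
    """Return (vlan_only, stacked) decisions for each constructed frame."""
    return [(vlan_only(f, {100}), stacked(f, ALLOW)) for f in (legit, stray, unlisted)]

if __name__ == "__main__":
    for name, (weak, strong) in zip(("legit", "stray", "unlisted"), demo()):
        print(f"{name:9s} vlan_only={weak} stacked={strong}")
```

The VLAN-only rule forwards all three frames, while the stacked rule forwards only the agreed stream.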