by Fred Steinhauser, OMICRON electronics GmbH, Austria
Protection engineers strive to control the traffic in power utility communication networks down to the last detail, ultimately making their own lives harder.
Virtual LANs were invented for a reason and there are applications where they are the right solution. On the other hand, this does not mean that they are the silver bullet of networking. But when it comes to designing a communication network for an IEC 61850 system, it often seems that the only thing that is clear from the beginning is that VLANs must be used.
If you start to question why this is taken for granted, and traffic management does not hold up as a convincing argument, the discussion is quickly deferred to other issues. And if all arguments fail, there may come the last resort: “uhm, yeah, but it is probably good for cyber security.” There must be a reason for VLANs!
OK, the makers of IEC 61850 have done their part to promote VLANs by defining their use for publishing GOOSE and Sampled Values. The primary intention was not the logical segregation of networks, but the use of the priority mechanism for real-time messaging.
The priority information is part of the VLAN tag that also contains the VLAN-ID. You get either both or none of them. Back then, there was the idea to run the networks in a “priority only” mode.
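The tag layout described above, as an added example that is not part of the original article: a Python sketch that decodes the 16-bit Tag Control Information of an IEEE 802.1Q tag, where the 3-bit priority and the 12-bit VLAN-ID share one field, and classifies a frame as untagged, priority-only (VLAN-ID 0, the value 802.1Q reserves for priority-tagged frames) or VLAN-tagged. The function names, addresses and sample frames are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100          # EtherType value announcing an IEEE 802.1Q tag
ETHERTYPE_NAMES = {0x88B8: "GOOSE", 0x88BA: "Sampled Values"}

class Tagging(NamedTuple):
    kind: str                # "untagged", "priority-only" or "vlan"
    priority: Optional[int]  # PCP, 3 bits (None when untagged)
    vlan_id: Optional[int]   # VID, 12 bits (None when untagged)
    payload: str             # protocol name or hex EtherType

def classify(frame: bytes) -> Tagging:
    """Decode the 802.1Q tag (if any) of a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        name = ETHERTYPE_NAMES.get(ethertype, hex(ethertype))
        return Tagging("untagged", None, None, name)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    priority = tci >> 13       # top 3 bits: priority code point
    vlan_id = tci & 0x0FFF     # low 12 bits: VLAN-ID (bit 12 is DEI)
    kind = "priority-only" if vlan_id == 0 else "vlan"
    return Tagging(kind, priority, vlan_id, ETHERTYPE_NAMES.get(inner, hex(inner)))

def build_frame(ethertype: int, priority=None, vlan_id=None) -> bytes:
    """Constructed sample frame: multicast dst, dummy src, optional tag."""
    header = bytes.fromhex("010ccd010001") + bytes.fromhex("020000000001")
    if priority is not None:
        # Priority and VLAN-ID are packed into the same 16-bit field.
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + b"\x00" * 46

if __name__ == "__main__":
    samples = [
        build_frame(0x88B8),                           # no tag at all
        build_frame(0x88B8, priority=4, vlan_id=0),    # priority, no VLAN
        build_frame(0x88BA, priority=4, vlan_id=100),  # priority and VLAN
    ]
    for f in samples:
        print(classify(f))
```

A frame without the tag carries no priority at all, while a tag with VLAN-ID 0 carries priority without assigning the frame to a VLAN.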
So, why are VLANs so appealing, almost addictive, to PAC engineers?
I believe it is a deep-rooted desire to stay in absolute control. With the proliferation of communication networks as a mission-critical part of PAC systems, PAC engineers became insecure. Understandably, such a situation causes some sort of anxiety, which contributed much to the skepticism toward IEC 61850.
The old systems had literally each piece of information transmitted over its individual hard-wired loop. Because of this, complexity was restrained, and the technology was so simple that it could be tested with a multimeter, even though this was a very cumbersome process.
Today, with IEC 61850, we have more information than ever running through the power utility communication network, where all kinds of data packets merge on the bus, forming a kind of traffic anarchy which, in the opinion of some, obviously cannot be tolerated.
Old myths from the early days of Ethernet, before switched networks were used, were quoted, and there is the argument that Ethernet is non-deterministic, although this uncertainty can be contained at a level which is insignificant for the operation of a PAC system.
Notions like these raised fears that may culminate in a form of anxiety disorder. We can still remember the phobic reflexes of protection engineers when the IEC 61850 services were first promoted; statements containing the word “never” were posted. Later, when it became obvious that IEC 61850 would eventually break through, some tried to escape with words like “as long as I …”. Today, there is no escape, and ways must be found to cope with it.
VLANs foster the hope of regaining absolute control over the communication network. Another option would be to use MAC filtering. Even applying MAC filtering on top of VLANs is discussed in some places! We need to bear in mind that these measures require considerable effort for configuration, documentation, and operation.
The guiding principle, to manage the traffic just as much as required but as little as possible, should keep us from overdoing it. The upcoming technical report IEC 61850-90-22 (network auto-routing) facilitates the opposite, eventually reinstating point-to-point connections through a logical patch panel, sacrificing the advantages of a bus.
Finding adequate measures requires an understanding of the capabilities of the communication network.
Understanding removes fear and builds trust. And trust allows us to grant freedom for the benefit of all.