Using High-Speed and Secured Routable GOOSE Mechanism

Authors: Mital Kanabar, Anca Cioraca, GE Grid Solutions, Canada, and Anthony Johnson, Southern California Edison, USA

The major communication infrastructure considerations for a WAPC system are:

  • High-speed message delivery (delays over WAN)
  • Network bandwidth requirement (i.e. optimum information/dataset and data rate requirements)
  • Cyber security
  • Availability/Redundancy
  • International standardized protocols

IEC Technical Report (TR) 61850-90-5:2012 provides a communication protocol for synchrophasors (Routable-Sampled Values or R-SV) and event-driven GOOSE (Routable-GOOSE or R-GOOSE) with a cyber-security protocol over WAN.
This article presents an implementation of high-speed and secure R-GOOSE for WAPC applications, and also discusses a practical use case: the Centralized Remedial Action Scheme (CRAS) project by Southern California Edison (SCE) at approximately 100 (primarily 500 kV and 230 kV) substations.

How to Implement GOOSE with Routing, High-Speed, and Security?
GOOSE is an accepted mechanism for time-critical peer-to-peer communication among Intelligent Electronic Devices (IEDs).

A. Current GOOSE Operation: The IEC 61850-8-1 standard specifies GOOSE. Its characteristics are: 1) event-driven with re-transmission; 2) high-priority and Virtual LAN support (IEEE 802.1Q); 3) peer-to-peer publisher/subscriber communication (unlike client/server or master/slave); 4) multicasting over LAN (i.e. simultaneously publishing to multiple subscribers); 5) dataset items including status information (digitals) or measurements (analog).
To achieve a highly dependable level of GOOSE message delivery, IEC 61850-8-1 specifies a retransmission scheme for GOOSE messages, as shown in Figure 1. When none of the dataset items in a transmitting GOOSE are changing, the GOOSE message is sent periodically (heartbeat) to allow subscribers to monitor the connection. When the state of any dataset item changes, the GOOSE message is re-transmitted immediately multiple times with the new values, shown as Event messages. A short time after the initial event message is sent, it is resent several times.

B. Routing GOOSE over WAN: Until recently, GOOSE was specified for local applications over LAN, i.e. within a substation, power plant or industrial site. The technical report IEC TR 61850-90-5:2012 extends the application of GOOSE from LAN to WAN, either by tunneling or by allowing GOOSE to multicast over IP networks using the IGMPv3 protocol.
These R-GOOSE messages are routed over layer-3 routers with UDP/IP headers. Security mechanisms for WAN are also called out in IEC TR 61850-90-5:2012 and enable several applications of high-speed and secured R-GOOSE for WAPC.

1) Multicasting over IP networks: Figure 2 illustrates the communication stack from IEC TR 61850-90-5. The technical report specifies IGMP version 3 (RFC 3376) for multicasting of R-GOOSE. IGMPv3 extended the capabilities of the protocol by allowing source filtering, which means that the routers are informed of the sources of the traffic.
Three different Application Profiles (A-Profiles) are specified in IEC/TR 61850-90-5. Each of these A-Profiles makes use of three independent Transport Profiles (T-Profiles). The correlation between the A-Profiles and T-Profiles is shown in Figure 2.
Various T-Profiles have common elements for the Network and Layer 2 layers. However, there are some differences within the Transport layer.

2) R-GOOSE Control Blocks: IEC TR 61850-90-5 defines new Control Blocks to handle the Routable 90-5 semantics. "RG" control blocks are used to control routable GOOSE state information. The destination address attribute type is changed to UDPCOMADDR, which is shown in Figure 3. This configuration allows a UDP/IP header over the GOOSE.

3) Priority over IP: IP Class of Traffic (CoT), also known as TypesOfService (ToS), as shown in Figure 3, is used to provide high-speed quality of service. The encapsulated application messages are published via UDP/IP multicast services, which use the Differentiated Services Code Point (DSCP) to provide IP priority tagging for high-speed processing at the router.

C. Securing R-GOOSE over WAN: The IEC TR 61850-90-5 security mechanism for R-GOOSE has the following options: 1) None; 2) Signature (i.e. Authentication); 3) Signature and Encryption.
IEC TR 61850-90-5 security specifies a signature that uses symmetric keys to create a secure Hashed Message Authentication Code (HMAC). The application messages are carried over an IEC TR 61850-90-5 session layer, which provides security and management via the 90-5 specific Group Domain of Interpretation (GDOI) protocol.
GDOI support for 61850 protocols is described in the updated revision of IEC 62351-9, and the key exchanges use Group Domain of Interpretation (RFC 6407 – GDOI).
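
The Python sketch below is an added example, not code from the article or from IEC TR 61850-90-5: a publisher signs a message with an HMAC under a symmetric group key, and a subscriber verifies it before using the payload. The frame layout, the `key_id` field, and the use of GOOSE state and sequence counters (`st_num`, `sq_num`) to reject replays are assumptions made for illustration; key delivery by GDOI is out of scope, and the key and payload are constructed samples.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for illustration (NOT the IEC TR 61850-90-5 wire format):
#   key_id(4) | st_num(4) | sq_num(4) | payload_len(2) | payload | HMAC-SHA256 tag(32)
HEADER = struct.Struct("!IIIH")
TAG_LEN = hashlib.sha256().digest_size

def sign(key_id, key, st_num, sq_num, payload):
    """Publisher side: append an HMAC computed over header and payload."""
    body = HEADER.pack(key_id, st_num, sq_num, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Subscriber:
    def __init__(self, keys):
        self.keys = dict(keys)   # key_id -> symmetric group key (assumed already delivered)
        self.last = (0, -1)      # highest (st_num, sq_num) accepted so far

    def accept(self, frame):
        """Return the payload of an authentic, fresh frame; raise ValueError otherwise."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key_id, st_num, sq_num, plen = HEADER.unpack_from(body)
        key = self.keys.get(key_id)
        if key is None:
            raise ValueError("unknown key id")
        # Authenticate before acting on any header field; compare in constant time.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad signature")
        if plen != len(body) - HEADER.size:
            raise ValueError("length mismatch")
        # Retransmissions raise sq_num and a new event raises st_num, so anything
        # not strictly newer than the last accepted frame is a replay or stale.
        if (st_num, sq_num) <= self.last:
            raise ValueError("replayed or stale frame")
        self.last = (st_num, sq_num)
        return body[HEADER.size:]

if __name__ == "__main__":
    demo_key = bytes(range(32))                        # constructed sample key
    sub = Subscriber({1: demo_key})
    frame = sign(1, demo_key, 1, 0, b"breaker=open")   # constructed payload
    print(sub.accept(frame))
```

Because the tag covers the header as well as the payload, a modified counter or key identifier fails verification in the same way as a modified payload.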
