by Christoph Brunner, it4power, Switzerland
Standards are in place to support security of IEC 61850, however not only are the standards there, but they are also already available in products.
Cyber security has been a topic for a while. In IEC TC 57, the WG 15 is the one that prepares the IEC 62351 series standards for cyber security. Those standards can be applied to the various communication standards from TC 57, including IEC 61850.
IEC 62351-4 deals with security for profiles including MMS and derivatives and is related to the part 3 that deals in general with profiles including TCP/IP. IEC 62351-6 was originally published as a TS and discussed security for IEC 61850 GOOSE and Sampled Values. In 2020, a revision of that part was published as “security for IEC 61850,” that considers all protocols including the mapping defined in IEC 61850-8-2 on XMPP. As such, IEC 62351-6 relates to the part 4. Cyber security key management, which is important for security is specified in IEC 62351-9 and is used in the IEC 62351-6.
Another important element is role-based access, which is introduced in IEC 62351-8. The TR IEC 62351-90-1 adds to that a standardized method for defining and engineering custom roles, their role-to-right mappings and the corresponding infrastructure support needed. The part IEC 61850-90-19 applies this method to IEC 61850.
Finally, IEC 62351-11 specifies schema, procedures, and algorithms for securing XML documents which can be applied to the SCL files used in the IEC 61850 engineering process.
While cyber security may be less of a concern for the communication within a substation, it certainly is relevant for communication beyond substations or beyond a power plant. There are several use cases, where IEC 61850 can be used beyond the substation.
- First, IEC 61850 can be used as well for the communication from the substation to the control center. This has been discussed in the technical report IEC 61850-90-2 which is currently under revision and will be transferred in a technical specification with the number 61850-80-6
- Other usage of IEC 61850 beyond a substation is for the integration of DERs with a DER Management system
Those use cases typically will use client / server-based communication which is based on MMS over TCP/IP. In that case, IEC 62351-4, which is referred to in IEC 62351-6 can be applied.
However, there are use cases that require peer to peer communication like GOOSE or Sampled Values to go beyond the substation:
- A first example is the communication between two substations for teleprotection schemes as it has been described in the technical report IEC 61850-90-1
- One method described uses tunneling of the GOOSE message
- Other applications are wide area protection schemes or the transmission of synchrophasors
For those it may not always be practicable to establish a tunnel, that is why IEC TR 61850-90-5 introduced routable GOOSE (R-GOOSE) and routable sampled values (R-SV).
There are many applications for R-GOOSE or R-SV. A typical use case are remedial action schemes. For remedial action schemes, action needs to be taken in substations or generator stations based on events captured in other substations.
A centralized logic that takes those decisions needs to receive the information about the events, process them and forward controls. The information exchange associated with those schemes is done using R-GOOSE.
Another example is the use of synchrophasors to detect a broken wire. The impedance changes are sent by R-GOOSE or R-SV. A sudden change in the line impedance indicates a line break. When that change is detected, the line can be tripped before the wire touches the ground.
Now the next question is – how can we secure GOOSE messages. And more precisely – against what do we need to secure GOOSE messages. In general, OT security concentrates on AIC – Availability, Integrity and Confidentiality.
The availability of the R-GOOSE messages is provided by the communication profile. Integrity and confidentiality are supported by IEC 62351-6. For R-GOOSE and R-SV, confidentiality is optional, but authentication is required. Authentication is enabled by the key management defined in IEC 62351-9.
While for client / server-based communication asymmetric encryption with a public key used by the sender and a private key used by the receiver can be used, this does not work for multicast communication as GOOSE and SV.
For those, a symmetric key concept is used where all the members of a group, which consists of the publisher and all the subscribers, have the same key. For that, the group members have to communicate with a Key Distribution Center to get the current keys. Keys rotate not less than every 24 hours. In the IEC 61850-6 SCL file, it can be configured, which of the multicast streams shall be secured. As the SCL file contains information as well about the subscribers, the groups can be derived from the SCL file.
So, in the meantime, standards are in place to support security of IEC 61850. But not only are the standards there, but they are also already available in products.
At the DistribuTECH conference, which was held in Dallas in May, secure routable GOOSE was demonstrated. This included both publisher and subscribers of R-GOOSE that communicated with a key distribution center to receive the keys.
Biography:
Christoph Brunner is the President of his own independent consulting company it4power LLC based in Switzerland. He has over 25 years of experience with knowledge across several areas within the Utility Industry and of technologies from the Automation Industry. He has worked as a project manager at ABB Switzerland Ltd in the area of Power Technology Products in Zurich / Switzerland where he was responsible for the process close communication architecture of the automation system. He is Convener of WG 10 of the IEC TC57 and is a member of WG 17, 18 and 19 of IEC TC 57. He is member of IEEE-PES and IEEE-SA. He is an IEEE Fellow and is active in several working groups of the IEEE-PSRC and a member of the PSRC main committee and the subcommittee H. He is advisor to the board of the UCA international users’ group.
