Next Article in Journal
On the Use of Infrared Thermography and Acousto—Ultrasonics NDT Techniques for Ceramic-Coated Sandwich Structures
Next Article in Special Issue
T2S2G: A Novel Two-Tier Secure Smart Grid Architecture to Protect Network Measurements
Previous Article in Journal
Global Warming Potential of Biomass-to-Ethanol: Review and Sensitivity Analysis through a Case Study
Previous Article in Special Issue
Virtual Power Plant Management in Smart Grids with XMPP Based IEC 61850 Communication
Article

S-GoSV: Framework for Generating Secure IEC 61850 GOOSE and Sample Value Messages

1
Department of Computer Science and Engineering, YSR Engineering College, Yogi Vemana University, Kadapa 516360, Andhra Pradesh, India
2
Fukushima Renewable Energy Institute, AIST (FREA), Koriyama 963-0215, Japan
*
Author to whom correspondence should be addressed.
Energies 2019, 12(13), 2536; https://doi.org/10.3390/en12132536
Received: 10 June 2019 / Revised: 28 June 2019 / Accepted: 29 June 2019 / Published: 1 July 2019
(This article belongs to the Special Issue Cybersecurity in Smartgrids)

Abstract

Standardized communication plays an important role in substation automation system (SAS). IEC 61850 is a de-facto standard in SAS. It facilitates smooth communication between different devices located in the substation by achieving interoperability. Generic Object-Oriented Substation Event (GOOSE) and Sample Value (SV) messages developed according to IEC 61850 enable efficient monitoring and operation control of SAS. IEC 61850 is very popular due to its flexible and robust modeling. As the number of critical infrastructures that employed IEC 61850 increases, it is important to study cybersecurity aspects as well. To this end, this paper develops a software framework, S-GoSV (Secure GOOSE and SV), that generates custom GOOSE and Sample Value messages. Furthermore, security features are added to protect them from different security attacks within a substation. IEC 62351-6 specifies digital signatures to achieve node authentication and messages integrity. Therefore, S-GoSV implements RSASSA-PKCS1-v1_5 digital signature algorithm based on RFC 2313. Performance studies show that digital signature algorithms based on RSA signing and verification take long times and do not conform to timing requirements stipulated by IEC 61850 for power system communication. To address this, Message Authentication Code (MAC) based digital signature algorithm, Keyed Hash-Message Authentication Code- Secure Hash Algorithm (HMAC-SHA256), is additionally implemented in S-GoSV framework for securing GOOSE messages.
Keywords: security in Substation communication system; Generic Object-Oriented Substation Event (GOOSE); Sample Values; IEC 62351-6 standard security in Substation communication system; Generic Object-Oriented Substation Event (GOOSE); Sample Values; IEC 62351-6 standard

1. Introduction

Legacy power systems are transforming into smart grids which are designed to operate in a more reliable and resilient fashion. Existing Supervisory Control and Data Acquisition (SCADA) systems do not have the capability to implement these features [1]. Substations play a key role in smart grid revolution. IEC 61850 is a de-facto standard for substation automation [2]. It offers different protocol services such Generic Object-Oriented Substation Event (GOOSE), Sample Value (SV) and Manufacturing Message Service (MMS) [2]. It enables interoperability among substation devices of different vendors with standard modeling. It also offers many services that include seamless communication, defining data sets, defining logical nodes for substation communication equipment [3].
IEC 61850 standard was initially developed for substation automation. Due to its widespread popularity and success, it was extended to other components in power grids such as fault current limiters [4], Distributed Energy Resources (DERs) [5], Electric Vehicles (EVs) [6] and smart meters [7]. In these new implementations, IEC 61850 GOOSE and SV are utilized to exchange different data sets between DERs, EVs and other components. Some researchers have developed open access tools for generating GOOSE and SV messages, which are quite helpful in conducting different studies [8,9,10]. However, the reported tools only use datasets based on IEC 61850-9-2 LE SV format (only include three-phase current and voltages values) or GOOSE formats. Addressing this knowledge gap; in this paper, a C based framework ‘GoSV’ [11] is developed for generating custom GOOSE and SV messages which can be used to send customized data sets in GOOSE and SV formats.
Cyber security is a rising concern for substation communication networks [12,13,14] and phasor measurement units [15] as reported in the literature recently. Authors in [12], proposed Anomaly Detection System (ADS) for the substations to protect simultaneous intrusions into multiple substations which may cause severe cascading events that have catastrophic consequences. Authors in [14] reviewed cyber security challenges and potential threats in IEC 61850-substation network and summarized security measures. They argue that among different IEC 61850 services such as GOOSE, SV and MMS, GOOSE message service is of paramount importance as it carries time critical information related to power system operation. If GOOSE message service is compromised, then it may cause severe loss to power system. To address these concerns, IEC 62351-6 specifies security mechanisms for GOOSE message service [16]. The security requirements such as authentication and integrity are very important in IEC 61850 substation networks and IEC 62351-6 recommends digital signatures to mitigate cyber-attacks. Furthermore, the said standard specifies RSA digital signature algorithm for signing and verifying the GOOSE messages. The timing performance of the specified digital signature is evaluated and reported in [17,18]. Authors in [19] specify that the actual digital signature algorithm explicitly specified by IEC 62351-6 to secure GOOSE is RSA-Probabilistic Signature Scheme based on Signature Scheme with Appendix (RSASSA-PSS) based on RFC 3447 [20], which should be also compatible with RFC 2313 [21].
In order to investigate cybersecurity considerations in power system communication networks, this paper extends the GoSV framework with security implementations as Secure-GoSV (S-GoSV) [22] using openSSL libraries. In S-GoSV framework RSASSA-PKCS1-v1_5 digital signature algorithm is implemented to secure IEC 61850 GOOSE messages. However, investigations show that performance of RSASSA-PKCS1_v1-5 digital signature algorithm is not suitable for time critical GOOSE messages [19]. Therefore, authors have proposed the use of fast computing Message Authentication Code (MAC) based digital signature algorithm, Hash based Message Authentication Code- Secure Hash Algorithm (HMAC-SHA-256) [23]. HMAC-SHA-256 based implementations are also included in the S-GoSV framework for studying their performance.
The rest of the paper is organized as follows, Section 2 discusses GOOSE and SV message structures according to IEC 61850-8-1 and IEC 61850-9-2 standards, respectively. It also shows implementation details of GoSV software framework that generates custom GOOSE and Sample Values. Section 3 briefly discusses S-GoSV software that implements RSASSA-PKCS1-v1_5 digital algorithm specified by IEC 62351-6. Section 4 describes the implementation details of RSASSA-PKCS1-v1_5 digital algorithm and HMAC-SHA256 on GOOSE messages. Section 5 demonstrates the results with Wireshark captures. Section 5 draws the conclusions.

2. GoSV Framework

The GoSV framework is developed for generating and publishing customized GOOSE and SV messages. The crucial part of this framework is to accurately construct Ethernet frame according to IEC 61850-9-2 (Sample Values) and IEC 61850-8-1 (GOOSE) formats. Figure 1 shows the ethernet frame and its fields. The Ethernet frame format starts with destination and source MAC address followed by 802.1q and 802.1p (VLAN and priority tag) optional fields. The next field is ‘ethertype’ which defines the Ethertype Protocol Data unit (PDU) in the frame. The value of the ‘ethertype’ field for GOOSE and SV messages are 0x88-0xB8 and 0x88-0xBA, respectively. All the fields of ‘Ethertype PDU’ are encoded according to ASN.1 BER as specified in ISO/IEC 8825-1. All the fields are in triplet format of Tag, Length and Value (TLV). Again, the value can contain a new set of triplets in itself as shown in Figure 2. ‘Ethertype PDU’ consists of ‘APPID’, ‘Length’, ‘Reserved1’, ‘Reserved2’ followed by either Sample Values or GOOSE message fields. Ethernet frame ends with Frame Check Sequence (FCS) field. The ‘APPID’ field of 2 bytes contains the tag of ‘Ethertype PDU’. For ‘Ethertype SV PDU’ the ‘APPID’ value can be 0x4000 to 0x7FFF. The length field of 2 bytes contains the value of the total length of the Ethertype SV or GOOSE PDU and it should be less than 1501 bytes. The ‘reserved1’ field of the Ethertype SV or GOOSE PDU are reserved for security related information when the SV or GOOSE is sent with IEC 62351-6 security considerations. The ‘reserved2’ field is of 2 bytes to store 16-bit Cyclic Redundancy Check (CRC) value. Figure 3 and Figure 4 gives the description of set of fields that can be interpreted as T-L-V format.
The SV APDU starts with ‘savPdu’ field with a tag of 0x60 followed by its length. The ‘noASDU’ field (number of ASDU) has a tag 0x80 followed by its length and value. The ‘Sequence of ASDU’ field (Sequence of ASDU) begins with a tag 0xA2 followed by its length and value. The ‘ASDU’ field (Application Service Data Unit) has a tag 0x30 followed by its length and value. Each ASDU consists of the following fields: ‘svID’ (sample value ID), ‘smp_Cnt’ (sampling count), ‘confRev’ (count of configuration changes), ‘smpSynch’ (sample synchronization), ‘Sequence of Data’ (sequence of data) and ‘data’ (the actual dataset). The ‘svID’ field begins with a tag 0x80 followed by its length and value. The ‘smp_Cnt’ field has tag 0x82 followed by its length and value. The ‘confRev’ field has a tag 0x83 followed by its length and value. The ‘smpSynch’ field begins with tag of 0x85 followed by its length and value. The ‘Sequence of Data’ field begins with tag of 0x87 followed by its length and value. The final field is the actual data set. Figure 3 describes the Tag, length, value triplets of every field of SV message.
Similarly, PDU of GOOSE consists of following fields as gocbRef, ‘timeAllowedtoLive’, ‘datSet’, ‘goID’, ‘t’, ‘stNum’, ‘sqNum’, ‘test’, ‘confRev’, ‘ndsCom’, ‘numDatSetEntries’, ‘allData’ as shown in Figure 4. The frame format of GOOSE message along with description of its fields is given in Table 1.
The GoSV software framework is implemented in C programming language using Ethernet libraries available in ether.h, sys/socket.h and sys/ioctl.h header files. The implementation can be accomplished at layer 2 of Open Systems Interconnect (OSI) reference model. Figure 5 describes the implementation details. First it is needed to configure the network device at the sending end of the GOOSE and Sample Values. It includes the following steps: The packet interface is used to create a raw socket on the device. Linux supports ioctls (input-output controls) to configure network devices. For configuring network device, it is needed to set the structure called ifreq (Interface request) with the name and index of the interface using ioctls. Structure ifreq facilitates low level access to Linux network devices. Device independent physical layer structure called sockaddr_ll is used to set the destination MAC address of the packet. A buffer with the max size of 2048 is taken to construct the ethernet frame. Construction of payload field for GOOSE/SV protocol is considered by taking standard fields in the form of cascading tag, length and value. Authors have uploaded the developed version of GoSV [11] in the GitHub repository.

3. Secure GoSV Framework

Security is a growing concern in power system communication networks. Compromising it may lead to plethora of security attacks such as Data integrity attack, replay attack, Man in The Middle (MITM) attack, Denial of Service (DoS) attack etc. These attacks may cause catastrophic damages to power grid. IEC 62351-6 specifies authentication and integrity as the security requirements and recommends using of digital signatures to protect IEC 61850 GOOSE or SV messages from cyber-attacks. Further, the IEC 62351-6 standard recommends RSASSA-PKCS1-v1_5 to Secure GOOSE and SV. However, the RSA based digital signature algorithms exhibit higher computational delays and do not meet the strict timing requirement of 3 ms for GOOSE messages [19]. The computational times required for generating digital signatures using RSASSA-PKCS1-v1_5 are given in the Table 2. Accordingly, Keyed Hash based Message Authentication Code (HMAC) based digital are proposed in literature for securing GOOSE messages [23].
In this paper, authors developed S-GoSV software framework that implements both RSASSA-PKCS1-v1_5 digital signature and HMAC algorithms. Authors considered securing Sample Value messages as a future work.

3.1. RSASSA-PKCS1-v1_5 Digital Signature Algorithm

Development of secure S-GoSV software framework for RSASSA-PKCS1-v1_5 digital signature is done in two steps. In the first step, the digital signature is generated using RSASSA-PKCS1-v1_5 digital signature algorithm. The first step is implemented using python Crypto.PKCS1_v1_5 libraries. In the second step, the generated digital signature is transmitted using GoSV software which is developed using C language by adding extension fields.
Digital signatures for GOOSE message are generated in two major steps. First, an EMSA encoded message (EAPDU) generated for the GOOSE message. The EMSA encoding involves generation of hash value using SHA256 and addition of paddings [19]. Second, the generated encoded message is converted to octet string format and then signed by digital signature algorithm RSASSA-PKCS1-v1_5. The complete process of digital signature generation and verification for RSASSA-PKCS1-v1_5 is described in [19]. Figure 6 outlines the generation and verification of digital signature using RSASSA-PKCS1-v1_5 algorithm. GOOSE message along with appended DS is sent to subscriber in the network. At subscriber, a new EMSA encoded message (newEAPDU) is generated with the received GOOSE message and the received DS is decrypted by using the public key of the publisher. This decrypted digital signature value (EAPDU) is compared with the a new EMSA encoded value (newEAPDU) generated at the subscriber. If both are the same, then GOOSE message is valid otherwise it will not be accepted as a legitimate message.
In order to carry this additional Digital Signature (DS) value in the ethernet frame, IEC 62351-6 standard specifies extension to be added at the end of ethernet frame as shown in the Figure 7. Extension field consists of SEQUENCE field and authentication value. SEQUENCE field is reserved for future security considerations other than encryption and message authentication. Authentication value contains digital signature value generated by RSASSA-PKCS1-v1_5.
RSASSA-PKCS1-v1_5 (Public Key Cryptography Standard #1 version 1.5) digital signature algorithm generates digital signature in three steps, as shown in Algorithm 1 below. In the first step, it takes GOOSE APDU as input and performs encoding using EMSA_PKCS1-v1_5 encoding scheme. The output of the encoding scheme is Encoded APDU (EAPDU). In the second step, EAPDU is converted into integer representation. In the final step, integer representation is encrypted with private key of RSA algorithm that gives digital signature (ds).
Algorithm 1. RSASSA_PKCS1-v1_5_Gen_Signature (gooseAPDU)
1 : ( P u b _ K e y ,   Pr _ K e y )   G e n _ K e y s ( )
2 : E A P D U E M S A _ P K C S 1 _ v 1 _ 5 _ E n c o d e ( g o o s e A P D U )
3 : x     O c t e t S t r i n g 2 I n t e g e r ( E A P D U )
4 : d s R S A E n c Pr _ K e y ( x )
5 : r e t u r n   d s
Algorithm 2. RSASSA_PKCS1-v1_5_Signature_Verify (gooseAPDU, ds)
1 : ( P u b _ K e y ,   Pr _ K e y )   G e n _ K e y s ( )
2 : x R S A D e c Pub _ K e y ( d s )
3 : E A P D U I n t e g e r 2 O c t e t S t r i n g ( x )
4 : n e w E A P D U E M S A _ P K C S 1 _ v 1 _ 5 _ E n c o d e ( g o o s e A P D U )
5 : i f   ( E A P D U = n e w E A P D U )
6 : t h e n
7 :             r e c e i v e d   G O O S E   m e s s a g e   v a l i d
8 : e l s e
9 :           r e c e i v e d   G O O S E   m e s s g e   i s   i n v a l i d
10 : r e t u r n   F a l s e
At the publisher device, Algorithm 2 takes input a GOOSE APDU (gooseAPDU) and gives encoded code (EAPDU) using EMSA_PKCS1-v1_5 encoding algorithm. The output of encoding scheme is converted into integer representation (x) which is further signed with RSA private key (Pr_Key) that generates digital signature (ds). At the subscriber device, RSASSA_PKCS1-v1_5_Signature_verify algorithm verifies the generated signature (ds). The received digital signature (ds) is decrypted with RSA public key (Pub_Key) that gives integer representation x. Further, integer representation (x) value is converted into octet string that gives Encoded APDU (EAPDU). A new Encoded APDU (newEAPDU) is generated by taking received GOOSE APDU (gooseAPDU) as input to EMSA Encoding scheme. Newly generated EAPDU and received EAPDU is compared, if both are same then received GOOSE APDU (gooseAPDU) is valid otherwise it is invalid. Figure 6 illustrates the signature generation and verification process based on RSASSA_PKCS1-v1_5 digital signature algorithm.

3.2. HMAC

Keyed Hash based Message Authentication Code (HMAC) is used for data origin authentication and integrity verification mechanisms in the network communications. It can be combined with either of the three different Secure Hash Algorithms: SHA256, SHA384 and SHA512. Secure Hash algorithms are cryptographic hash functions that generate hash values. HMAC combined with either of the above Secure Hash algorithms can be employed to generate digital signature instead of asymmetric RSASSA-PKCS1-v1_5 specified by IEC 62351-6. In this paper, among the above variants we have chosen HMAC with SHA256 algorithm for digital signature calculation. The main goal of these variants is to ensure the authenticity of data and it is not modified during its transmission in the network. HMAC implementation requires a pre-shared key shared by both publisher and subscriber. The security of the HMAC is ensured by the secure distribution and unpredictability of the associated secret symmetric key. The size of input data is arbitrary and produces a fixed size output. For HMAC-SHA256 where key size is 256 bits, it produces 32 bytes of digital signature.
In S-GoSV framework the HMAC algorithm is implemented using openSSL/hmac C libraries. The openSSL/hmac libraries are used to generate the MAC value (i.e., digital signature), using the pre-shared key, which is appended to GOOSE message and sent to subscriber. At the subscriber, again the MAC value is calculated for the received GOOSE message using the pre-shared key. The newly generated MAC value at the subscriber is compared with the received MAC value. If they do not match the GOOSE message is rejected. Figure 8 shows the process of securing GOOSE messages with HMAC algorithm.

4. Implementation Results

4.1. GoSV

Initially, GoSV software framework is implemented that generates custom GOOSE and Sample Values using C library. A testbed consists of three laptop computers connected in a Local Area Network (LAN) environment as shown in the Figure 9. GoSV software program running in a laptop computer constructs custom GOOSE and Sample Values according to TLV formats described in the Figure 3 and Figure 4 and send them in to LAN. Figure 10 and Figure 11 shows the screenshots of GoSV software program sending custom GOOSE and Sample Value frames respectively. In order to test the validity of messages generated by GoSV, Infotech Avenue SAV receiver [24] software is run at the destination node which runs Windows OS. The stream was successfully detected as shown in the Figure 12 where the input stream from GoSV is listed as a legitimate SV message. Further to test the legitimacy of the generated GOOSE and SV messages, Libiec61850’s SV subscriber [10] module is run at the receiving node. Libiec61850 SV subscriber run in Linux platform. The packets are successfully received as SV messages and unpacked as defined in IEC 61850 standard. Figure 12 shows how libiec61850 SV subscriber receives SV messages generated by GoSV software. In addition to this, Wireshark network sniffer software tool identifies GoSV frames as IEC SV and IEC GOOSE messages and all the required fields are successfully decoded as shown in the Figure 13 and Figure 14.

4.2. Secure-GoSV

As security of GOOSE messages is of prime importance which transmits time critical information, compromising it causes devastating consequences in the grid. Authors of this paper further extended the implementation of GoSV software framework to protect GOOSE messages using RSASSA-PKCS1-v1_5 digital signature algorithm as specified by IEC 62351-6 using openSSL library. Protecting Sample Value messages can be further implemented in the future works.
Figure 15 shows the Wireshark capture of implementation of RSASSA-PKCS1-v1_5 digital signature algorithm. Reserved1 and Reserved2 fields of GOOSE APDU fields are used when security mechanism is applied. In order to carry additional value of digital signature, an extension field which consists of SEQUENCE, Authentication value in tag-length-value (TLV) format is constructed in the program. Figure 15 shows tag value for SEQUENCE field is 0x30 and length is 0x24. Authentication field tag value is 0xA4 and length is 0x22. Finally, digital signature tag value is 0x85, length value is 0x80 followed by 128 bytes of generated digital signature value by RSASSA-PKCS1-v1_5 digital signature algorithm. Similarly, Figure 16 shows the Wireshark capture of implementation of HMAC algorithm for securing GOOSE message.

5. Conclusions

IEC 61850 standard is receiving more attention as it is poised to become the power system communication standard of the future. Much of the research focuses on customizing IEC 61850 information models as well as message structures to accommodate new smart grid equipment. Current software available for GOOSE and SV messages do not have the capability to customize their contents and properties, such as contained data and sampling rate. However, performance studies necessitate the existence of a tool that can construct and publish custom GOOSE and SV messages. GoSV software is developed to fill this gap. Lab tests show that messages published by GoSV strictly conform to IEC 61850 format as they are successfully identified by several other software such as Infotech Avenue receiver software which runs on Windows OS platform and Libiec61850 Subscriber module which runs on Linux. Furthermore, Wireshark network sniffer software tool also successfully decodes all the fields of generated custom GoSV frames. In addition to publishing messages, security requirements for GOOSE messages is implemented based on IEC 62351-6 which specifies digital signatures to achieve message authentication and integrity. GoSV software is extended as S-GoSV to implement RSASSA-PKCS1-v1_5 digital signature based on IEC 62351-6 recommendation. After running performance studies with S-GoSV, it is found that RSA based digital signatures do not meet the timing requirements of power system communication and an alternative is required. MAC based digital signature algorithm HMAC-SHA256 is implemented for GOOSE messages. For future work, it is possible to secure Sample Value messages in the substation communication network.

Author Contributions

All authors contributed equally.

Funding

This work was supported by Research and Innovation Fund 2018.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Ali, I.; Hussain, S.M.S.; Tak, A.; Ustun, T.S. Communication modeling for differential protection in IEC-61850-based substations. IEEE Trans. Ind. Appl. 2018, 54, 135–142. [Google Scholar] [CrossRef]
  2. Communication Networks and Systems for Power Utility Automation, 2.0.; Standard IEC 61850; IEC: Geneva, Switzerland, 2013.
  3. Aftab, M.A.; Roostaee, S.; Hussain, S.M.S.; Ali, I.; Thomas, M.; Mehfuz, S. Performance Evaluation of IEC 61850 GOOSE based inter substation communication for accelerated distance protection scheme. IET Gener. Transm. Distrib. 2018, 12, 4089–4098. [Google Scholar] [CrossRef]
  4. Ustun, T.S.; Ozansoy, C.; Zayegh, A. A central microgrid protection system for networks with fault current limiters. In Proceedings of the 2011 10th International Conference on Environment and Electrical Engineering, Rome, Italy, 8–10 May 2011; pp. 1–4. [Google Scholar]
  5. Ali, I.; Thomas, M.S.; Gupta, S.; Hussain, S.M.S. Information modeling for Distributed Energy Resource integration in IEC 61850 based substations. In Proceedings of the 2015 Annual IEEE India Conference (INDICON), New Delhi, India, 17–19 December 2015; pp. 1–6. [Google Scholar]
  6. Hussain, S.M.S.; Ustun, T.S.; Nsonga, P.; Ali, I. IEEE 1609 WAVE and IEC 61850 Standard Communication Based Integrated EV Charging Management in Smart Grids. IEEE Trans. Veh. Technol. 2018, 67, 7690–7697. [Google Scholar] [CrossRef]
  7. Hussain, S.M.S.; Tak, A.; Ustun, T.S.; Ali, I. Communication Modeling of Solar Home System and Smart Meter in Smart Grids. IEEE Access 2018, 6, 16985–16996. [Google Scholar] [CrossRef]
  8. Hegazi, O.; Hammad, E.; Farraj, A.; Kundur, D. IEC-61850 GOOSE traffic modeling and generation. In Proceedings of the 2017 IEEE Global Conference on Signal and Information Processing (GlobalSIP), Montreal, QC, Canada, 14–16 November 2017; pp. 1100–1104. [Google Scholar]
  9. Lopes, Y.; Muchaluat-Saade, D.C.; Fernandes, N.C.; Fortes, M.Z. Geese: A traffic generator for performance and security evaluation of IEC 61850 networks. In Proceedings of the 2015 IEEE 24th International Symposium on Industrial Electronics (ISIE), Buzios, Brazil, 3–5 June 2015; pp. 687–692. [Google Scholar]
  10. LibIEC61850. Available online: http://libiec61850.com/libiec61850/ (accessed on 1 July 2019).
  11. GoSv. Available online: https://github.com/61850security/GoSV (accessed on 1 July 2019).
  12. Hong, J.H.; Liu, C.-C.; Govindarasu, M. Integrated anomaly detection for cyber security of the substations. IEEE Trans. Smart Grid. 2014, 5, 1643–1653. [Google Scholar] [CrossRef]
  13. Cai, J.; Zheng, Y.; Zhou, Z. Review of cyber-security challenges and measures in smart substation. In Proceedings of the 2016 International Conference on Smart Grid and Clean Energy Technologies (ICSGCE), Chengdu, China, 19–22 October 2016; pp. 65–69. [Google Scholar]
  14. Chattopadhyay, A.; Ukil, A.; Jap, D.; Bhasin, S. Toward threat of implementation attacks on substation security: Case study on fault detection and isolation. IEEE Trans. Ind. Inform. 2018, 14, 2442–2451. [Google Scholar] [CrossRef]
  15. Farooq, S.M.; Hussain, S.M.S.; Kiran, S.; Ustun, T.S. Certificate based authentication mechanism for PMU communication networks based on IEC 61850-90-5. Electronics 2018, 7, 370. [Google Scholar] [CrossRef]
  16. Power Systems Management and Associated Information Exchange—Data and Communications Security, Part 6: Security for IEC 61850, IEC/TS 62351-6:2007(E); IEC: Geneva, Switzerland, 2007.
  17. Hohlbaum, F.; Braendle, M.; Fernando, A. Cyber security practical considerations for implementing IEC 62351. In Proceedings of the PAC World Conference, Dublin, Ireland, 28–90 June 2010; pp. 21–24. [Google Scholar]
  18. Ishchenko, D.; Nuqui, R. Secure communication of intelligent electronic devices in digital substations. In Proceedings of the IEEE PES Transmission and Distribution Conference & Exposition, Denver, CO, USA, 16–19 April 2018; p. 115. [Google Scholar]
  19. Farooq, S.M.; Hussain, S.M.S.; Ustun, T.S. Performance Evaluation and Analysis of IEC 62351-6 Probabilistic Signature Scheme for Securing GOOSE Messages. IEEE Access 2019, 7, 32343–32351. [Google Scholar] [CrossRef]
  20. Jonsson, J.; Kaliski, B. Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1; Document RFC 3447; IETF: Fremont, CA, USA, 2003. [Google Scholar]
  21. Jonsson, J.; Kaliski, B. Public-Key Cryptography Standards (PKCS) #1: RSA Encryption Version 1.5; Document RFC 2313; IETF: Fremont, CA, USA, 1998. [Google Scholar]
  22. S-GoSV. Available online: https://github.com/61850security/S-GoSV-part-1 (accessed on 1 July 2019).
  23. Hussain, S.M.S.; Farooq, S.M.; Ustun, T.S. Analysis and Implementation of Message Authentication Code (MAC) Algorithms for GOOSE Message Security. IEEE Access 2019, in press. [Google Scholar] [CrossRef]
  24. SAV Sender and Receiver—INFO TECH. Available online: https://goo.gl/8yLw9A (accessed on 26 June 2019).
Figure 1. Ethernet frame.
Figure 1. Ethernet frame.
Energies 12 02536 g001
Figure 2. Basic Encoding rule followed by Tag, Length and Value (TLV).
Figure 2. Basic Encoding rule followed by Tag, Length and Value (TLV).
Energies 12 02536 g002
Figure 3. Description of IEC 61850-9-2 Sample Values payload fields.
Figure 3. Description of IEC 61850-9-2 Sample Values payload fields.
Energies 12 02536 g003
Figure 4. TLV format of pay load fields of GOOSE and Sample Values.
Figure 4. TLV format of pay load fields of GOOSE and Sample Values.
Energies 12 02536 g004
Figure 5. Frame generation process.
Figure 5. Frame generation process.
Energies 12 02536 g005
Figure 6. Generation and verification using of digital signature RSASSA-PKCS1-v1_5.
Figure 6. Generation and verification using of digital signature RSASSA-PKCS1-v1_5.
Energies 12 02536 g006
Figure 7. Extension field of GOOSE APDU according to IEC 62351-6.
Figure 7. Extension field of GOOSE APDU according to IEC 62351-6.
Energies 12 02536 g007
Figure 8. HMAC integration to GOOSE messages for secure communication.
Figure 8. HMAC integration to GOOSE messages for secure communication.
Energies 12 02536 g008
Figure 9. LAN set up to test the developed software ‘GoSV’.
Figure 9. LAN set up to test the developed software ‘GoSV’.
Energies 12 02536 g009
Figure 10. GoSV software program sending custom GOOSE frames.
Figure 10. GoSV software program sending custom GOOSE frames.
Energies 12 02536 g010
Figure 11. GoSV software program sending custom SV frames.
Figure 11. GoSV software program sending custom SV frames.
Energies 12 02536 g011
Figure 12. Infotech Avenue Receiver detecting the stream of GoSV software framework.
Figure 12. Infotech Avenue Receiver detecting the stream of GoSV software framework.
Energies 12 02536 g012
Figure 13. Wireshark capture of GOOSE frame values.
Figure 13. Wireshark capture of GOOSE frame values.
Energies 12 02536 g013
Figure 14. Wireshark capture of SV frame values.
Figure 14. Wireshark capture of SV frame values.
Energies 12 02536 g014
Figure 15. Wireshark capture of GOOSE frame with the extension of RSASSA-PKCS1-v1_5 digital signature.
Figure 15. Wireshark capture of GOOSE frame with the extension of RSASSA-PKCS1-v1_5 digital signature.
Energies 12 02536 g015
Figure 16. Wireshark capture of GOOSE frame with the extension of HMAC-SHA256 digital signature.
Figure 16. Wireshark capture of GOOSE frame with the extension of HMAC-SHA256 digital signature.
Energies 12 02536 g016
Table 1. GOOSE payload fields.
Table 1. GOOSE payload fields.
Field NameHex Value/Value in BytesSize (in Bytes)Description
goosePDU Tag 0x61812GOOSE protocol data unit
goosePDU Length 1452
goosePDU Value fieldgocbRef_Tag0x801Reference to the associated GoCB that is controlling the GOOSE message
gocbRef_length261
gocbRef_value 26
timeAllowedtoLive_Tag0x811The time a receiver waits before receiving a re-transmitted
timeAllowedtoLive_Length31
timeAllowedtoLive_value 3
Dataset_Tag0x821Name of the Data Set
Dataset_length241
Dataset_value 24
goID_tag0x831ID of publishing IED
goID_length111
goID_value 11
Time_tag0x841Time stamp indicating a new GOOSE event
Time_length81
Time_value 8
st_Num_tag0x851Status Number—counter that increments with every GOOSE event
st_Num_length11
st_Num_value 1
sq_Num_tag0x861Sequence Number—counter that increments with every repeated GOOSE message
sq_Num_length11
sq_Num_value 1
Test_tag0x871Specifies if a message is/is not intended for testing
Test_length11
Test_value 1
confRev_tag0x881Number of times Data Set has changed
confRev_length11
confRev_value 1
ndsCom_tag0x891Needs commissioning field
ndsCom_length11
ndsCom_value 1
numDatSetEntries_tag0x8A1Number of data elements in ‘allData’ field
numDatSetEntries_length11
numDatSetEntries_value 1
All_data_tag0xAB1Actual data being sent (bool, integer, float, etc.)
All_data_length321
All_data_value 32
Table 2. Computational time for RSASSA-PKCS1-v1_5 digital signature algorithm.
Table 2. Computational time for RSASSA-PKCS1-v1_5 digital signature algorithm.
DS AlgorithmKey Size (bits)DS Signing Time (ms)DS Verification Time (ms) ProcessorReference
RSASSA-PKCS1-v1_510240.9420.283Intel i5-3210M CPU @2.50GHz[19]
20483.560.75
Back to TopTop