Secure Communication Modeling for Microgrid Energy Management System: Development and Application

As the number of active components increases, distribution networks become harder to control. Microgrids are proposed to divide large networks into smaller, more manageable portions. The benefits of using microgrids are multiple; the cost of installation is significantly smaller and renewable energy-based generators can be utilized at a small scale. Due to the intermittent and time-dependent nature of renewables, to ensure reliable and continuous supply of energy, it is imperative to create a system that has several generators and storage systems. The way to achieve this is through an energy management system (EMS) that can coordinate all these generators with a storage system. Prior to on-site installation, validation studies should be performed on such controllers. This work presents a standardized communication modeling based on IEC 61850 that is developed for a commercial microgrid controller. Using commercial software, different terminals are set up as intelligent electronic devices (IEDs) and the operation of the EMS is emulated with proper message exchanges. Considering that these messages transmit sensitive information, such as financial transactions or dispatch instructions, securing them against cyber-attacks is very important. Therefore, message integrity, node authentication, and confidentiality features are also implemented according to IEC 62351 guidelines. Real message exchanges are captured with and without these security features to validate secure operation of the standard communication solution.


Introduction
In the past decade, power systems have witnessed a very rapid transformation, yet there are many unelectrified communities around the globe [1]. While some isolated communities in developed countries can be counted in this category, the bulk of this population lives in Sub-Saharan Africa, South Asia, and Latin America [2]. Traditional grid extension solution does not apply, as most of these locations are far from cities and costs of such projects are simply too high, i.e., prohibitive [3]. Isolated islands have inherent limitations and require scalable solutions. Reports show that electricity, or lack thereof, has great impact on quality of life, gender equality, and poverty eradication [4].
Traditionally, diesel generators are used in isolated communities. However, diesel generators have significant drawbacks such as the high cost of fuel and its availability, environmental pollution, and regular maintenance and service costs. Alternatively, renewable energy source-based distributed generators are emerging [5]. They are less intrusive to the environment and have much lower capital cost [6]. For over a century, bulk generation and transmission dominated the scene [7], and it was simply impossible for these sites to be electrified. However, with the advent of renewable energy-based generators, microgrids are picking up pace. Their ability to provide energy at small scale lends itself to geographically limited areas, e.g., communities in deserts or small islands. The intermittency and time-dependent generation profile of these systems require storage systems and coordination to supply reliable energy [8].
To address this gap, equipment that can track several generators and the load within a microgrid to coordinate charging and discharging of a battery energy storage system (BESS) has been developed [9]. The energy management system (EMS) needs to follow the load profile in a microgrid, estimate generation profile of the generators, and keep the battery charge at an appropriate level [10]. In addition, EMS is responsible for responding to system disturbances, such as generator loss or frequency deviation, to ensure the operation is as smooth as possible [11].
All these capabilities need to be integrated over a standard communication infrastructure for interoperability between different equipment. These are required to monitor the current status of the power network and to notify new operating conditions from EMS. There are many EMS algorithms in the literature [12][13][14][15]. However, these works only focus on the development and solution of an optimization equation. There is no detail about how such dispatch information is relayed. For instance, an EMS algorithm may be run, and as a result, storage needs to start discharging [16]. How this information will be sent from the EMS controller to the storage device is not discussed. It is assumed that there is a reliable and functioning communication solution that will enable transmission of such messages. There is some literature which focuses on developing communication architecture for an EMS [16][17][18]. However, these only focus on the information model development and not real implementations. Also, detailed communication models of the components are not given.
The main contribution of the work presented in this manuscript is to develop a real-life communication system that enables EMS components to communicate in a standard way. Its objective is to develop a communication infrastructure that can seamlessly connect different equipment from different vendors without any issues. In this regard, IEC 61850 has emerged as a promising solution for power utility automation domain since it proposes an object-oriented approach for information modeling of different components of the power system [19].
The object-oriented modeling approach helps in organizing data, configuring objects and making them consistent and interoperable. There is a consensus among research and industry stakeholders that IEC 61850 will emerge as the communication standard of the future smart grid [20,21]. The research focuses on extending IEC 61850 to model new components such as electric vehicles (EVs) [22], smart meters [23], different protection schemes [24], and fault current limiters [25]. Building on this trend, a standardized model needs to be developed for EMS controllers in microgrids.
This paper presents a standardized communication modeling of an EMS that is developed for a real microgrid. Individual components are developed with logical devices (LDs) and logical nodes (LNs). These individual models are combined to develop overall EMS modeling. Furthermore, data objects (DOs) are designated and mapped to variables that are monitored in the microgrid. Generic object-oriented substation event (GOOSE) and manufacturing message specification (MMS) messages are configured to exchange information between microgrid components and the EMS controller. Further, the IEC 62351 cybersecurity considerations for securing these IEC 61850 GOOSE and MMS messages are implemented and results are demonstrated.
The rest of the paper is organized as follows: Section 2 shows the operation principles of the EMS controller that is modeled. Section 3 details the standard communication models that are developed and shows message exchanges for different scenarios. Section 4 discusses the implementation of IEC 62351 cybersecurity considerations for GOOSE and MMS messages. Section 5 gives future research directions and draws the conclusions.

Microgrid EMS Operation Principles
In this paper, a microgrid EMS controller for an off-grid island located in Southeast Asia is considered [11]. In this scenario, ample solar potential is envisioned. As shown in Figure 1, said microgrid consists of a diesel generator, photovoltaic (PV) system, battery system, and loads. The diesel generator operates in grid-forming mode and stipulates voltage and frequency. PV and battery systems are utilized to maximize renewable energy use. It is observed that for 250 kW of aggregated load, there is excess installed capacity; 225 kW diesel generator, 50 kW PV system and 100 kW battery system. The EMS in question implements two main functions:
Function 1: Diesel Generator Output Control
In this function, generator outputs and the load values are monitored. PV or BESS are instructed to meet some of the demand so that the diesel generator's output does not exceed its upper boundary. Currently, there are 4 units in the diesel generator plant, and it is desired to use only 1 of them. That is to say, when the demand rises and another diesel generator unit needs to be fired, the EMS controller meets this demand from PV and BESS to avoid this. Furthermore, the increase in the microgrid's demand value can be compensated with the functionality. In this fashion, PV or BESS will be utilized to meet the increase in demand, instead of new diesel generators.
There is a certain lower boundary for the output of diesel generator so that it can successfully set local voltage and frequency. Inverters, utilized for PV and BESS, mostly need a reference point to follow. Smart inverters, which can help with grid forming, will be investigated in future work [10].
Function 2: Frequency Control
In this function, the frequency at the terminals of the diesel generator is monitored. In case of a swing, BESS is triggered to suppress the variation in the frequency value. Since the frequency control requires a much quicker and more reliable response, EMS instructs the BESS to charge or discharge. In an ideal situation, if there is a frequency drop, the preferred step is to increase the generation from the PV system. However, this depends on the current solar radiation, power output of PV, and its ability to pick up EMS's instruction quickly. In order to ensure the desired operation, BESS is prioritized as such events have larger impacts in off-grid systems [26].

EMS Modeling with IEC61850
Communication models of these four components of the microgrid are developed with LDs and LNs of IEC 61850. The diesel generator model has four LDs. LD0 represents operation modes with DOPR1, schedules with DSCH1, and related information with DOPM1 and DRCC1. LD0 is included in all models, i.e., diesel generator, PV, load and BESS and used for similar purposes. LD01 models physical connection with XCBR5 and measurement devices with MMXU5. EMS contacts MMXU5 to acquire any measurement data and instructs XCBR5 to connect or disconnect to the microgrid. LD2 in PV and BESS model energy generation and storage characteristics of these devices. For PV, it models PV module with DPVC1 and DPVM1, inverter with ZINV. As for BESS, it models battery with DBAT1 (for rated value information), inverter with ZINV1, and battery controller with ZBTC1. EMS contacts ZINV if any specific information or instruction is to be sent to inverters of PV or BESS. BESS includes a battery and EMS can retrieve related information from DBAT1 and change its settings in ZBTC1. The load model includes two separate LNs for connection and measurement, i.e., XCBR1 and MMXU1, respectively. This model can be used for multiple loads. In other words, it does not necessarily model aggregate load. EMS only considers load-shedding by instructing XCBR1 to disconnect from the microgrid. Sophisticated demand side management schemes are not implemented. Therefore, detailed real, reactive, apparent power, and power factor measurements are included in the model. These are stored inside MMXU1 LN, namely in TotW, TotVAr, TotVA, TotPF data objects.
EMS is an intelligent electronic device (IED) that is connected to these components as shown in Figure 1 and uses the communication mapping detailed in Figure 2. In order to test the operation and validate message exchanges, different scenarios are run, and the operation is observed. Due to lack of space, detailed message captures are only given for results of Function 2. Nevertheless, Table 1 summarizes all the operation details of these functions. It illustrates the different functions, the components involved, specific action taken, and the types of IEC 61850 messages used.

Function 1: Diesel Generator Output Control Tests (Load Decrease)
The load value is set, initially, to 160 kW. PV output is at its limit, 50 kW, and the remaining 110 kW is sourced by the diesel generator. PV operating mode and its limit are reported as follows: In reality, this is a very high value, but the purpose is to see how EMS controller reacts. At t = 1 sec, the load is decreased from 160 to 100 kW. Without any EMS controller, this drop is reflected on the diesel generator's output while PV and BESS stay the same. This causes the diesel generator's output to go beyond its lower limit.
There are two ways to solve this. The EMS controller can instruct BESS to start charging so that the diesel generator's output is higher than the lower limit. This command is relayed from EMS to BESS via ZBTC LN.

EMS_controller → Battery.ZBTC $ BatChaSt $ ENG $ '2' (Battery charging operational mode).
If the BESS is already charged, or the drop in the diesel generator's output is very high, the EMS controller can instruct PV to curtail its generation. It is important to note that if the load decrease was larger, this option would not be sufficient on its own. In that case, a combination of the above is required. This "if" statement and the resultant curtailment instruction are performed by EMS as follows:

Function 1: Supply-Demand Control Tests (Load Increase)
Initially, load was set to 140 kW. The PV generator provides no power, and the entire demand is met by the diesel generator, i.e., 140 kW. The upper limit of the diesel generator is set to be 140 kW. Of available units, only unit 1 is operating under these conditions. These settings and operating values are mapped to communication models as follows: In reality, this may not be a very high value, but the purpose is to see how the EMS controller reacts. At t = 1 s, the load is increased from 140 to 190 kW. Without any EMS controller, this increase is reflected on the diesel generator's output and it exceeds its upper limit. This means additional units of diesel generators need to be turned on to meet this demand (i.e., by setting Diesel.DGEN2 $ GnOpSt to 2). Since PV generation is not dispatchable, in this case, the only solution is to instruct BESS to discharge. BESS immediately starts discharging and gradually increases the amount of provided energy. This ramp rate is totally dependent on the battery characteristics and can be improved by using batteries with high discharge speeds. In parallel, DG output decreases below the upper limit.

Function 2: Frequency Control Tests
Initially, load was set to 150 kW. The PV generator provides no power, the entire demand is met by the diesel generator and the frequency is 50 Hz. At t = 1.6 s, load is reduced from 150 to 70 kW. Figure 3a,b show results with and without the EMS controller, respectively [11]. It can be observed that the frequency swing without the EMS controller is much larger than that with the EMS controller.
The EMS controller compares the lower limit of the diesel generator with its current measured value. If the latter is lower, then it instructs battery to operate in frequency response mode. These are performed as follows:

If Diesel.DRCC$OutWSet < Diesel.DOPR $ ECPNomWRtg (min) Then EMS_controller → Battery.DSFC $ HzAct $ SPC $ '1' (1-activate frequency control mechanism).
This command is relayed to BESS via a GOOSE message, as this is an event-based operation. Figure 4 shows the Wireshark capture of the message sent by EMS to BESS to commence frequency support. At any time, EMS can inquire about the operating mode of BESS via MMS messages. Figure 5 shows the information request sent by EMS (IP address 192.168.0.4) to BESS (IP address 192.168.0.5) and the response sent back. As shown, the request MMS has "Battery.LD0.DSFC$ST HzAct" while the response MMS shows "True (1)". This confirms the BESS is operating in frequency support mode.
EMS and other communication models are emulated using IEC 61850 software tools in a local area network (LAN). As shown in Figure 6, EMS can connect to any of these IEDs (the example shows diesel and BESS) to read and set the parameters. This ensures necessary parameters are read for decision making and others are set as required by the EMS logic. As shown, EMS instructs the diesel IED to connect to the network and start injecting power while BESS is instructed to activate its HzAct mode, i.e., frequency support mode.

Cybersecurity Considerations for Microgrid Communication
The IEC 61850 message exchanges for realizing the microgrid energy management functions are described in the previous section. These messages carry critical and sensitive information such as dispatch instructions or control commands for energy management operation. If any of these messages are tampered with or modified, this would have an adverse impact on microgrid energy management operation. Further, it may lead to severe consequences. Hence, all the message exchanges must be protected against any potential attack.
In this regard, IEC 62351 standard series has recommended security guidelines for safeguarding IEC 61850 messages [27]. From Table 1, it is clear that GOOSE and MMS messages are employed for realizing the energy management function. Hence, the GOOSE and MMS messages must be protected against any potential cyberattacks.

Security Considerations for GOOSE Message
IEC 62351-1 considers authenticity and integrity as the security requirements for GOOSE messages. To achieve this, IEC 62351-6 recommends appending an authentication value to the GOOSE messages. The authentication value is generated by digitally signing a message authentication code (MAC) using RSASSA-PKCS1-v1_5. The MAC is generated by computing a hash value of the GOOSE APDU using the SHA256 algorithm. This digitally signed authentication value is added as an extension field to the GOOSE message as shown in Figure 7. The format of this extension field is shown in Figure 8. At the publisher IED, all the GOOSE messages are appended with digitally signed authentication values. After receiving a GOOSE message, the subscriber IED decrypts the digitally signed authentication value and also computes a new hash value for the received GOOSE APDU. The computed hash value is then compared with the decrypted authentication value. If these values match, the received GOOSE message is authentic. If the values do not match, the GOOSE message is discarded as it is not authentic.
Figure 7. Extended GOOSE message with security field appended.
Previous studies reported that the RSA-based digital signatures for generating authentication values require high processing times, hence cannot be applied to GOOSE messages, which have very stringent timing requirements of 3 ms (including computational and communication delays) [28]. Hence, in literature, elliptic curve digital signature algorithm (ECDSA)-based digital signatures were proposed, which resulted in comparatively lower computational times but still not enough for GOOSE requirements. Recently, hashed message authentication code (HMAC)-based algorithms have been proposed as an alternate solution to secure the GOOSE messages [29]. HMAC-based algorithms resulted in very low computational times, well below the 3 ms, which do not affect the performance of the GOOSE messages.
In this paper, HMAC algorithms are utilized to secure the GOOSE messages. The size of the extension field for different digital signatures and HMAC variants is shown in Table 2.
The IEC 61850 GOOSE message exchanges for implementing the functions discussed in Section 3, also shown in Table 1, are secured by adding HMAC-based authentication values. The GOOSE message shown in Figure 4, published by EMS to activate frequency mode operation in BESS, is secured by appending the HMAC-based authentication value as shown in Figure 9. Similarly, all the GOOSE messages published are secured by appending the authentication values.
Table 2, row 1: RSASSA-PKCS1-v1_5, 128
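An added example, not code from the paper or from any IEC 62351 implementation: the publisher/subscriber check described in this section, using HMAC-SHA256 from Python's standard library. The frame layout, the pre-shared key, the tag lengths and the sample APDU bytes are assumptions made for illustration; this is not the extension-field format of Figure 8.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: a byte string standing in for a GOOSE APDU that carries
# the page's frequency-support command. Real APDUs are ASN.1/BER encoded.
SAMPLE_APDU = b"Battery.DSFC$HzAct$SPC=1"
# Assumed pre-shared key; how IEDs obtain it is outside this sketch.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG_LENGTHS = (32, 16)   # full and truncated HMAC-SHA256 tags (illustrative)
GOOSE_BUDGET_MS = 3.0    # GOOSE timing requirement quoted on the page


def compute_tag(key: bytes, apdu: bytes, tag_len: int = 32) -> bytes:
    """HMAC-SHA256 over the APDU, optionally truncated to tag_len bytes."""
    if tag_len not in TAG_LENGTHS:
        raise ValueError("unsupported tag length")
    return hmac.new(key, apdu, hashlib.sha256).digest()[:tag_len]


def publish(key: bytes, apdu: bytes, tag_len: int = 32) -> bytes:
    """Publisher side: APDU length | APDU | tag length | tag (assumed layout)."""
    tag = compute_tag(key, apdu, tag_len)
    return struct.pack("!H", len(apdu)) + apdu + bytes([len(tag)]) + tag


def subscribe(key: bytes, frame: bytes, required_tag_len: int = 32):
    """Subscriber side: return the APDU if the tag verifies, else None."""
    if len(frame) < 2:
        return None
    (apdu_len,) = struct.unpack_from("!H", frame, 0)
    ext_at = 2 + apdu_len
    if len(frame) <= ext_at:
        return None                      # no extension field: unsecured frame
    tag_len, tag = frame[ext_at], frame[ext_at + 1:]
    # The length byte comes from the network, so enforce the locally configured
    # length instead of trusting it; this blocks downgrade to a shorter tag.
    if tag_len != required_tag_len or len(tag) != tag_len:
        return None
    apdu = frame[2:ext_at]
    expected = compute_tag(key, apdu, required_tag_len)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return apdu if hmac.compare_digest(tag, expected) else None


def mean_tag_time_ms(key: bytes, apdu: bytes, rounds: int = 2000) -> float:
    """Average MAC computation time on this host, to compare with the budget."""
    start = time.perf_counter()
    for _ in range(rounds):
        compute_tag(key, apdu)
    return (time.perf_counter() - start) * 1000 / rounds


if __name__ == "__main__":
    frame = publish(KEY, SAMPLE_APDU)
    tampered = frame.replace(b"SPC=1", b"SPC=0")   # command flipped in transit
    print("authentic :", subscribe(KEY, frame))
    print("tampered  :", subscribe(KEY, tampered))
    print("mean HMAC time (ms):", round(mean_tag_time_ms(KEY, SAMPLE_APDU), 4))
```

The timing figure covers only the MAC computation on the machine running the script, so it indicates the order of magnitude rather than the delay on an IED.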

Security Considerations for MMS Messages
IEC 62351-4 recommends transport layer security (TLS) defined by the RFC 5246 for securing the IEC 61850 MMS messages. Through TLS mechanism, a secure session is established between client and server before exchanging any data. TLS defines a cipher suite which is a set of cryptographic algorithms for peer authentication, key exchange, encryption, and message authentication for establishing a secure session. Figure 10 illustrates the message exchanges between a client and server for establishing a TLS session. The client and server initially exchange certificates (X.509 format) and verify each other. The node authenticity is confirmed by the certificate exchange mechanism. Also, through the certificate exchange, the public keys of both client and server are exchanged. Once the certificates are exchanged, the client sends a secret key by using any key exchange algorithm such as Diffie-Hellman (DH). Using this secret key, the client and server negotiate changes in cipher suite. Once the cipher suite is finalized, further application message exchanges are encrypted with digital signatures according to the cipher suite algorithms. This encryption of the application message exchanges ensures confidentiality of the message exchanges.
The IEC 62351-4 standard specifies that the minimum cipher suite for securing MMS messages shall be TLS_DH_DSS_WITH_AES_256_SHA. This implies that the DH algorithm is used for establishing the secret key, advanced encryption standard-256 (AES 256) is used for application data encryption, and the secure hash algorithm (SHA-256) is utilized as the hash function. Further, IEC 62351-4 specifies the use of port 3782 in the transport layer for establishing TLS sessions and exchanging MMS messages.
Using the above cipher suite, the IEC 61850 message exchanges described in Table 1 for realizing different EMS functions are secured. As an example, the IEC 61850 MMS request message shown in Figure 5 is secured by establishing a TLS session over port 3782 with the above cipher suite. Figure 11 shows the screenshot of the TLS-secured MMS request in which EMS requests the operating mode of BESS.
Figure 11. Transport layer security (TLS) secured IEC 61850 MMS request showing information request by energy management system (EMS) to battery energy storage system (BESS).

Conclusions
Integration of intermittent renewable energy technologies in power systems, especially in microgrids, requires extensive monitoring and control. EMS controllers can be utilized for this purpose. Considering the variety of equipment that can be a part of the microgrid and the diversity of manufacturers, it is imperative that a standard communication infrastructure be developed. This ensures that the EMS can communicate with different devices in an interoperable way. IEC 61850 is poised to be the communication standard of future smart grids due to its object-oriented structure and data-transmission capacity.
In this paper, an IEC 61850-based communication model has been developed and implemented for a microgrid EMS. The developed IEC 61850 models were emulated and real-time message exchanges between different components of the microgrid for energy management are shown. The results validate the developed models and message mapping. The results from the emulation models are very useful before the actual deployment of the system in the field. Furthermore, considering that sensitive operational data is exchanged in these messages, cybersecurity features have been implemented as per IEC 62351. Messages with and without security features are compared to highlight differences in tags and message size. Future work may focus on investigating the performance of the proposed IEC 61850-based communication for microgrid EMS on a real hardware system by including a real microgrid controller (such as SEL RTAC 3555) in conjunction with a real time digital simulator (RTDS). Further, investigations on the performance of the proposed system for different communication technologies that can be used in small islands with a more diverse generation portfolio can be conducted.