Abstract

The International Electrotechnical Commission (IEC) 62351-6 standard specifies the security mechanisms that protect real-time communications based on IEC 61850. Generic Object Oriented Substation Events (GOOSE) and Sampled Value (SV) messages must be generated, transmitted and processed in less than 3 ms, which challenges the introduction of IEC 62351-6. After evaluating the security threats to IEC 61850 communications and the state of the art in GOOSE and SV security, this work presents a novel architecture based on wire-speed processing that provides message authentication and confidentiality. This architecture has been implemented and tested to evaluate its performance, resource usage, and the latency introduced. Other proposals in the scientific literature do not support real-time traffic, so they are not suitable for GOOSE and SV messages. Whereas the others exceed the target latency of 3 ms or do not comply with the standards, our design authenticates and encrypts real-time IEC 61850 data in less than 7 μs, with predictable latency, and complies with IEC 62351:2020.

Highlights

  • Smart Grid and modern Substation-Automation-Systems (SAS) are considered critical infrastructures by governments and organizations [1]–[4]

  • The simulation environment has been created with Vivado 2018.3 and consists of 2 instances, A and B, of the Intellectual Property (IP) core, which are interconnected in a daisy chain

  • Result analysis is carried out using the waveform view of the simulation, whereas configuration is made by writing and reading the internal registers of the IP cores from the testbench


Summary

INTRODUCTION

Smart Grid and modern Substation-Automation-Systems (SAS) are considered critical infrastructures by governments and organizations [1]–[4]. These two authentication algorithms are based on symmetric-key cryptography, which reduces computation load in comparison with asymmetric-key cryptographic algorithms, such as RSA. This change is expected to enable the generation of digital signatures without compromising the time requirements set by IEC 61850 for GOOSE and SV messages. They propose 3 methods derived from IEC 62351-6 that use AES and SHA-256 to protect communications in three different ways. In MAC-then-Encrypt (MtE), the digital signature is calculated over the GOOSE APDU, and both the GOOSE APDU and the security extension are encrypted. This method makes decrypting the frame impossible for the receiver, as the IEC 62351-6 extension where the required cryptographic information is stored has been encrypted. HASH: the calculated HMAC value that authenticates all the bytes of the frame, starting from the Ethertype and up to and including the APDU.
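The HMAC coverage described above (Ethertype through the end of the APDU), as an added Python example that is not code from the paper. It assumes HMAC-SHA256 with a full 32-byte tag appended directly after the APDU instead of the IEC 62351-6 extension encoding; the function names, frame contents and key are constructed for illustration.

```python
import hashlib
import hmac
import struct

GOOSE_ETHERTYPE = 0x88B8   # Ethertype assigned to GOOSE
VLAN_TPID = 0x8100         # 802.1Q tag, sits before the Ethertype

def covered_span(frame: bytes) -> tuple[int, int]:
    """Return (start, end) of the bytes from the Ethertype through the APDU."""
    start = 12                                   # skip destination and source MAC
    if struct.unpack_from("!H", frame, start)[0] == VLAN_TPID:
        start += 4                               # skip one optional 802.1Q tag
    ethertype, _appid, length = struct.unpack_from("!HHH", frame, start)
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    end = start + 2 + length                     # Length counts from APPID to end of APDU
    if length < 8 or end > len(frame):
        raise ValueError("bad Length field")
    return start, end

def protect(frame: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag right after the APDU (assumed layout)."""
    start, end = covered_span(frame)
    return frame[:end] + hmac.new(key, frame[start:end], hashlib.sha256).digest()

def verify(frame: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; malformed frames fail."""
    try:
        start, end = covered_span(frame)
    except (ValueError, struct.error):
        return False
    expected = hmac.new(key, frame[start:end], hashlib.sha256).digest()
    return hmac.compare_digest(frame[end:], expected)

def build_frame(apdu: bytes, vlan_pcp: int = 4) -> bytes:
    """Constructed sample frame: MACs, VLAN tag, GOOSE header, APDU."""
    macs = bytes.fromhex("010ccd010001") + bytes.fromhex("020000000001")
    vlan = struct.pack("!HH", VLAN_TPID, (vlan_pcp << 13) | 1)
    header = struct.pack("!HHHHH", GOOSE_ETHERTYPE, 0x0001, 8 + len(apdu), 0, 0)
    return macs + vlan + header + apdu

if __name__ == "__main__":
    key = bytes(range(32))                       # constructed demo key
    sent = protect(build_frame(b"constructed-goose-apdu"), key)
    tampered = bytearray(sent); tampered[-33] ^= 0x01   # last APDU byte
    print(verify(sent, key), verify(bytes(tampered), key))  # True False
```

Because coverage starts at the Ethertype, the MAC addresses and the 802.1Q tag sit outside the authenticated range: rewriting the VLAN priority in transit leaves the tag valid, so a receiver should not treat those fields as authenticated.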

PROPOSED SOLUTION
RESULTS
COMPARISON
CONCLUSION