IEC 61850 traffic analysis in electrical automation networks

Abstract

The IEC 61850 protocol suite is emerging as a de-facto standard solution for the interoperability problem in automation networks. Intelligent Electronic Devices (IEDs) support this protocol and their recent deployment in substation automation systems (SAS) raises two questions. The first issue has to do with the traffic performance in an SAS and its scalability for fault management. It is vital to understand beforehand whether SAS traffic withstands extreme events, such as blackout situations, as is often claimed by their manufacturers. As our experience with these devices remains small, we look to simulating their behavior under varying SAS conditions. A second concern relates to the security of automation networks. There is a need to evaluate the reliability of SAS critical elements. Threats as diverse as terrorist and cyber attacks are feared [1]. Many countries are putting in place new regulations to combat such harmful actions. The IEC 61850 standard does not guaranty security, as this has been left as part of the scope of a different standard, namely, the IEC 62531 [6] [4]. The latter digitally signs the Generic Object Oriented Substation Event (GOOSE) messages carrying sampled measured values (SMV). Nonetheless, many devices on the market do not yet support IEC 62531. Additional security mechanisms include the use of Intrusion Detection Systems (IDS). These monitor and analyze network traffic in an attempt to detect anomalous and unwanted traffic. Some of these operate by capturing automation traffic and comparing it to known traffic profiles. A threshold may for example, be established to report unusual traffic patterns and to single them out as possible attack scenarios. These may then be more thoroughly investigated using specialized tools. This work provides a network level classification of GOOSE messages according to faults of an electricity energy system. More specifically, we will be looking at typical IEC 61850 response traffic that is generated as a result of a failure within an automation network. The measurements illustrate substation network traffic patterns for a problem such as a TriPhase or Phase-to-ground fault. The sampled data traffic is used for the modeling of traffic representing each of the power system faults. These models can then be used next to feed other specially devised simulators used for the analysis of the performance of an SAS. Furthermore, the established models may potentially play a considerable role in the identification of out-of-profile traffic that is likely to represent security threats. Finally, we expect the obtained models to help with the early diagnosis of this type of failures by simply observing their traffic signature. First, a brief introduction of the problem of traffic measurement is given. Section 2 introduces the reader to the terminology and describes the SAS scenario under evaluation. The third part of this document illustrates the measured results. A simple model, used to understand SAS traffic patterns is described. Finally, comments and pointers to future work are realized.