Cyber security is a growing concern in power systems. To achieve security requirements such as authentication and integrity for generic object-oriented substation event (GOOSE) messages, the IEC 62351-6 standard recommends using digital signatures. Furthermore, it explicitly specifies the use of the RSASSA-Probabilistic Signature Scheme (PSS) digital signature algorithm based on RFC 3447. Power systems run in real time, and implemented cybersecurity measures have to strictly meet timing requirements. Therefore, it is very important to study the performance of such methods and contrast it with the timing requirements stipulated by grid operations, e.g., power system protection enforces a maximum delay of 3 ms. In this fashion, it can be analyzed whether a recommended cyber security mechanism is fit for use in power systems. In previous works, only RSA digital signatures were studied, and their performance was evaluated in terms of computational times for securing GOOSE messages. This paper analyses the timing performance of the RSASSA-PSS digital signature algorithm for securing GOOSE messages. This is important to assess its feasibility for IEC 61850-based networks, as specified by the IEC 62351-6 standard. The RSASSA-PSS digital signature algorithm is implemented in Python and verification times are calculated. The results show that RSASSA-PKCS1-v1_5 1024 key digital signatures provide improved performance compared with other RSA digital signature schemes. That being said, none of the algorithms is fast enough to be implemented for time-critical operations such as protection coordination.
INDEX TERMS Cyber Security in power systems, probabilistic signature scheme (PSS), generic object-oriented substation event (GOOSE), public key cryptographic standard 1 version 1.5 (PKCS1-v1_5).
When equipped with an on-board wireless kit, electric vehicles (EVs) can communicate with nearby entities, e.g., road side units (RSUs), via a vehicle ad-hoc network (VANET). More observability enables smart charging algorithms where charging stations (CSs) are allocated to EVs based on their current state of charge, destination, and urgency to charge. IEEE 1609 WAVE standard regulates VANETs, while IEC 61850 is emerging as the smart grid communication standard. In order to integrate these two domains of energy management, past research has focused on harmonizing these two standards for a full smart city solution. However, this solution requires very sensitive data to be transmitted, such as ownership of EV, owners’ personal details, and driving history. Therefore, data security in these networks is of prime concern and needs to be addressed. In this paper, different security mechanisms defined by the IEEE 1609 WAVE standard are applied for both vehicle-to-infrastructure (V2I) and vehicle-to-grid (V2G) communication. The former relates to EV–RSU, while the latter covers EV–CS communication. The implicit and explicit certificate mechanism processes proposed in IEEE 1609 WAVE for authentication are studied in great detail. Furthermore, a performance evaluation for these mechanisms is presented in terms of total time lapse for authentication, considering both the computational time and communication time delays. These results are very important in understanding the extra latency introduced by security mechanisms. Considering that VANETs may be volatile and may disappear as EVs drive away, overall timing performance becomes vital for operation. Reported results show the magnitude of this impact and compare different security mechanisms. These can be utilized to further develop VANET security approaches based on available time and the required security level.
There is growing awareness of cybersecurity threats in power systems. Deployment of more intelligent electronic devices (IEDs) and communication lines increases the probability of such attacks. The IEC 61850 standard facilitates communication between different IEDs and eases interoperable operation with set data and message structures. An unwanted consequence of this standardized communication over Ethernet is increased viability to cyber threats. Replay and masquerade attacks are of particular concern due to their imminent impact on the operation. While detecting replay attacks is easier, since the original messages are used for the attack, masquerade attack messages may be difficult to distinguish from original ones. Furthermore, inadequate mitigation approaches may be tricked by the hackers, so that the system starts treating the attacker as the authentic sender and discards original messages from authentic sources. It is vital to develop an approach that incorporates message authentication. In this fashion, when the hackers modify the message contents to bypass security systems, the tampering can be detected, and the messages will be discarded. This paper analyses replay and masquerade attacks on IEC 61850 GOOSE messages and develops a solution to mitigate both of those. To detect modified messages, two distinct authentication mechanisms are utilized: RSA, since it is the algorithm stipulated in IEC 62351-6, and the Elliptic Curve Digital Signature Algorithm (ECDSA), due to its widespread use in smart grid cybersecurity solutions. A full solution to mitigate GOOSE replay and masquerade attacks is developed based on the proposed framework in the IEC 62351 standard. The full implementation is tested in the lab and results are included to show the viability of the solution.
INDEX TERMS Cyber-physical systems, cybersecurity in power systems, IEC 61850, IEC 62351, digital signature algorithms, message integrity check.
NOMENCLATURE
Symbol: Explanation
goosePDU: GOOSE data frame
gooseAPDU: The payload field of GOOSE packet consists of data in TLV format
goosePDU.
There is growing awareness of cybersecurity threats in power systems. The IEC 61850 standard facilitates communication between different intelligent electronic devices (IEDs) and eases interoperable operation with set data and message structures. An unwanted consequence of this standardized communication over Ethernet is increased viability to cyber threats. The IEC 62351-6 standard stipulates the use of digital signatures for ensuring integrity in IEC 61850 message exchanges. However, digital signatures result in higher computational times, which makes them very difficult to use for Generic Object-Oriented Substation Events (GOOSE) messages. This short communication article proposes implementation of Message Authentication Code (MAC) algorithms, such as Hash-based Message Authentication Code (HMAC) and Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC), for GOOSE message integrity. Lab tests are run to observe their timing performance and feasibility for GOOSE.
INDEX TERMS IEC 62351, IEC 61850, generic object-oriented substation events (GOOSE), cybersecurity, hash-based message authentication code (HMAC), advanced encryption standard-galois message authentication code (AES-GMAC).
Smart grids are becoming increasingly popular thanks to their ability to operate with higher precision and smaller margins. Dynamic operation control in smart grids can be achieved with phasor measurement unit (PMU)-based wide area monitoring and control systems. The data communication requirements for PMU-based applications are well addressed in the IEEE C37.118.2 and IEC 61850-90-5 standards. Due to the higher probability of cyberattacks and the scale of their impact, data security is a critical requirement in PMU communication networks. The IEC 61850-90-5 communication standard addresses this security concern and proposes the HMAC (hash-based message authentication code) with key distribution center (KDC) scheme for achieving information authentication and integrity. However, these IEC 61850-90-5 security recommendations do not consider the mechanism for attacks such as man-in-the-middle (MITM) attacks during KDC key exchanges. MITM attacks can be easily implemented and may have a large impact on the grid operation. This paper proposed an explicit certificate-based authentication mechanism to mitigate MITM attacks in PMU communication networks. The proposed certificate-based authentication mechanisms were implemented in real time using Python-based terminals to observe their performance with different signature algorithms.