Enhancing Brownfield Digital Substation Cyber Security with HMAC Authentication
A. Presekal (TU Delft - Intelligent Electrical Power Grids)
V. Rajkumar (TenneT TSO B.V., TU Delft - Intelligent Electrical Power Grids)
H. Goyel (TU Delft - Intelligent Electrical Power Grids)
N. Cibin (TU Delft - Intelligent Electrical Power Grids)
P. Palensky (TU Delft - Electrical Sustainable Energy)
J. Godefrooi (Stedin)
A. Ştefanov (TU Delft - Intelligent Electrical Power Grids)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
The increasing digitalization of power grids has introduced cyber security vulnerabilities. One of these vulnerabilities is related to the IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol for time-critical communication between Intelligent Electronic Devices (IEDs). This protocol lacks built-in message integrity and authentication mechanisms, making it susceptible to cyber attacks, e.g., spoofing. To address these vulnerabilities, IEC 62351-6:2020 recommends the use of a Hash-based Message Authentication Code (HMAC). However, implementing this security measure in existing brownfield digital substations is challenging due to the lack of compatible commercial devices, and it is economically expensive. Therefore, this research proposes and evaluates a cost-effective cyber security enhancement that uses commodity hardware, e.g., Raspberry Pi, to implement HMAC-based message authentication, ensuring GOOSE message integrity and authentication in brownfield digital substations while respecting the stringent time requirements for the operation of protective relays. The proposed solution ensures message integrity and authentication while maintaining compliance with standard requirements. Validation is performed using real commercial IEDs in a real-time Hardware-in-the-Loop (HIL) architecture, demonstrating that the solution meets substation time requirements. This approach provides a feasible and immediate cyber security enhancement for brownfield digital substations without requiring significant infrastructure changes.
Files
File under embargo until 23-09-2026