Impact and Vulnerability Analysis of IEC61850 in Smartgrids Using Multiple HIL Real-Time Testbeds

Due to the increasing use of smart components in smart grids, interoperability among them is a crucial aspect to address. IEC61850 is a communication standard already used in substations because of its fast data transfer and its ability to enable data exchange between a variety of smart energy-related digital technologies. This article studies the application of the communication protocols defined by the IEC61850 standard in Intelligent Electronic Devices (IEDs) using a prototype testbed architecture running on a real-time digital device. The goal is to recreate a given substation using built-in IEC61850 protocols instead of conventional co-simulation, and to study the performance and cyber vulnerabilities of this more realistic architecture. The testbed includes the supervisory layer, the substation bus, and the process bus communication layer, forming a local network that exchanges data at distinct levels. Different fault protection scenarios are discussed using both physical and emulated IEDs, and the communication protocols implemented in each scenario are explained, showing that additional delays are introduced. In the first two scenarios, the operation of the testbed with physical versus emulated IEDs is analyzed and compared, establishing the robustness of the methodology for situations where using a physical IED would be unfeasible; in these scenarios the functionality and robustness of the protection mechanisms and communication protocols are confirmed. In the third scenario, the vulnerability of smart grids that use IEC61850 as their primary communication protocol to data injection attacks is studied. The local network is sniffed, packets are captured and monitored, and spoofed data with the same structure are injected into the network to conduct false data injection attacks on the supervisory unit. The vulnerability of the IEC61850 protocol to cyber attacks in specific situations is thus demonstrated.

To study these challenges, the availability of test benches, such as digital twins [7] of the grid, can be useful to forecast the behavior of the grid and validate algorithms and devices [8], [9]. In this work, the Hardware-in-the-loop (HIL) [10], [11] methodology is adopted to simulate the microgrid in a

• Integration of the layers of the IEC61850 GOOSE, SV messages, and MMS communication protocol in the real-time electrical grid simulation.

• Test of the emulated IED's protection logic for short circuit current protection, overload protection, and network unbalance, and analysis of the performance of our grid in these fault scenarios.

• Further use of the testbed to study the vulnerabilities of the IEC61850 communication protocol to false data injection in the case of man-in-the-middle cyber security threats.

In the following, a brief review of the related literature is given in Section II. Then the main body of work is presented in Section III, where the implementation and investigation of each of the three scenarios is shown. In the first scenario, described in III-A, communication latency is investigated using physical IEDs. Since testing coordination strategies in sophisticated networks requires multiple IEDs, in the second scenario, given in III-B, an emulated IED running in real time on a HIL device is designed so that the physical constraints associated with expensive physical IEDs are accounted for. In the third scenario, presented in III-C, DERs are considered in the model using the same microgrid with the inclusion of an Electric Vehicle Charging Station (EVCS) and a PV plant that substitutes one of the generators. A man-in-the-middle attack is performed on the network, causing the isolation of the EVCS. Finally, in Section IV, the main results of this project are discussed and some topics for future studies are suggested.

Recent work addresses the behavior of the power grid in an environment where cyber attacks occur, which is one of the objectives of this study. In the next section, some of these works are briefly presented.

Some previous studies addressed the construction of an experimental framework approximating the IEC61850 standard [14], [15], [16], considering physical constraints while maintaining scalability, to pave the way for more complex power grid implementations. The authors in [15] investigated complex protection coordination using the Arcteq-F215 IED. Their work redefines the relationship between primary and backup protection for microgrid protection. They employed Directional Over-Current (DOCR) [17] IEDs to achieve protection coordination without using inverse time characteristics. The direction of the fault currents is communicated between the IEDs via fast GOOSE messages. Several IEDs were used to build the presented microgrid, and further study is limited to them. The platform they created is an offline simulation, which is not the best approach for studying communication systems.

In this work, the testbed grid is selected based on the power system network presented previously in [4]. However, nominal values are modified for the test scenarios presented here. The nominal voltage of the grid is 120 kV and the working frequency is 50 Hz. There are three constant power loads in the base grid that consume 700 kW in total and two Diesel Generators (DG) whose nominal parameters are given in Table 1; the two DGs provide 600 kW of the total power, while the rest is delivered from the slack node at bus13. The general design details of the components used and the software memory assigned to each subsystem in the grid model are also given in [4].

In the following, three different scenarios are described to expand the concept of the scalability of this testbed. Each procedure focuses on a different aspect of the designed testbed and is built on top of the previous one.

The first scenario is mainly concerned with incorporating physical IEDs as the hardware under test using the Hardware-In-the-Loop (HIL) methodology, and examining their logical decisions and communication timing. The IEDs used in this experiment use IEC61850 as their communication protocol. The communication scheme in this implementation consists of all three layers: the supervisory layer, the substation bus, and the process bus communication layer (shown in Fig. 2). This architecture is similar to the IEC61850-based substation automation topology presented in [22] and [23]. The physical IEDs communicate with the HIL SCADA panel of the microgrid through the MMS server (supervisory layer), use GOOSE messages to communicate their status with each other (substation bus layer), and acquire the Sampled Value (SV) messages that are generated, time-stamped and synchronized in Merging Units (MUs) implemented inside the simulation. These MUs receive current samples from the measurement instruments and convert them into digital data packets.

The sketch of the test setup used for this scenario is shown in Fig. 3. Initially, the circuit breakers (CBs) on line (3-4) are in the closed position, and the circuit breaker on line (2-3) is in the open position, so that bus3 is powered by bus4. The circuit breakers receive the trip command and status from their corresponding IEDs via a hardwired cable from the input terminals of the HIL device, and the IEDs receive the measurement signals via the Ethernet port from the MUs implemented in the microgrid.

Here, a simple overload test scenario is presented to investigate the test bench shown in Fig. 7. As shown in the sketch of the setup, the microgrid used is the same as in the first scenario, but here an overload event occurs at load 2. As men- which resembles the microgrid testbed, and the other is the virtual IED. These two devices are connected via a router that resembles the gateway and demonstrates communication over the substation bus.

When the fault occurs, the emulated IED receives the sampled values of the measured currents and voltages. By comparing the measured currents with the protection setpoints, the emulated IED publishes a trip signal through its GOOSE publisher. The GOOSE subscriber inside the microgrid receives this signal, which sets one of the inputs of the logical AND to zero. As a result, the output of the logical AND becomes zero and the CB trips. The CB implemented in the microgrid responds both to the MMS command pushed from the monitoring unit and to the GOOSE message command received from the IED in the event of fault detection.

The protection relay in the emulated IED analyzes the readings sent from the MU and issues a trip command when the setpoints of a protection function are violated. In this case, the GOOSE publisher in the emulated IED publishes the trip command over the Ethernet port. The GOOSE subscriber that triggers the corresponding CB subscribes to the GOOSE messages published by the relay and triggers the CB when it receives the trip command. Different applications may require less or more frequent status updates, which can be configured accordingly. In this implementation, the execution time step is set to 100 µs.

For each implemented protection function, there are separate setpoints that can be set from the SCADA control panel of the emulated IED. In particular, for the overload protection (ANSI 49), which is the subject of this scenario, there are three characteristic curves to choose from in the SCADA panel (two further curves defined in the ANSI standard [24] are mainly used for 60 Hz systems and are therefore neglected in this simulation). As shown in the I−t curve (Fig. 8), the relay logic unit calculates the time delay according to the selected curve for the given threshold

VOLUME 10, 2022

As mentioned earlier, the CB also responds to the manual trigger command issued by the monitoring unit via the MMS server.

The IED Explorer software installed on the SCADA device allows the supervisor to receive the quantities published by the MMS server implemented in the emulated IED. It is also possible to change the status of the IED manually by writing the MMS data attribute DRCC1.ST.Beh.stVal in the configured control direction, as shown in Fig. 10. This setup can be used to monitor control quantities such as active power, reactive power, apparent power, current magnitude, and angle. Fig. 11 shows the measured values sent by the IED via the MMS server from the MU connected to the CB before tripping. These data can be found in the DataSets directory of LLN0.MEASUREMETS, as shown in the figure.

The update frequency of the measurement can be set using the highlighted field at the top of the interface. This value only sets the rate at which the monitoring unit polls MMS packets and is independent of the execution rate configured in the MMS server of the emulated IED.

After the circuit breaker is tripped (using GOOSE messages from the emulated IED or manually from the monitoring unit via the MMS server), the corresponding measurements received from the MMS server implemented in the emulated IED are shown in Fig. 12.

The same measurements are also collected from the simulated MU in the microgrid at the time of the MMS pushed command, to capture the communication delay. The circuit breaker was tripped upon receiving the MMS trip signal. Note that, as mentioned earlier, this signal was transmitted over a hardwired cable from the emulated IED running on the other device to the main microgrid, to avoid the further delays associated with GOOSE. In the enlarged window in Fig. 13  which shows that it is not accurate. In this experiment, the time delay calculated using the described method is 1 ms.

An unbalanced current spike and an overload event are injected into load2 to capture the response of the emulated IED's protection functions. As expected, the GOOSE message published by the IED was received by the GOOSE subscriber without noticeable delay. The captured measurements for these two experiments are shown in Fig. 14 and Fig. 15 respectively.

As in the previous scenario, the protection relay inside the emulated IED analyzes the measurements of currents and voltages and, in case of a violation, sends a trip signal via GOOSE. The monitoring unit can also change the status of the circuit breaker in case of emergency, as described in the previous scenario.

The monitoring unit and the created LAN communicate through MMS messages. These MMS messages are not encrypted because they are not widely spread and can only

The man-in-the-middle (MITM) attack targets the application layer (layer 7). In a MITM attack, the goal of the attacker is to insert himself, unnoticed, between two or more communicating parties. The victims are not aware of the presence of a third party and believe they are in direct contact with each other, since the attacker acts as the communication channel and relays the messages between the victims [21], [28]. In this way, the attacker is able to hijack the exchanged information and, possibly, make independent changes to the information exchanged by the victims. Note that the IEC 62351 series (parts 4 and 6) defines TLS-based protection for MMS and authentication for GOOSE and SV messages; these extensions are not applied in this testbed, which is what leaves the supervisory link open to the attack described below.

The algorithm below illustrates, in pseudo-code, the script written to perform this attack on the network:

    Spoofed_Messages.add(modify_stVal(MMXU1_message))
    for (i = 0; i <= 1000; i++):
        send_to_DRCC1(Captured_Messages)
    END

Fig. 18 displays the time instant of the attack, captured directly from the MU implemented in the microgrid. As shown, after running the written algorithm, the trip command is sent to the CB and the EVCS is isolated from the grid. However, the monitoring unit receives the manipulated data, which show that the EVCS is still connected to the grid and performing in a healthy state.

Cyber-Physical Systems (CPS) are widely used as modern infrastructure to achieve faster and more reliable power grids. The IEC61850 communication protocol is one of many steps toward automated protection mechanisms that lead to smarter and more sophisticated grids. However, there are still challenges that need to be addressed, especially concerning the cyber vulnerabilities of this protocol.

The proposed test environment and the discussed scenar-