Analysis and Implementation of Message Authentication Code (MAC) Algorithms for GOOSE Message Security

There is growing awareness of cybersecurity threats in power systems. The IEC 61850 standard facilitates communication between different Intelligent Electronic Devices (IEDs) and eases interoperable operation with set data and message structures. An unwanted consequence of this standardized communication over Ethernet is increased vulnerability to cyber threats. The IEC 62351-6 standard stipulates the use of digital signatures for ensuring integrity in IEC 61850 message exchanges. However, digital signatures result in higher computational times, which makes them very difficult to use for Generic Object-Oriented Substation Events (GOOSE) messages. This short communication article proposes implementation of Message Authentication Code (MAC) algorithms, such as Hash-based Message Authentication Code (HMAC) and Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC), for GOOSE message integrity. Lab tests are run to observe their timing performances and feasibility for GOOSE.


I. INTRODUCTION
IEC 61850 is the de facto communication standard for Substation Automation Systems (SAS) [1]. IEC 61850's popularity can be attributed to two main factors: ease of connection via Ethernet instead of traditional hard-wired systems, and standardized message structures which ensure interoperability. An unwanted consequence of these is the increased vulnerability to cyber-attacks. It is easier to access Ethernet-based networks, and standardized messages allow hackers to know exactly what instructions to give. The IEC 62351-6 standard is published to complement IEC 61850 by adding security features [2].
IEC 62351-6 identifies that message authenticity is an important security requirement for IEC 61850 communication in SAS. For achieving this, the IEC 62351-6 standard recommends the use of an authentication value algorithm with digital signatures (DS). For DS, use of the Rivest-Shamir-Adleman (RSA) algorithm as per Request for Comments (RFC) 2313 is stipulated [3]. However, it is found that RSA-based DS require computational times on the order of a few milliseconds, which is not suitable for Generic Object-Oriented Substation Events (GOOSE) message-based applications [4], [5]. GOOSE messages are used to transfer time-critical information such as start, stop, trip and close between intelligent electronic devices (IEDs) in a substation. GOOSE messages have a strict delivery timing requirement of 3 ms. In [6], [7] the authors investigated Elliptic Curve Digital Signature Algorithm (ECDSA) based DS, which resulted in lower computational times compared to RSA-based DS. However, the computational times for ECDSA DS are still much higher than the requirements of GOOSE messages [6]-[8]. Alternatively, it is possible to use Message Authentication Code (MAC) algorithms for GOOSE security, as IEC 61850-90-5 [9] already stipulates them for Routable GOOSE (R-GOOSE) and Routable SV (R-SV). Recently, in [10] the authors employed the hash-based message authentication code (HMAC) algorithm to secure GOOSE messages. However, the details for appending the HMAC value to the GOOSE format are not specified. The specification of the message format or structure is crucial to achieve interoperability and standardization. Furthermore, in [10], the actual implementation and practical results of the computational time required for processing the MAC algorithms in time-critical GOOSE messages were not discussed.
The associate editor coordinating the review of this manuscript and approving it for publication was Filbert Juwono.
Therefore, in this article, the GOOSE message structure is modified as per IEC 62351 to secure messages with different MAC algorithms (such as HMAC and Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC)). A software library is developed to implement these secure GOOSE messages in the lab. Finally, lab tests have been run with different MAC algorithms to observe their timing performances. This data is utilized to compare MAC algorithms and analyze their feasibility in securing GOOSE messages in SAS.

II. MAC ALGORITHMS FOR GOOSE MESSAGE SECURITY
The main objective of the GOOSE message is to offer a fast and reliable mechanism to exchange data among substation IEDs. GOOSE messages are mapped directly onto the Ethernet layer to avoid the network and transport layer headers. This reduces the overall size of the message, which in turn reduces the propagation and processing delays of GOOSE messages. As shown in Fig. 1, the GOOSE message consists of destination and source address fields, 6 bytes each, followed by the Ether-type field of 2 bytes, which defines the type of data present in the payload field. The value of the Ether-type for GOOSE messages is 88-B8. The GOOSE PDU consists of the APPID, Length, Reserved1, Reserved2 and GOOSE APDU fields, followed by padded data and the Frame Check Sequence (FCS).
Implementation of MAC algorithms requires the addition of a MAC value to GOOSE messages. The GOOSE message structure is well defined by IEC 61850, and the modification required for security extensions is defined in IEC 62351-6. Accordingly, the MAC value is appended to the extended GOOSE frame format in the "Extension" field as per ASN.1 definitions, shown in Fig. 1. As this increases the length of the GOOSE frame, the difference is reflected in the 2nd byte of the 2-byte "Reserved1" field. As shown in Fig. 2, the most significant bit in the 1st byte of "Reserved1" is used to indicate a simulated GOOSE message, while the rest is reserved for future implementations. The 2nd byte represents the increase in length due to the addition of the MAC value in the "Extension" field. The range of values for the extension length is 0 to 255. An extension length of 0 specifies that no security extension is added to the GOOSE PDU. The "Reserved2" field is used to specify a 16-bit CRC value, which is calculated for the first 8 bytes of the "Extension" field.
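The header layout described above can be decoded as follows. This is an added example, not code from the article or from S-GoSV. The function names, the tolerance for an 802.1Q VLAN tag, the policy of dropping frames whose extension length is 0, and the sample frames are all assumptions made for illustration.

```python
import struct

GOOSE_ETHERTYPE = 0x88B8  # Ether-type for GOOSE, as stated in the text
VLAN_TPID = 0x8100        # 802.1Q tag; tolerating one is an assumption of this sketch

def parse_goose_header(frame: bytes) -> dict:
    """Decode the fixed fields between the Ethernet addresses and the GOOSE APDU."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip the 6-byte destination and 6-byte source addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == VLAN_TPID and len(frame) >= 18:
        offset += 4  # skip the 4-byte VLAN tag
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    offset += 2
    if len(frame) < offset + 8:
        raise ValueError("truncated GOOSE header")
    appid, length, r1_flags, ext_len, crc = struct.unpack_from("!HHBBH", frame, offset)
    return {
        "appid": appid,
        "length": length,
        "simulated": bool(r1_flags & 0x80),  # MSB of the 1st byte of Reserved1
        "extension_length": ext_len,         # 2nd byte of Reserved1, range 0..255
        "crc": crc,                          # Reserved2
        "apdu_offset": offset + 8,           # where the GOOSE APDU starts
    }

def accept_header(frame: bytes, require_mac: bool = True) -> dict:
    """Hypothetical subscriber policy: drop frames that carry no security extension."""
    header = parse_goose_header(frame)
    if require_mac and header["extension_length"] == 0:
        raise ValueError("extension length 0: frame carries no MAC")
    return header

# Constructed sample frames (addresses, APPID, Length and CRC values are made up).
ETH = bytes.fromhex("010ccd010001" "020000000001" "88b8")
SECURED_FRAME = ETH + bytes.fromhex("0001" "0050" "802a" "1234") + b"\x00" * 8
PLAIN_FRAME = ETH + bytes.fromhex("0001" "0026" "0000" "0000") + b"\x00" * 8
```

Checking the extension length before any MAC processing matters because a subscriber that silently accepts frames with extension length 0 can be fed unauthenticated GOOSE messages even when the publisher signs everything.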
The structure of the extension field appended to the GOOSE protocol data unit (PDU) is shown in Fig. 3. The "SEQUENCE" field is reserved for future security additions other than encryption and message authentication. "Authentication value" consists of the "version", "TimeofCurrentKey", "TimeofNextKey", "InitializationVector (IV)", "KeyID" and "MAC" fields. "Version" is by default 1, while "TimeofCurrentKey" and "TimetoNextKey" contain time data pertaining to the key used in the MAC algorithms. "InitializationVector (IV)" is an optional field which is used when some initialization values are required, e.g. the AES-GMAC algorithm requires an initialization value. Its size depends on the MAC algorithm. "KeyID" is the reference to the key that is used. The "MAC" field contains the MAC value that is generated.
Different MAC algorithms recommended in IEC 61850-90-5 for R-GOOSE and R-SV are listed in Table 1.

III. IMPLEMENTATION DETAILS AND ANALYSIS OF RESULTS
In this section, the proposed MAC algorithms are implemented and their performances are evaluated to confirm their applicability to GOOSE messages. For performance evaluation tests, the experimental setup of Fig. 4 is used.

A. SECURE GOOSE GENERATION
The authors have developed a GOOSE and SV generator library, GoSV [11], to run tests on custom messages. By integrating the MAC algorithms proposed above, a new library, S-GoSV, is developed. It secures GOOSE message communication by employing key verification and MAC algorithms as shown in Fig. 4. It is written in the C language using the Linux structures ifreq and sockaddr_ll. The S-GoSV framework generates a MAC value using a symmetric key that is shared beforehand. Then, it is stored in the "Extension" field of the GOOSE PDU. The secure GOOSE message generation algorithm, Gen_MAC(), is given below:
The protection IED generates a secure GOOSE message by appending the "Extension" field to the original GOOSE PDU. Figure 5 shows the Wireshark capture of secure GOOSE messages generated by the S-GoSV framework for the HMAC algorithm. It shows all the relevant fields of the GOOSE PDU.
The breaker IED receives the secure GOOSE message and reads the APDU values into the ReceivedData buffer. Algorithm verify_MAC is utilized to check the integrity of the GOOSE message. Firstly, a new MAC value "h1" is computed for the received GOOSE PDU using the symmetric PreSharedKey k. "h1" is compared with the received MAC value "h". If they match, then the received GOOSE PDU is accepted as a legitimate packet; otherwise, it is discarded.
Table 2 shows the average computational time required and the size of the resultant secure GOOSE message for different MAC algorithms. The computational times are calculated for generating the MAC at the publisher, for generating the MAC at the subscriber, and then for comparing both MACs at the subscriber. The programs were executed on a system with an Intel(R) Celeron(R) processor with 4 GB RAM. This relatively old and slow system is intentionally selected. If this system can meet the timing requirements, then current IEDs should not face any difficulties as they have much higher computing power (Intel(R) Core i7-3555LE with 8 GB RAM) [12].
It can be observed that the AES-GMAC-64 algorithm has the best timing performance, while truncated HMAC-SHA256-80 has the lowest message size. From Table 2, it is evident that the computational times of the MAC algorithms are much better than those of the RSA or ECDSA based digital signatures (which have computational times of 1-4 milliseconds) [3], [4].
Based on the secure GOOSE message size obtained from the S-GoSV implementation, the substation communication network has been simulated in the Riverbed Modeler simulator tool [13] to find out the communication delays. A bay of a typical type D2-1 substation communication network, consisting of a Protection and Control (P&C) IED and a Breaker IED, was simulated in Riverbed Modeler. The communication delays for sending the secure GOOSE message with different MAC algorithms from the P&C IED to the Breaker IED are shown in Fig. 7. The total end-to-end (E2E) delay for exchanging secure GOOSE messages includes the computational times for running the MAC algorithms and the communication delays. In Table 2, the last column gives the total E2E delay for exchanging the secure GOOSE messages. From the Riverbed Modeler simulations, the average and maximum communication delays for GOOSE messages are obtained. The maximum communication delays give the worst-case performance indicator. It is evident from the results that the E2E delays for GOOSE messages secured with MAC algorithms, even in the worst case, are well within the stipulated requirement, i.e. 3 ms.

B. TAMPER DETECTION
Any change in the GOOSE PDU during transmission results in a discrepancy between the appended MAC value, h, and the one recomputed at the receiver, h1. Fig. 5 shows the results generated by the S-GoSV framework developed in this letter. As an example, the GOOSE PDU is tampered with: its third byte is changed from 86 to 66, as shown in Fig. 8, and the PDU is sent to the receiver. When the hash values are recomputed, the tampering is successfully detected. Fig. 8 shows that all the MAC algorithms yield different MAC values when the GOOSE PDU is tampered with. These algorithms exhibit the avalanche effect, i.e. a small change in input results in a large-scale variation in the MAC values, which makes them even more effective. Also, due to this property, the truncated versions of HMAC would be effective, as they potentially offer the same security benefits with a smaller MAC value. This considerably reduces the overhead of the overall GOOSE packet size and thus, in turn, reduces the transmission delays of GOOSE message packets.
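The MAC generation, the h versus h1 check performed by the subscriber, and the tamper test on the third byte can be reproduced with a short sketch. This is an added example in Python, not the S-GoSV C code or the article's Gen_MAC()/verify_MAC listings. The key, the PDU bytes and the function names are constructed for illustration, and the MAC is computed over the PDU bytes only.

```python
import hashlib
import hmac

MAC_LEN = 10  # HMAC-SHA256-80: keep the leftmost 80 bits of the 256-bit tag

def gen_mac(key: bytes, pdu: bytes, mac_len: int = MAC_LEN) -> bytes:
    """Publisher side: compute the truncated HMAC-SHA256 value h over the PDU."""
    return hmac.new(key, pdu, hashlib.sha256).digest()[:mac_len]

def verify_mac(key: bytes, pdu: bytes, h: bytes, mac_len: int = MAC_LEN) -> bool:
    """Subscriber side: recompute h1 and compare it with the received h."""
    # The expected length comes from local configuration, never from the frame,
    # so a sender cannot shorten the MAC to make guessing easier.
    if len(h) != mac_len:
        return False
    h1 = gen_mac(key, pdu, mac_len)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(h, h1)

def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length MAC values."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed inputs: a 32-byte pre-shared key and placeholder PDU bytes whose
# third byte is 0x86 (not a valid GOOSE encoding).
PRE_SHARED_KEY = bytes(range(32))
GOOSE_PDU = bytes([0x61, 0x1A, 0x86]) + b"constructed APDU payload"
# Tampered copy: third byte changed from 86 to 66, as in the test described above.
TAMPERED_PDU = GOOSE_PDU[:2] + b"\x66" + GOOSE_PDU[3:]

def tamper_demo() -> dict:
    """Run the publisher/subscriber exchange on the original and tampered PDU."""
    h = gen_mac(PRE_SHARED_KEY, GOOSE_PDU)
    return {
        "original_accepted": verify_mac(PRE_SHARED_KEY, GOOSE_PDU, h),
        "tampered_accepted": verify_mac(PRE_SHARED_KEY, TAMPERED_PDU, h),
        "bits_changed": bit_distance(h, gen_mac(PRE_SHARED_KEY, TAMPERED_PDU)),
    }
```

With an 80-bit MAC, a single-bit change in the PDU is expected to flip roughly half of the MAC bits, which is the avalanche behaviour the section relies on.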

IV. CONCLUSIONS
IEC 61850 is gaining more ground as the de facto communication standard in smart grids. However, it does not have the necessary tools to mitigate or detect cyber-attacks. The existing security standard for IEC 61850 message exchanges, i.e. IEC 62351-6, recommends the use of digital signatures such as RSA to generate hash values. The DS algorithms have higher computational times and are very difficult to implement in GOOSE messages. In this article, a software library has been developed to generate secure GOOSE messages with HMAC and GMAC based MAC algorithms. Their packet sizes and timing performances are evaluated for their suitability to ensure cybersecurity for GOOSE messages. Lab tests show that all algorithms can effectively sustain secure communication. Furthermore, the exhibited avalanche effect means that truncated versions with smaller PDU sizes are the most optimum solution for security and timing requirements.