
J. Mod. Power Syst. Clean Energy
https://doi.org/10.1007/s40565-019-0498-5

A security scheme for intelligent substation communications considering real-time performance

Jie ZHANG1, Jun'e LI1, Xiong CHEN2,3,4, Ming NI2,3,4, Ting WANG1, Jianbo LUO2,3,4

Abstract Tampering, forgery and theft of the measurement and control messages in a smart grid could cause a breakdown in the power system. However, no security measures are employed for communications in intelligent substations. Communication services in an intelligent substation have high demands for real-time performance, which must be considered when deploying security measures. This paper studies the security requirements of communication services in intelligent substations, analyzes the security capabilities and shortages of IEC 62351, and proposes a novel security scheme for intelligent substation communications. This security scheme covers internal and telecontrol communications, in which the real-time performance of each security measure is considered. In this scheme, certificateless public key cryptography (CLPKC) is used to avoid the latency of certificate exchange in certificate-based cryptosystems and the problem of key escrow in identity-based cryptosystems; the security measures of generic object-oriented substation event, sampled measure value and manufacturing message specification in IEC 62351 are improved to meet the real-time requirements of the messages as well as to provide new security features to resist repudiation and replay attacks; and the security at the transport layer is modified to fit CLPKC, which implements mutual authentication by exchanging signatures. Furthermore, a deployment of CLPKC in an intelligent substation is presented. We also evaluate the security properties of the scheme and analyze the end-to-end delays of secured services by combining theoretical calculation and simulation. The results indicate that the proposed scheme meets the requirements of security and real-time performance of communications in intelligent substations.

Keywords Intelligent substation, Security measures, Certificateless public key cryptography (CLPKC), Real-time communication, IEC 62351

CrossCheck date: 27 November 2018
Received: 3 May 2018 / Accepted: 27 November 2018
© The Author(s) 2019

Corresponding author: Jun'e LI, [email protected]
Jie ZHANG, [email protected]; Xiong CHEN, [email protected]; Ming NI, [email protected]; Ting WANG, [email protected]; Jianbo LUO, [email protected]

1 Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
2 NARI Group Corporation (State Grid Electric Power Research Institute), Nanjing 211106, China
3 NARI Technology Co. Ltd., Nanjing 211106, China
4 State Key Laboratory of Smart Grid Protection and Control, Nanjing 211106, China

123
Jie ZHANG et al.

1 Introduction

With the development of intelligent substations, substation communication has gradually moved from point-to-point connections to networked connections, and intelligent substations face increasing cyber security threats. However, neither the internal nor the telecontrol communications of the intelligent substations built so far employ any security measures [1]. Messages such as sampled value messages and protection control messages can easily be tampered with, forged or stolen because integrity verification, authentication and encryption are absent. The security of communication services has a profound impact on the reliable operation of primary devices: an attack on these messages may cause faults in the power system and inestimable losses. A typical case is the large-scale blackout of the Ukrainian grid caused by a cyber-attack at the end of 2015 [2]. Therefore, it is urgent to add security measures to the communication networks in a substation.

Security measures improve the communication security of intelligent substations but cause extra computing cost and communication delay. The measurement and control devices in intelligent substations are usually embedded systems with limited computing resources. Intelligent substations have strict real-time requirements for communications, and the real-time performance of communications directly affects the reliable operation of primary devices. Therefore, when designing a security scheme for a substation communication network, we need to consider not only the security of the scheme but also its real-time performance.

To provide security assurance for communications in intelligent substations, the International Electrotechnical Commission (IEC) developed the security measures released in IEC 62351 [3]. The cyber security of intelligent substations has also attracted wide attention in international academia. Reference [4] presented three weaknesses of IEC 62351 but proposed no modification. Reference [5] presented a security mechanism based on Galois/counter mode (GCM) to ensure the communication security of intelligent substations, but the distribution and management of its keys are very complicated. Reference [6] proposed a password authentication method based on chaotic theory, which has poor resistance to plaintext attacks. To ensure the secure transmission of communication messages, references [7, 8] proposed SM2-based security mechanisms and reference [9] designed a security mechanism that mixes DES and RSA encryption, but both require high computing performance to satisfy the real-time requirements of substation communications, so they are not suitable for substation systems.

Some scholars have studied key management mechanisms for the smart grid, which can be classified into the following categories: key management schemes based on symmetric keys [10], public key infrastructure (PKI) [11], identity-based cryptosystems (IBC) [12], and preinstalled keys [13]. However, each of these four key management mechanisms has its own weakness. Symmetric keys are vulnerable to man-in-the-middle attacks; PKI-based mechanisms create heavy loads on the communication network as well as delays in certificate exchange; mechanisms based on IBC or preinstalled keys have the problem of key escrow. Beyond that, to avoid the delay of certificate exchange and reduce the load on the communication network, some scholars are trying to preinstall a certificate on each new device, exploiting the fact that the communication relationships in smart substations are fixed, but this brings the problem of certificate update.

In brief, although scholars have carried out extensive research on the communication security of intelligent substations, there are various shortcomings in considering its characteristics, especially real-time requirements. In addition, no research so far has solved the problems of certificate exchange latency, certificate management and key escrow in key management.

Therefore, aiming at the cyber threats to intelligent substations, this paper analyzes the security capabilities and shortages of IEC 62351 and presents an overall security scheme for intelligent substation communications that takes real-time performance into account. To enhance the capabilities of substation communication in terms of confidentiality, integrity, authenticity, immunity against replay attacks and non-repudiation, security measures for internal and telecontrol communications are proposed. Moreover, a key management method is designed based on certificateless public key cryptography (CLPKC) to avoid the delay of certificate exchange and the problem of key escrow. Finally, the evaluation of security properties and the analysis of end-to-end delays show that the security measures in this paper can meet the requirements of security and real-time performance of substation communications.

2 Security requirements of intelligent substations and security capability of IEC 62351

2.1 Threats and security requirements of smart substations

Attacks on intelligent substations can be divided into two phases in terms of time: (1) finding an appropriate attack path to access the communication network of


substations; (2) attacking the communication network or important communication messages to cause abnormalities in the physical devices, ultimately achieving the purpose of attacking the smart grid [14]. For the first phase, physical isolation, a firewall and other measures can be deployed in substations to block the attack path. Therefore, we study the threats and security requirements of communication services in the scenario where attackers have already gained access to the substation's communication network.

At present, intelligent substations commonly adopt the structure of "three layers, two networks". The architecture shown in Fig. 1 is a typical framework of a substation's communication network; the data flows and their message types are also presented in Fig. 1.

Fig. 1 Main data flows in an intelligent substation (remote control center/other substation reached over synchronous digital hierarchy (SDH) through the gateway; substation level: substation host and server on the substation network, exchanging status messages, control instructions and file transfers; bay level: P&C devices exchanging status messages, control instructions and constant values; process level: circuit breaker, MU and IED on the process network, exchanging sample messages, status messages and control instructions; message types MMS, SMV and GOOSE)

The data exchanged between the substation level and another substation or the remote control center are primarily control instructions and original data files. The data exchanged between the substation level and the bay level are control instructions, device status information and constant values. The manufacturing message specification (MMS) protocol is used in the aforementioned transmission services. These data may be tampered with or forged to disturb the normal operation of substations, and the status data may be stolen by attackers for future attacks. Therefore, it is necessary to ensure their confidentiality, integrity and authenticity.

Data communications within the bay level or between the bay level and the process level are carried out through the process-level network and primarily adopt the generic object oriented substation event (GOOSE) protocol or the sampled measure value (SMV) protocol. The sampled value messages from the merging unit (MU) to the protection and control (P&C) device adopt the SMV protocol; control instructions and switch status messages adopt the GOOSE protocol. These messages require high real-time performance. An attacker could control the continuity of a primary device or cause a malfunction of a primary device by tampering with, forging or replaying messages, thereby causing the breakdown of the primary device or the instability of the smart grid. Stealing these messages makes little sense. Therefore, the security requirements of the above communication services include integrity, authenticity and availability, but not confidentiality.

In addition, current intelligent substations lack network monitoring and log auditing, so the source of a message cannot be traced; they are therefore vulnerable to repudiation attacks. Furthermore, all services in substations could suffer from denial of service (DoS) attacks that affect the availability of the substations' resources.

In brief, the main security threats to substations are unauthorized access, forgery, theft, DoS, and repudiation.

2.2 Security capabilities and shortcomings of IEC 62351

According to Section 2.1 and IEC 62351, the security threats, requirements and capabilities of IEC 62351 for messages in substation communication networks can be summarized as shown in Table 1, which shows that the security capabilities of IEC 62351 cannot meet the security requirements of the substations.

There are also additional shortcomings in IEC 62351, as follows:
1) Key or certificate management has not yet been specified in the IEC 62351 standards.
2) Some of the security measures specified in IEC 62351 have weaknesses that make them unsuitable for communication services in intelligent substations. As an illustration, the performance of the specified signature algorithm for GOOSE and SMV messages cannot satisfy the real-time requirements of substation communications because of the high complexity of RSA.

3 Proposed security scheme for communications of intelligent substations

The security scheme includes security measures for communication messages and its key management method. The communication messages involve the internal and telecontrol communications of the substation system. The security measures are improvements to those in IEC 62351, and the key management method is based on CLPKC in


this scheme. The main contents are as follows: the security measures for GOOSE/SMV and MMS in IEC 62351 are improved in Section 3.1; the transport layer security (TLS) protocol is modified to fit CLPKC, and the handshake process of the modified TLS is shown in Section 3.2; a deployment of CLPKC is presented in Section 3.3. The modified TLS is used both for telecontrol communications and for the low-speed messages of internal communications.

Table 1 Security threats, requirements and capabilities of IEC 62351 for messages in substations

Type of message | Security threats | Security requirements | Security capabilities of IEC 62351
GOOSE/SMV | Tampering, forgery, repudiation, DoS attack | Integrity, authenticity, non-repudiation, availability | Message authentication mechanism
MMS | Tampering, forgery, stealing, repudiation, DoS attack | Integrity, authenticity, confidentiality, non-repudiation, availability | Peer entity authentication, transport-profile security

3.1 Security measures for internal communications of intelligent substations

The deployment of security measures for communications within a substation is shown in Fig. 2. The security measures proposed for GOOSE/SMV protect the communications within the bay level and between the bay level and the process level (shown as the blue arrows in Fig. 2). The security measures proposed for MMS protect the communications within the substation level and between the substation level and the bay level (shown as the red arrows in Fig. 2).

Fig. 2 Deployment of security measures within a substation (substation level: substation host and server; bay level: monitoring unit and P&C, linked to the substation level by the security measures for MMS; process level: MU and circuit breaker, linked to the bay level by the security measures for GOOSE/SMV)

3.1.1 Security measures for GOOSE/SMV

As discussed in Section 2.1, the security requirements of GOOSE/SMV are authenticity, integrity, availability and non-repudiation. Since the SMV and GOOSE protocols have the same security requirements, this paper designs the same measures to protect GOOSE/SMV messages.

According to IEC 62351-6, the reserved fields and extension fields in GOOSE/SMV are used to extend the function of GOOSE/SMV messages as follows:
1) The first byte of the Reserved1 field shall be used to specify the number of octets conveyed by the extension octets; the Reserved2 field shall contain a 16-bit cyclic redundancy check (CRC), calculated over octets 1–8 of the VLAN information of the extended protocol data unit (PDU).
2) The extension shall be encoded; the authentication value field shall be used to store the signature value.
3) In order to prevent replay attacks, skew filtering and timestamp checking are proposed to distinguish current messages from outdated messages.

The security measures in IEC 62351 for GOOSE/SMV cannot resist repudiation. Therefore, this paper proposes that a unique identification representing the identity of a device in the substation is added to the Reserved SEQUENCE field, so that the device cannot deny its participation in the communication. Moreover, considering the real-time requirements of GOOSE/SMV messages, a hash-based message authentication code (HMAC) algorithm is employed to calculate the signature value instead of the asymmetric RSA algorithm specified in IEC 62351, and the SHA256 algorithm is employed for the hash calculation. The specific authentication process of GOOSE/SMV is shown in Fig. 3.

3.1.2 Security measures for MMS

MMS is an application protocol based on TCP/IP. The security requirements of MMS include confidentiality, integrity, authenticity, availability and non-repudiation, as discussed in Section 2.1.

According to IEC 62351-4, the authenticity of MMS is provided by peer entity authentication, which occurs at association set-up time. The authentication is implemented through association control service element (ACSE) security as follows: enabling the sender-ACSE-requirements field and the responder-ACSE-requirements field of the authentication functional unit (FU) of ACSE, and defining the data
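The following is an added worked example, not code from the paper: it applies the GOOSE/SMV measures of Section 3.1.1 (Reserved1 carrying the extension length, Reserved2 carrying a CRC-16 over the VLAN octets, the device uID in the Reserved SEQUENCE, an HMAC-SHA256 tag over the octets from the EtherType field to the end of the extension, and skew filtering with timestamp checking) to a constructed frame and runs the receiver checks of Fig. 3 against a tampered, a replayed, a stale and an unregistered frame. The frame layout, the CRC polynomial (CRC-16/CCITT-FALSE), the 8-octet uID, the millisecond timestamp inside the extension and the per-sender last-seen check are assumptions of this example, not details fixed by the paper.

```python
import hmac
import hashlib
import struct

# Constructed frame layout (an assumption of this example, simplified from the
# IEC 61850-8-1 Ethernet encoding and the IEC 62351-6 extension described above):
#   0..5   destination MAC          6..11  source MAC
#   12..15 802.1Q tag (TPID 0x8100, TCI)
#   16..17 EtherType (0x88B8 GOOSE, 0x88BA SV)    18..19 APPID
#   20..21 Reserved1: first octet = number of extension octets
#   22..23 Reserved2: CRC-16 over the eight "VLAN information" octets 12..19
#   24..   APDU (kept opaque here), then the extension:
#          uID (8 octets) | timestamp in ms (8 octets) | AuthenticationValue (32 octets)
HDR_LEN = 24
ETHERTYPE_OFF = 16
UID_LEN, TS_LEN, TAG_LEN = 8, 8, 32
EXT_LEN = UID_LEN + TS_LEN + TAG_LEN


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the paper fixes no polynomial."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(key: bytes, uid: bytes, ts_ms: int, apdu: bytes,
                dst: bytes = b"\x01\x0c\xcd\x01\x00\x01",
                src: bytes = b"\x00\x11\x22\x33\x44\x55",
                ethertype: int = 0x88B8, appid: int = 0x0001, tci: int = 0x8000) -> bytes:
    """Sender side of Fig. 3: fill Reserved1/Reserved2, append uID and timestamp, then HMAC."""
    head = dst + src + struct.pack(">HHHH", 0x8100, tci, ethertype, appid)
    reserved1 = bytes([EXT_LEN, 0])
    reserved2 = struct.pack(">H", crc16_ccitt(head[12:20]))
    body = (head + reserved1 + reserved2 + apdu
            + uid[:UID_LEN].ljust(UID_LEN, b"\x00") + struct.pack(">Q", ts_ms))
    # The signature input runs from the EtherType field to the end of the extension (Fig. 3).
    tag = hmac.new(key, body[ETHERTYPE_OFF:], hashlib.sha256).digest()
    return body + tag


def verify_frame(key: bytes, frame: bytes, known_uids: set, now_ms: int,
                 max_skew_ms: int, last_seen: dict):
    """Receiver side of Fig. 3: uID, HMAC and CRC checks, then the replay checks of item 3."""
    if len(frame) < HDR_LEN + EXT_LEN or frame[20] != EXT_LEN:
        return False, "reserved1"
    ext = frame[-EXT_LEN:]
    uid = ext[:UID_LEN]
    ts_ms = struct.unpack(">Q", ext[UID_LEN:UID_LEN + TS_LEN])[0]
    tag = ext[UID_LEN + TS_LEN:]
    if uid not in known_uids:
        return False, "uid"
    expected = hmac.new(key, frame[ETHERTYPE_OFF:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        return False, "hmac"
    if struct.unpack(">H", frame[22:24])[0] != crc16_ccitt(frame[12:20]):
        return False, "crc"
    if abs(now_ms - ts_ms) > max_skew_ms:                # skew filtering
        return False, "skew"
    # Inside the skew window a copied frame would still pass; requiring a strictly
    # increasing timestamp per sender closes that gap (added here, not in the paper).
    if ts_ms <= last_seen.get(uid, -1):
        return False, "replay"
    last_seen[uid] = ts_ms
    return True, "ok"


def demo():
    """Constructed traffic: one valid frame, then replayed, tampered, stale and unknown-uID frames."""
    key = b"constructed-demo-key-not-for-use"        # shared HMAC key (assumption)
    mu = b"MU-0001".ljust(UID_LEN, b"\x00")           # constructed merging-unit uID
    known, seen = {mu}, {}
    t0 = 1_700_000_000_000                            # constructed sender clock, ms
    apdu = b"\x61\x05\x80\x03\x01\x02\x03"            # constructed opaque APDU bytes
    good = build_frame(key, mu, t0, apdu)
    tampered = bytearray(good)
    tampered[HDR_LEN] ^= 0x01                         # flip one APDU bit
    stale = build_frame(key, mu, t0 - 10_000, apdu)   # 10 s old
    rogue = build_frame(key, b"ROGUE", t0 + 1, apdu)  # right key, unregistered uID
    return {
        "good": verify_frame(key, good, known, t0 + 2, 4, seen),
        "replay": verify_frame(key, good, known, t0 + 3, 4, seen),
        "tampered": verify_frame(key, bytes(tampered), known, t0 + 2, 4, seen),
        "stale": verify_frame(key, stale, known, t0, 4, seen),
        "unknown": verify_frame(key, rogue, known, t0 + 1, 4, seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Only the first frame is accepted; the others are rejected with the name of the failing check. The uID is trustworthy only because it lies inside the HMAC input, and since every receiver holds the same key the tag proves that a key holder produced the frame, not which one: that is the trade-off the paper accepts to keep GOOSE/SMV within their timing budget, and it is why the MMS path below uses SM2 signatures instead.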


structure MMS_Authentication-value, where the signature value is stored.

In order to improve the security measures in IEC 62351 for MMS in terms of integrity, non-repudiation and confidentiality, this paper proposes the following security measures.

To protect the integrity of MMS, this paper hashes the data of MMS messages with a hash algorithm to prevent unauthorized modification. Considering the requirements of intelligent substations for security and real-time performance, we select SM3 as the hash algorithm. To resist repudiation attacks, this paper proposes adding a unique identification of the device to the MMS message. The specific authentication process of MMS is shown in Fig. 4.

Fig. 3 Security authentication process of GOOSE/SMV (sender: populate the message; set the Reserved1 field to the length of the extension; set the Reserved2 field to the CRC value; set the Reserved SEQUENCE field to the unique identification (uID); compute the signature with HMAC_SHA256 over the input from the EtherType field to the Private field; set the AuthenticationValue field to the signature; send. Receiver: parse the message structure and extract the Reserved SEQUENCE; verify the uID; extract the signature input and recompute the HMAC_SHA256 signature; verify the signature; recompute and verify the CRC; authentication succeeds only if every check passes)

Fig. 4 Specific authentication process of MMS (sender: assign the sender-ACSE-requirement and mechanism-name fields; set the time field to Tv = GMT(time); apply for the private key skID; sign Hash(time) with skID and store the result in the signature field; add the unique identification of the equipment; ASN.1-encode and send. Receiver: parse the message structure and extract the verification fields; verify sender-ACSE-requirements and mechanism-name; extract the time and signature fields and compute Hash(Tv) as Htime'; obtain the public key pkID and recover Htime from the signature; check Htime = Htime' and that the current time Tc satisfies Tc - Tv <= 10 min (or that the signature matches one computed within the 10 min window); authentication succeeds only if every check passes)

IEC 62351 suggests that the confidentiality of MMS is provided by the TLS protocol but does not specify the details, and TLS has deficiencies in real-time performance. In addition, there are different communication services of MMS messages in intelligent substations, such as device status messages and file transfer messages. A device status message is a medium-speed message whereas a file transfer message is a low-speed message; they have different real-time requirements. Therefore, in this paper, different security measures are designed for the different services of MMS messages to ensure their confidentiality while respecting their real-time requirements: low-speed messages adopt the modified TLS proposed in this paper; medium-speed messages adopt signature-then-encryption on the sending side and decryption-then-authentication on the receiving side. Compared with the RSA algorithm, SM2 has the advantages of higher security, faster operation and lower resource consumption, so we select SM2 as the algorithm for authentication and encryption.

3.2 Security measures for telecontrol communications

The deployment of security measures for telecontrol communications is shown in Fig. 5. The challenge-response mechanism is adopted to protect the communications between two substations. The modified TLS protocol, which achieves mutual authentication by exchanging signatures instead of digital certificates, is used to protect the communications between the substation and the remote control center.

Fig. 5 Deployment of security measures for telecontrol communications (remote control center with host and services; communications between substation A and the remote control center over SDH are protected with the TLS security measures; communications between substation A and substation B through the gateway are protected with the challenge-response mechanism)

3.2.1 Challenge-response mechanism

Challenge-response provides authentication at the application layer. According to IEC 62351-5, the role of a substation can be challenger or responder for one inter-station communication connection. When inter-station operations are associated with specific application service data units (ASDUs) that the challenger considers to be protected, the challenge-response authentication mechanism based on HMAC is used. The authentication process is shown in Fig. 6.

Fig. 6 Process of challenge-response authentication (a non-critical ASDU from the responder is executed by the challenger and answered with the standard protocol response; for a critical ASDU the challenger sends an authentication challenge (HMAC + random data), the responder returns an authentication response (authentication value), and only after successful authentication is the ASDU executed and the standard protocol response returned)

3.2.2 Modifications to TLS

Both the communications between two substations and the communications between a substation and the remote control center primarily use TCP/IP. TLS can be used to protect telecontrol communications. In order to fit CLPKC, TLS is modified as follows: mutual authentication is completed by exchanging signatures instead of digital certificates, so as to avoid the impact of certificate exchange on the real-time performance of the communication.

Fig. 7 Handshake process of the modified TLS protocol (ClientHello; ServerHello; ServerAuthenticate carrying M and S = Sig(Ssk, Hash(M)); AuthenticateRequest; the client checks whether Ver(S, Spk) equals Hash(M) and returns ClientAuthenticate with S' = Sig(Csk, Hash(M)); the server checks whether Ver(S', Cpk) equals Hash(M); ClientKeyExchange carrying E = Encrypt(Spk, Npm), after which the server recovers Npm = Decrypt(Ssk, E) and both sides derive SK = Fuc(a, b, Npm); ChangeCipherSpec from each side; Finished)

As depicted in Fig. 7, the handshake of our modified TLS consists of the following three steps.

Step 1: Start the handshake.
1) The client sends a ClientHello message to the server, which contains the version, a random value a, the session_id, the cipher_suites, etc.
2) The server responds to the client with a ServerHello message, which specifies the negotiated parameters and contains a random value b.

Step 2: Implement mutual authentication between server and client.
1) The server selects a random plaintext M and calculates the signature S = Sig(Ssk, Hash(M)) with the server's private key Ssk. Then the server sends M and S to the client in a ServerAuthenticate message.
2) The server sends an AuthenticateRequest message to the client to request authentication of the client's identity.
3) The client calculates H = Ver(S, Spk) with the server's public key Spk and judges whether the identity of the server is legitimate by comparing H with Hash(M). Then the client calculates S' = Sig(Csk, Hash(M)) with the client's private key Csk and sends S' to the server.
4) The server calculates H' = Ver(S', Cpk) with the client's public key Cpk to verify the identity of the client.

Step 3: Negotiate the session key and finish the handshake.
1) The client generates a random number Npm and generates the session key SK from a, b and Npm. Then,


E = Encrypt(Spk, Npm) is calculated and sent to the server, where Encrypt() is the encryption function.
2) The server decrypts E with the decryption function Decrypt() to obtain Npm = Decrypt(Ssk, E), and then calculates the session key SK from a, b and Npm using the function Fuc().
3) The client and server verify the handshake; if this succeeds, both sides exchange communication data under SK. They indicate that they have switched to encryption mode with a ChangeCipherSpec message and finish the handshake with a Finished message.

To ensure the security of the communication process, this paper suggests SM2 as the signature algorithm for authentication and as the encryption algorithm for encrypting the session key. The advanced encryption standard (AES) algorithm is used to encrypt the session data, and the SHA256 algorithm is used to calculate the message digest.

3.3 Scheme of key management

PKI has been widely used in large-scale public networks, but certificate management for the enormous number of intelligent electronic devices (IEDs) in substations and the exchange of certificates would result in huge communication costs. Research on IBC is still ongoing, and the revocation and escrow of keys are unsolved in IBC. Therefore, considering the characteristics of communications in smart substations and the real-time requirements of messages, this paper proposes employing CLPKC in substations and presents a key update method based on time validity.

3.3.1 Deployment of CLPKC in a substation

In CLPKC, the generation of the user's public key is not completely based on its identity information, and the key generation center (KGC) does not know the user's whole private key. CLPKC does not require certificates to be managed, and because the KGC holds only a partial private key it effectively solves the key escrow problem. At present, there are various models of CLPKC [15–19]. Considering the characteristics of substation communications, after comparing the existing CLPKC models, this paper chooses the model in [18] for the scheme and deploys it in a substation system according to the following proposal.

In this scheme, the KGC uses a centralized-distributed architecture, which should first be established in the power system. The detailed process by which a device obtains a pair of public and private keys consists of the following four steps.

Step 1: The upper KGC randomly generates the public parameters (spk) and the master key (smk) for every substation.
Step 2: When a device applies for a key, the underlying KGC in the substation generates the partial private key (dID) and the partial public key (pID) from spk, smk and the device's identifier ID, and sends dID and pID to the device through the secure channel.
Step 3: The device generates a secret value (xID) from spk and ID, and generates its public key (pkID) from spk, pID and xID. Then the device publishes pkID within the substation.
Step 4: Taking spk, dID and xID as input, the device generates its private key (skID).

The security process based on this deployment of CLPKC in a substation is shown in Fig. 8.

3.3.2 Key updating method

To ensure the validity of a public key for a certain period, traditional public key cryptography binds the user to the public key by certification authority (CA) certification, whereas in CLPKC the cryptographic key of the user is bound to their identification information. In order to complete the key management scheme, this paper considers the characteristics of substation communications and chooses the method in [20] for key update: a preset time validity is attached to the user's identity to achieve update and revocation of the key. For example, if the public key of device A in a substation is (A_Identity, spk) || current-day, A needs to update its key every day, otherwise the key automatically expires. This approach could be made more granular by changing the preset time validity. The shorter the time validity, the more frequent the updates and the more secure the cryptographic key, but frequent key updates increase communication latency. Therefore, the update frequency must be chosen with regard to the real-time requirements of the various communication messages in practice: on the premise of satisfying the real-time performance of the communication, the key update frequency is increased. This will be considered in future work.

3.4 Scheme security analysis

The security of the proposed scheme is analyzed from the following two aspects.

3.4.1 Security of measures

1) Integrity and authenticity: in this scheme, the AuthenticationValue field in the GOOSE/SMV message is enabled with signature authentication based on


the HMAC algorithm to ensure the integrity and authenticity of GOOSE/SMV messages, which prevents the data from being tampered with or forged during transmission. Furthermore, we define the data structure of the AuthenticationValue of MMS and adopt peer entity authentication based on the SM2 algorithm to verify the integrity and authenticity of MMS messages. Hashing the data of MMS messages with the SM3 algorithm prevents unauthorized modification. In this way, attackers cannot arbitrarily tamper with or forge messages.
2) Confidentiality: in the scheme, different measures are designed for different types of MMS messages to ensure the confidentiality of message transmissions. The modified TLS protocol is adopted to ensure the confidentiality of low-speed messages, whereas medium-speed messages are protected with the encryption algorithm. These measures effectively prevent data from being stolen.
3) Non-repudiation: the unique identification of the sender is carried in the Reserved SEQUENCE field of messages to ensure that the device cannot deny its participation in the communication, which effectively resists a repudiation attack.
4) Immunity against replay: skew filtering and timestamp checking are used to distinguish current packets from outdated ones, which effectively prevents a replay attack.

Fig. 8 Certificateless security processes. (a) Encryption and decryption: the key generation center holds the master key pair (spk, smk) and, from ID_B, issues equipment B a partial public key pID and a partial private key dID; B combines them with a locally chosen secret value xID to obtain its public key pkID and private key skID; equipment A encrypts with pkID and B decrypts the ciphertext C with skID. (b) Signature and authentication: equipment A obtains (pID, dID) for ID_A and forms skID and pkID in the same way, signs the plaintext with skID, and equipment B authenticates the signature with pkID.

3.4.2 Security of key management

Considering the disadvantages of PKI and IBC, we propose employing CLPKC in substations. As an important part of the security scheme, the security of the key management is crucial. In the security model of CLPKC there are two types of adversaries, type I and type II. The type I adversary A_I does not have access to the master key but may replace the public key of arbitrary identities with values of its own choice, whereas the type II adversary A_II does have access to the master key but may not replace the public keys of entities. In the deployment of CLPKC in substations in this paper, the private key depends not only on a secret value but also on a partial private key obtained from the KGC, and the secret value is never transmitted over the channel. It is secure against type I and type II adversaries in a strong sense, provided that the computational Diffie-Hellman problem is intractable and the underlying hash functions are modeled as random oracles [17].

4 Analysis for real-time performance of scheme

4.1 Composition of communication delay

The end-to-end delay of a message across the secured network with the proposed security measures primarily consists of the following four parts, as shown in Fig. 9.
1) Generating delay (T_G) and parsing delay (T_P): the time the sender takes to generate and encapsulate the message from the application layer down to the physical layer, and the time the receiver takes to parse and extract the message from the physical layer up to the application layer.
2) Delay of security operations (T_E): the computing time of the security measures plus the transmission delay between the security chip and the master CPU.
3) Sending delay (T_S) and receiving delay (T_R): the time the sender takes to put all of the packet's bits onto the wire and the time the receiver takes to take all of the packet's bits off the wire, defined as usual. This is the delay caused by the data rate of the link.
4) Link transmission delay (T_L): the sum of the propagation delay on the links and the processing

and queuing delay in forwarding nodes from source to destination.

Fig. 9 Composition of message communication delay in a secured substation network: at the sender, the generating delay (T_G), security operations delay (T_E) and sending delay (T_S); on the link, the link transmission delay (T_L); at the receiver, the receiving delay (T_R), security operations delay (T_E) and parsing delay (T_P).

According to the above analysis, the end-to-end delay T of messages in intelligent substations is:

$T = T_E + T_{\mathrm{other}}$  (1)

where $T_{\mathrm{other}}$ is the delay other than that of the security operations:

$T_{\mathrm{other}} = T_G + T_S + T_L + T_P$  (2)

Current simulation software cannot simulate the proposed security operations. It is difficult to embed implementations of the security operations into existing simulation software, and the workload of implementing an entire simulation system is too large. Therefore, this paper combines theoretical calculation with simulation to analyze end-to-end delays: the delay of the security operations is calculated through theoretical analysis, and the other delays are obtained by simulation in the software.

4.2 Calculation of security operation delays

Due to the high real-time requirements of intelligent substation communication, security chips are used to support the security measures in our security scheme. After a detailed analysis and comparison of various security chips, we selected the A980 chip as a practical choice for the analysis. The processing rates of the relevant algorithms on the A980 are shown in Table 2, in which the unit tps denotes operations (times) per second.

Table 2 Processing rates of the relevant algorithms on the A980 chip

Algorithm           SM2 (tps)   SM3 (Mbit/s)   AES (Mbit/s)   SHA256 (Mbit/s)   HMAC_SHA256 (tps)
Encryption          112         –              9              –                 –
Decryption          119         –              7              –                 –
Signature           285         –              –              –                 7812
Authentication      101         –              –              –                 14705
Digest calculation  –           6              –              4                 –

4.2.1 Analysis for security operation delay of GOOSE/SMV

According to Fig. 3, the authentication process of GOOSE/SMV includes a CRC, a digest calculation and a signature calculation. The CRC covers only 8 bytes and is ignored here because of its simplicity. The length of a GOOSE/SMV message varies with the type of information it carries. In this paper, the delays of the sampled value message, the trip message and the switch status message are analyzed, since these messages have the highest real-time requirements. Large message lengths are assumed in the analysis: 159 bytes for the sampled value message, 113 bytes for the trip message and 256 bytes for the switch status message. The input length of the signature calculation cannot exceed 240 bytes. Therefore, the operation delay of the digest calculation of a GOOSE/SMV message ($T_{\mathrm{SM3,digest}}$) is:

$T_{\mathrm{SM3,digest}}\ (\mathrm{ms}) = \frac{240 \times 8}{6 \times 1024^2} \times 10^3 \approx 0.305$  (3)

The delays of the signature ($T_{\mathrm{HMAC,S}}$) and the authentication ($T_{\mathrm{HMAC,A}}$) are given by (4) and (5), respectively:

$T_{\mathrm{HMAC,S}}\ (\mathrm{ms}) = \frac{10^3}{14705} \approx 0.068$  (4)

$T_{\mathrm{HMAC,A}}\ (\mathrm{ms}) = \frac{10^3}{7812} \approx 0.128$  (5)

The data transmitted during the security operations of the GOOSE/SMV messages are the cryptographic key and the input and output data of the signature/authentication. The transmission rate of the serial peripheral interface (SPI) of the A980 chip is 12 Mbit/s, so the transmission delay of GOOSE/SMV during the security operations ($T_{\mathrm{GOOSE/SMV,SPI}}$) is:

$T_{\mathrm{GOOSE/SMV,SPI}}\ (\mathrm{ms}) = \frac{2 \times (240 \times 8 + 800 + 256)}{12 \times 1024^2} \times 10^3 \approx 0.473$  (6)

Therefore, the security operation delay of a GOOSE/SMV message ($T_{\mathrm{GOOSE/SMV,Sec}}$) is:

$T_{\mathrm{GOOSE/SMV,Sec}} = 2T_{\mathrm{SM3,digest}} + T_{\mathrm{HMAC,S}} + T_{\mathrm{HMAC,A}} + T_{\mathrm{GOOSE/SMV,SPI}} \approx 1.279\ \mathrm{ms}$  (7)

4.2.2 Analysis for security operation delay of MMS

According to Fig. 4, the delay of the security operations of an MMS message comes from the following processes: the digest calculation, the signature and authentication of the time field, and the encryption and decryption of the MMS message. The length of the time field is generally no more than 4 bytes and its digest calculation takes about 0.001 ms, so the delay of the digest calculation is negligible.

The delay of completing one signature ($T_{\mathrm{SM2,S}}$) and one authentication ($T_{\mathrm{SM2,A}}$) is:

$T_{\mathrm{SM2,S}} + T_{\mathrm{SM2,A}}\ (\mathrm{ms}) = \frac{10^3}{285} + \frac{10^3}{101} \approx 13.4$  (8)

The length of the signature generated by the SM2 algorithm is 512 bits. Without encryption, the data to be transmitted during the security operations are the time field and the signature field, so the transmission delay during the security operations ($T_{\mathrm{MMS1,SPI}}$) is:

$T_{\mathrm{MMS1,SPI}}\ (\mathrm{ms}) = \frac{(32 + 512) \times 2}{6 \times 1024^2} \times 10^3 \approx 0.173$  (9)

Therefore, without encryption, the security operation delay of MMS ($T_{\mathrm{MMS1,Sec}}$) is:

$T_{\mathrm{MMS1,Sec}} = T_{\mathrm{SM2,S}} + T_{\mathrm{SM2,A}} + T_{\mathrm{MMS1,SPI}} \approx 13.573\ \mathrm{ms}$  (10)

In addition, the delay of completing one encryption ($T_{\mathrm{SM2,E}}$) and one decryption ($T_{\mathrm{SM2,D}}$) is:

$T_{\mathrm{SM2,E}} + T_{\mathrm{SM2,D}}\ (\mathrm{ms}) = \frac{10^3}{112} + \frac{10^3}{119} \approx 17.3$  (11)

The data produced by SM2 encryption consist of two big integers (x and y), a hash value and the ciphertext. The length of x, y and the hash value is 256 bits each, and the length of the ciphertext equals the length of the plaintext. When MMS messages adopt signature-then-encryption on the sending side and decryption-then-authentication on the receiving side, the data transmitted during the security operations are the plaintext, x, y, the hash value and the ciphertext. So the transmission delay during the security operations ($T_{\mathrm{MMS2,SPI}}$) is:

$T_{\mathrm{MMS2,SPI}}\ (\mathrm{ms}) = \frac{(256 \times 2 + 32 \times 3) \times 8 \times 2}{12 \times 1024^2} \times 10^3 \approx 0.928$  (12)

Therefore, when encryption is adopted, the security operation delay of MMS ($T_{\mathrm{MMS2,Sec}}$) is:

$T_{\mathrm{MMS2,Sec}} = T_{\mathrm{SM2,S}} + T_{\mathrm{SM2,A}} + T_{\mathrm{SM2,E}} + T_{\mathrm{SM2,D}} + T_{\mathrm{MMS2,SPI}} = 31.628\ \mathrm{ms}$  (13)

4.2.3 Analysis for security operation delay of TLS

According to Fig. 8, the delay of the security operations of the modified TLS primarily comes from the following processes:
1) Two digest calculations, two signature calculations and two authentication calculations in the process of mutual authentication.
2) On the client, the generation of the session key and its encryption with the server's public key before the client sends the ClientKeyExchange message.
3) On the server, the decryption of the session key with its private key after receiving the ClientKeyExchange message.
4) On the client or server, the digest calculation over the exchanged handshake messages with the SHA256 algorithm, and the encryption or decryption of the digest with the negotiated session key and cipher suite.

In the TLS exchange, the session key is derived from three random numbers generated by the server and the client, which takes about 3 ms ($T_{\mathrm{pk}}$). The length of the plaintext is 256 bits, which is the maximum plaintext length allowed by the SM2 signature algorithm. Therefore, the delay of mutual authentication ($T_{\mathrm{TLS,MA}}$) is:

$T_{\mathrm{TLS,MA}}\ (\mathrm{ms}) = \left(\frac{256}{4 \times 10^3} + \frac{10^3}{285} + \frac{10^3}{101}\right) \times 2 \approx 26.948$  (14)

Before and after transmitting the ClientKeyExchange message, the client and the server use the SM2 algorithm to encrypt and decrypt the session key. The delay of this process is:

$T_{\mathrm{TLS,SM2,E}} + T_{\mathrm{TLS,SM2,D}}\ (\mathrm{ms}) = \frac{10^3}{112} + \frac{10^3}{119} \approx 17.3$  (15)

Except for the ChangeCipherSpec message, the length of the exchanged handshake messages is 425 bytes, and the delay of their digest calculation with SHA256 ($T_{\mathrm{TLS,SHA256}}$) is:

$T_{\mathrm{TLS,SHA256}}\ (\mathrm{ms}) = \frac{425 \times 8}{4 \times 1024^2} \times 10^3 \approx 0.811$  (16)

The delay of authentication with HMAC ($T_{\mathrm{TLS,HMAC}}$) is:

$T_{\mathrm{TLS,HMAC}}\ (\mathrm{ms}) = \frac{10^3}{14705} + \frac{10^3}{7812} \approx 0.086$  (17)

The delay of encryption and decryption with AES ($T_{\mathrm{TLS,AES}}$) is:

$T_{\mathrm{TLS,AES}}\ (\mathrm{ms}) = \left(\frac{256}{9 \times 1024^2} + \frac{256}{7 \times 1024^2}\right) \times 10^3 \approx 0.062$  (18)

The data to be transmitted during the security operations of TLS comprise three plaintexts of 1024 bits, three signatures, two keys of 256 bits and part of the exchanged handshake messages, a total of 905 bytes. The transmission delay between the security chip and the master CPU ($T_{\mathrm{TLS,SPI}}$) is:

$T_{\mathrm{TLS,SPI}}\ (\mathrm{ms}) = \frac{905 \times 8}{12 \times 1024^2} \times 10^3 \approx 0.575$  (19)

Therefore, the total delay of the TLS security operations ($T_{\mathrm{TLS,Sec}}$) is:

$T_{\mathrm{TLS,Sec}} = (T_{\mathrm{TLS,SHA256}} + T_{\mathrm{TLS,HMAC}} + T_{\mathrm{TLS,AES}}) \times 2 + T_{\mathrm{pk}} + T_{\mathrm{TLS,SM2,E}} + T_{\mathrm{TLS,SM2,D}} + T_{\mathrm{TLS,MA}} + T_{\mathrm{TLS,SPI}} = 49.741\ \mathrm{ms}$  (20)

4.3 Simulation for delays of substation communications

To obtain $T_{\mathrm{other}}$ in (1), i.e. the delay other than the security operation delay, we establish a substation network model of type D2-1 as defined in IEC 61850-5 in the simulation software. The specific network structure of type D2-1 is given in [21]. This section presents the configuration and results of the delay simulation of the substation communications, covering both communications between two substations and communications within a substation.

4.3.1 Simulation for delays of communications within substation

Five typical data flows, namely the sampled value message, trip message, switch status message, device status message and file transfer message of the intelligent substation, are simulated. After deploying the security measures, the relevant parameters of the five flows are as shown in Table 3.

Table 3 Parameters of the five data flows for simulation

Data flow       Message   Transmission direction   Period (ms)       Length of modified messages (byte)
Sampled value   SMV       MU → P&C                 0.25              191
Trip            GOOSE     P&C → Breaker            Event-triggered   145
Switch status   GOOSE     Breaker → P&C            Event-triggered   288
Device status   MMS       P&C → Server             30000             384
File transfer   MMS       Server → Station host    300000            10242

In the simulation, the MU starts uploading the sampled value message at t = 0. The P&C starts to upload the device status message to the station server at t = 3 s. A fault occurs in a bay at t = 5 s: the P&C IED sends a trip message to the circuit breaker, and the circuit breaker returns a switch status message to the P&C IED. The file is transmitted during 6–7 s. The result of the simulation is shown in Fig. 10.

Fig. 10 Simulation result of communication delays within substation

Figure 10 shows that the average delay of the network in the substation is 0.135 ms. When the server sends file transfer messages to the host, the average delay increases to 0.24 ms. After the file transfer, the average delay settles back at 0.135 ms. The delay of the GOOSE/SMV messages is about 0.13 ms and the delay of the device status messages is 0.22 ms. The maximum delay of the file transfer message is 0.5 ms.

4.3.2 Simulation for delays of telecontrol communications

The challenge-response authentication is only repeated about 120 s after a successful authentication, so the mechanism can be considered not to affect the real-time performance of the communication services. Therefore, the delay of the challenge-response authentication mechanism is ignored in the analysis, and we primarily simulate the telecontrol communications

based on the modified TLS. It should be noted that, in addition to the communication delays obtained by the simulation, a delay of $T_{\mathrm{SDH}}$ = 0.15 ms occurs each time a message passes through a board on the SDH link.

The TLS handshake is set to start at t = 13 s and the larger file is transferred during 15–16 s; the simulation result is shown in Fig. 11.

Fig. 11 Simulation result of delays for telecontrol communications

The average delay is maintained at 0.481 ms. While the TLS handshake is carried out, the average delay increases to 0.496 ms. While the file transfer message is being transmitted, the average delay increases to 0.546 ms. After the file transfer stops, the average delay settles at 0.488 ms. The maximum delay of the file transfer message is 0.878 ms.

4.4 End-to-end delay of secured communications

According to (1), the end-to-end delay of a communication employing the security measures of the proposed scheme is obtained by summing the above theoretical calculation results and simulation results, as shown in (21) to (24):

$T_{\mathrm{GOOSE/SMV}} = T_{\mathrm{GOOSE/SMV,Sec}} + T_{\mathrm{GOOSE/SMV,other}} = 1.409\ \mathrm{ms}$  (21)

$T_{\mathrm{MMS}} = T_{\mathrm{MMS2,Sec}} + T_{\mathrm{MMS,other}} = 31.848\ \mathrm{ms}$  (22)

$T_{\mathrm{File}} = T_{\mathrm{MMS1,Sec}} + T_{\mathrm{TLS,Sec}} + T_{\mathrm{FTP,other}} = 63.820\ \mathrm{ms}$  (23)

$T_{\mathrm{FarFile}} = T_{\mathrm{MMS1,Sec}} + T_{\mathrm{TLS,Sec}} + T_{\mathrm{FarFile,other}} + T_{\mathrm{SDH}} = 64.492\ \mathrm{ms}$  (24)

where $T_{\mathrm{File}}$ is the end-to-end delay of a file transfer within a substation; $T_{\mathrm{FarFile}}$ is the end-to-end delay of a telecontrol file transfer; and $T_{\mathrm{GOOSE/SMV,other}}$, $T_{\mathrm{MMS,other}}$, $T_{\mathrm{FTP,other}}$ and $T_{\mathrm{FarFile,other}}$ are the delays other than the security operation delay, as in (2).

The delay requirements specified in IEC 61850-5 [22] for the five data flows and their delays in the secured substation network are presented in Table 4, which shows that the end-to-end delays of secured communications based on the security scheme proposed in this paper meet the real-time requirements defined in IEC 61850-5 for intelligent substations.

Table 4 Delays of secured communications and their requirements

Data flow       Delay requirement in IEC 61850 (ms)   Delay (ms)
Sampled value   < 3                                   1.409
Trip            < 3                                   1.409
Switch status   < 3                                   1.409
Device status   < 100                                 31.848
File transfer   500–1000                              ≤ 64.492

To compare the proposed scheme with the existing works [5–8] in terms of real-time performance, the security operations of each scheme are listed in Table 5. Calculating the exact communication delay would require selecting an encryption chip for each scheme, so it is not carried out in this paper. In Table 5, H is a hash operation, E is an encryption operation, D is a decryption operation, S is a signature operation, V is a verification operation, C is a certification operation, and N is a non-linear operation.

Table 5 Comparison of security operations between existing work and this paper in real-time performance

Source       GOOSE/SMV                         MMS                                 TLS
[5]          2E + 2D + 2N                      –                                   –
[6]          2H_SM3 + S_SM2 + V_SM2 + 2C       –                                   –
[7]          –                                 –                                   2S_SM2 + 2V_SM2 + 2C + E_RSA + D_RSA + E_SM4 + D_SM4 + 4H_SM3
[8]          E_RSA + D_RSA + E_DES + D_DES     –                                   –
This paper   2H_SM3 + S_HMAC + D_HMAC          S_SM2 + V_SM2 + E_SM2 + D_SM2       2H_SM3 + 2S_SM2 + 2V_SM2 + E_SM2 + D_SM2 + E_AES + D_AES + 2H_256

The security strength per key bit of elliptic curve cryptography (ECC) is higher than that of RSA. Compared with RSA, ECC has advantages in memory usage, resource consumption and encryption speed [23]. Therefore, according to Table 5, it can be concluded that our scheme is better than the existing works in

real-time performance under the same computing performance.

5 Conclusion

It is urgent to deploy security measures for intelligent substation communications. For this reason, the IEC has developed IEC 62351, but it has shortcomings in real-time performance and security capability, and offers no solution for the management of keys and certificates. In this paper, a new security scheme comprising security measures and a key management method is proposed for smart substations, which not only meets the security demands but also satisfies the real-time requirements of the communications. Considering the characteristics of a power system, we propose employing CLPKC in an intelligent substation. This work provides a practical solution for securing the communications in intelligent substations and can serve as a reference for a revision of IEC 62351.

Acknowledgements This work is supported by the National Key Research and Development Program of China (No. 2017YFB0903000), the National Natural Science Foundation of China (No. 51377122) and the project of State Grid Corporation of China (Research on Cooperative Situation Awareness and Active Defense Method of Cyber Physical Power System for Cyber Attack).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

[1] Cleveland F (2006) IEC TC57 security standards for the power system's information infrastructure. In: Proceedings of IEEE PES transmission and distribution conference and exhibition, Dallas, USA, 21–24 May 2006, pp 1079–1087
[2] Tong XY, Wang XR (2016) Inference and countermeasure presupposition of network attack in incident on Ukrainian power grid. Autom Electr Power Syst 40(7):144–148
[3] IEC 62351 (2005) Data and communications security
[4] Strobel M, Wiedermann N, Eckert C (2016) Novel weaknesses in IEC 62351 protected smart grid control systems. In: Proceedings of IEEE international conference on smart grid communications, Sydney, Australia, 6–9 November 2016, pp 266–270
[5] Wang B, Wang M, Zhang S (2013) A secure message transmission method based on GCM for smart substation. Autom Electr Power Syst 37(3):87–92
[6] Li L, Zhu Y (2009) Authentication scheme for substation information security based on chaotic theory. In: Proceedings of 2009 Asia-Pacific power and energy engineering conference, Wuhan, China, 28–31 March 2009, pp 1–3
[7] Luo Z, Xie JH, Gu W et al (2015) Application of SM2 encrypted system in smart substation inner communication. Autom Electr Power Syst 39(13):116–123
[8] Zhao L, Yan T, Zhu JP et al (2016) Application of SM2 encrypted system in telecontrol communication for smart substation. Autom Electr Power Syst 40(19):127–133
[9] Wang FF, Wang HZ, Chen DQ et al (2014) Substation communication security research based on hybrid encryption of DES and RSA. In: Proceedings of 9th international conference on intelligent information hiding and multimedia signal processing, Beijing, China, 16–18 October 2014, pp 437–441
[10] Suhendray V, Wu YD, Saputra H et al (2016) Lightweight key management protocols for smart grids. In: Proceedings of IEEE international conference on internet of things, Chengdu, China, 15–18 December 2016, pp 345–348
[11] He XZ, Pun MO, Jay Kuo CC (2012) Secure and efficient cryptosystem for smart grid using homomorphic encryption. In: Proceedings of IEEE power and energy society innovative smart grid technologies, Washington DC, USA, 16–20 January 2012, pp 1–8
[12] Nicanfar H, Jokar P, Beznosov K et al (2014) Efficient authentication and key management mechanisms for smart grid communications. IEEE Syst J 8(2):629–640
[13] Fuloria S, Anderson R, Mcgrath K et al (2010) The protection of substation communications. http://101.96.10.42/pdfs.semanticscholar.org/5970/094d87e87f94e73494523116ba24cfcec584.pdf. Accessed 2 May 2016
[14] Cui XH (2016) Research on the security of message and its real-time in smart substation. Dissertation, Harbin Institute of Technology
[15] Al-Riyami SS, Paterson KG (2003) Certificateless public key cryptography. In: Laih CS (ed) Advances in cryptology: ASIACRYPT 2003. Springer, Heidelberg, pp 452–473
[16] Dent AW (2008) A survey of certificateless encryption schemes and security models. Int J Info Secur 7(5):349–377
[17] Baek J, Safavi-Naini R, Susilo W (2005) Certificateless public key encryption without pairing. In: Zhou J, Lopez J, Deng RH et al (eds) Information security, vol 3650. Springer, Heidelberg, pp 134–148
[18] Sun YX, Zhang FT, Baek J (2007) Strongly secure certificateless public key encryption without pairing. In: Bao F, Ling S, Okamoto T et al (eds) Cryptology and network security, vol 4856. Springer, Heidelberg, pp 194–208
[19] Zhang FT, Sun YX, Zhang L et al (2011) Research on certificateless public key cryptography. J Softw 22(6):1316–1332
[20] Boneh D, Franklin M (2001) Identity-based encryption from the Weil pairing. In: Kilian J (ed) Advances in cryptology: CRYPTO 2001, vol 2139. Springer, Heidelberg, pp 213–229
[21] Zhang Z, Huang X, Cao Y et al (2011) Comprehensive data flow analysis and communication network simulation for virtual local area network-based substation. Power Syst Technol 35(5):204–209
[22] IEC 61850-5 (2003) Communication network and systems in substations—part 5: communication requirements for function and device models
[23] Zhan Y (2017) The comparison of RSA and ECC. https://blog.csdn.net/u010646653/article/details/73888734,2017-06-29. Accessed 28 December 2017

Jie ZHANG received the B.S. degree in computer science and technology from Shandong University, China. She is currently pursuing her master's degree at Wuhan University, China. Her research interest is communication security for power systems.

Jun'e LI is a professor in the Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, China. Her research interests include computer network architecture, cyber security, and the security of cyber-physical systems.

Xiong CHEN is an engineer at NARI Group Corporation/State Grid Electric Power Research Institute. His research interests include safety and stability control of power systems.

Ming NI is a principal expert for grid planning and a national expert of the Thousand Talents Plan. His research interests include power system planning and power cyber-physical systems.

Ting WANG is currently pursuing her master's degree at Wuhan University. Her research interest is communication security for power systems.

Jianbo LUO is a senior engineer at NARI Group Corporation/State Grid Electric Power Research Institute. His research interests include safety and stability control of power systems.
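Worked example (added here by the editor; it is not code from the paper). The following Python module recomputes the security-operation delay budget of Sect. 4.2 and the end-to-end check of Sect. 4.4 from the A980 figures of Table 2, using the message sizes and unit conventions of (3)–(20) as reconstructed above, the "other" delays quoted from the Sect. 4.3 simulation (0.13, 0.22, 0.5 and 0.878 ms) and two SDH board crossings, which is what the 64.492 ms of (24) implies. Function and dictionary names are ours, and the chip table is a parameter, so another security chip's rates can be substituted, which the paper does not do. Evaluated this way the formulas reproduce (3)–(11), (14)–(16), (18), (19) and the 1.409 ms of (21); two printed intermediate results do not follow from their own formulas as reconstructed here, 0.928 ms in (12) (the formula gives 0.773 ms) and 0.086 ms in (17) (the formula gives 0.196 ms), so the recomputed T_MMS2,Sec and T_TLS,Sec are about 31.5 ms and 50.0 ms instead of 31.628 ms and 49.741 ms. The verdict of Table 4 is unchanged.

```python
"""Security-operation delay budget of Sect. 4.2 and the end-to-end check of Sect. 4.4.

Editor-added example, not code from the paper. Rates are the A980 figures of Table 2,
sizes and unit conventions are those of (3)-(20); `chip` is a parameter so another
security chip's Table 2 can be plugged in (assumption: it exposes the same SPI link).
"""

MBIT = 1024 ** 2   # the paper converts Mbit/s with 1024^2; kept for fidelity
MS = 1e3           # seconds -> milliseconds

# Table 2 (A980). *_tps: operations per second; *_mbit: Mbit/s. Key names are ours.
A980 = {
    "sm2_enc_tps": 112, "sm2_dec_tps": 119, "sm2_sign_tps": 285, "sm2_verify_tps": 101,
    "sm3_mbit": 6, "sha256_mbit": 4, "aes_enc_mbit": 9, "aes_dec_mbit": 7,
    "hmac_sign_tps": 7812, "hmac_verify_tps": 14705, "spi_mbit": 12,
}


def stream_ms(bits, rate_mbit):
    """Time to push `bits` through an engine or bus rated at `rate_mbit` Mbit/s."""
    return bits / (rate_mbit * MBIT) * MS


def op_ms(tps):
    """Time of one operation on an engine rated at `tps` operations per second."""
    return MS / tps


def goose_smv_sec_ms(chip=A980):
    """T_GOOSE/SMV,Sec of (7): SM3 digest at both ends, HMAC sign and verify, SPI traffic."""
    digest = stream_ms(240 * 8, chip["sm3_mbit"])                      # (3): 240-byte window
    # (4)+(5): Table 2 and the equations swap the sign/verify labels; the sum is the same
    hmac = op_ms(chip["hmac_sign_tps"]) + op_ms(chip["hmac_verify_tps"])
    # (6): 240-byte input, 800 bits of key material and the 256-bit tag cross the SPI twice
    spi = stream_ms(2 * (240 * 8 + 800 + 256), chip["spi_mbit"])
    return 2 * digest + hmac + spi


def mms_sec_ms(chip=A980, encrypted=False):
    """T_MMS1,Sec of (10) (signature only) or T_MMS2,Sec of (13) (sign-then-encrypt)."""
    sign_verify = op_ms(chip["sm2_sign_tps"]) + op_ms(chip["sm2_verify_tps"])  # (8)
    if not encrypted:
        # (9) as printed: 32-bit time field + 512-bit SM2 signature, both directions,
        # divided by 6 Mbit/s rather than the 12 Mbit/s SPI rate used in (6)
        return sign_verify + stream_ms((32 + 512) * 2, 6)
    enc_dec = op_ms(chip["sm2_enc_tps"]) + op_ms(chip["sm2_dec_tps"])          # (11)
    # (12): 256-byte plaintext and ciphertext plus 32-byte x, y and hash, both directions
    spi = stream_ms((256 * 2 + 32 * 3) * 8 * 2, chip["spi_mbit"])
    return sign_verify + enc_dec + spi


def tls_sec_ms(chip=A980, t_pk_ms=3.0):
    """T_TLS,Sec of (20) for the modified TLS handshake; t_pk_ms is the session key derivation."""
    # (14): both sides digest a 256-bit block (the paper divides by 10^3 here), sign and verify
    mutual_auth = 2 * (256 / (chip["sha256_mbit"] * 1e3)
                       + op_ms(chip["sm2_sign_tps"]) + op_ms(chip["sm2_verify_tps"]))
    sm2_key = op_ms(chip["sm2_enc_tps"]) + op_ms(chip["sm2_dec_tps"])          # (15)
    sha256 = stream_ms(425 * 8, chip["sha256_mbit"])                             # (16)
    hmac = op_ms(chip["hmac_verify_tps"]) + op_ms(chip["hmac_sign_tps"])         # (17) formula
    aes = stream_ms(256, chip["aes_enc_mbit"]) + stream_ms(256, chip["aes_dec_mbit"])  # (18)
    spi = stream_ms(905 * 8, chip["spi_mbit"])                                   # (19)
    return (sha256 + hmac + aes) * 2 + t_pk_ms + sm2_key + mutual_auth + spi      # (20)


# T_other per flow from the Sect. 4.3 simulation as quoted in the text, and the
# IEC 61850-5 limits of Table 4 (the 500-1000 ms band is checked against its lower bound)
SIM_OTHER_MS = {"sampled_value": 0.13, "trip": 0.13, "switch_status": 0.13,
                "device_status": 0.22, "file_transfer": 0.5, "telecontrol_file": 0.878}
T_SDH_MS = 0.15            # per SDH board; (24) accounts for two crossings
LIMIT_MS = {"sampled_value": 3, "trip": 3, "switch_status": 3,
            "device_status": 100, "file_transfer": 500, "telecontrol_file": 500}


def end_to_end_ms(chip=A980):
    """T = T_E + T_other of (1) for every flow, following (21)-(24)."""
    goose, tls = goose_smv_sec_ms(chip), tls_sec_ms(chip)
    mms1, mms2 = mms_sec_ms(chip), mms_sec_ms(chip, encrypted=True)
    return {
        "sampled_value": goose + SIM_OTHER_MS["sampled_value"],
        "trip": goose + SIM_OTHER_MS["trip"],
        "switch_status": goose + SIM_OTHER_MS["switch_status"],
        "device_status": mms2 + SIM_OTHER_MS["device_status"],
        "file_transfer": mms1 + tls + SIM_OTHER_MS["file_transfer"],
        "telecontrol_file": mms1 + tls + SIM_OTHER_MS["telecontrol_file"] + 2 * T_SDH_MS,
    }


def check_requirements(chip=A980):
    """Map each flow to (delay_ms, meets_limit) against the Table 4 requirements."""
    return {f: (round(t, 3), t < LIMIT_MS[f]) for f, t in end_to_end_ms(chip).items()}


if __name__ == "__main__":
    for flow, (t, ok) in check_requirements().items():
        print(f"{flow:17s} {t:8.3f} ms  limit {LIMIT_MS[flow]:4d} ms  {'OK' if ok else 'VIOLATED'}")
```

Running the module prints one line per flow. Passing a dictionary with a slower chip (for example a tenth of the SM2 rates) shows the device status flow breaching its 100 ms limit first, because the SM2 sign, verify, encrypt and decrypt terms dominate the MMS budget, while the GOOSE/SMV path uses only SM3 and HMAC and stays far below 3 ms.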