1 Introduction

With the development of intelligent substations, the communication of substations gradually developed from point-to-point connections to networked connections. Intelligent substations are facing increasing cyber security threats. However, both internal and telecontrol communications of built intelligent substations have not employed any security measures so far [1]. Messages such as sampled value messages and protection control messages can easily be tampered, forged or stolen due to the lack of integrity verification, authentication or encryption. The security of communication services has a profound impact on the reliable operation of primary devices. The attack of messages may cause faults in the power system and cause inestimable losses. A typical case is the large-scale blackout in the Ukrainian grid caused by a cyber-attack at the end of 2015 [2]. Therefore, it is urgent to add security measures to communication networks in a substation.

Security measures cause extra computing cost and communication delay despite improving the communication security of intelligent substations. The measurement and control devices in intelligent substations are usually embedded systems, which have limited computing resources. Intelligent substations have high real-time requirements for communications, and the real-time performance of communications directly affect the reliable operation of the primary device. Therefore, when designing a security scheme for a substation communication network, we need to consider not only the security of the scheme but also its real-time performance.

To provide security assurance for communications in intelligent substations, the International Electrotechnical Commission (IEC) developed some security measures released in IEC 62351 [3]. The cyber-security of intelligent substations has also caused wide public concern in international academe. Reference [4] presented three weaknesses of IEC 62351 but without modification. Reference [5] presented a security mechanism based on galois/counter mode (GCM) to ensure communication security of intelligent substations, but the distribution and management of keys are very complicated. Reference [6] proposed a password authentication method based on chaotic theory, which has poor resistance for addressing plaintext attacks. In order to ensure the secure transmission of communication messages, reference [7, 8] proposed SM2-based security mechanisms, reference [9] designed a security mechanism that was mixed with encryption by DES and RSA, but both of them require high computing performance to satisfy the real-time requirements of substation communications, so they are not suitable for substation systems.

Some scholars studied encryption key management mechanisms for the smart grid, which can be classified in the following categories: key management schemes based on the symmetric-key [10], public key infrastructure (PKI) [11], identity-based cryptosystem (IBC) [12], and preinstalled keys [13]. However, each of these four key management mechanisms has its own weakness. The symmetric key is vulnerable to man-in-the-middle attacks; the mechanism based on PKI creates heavy loads in the communication network as well as delays in certificate exchange; the mechanisms based on IBC or preinstalled keys have the problem of key escrow. Beyond that, to avoid the delay of certificate exchange and reduce the load of the communication network, some scholars are trying to employ the method of a preinstalled certificate for a new device in view of the characteristic that the communication relationship is certain in smart substations, but it comes with the problem of certificate update.

In brief, though scholars have carried out extensive researches on the communication security of intelligent substations, there are various shortcomings in considering its characteristics, especially real-time requirements. In addition, no research so far has solved the problems of the latency of certificates exchanging, certificate management and key escrow in key management.

Therefore, aiming at the cyber threats of intelligent substations, this paper analyzes the security capabilities and shortages of IEC 62351 and presents an overall security scheme for intelligent substation communications taking into account real-time performance. In order to enhance the capabilities of substation communication in terms of confidentiality, integrity, authenticity, immunity against replay attack and non-repudiation, security measures for internal and telecontrol communications are proposed. Moreover, a key management method is designed based on certificateless public key cryptography (CLPKC) to avoid the delay of certificate exchange and the problem of key escrow. Finally, the evaluation of security properties and the analysis of end-to-end delays prove that the security measures in this paper can meet the requirements of security and real-time performance of substation communications.

2 Security requirements of intelligent substation and security capability of IEC 62351

2.1 Threats and security requirements of smart substations

Attacks on intelligent substations can be divided into two phases in terms of time: ① finding the appropriate attack path to access the communication network of substations; ② attacking the communication network or important communication messages to cause abnormalities in the physical device, ultimately reaching the purpose of attacking the smart grid [14]. For the first phase, we can deploy physical isolation, a firewall and other measures in substations to block the attack path. Therefore, we study the threats and security requirements of communication services in the scenario that attackers have successfully accessed the substation’s communication network.

At present, intelligent substations commonly adopt the structure of “three layers, two networks”. The architecture shown in Fig. 1 is a typical framework of a substation’s communication network. The data flows and their message types of communication networks are presented in Fig. 1.

Fig. 1
figure 1

Main data flows in an intelligent substation

Full size image

The data exchanged between the substation level and the other substation or remote control center are primarily control instructions and original data files. The data exchanged between the substation level and bay level are control instructions, device status information and constant values. Manufacturing message specification (MMS) protocol is used in the aforementioned transmission services. These data may be tampered or forged to disturb normal operations of substations, and the status data may be stolen by attackers for future attacks. Therefore, it is necessary to ensure their confidentiality, integrity and authenticity.

The data communications, whether within the bay level or between the bay level and process level, are carried out through the process level network and primarily adopt the generic object oriented substation event (GOOSE) protocol or sampled measure value (SMV) protocol. The sampled value messages, from the merging unit (MU) to the protection and control (P&C) device, adopt the SMV protocol. Control instructions and switch status messages adopt the GOOSE protocol. These messages require high real-time performance. An attacker could control the continuity of a primary device or cause a malfunction of a primary device by tampering, forging or replaying messages, thereby causing the breakdown of the primary device or the instability of the smart grid. Stealing these messages makes little sense. Therefore, the security requirements of the above communication services include integrity, authenticity and availability, and no confidentiality.

In addition, current intelligent substations lack network monitoring and log audit so that the source cannot be traced. Therefore, they are vulnerable for repudiation attacks. Furthermore, all services in substations could suffer from denial of service (DoS) attacks that affect the availability of the substations’ resources.

In brief, the main security threats of substations are unauthorized access, forgery, theft, DoS, and repudiation.

2.2 Security capabilities and shortcomings of IEC 62351

According to Section 2.1 and IEC 62351, security threats, requirements and capabilities of IEC 62351 for messages in substation communication networks can be summarized as shown in Table 1, which shows that the security capabilities of IEC 62351 cannot meet the security requirements of the substations.

Table 1 Security threats, requirements and capabilities of IEC 62351 for messages in substations
Full size table

There are also additional shortages in IEC 62351 as follows:

  1. 1)

    Key or certificate management has not yet been specified in IEC 62351 standards.

  2. 2)

    Some of the security measures specified in IEC 62351 have weaknesses that make them unsuitable for communication services in intelligent substations. As an illustration, the performance of the specified signature algorithm for the GOOSE and SMV messages cannot satisfy real-time requirements of substation communications because of the high complexity of the RSA.

3 Proposed security scheme for communications of intelligent substations

The security scheme includes security measures for communication messages and its key management method. The communications messages involve the internal and telecontrol communications of the substation system. The security measures are improvements to those in IEC 62351, and the key management method is based on CLPKC in this scheme. The main contents are as shown below: the security measures of GOOSE/SMV and MMS in IEC 62351 are improved in Section 3.1; the transport layer security (TLS) protocol is modified to fit CLPKC, and its handshake process of modified TLS is shown in Section 3.2; a deployment of CLPKC is presented in Section 3.3. The modified TLS is for both telecontrol communications and the low-speed messages of internal communications.

3.1 Security measures for internal communications of intelligent substations

The deployment of security measures for communications within a substation is shown in Fig. 2. Security measures proposed for GOOSE/SMV can be used to protect the communications within the bay level and the communications between the bay level and process layer (shown as the blue arrows in Fig. 2). Security measures proposed for MMS can be used to protect the communications within the substation level and the communications between the substation level and bay level (shown as the red arrows in Fig. 2).

Fig. 2
figure 2

Deployment of security measures within substation

Full size image

3.1.1 Security measures for GOOSE/SMV

As discussed in Section 2.1, the security requirements of GOOSE/SMV are authenticity, integrity, availability and non-repudiation. Taking into account the same security requirements of the SMV and GOOSE protocols, this paper designs the same measures to protect GOOSE/SMV messages.

According to IEC 62351-6, the reserved fields and extension fields in GOOSE/SMV are used to extend the function of GOOSE/SMV messages as follows:

  1. 1)

    The first byte of the Reserved1 field shall be used to specify the number of octets conveyed by the extension octets; the Reserved2 field shall contain a 16-bit cyclic redundancy check (CRC), the CRC shall be calculated over octets 1–8 of the VLAN information of the extended protocol data unit (PDU).

  2. 2)

    The extension shall be encoded; the authentication value field shall be used to store the signature value.

  3. 3)

    In order to prevent a replay attack, skew filtering and timestamp checking are proposed to distinguish current messages and outdated messages.

The security measures in IEC 62351 for GOOSE/SMV cannot resist repudiation. Therefore, this paper proposes that the unique identification on behalf of the identity of a device in a substation is added into the Reserved SEQUENCE field. Hence, the device cannot deny its participation in the communication. Moreover, considering the real-time requirement of GOOSE/SMV messages, a hash-based message authentication code (HMAC) algorithm is employed to calculate the signature value instead of the asymmetric RSA algorithm specified in IEC 62351, and the SHA256 algorithm is employed for the hash calculation. The specific authentication process of GOOSE/SMV is shown in Fig. 3.

Fig. 3
figure 3

Security authentication process of GOOSE/SMV

Full size image

3.1.2 Security measures for MMS

MMS is an application protocol based on TCP/IP. The security requirement of MMS includes confidentiality, integrity, authenticity, availability and non-repudiation as discussed in Section 2.1.

According to IEC 62351-4, the authenticity of MMS is provided by peer entity authentication that occurs at association set up time. The authentication is implemented through association control service element (ACSE) security as follows: enabling sender-ACES-requirements field and responder-ACSE-requirement field of the authentication functional unit (FU) of ACSE, defining the data structure MMS_Authentication-value where the signature value is stored.

In order to improve the security measures in IEC 62351 for MMS in terms of integrity, non-repudiation and confidentiality, this paper proposes the following security measures.

To protect the integrity of MMS, this paper adopts the method of hashing the date of MMS messages by using a hash algorithm to prevent the unauthorized modification. Considering the requirements of intelligent substations for security and real-time performance, we select SM3 as the hash algorithm. To resist the repudiation attack, this paper proposes adding a unique identification of the device into the MMS message. The specific authentication process of MMS is shown in Fig. 4.

Fig. 4
figure 4

Specific authentication process of MMS

Full size image

IEC 62351 suggests that the confidentiality of MMS is provided by TLS protocol but does not specify details about it, and TLS has deficiencies in real time. In addition, there are different communication services of MMS messages in intelligent substations, such as the device status message and file transfer message. The device status message is a medium-speed message whereas the file transfer message is a low-speed message. They have different requirements of real-time performance for communication services. Therefore, in this paper, different security measures are designed for different services of MMS messages to ensure their confidentiality after considering their real-time requirements: low-speed messages adopt the modified TLS proposed in this paper; medium-speed messages adopt the method of signature-then-encryption on the sending side and decryption-then-authentication on the receiving side. Compared with the RSA algorithm, SM2 has the advantages of higher security, faster operation, and less resource consumption, so we select SM2 as the algorithm of authentication and encryption.

3.2 Security measures for telecontrol communications

The deployment of security measures for telecontrol communications is shown in Fig. 5. The challenge-response mechanism is adopted to protect the communications between the two substations. The modified TLS protocol, which achieves mutual authentication by exchanging signatures instead of digital certifications, is used to protect the communications between the substation and remote control center.

Fig. 5
figure 5

Deployment of security measures for telecontrol communications

Full size image

3.2.1 Challenge-response mechanism

Challenge-response provides the authentication for the application layer. According to IEC 62351-5, the role of a substation can be a challenger or a responder for one inter-station communication connection. When inter-station operations are associated with specific application service data units (ASDUs) that the challenger considers to be protected, the challenge-response authentication mechanism based on HMAC will be used. The authentication process is shown in Fig. 6.

Fig. 6
figure 6

Process of challenge-response authentication

Full size image

3.2.2 Modifications to TLS

Both of the communications between two substations and the communications between a substation and remote control center primarily use TCP/IP. TLS can be used to protect telecontrol communications. In order to fit CLPKC, TLS shall be modified as follows: mutual authentication is completed by exchanging the signature instead of using digital certification, so as to avoid the impact of certificate exchange on real-time performance of the communication.

Depicted in Fig. 7, the handshake of our modified TLS consists of the following three steps:

Fig. 7
figure 7

Handshake process of modified TLS protocol

Full size image

Step 1: Start handshake.

  1. 1)

    Client sends ClientHello message to server, which contains version, random value a, session_id, and cipher_suites, etc.

  2. 2)

    Server responds client with ServerHello message, which specifies negotiated parameters and contains random value b.

Step 2: Implement mutual authentication between server and client.

  1. 1)

    Server selects a random plaintext M, and the signature S = Sig(Ssk, Hash(M)) is calculated with the private key (Ssk) of server. Then, server sends M and S to client by ServerAuthenicate message.

  2. 2)

    Server sends AuthenticateRequest message to client to request authenticating the identity of client.

  3. 3)

    Client calculates H = Ver(S, Spk) with the server’s public key (Spk) and judges whether the identity of server is legal by comparing H with Hash(M). Then, client calculates S′ = Sig(Csk, Hash(M)) with the client’s private key (Csk) and sends S′ to server.

  4. 4)

    Server calculates H′ = Ver(S′, Cpk) with the client’s public key (Cpk) to verifies the identity of client.

Step 3: Negotiate session key and finish handshake.

  1. 1)

    Client generates a random number Npm and generates session key SK with a, b, and Npm. Then, E = Encrypt(Spk, Npm) is calculated and sent to the server, where Encrypt(·) is the encryption function.

  2. 2)

    Server decrypts E by using the decryption fuction Decrypt(·) to obtain Npm = Decrypt(Ssk, E), and then, server calculates the session key SK with a, b and Npm using the function Fuc(·).

  3. 3)

    Client and server verify the handshake channel, if success, both sides exchange communication data by SK. Then, they indicate that they have switched to encryption mode by ChangeCipherSpec message and finish the handshake through Finished message.

To ensure the security of the communication process, this paper suggests SM2 as the signature algorithm for authentication and the encryption algorithm for encrypting the session key. The advanced encryption standard (AES) algorithm is used to encrypt the session data, and the SHA256 algorithm is used to calculate the message digest.

3.3 Scheme of key management

PKI has been widely used in large-scale public networks, but the certificate management for enormous intelligent electronic devices (IEDs) in substations and the exchange of certificates would result in huge communications costs. The research on IBC is still undergoing and the revocation and escrow of keys are unsolved in IBC. Therefore, considering the characteristics of communications in smart substations and the requirements of messages for real-time performance, this paper proposes employing CLPKC in substations and presents a method of key update based on time validity.

3.3.1 Deployment of CLPKC in substation

In CLPKC, the generation of the user’s public key is not completely based on its identity information, and the key generation center (KGC) does not know the user’s whole private key. CLPKC does not require manage certificates and therefore effectively solves the key escrow problem. At present, there are various models of CLPKC [15,16,17,18,19]. Considering the characteristics of substation communications, after comparing the existing CLPKC models, this paper chooses the model in [18] for the scheme and a deployment in a substation system based on the following proposal.

In this scheme, KGC uses a centralized-distributed architecture, which should be first established in the power system. The detailed process of a device obtaining a pair of public keys and private keys consists of the following four steps.

Step 1: The upper KGC generates public parameters (spk) and master key (smk) randomly for every substation.

Step 2: When a device applies for key, the underlying KGC in the substation generate part private key (dID) and partial public key (pID) with spk, smk and device’s identifier ID, and sends dID and pID to the device through the secure channel.

Step 3: The device generate a secret value (xID) with spk and ID, and generate a public key (pkID) with spk, pID and xID. Then the device publishes pkID out in the substation.

Step 4: Taking spk, dID and xID as input, the device generate the private key (skID).

The security process based on this deployment of CLPKC in substation is shown in Fig. 8.

Fig. 8
figure 8

Certificateless security processes

Full size image

3.3.2 Key updating method

To ensure the availability of the public key in a certain period, the traditional public key cryptography binds the user to the public key by certification authority (CA) certification, and the cryptographic key of the user is bound to their identification information in the CLPKC. In order to complete the key management scheme, this paper considers the characteristics of substation communications and chooses the method in [20] for the key update. The preset time validity shall be attached to the user’s identity to achieve the update and revocation of the key. For example, if the public key of device A in a substation is (A_Identity, spk) || current-day, it means that A needs to update its key every day, otherwise the key will automatically expire. One could potentially make this approach more granular by changing the preset time validity. The shorter the time validity is, the higher the frequent update will be, and the more secure the cryptographic key will be. But frequent updates of cryptographic keys will increase communication latency. Therefore, the update frequency requires consideration of the real-time requirements of various communication messages in practice. On the premise of satisfying the real-time performance of the communication, the frequency of the key update increases. This will be considered in a future work.

3.4 Scheme security analysis

Security of the proposed scheme is analyzed from the following two aspects.

3.4.1 Security of measures

  1. 1)

    Integrity and authenticity: in this scheme, the AuthenticationValue filed in the GOOSE/SMV message is enabled with signature authentication based on the HMAC algorithm to ensure the integrity and authenticity of GOOSE/SMV messages, which prevents the data from being tampered or forged during the transmission. Furthermore, we define the data structure of the Authentication value of MMS and adopt peer entity authentication based on the SM2 algorithm to verify the integrity and authenticity of MMS messages. The method of hashing the date of MMS messages by the SM3 algorithm can prevent an unauthorized modification. By this way, attackers cannot arbitrarily tamper or forge messages.

  2. 2)

    Confidentiality: in the scheme, as for different types of MMS messages, different measures are designed to ensure the confidentiality of message transmissions. Modified TLS protocol is adopted to ensure the confidentiality of low-speed messages, whereas medium-speed messages adopt the encryption algorithm to ensure their confidentiality. These measures can effectively prevent data from being stolen.

  3. 3)

    Non-repudiation: the unique identification of the sender is carried in the Reserved SEQUENCE field of messages to ensure that the device cannot deny its participation in the communication, which effectively resists a repudiation attack.

  4. 4)

    Immunity against replay: skew filtering and timestamp checking are used to distinguish the current packages and outdated packages, which effectively prevent a replay attack.

3.4.2 Security of key management

Considering the disadvantages of PKI and IBC, we propose employing CLPKC in substations. As an important part of the security scheme, the security of the key management is crucial. In the idea of security for CLPKC, there are two types of adversaries, type I and type II. The type I adversary AI does not have access to the master key but it may replace the public key of arbitrary identities with values of its own choice, whereas the type II adversary AII does have access to the master key but may not replace the public keys of entities. In the deployment of CLPKC in substations in this paper, the private key is not only related to a secret value but also to a partial private key obtained from the KGC, and the secret value is not transmitted through the channel. It is secure against type I and type II adversaries in a strong sense, provided that the computational Diffie-Hellman problem is intractable and the underlying hash functions are the random oracles [17].

4 Analysis for real-time performance of scheme

4.1 Composition of communication delay

The end-to-end delay of a message across the secured network with the proposed security measures primarily includes the following four parts, as shown in Fig. 9.

Fig. 9
figure 9

Composition of message communication delay in secured substation network

Full size image
  1. 1)

    Generating delay (TG) and parsing delay (TP): the time that the sender generates and encapsulates the message from application layer to physical layer, and the time that the receiver parses and extracts the message from physical layer to application layer.

  2. 2)

    Delay of security operations (TE): the computing time of security measures and the delay of transmissions between the security chip and master CPU.

  3. 3)

    Sending delay (TS) and receiving delay (TR): the time that the sender sends all of the packet’s bits into the wire and the time that the receiver receives all of the packet’s bits from the wire, which is defined the same as usual. This is the delay caused by the data rate of the link.

  4. 4)

    Link transmission delay (TL): the amount of the propagation delay on the links and the processing and queuing delay in forwarding nodes from source to destination.

According to the above analysis, the end-to-end delay T of messages in intelligent substations is as follows:

$$T = T_{\text{E}} + T_{\text{other}}$$
(1)

where \(T_{\text{other}}\) is the delay in addition to the delay of security operations:

$$T_{\text{other}} = T_{\text{G}} + T_{\text{S}} + T_{\text{L}} + T_{\text{P}}$$
(2)

Current simulation software cannot support the simulation of the proposed security operations. It is difficult to embed the security operation implementations to the existing simulation software, and the workload is too large to implement an entire simulation system. Therefore, the method of combining the theoretical calculation with the simulation is used to analyze end-to-end delays in this paper. The delay of security operations is calculated through theoretical analysis and the other delays are obtained by simulation in the software.

4.2 Calculation of security operation delays

Due to the high real-time requirement of intelligent substation communication, security chips are used to support security measures in our security scheme. After detailed analysis and comparison of various security chips, we selected A980 chip as a practical choice for analysis. The calculation rates of partial algorithms of A980 are shown in Table 2, in which the unit tps signifies times per second.

Table 2 Calculating speed of partial algorithms of A980 chip
Full size table

4.2.1 Analysis for security operation delay of GOOSE/SMV

According to Fig. 3, the authenticating process of GOOSE/SMV includes a CRC, digest calculation and signature calculation. The calculating length of CRC is 8 bytes, which is ignored here because of the simplicity of CRC. The length of a GOOSE/SMV message varies when it transmits different types of information. In this paper, the delays of the sampled value message, trip message and switch status message are analyzed. These messages have the highest real-time requirements. Large lengths of these messages are configured in the analysis: sampled value message is 159 bytes, trip message is 113 bytes, and switch status message is 256 bytes. The input length of signature calculation cannot exceed 240 bytes. Therefore, the operation delay of the digest calculation of the GOOSE/SMV message (TSM3,digest) is:

$$\left\{ {T_{{{\text{SM}}3,{\text{digest}}}} } \right\}_{\text{ms}} \le \frac{240 \times 8}{{6 \times 1024^{2} }} \times 10^{3} \approx 0.305$$
(3)

The delays of signature (THMAC,S) and authentication (THMAC,A) are calculated, respectively, as (4) and (5).

$$\left\{ {T_{{{\text{HMAC}},{\text{S}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{14705} \approx 0.068$$
(4)
$$\left\{ {T_{{{\text{HMAC}},{\text{A}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{7812} \approx 0.128$$
(5)

Data transmitted during security operations of the GOOSE/SMV messages are the cryptographic key and the input and output data of the signature/authentication. The transmission rate of serial peripheral interface (SPI) of the A980 chip is 12 Mbit/s, so the transmission delay of GOOSE/SMV during the security operations (TGOOSE/SMV,SPI) is:

$$\left\{ {T_{{{\text{GOOSE}}/{\text{SMV}},{\text{SPI}}}} } \right\}_{\text{ms}} = \frac{{2 \times \left( {240 \times 8 + 800 + 256} \right) \times 10^{3} }}{{12 \times 1024^{2} }} \approx 0.473$$
(6)

Therefore, the security operation delay of GOOSE/SMV message (TGOOSE/SMV,Sec) is:

$$T_{{{\text{GOOSE}}/{\text{SMV}},\,{\text {Sec}}}} = 2T_{{{\text{SM}}3,{\text{digest}}}} + T_{{{\text{HMAC}},{\text{S}}}} + T_{{{\text{HMAC}},{\text{A}}}} + T_{{{\text{GOOSE}}/{\text{SMV}},{\text{SPI}}}} \approx 1.279 \text{ ms}$$
(7)

4.2.2 Analysis for security operation delay of MMS

According to Fig. 4, the delay of the security operation of the MMS message comes from the following processes: the digest calculation, the signature and authentication of the time field, and the encryption and decryption of the MMS message. The length of the time field is generally no more than 4 bytes and the time of digest calculation is about 0.001 ms, so the delay of digest calculation is negligible.

The delay of completing a process of the signature (TSM2,S) and authentication (TSM2,A) is:

$$\left\{ {T_{{{\text{SM}}2,{\text{S}}}} + T_{{{\text{SM}}2,{\text{A}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{285} + \frac{{10^{3} }}{101} \approx 13.4$$
(8)

The length of the signature generated by the SM2 algorithm is 512 bits. Without encryption, data to be transmitted during security operations include the time field and signature field, so the transmission delay during security operations (TMMS1,SPI) is:

$$\left\{ {T_{{{\text{MMS}}1,{\text{SPI}}}} } \right\}_{\text{ms}} = \frac{{\left( {32 + 512} \right) \times 2}}{{6 \times 1024^{2} }} \times 10^{3} \approx 0.173$$
(9)

Therefore, without encryption, the security operations delay of MMS (TMMS1,Sec) is calculated as:

$$T_{{{\text{MMS}}1,{\text{Sec}}}} = T_{{{\text{SM}}2,{\text{S}}}} + T_{{{\text{SM}}2,{\text{A}}}} + T_{{{\text{MMS}}1,{\text{SPI}}}} \approx 3.573 \text{ ms}$$
(10)

In addition, the delay of completing a process of encryption (TSM2,E) and decryption (TSM2,D) is:

$$\left\{ {T_{{{\text{SM}}2,{\text{E}}}} + T_{{{\text{SM}}2,{\text{D}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{112} + \frac{{10^{3} }}{119} \approx 17.3$$
(11)

Date encrypted by SM2 include two BigInteger (x and y), hash value and ciphertext. The length of x, y or hash value is 256 bits, and the length of ciphertext is equal to the length of plaintext. When MMS messages adopt the method of signature-then-encryption on the sending side and decryption-then-authentication on the receiving side, the transmitted data during security operations include plaintext, x, y, hash value and ciphertext. So the transmission delay during security operations (TMMS2,SPI) is:

$$\left\{ {T_{{{\text{MMS}}2,{\text{SPI}}}} } \right\}_{\text{ms}} = \frac{{\left( {256 \times 2 + 32 \times 3} \right) \times 8 \times 2}}{{12 \times 1024^{2} }} \times 10^{3} \approx 0.928$$
(12)

Therefore, when encryption is adopted, the security delay of operations of MMS (TMMS2,sec) is:

$$T_{{{\text{MMS}}2,{ {\text {Sec}} }}} = T_{{{\text{SM}}2,{\text{S}}}} + T_{{{\text{SM}}2,{\text{A}}}} + T_{{{\text{SM}}2,{\text{E}}}} + T_{{{\text{SM}}2,{\text{D}}}} + T_{{{\text{MMS}}2,{\text{SPI}}}} = 31.628 {\text{ ms}}$$
(13)

4.2.3 Analysis for security operation delay of TLS

According to Fig. 8, delay of the security operations of the modified TLS primarily comes from the following processes:

  1. 1)

    Two digest calculations, two signature calculations and two authentication calculations in the process of mutual authentication.

  2. 2)

    In the client, the generation of the session key and its encryption by the server’s public key before the receiver sends the ClientKeyExchange message.

  3. 3)

    The server uses its private key to decrypt the session key after receiving the ClientKeyExchange message.

  4. 4)

    The client or server calculates the digest of interacted handshake messages by the SHA256 algorithm, and carries out encryption or decryption of the digest by negotiated session key and cipher suites.

In the interaction process of TLS, the session key is calculated based on three random numbers generated by the server and client, which takes about 3 ms (Tpk). The length of the plaintext is 256 bits, which is the maximum plaintext length allowed by the SM2 signature algorithm. Therefore, the delay of mutual authentication (TTLS,MA) is:

$$\left\{ {T_{{{\text{TLS}},{\text{MA}}}} } \right\}_{\text{ms}} = \left( {\frac{256}{{4 \times 10^{3} }} + \frac{{10^{3} }}{285} + \frac{{10^{3} }}{101}} \right) \times 2 \approx 26.948$$
(14)

Before and after transmitting the ClientKeyExchange message, the client and the server both adopt the SM2 algorithm to encrypt and decrypt the session key. The delay of this process is:

$$\left\{ {T_{{{\text{TLS}},{\text{SM}}2,{\text{E}}}} + T_{{{\text{TLS}},{\text{SM}}2,{\text{D}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{112} + \frac{{10^{3} }}{119} \approx 17.3$$
(15)

Except for the ChangeCipherSpec message, the length of the interacted message is 425 bytes, and the delay of its digest calculation with SHA256 (TTLS,SHA256) is:

$$\left\{ {T_{{{\text{TLS}},{\text{SHA}}256}} } \right\}_{\text{ms}} = \frac{425 \times 8}{{4 \times 1024^{2} }} \times 10^{3} \approx 0.811$$
(16)

The delay of authentication with HMAC TTLS,HMAC is:

$$\left\{ {T_{{{\text{TLS}},{\text{HMAC}}}} } \right\}_{\text{ms}} = \frac{{10^{3} }}{14705} + \frac{{10^{3} }}{7812} \approx 0.086$$
(17)

The delay of encryption and decryption with ASE (TTLS,AES) is:

$$\left\{ {T_{{{\text{TLS}},{\text{AES}}}} } \right\}_{\text{ms}} = \left( {\frac{256}{{9 \times 1024^{2} }} + \frac{256}{{7 \times 1024^{2} }}} \right) \times 10^{3} \approx 0.062$$
(18)

Data to be transmitted during the security operations of TLS include three plaintexts of 1024 bits, three signatures, two keys of 256 bits and a partial interacted message, which is a total of 905 bytes. The transmission delay between the security chip and master CPU (TTLS,SPI) is:

$$\left\{ {T_{{{\text{TLS}},{\text{SPI}}}} } \right\}_{\text{ms}} = \frac{905 \times 8}{{12 \times 1024^{2} }} \times 10^{3} \approx 0.575$$
(19)

Therefore, the total delay of the TLS security operations (TTLS,Sec) is:

$$T_{{{\text{TLS}},{\text{ Sec} }}} = \left( {T_{{{\text{TLS}},{\text{SHA}}256}} + T_{{{\text{TLS}},{\text{HMAC}}}} + T_{{{\text{TLS}},{\text{AES}}}} } \right) \times 2 + T_{\text{pk}} + T_{{{\text{TLS}},{\text{SM}}2,{\text{E}}}} + T_{{{\text{TLS}},{\text{SM}}2,{\text{D}}}} + T_{{{\text{TLS}},{\text{MA}}}} + T_{{{\text{TLS}},{\text{SPI}}}} = 49.741\,{\text{ms}}$$
(20)

4.3 Simulation for delays of substation communications

To obtain \(T_{\text{other}}\) in (1) in addition to the security operation delay, we establish a substation network model of type D2-1 defined in IEC 61850-5 in the simulation software. The specific network structure of type D2-1 is given in [21]. This section will present the configuration and result of simulation for delays of the substation communications, including communications between two substations and communications within a substation.

4.3.1 Simulation for delays of communications within substation

Five typical data flows including sampled value message, trip message, switch status message, device status message and the file transfer message of the intelligent substations are simulated. After deploying security measures, the relevant parameters of the five flows are shown in Table 3.

Table 3 Parameters of the five data flows for simulation
Full size table

In the simulation, we set MU to upload the sampled value message at t = 0. P&C starts to upload the device status message to the station server at t = 3 s. An error occurs at a bay at t = 5 s, P&C IED sends a tripping message to the circuit breaker, and then the circuit breaker returns a switch status message to P&C IED. The file is transmitted during 6–7 s. The result of the simulation is shown in Fig. 10.

Fig. 10
figure 10

Simulation result of communication delays within substation

Full size image

Figure 10 shows that the average delay of the network in the substations is 0.135 ms. When a server sends file transfer messages to the host, the average delay increases to 0.24 ms. After the file transfer, the average delay is stable at 0.135 ms. The delay of the GOOSE/SMV messages is about 0.13 ms and the delay of device status messages is 0.22 ms. The maximum delay of the file transfer message is 0.5 ms.

4.3.2 Simulation for delays of telecontrol communications

The authentication based on the challenge-response mechanism will delay for about 120 s after one authentication, so it can be considered that the mechanism does not affect the real-time performance of communication services. Therefore, the delay of the challenge-response authentication mechanism is ignored in the analysis, and we primarily simulate the telecontrol communications based on the modified TLS. It should be noted that, in addition to the communication delays by the simulation, a delay of \(T_{\text{SDH}}\) = 0.15 ms occurs when a message passes through a board on the SDH link.

The TLS handshake is set to start at t = 13 s and the larger file is transferred during 15–16 s, and the simulation result is shown in Fig. 11. The average delay is maintained at 0.481 ms. When the TLS handshake is carried out, the average delay increases to 0.496 ms. When the file transfer message is being transmitted, the average delay increases to 0.546 ms. After the file transferring stops, the average delay stabilizes at 0.488 ms. The maximum delay of the file transfer message is 0.878 ms.

Fig. 11
figure 11

Simulation result of delays for telecontrol communications

Full size image

4.4 End-to-end delay of secured communications

According to (1), the end-to-end delay of a communication employing the security measures of the proposed scheme can be obtained by summing up the above theoretical calculation results and simulation results, as shown in (22) to (24):

$$T_{{{\text{GOOSE}}/{\text{SMV}}}} = T_{{{\text{GOOSE}}/{\text{SMV}},{\text{Sec} }}} + T_{{{\text{GOOSE}}/{\text{SMV}},{\text{other}}}} = 1.409 {\text{ ms}}$$
(21)
$$T_{\text{MMS}} = T_{{{\text{MMS}}2,{\text{Sec} }}} + T_{{{\text{MMS}},{\text{other}}}} = 31.848 {\text{ ms}}$$
(22)
$$T_{\text{File}} = T_{{{\text{MMS}}1,{\text {Sec} }}} + T_{{{\text{TLS}},{\text {Sec} }}} + T_{{{\text{FTP}},{\text{other}}}} = 63.820 {\text{ ms}}$$
(23)
$$T_{\text{FarFile}} = T_{{{\text{MMS}}1,{\text{Sec} }}} + T_{{{\text{TLS}},{\text{Sec} }}} + T_{{{\text{FarFile}},{\text{other}}}} + T_{\text{SDH}} = 64.492 {\text{ ms}}$$
(24)

where TFile is the end-to-end delay of file transfer inner substation; TFarFile is the end-to-end delay of telecontrol file transfer; TGOOSE/SMV,other, TMMS,other, TFTP,other and TFarFile,other are the delays in addition to security operations delay as (2).

The delay requirements specified in IEC 61850-5 [22] of the five data flows and their delays in the secured substation network are presented by Table 4, which shows that the end-to-end delays of secured communications based on the security scheme proposed in this paper meet the real-time requirements defined in IEC 61850-5 for intelligent substations.

Table 4 Delays of secured communications and their requirements
Full size table

To compare the proposed scheme in this paper with the existing works [5,6,7,8] in terms of real-time performance, the security operations in each scheme are listed in Table 5. Calculating the exact communication delay involves the work of selecting an encryption chip for each scheme, so it is not carried out in this paper. In Table 5, H is a hash operation, E is an encryption operation, D is a decryption operation, S is a signature operation, V is a verification operation, C is a certification operation, and N is a nonlinear operation.

Table 5 Comparison of security operations between existing work and this paper in real-time performance
Full size table

The unit security strength of the elliptic curves cryptography (ECC) algorithm is higher than the RSA algorithm. Compared with RSA, ECC has advantages in terms of memory usage, resource consumption and encryption speed [23]. Therefore, according to Table 5, it can be concluded that our scheme is better than existing works in real-time performance under the same computing performance.

5 Conclusion

It is urgent to deploy security measures for intelligent substation communications. For this reason, the IEC has developed IEC 62351, but it has shortcomings for real-time performance and security capability, and offers no solution for the management of keys and certificates. In this paper, a new security scheme including security measures and a key management method is proposed for smart substations, which not only meets the security demands but also satisfies the real-time requirements of the communications. Considering the characteristics of a power system, we innovatively propose to employ CLPKC in an intelligent substation. This work provides a practical solution for securing the communications in intelligent substations and can be a reference for a revision of IEC 62351.