Design, implementation, and evaluation of secure communication for line current differential protection systems over packet switched networks

https://doi.org/10.1016/j.ijcip.2018.06.005

Abstract

In this work we propose a secure communication concept for the protection of critical power supply and distribution infrastructure. In particular, we consider the line current differential protection method for modern smart grid implementations. This protection system operates on critical infrastructure, and it requires precise timing of the communication between devices on both ends of a protected power line. Therefore, the communication has to fulfill deterministic constraints and low-delay requirements and additionally needs to be protected against cyber attacks. Existing systems are often either costly and based on deprecated technology or suffer from maloperations. In order to allow for both economical and reliable operation, we present the first holistic communication concept capable of using state-of-the-art packet switched networks. Our solution consists of three parts: (i) we develop a list of design requirements for line current differential protection systems communication; (ii) we propose a communication concept obeying these design requirements by combining cryptographic and physical security approaches; and (iii) we evaluate our solution in a practical setup. Our evaluation shows a clock accuracy of 3 µs with a resilience to asymmetric delay attacks down to 8 ns/s. This demonstrates the secure and fault-free operation of a line current differential protection system communicating over a state-of-the-art network.

Introduction

The power grid is responsible for providing electrical energy to meet the needs of society. Hence, the power grid is a critical infrastructure as referred to in the Official Journal of the European Union [1] and has to be protected against faults, like an earth fault or short circuit, that would have a high economic impact if not detected accurately. Basically, three protection principles are used for grid protection according to [2]: overcurrent protection, distance protection, and differential protection. Additionally, these systems need to be secured against malicious, intentional attacks from outside the grid to provide a holistic protection of the critical infrastructure. This work addresses the security issues that arise from such attacks on the communication interface for differential protection.

The far-reaching change of the electrical grid from a hierarchical to a distributed topology has a variety of consequences, like reverse power flow, which disrupts existing power grid protection systems, as discussed in [3], [4]. This change is rooted in the introduction of Distributed Renewable Energy Sources (DRES), e.g., wind and photovoltaic power plants, which are replacing centralized large-scale power plants, e.g., coal and nuclear power plants. Lightner and Widergren [5] previously discussed this grid evolution and the aggravating effect of power shortfalls due to non-controllable environmental situations such as decreased wind speed or illumination from the sun. Hence, a power grid including a power control is required to cover the demand of electrical energy in a power grid with DRES. As a consequence, the direction of the power flow changes depending on environmental factors.

Alvin et al. [3] already discussed the impact of the power flow direction on protection systems and proposed a phase comparison scheme based on the same principle as the differential protection scheme. It is inevitable to adapt the protection schemes to the resulting characteristic of the evolved distributed power grid. To establish safe operation of the grid, a robust and flexible protection system is necessary which can handle bidirectional energy flow, as discussed in [3], [6].

Overcurrent and distance protection are well-established protection types, but they suffer from complex coordination of the relay parametrization in a grid with frequent changes of the power flow direction. In contrast, the big advantage of a differential protection system is the absolute selectivity in its protection area and its correct function independent of the energy flow direction. This scheme, according to Fig. 1, is proposed to work most efficiently in a power grid with an increasing penetration level of DRES [4]. Therefore, the importance of differential protection and especially Line Current Differential Protection (LCDP) is increasing in the grid, and it is considered in this work because of its convincing characteristics.

In this work, LCDP protection relays as discussed in [6] are contemplated, which compare the measured currents between the ends of the power line (e.g., overhead line or cable). According to Kirchhoff’s current law, the resulting current must be zero in a non-fault condition. If there is a resulting current above a preset threshold, a fault in the power system is detected. To get an accurate result of the difference current, measurement values from the same point in time have to be compared. Therefore, synchronized sampling at both ends of the line is required to yield proper results.

Fig. 1 shows the basic arrangement of such a system at the top; the diagram at the bottom shows accurately synchronized samples on the left, whereas the difference current caused by poorly synchronized samples is shown on the right. Accurate synchronization is therefore essential for LCDP systems; otherwise a spuriously calculated difference current is the result. By its functional principle, communication between the protection relays, i.e., the protection interface, is required to exchange their measurement values. The timing constraint for transferring the measurement value, i.e., the path delay t_PD along the communication channel, must be lower than the specified limit t_limit (cf. Fig. 1).

An LCDP system is a vital protection approach for the prevailing grids, yet it suffers from high interface costs. Today's realizations either use a dedicated Fiber Optical (FO) cable, or a communication network with a Time Division Multiplexing (TDM) method (e.g., Synchronous Digital Hierarchy (SDH)). TDM-based systems served well through the 1990s, but have reached end of life, as discussed in [7], [8]. This Wide Area Network (WAN) technology is being replaced by Packet Switched Networks (PSNs), like Ethernet [9]. Further literature [10] (Sec. I) also stated that PSNs are increasingly adopted by electrical utilities because of: “packet-based networks offering several operational benefits; the lack of availability of leased Time-Division Multiplexing (TDM) services; the decline of expertise and availability of legacy technologies; and network infrastructure cost optimisations”. A secure and efficient communication concept to use Ethernet WANs for the protection interface has not been discussed yet and is proposed in this paper.

Security investigations are of great importance in addition to protecting the grid from system faults in order to maintain a safe operation and high availability. Hansen et al. [11] previously discussed the vulnerability of the power grid to cyber attacks, referring to the attacked Ukrainian power grid. Therefore, availability, confidentiality and integrity have to be ensured to provide a secure operation of the protection system. In order to achieve this, well-established protocols are available (e.g., IPsec [12] or Transport Layer Security [13]) to meet the security requirements. Nevertheless, it is not possible to prevent all possible threats (e.g., packet dropping and asymmetric delay attacks).

In the following, we describe related work, the contributions of our work and this paper’s structure.

To realize an efficient concept that uses Ethernet communication systems for the protection interface, the requirements for the communication have to be identified first. Operational requirements for LCDP according to standard exist [2], [14], but no holistic summary for the communication interface.

The authors in [15] use the Global Positioning System (GPS) for clock synchronization. GPS is not contemplated in this work by reason of security issues (e.g., GPS spoofing [16]). Another approach focuses on using channel-based clock synchronization, like the Precision Time Protocol (PTP) according to IEEE Std. [17], which needs correcting clocks along the communication path and whose data transfer is based on Layer 2 Ethernet messages [18]. The use of correcting clocks is costly and most existing infrastructures do not support them. Blair et al. [10] discuss the realization of an LCDP system over an IP-based Multi Protocol Label Switching (MPLS) WAN without sampling synchronization between the protection relays to compensate the influence of the jitter caused by the PSN. The correction of asymmetric latencies or jitter, respectively, is performed by using a feature of special WAN devices called asymmetrical delay control. Their implementation presents a cost-effective solution, but suffers from possible maloperations, i.e., unwanted operation of the protection relay.

Aichhorn et al. [19] and [20] propose clock synchronization algorithms for exponentially distributed delays, like they occur in PSNs. No implementation and no measurement in real-life systems has been presented so far.

A predestined protocol for securing IP-based Ethernet communication is IPsec [12]. A major security issue for channel-based clock synchronization, which cannot be solved by using IPsec, is the asymmetric delay attack. IPsec covers security threats on the IP layer in terms of protecting the content of the message without any focus on timing constraints. The delay attack represents a physical attack on the system, where time-sensitive synchronization messages are intentionally delayed in one direction only, which yields a distortion of the clock synchronization. In the field of power system protection, especially for LCDP systems, a correct and precise clock synchronization is essential. A distortion of the clock synchronization may lead to a malfunction of the protection system and threatens the power system, which is a critical infrastructure. Several approaches were published to solve the issue of the delay attack, which are discussed in the following paragraphs, but no such proposed solution can solve this issue for the LCDP system.

Ganeriwal et al. [21] present a threat analysis and propose a secure clock synchronization method for wireless sensor systems. The delay attack is discussed and a countermeasure is proposed to compensate the estimated injected delay to synchronize during such an attack. The basic idea is to observe the delays from A → B and B → A. A delta delay Δ is introduced to estimate if an attack is performed. The probability of detecting a delay attack increases as the injected delay increases. For their system, a reliable delay attack detection is reached for an injected delay of Δ ⩾ 30 μs, where the LCDP system already violates the required synchronization accuracy (cf. Section 2). Further, the authors of [21] only consider a single step of introduced delay but not a slight incremental injected delay (e.g., 8 ns/s, which is discussed in this paper). Therefore, [21] has not investigated the slight but steady increase of the injected delay, which is malicious and jeopardizing for LCDP systems.
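The effect of the asymmetric delay attack on the sample alignment an LCDP relay depends on, as an added example that is not code from the paper and not the paper's synchronization algorithm: a generic two-way (request/reply) offset estimate assumes equal delay in both directions, so delay injected in one direction biases it by half that delay, and the misaligned samples appear as a difference current on a fault-free line. The 50 Hz frequency, 500 µs base delay, unit current amplitude, timestamps and all function names are assumptions; the 8 ns/s ramp and the 30 µs figure are the values quoted in the text.

```python
import math

F_GRID_HZ = 50.0      # assumption: nominal grid frequency
RAMP_S_PER_S = 8e-9   # slow delay ramp quoted in the text (8 ns/s)

def two_way_offset(t1, t2, t3, t4):
    """Offset of clock B relative to clock A from one request/reply exchange.
    t1/t4 are read on A's clock, t2/t3 on B's. The estimate is exact only
    if the A->B and B->A path delays are equal."""
    return ((t2 - t1) - (t4 - t3)) / 2.0

def exchange(true_offset, delay_ab, delay_ba, turnaround=1e-4):
    """Constructed timestamps for one exchange (not captured traffic)."""
    t1 = 0.0
    t2 = t1 + delay_ab + true_offset      # arrival, read on B's clock
    t3 = t2 + turnaround                  # reply leaves B
    t4 = t3 - true_offset + delay_ba      # arrival, read on A's clock
    return t1, t2, t3, t4

def sync_error(injected_delay, base_delay=500e-6, true_offset=0.0):
    """Bias of the estimate when extra delay is added in the A->B direction only."""
    stamps = exchange(true_offset, base_delay + injected_delay, base_delay)
    return two_way_offset(*stamps) - true_offset

def spurious_diff_current(sync_err_s, amplitude=1.0, f=F_GRID_HZ):
    """Peak difference current on a fault-free line whose two ends are sampled
    sync_err_s apart: max |I sin(wt) - I sin(w(t - e))| = 2 I |sin(pi f e)|."""
    return 2.0 * amplitude * abs(math.sin(math.pi * f * sync_err_s))

def sampled_diff_peak(sync_err_s, samples_per_cycle=4000, f=F_GRID_HZ):
    """The same quantity computed from time-domain samples over one cycle."""
    w = 2.0 * math.pi * f
    times = (k / (f * samples_per_cycle) for k in range(samples_per_cycle))
    return max(abs(math.sin(w * t) - math.sin(w * (t - sync_err_s))) for t in times)

def time_to_reach(injected_delay, ramp=RAMP_S_PER_S):
    """Seconds a steady ramp needs to accumulate injected_delay."""
    return injected_delay / ramp

def ramp_timeline(seconds, ramp=RAMP_S_PER_S):
    """(elapsed s, injected delay, sync error, peak difference current in p.u.)."""
    rows = []
    for s in seconds:
        err = sync_error(ramp * s)
        rows.append((s, ramp * s, err, spurious_diff_current(err)))
    return rows

if __name__ == "__main__":
    for s, d, e, i in ramp_timeline([0, 600, 1800, 3750]):
        print(f"t={s:5d} s  injected={d*1e6:6.2f} us  "
              f"sync error={e*1e6:6.2f} us  I_diff={i:.5f} p.u.")
    print("ramp reaches 30 us after", time_to_reach(30e-6), "s")
```

At 8 ns/s the injected delay reaches the 30 µs quoted above after 3750 s, which corresponds to a 15 µs clock error in this model.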

Moussa et al. [22] propose the use of a GPS receiver in addition to the channel-based clock synchronization for a plausibility check of the estimated clock parameter. For this approach it is assumed that a GPS spoofing attack is not happening at the same time as a delay attack, and additional GPS receivers are required for the realization. Mizrahi [23] requires multiple communication paths to create a reference for the validation of the received time information to detect anomalies of the clock synchronization. Hence, it is assumed that the used communication paths are not simultaneously affected by a delay attack, and more than one active communication channel is required for this approach. Since Moussa et al. and Mizrahi assume that no simultaneous attack is going on, and only a single communication path without additional use of GPS is contemplated in this work, these approaches do not provide a sufficient detection method for delay attacks in the application of LCDP systems. We already presented a threat analysis and a related security concept solving the delay attack problem designed for LCDP systems without an assumption of a non-attacked reference time in [24].

With the increased penetration of Smart Grids, communication infrastructure based on PSNs (e.g., Ethernet) is widely available. A secure, accurate and cost-efficient system architecture for the protection interface of an LCDP system using this widely available infrastructure is the key feature for the broad application of LCDP systems to maintain system safety of state-of-the-art power grids.

In this work, a new communication concept for the protection interface is developed, which fulfills the necessary requirements to realize a secure and accurate working LCDP system which uses the existing Ethernet infrastructures. From Aichhorn et al. [14], [24] we summarize the operational requirements on the communication and present a suitable solution for the protection interface.

The contributions of this paper are:

  • A complete set of requirements for the protection interface communication system of an LCDP system communicating over PSN;

  • A holistic concept that enables secure and cost-efficient implementation of the protection interface communication system of an LCDP system without the risk of maloperations;

  • Verification measurements of the implemented proposed clock synchronization algorithm in an embedded system, tested in real-life PSN infrastructures.

This article includes a comprehensive analysis of some aspects which have previously appeared in [19], [24], [25]. First, the concept is based on the proposed transport protocols from [25], including a channel-based clock synchronization from Aichhorn et al. [19] which is implemented in hardware and tested in active Ethernet WANs under various conditions; the related results are presented in this paper. Second, the proposed security concept, presented in [24], is enhanced and investigated in this work for its interoperability. The holistic concept including the requirements, the implementation and the evaluation is presented in this paper.

Section 2 specifies all requirements for a PSN-based protection interface communication system of an LCDP system. Section 3 presents a state-of-the-art implementation of the protection interface using PSNs. Section 4 presents the proposed concept of using existing PSNs for fulfilling the specified requirements and Section 5 evaluates it. The conclusion is finally presented in Section 6.

Section snippets

Requirements for the protection interface communication system of LCDP systems

This section summarizes the necessary requirements for the protection interface communication system of an LCDP system. We first provide a general description of LCDP systems, followed by a detailed set of requirements, shown in Section 2.1 to 2.7. Section 2.8 summarizes the requirements which are subsequently illustrated in Table 1.

The aim of a power system protection relay is to detect and clear faults in a power system. The total clearing time1

State-of-the-art implementation of the protection interface

A dedicated fiber optical cable would be the best solution from the technical point of view, whereas the economic point of view does not support this solution. Considering a distance of hundreds of kilometers between the protection relays, it is very costly to place a dedicated fiber for only this application. In real life, FO cables are used to connect WANs, Ethernet-based nowadays, with a high bandwidth utilization to increase the cost-efficiency. Ethernet is using packet switching to

Proposed communication concept for the protection interface using PSNs

According to Section 3, it is not possible to fulfill all necessary requirements for the protection interface of an LCDP system by using Ethernet with state-of-the-art methods. The aim of this research is to solve these open issues to enable the use of existing Ethernet WANs for the protection interface of LCDP system, which is also applicable to other secure real-time measurement data exchange applications. This section describes the proposed architecture of the protection interface extending

Evaluation / results

The evaluation of the proposed system architecture for the protection interface was performed in a real-life MPLS network of an Austrian utility company by using various topologies, routed across several network devices, i.e., hops. To keep the measurement setup for the evaluation of the clock synchronization and the channel latency / path delay measurement as simple as possible, the interfaces for both protection relays are routed to the same substation. If the devices would be placed at

Conclusion

This paper presents a holistic concept for the protection interface of an LCDP system communicating over a packet switched network and its evaluation results from a real-life environment. The proposed concept provides a protection interface fulfilling the stringent requirements summarized in Table 1. The presented measurements illustrate a proper working system within the required limits. Particularly, the synchronization algorithm enables this concept, also to establish a strong End-to-End

Acknowledgments

This work was supported in part by the research project SmartProtect, supported by The Austrian Research Promotion Agency (FFG), project no. 848911, and in part by the LCM in the framework of the Austrian COMET-K2 program. The financial support by the Austrian Federal Ministry of Science, Research and Economy and the Austrian National Foundation for Research, Technology and Development is gratefully acknowledged.

References (32)

  • Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical...
  • IEEE Std, IEEE Guide for Protective Relay Applications to Transmission Lines, IEEE Std C37.113–2015, IEEE Std.,...
  • T.G. M. Alvin, I.Z. Abidin, H. Hashim, A.A.Z. Abidin, Phase comparison protection for distribution networks with high...
  • A.F. Sarabia, Impact of Distributed Generation on Distribution System, Master’s thesis, Aalborg University, Denmark,...
  • E.M. Lightner, S.E. Widergren, An Orderly Transition to a Transformed Electricity System, IEEE Transactions on Smart...
  • E. Sortomme, S.S. Venkata, J. Mitra, Microgrid Protection Using Communication-Assisted Digital Relays, IEEE...
  • B. Gowan, White paper: SONET/SDH Network Modernization is long overdue, Technical Report, ciena®  corporation, 2013....
  • White paper: TELEPROTECTION OVER MPLS WIDE-AREA NETWORKS, Technical Report, CISCO™ and SIEMENS, 2017. URL...
  • K. Parikh, J. Kim, TDM Services over IP Networks, in: MILCOM 2007 - IEEE Military Communications Conference, 2007, pp....
  • S.M. Blair, C.D. Booth, B.D. Valck, D. Verhulst, K.Y. Wong, Modelling and Analysis of Asymmetrical Latency in...
  • A. Hansen, J. Staggs, S. Shenoi, Security analysis of an advanced metering infrastructure, International Journal of...
  • S. Frankel, S. Krishnan, IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap, RFC 6071, 2011. URL...
  • T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol, RFC 5246, 2008. URL...
  • Communication networks and systems for power utility automation - Part 90-1: Use of IEC 61850 for the communication...
  • S.V. Muddebihalkar, G.N. Jadhav, Analysis of transmission line current differential protection scheme based on...
  • T.E. Humphreys, B.M. Ledvina, M.L. Psiaki, B.W. O’Hanlon, P.M. Kintner Jr, Assessing the spoofing threat: Development...