What is Secure GOOSE & Sampled Values?

GOOSE is a mechanism for transmitting time-critical information, such as alarms or status changes, between intelligent electronic devices (IEDs) in a substation. Sampled Values provides synchronized sampling and transmission of analog data, such as voltage and current, from sensors to protection and control devices in substations. Securing GOOSE and Sampled Values refers to the implementation of enhanced security measures in the transmission of real-time events and analog measurements throughout the power system, namely authentication and optionally encryption: 

When using KDC, each GDOI (Group Domain of Interpretation as defined in RFC-6407) has one publisher and one or more subscribers.  The KDC Server is responsible for assigning cryptographic keys to each GDOI and sending them to each KDC Client, which then matches the GDOIs to the correct publisher or subscriber stream on the device.  

Authentication (mandatory for routable versions) - GOOSE and Sampled Values are authenticated by utilizing HMAC to validate that the messages were signed with the key supplied by the KDC Server, this verifies that the message was not corrupted in transit.       

Encryption (optional) - Implement encryption to protect the confidentiality of the data transmitted. Encryption ensures that unauthorized parties cannot decipher the content of the messages.

Why do I need to Secure GOOSE & Sampled Values?

1. Confidentiality of Data:
• Use Case: Protect sensitive information in real-time operational data or critical system parameters.
2. Integrity Assurance:
• Use Case: Verify data integrity and prevent tampering during transmission.
3. Perfect Forward Secrecy :
• Use Case: Breaking the key for one set of key pulls does not provide key materials that allow you to break future exchanges since key exchanges are protected via Diffie-Hellman Exchanges.
4. Information Isolation:
• Use Case: Each group consisting of a publisher and its subscribers has its own set of keys and policies therefore compromising one group does not compromise the other groups.
5. Secure Communication in Shared Networks:
• Use Case: Ensure confidentiality in shared network environments with non-critical systems or external entities.
6. Compliance with Security Standards:
• Use Case: Meet industry standards and regulations for power system security.
7. Prevention of Man-in-the-Middle Attacks:
• Use Case: Guard against unauthorized interception and alteration of communication.
8. Maintaining Data Integrity in Wide-Area Networks:
• Use Case: Secure communication over extended distances to ensure data integrity.
9. Protection Against Insider Threats:
• Use Case: Mitigate risks associated with malicious actions from within the organization.
10. Ensuring System Resilience:
• Use Case: Enhance infrastructure resilience against cyber threats for continuous and reliable power grid operation.

 

How do I secure GOOSE & Sampled Values?

The KDC, or Key Distribution Center, provides a mechanism for encryption and authentication of both GOOSE and Sampled Value messages. KDC is made up of two components, a KDC Server such as Garibaldi, which manages and distributes secure keys, and a KDC Client such as the one provided with Triangle MicroWorks’ IEC 61850 Source Code Library, which receives the keys and uses them to encrypt, decrypt, sign, and authenticate messages. This technology can be applied to both Routable and Layer 2 GOOSE and Sampled Value communications.

What does TMW support?

KDC Client Source Code Library

• Supports failover to a secondary KDC Server.
• Autonomously performs pull requests for clients as keys expire.
• Fully compliant with IEC-62351-9 and RFCs 2407, 2408, 2409, 6407, and 8052.
• Cryptographic algorithms supported include any combination of:
  • Authentication = HMAC-SHA256-128, HMAC-SHA256-256, AES-GMAC-128, AES-GMAC-256    
  • Encryption = none, AES-128-GCM, AES-256-GCM, AES-128-CBC, AES-256-CBC

Garibaldi 

• Key Distribution and Access Control
• Security Domains
• IEC 61850 Security
• Member Validation and Policy Delivery