The 7th Annual IEEE International Conference on
Cyber Technology in Automation, Control and Intelligent Systems
July 31-August 4, 2017, Hawaii, USA
Key Issues in Designing Cyber Security Proxy Gateways
for Digital Substation Non-immune Bay Layers
Jianmin Zhang, Jiayu Zhang, Pingliang Zeng
School of Automation
Hangzhou Dianzi University
Hangzhou 310018, China
zhangjmhzcn@hdu.edu.cn
Abstract—Protective relay and measurement-control devices
in digital substation bay layers are two core IEDs at the bottom
of the power grid control system which can directly open or close
circuit breakers. At present, the bay layer is the most vulnerable
layer at risk of cyber-attack as both IEDs lack of any anti cyber-
attack measures. A novel scheme of cyber security proxy
gateways is proposed in this paper in that an upper cyber
security proxy gateway is implemented in the station control
layer and a lower one in the station process layer, such that the
bay layer is immune from cyber-attack. Key issues and detailed
design are discussed.
Keywords—digital substation; protective relay; non-immune;
cyber security; proxy gateway
I. INTRODUCTION
Bay layer is the most fragile and deadly place for cyber-
attack if it has no cyber security measures, because two critical
IEDs, i.e., protective relay (Protect IED) and measurement-
control device (M&C IED), have the capability to open or
close the circuit breaker according to the presupposed scheme
or after receiving a command from master station. Taking
protective relay as an example, its basic operation rule is very
simple, in case some electrical values are over the pre-stored
setting point, commands of opening corresponding circuit
breakers will be automatically issued to isolate the faulty
apparatus from the power system. In digital substation, the
measured electrical values are from Merging Unit (MU) in
process layer in a message of Multicast Sampled Value (SMV),
and the setting point values can be changed by a message from
station layer or master station in control center in the format of
MMS (Manufacturing Message Specification).Nowadays, no
cyber security measures are implemented on protective relays,
i.e., protective relays do not have immune ability from cyber-
attack, therefore, in case of malicious tampering, false data
injection, or replay attack of SMV messages or setting value
targeted MMS, a great possibility of malfunctions would
happen which might lead to major safety incident. Similarly,
SMV messages are the main data for the SCADA/EMS for
state estimation and decision making, malicious tampering,
false data injection, or replay attack of SMV messages will
also lead SCADA/EMS to make a risky decision.
As for protection SMV messages, paper [1] proposes an
approach to identify false data based on context information,
such as voltage and current, of the same substation. Through
collecting all data flowing in substation, include false data, to
improve PNNs (probabilistic neural networks), and then use it
978-1-5386-0490-8/17/$31.00 © 2017 IEEE
Authorized licensed use limited to: Birla Inst of Technology and Science Pilani Dubai. Downloaded on November 02,2023 at 17:02:12 UTC from IEEE Xplore. Restrictions apply.
Yong Li, Caiming Yang, Yuanwen Jin
Dispatch and control center
State Grid Shaoxing Power Supply Company
Shaoxing , 312000,China
to detect incursion; A scheme based on A-codes
(authentication codes), called unconditionally secure
authentication codes, in order to defend the attack with infinite
computer power is described in [2]; paper [3] assumes that all
devices have redundant CT/PT, and when redundant
measurement is different in the same bay, it proposes a novel
fusion algorithm based on other interval CTs/PTs
measurement data, in order to determine whether the fault is
really occurred in the bay, but it still has uncertain intervals.
The results of [2], [3] are all based on simulation.
As for measuring and control message, the possible attack
strategy about false data injection is discussed in [4-8], from
the perspective of attacker. The attack module is described in
[9] based on graph theory and polynomial time complexity
method, and it uses generalized likelihood ratio test method to
detect the attack. In [10], through scanning multiple key IEDs
at the same time, inference algorithm is used to detect the
potential invasion event, and ensure that IEDs have a security
network environment. However, these strategies all ignore the
real-time transmission requirement of message, as well as the
real-time of detection.
All above studies are preliminary with no application in
practice. In this paper, we propose a two-layered cyber
security gateways as the proxy to prevent the non-immune
protection relays from the cyber-attack.
II. PROPOSED PROXY GATEWAYS IN DIGITAL SUBSTATION
Workstation 1 Workstation 1 Remote workstation
Station
layer
network
UCP: Upper Cyber Proxy Gateways
Bay
layer Protect M&C
...
network IED IED
Process LCP: Lower Cyber Proxy Gateways
layer
Network
Breaker MU
Fig. 1 the proposed proxy gateways in digital substation
According to IEC61850 standard, a digital substation can
be divided into three layers from bottom to top: process layer,
bay layer and station layer. Only the protective relays and
1309
 measuring & control IEDs in the bay layer have the power to
trip the breakers. Therefore, making sure of bay level free
from cyber-attack is crucial. Fig.1 shows the proposed
framework of proxy gateways in the digital substation, an
upper cyber proxy (UCP) will be implemented in the station
layer, and lower cyber proxy (LCP) in the process layer.
According to IEC61850 standard, a digital substation can
be divided into three layers from bottom to top: process layer,
bay layer and station layer. Only the protective relays and
measuring& control IEDs in the bay layer have the power to
trip the breakers. Therefore, making sure of bay level free
from cyber-attack is crucial. Fig.1 shows the proposed
framework of proxy gateways in the digital substation, an
upper cyber proxy (UCP) will be implemented in the station
layer, and lower cyber proxy (LCP) in the process layer.
III. UPPER CYBER PROXY DESIGN
A. Downward Command and Upward Message
All the downward command from workstation at station
layer of substation, or from remote control center workstation,
will work on the IEDs at bay layer, i.e., protective relays or
M&C IEDs, through subsystem or RTU at station layer, which
means those bay layer IEDs are only operable through
subsystem in substation layer. The implementation of UCP
will make the bay layer free from cyberattack originating
from substation master station or from work stations at remote
control center.
B. Time-critical Control Command Secure Transmission
According to IEC62351-6[11], the cyber security
prevention measures are mainly in two ways, i.e.,
authentication and encryption, authentication can be done by
digital signature.
SCADA will issue a fast breaker control command to
M&C IED to open or close the corresponding breaker, though
such command will pass through UCP and RTU to M&C, the
secure transmission of such message should meet the real-time
requirement, which is similar like the SMV secure
transmission in section V in this paper.
C. Non time-critical Remote Operation
We assume that all the non time-critical remote operation
of IEDs in bay layer from substation master station or from
work stations at remote control center will be in a format of
operation-order-sheet (OOS), and the model of OOS is similar
to the substation SCL XML description, but contains all the
necessary command and follows XML Security standards[12-
13] developed by W3C(World Wide Web Consortium) and
IETF(Internet Engineering Task Force).
D. Digital Signature and Encryption of OOS
Digital signature use public key password system; each
user has a private key that is held by himself for decryption
and signatures, and has a public key that is publicly available
for encryption and verification of signatures; when signing a
file or message, the signer use signature function to calculate
the unique message digest, and then use his private key to
1310
Authorized licensed use limited to: Birla Inst of Technology and Science Pilani Dubai. Downloaded on November 02,2023 at 17:02:12 UTC from IEEE Xplore. Restrictions apply.
translate it into digital signature, and the obtained digital
signature is unique to the signed information, as well as the
private key used to create the digital signature.
E. MMS Transmission of XML
The transmission is carried out using the IEC61580 file
transmission model in the form of MMS message, and it uses
the upper cyber proxy gateways as the server and remote
workstation as a client.
F. Decryption and Signature Verification of XML
UCP will firstly read the sender’s public key, and use the
key to verify the digital signature for confirm the file from
sender, when it receives the encrypted XML file by the
method of MMS ObtainFile; then use the irreversible
algorithm to create new message digest of received file, and
compare it with original message digest, if they are the same,
that means the file has not been subject to any change after
digital signature; otherwise, the file is changed. And we can
determine whether the file is changed by this way.
G. The Operation of Upper Cyber Proxy Gateways
As a client, UCP will complete the operation such as set
the fixed value of protective relays, change the fixed setting
area and reset signal etc., according to IEC 61850MMS; as for
fixed periodic verification, it can also use the corresponding
protocol to query the current fixed value and complete fixed
periodic verification, and then return the results to the master
station in the form of report.
IV. LOWER CYBER PROXY DESIGN
A. Cyber-attack from Process Layer and its Defense Strategy
The main form of process layer cyber-attack is process
layer send false or tampered SMV message to protective
relays of the bay level. The conspiracy of attack is as follows:
(1) Upload the fault current while no fault happen; (2) Upload
the fault-free current while fault happen; (3) Change the
sample value randomly.
SMV message of process layer belongs to fast
message[14], therefore it has a high real-time requirement
(less than 4ms), and there are some lightweight encryption
methods. An encryption strategy has been proposed in [15],
which aim at a kind of wide-area protection system, and by
way of Data Encryption Algorithm (DES) and Public Key
Encryption (RSA), the test result shows that DES can meet the
security requirements of wide-area protection and substation
automation system. However, the message length used in
paper is 8B, which can’t reflect the real-time data that transmit
in actual power system. Similarly, an encryption method based
on tiny encryption algorithm (TEA) has been described in [16],
which only encrypt the key content of SMV message (such as
electric values) so that it could avoid the huge time consuming
for the direct encryption of the whole message, the test result,
verified by the typical embedded hardware platform, shows
that the encryption time is only 0.181ms, which can satisfies
the real-time requirement; a security framework proposed in
[17], which combine with the SM2 password system.
 B. SMV Detection and Protection Module of LCP
LCP will perform the following operations on the message:
(1) If MU sends a digitally signed SMV message, then:
1) LCP will verify the integrity and signature of the
message. And if the message passes the integrity verification,
the SVED sends the message to IEDs through a specific
authorized port, otherwise the message is discarded and a
warning is generated, and then, the warning event is written to
the warning log.
2) the SMV message passed the integrity verification will
be send to the SMV filtering module. And after analyzing in
SMV message analysis module, the message will come into
the specification-based intrusion detection module which
detects intrusion such as Dos attacks and generates warning,
as well as detect the logical exception of message sequence
number.
3) if the message passes the intrusion detection, then check
it based on historical events. Otherwise record the message,
and report to master station; at the same time, the message will
be stored on the spot, waiting for the call from master station.
(2) if MU sends a SMV message without a digital
signature, then the SMV message will skip the verification and
go on the detection items. If the message passes the detection,
it will be sent to IEDs through a specific authorized port. And
the total time of detection is limited within 4ms. Otherwise,
record the message, and report to master station, at the same
time, the message will be stored on the spot, waiting for the
call from master station.
C. Design of the Lower Cyber Proxy Gateway
The detection algorithm of the lower cyber proxy gateway
is based on predefined specifications. The main principle is
actively recognize the behavior that does not conform to the
predefined logic, and then judge it. All the correct behavior
rules will be added into a whitelist, and it can be enriched by
address that does not match the table, the detection indicator
J MAC is set to true, and the data is discarded with warning sent
immediately.
(5) specification-based intrusion detection module:
perform detection such as triggering trip data, bad data,
violation logic, over flow threshold warning and so on.
(6) data detection based on historical events: detect
whether the current sampling data match the trigger conditions
of historical events, such as over current, overvoltage and so
on. And if it is confirmed, set the historical fault indicator J lsft
to be true. Then, detect whether this sampling data match the
one of historical attack, if it is confirmed, set the historical
intrusion indicator J lsit to be true.
The last result will be respectively written to event log
and warning log, according to the indicator Q n which is used
to assess the abnormal. Warning, intrusion data and
indictorQ n will be send to master station, or displayed on the
spot.
If there is an abnormal detection result, then the
corresponding indicator is set to true, and the anomaly
evaluation indexQ n will become to 1, which means intrusion
detection module has abnormal intrusion events. And LCP
will shows warning to the master station. On the contrary, the
value of Q n is 0 means there is no intrusion.
V. AUTHENTICATION AND ENCRYPTION/DECRYPTION OF SMV
MESSAGE
A. Authentication and Encryption /Decryption Algorithm
MU of sending side SVDE of received side
M waiting Received
for transfer message M
Decryption
Encryption
by SM3 by SM3 verification
Transfer
algorithm (include M
algorithm

training on the correct behavior data. And the data, which does Hash value
of M(SM)
and SSM)
SM1 if(SM1==SM2){
SMV=true˗
not meet the whitelist rules after training, will be added into a Encryption }else if˄SM!=SM2){
by SM2
blacklist. Six key modules of the lower proxy gateway are as secret key SM2 SMV=false;
}
follows: of MU
Digital
Decryption
by SM2 public
signature
key of MU
(1) message decryption module: verify the digital Received SSM
signature of the SMV message that from MU, and decrypt the
message according to the encryption and decryption rules. Fig. 2 the authentication of integrity and digital signature for SMV message

(2) message filtering module: due to GOOSE/SMV
message having a high real-time requirement, GOOSE/SMV
message is transmitted directly from application level to data
link level, which does not use UDP/TCP/IP protocol.
Therefore, it is necessary to filter SMV message according to
the different MVC star address.
(3) message analysis module: analyze the MAC address
protocol of the message, extract the data in the message, and
send MAC address as well as data to the module of message
anomaly detection.
(4) MAC address anomaly detection: all MAC address
arriving at intrusion detection module must strictly abide by
the predefined address receiving table. Once there is a MAC
Encryption/decryption of the SMV message, and digital
signature can ensure the integrity of data transmission,
authenticate the identity of sender and avoid the repudiation in
data exchange, however, it should take into account both real-
time and security. In this section, we will select a suitable
encryption /decryption method and algorithm for MU as well
as for lower proxy gateway.
Because the core data, as well as the most wanted data to
attacker, of the SMV message is the 4B data in front of each
electric quantity in DataSet field, which is in second half of
each application service data unit (ASDU). As long as ensure
the confidentiality of this part of data, the natural content of
SMV message will not be disclosed. Therefore, it can improve

1311
Authorized licensed use limited to: Birla Inst of Technology and Science Pilani Dubai. Downloaded on November 02,2023 at 17:02:12 UTC from IEEE Xplore. Restrictions apply.
 the real-time transmission by encrypting the key data of SMV
message.
The description of the SM2 password system is no longer
introduced. Fig.2 shows the detailed implementation process
of SM2 password system.
B. Time-critical Simulation
The following is the analysis of the time cost of secure
transmission of SMV messages. Take protection from MU to
the bus as an example, the total delay time of SMV message
transmission is T, and the timing is stars from the MU digital
signature processing until protective relays remove the data
message from its transmission stack. That means:
T t1  t 2  t 3  t 4
1) the digital signature processing time is denoted by t 1 .
Take HUADA INFOSEC SSM0901 encryption chip [18] as
an example, we can find the processing speed of SM3
algorithm to generate 256bit hash digest is 290Mbit/s,
referring to SSM0901 module performer indicators. And the
SMV message from MU to the IED of bus is 113B, including
two ASDU data unit and the key message content is 8B,
therefore the hash time is 0.00006ms. Meanwhile, the
encryption time of SM2 for 256bit message is 0.438ms.
Finally, MU digital signature time is t 1 =0.43806ms.
2) the delay, before the message package to the LCP
digital signature verification process, is denoted by t 2 . We
simulate the star communication network and ring
communication network composed of typically T-1 substation
on OPNET. The simulated result shows that, the delay of star
communication network and ring communication network are
0.034ms and 0.052ms, respectively.
3) the cost time of LCP digital signature verification is
denoted by t 3 . The time of SM2 algorithm to verify signature
is 0.713ms according to SSM0901 module performer index.
And SM3 hash time is 0.00006ms. Therefore, LCP digital
signature time is t 3 =0.71306ms.
4) the transmission time of SMV message, which send to
protective relays with form of original message after remove
the signature digest section, is denoted by t 4 . The OPNET
simulated time delay of star communication network and ring
communication network t 4 are 0.044ms and 0.075ms,
respectively.
In conclusion, the total transmission delay T of star/ring
network substation SMV message is 1.229ms and 1.278ms,
respectively. And all satisfy the real-time requirement that the
transmission delay less than 4ms.
VI. CONCLUSION
In this paper, a novel scheme of cyber security proxy
gateways in digital substation is proposed, with an upper cyber
security proxy gateway implemented in station layer and
Authorized licensed use limited to: Birla Inst of Technology and Science Pilani Dubai. Downloaded on November 02,2023 at 17:02:12 UTC from IEEE Xplore. Restrictions apply.
lower one in the process layer such that bay layer is free from
cyber-attack. Such strategy is completely independent of the
existing non cyber security immune IEDs in most fragile and
deadly bay layer, from which it can avoid the replacement or
upgrade of existing protective relays and control devices in
operational substation as well as those in the market.
ACKNOWLEDGE
This work is supported by China National Natural Science
Foundation NSFC51677047 and State Grid Zhejiang Electric
Power Company Sci.& Tech. Program ZBGW15-011-007-83.
REFERENCES
[1] S. Sheng, W.L. Chan, K. K. Li, et al. Context information-based cyber
(1) security defense of protection system [J]. IEEE Transaction on Power
Delivery, 2007, 22(3): 1477-1481
[2] T. Matsumoto, T. Kobayashi, S. Katayama, et al. Protection relay
systems employing unconditionally secure authentication codes [C]
IEEE PowerTech, June 28 - July 2, Bucharest, Romania, 2009:1-6
[3] L. Zhu; D. Shi; X. Duan. Evidence theory-based fake measurement
identification and fault-tolerant protection in digital substations [J]. IET
Generation, Transmission & Distribution, 2011, 5(1): 119-126
[4] L. Yao, M. K. Reiter, N. Peng. False data injection attacks against state
estimation in electric power grids[C].Proceedings of the 16th ACM
conference on Computer and Communications Security. Chicago, USA,
2009: 21-23.
[5] O.Kosut, L.Jia,J.R.Thomas, et al. On malicious data attacks on power
system state estimation [C]. 2010 45th International Universities Power
Engineering Conference (UPEC), Aug. 31 2010-Sept. 3 2010, Cardiff,
United Kingdom.
[6] H. Sandberg, A.Teixeira, K.H. Johansson. On security indices for state
estimators in power networks[C].Proceedings of the First Workshop on
Secure Control Systems, CPSWEEK 2010.Stockholm
Sweden:IEEE,2010.
[7] G. Dan, H. Sandberg. Stealth attacks and protection schemes for state
estimators in power systems[C] Proceedings of 1st IEEE International
Conference on Smart Grid Communications. MD USA: IEEE, 2010.
[8] Abdallah A, Shen X S. Efficient prevention technique for false data
injection attack in smart grid[C]. IEEE International Conference on
Communications. IEEE, 2016:1-6.
[9] O. Kosut, L.Jia,J.R.Thomas, et al.Malicious data attacks on smart grid
state estimation: attack strategies and countermeasures[C].Proceedings
of 1st IEEE International Conference on Smart Grid Communications.
MD USA, 2010.
[10] C.W.Ten, J.H.Hong. Anomaly detection for cyber security of the
substations [J].IEEE Transactions on Smart Grid, 2012: 865-873.
[11] IEC62351-6. Power systems management and associated information
exchange-data and communication security:Part6  security for
IEC61850[S]. 2007.
[12] XML Signature Syntax and Processing (Second Edition) [EB/OL]
https://www.w3.org/TR/xmldsig-core/
[13] XML Encryption syntax and processing [EB/OL]
https://www.w3.org/TR/xmldsig-core/
[14] P. Gaborit, M. Girault. Lightweight code-based identification and
signature[C].IEEE International Symposium on Information Theory.
IEEE Xplore, 2007:191-195.
[15] X.Y.Tong. Proactive defense strategies for wide-area protection and
substation communication based on trusted computing[J]. Automation of
Electric Power Systems,2011,35(20):53-58.
[16] Z.Wang, G. Wang, Y. LI, et al. An encryption method for IEC 61850-9-
2LE packet based on tiny encryption algorithm[J].Automation of
Electric Power Systems,2016,40(4):121-127.
[17] N Hong, X Zheng. A security framework for internet of things based on
SM2 cipher algorithm[C]. International Conference on Computational
and Information Sciences. IEEE Computer Society, 2013:13-16.
[18] ISECMM1256Emodule:[EB/OL]
http://www.istecc.com/productzz.asp?id=10.
1312