IEC 61850

GOOSE is the outlier in the set, and the missing return arrows are the point. There is no master, no server and no acknowledgement: a publishing IED multicasts frames at Layer 2 and any subscriber on the substation LAN takes what it needs. Because multicast offers no delivery guarantee, GOOSE buys reliability with redundancy in time. While nothing changes it sends a slow heartbeat. On a state change, a breaker trip or a protection signal, it sends a frame immediately and then repeats it in a rapid burst whose interval widens back out to the heartbeat. Two counters carry the meaning: stNum steps on each new event, sqNum counts the retransmissions, so a subscriber reads a new stNum as an event and a gap in sqNum as a lost frame. It is built for protection signalling where a few milliseconds are the budget. Native GOOSE has no authentication, IEC 62351-6 defines signing for it, and uptake so far is partial.
IEC 61850 family
IEC 61850 is the international standard for communication in electrical substations and power systems. Published from 2003, it defines a data model for substation devices, a configuration language (SCL), and several communication services. The three most widely deployed are MMS (Manufacturing Message Specification, used for SCADA communication with intelligent electronic devices), GOOSE (Generic Object Oriented Substation Event, used for protection and control between IEDs), and Sampled Values (used for merging unit output carrying digitised voltage and current measurements).
Of these, GOOSE is the one that concentrates the most risk. A GOOSE message can trip a breaker. It is multicast, carries no authentication, and travels at link speed with no IP header.
GOOSE
GOOSE was designed for speed. Protection functions in a substation operate on timescales of tens of milliseconds; a distance relay detecting a fault trips the relevant breaker before the fault current damages equipment. GOOSE achieves the required speed by running directly over Ethernet (EtherType 0x88B8), bypassing IP and TCP entirely. There is no IP address, no port number, and no connection state.
A GOOSE message carries a dataset of status values published by an IED: breaker position, protection element state, interlocking signals. Subscribing IEDs receive the multicast and act on the values. When a value changes, the publisher retransmits the message with increasing intervals (typically 2 ms, 2 ms, 4 ms, 8 ms, 16 ms…) before settling at a slow heartbeat rate. A subscribing IED that stops receiving heartbeats within the configured timeout treats the link as failed and enters a defined fallback state.
There is no authentication in the base specification. Any device on the same Ethernet segment or VLAN that can source a correctly formatted GOOSE frame with the right GOOSE Control Block reference can inject values that subscribing IEDs will act on. A spoofed TRIP signal causes the subscribing IED to open a breaker. A spoofed BLOCK signal prevents a protection function from operating on a genuine fault.
Injecting a GOOSE frame requires only Scapy and knowledge of the GOOSE Control Block reference, which is readable from any legitimate GOOSE capture on the segment:

```python
from scapy.all import Ether, sendp

# GOOSE EtherType 0x88B8; destination is the IED's subscribed multicast address
frame = Ether(dst='01:0c:cd:01:00:01', src='de:ad:be:ef:00:01', type=0x88B8)
# GOOSE PDU follows: APPID, length, reserved, then ASN.1-encoded GOOSE payload
# with matching gocbRef, stNum incremented, and the spoofed boolean values
# (goose_pdu, the raw PDU bytes, is not shown here)
sendp(frame / goose_pdu, iface='eth0', verbose=False)
```
The IED does not verify the source. It receives a GOOSE frame with a stNum higher than the last seen, concludes a state change has occurred, and acts on the values in the payload.
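The stNum/sqNum rules described above are also what a subscriber or a passive monitor can check against. The following is an added example, not code from the page's author: it takes already-decoded GOOSE fields (decoding is not shown), keeps one state record per gocbRef, and reports new events, lost retransmissions, heartbeat timeout, and the two things a spoofed frame tends to get wrong, a source MAC that differs from the learned publisher and a stNum or sqNum that goes backwards. The gocbRef, publisher MAC and the frame sequence are constructed for the example; the frame from `de:ad:be:ef:00:01` mirrors the source address used in the snippet above. One caveat is built in: IEC 61850-8-1 Ed. 2 resets sqNum to 0 on a new stNum, while some older firmware starts at 1, so both are tolerated.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fields a GOOSE decoder would hand to the monitor (the decoder itself is not shown).
@dataclass
class GooseFrame:
    t_ms: float     # receive timestamp in milliseconds
    src: str        # Ethernet source MAC
    gocb_ref: str   # GOOSE Control Block reference (gocbRef)
    st_num: int     # stNum: steps on each new event
    sq_num: int     # sqNum: counts retransmissions of the current state
    tal_ms: int     # timeAllowedtoLive: max silence before the subscriber times out

@dataclass
class SubState:
    src: str
    st_num: int
    sq_num: int
    last_seen_ms: float
    tal_ms: int

class GooseMonitor:
    """Tracks one SubState per gocbRef and reports events, losses and anomalies."""

    def __init__(self) -> None:
        self.state: Dict[str, SubState] = {}
        self.log: List[Tuple[str, str, str]] = []   # (gocbRef, kind, detail)

    def _emit(self, out, ref, kind, detail=""):
        out.append((kind, detail))
        self.log.append((ref, kind, detail))

    def observe(self, f: GooseFrame) -> List[Tuple[str, str]]:
        out: List[Tuple[str, str]] = []
        s = self.state.get(f.gocb_ref)
        if s is None:
            # First frame for this control block: learn the publisher's source MAC.
            self.state[f.gocb_ref] = SubState(f.src, f.st_num, f.sq_num, f.t_ms, f.tal_ms)
            self._emit(out, f.gocb_ref, "learned", f"src={f.src}")
            return out
        if f.src != s.src:
            # A second source claiming the same gocbRef: do not let it advance the counters.
            self._emit(out, f.gocb_ref, "source-mismatch", f"expected {s.src}, got {f.src}")
            return out
        if f.st_num > s.st_num:
            if f.st_num != s.st_num + 1:
                self._emit(out, f.gocb_ref, "stnum-jump", f"{s.st_num} -> {f.st_num}")
            if f.sq_num not in (0, 1):   # Ed. 2 resets sqNum to 0; older firmware may use 1
                self._emit(out, f.gocb_ref, "sqnum-not-reset", f"sqNum={f.sq_num}")
            self._emit(out, f.gocb_ref, "event", f"stNum={f.st_num}")
        elif f.st_num == s.st_num:
            if f.sq_num == s.sq_num + 1:
                pass   # ordinary retransmission or heartbeat
            elif f.sq_num > s.sq_num + 1:
                self._emit(out, f.gocb_ref, "lost-frames", f"{f.sq_num - s.sq_num - 1} missing")
            else:
                # sqNum went backwards within the same state: a replayed retransmission
                self._emit(out, f.gocb_ref, "sqnum-regression", f"{s.sq_num} -> {f.sq_num}")
                return out
        else:
            # stNum went backwards: an older state replayed
            self._emit(out, f.gocb_ref, "stnum-regression", f"{s.st_num} -> {f.st_num}")
            return out
        s.st_num, s.sq_num, s.last_seen_ms, s.tal_ms = f.st_num, f.sq_num, f.t_ms, f.tal_ms
        return out

    def check_timeouts(self, now_ms: float) -> List[str]:
        """Return gocbRefs whose heartbeat is overdue (the subscriber enters its fallback state)."""
        expired = []
        for ref, s in self.state.items():
            if now_ms - s.last_seen_ms > s.tal_ms:
                self._emit([], ref, "timeout", f"silent for {now_ms - s.last_seen_ms:.0f} ms")
                expired.append(ref)
        return expired

    def kinds(self, ref: str) -> List[str]:
        return [k for r, k, _ in self.log if r == ref]

# Constructed sample: a genuine publisher, one lost heartbeat, a state change, then two
# frames a monitor should refuse (a second source MAC, and a stale stNum replayed).
REF = "IED1CTRL/LLN0$GO$gcb01"   # hypothetical gocbRef
PUB = "00:11:22:33:44:55"        # hypothetical publisher MAC
SAMPLE = [
    GooseFrame(0,    PUB, REF, 1, 0, 10000),
    GooseFrame(1000, PUB, REF, 1, 1, 10000),
    GooseFrame(3000, PUB, REF, 1, 3, 10000),   # sqNum 2 never arrived
    GooseFrame(3010, PUB, REF, 2, 0, 10000),   # state change
    GooseFrame(3012, PUB, REF, 2, 1, 10000),   # first retransmission
    GooseFrame(3020, "de:ad:be:ef:00:01", REF, 3, 0, 10000),  # unexpected source
    GooseFrame(3030, PUB, REF, 1, 5, 10000),   # stale state replayed
]

def run_sample() -> List[str]:
    m = GooseMonitor()
    for f in SAMPLE:
        m.observe(f)
    m.check_timeouts(now_ms=14000)   # 10988 ms since the last accepted frame exceeds TAL
    return m.kinds(REF)

if __name__ == "__main__":
    for kind in run_sample():
        print(kind)
```

Note what the source check does and does not give: it turns the spoofed frame into an alert rather than silently letting it advance the counters, but an attacker who clones the publisher's MAC defeats it, which is why the counter checks and, where deployed, IEC 62351-6 authentication sit beside it rather than replacing it.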
MMS
MMS (ISO 9506) is the protocol used for SCADA communication with IEDs: reading measurements, writing setpoints, retrieving logs, and issuing control commands. In IEC 61850 it runs over TCP port 102 (the same port as Siemens S7comm, which uses a different ISO transport stack on the same port).
MMS in IEC 61850 supports reading and writing of IED data objects, SCADA reporting (unbuffered and buffered report control blocks), logging, and control services including direct control and select-before-operate. The select-before-operate sequence is the two-step equivalent of DNP3’s SELECT/OPERATE: a client first selects a controllable object, then operates it. The IED checks that the same client that selected is the one operating.
Like GOOSE, the base MMS specification carries no authentication. IEC 62351 Part 8 defines role-based access control for MMS, but deployment is uncommon. The more widely deployed protection is network-level: MMS traffic is confined to the station bus VLAN, and access from outside the substation LAN goes through a firewall or data diode.
IEC 62351
IEC 62351 is the companion security standard series for IEC 61850 and other power system communication standards. Part 6 addresses GOOSE and Sampled Values; Part 8 addresses MMS role-based access control.
IEC 62351 Part 6 defines authentication for GOOSE and Sampled Values using a Message Authentication Code appended to each frame. The MAC is computed over the frame content using a shared symmetric key, providing integrity and source authentication without encryption (encryption would add latency incompatible with protection-speed requirements). A subscribing IED that receives a GOOSE frame with an invalid or absent MAC rejects it.
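To make the mechanism concrete, here is an added example (not the standard's wire format and not code from the page's author) of the approach Part 6 takes: a MAC over the frame content under a shared symmetric key, appended without encrypting anything, and a subscriber that rejects a frame whose tag is absent, forged under a different key, or no longer matches because the content was changed. The tag construction (HMAC-SHA256 truncated to 128 bits), the placeholder key, and the stand-in PDU bytes are assumptions made for the example; a real PDU is BER-encoded and the real tag is carried in an extension of the GOOSE frame.

```python
import hmac
import hashlib
import time

# Illustrative of the IEC 62351-6 approach (symmetric key, MAC over content, no
# encryption); the tag length and placement are not the standard's wire layout.
TAG_LEN = 16   # 128-bit truncated HMAC-SHA256

def protect(key: bytes, pdu: bytes) -> bytes:
    """Publisher side: append a MAC computed over the GOOSE PDU bytes."""
    tag = hmac.new(key, pdu, hashlib.sha256).digest()[:TAG_LEN]
    return pdu + tag

def verify(key: bytes, frame: bytes):
    """Subscriber side: return the PDU if the tag is present and valid, else None."""
    if len(frame) <= TAG_LEN:
        return None                     # no room for a tag: treat as absent and reject
    pdu, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, pdu, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return pdu

def verify_cost_us(key: bytes, frame: bytes, rounds: int = 2000) -> float:
    """Average microseconds per verification, to set the cost against a ms-scale budget."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        verify(key, frame)
    return (time.perf_counter() - t0) / rounds * 1e6

# Constructed sample. The key is held by publisher and subscribers only; the PDU is a
# readable stand-in, not a real BER-encoded GOOSE PDU.
SHARED_KEY = bytes.fromhex("00" * 31 + "01")   # placeholder key for the example only
OTHER_KEY = bytes.fromhex("ff" * 32)           # a party that does not hold the shared key
SAMPLE_PDU = b"gocbRef=IED1CTRL/LLN0$GO$gcb01;stNum=7;sqNum=0;trip=0"

def scenario() -> dict:
    good = protect(SHARED_KEY, SAMPLE_PDU)
    # Content changed after tagging: the tag no longer matches.
    tampered = good.replace(b"trip=0", b"trip=1")
    # Tagged under a key the subscriber does not share.
    forged = protect(OTHER_KEY, SAMPLE_PDU.replace(b"trip=0", b"trip=1"))
    return {
        "valid_accepted": verify(SHARED_KEY, good) == SAMPLE_PDU,
        "tampered_rejected": verify(SHARED_KEY, tampered) is None,
        "forged_rejected": verify(SHARED_KEY, forged) is None,
        "untagged_rejected": verify(SHARED_KEY, SAMPLE_PDU) is None,   # legacy frame, no tag
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
    print(f"verify cost: {verify_cost_us(SHARED_KEY, protect(SHARED_KEY, SAMPLE_PDU)):.1f} us")
```

A valid tag proves origin and integrity, not freshness: a captured, correctly tagged frame still verifies, so the subscriber's stNum/sqNum tracking has to reject replays on its own, and the key distribution and rotation the next paragraph describes is what keeps the shared key from becoming the weak point.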
Deployment of IEC 62351 Part 6 is growing but not yet the norm. It requires IED firmware support from the vendor and key management infrastructure for distributing and rotating the shared keys across the IED population. Many substations in service were commissioned before IEC 62351 Part 6 was widely supported, and retrofitting requires firmware updates that may require the IED to be taken out of service.
Sampled Values
Sampled Values (SV, IEC 61869-9 / IEC 61850-9-2) carry digitised voltage and current samples from merging units to protection IEDs at rates of 80 or 256 samples per power system cycle. Like GOOSE, SV runs directly over Ethernet with no IP header and no authentication in the base specification.
An injected SV stream carrying fabricated voltage and current values can cause a protection relay to see a fault condition that does not exist, triggering an unnecessary trip, or to not see a fault that does exist, preventing protection from operating. The consequence of the latter is equipment damage or extended fault duration. IEC 62351 Part 6 applies the same MAC-based authentication approach to SV as to GOOSE.
The station bus and process bus
IEC 61850 distinguishes the station bus (connecting IEDs to the substation SCADA and engineering workstation) from the process bus (connecting IEDs to merging units and switchgear at the process level). GOOSE and SV traffic primarily runs on the process bus; MMS runs on the station bus.
The security boundary between the two buses is a practical control point. Managed switches with VLAN configuration can isolate GOOSE and SV multicast to the process bus segments where it is expected, preventing an attacker who has reached the station bus from injecting process bus traffic directly. Port-based access control (IEEE 802.1X) on the process bus switches limits which physical ports can originate GOOSE frames.
A station bus that is accessible from the corporate network through a misconfigured firewall, or from the internet through a directly connected engineering workstation, brings the attack surface to MMS. A SCADA compromise that reaches the station bus can issue control commands to IEDs using the same MMS services the legitimate SCADA uses. IEC 62351 Part 8 role-based access control, where deployed, limits what a given authenticated client can do; without it, access to the station bus is access to the IEDs.
Substation automation and consequence
The consequence of a successful attack on IEC 61850 infrastructure is distinct from most OT attacks in its immediacy. A Modbus write that sets a PLC output to an unintended value may take seconds or minutes to manifest in the physical process. A spoofed GOOSE TRIP frame opens a breaker in the time it takes the subscribing IED to process the message: milliseconds. Restoring the breaker requires either automatic reclosure (if configured and appropriate) or manual intervention at the substation.
A coordinated attack that sends TRIP signals to multiple IEDs across multiple substations simultaneously can cause a cascading outage covering a wide geographic area. The 2015 and 2016 Ukraine power grid attacks demonstrated that OT-targeting attacks on power infrastructure are feasible and consequential. Neither used IEC 61850 specifically, but the attack surface that standard creates is the one that defences need to address in substations that have deployed it.
Related
DNP3: dominant SCADA protocol for North American utilities; shares the no-auth baseline and the same compensating control pattern for MMS/TCP access
IEC 60870-5-104: European and global counterpart to DNP3; runs on TCP port 2404 with the same authentication gap
IEC 62351: the companion security standard; Part 6 defines MAC authentication for GOOSE and Sampled Values, Part 8 defines RBAC for MMS
Shodan: port 102: internet-exposed MMS endpoints (port 102 is shared with ICCP/TASE.2 and Siemens S7comm)