IEEE C37.118-2 Synchrophasor Communication Framework:Overview, Cyber Vulnerabilities Analysis and Performance Evaluation

Khan, R., McLaughlin, K., Laverty, D., & Sezer, S. (2016). IEEE C37.118-2 Synchrophasor CommunicationFramework: Overview, Cyber Vulnerabilities Analysis and Performance Evaluation. In Proceedings of the 2ndInternational Conference on Information Systems Security and Privacy (pp. 159-170). SciTePress.https://doi.org/10.5220/0005745001670178

Published in:Proceedings of the 2nd International Conference on Information Systems Security and Privacy

Queen's University Belfast - Research Portal:Link to publication record in Queen's University Belfast Research Portal

Publisher rights© 2016 SCITEPress.This work is made available online in accordance with the publisher’s policies. Please refer to any applicable terms of use of the publisher.

General rightsCopyright for the publications made accessible via the Queen's University Belfast Research Portal is retained by the author(s) and / or othercopyright owners and it is a condition of accessing these publications that users recognise and abide by the legal requirements associatedwith these rights.

Take down policyThe Research Portal is Queen's institutional repository that provides access to Queen's research output. Every effort has been made toensure that content in the Research Portal does not infringe any person's rights, or applicable UK laws. If you discover content in theResearch Portal that you believe breaches copyright or violates any law, please contact openaccess@qub.ac.uk.

Download date:13. Apr. 2020

IEEE C37.118-2 Synchrophasor CommunicationFramework: Overview, Cyber Vulnerabilities

Analysis and Performance EvaluationRafiullah Khan, Kieran McLaughlin, David Laverty and Sakir Sezer

Queen’s University Belfast, Belfast, United KingdomEmail: {rafiullah.khan, kieran.mclaughlin, david.laverty, s.sezer}@qub.ac.uk

Abstract—Synchrophasors have become an important partof the modern power system and numerous applications havebeen developed covering wide-area monitoring, protection andcontrol. Most applications demand continuous transmission ofsynchrophasor data across large geographical areas and requirean efficient communication framework. IEEE C37.118-2 evolvedas one of the most successful synchrophasor communicationstandards and is widely adopted. However, it lacks a predefinedsecurity mechanism and is highly vulnerable to cyber attacks.This paper analyzes different types of cyber attacks on IEEEC37.118-2 communication system and evaluates their possibleimpact on any developed synchrophasor application. Further,the paper also recommends an efficent security mechanism thatcan provide strong protection against cyber attacks. Although,IEEE C37.118-2 has been widely adopted, there is no clearunderstanding of the requirements and limitations. To this aim,the paper also presents detailed performance evaluation ofIEEE C37.118-2 implementations which could help determinerequired resources and network characteristics before designingany synchrophasor application.

Index Terms—Smart Grid, Synchrophasor, Cyber Security,Vulnerability, IEEE C37.118

I. INTRODUCTION

Synchrophasors are the measurements of electrical quantitiesacross different parts of the power system synchronized using acommon precise time source. For higher accuracy and utilizinga universal time source, synchrophasors are normally time-stamped using Global Positioning System (GPS) time. Withthe development of synchrophasor technology, numerous ap-plications have been proposed. Today, synchrophasor technol-ogy is being used in Wide-Area Monitoring System (WAMS),Wide-Area Protection and Control System (WAPCS), island-ing detection, determining stability margins, system dynamicsvisualization and recording, enhancing operator situationalawareness, etc [1].

The aim of synchrophasor technology is to represent powersystem condition/status in real time. This requires transmissionof synchrophasor measurements across large geographicalareas in real-time with very low latency. Using IP basedcommunication is feasible where it utilizes already availablehigh speed infrastructure. To transmit synchrophasor mea-surements over an IP network, a suitable communicationframework is required. The IEEE C37.118-2 standard evolvedas one of the most successful and widely adopted communi-cation framework for synchrophasor applications. The IEEE

C37.118-2 standard specifies messaging format but does notput any restriction on the choice of communication medium ortransport protocol. Further, IEEE C37.118-2 standard does notaddressed security features. The synchrophasor measurementsare transmitted over insecure IP network which make IEEEC37.118-2 communication highly vulnerable to cyber attacks[2].

This paper describes the IEEE C37.118-2 standard in detailshighlighting its main features and capabilities. It also exploreshow vulnerabilities can be exploited to launch different typesof attacks on IEEE C37.118-2 communication system. Inparticular, reconnaissance, authentication/access, man-in-the-middle, replay/reflection and denial of service attacks areexplored. These attacks alone or in combination may severelyimpact the synchrophasor applications. They may leave differ-ent components of the synchrophasor system not being ableto communicate with each other or unintentionally performingwrong decisions. For most critical synchrophasor applications,cyber attacks could potentially cause severe damage to thephysical equipment. Therefore, it is vital to effectively analyzeand mitigate cyber vulnerabilities in the synchrophasor system.Most often, attackers try to exploit communication frameworkto launch attacks. To protect IEEE C37.118-2 communicationframework against attacks, this paper recommends an effectivesecurity mechanism where security policy and keying materialperiodically change. Such refreshment of security credentialsprevent attacker never being able to discover a valid secretkey. Even if an attacker somehow discovers secret key throughanalyzing captured packets, it will no longer remain valid. Inshort, the main contributions of this paper include:

1) Analysis of vulnerabilities in IEEE C37.118-2 standardthrough different cyber attacks and their impact on thesynchrophasor application.

2) Recommendation of an efficient security mechanism in-tegrated in IEEE C37.118-2 standard and evaluation ofits effectiveness.

3) Detailed performance evaluation of IEEE C37.118-2 stan-dard to analyze requirements and limitations in a practicalenvironment.

The rest of the paper is organized as follows: SectionII addresses related work. Section III describes a genericsynchrophasor system and its basic building blocks. Section

IV describes IEEE C37.118-2 standard, different types ofdefined messages, and communication modes and protocols.Section V analyzes cyber vulnerabilities in IEEE C37.118-2standard and recommends a suitable security mechanism byaddressing its unique features. Section VI presents detailedperformance evaluation of IEEE C37.118-2 implementations.Finally, Section VII concludes the paper.

II. RELATED WORK

Synchrophasor technology got increasing popularity sinceits development. Its applications quickly progressed fromsimple data visualization and archiving or postmortem anal-ysis to several real-time protection, monitoring and controlapplications. This is due to the capability of synchrophasorsrepresenting power system condition in real time and takingprompt control actions. The authors in [1] described sev-eral advanced real-time synchrophasor applications developedover time. Several efforts were put to develop a suitablecommunication standard for synchrophasors. IEEE C37.118-2evolved probably as the first most successful communicationstandard. It was originally based on IEEE 1344 standardand its evolution is explained in [3]. The authors have alsohighlighted key differences between old and new versions andintroduced several applications for IEEE C37.118-2 standard.

Since, most synchrophasor applications involve transmis-sion of data across large geographic areas using non-reliableand insecure IP network, analysis of potential cyber vulnerabil-ities and threats drawn more and more research attention [4].It is worth to mention that IEEE C37.118-2 standard does notinclude any security feature and making applications highlyvulnerable to cyber attacks. Although cyber security researchin general is not new, still implementation of experimentaltools or strategies to effectively mitigate vulnerabilities forsynchrophasor system is quite limited.

Authors in [2] presented best practice techniques (suchas firewall, Virtual Private Network (VPN)) and verified byexperiments to overcome cyber vulnerabilities. Their mainfocus was to ensure information security between substationand control center. However, security within the substationLAN or within the control center LAN has negligible con-siderations. Authors in [5] evaluated the resilience of PhasorMeasurement Units (PMUs) against denial of service attacksusing IEEE C37.118. They flooded PMU with ARP requestpackets, IPv4 packets and PPPoE packets and monitored itsunresponsiveness. Further, the authors evaluated resilienceagainst malformed packets through protocol mutation tests.Several other efforts also tried to protect synchrophasor net-work against cyber attacks [6].

Along with information security, several research effortsalso focused on ensuring PMU and Phasor Data Concentrator(PDC) security [7]. A further work analyzing PMUs vulner-abilities using IEEE C37.118 protocol was performed by [8].Synchrophasor applications require high time synchronizationwhich is normally achieved through GPS. GPS spoofing mayleave severe impact on any synchrophasor application. Thisis analyzed by authors in [9] that GPS spoofing can cause

intentional tripping of power generators and may even causephysical damage to equipment. A further work analyzingdetection of GPS spoofing attacks is presented in [10].

In short, cyber vulnerabilities analysis is a hot researchtopic and numerous research articles are available in literature.There are also number of available surveys analyzing cyberthreats relevant to smart grid in general, PMU network, and/orsynchrophasor applications [11], [12], [13], [14], [15].

Most of the research in literature addresses cyber vulnera-bilities for power system in general with few have little focuson synchrophasors network. No much work is available onanalyzing cyber vulnerabilities in IEEE C37.118-2 communi-cation standard. This paper analyzes cyber vulnerabilities inIEEE C37.118-2 standard and evaluates possible impact onthe synchrophasor application. Further, this paper also recom-mends a security mechanism to be used with IEEE C37.118-2standard to achieve protection against different cyber attacks.Although IEEE C37.118-2 standard is being widely used, itsrequirements and limitations in practical environment havenever been addressed. To this aim, this paper also presentsdetailed performance evaluation of IEEE C37.118-2 standard.

III. OVERVIEW OF SYNCHROPHASORMEASUREMENT SYSTEM

A synchrophasor system consists of several basic buildingblocks including GPS receivers, PMUs, PDCs, communica-tion network and equipment and visualization, monitoring orcontrol software as shown in Fig. 1. A PMU is the devicethat performs measurements of synchrophasor data which rep-resent electrical quantities for current/voltage waveform at agiven time instant. The measurements performed by PMU arenormally time stamped to a common and highly precise timesource often GPS. Thus, PMU devices are normally equippedwith a GPS antenna. The PMU can be a standalone devicewith dedicated functionality or it may co-exist on a multi-functional device. There are two possible modes of operationsof PMU; commanded and spontaneous. In commanded mode,PMU establishes bi-directional communication with its peer(local or remote PDC or application). The peer can sendcommands to PMU to control its operations (e.g., stop/startor control synchrophasors transmission). The communicationbetween PMU and its peer is normally private unicast incommanded mode. In spontaneous mode, PMU operationscannot be controlled by its peer. The communication is uni-directional (from PMU to its peer) and PMU is not able toreceive any commands. The communication between PMUand its peers is normally multicast in spontaneous mode ofoperation.

Another important element in a synchrophasor system isPDC. PDC is a device which receives synchrophasor data frommore than 1 PMU and aggregates and transmits as one outputstream. A PDC may be receiving data from multiple PMUs(i.e., substation PDC in Fig. 1) or multiple PDCs (i.e., ControlCenter PDC in Fig. 1).

As illustrated in Fig. 1, the control center may be re-ceiving data from more than one substation and handover

Substation 1

LANPDC

GPS

Ant

enn

a

Substation N

LANPDC

GPS

An

ten

na

Control Center

Monitoring / Visualization

PDCControl

Software

Archive

Network /Internet

PMU

PMU

PMU

PMU

PMU

PMU

Figure 1. Generic synchrophasor communication system.

to respective application. The application may be designedfor simply archiving data, performing visualization/monitoringor performing protection and control functionalities. It canbe observed in Fig. 1 that the synchrophasor data could bedirectly provided by PMUs to respective application withoutneeding any PDC. However, such approach will result in alot of network traffic overhead (analyzed in Section VI) andambiguity for control application in interpreting data fromeach PMU. Thus, the substation PDC makes the transmissionmuch more efficient by sending out only one stream of datainstead of multiple streams.

As depicted in Fig. 1, synchrophasor measurements aretransmitted in real-time over insecure public Internet. Thus,a suitable communication protocol is required that can ensuresecurity as well as low transmission latency. IEEE C37.118-2is most wide used communication framework for synchropha-sor applications. Although it lacks security features and isvulnerable to cyber attacks. Section IV analyzes importance ofsecurity and presents a suitable security mechanism for IEEEC37.118-2 standard.

IV. IEEE C37.118-2 COMMUNICATION STANDARD

Synchrophasor applications demand real-time transmission ofmessages with very low latency. This section briefly addressesthe IEEE C37.118-2 standard, which evolved as one of themost suitable and well tested standard for the transmissionof synchrophasor measurements. IEEE C37.118-2 standardeffectively addresses synchrophasor requirements, presentssuitable format and structure for messages and ensures to keepcommunication overhead to the minimum possible level.

A. Overview

With the development of synchrophasor technology and itsneed for transmission over wide area networks, IEEE es-tablished a working group to develop a suitable communi-cation standard. The working group developed IEEE 1344in 1995, the first standard for transmission of synchrophasormeasurements in real-time. IEEE 1344 addresses data formats,structures and time synchronization of data from multiplesources. However, it does not address measurement accuracy,support for transmission hierarchy, hardware and softwarerequirements, process for calculating synchrophasors, securitymechanism and transport protocol. These considerations areleft to the users based on their needs and application require-ments.

In 2005, IEEE 1344 was replaced by an improved IEEEC37.118 standard which overcomes the limitations of theprevious standard and focuses on the requirements for futurepower systems. The most obvious improvements include theintroduction of methods for evaluating measurement perfor-mance, accounting measurements from multiple PMUs anda more complete messaging system. It introduced Total Vec-tor Error (TVE) criterion to check if the measurements arecompliant with the standard. It mainly shifted focus from themeasurement method to the measurement results. Thus, anyalgorithm or technique can be used as long as it producesacceptable results.

The IEEE C37.118 standard was limited to address ac-curacy requirements only for steady state conditions. Overtime, the IEEE realized the need to address requirements forsynchrophasor measurements also under dynamic conditions.Further, IEEE C37.118 standard combined synchrophasormeasurement and communication functions. To overcome theshortcomings and fix some minor errors, IEEE C37.118 splitinto two parts in 2011, IEEE C37.118-1 and IEEE C37.118-2. IEEE C37.118-1 addresses requirements for synchropha-sor measurements under dynamic conditions which makes itvery suitable for most of the applications where the phasormeasurements could be severely affected by system noise anddisturbances. Whereas, IEEE C37.118-2 addresses only thecommunication framework and requirements for transmissionof synchrophasors. It is worth mentioning that IEEE C37.118-2 is an extended standard with some new features but pro-vides full backward compatibility with original IEEE C37.118.Further, it also does not put any restriction on the choiceof communication protocol, communication medium and themode of communication.

B. Message Format and Types

IEEE C37.118-2 specified a standard format for different typesof the messages as depicted in Fig. 2. Each message beginswith identification and synchronization word (SYNC), fol-lowed by FRAMESIZE (total Bytes inside message), IDCODE(ID of the synchrophasor data source), SOC (Second OfCentury count since epoch midnight 01.01.1970), FRACSEC(FRACtion of SECond and time quality), DATA (Depends onmessage type) and CHK (Cyclic Redundancy Check (CRC)).The content and structure of DATA field is different for dif-ferent types of messages. IEEE C37.118-2 standard describedfour types of messages: data, configuration, command andheader. Header message carries descriptive information inhuman readable format while all other types of messages arein machine readable format. Command messages are sent bythe control application to data source (e.g., PMU, PDC) asinstructions/orders while data, configuration and header aresent by the data source.

1) Data Message: Data messages are sent by the datasource which include real-time measurements of synchropha-sors. The sending device can be a PMU (containing singleblock of data) or PDC (containing multiple blocks of data).Each block of data contains a complete structure according

SYNC SOC CHK

2 Bytes 2 Bytes 2 Bytes 4 Bytes 4 Bytes Depending on Data Size 2 Bytes

MSB LSB

IDCODE FRAMESIZE FRACSEC DATA 1 DATA 2 DATA N

Figure 2. IEEE C37.118-2 standard message format.

to IEEE C37.118-2 (phasors in polar or rectangular format,analog and digital values, frequency deviation, rate of changeof frequency etc). In the case of a PDC, data from multiplePMUs is correlated to a particular time stamp and transmittedin a single message.

2) Configuration Message: Configuration messages containinformation and processing parameters (calibration factors,meta data, data types, etc) for a synchrophasor data stream.It basically provides necessary information to the receiveron how to decode data messages. IEEE C37.118-2 standardidentified three types of configuration messages: CFG-1, CFG-2 and CFG-3. CFG-1 and CFG-2 were also present in the firstIEEE C37.118 standard published in 2005. CFG-1 representsdata source (PMU, PDC) capabilities and the data it willbe reporting. CFG-2 represents measurements currently beingtransmitted in data messages. CFG-3 is similar to CFG-1 andCFG-2 but includes added information and flexible framing.

3) Header Message: Header messages carry human read-able descriptive information about the data source, scalingalgorithms, filtering etc. It does not have a special format forthe DATA field (in Fig. 2) but carries information in ASCIIformat.

4) Command Message: Command messages are ordersreceived by a data source device. These orders include butare not limited to: start and stop transmission of data mes-sages, send header message, send CFG-1, CFG-2 or CFG-3configuration message etc.

Data Source Controller

Command: Send Configurations

Configuration: CFG-2

Command: Start Data Transmission

Data: Synchrophasors

Command: Stop Data Transmission

Figure 3. Generic IEEE C37.118-2 communication scenario for data sourceoperating in commanded mode.

Fig. 3 depicts a generic communication scenario when thedata source operates in commanded mode. For simplicityheader message is not shown which may be requested bycontrol application/controller using command message. Uponreceiving request, data source sends a header message to thecontroller. When a data source operates in spontaneous mode(cannot receive commands), then communication should onlycontain data and configuration messages. A data source will

ensure to send configuration messages whenever necessary toenable the receiver to correctly decode data messages.

C. Communication Modes and Protocols

IEEE C37.118-2 only specifies different types of messagesand their structure, format and content. It does not put anyrestriction on communication mode or choice of transport pro-tocol. Most industrial implementations targeted either RS232serial or IP based network communication depending onthe application. The possible communication modes include:client-server/unicast (one device sends data which is receivedby one other device), multicast (one device sends data whichis received by a group of device) and broadcast (one devicesends data which is received by all available device in thenetwork). The freedom on the choice of transport protocolleads to several combination: (i) TCP for all types of messages,(ii) UDP for all types of messages, and (iii) data messages onUDP while all other messages on TCP. Each combination willhave its own pros and cons which we will try to analyze inSection VI.

V. SECURITY ANALYSIS & RECOMMENDATIONS

IEEE C37.118-2 does not specify any kind of crypto-graphic signature. Thus, packets are vulnerable to spoofing,being modified in the network during transmission or beingtransmitted by un-authorized peers. This section first analyzeshow vulnerabilities in IEEE C37.118-2 based communicationsystem could be exploited in the form of different possibleattacks. To overcome the vulnerabilities, a security mecha-nism based on Group Domain of Interpretation (GDOI) isrecommended that could be efficiently integrated in IEEEC37.118-2 communication systems [16]. Finally, this sectionalso analyzes the effectiveness of the recommended securitysystem.

A. Cyber Vulnerabilities Analysis

Cyber vulnerabilities in IEEE C37.118-2 could be exploitedby unauthorized entities/attackers to extract, modify or insertmessages in the network. With the knowledge of vulnerabili-ties, different types of attacks could be launched which mayimpair the communication and cause physical damage to thesynchrophasor system. The attacks described here are basedon the generic synchrophasor system depicted in Fig. 1.

1) Reconnaissance Attack: In a reconnaissance attack, anadversary first tries to discover vulnerabilities in the net-work which could be exploited for the actual attack. It isthe unauthorized learning process of the network devices orcommunication system to discover available services, openports, identify network stack daemons or the operating system,etc. Reconnaissance itself is not normally a harmful action butprovides necessary information for the adversary to plan andlaunch more severe attacks such as Denial of Service (DoS)attack, access attack etc.

Reconnaissance attack could be launched either on the phys-ical device or on the communication network. The main focushere is the communication network. Through eavesdropping on

network traffic of IEEE C37.118-2, attackers could learn aboutthe substation name, names and locations of different physicalcomponents (e.g., PMU, breakers) and configurations of thedevice sending packets. Such information is normally carriedby IEEE C37.118-2 configuration messages. The attacker maybe interested in controlling the PMU operations (or the wholesubstation depending on synchrophasor application) througheavesdropping on command messages. Eavesdropping on datamessages will enable an attacker to know the current physicalstate of the substation. The level of risk through eavesdroppingon header messages might be low or high depending onthe synchrophasor application. In short, eavesdropping ondifferent types of IEEE C37.118-2 messages can enable anattacker to launch high impact attacks on the substation.

2) Authentication/Access Attack: Authentication is an ac-cess control mechanism which ensures that only authorizedusers can get access to a system or resources. It is the processin which credentials provided by the client devices are checkedand compared to the information on file/database and accessis granted only if the credentials match. Unauthorized accessto a device or information is sometimes also referred to asaccess attack.

IEEE C37.118-2 does not specify any form of authenticationbetween communicating devices. Thus, it is possible that thecontrol application or the PDC interprets messages beingreceived from genuine PMUs but it may not be the case. Themessages may be received from non-intended PMUs or fromattackers through packet injection or replay attacks.

Not only on the network traffic, access attacks may alsotake place on the physical device e.g., PMU/PDC or controlcenter. Once attacker has control on the physical device, hecan easily alter packets being transmitted or injects packets onits own.

3) Man In The Middle Attack: In a Man In The Middle(MITM) attack, the attacker impersonates two communicatingdevices and makes them believe that they are directly commu-nicating with each other. Instead, the attacker lies in the middleand is able to intercept each and every packet exchangedbetween the two communicating devices. The MITM attackmay also involve connection/session hijacking. The attackercapabilities in a successful MITM attack include hijackingpackets, altering or dropping them and injecting new packets.

The MITM attack can target any message type in an IEEEC37.118-2 synchrophasor communication system. However,its impact could be much more severe on command, con-figuration and data messages compared to header messages.Targeting configuration messages will enable an attacker toseverely disrupt the synchrophasor application. The attackercan easily leave a receiver (applications at the control center)unable to decode/understand data messages. This makes attackon configuration messages the most attractive choice for anattacker. Command messages control the whole communica-tion and an attacker may intentionally disrupt or start/stopthe transmission of data messages. Attacks on data messagesmay alter/modify the synchrophasor measurements and makethe receiver believe that the data is genuine. This will leave

receiver unintentionally performing decisions based on incor-rect data. The impact of MITM attack on header messages isapplication dependent.

4) Replay or Reflection Attack: Replay attacks rely onMITM attack to record communication between two devicesand replay it to hide real system information. The replay pack-ets might lead to incorrect decisions by the receiving device.Further, this attack does not require detailed knowledge of theunderlying system. The impact of replay attacks on differenttypes of IEEE C37.118-2 messages is similar to a MITMattack. Replaying data messages may cause the receiver tocarry out incorrect actions. If configurations change, replayingold configuration messages could prevent the receiver fromdecoding upcoming data messages.

5) Denial of Service Attack: The DoS attack is differentfrom previous attacks as it does not require unauthorizedaccess to network traffic or the communicating devices butsimply attempts to disrupt or block communication betweenthe communicating devices. The DoS attacks overwhelm thetarget device with high data rate bulk packets so that itbecomes irresponsive due to lack of available resources (band-width, CPU, memory etc) or buffer overflow. Referring to Fig.1, the DoS attack can be on the communication link betweenPMUs and substation PDC, substation PDC and control centerPDC or control center PDC and the control applications.The most feasible choice for most of the attackers will betargeting communication link between substation PDC andcontrol center PDC. This will lead to loss of substationsvisibility for the control center.

Normally, DoS attacks will prevent all types of IEEEC37.118-2 messages being processed by the receiver. How-ever, if the DoS attack is weak, it may result in less numberof messages being lost at the receiver. Depending on the typeof message (that is lost), the impact of DoS attack could bedifferent. Loss of configuration message will leave receiverunable to decode upcoming data messages. Loss of few datamessages will make difficult for the receiver to take decisionsdue to not having enough information about the synchrophasorsystem dynamics. Loss of command message will preventreceiver from controlling data source. While the impact ofDoS attack on header message is application dependent.

B. Enabling Security Based on GDOI

To secure the IEEE C37.118-2 based communication sys-tem against attacks, its inherent vulnerabilities should beaddressed. Further, a mechanism should be introduced that canmake attacker activities visible to the user. To this aim, this pa-per suggests the use of GDOI to ensure secure communicationof synchrophasors using IEEE C37.118-2. GDOI is a groupkey management protocol published by Cisco Systems & MIT[16]. Since publication, GDOI is getting increasing popularity.It has already been adopted in IEC 61850-90-5, a real timecommunication system for the smart grid applications. GDOIensures that the communication remains highly secure byconstantly changing group Security Associations (SAs).

Group Controller / Key Server (GCKS)

Group Member Group Member Group Member

Internet

Phase 1

Phase 2

Phase 3

Figure 4. Generic GDOI-based communication scenario.

The generic GDOI-based communication scenario is de-picted in Fig. 4. The GDOI group key management modelconsists of two types of devices: Group Controller/Key Server(GCKS) and Group Member (GM). GCKS is responsible tomaintain group security policy and generation of keys. Asshown in Fig. 4, the GDOI mechanism consists of threephases:

• Phase 1: The group members authenticate and registerwith the GCKS in order to get IPsec SAs which arenecessary to secure communication between the groupmembers. The registration phase is secured through en-cryption using Pairwise key. It is possible that GCKSmanages more than one group and each group has dif-ferent SAs. To request security policies and keys, groupmembers need to provide group ID to GCKS. After thegroup ID is verified, GCKS sends group security policyto the group member. The group member checks if it canhandle the policy and acknowledges to the GCKS in orderto download the Key Encryption Key (KEK). The KEKis used to encrypt the message in which GCKS providesTraffic Encryption Key (TEK) to the group member.

• Phase 2: The group member uses TEK as an IPsec SA toencrypt messages it exchanges with other group members.In synchrophasor applications, TEK will be used toencrypt different types of IEEE C37.118-2 messages.

• Phase 3: Remember, GCKS assigns both KEK and TEKkeys with certain validity period. The keys should berefreshed periodically and provided to group membersbefore the expiry of previous keys to enable uninterruptedsecure communication between group members. Thiskeys update mechanism can be unicast to a single groupmember or multicast to all group members. Multicastupdate messages have no delivery acknowledgment andare transmitted multiple times to account for any packetloss.

The GDOI protocol is based on Internet Security Associa-tion and Key Management Protocol (ISAKMP) to protect thegroup members authentication and registration in Phase 1. Allthe group members and GCKS must have the same ISAKMPpolicy acquired via an out of band method. The ISAKMPpolicy should be strong enough as the whole GDOI mecha-nism security depends on it. Two new ISAKMP exchanges

are defined in GDOI: GROUPKEY-PULL and GROUPKEY-PUSH. GROUPKEY-PULL exchange is used in Phase 1 asexplained above. GROUPKEY-PULL exchange allows groupmembers to request group policy and keying material (KEK,TEK) from GCKS. GROUPKEY-PUSH exchange is Phase 3 inwhich GCKS distributes the updated group policy and keyingmaterial to all authorized group members before the expiry ofthe previous keying material.

It is important that GCKS is explicitly a trusted entity byall group members. If no authentication is performed, MITMattack between GCKS and group member could be possiblefor a rogue GDOI participant. It is also important that GCKSexplicitly authenticates/authorizes each group member beforesending them group policy and keying material. The GCKSshould implement a method for authenticating members (e.g.,by maintaining an up to date authorization list).

C. Benefits of GDOI Based Security

All the different types of attacks described in Section V-Acould be mitigated if the devices and IEEE C37.118-2 com-munication are appropriately secured. As explained before, thereconnaissance attack could either take place on the networkdevices or the communication network. The main focus hereis only on the communication network. If IEEE C37.118-2 messages are encrypted, eavesdropping on network trafficwould not benefit the attacker. Although IEEE C37.118-2 doesnot include authentication, still the authentication or accessattacks could be prevented. It is due to the fact that unau-thorized users could not acquire security policy and keyingmaterial from GCKS. Without having valid TEK, devices arenot be able to communicate. Similarly to eavesdropping onnetwork traffic, MITM attack could be easily prevented dueto encrypted messages.

The replay attacks replay the recorded communication be-tween two devices. These attacks could also be prevented dueto periodic security policy and keying material refreshmentmechanism used in GDOI. The replayed messages might bebased on old keying material which is no longer valid. Thisobviously depends on the validity period of keys assigned byGCKS. A shorter key validity period could effectively preventIEEE C37.118-2 based communication from replay attacks.The DoS attacks overwhelm the target device with high traffic.The impact of DoS attacks can be mitigated to a degree ifthe receiver simply discard messages without processing them.This is only possible if the receive knows that messages arereceived from unauthorized device. The GDOI mechanismprevents any unauthorized device being able to communicationwith authorized devices.

Thus, different types of attacks could be prevented as longas key distribution mechanism is not compromised. GDOIassumes that the network is insecure and could be exploitedby attackers. However, it assumes that GCKS and groupmembers are all trusted and secure. Any compromised groupmember may enable attacker to reveal group policy and keyingmaterial necessary to eavesdrop on network traffic. Therefore,

group members must have proper security in place preventingunauthorized access to them.

GDOI consists of three different phases as described inSection V-B. From a security point of view, attackers willmost probably look for vulnerabilities in Phase 1 ISAKMPauthentication, GROUPKEY-PULL and GROUPKEY-PUSHexchanges of secret keying material. The effectiveness of theseexchanges is briefly described in the following.

1) Phase 1 ISAKMP Authentication: The authenticationin Phase 1 is achieved via pre-shared keys assuming secureGCKS and group members. Any connection hijacking orMITM attack will foil the authentication of one or morecommunicating peers during key establishment. An attackermay launch replay or reflection attack between GCKS anda group member and replays captured messages to a groupmember. The replay of previous key management messagescould be detected as GDOI relies on hash based messageauthentication along with Phase 1 nonce mechanism. Further,GDOI provides prevention against DoS attacks by identifyingspurious messages through a Phase 1 cookie mechanism priorto processing cryptographic hash.

2) GROUPKEY-PULL Exchange: GROUPKEY-PULL ex-change is used by group members to request security policyand keying material from GCKS. It is assumed that GCKS andgroup members are secure and properly authenticated in Phase1. The GROUPKEY-PULL exchange is protected against con-nection hijacking and MITM attacks as the authentication in-volves a secret known only to GCKS and group members whenconstructing HASH payload. Thus, the attacker could not altera message that goes undetected by GCKS or group members.GCKS also keeps track of previously processed GROUPKEY-PULL messages (e.g., message HASH) and directly rejectsmessages previously processed in order to not overload thecomputational resources. This contributes to preventing againstreplay and DoS attacks.

3) GROUPKEY-PUSH Exchange: GROUPKEY-PUSH ex-change is used by GCKS to update group members aboutnew security policy and keying material prior to the expiryof previous SAs. The message is encrypted by KEK whichis only known to group members and distributed in previ-ous GROUPKEY-PUSH exchange or GROUPKEY-PULL ex-change. The KEK is only known to GCKS and group members(both are assumed secure) and this provides protection againstconnection hijacking and MITM attacks. The GROUPKEY-PUSH messages carry an increasing sequence number whichprovides protection against reflection/replay attacks. A groupmember will simply discard a GROUPKEY-PUSH message ifit contains sequence number the same or lower than a pre-viously received message. Further, cookies provide protectionagainst DoS attacks for GROUPKEY-PUSH message.

VI. PERFORMANCE EVALUATION

The implementation of the IEEE C37.118-2 library was carriedout in Linux OS using Python programming language. Anumber of experiments were performed to analyze the require-ments, effectiveness and limitations of IEEE C37.118-2 using

Table ISIZE OF REAL INFORMATION AND MESSAGE FORMATTING AS

PERCENTAGE OF OVERALL COMMUNICATION OVERHEAD (INCLUDINGHEADERS AND PROTOCOL SCEMANTICS).

Using UDP Using TCP

RealInfo Formatting RealInfo Formatting

Data 26.83 % 21.95 % 3.77 % 3.08 %Config 86.70 % 3.67 % 40.30 % 1.71 %Command 3.33 % 26.67 % 0.36 % 2.85 %Header 21.62 % 21.62 % 2.78 % 2.78 %

different transport protocols. Currently, research focuses onthe efficient design of PMUs/PDCs on compact hardware. Tothis aim, all the experimental results reported in this sectionwere performed on a low power pocket PC i.e., RaspberryPi v2 (CPU: ARMv6 700 MHz, Memory 512 MB, Powerconsumption: 3.6 W (idle) & 3.8 W (full load)).

It is worth noting that any synchrophasor application basedon IEEE C37.118-2 will have its own resource requirementsand performance metrics based on its size, complexity andcapabilities. The reported results in this section are perfor-mance metrics only ascribable to IEEE C37.118-2 library inany developed application. For all the reported results, it is as-sumed that the PMU/PDC sends data messages each carrying2 phasors, 2 analog values and 1 digital word, all expressedin integer format except frequency deviation (FREQ) and rateof change of frequency (DFREQ) in floating point format.The same settings are also reflected in Configuration (Config)messages.

A. Communication Overhead

The communication overhead is a significant performancemetric for any protocol. It indirectly reflects the maximumsize of data that can be included inside any packet. Further, itis also a factor affecting channel bandwidth requirements fortransmission of messages. Normally, synchrophasor systemsinvolve high data transmission rates. This in turn requires morechannel bandwidth especially if the protocols communicationoverhead is high.

The overhead for IEEE C37.118-2 is reported in Table Iconsidering different types of messages sent over UDP orTCP. It can be observed that the communication overheadis significantly low for Data and Config messages; the twomost frequently exchanged messages in IEEE C37.118-2 basedcommunication systems. Compared to UDP, TCP has quitehigh communication overhead due to exchange of severaladditional packets during connection establishment and ter-mination.

Fig. 5 depicts how the communication overhead is affect-ing with the increasing size of data messages. The size ofreal information inside the packet increases when a PDCaggregates data from multiple PMUs which in turn resultsin lower communication overhead. The number of PMUsdata inside a PDC depends on its location. A local/substationPDC may aggregate data from 10 PMUs whereas regionalcontrol center or super PDC may carry data from up to

1000 PMUs [17]. Fig. 5 illustrates that UDP is the mostfavorable choice to transmit small size packets. Choosing a lowcommunication overhead option (i.e., UDP) could significantlyreduce channel bandwidth requirement. However, UDP is anon-reliable protocol. The TCP could be a suitable choice fortransmission of large size packets (when its overhead is notsignificantly high compared to UDP) to achieve reliability andother benefits offered by TCP in general.

0

20

40

60

80

100

120

140

5 10 15 20 25 30 35 40 45 50

Ove

rhead A

naly

sis

(%)

Number of PMUs

Data + Formatting (UDP)Communication (UDP)

Data + Formatting (TCP)Communication (TCP)

Figure 5. Overhead analysis when PDC aggregates data from multiple PMUs.

B. Impact of Latencies

Latency is the critical factor that can impair the performanceof real-time applications in three ways: (i) application latencywhich is ascribable to encoding and decoding of different typesof messages, (ii) network latency which is time taken by pack-ets to traverse the network, and (iii) transport latency whichis time taken by transport protocol e.g., TCP to acknowledgeor retransmit data. Network and transport latencies are linkedwith available bandwidth (low latencies are observed on highbandwidth channels and vice versa) whereas application la-tency depends on the processing power of a given device. TableII presents the sum of all three latencies for different types ofIEEE C37.118-2 messages averaged over 100 transmissions.To avoid clock synchronization issues between sender andreceiver, latency measurements were calculated from two-waytime measurements. The observed latencies are comparativelylow for UDP than TCP but the difference is not too significant.It is due to the fact that most of the latency is ascribable toencoding and decoding of messages on a low power device i.e.,Raspberry Pi. Based on the values reported in Table II, thereshould be ideally no packet loss if messages are transmitted atappropriate rate (roughly 90 and 97 data messages per secondfor TCP and UDP, respectively). Practically, high data ratescan be easily supported (especially for UDP) using parallelprocessing and large size socket buffer.

It can be observed in Table II that latencies are different fordifferent types of messages. This is due to different messagesize, format and structure. The latencies are expected toincrease with increase in message size and complexity. Whichwill in turn affect the maximum possible data transmissionrate. Fig. 6 divides latencies into two parts: (i) time requiredto encode the message and send it to receiver device, and

(ii) time required to receive a message, analyze/decode it andextract data. It is apparent from Fig. 6 that encoding latenciesare quite low compared to decoding latencies. It is due to thefact that PDC simply aggregates data from multiple PMUsduring the encoding process whereas control application indecoding process performs deep inspection of received packetto separate data of each PMU and analyze each and every bitaccording to Config. message. This obviously depends on theprocessing power of the devices performing PDC and controlapplication functionalities (Raspberry Pi in this case).

50

100

150

200

250

300

350

400

10 20 30 40 50 60 70 80 90 100

Late

ncy (

ms)

Number of PMUs

Transmission & encoding latencyTransmission & decoding latency

Figure 6. Transmission & encoding/decoding latencies when PDC aggregatesdata from multiple PMUs.

Compared to UDP, TCP provides several benefits such asflow and error control, reliability and guaranteed delivery ofdata. However, TCP is normally not suggested for high ratereal-time transmission of messages. To analyze the suitabilityof TCP for real-time transmissions, Fig. 7 reports packet losswith increasing data rate. For each data rate, 10,000 packetswere transmitted and number of lost packets were counted. Itcan be observed in Fig. 7 that the packet loss increases rapidlywith increase in the data transmission rate. This is due to thefact that each lost packet causes an interval of packets loss. IfTCP waits for the recovery of lost packets, data transmissionrate will be affected leaving worst effects on the performanceof real-time applications as well as throughput. Another limi-tation of TCP is its incapability to support multicast instead ofestablishing 1-1 connection which also increases the networkbandwidth requirements.

C. Resource Requirements

This section analyzes the resource requirements in terms ofCPU and bandwidth. For applications to perform well, theminimum required processing power and bandwidth should beavailable. Fig. 8 presents the minimum required resources withincrease in data transmission rate. It can be observed in Fig.8(a) that CPU usage of the application increases with increasein data transmission rate. Fig. 8(a) depicts results obtained onRaspberry Pi and will be different for other types of devicesdepending on the available CPU power. The device processingpower also affects the message encoding/decoding latencies asreported in Section VI-C.

Table IILATENCIES FOR DIFFERENT TYPES OF MESSAGES.

Using UDP Using TCP

Min Average Max Std. Dev. Min Average Max Std. Dev.

Data 4.83 ms 10.28 ms 19.71 ms 1.96 ms 9.62 ms 11.07 ms 15.03 ms 1.13 msConfig 7 ms 8.74 ms 17.26 ms 1.42 ms 7.82 ms 9.57 ms 13.57 ms 1.19 msCommand 4.07 ms 5.89 ms 9.75 ms 1.39 ms 4.79 ms 6.44 ms 11 ms 1.21 msHeader 4.17 ms 6.28 ms 13.83 ms 1.54 ms 5.98 ms 7.03 ms 11.89 ms 1.34 ms

0

20

40

60

80

100

120

100 200 300 400 500 600 700 800 900 1000

Num

ber

of Lost P

ackets

Data Messages per second

Figure 7. Packet loss with increase in data transmission rate using TCP astransport protocol.

The bandwidth requirement is the most critical factor forany communication protocol. High data rate on low band-width links can cause traffic congestion which will in turnresult in packet loss. In computing, bandwidth is the bit rateor maximum throughput that can be supported by a givencommunication medium. It can be observed in Fig. 8(b) andFig. 8(c) that bandwidth requirement increases linearly withincrease in data transmission rate. Further, the bandwidthrequirement depends on the message size. Large size messages(e.g, including more phasors) have significant high bandwidthrequirement especially at high data transmission rates. Further,the bandwidth requirement also has strong connection withthe communication overhead. TCP communication overhead ishigher than UDP resulting in 3-4 times increase in bandwidthrequirement at a given data rate. With TCP, IEEE C37.118-2based communication requires roughly 500 kbps at 100 datamessages per second transmission rate which is lower thanthe maximum bandwidth of most Internet access technologiesexcept the dialup (dialup/modem: 56 kbps, ADSL lite: 1.5Mbps, ADSL1: 8 Mbps, ADSL2+: 24 Mbps, wireless 802.11b:11 Mbps, wireless 802.11g: 54 Mbps, wireless 802.11n: 600Mbps, Gigabit Ethernet: 1 Gbps, etc). Some Internet accesstechnologies may not provide enough bandwidth for highsynchrophasor data transmission rates (especially for PDC thataggregates data from multiple PMUs).

D. Remarks

Based on the latencies, observed packet loss and bandwidthrequirement, TCP is an ideal choice only for low data ratereliable transmissions. Its performance gets worse under high

data rates and low available channel bandwidth. On the otherhand, UDP has low bandwidth requirements, has low com-munication overhead and does not cause incremental latencyin case of packet loss. This makes it suitable for high datarate and real-time transmissions. However, it is unreliable anddoes not guarantee the delivery of data. Due to pros and consof each transport protocol, the mixed approach will be idealchoice for IEEE C37.118-2 based communication system.The mixed approach will use reliable TCP for infrequentmessages (Config, Command, Header) and non-reliable UDPfor frequent Data messages. The benefits of mixed approachinclude reliable transmission of critical information (e.g., Con-fig message is very important for receiver to understand howto decode received Data messages, Command messages whichcontrol whole communication between two peers, etc) andminimum latency and low packet loss for real-time streaming(Data messages). Another advantage of mixed approach is itssuitability for both client-server as well as multicast mode oftransmission.

VII. CONCLUSIONS

Synchrophasors have become an integral part of the modernpower system and their applications are continuously evolv-ing. Many synchrophasor applications involve transmissionof messages over the Internet. IEEE C37.118-2 is the welltested and most widely used communication standard fortransmission of synchrophasors data. This paper presented anoverview of IEEE C37.118-2 standard highlighting its mainfeatures and capabilities. IEEE C37.118-2 standard does nothave any embedded security mechanism which makes it highlyvulnerable to cyber attacks. This paper analyzed how differenttypes of cyber attacks can exploit vulnerabilities and impactthe operations of any synchrophasor application based onIEEE C37.118-2.

To overcome IEEE C37.118-2 vulnerabilities, this paper rec-ommended a GDOI based security mechanism and addressedits effectiveness. GDOI provides enhanced security and protec-tion against man-in-the-middle, connection hijacking, replay,reflection and denial-of-service attacks. Finally, the paperpresented detailed performance evaluation of IEEE C37.118-2and analyzed network overhead, resource requirements (e.g.,bandwidth, CPU), communication latencies and their impacton the data transmission rate. The reported results provideenough information about the required resources and networkcharacteristics before designing any synchrophasor applicationbased on IEEE C37.118-2 standard.

0

20

40

60

80

100

100 200 300 400 500 600 700 800 900 1000

CP

U u

sage (

%)

Data Messages per second

(a) CPU usage

0

20

40

60

80

100

120

140

160

10 20 30 40 50 60 70 80 90 100

Min

required c

apacity (

kbps)

Data Messages per second

1 phasor, all integers1 phasor, all floats

10 phasors, all integers10 phasors, all floats

(b) Bandwidth (using UDP)

0

100

200

300

400

500

600

10 20 30 40 50 60 70 80 90 100

Min

re

qu

ire

d c

ap

acity (

kb

ps)

Data Messages per second

1 phasor, all integers1 phasor, all floats

10 phasors, all integers10 phasors, all floats

(c) Bandwidth (using TCP)

Figure 8. Resource requirements with increase in data transmission rate.

ACKNOWLEDGEMENTS

This work was funded by the EPSRC CAPRICA project(EP/M002837/1).

REFERENCES

[1] E. Schweitzer, Y. Gong, and M. Donolo, “Advanced real-time syn-chrophasor applications,” in 35th Annual Western Protective RelayConference, 2008.

[2] J. Stewart, T. Maufer, R. Smith, C. Anderson, and E. Ersonmez,“Synchrophasor security practices,” in 14th Annual Georgia Tech Faultand Disturbance Analysis Conference, 2011.

[3] K. E. Martin, D. Hamai, M. G. Adamiak, S. Anderson, M. Begovic,G. Benmouyal, G. Brunello, J. Burger, J. Y. Cai, B. Dickerson,V. Gharpure, B. Kennedy, D. Karlsson, A. G. Phadke, J. Salj, V. Sk-endzic, J. Sperr, Y. Song, C. Huntley, B. Kasztenny, and E. Price,“Exploring the ieee standard c37.1182005 synchrophasors for powersystems,” in IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 23,NO. 4. IEEE, 2008.

[4] G. Allgood, L. Bass, B. Brown, K. Brown, S. Griffin, J. Ivers,T. Kuruganti, J. Lake, H. Lipson, J. Nutaro, J. Searle, and B. Smith,“Security profile for wide-area monitoring, protection, and control,” inThe UCAIug SG Security Working Group, 2011.

[5] T. Morris, S. Pan, J. Lewis, J. Moorhead, N. Younan, R. King, M. Fre-und, and V. Madani, “Cyber security risk testing of substation phasormeasurement units and phasor data concentrators,” in Seventh AnnualWorkshop on Cyber Security and Information Intelligence Research(CSIIRW ’11). ACM, 2011.

[6] B. Sikdar and J. Chow, “Defending synchrophasor data networks againsttraffic analysis attacks,” in IEEE Transactions on Smart Grid, Vol:2,Issue: 4. IEEE, 2011.

[7] S. D’Antonio, L. Coppolino, I. Elia, and V. Formicola, “Security issuesof a phasor data concentrator for smart grid infrastructure.” in 13thEuropean Workshop on Dependable Computing. ACM, 2011.

[8] L. Coppolino, S. DAntonio, and L. Romano, “Exposing vulnerabilitiesin electric power grids: An experimental approach,” in InternationalJournal of Critical Infrastructure Protection vol:7(1), pp:51-60. EL-SEVIER, 2014.

[9] D. Shepard, T. Humphreys, and A. Fansler, “Evaluation of the vul-nerability of phasor measurement units to gps spoofing attacks,” inInternational Journal of Critical Infrastructure Protection, 2012.

[10] D.-Y. Yu, A. Ranganathan, T. Locher, S. Capkun, and D. Basin,“Short paper: detection of gps spoofing attacks in power grids,” inInt. conference on Security and privacy in wireless & mobile networks.ACM, 2014.

[11] W. F. Boyer and S. A. McBride, “Study of security attributes of smartgrid systemscurrent cyber security issues,” in INL, USDOE, BattelleEnergy Alliance LLC., Rep INL/EXT-09-15500, 2009.

[12] T. Baumeister, “Literature review on smart grid cyber security,” inUniversity of Hawaii, Technical Report, 2010.

[13] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, “A survey on cyber security forsmart grid communications,” in Communications Surveys and Tutorials,vol.14, no.4, pp.998-1010. IEEE, 2012.

[14] S. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanismsagainst distributed denial of service (ddos) flooding attacks,” in Com-munications Surveys and Tutorials, vol. 15, no. 4, pp. 2046-2069. IEEE,2013.

[15] C. Beasley, X. Zhong, J. Deng, R. Brooks, and G. K. Venayagamoorthy,“A survey of electric power synchrophasor network cyber security,”in 5th IEEE PES Innovative Smart Grid Technologies Europe (ISGTEurope). IEEE, 2014.

[16] B. Weis, S. Rowles, and T. Hardjono, “The group domain of interpreta-tion,” in Internet Engineering Task Force (IETF) Request For Comments(RFC): 6407, Oct. 2011.

[17] L. L. Grigsby, “Wide-area monitoring and situational awareness,” inPower System Stability and Control - Third Edition, Volume 5. CRC

Press, 2012.