IEC 61850 transformed substation automation. It replaced hardwired copper connections with standardized Ethernet-based communication between intelligent electronic devices (IEDs). GOOSE messages trip breakers in under 4 milliseconds. MMS connects IEDs to SCADA systems. Sampled Values stream real-time voltage and current measurements.
But this transformation came with a trade-off. By moving protection and control communications onto Ethernet, substations inherited all the cybersecurity risks that come with networked systems.
GOOSE messages have no built-in authentication. MMS runs over TCP with no encryption by default. Any device on the substation LAN can send a spoofed GOOSE message that trips a circuit breaker — and the receiving IED will execute it without question.
IEC 62351 was developed to address these gaps. It is the companion security standard for IEC 61850, covering TLS for MMS, message authentication for GOOSE and Sampled Values, role-based access control, and network monitoring.
This guide explains the specific threats to IEC 61850 systems, maps each IEC 62351 part to the protocol it protects, and gives you concrete steps to secure your substation.
1. Why IEC 61850 Is Vulnerable
IEC 61850 was designed for interoperability, speed, and reliability — not security. The original standard (published 2003–2005) included no security mechanisms.
| Protocol | Transport | Security Built-in |
|---|---|---|
| GOOSE | Layer 2 Ethernet multicast | None — no authentication, no encryption |
| MMS | TCP/IP (port 102) | None by default — relies on network isolation |
| Sampled Values | Layer 2 Ethernet multicast | None — no authentication, no encryption |
The core problem is that GOOSE and Sampled Values operate directly at Ethernet Layer 2. They bypass TCP/IP entirely. This gives them the speed needed for protection functions (under 4 ms), but it also means they cannot use standard IP-based security mechanisms like TLS or firewalls.
Any device connected to the substation Ethernet network can:
- Listen to all GOOSE and SV traffic (they are multicast — sent to all ports)
- Inject spoofed GOOSE messages with forged trip commands
- Inject false Sampled Values to make protection relays see incorrect measurements
- Connect to any IED’s MMS server and read or write data without authentication
- Flood the network with traffic to delay time-critical protection messages
2. Threats to GOOSE Communication
GOOSE is the most critical and most vulnerable protocol in IEC 61850. A single spoofed GOOSE message can trip a circuit breaker and cause a power outage.
Attack Types
| Attack | How It Works | Impact |
|---|---|---|
| GOOSE spoofing | Attacker crafts a fake GOOSE frame with a higher stNum (state number) than the legitimate publisher. The subscriber accepts it as a newer, valid message. | False trip/close commands executed by IEDs. Breakers open or close without a real fault. |
| GOOSE replay | Attacker captures a legitimate GOOSE trip message and retransmits it later. | Protection operations triggered at the wrong time. |
| GOOSE flooding (DoS) | Attacker floods the network with high volumes of GOOSE frames. | Legitimate GOOSE messages are delayed beyond the 4 ms requirement. Protection functions fail. |
| GOOSE data manipulation | Attacker intercepts and modifies GOOSE data values (analog measurements, status bits) before they reach subscribers. | Operators and automation logic make decisions based on false data. |
Why GOOSE Is Easy to Attack
- GOOSE frames are multicast — every device on the VLAN receives them.
- There is no authentication — the subscriber cannot verify the sender.
- The stNum/sqNum mechanism is predictable — an attacker who captures one GOOSE frame can calculate the next valid sequence number.
- GOOSE runs at Layer 2 — standard IP firewalls cannot filter it.
3. Threats to MMS Communication
MMS (Manufacturing Message Specification) handles client/server communication between IEDs and SCADA/HMI systems over TCP/IP on port 102.
Attack Types
| Attack | How It Works | Impact |
|---|---|---|
| Unauthorized access | Attacker connects to an IED’s MMS server — no authentication required by default. | Attacker reads all process data, configuration, and settings. |
| Unauthorized control | Attacker sends MMS write commands to change settings or issue control operations. | Setpoints changed, breakers operated, protection disabled. |
| Man-in-the-middle | Attacker intercepts MMS traffic between SCADA and IED. Modifies readings or commands in transit. | Operators see false data. Control commands are altered. |
| Reconnaissance | Attacker queries IED data models to map the substation — logical nodes, data objects, datasets. | Detailed intelligence for planning further attacks. |
MMS Advantage Over GOOSE
MMS runs over TCP/IP, which means standard network security tools (TLS, firewalls, VPNs) can be applied. This makes MMS easier to protect than GOOSE.
4. Threats to Sampled Values
Sampled Values (SV) carry real-time analog measurements — voltage and current waveforms — from merging units to protection IEDs. Like GOOSE, SV operates at Ethernet Layer 2.
Risks
- False data injection: An attacker injects spoofed SV streams with manipulated voltage/current values. Protection relays see a fault that does not exist — or miss a real fault.
- Denial of service: Flooding the network delays legitimate SV messages. If samples arrive late, protection relays cannot calculate fault conditions accurately.
- No authentication: Like GOOSE, SV has no built-in sender verification.
The consequences of SV attacks are severe. Protection relays use these measurements to detect faults and trip breakers. If the measurements are wrong, the relay either fails to trip during a real fault (risk of equipment damage or safety hazard) or trips unnecessarily (power outage).
5. IEC 62351: The Security Standard Explained
IEC 62351 is the security companion to IEC 61850 (and other TC 57 protocols). It was developed by IEC Technical Committee 57 Working Group 15, starting in the early 2000s. The series has been significantly updated over the years — many parts have gone from Technical Specifications to full International Standards.
As of the 2025/2026 compiled edition (IEC 62351:2026 SER), the series contains over 20 documents spanning 2,570 pages. It is not a single document — it is a series of parts, each addressing a different protocol or security function.
Core Parts
| Part | Current Edition | Title | What It Protects |
|---|---|---|---|
| 62351-1 | 2007 (TS) | Introduction to security issues | Overview of threats, requirements, and countermeasures |
| 62351-2 | 2008 (TS) | Glossary of terms | Definitions |
| 62351-3 | 2023 (IS) | Profiles including TCP/IP | TLS for MMS, IEC 60870-5-104, and other TCP-based protocols |
| 62351-4 | 2018 + Amd1:2020 (IS) | Profiles including MMS | Authentication and access control for MMS sessions |
| 62351-5 | 2023 (IS) | Security for IEC 60870-5 and DNP3 | Authentication for serial and TCP telecontrol protocols |
| 62351-6 | 2020 (IS) | Security for IEC 61850 profiles | Message authentication for GOOSE and Sampled Values |
| 62351-7 | 2025 (IS) | Network and system management | Security monitoring objects, SNMP MIBs for IED health monitoring |
| 62351-8 | 2020 (IS) | Role-based access control (RBAC) | User roles and permissions for IED access |
| 62351-9 | 2023 (IS) | Cyber security key management | Certificate enrollment (SCEP/EST), PKI, symmetric key distribution (GDOI) |
| 62351-10 | 2012 (TR) | Security architecture guidelines | Architecture recommendations and risk assessment |
| 62351-11 | 2016 (IS) | Security for XML documents | Security for CIM (IEC 61968/61970) XML payloads |
| 62351-12 | 2016 (TR) | Resilience and security of DER | Security for distributed energy resources |
| 62351-13 | 2016 (TR) | Guidelines for security of SD-WAN | Security for wide-area networks |
Conformance Testing Parts (100-series)
| Part | Edition | Purpose |
|---|---|---|
| 62351-100-1 | 2018 (TS) | Conformance test cases for IEC 62351-5 |
| 62351-100-3 | 2020 (TS) | Conformance test cases for IEC 62351-3 (TLS) |
| 62351-100-4 | 2023 (TS) | Conformance test cases for IEC 62351-4 (MMS security) |
| 62351-100-6 | 2022 (TS) | Conformance test cases for IEC 62351-6 (GOOSE/SV security) |
💡 Important: The documents you may have from 2007–2012 are outdated. Parts 3, 5, 6, 7, 8, and 9 have all been significantly revised. Part 9 (key management) is entirely new. Always reference the latest editions when designing or auditing substation security.
For IEC 61850, the most important parts are 62351-3 (TLS for MMS), 62351-6 (GOOSE/SV authentication), 62351-8 (role-based access control), and 62351-9 (key management and certificate infrastructure).
6. IEC 62351-3: TLS for MMS and TCP/IP Profiles
IEC 62351-3 (current edition: 2023, upgraded from Technical Specification to full International Standard) specifies how to use TLS to protect TCP-based protocols, including MMS.
What It Provides
- Encryption: All MMS traffic between client (SCADA) and server (IED) is encrypted. Eavesdropping becomes impossible.
- Authentication: Both client and server authenticate using X.509 digital certificates during the TLS handshake. No anonymous connections.
- Integrity: TLS ensures that messages cannot be modified in transit without detection.
Key Requirements
- TLS version 1.2 or higher is required.
- Cipher suites must include AES encryption and SHA-based hashing.
- For substation internal communication, the specification recommends the cipher suite TLS_DH_RSA_WITH_AES_128_SHA to reduce CPU overhead on IEDs.
- Both the SCADA client and each IED must be provisioned with digital certificates signed by a trusted Certificate Authority (CA).
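The requirements above translate directly into TLS configuration. The following Python example is added here and is not from the standard or from any vendor's product: it builds an `ssl.SSLContext` for an MMS/TLS endpoint that enforces TLS 1.2 or higher, mutual certificate authentication and AES/SHA cipher suites, and it includes an audit function that reports where a context falls short, so the weak default can be compared with the hardened one. The cipher string and the `WEAK_TOKENS` list are choices made for this example; the certificate file paths are placeholders the caller supplies.

```python
import ssl
from typing import List

# Name fragments that mark suites with no encryption, no authentication, or legacy algorithms
WEAK_TOKENS = ("NULL", "ADH", "AECDH", "RC4", "DES", "MD5", "EXP", "PSK")


def harden_mms_tls_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Apply the IEC 62351-3 style requirements to an existing context (server or client side)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # mutual authentication: the peer must present a CA-signed certificate
    # TLS 1.2 suites limited to ephemeral key exchange with AES and SHA-2 (example choice).
    # TLS 1.3 suites are AEAD-only and fixed by OpenSSL, so they cannot be narrowed from Python.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES128+SHA256:DHE+AES128+SHA256")
    return ctx


def build_ied_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Context for an IED's MMS/TLS listener; the paths are placeholders for the CA bundle and the IED's own cert/key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_verify_locations(cafile=ca_file)    # CA that signs the SCADA client certificates
    ctx.load_cert_chain(cert_file, key_file)     # the IED's own certificate, issued by the substation CA
    return harden_mms_tls_context(ctx)


def audit_mms_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the requirements; an empty list means it passes."""
    problems: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum TLS version is {ctx.minimum_version!r}, need TLSv1_2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required: no mutual authentication")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite.get("protocol") == "TLSv1.3":
            continue                                      # AEAD with a SHA-2 hash by construction
        if any(tok in name for tok in WEAK_TOKENS) or "AES" not in name or "SHA" not in name:
            problems.append(f"cipher suite {name} does not meet the AES + SHA requirement")
    return problems


if __name__ == "__main__":
    # Compare an out-of-the-box server context with the hardened one
    for label, ctx in (("default", ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)),
                       ("hardened", harden_mms_tls_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))):
        print(label, audit_mms_tls_context(ctx) or "OK")
```

The same `harden_mms_tls_context` can be applied to the SCADA client's context; the client additionally loads its own certificate with `load_cert_chain` so the IED can authenticate it.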
Practical Considerations
- Certificate management is the biggest challenge. Every IED needs a certificate, and certificates expire and must be renewed.
- Legacy IEDs may not support TLS due to limited processing power.
- TLS adds latency to MMS communication — acceptable for monitoring and control, but not suitable for time-critical protection (which uses GOOSE, not MMS).
7. IEC 62351-6: Security for GOOSE and Sampled Values
IEC 62351-6 (current edition: 2020, upgraded from Technical Specification to full International Standard) is the most challenging part because GOOSE and SV have strict timing requirements (under 4 ms) and operate at Layer 2 where TLS cannot be used.
Approach: Message Authentication Code (MAC)
IEC 62351-6 appends a message authentication code (HMAC, Hash-based Message Authentication Code) to each GOOSE and SV frame. The subscriber recomputes the HMAC with the shared key and so verifies that the message came from a legitimate publisher and has not been tampered with.
What It Provides
- Authentication: The subscriber verifies the sender using the HMAC appended to the message.
- Integrity: Any modification to the GOOSE/SV frame invalidates the HMAC — the subscriber rejects it.
- Replay protection: Sequence numbers and state counters combined with the HMAC prevent replay attacks.
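To make the interplay of the HMAC and the counters concrete, here is an added Python example; it is not the IEC 62351-6 wire format and not code from any IED vendor, but a simplified illustration of the same design: the publisher covers gocbRef, stNum, sqNum and the payload with a truncated HMAC-SHA256 tag, and the subscriber verifies the tag before it trusts the counters, then rejects any frame whose counters do not strictly advance. The frame layout, the 16-byte tag length and the sample key are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

TAG_LEN = 16   # truncated HMAC-SHA256 tag; layout is an illustration, not the IEC 62351-6 wire format


def protect(key: bytes, gocb_ref: str, st_num: int, sq_num: int, payload: bytes) -> bytes:
    """Publisher side: frame = [ref length][gocbRef][stNum][sqNum][payload][tag]; the tag covers all of it."""
    ref = gocb_ref.encode("ascii")
    body = struct.pack("!H", len(ref)) + ref + struct.pack("!II", st_num, sq_num) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Subscriber:
    """Subscriber side: verify the tag first, then enforce that (stNum, sqNum) strictly advances."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                                   # gocbRef -> group key (distribution is IEC 62351-9's job)
        self.last: Dict[str, Tuple[int, int]] = {}         # gocbRef -> (stNum, sqNum) of the last accepted frame

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < 2:
            return False, "truncated"
        ref_len = struct.unpack("!H", frame[:2])[0]
        counters_at = 2 + ref_len
        if counters_at + 8 + TAG_LEN > len(frame):
            return False, "truncated"
        ref = frame[2:counters_at].decode("ascii", "replace")
        key = self.keys.get(ref)
        if key is None:
            return False, f"no key for {ref}"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):        # constant-time comparison
            return False, "bad MAC"                       # forged, modified in transit, or wrong key
        # Only now are the counters trustworthy: they were covered by the verified tag
        st_num, sq_num = struct.unpack("!II", frame[counters_at:counters_at + 8])
        prev = self.last.get(ref)
        if prev is not None and (st_num, sq_num) <= prev:
            return False, f"replay: stNum/sqNum {st_num}/{sq_num} not after {prev[0]}/{prev[1]}"
        self.last[ref] = (st_num, sq_num)
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo values: a 256-bit group key and one boolean data-set member in BER
    KEY, REF, DATA = b"\x01" * 32, "IED1LD0/LLN0$GO$gcb01", b"\x83\x01\x01"
    sub = Subscriber({REF: KEY})
    first = protect(KEY, REF, 5, 0, DATA)
    print("genuine:", sub.accept(first))
    print("retransmission:", sub.accept(protect(KEY, REF, 5, 1, DATA)))
    print("replayed capture:", sub.accept(first))
    tampered = bytearray(protect(KEY, REF, 6, 0, DATA))
    tampered[-TAG_LEN - 1] ^= 0x01                         # flip one payload bit after the tag was computed
    print("modified in transit:", sub.accept(bytes(tampered)))
```

Note the ordering in `accept`: the tag is checked before the counters are read, so an unauthenticated frame can never move the replay window, and a frame that carries a higher stNum but was not produced with the group key fails on the MAC rather than being accepted as "newer".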
What It Does NOT Provide
- Encryption is not recommended for time-critical GOOSE and SV. The IEC 62351-6 specification explicitly states that for applications requiring 4 ms response times, encryption is not recommended due to processing overhead. Instead, confidentiality is provided by restricting GOOSE/SV traffic to a dedicated VLAN.
- Encryption is optional for GOOSE/SV applications where the 4 ms delivery requirement is not a concern.
Practical Challenges
- Adding HMAC computation to every GOOSE frame increases processing time on IEDs. Older IEDs may not have the CPU capacity.
- Key distribution is complex — all publishers and subscribers for a given GOOSE dataset must share the authentication key.
- Not all IED vendors have implemented IEC 62351-6 yet. Check with your vendor before specifying it.
8. IEC 62351-8: Role-Based Access Control
IEC 62351-8 (current edition: 2020, upgraded to full International Standard) defines a role-based access control (RBAC) system for power system devices. It determines who can do what on each IED.
Defined Roles
| Role | Permissions |
|---|---|
| VIEWER | Read-only access to process data and measurements |
| OPERATOR | Read data + issue control commands (open/close breakers) |
| ENGINEER | Read data + modify settings and configuration |
| INSTALLER | Full access during commissioning phase |
| SECADM | Security administrator — manages certificates, keys, and access policies |
| SECAUD | Security auditor — read-only access to security logs and audit trails |
| RBACMNT | RBAC maintenance — manages role assignments |
How It Works
- Each user or client application is assigned a role.
- The role is encoded in the user’s X.509v3 digital certificate (as an extension).
- When the client connects to an IED (via MMS/TLS), the IED reads the certificate, extracts the role, and enforces access control.
- An OPERATOR can read data and control breakers, but cannot change protection settings. An ENGINEER can change settings, but may not have control authority.
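The enforcement step in that list is where the roles actually bite. The following Python example is added here and is not part of IEC 62351-8 or of any IED firmware: it models an IED's authorization decision for an MMS request using the roles from the table above. The page does not say how an IED maps a request onto a permission, so this example assumes a mapping from the IEC 61850 functional constraint (FC) of the addressed data attribute: writes to CO are control operations, writes to SP/SG/SE/CF are setting changes, and reads of any FC need read permission. That ENGINEER holds no control authority and that INSTALLER is accepted only while a commissioning flag is set are also assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class Perm(Enum):
    READ = "read data"
    CONTROL = "operate controls"
    SETTINGS = "modify settings"
    SECURITY = "manage security"
    AUDIT = "read security logs"
    ROLEMGMT = "manage role assignments"


# Roles as listed in IEC 62351-8; the permission sets follow the table above (ENGINEER without control is an assumption)
ROLE_PERMS: Dict[str, Set[Perm]] = {
    "VIEWER": {Perm.READ},
    "OPERATOR": {Perm.READ, Perm.CONTROL},
    "ENGINEER": {Perm.READ, Perm.SETTINGS},
    "INSTALLER": {Perm.READ, Perm.CONTROL, Perm.SETTINGS},   # full access, but only during commissioning
    "SECADM": {Perm.READ, Perm.SECURITY},
    "SECAUD": {Perm.AUDIT},
    "RBACMNT": {Perm.ROLEMGMT},
}

# Assumed mapping: which permission an MMS write needs, by the functional constraint of the target attribute
WRITE_PERM_BY_FC: Dict[str, Perm] = {
    "CO": Perm.CONTROL,                                      # control (Oper/Cancel/SBO)
    "SP": Perm.SETTINGS, "SG": Perm.SETTINGS,                # setpoints, setting groups
    "SE": Perm.SETTINGS, "CF": Perm.SETTINGS,                # setting-group edits, configuration
}


@dataclass
class Request:
    role: str        # extracted from the client's X.509 certificate extension after the TLS handshake
    service: str     # "read" or "write"
    obj_ref: str     # IEC 61850 object reference, e.g. IED1CTRL/CSWI1.Pos.Oper.ctlVal
    fc: str          # functional constraint of the addressed attribute


def required_permission(service: str, fc: str) -> Perm:
    if service == "read":
        return Perm.READ
    if service == "write":
        perm = WRITE_PERM_BY_FC.get(fc)
        if perm is None:
            raise ValueError(f"writes to FC={fc} are not an allowed operation")   # ST, MX etc. are read-only
        return perm
    raise ValueError(f"unknown service {service}")


def authorize(req: Request, commissioning: bool = False) -> Tuple[bool, str]:
    """Deny by default: return (permitted, reason); the reason is what the IED would write to its audit log."""
    perms = ROLE_PERMS.get(req.role)
    if perms is None:
        return False, f"unknown role {req.role}"
    if req.role == "INSTALLER" and not commissioning:
        return False, "INSTALLER role not accepted outside commissioning"
    try:
        needed = required_permission(req.service, req.fc)
    except ValueError as err:
        return False, str(err)
    if needed not in perms:
        return False, f"{req.role} lacks '{needed.value}' for {req.service} {req.obj_ref}[{req.fc}]"
    return True, "permit"


if __name__ == "__main__":
    for req in (Request("OPERATOR", "write", "IED1CTRL/CSWI1.Pos.Oper.ctlVal", "CO"),
                Request("OPERATOR", "write", "IED1PROT/PTOC1.StrVal.setMag.f", "SG"),
                Request("ENGINEER", "write", "IED1PROT/PTOC1.StrVal.setMag.f", "SG"),
                Request("ENGINEER", "write", "IED1CTRL/CSWI1.Pos.Oper.ctlVal", "CO")):
        print(req.role, req.service, req.fc, "->", authorize(req))
```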
Why It Matters
Without RBAC, anyone with MMS access to an IED can do anything — read, write, control, reconfigure. RBAC limits the damage an attacker (or an accidental misconfiguration) can cause.
9. Practical Protection Measures Beyond IEC 62351
IEC 62351 addresses protocol-level security. But a secure substation also needs network-level and physical-level protection.
Network Segmentation
- Separate VLANs for GOOSE, SV, MMS, and management traffic. GOOSE and SV must never share a VLAN with general IT traffic.
- Use managed industrial Ethernet switches with VLAN support, port security, and traffic prioritization (IEEE 802.1Q priority tagging).
- No connection between the substation LAN and the corporate IT network without a firewall and DMZ.
Network Redundancy
- Use PRP (Parallel Redundancy Protocol) or HSR (High-availability Seamless Redundancy) per IEC 62439-3 for critical GOOSE and SV traffic.
- Do not use RSTP (Rapid Spanning Tree Protocol) for protection-grade GOOSE — its recovery time is too slow.
Firewall and Access Control
- Deploy industrial firewalls between the station bus and external connections (SCADA WAN, engineering access).
- Use deep packet inspection firewalls that understand IEC 61850 MMS — standard port-based firewalls are not enough.
- Block MMS port 102 from all sources except authorized SCADA and engineering workstations.
Physical Security
- Lock all network switches, patch panels, and IED communication ports.
- Disable unused Ethernet ports on switches.
- Use tamper-evident enclosures for communication equipment in unmanned substations.
Monitoring and Intrusion Detection
- Deploy OT-specific intrusion detection systems (Dragos, Nozomi Networks, Claroty) that can parse GOOSE, MMS, and SV traffic.
- Monitor for GOOSE spoofing indicators: unexpected stNum jumps, GOOSE frames from unknown MAC addresses, duplicate GOOSE control block references.
- Log all MMS connections and control commands for audit purposes.
- Monitor ARP tables for changes that could indicate ARP spoofing attacks.
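The GOOSE spoofing indicators in the list above, and the attack mechanics described in section 2 (a forged frame carrying a higher stNum, a replayed capture, a control block published from a second source), can be checked by a passive monitor that reads GOOSE frames off a mirror port. The Python example below is added here and is not code from any of the products named above: it parses the GOOSE Ethernet header and the BER-encoded `IECGoosePdu` far enough to recover the source MAC, gocbRef, stNum and sqNum, then flags frames whose publisher MAC does not match the engineered one, whose stNum jumps or goes backwards, or whose sqNum breaks the retransmission pattern. The engineered publisher list (`gocbRef` to MAC) is assumed to come from the SCL file; `build_sample_frame` produces constructed test input only, and the MAC addresses and control block names in it are made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

GOOSE_ETHERTYPE = 0x88B8
VLAN_ETHERTYPE = 0x8100


def _ber_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position after the length field)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _ber_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the top-level TLVs of a BER sequence body (single-byte tags only, which the GOOSE PDU uses)."""
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _ber_length(buf, pos + 1)
        yield tag, buf[pos:pos + length]
        pos += length


@dataclass
class GooseMsg:
    src_mac: str
    gocb_ref: str
    st_num: int
    sq_num: int


def parse_goose(frame: bytes) -> Optional[GooseMsg]:
    """Extract source MAC, gocbRef, stNum and sqNum from a GOOSE frame, with or without an 802.1Q tag."""
    if len(frame) < 14:
        return None
    src = frame[6:12].hex(":")
    ethertype, pos = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == VLAN_ETHERTYPE and len(frame) >= 18:
        ethertype, pos = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != GOOSE_ETHERTYPE or len(frame) < pos + 8:
        return None
    # GOOSE header: APPID, Length (counted from APPID), Reserved1, Reserved2, then the BER APDU
    _appid, length = struct.unpack("!HH", frame[pos:pos + 4])
    apdu = frame[pos + 8:pos + length]
    if not apdu or apdu[0] != 0x61:                      # IECGoosePdu is tagged [APPLICATION 1]
        return None
    try:
        body_len, body = _ber_length(apdu, 1)
        fields = dict(_ber_tlvs(apdu[body:body + body_len]))
        return GooseMsg(src, fields[0x80].decode("ascii"),            # [0] gocbRef
                        int.from_bytes(fields[0x85], "big"),          # [5] stNum
                        int.from_bytes(fields[0x86], "big"))          # [6] sqNum
    except (KeyError, IndexError, UnicodeDecodeError):
        return None


class GooseMonitor:
    """Passive monitor: flags frames that contradict the engineered publisher list or the counter rules."""

    def __init__(self, publishers: Dict[str, str], max_st_jump: int = 1):
        self.publishers = {ref: mac.lower() for ref, mac in publishers.items()}   # gocbRef -> MAC from the SCL file
        self.max_st_jump = max_st_jump
        self.baseline: Dict[str, Tuple[int, int]] = {}   # gocbRef -> (stNum, sqNum) last seen from the real publisher

    def observe(self, frame: bytes) -> List[str]:
        msg = parse_goose(frame)
        if msg is None:
            return []
        alerts: List[str] = []
        expected = self.publishers.get(msg.gocb_ref)
        if expected is None:
            alerts.append(f"{msg.gocb_ref}: control block not in SCL, sent by {msg.src_mac}")
        elif expected != msg.src_mac:
            alerts.append(f"{msg.gocb_ref}: published from unexpected MAC {msg.src_mac} (engineered {expected})")
        prev = self.baseline.get(msg.gocb_ref)
        if prev is not None:
            p_st, p_sq = prev
            if msg.st_num < p_st:
                alerts.append(f"{msg.gocb_ref}: stNum went backwards {p_st} -> {msg.st_num} (replay?)")
            elif msg.st_num == p_st and msg.sq_num != p_sq + 1:
                alerts.append(f"{msg.gocb_ref}: sqNum {msg.sq_num} after {p_sq} (lost frames or replay)")
            elif msg.st_num > p_st + self.max_st_jump:
                alerts.append(f"{msg.gocb_ref}: stNum jumped {p_st} -> {msg.st_num} (possible spoof)")
            elif msg.st_num > p_st and msg.sq_num != 0:
                alerts.append(f"{msg.gocb_ref}: state change to stNum {msg.st_num} but sqNum {msg.sq_num} != 0")
        # Only the engineered publisher advances the baseline, and only forwards, so rogue frames cannot poison it
        if expected == msg.src_mac and (prev is None or (msg.st_num, msg.sq_num) > prev):
            self.baseline[msg.gocb_ref] = (msg.st_num, msg.sq_num)
        return alerts


def _ber(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                                  # short-form length is enough for these test frames
    return bytes([tag, len(value)]) + value


def build_sample_frame(src_mac: str, gocb_ref: str, st_num: int, sq_num: int, vlan_id: Optional[int] = None) -> bytes:
    """Constructed test input only: a minimal GOOSE frame carrying the fields the monitor inspects."""
    body = (_ber(0x80, gocb_ref.encode("ascii")) + _ber(0x81, (2000).to_bytes(2, "big"))
            + _ber(0x82, b"IED1LD0/LLN0$DS1") + _ber(0x83, b"IED1_GOOSE1") + _ber(0x84, bytes(8))
            + _ber(0x85, st_num.to_bytes(4, "big")) + _ber(0x86, sq_num.to_bytes(4, "big"))
            + _ber(0x87, b"\x00") + _ber(0x88, b"\x01") + _ber(0x89, b"\x00") + _ber(0x8A, b"\x01")
            + _ber(0xAB, _ber(0x83, b"\x01")))               # allData: one boolean member
    apdu = _ber(0x61, body)
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex(src_mac.replace(":", ""))   # GOOSE multicast dst, src
    if vlan_id is not None:
        eth += struct.pack("!HH", VLAN_ETHERTYPE, (4 << 13) | vlan_id)             # PCP 4, VLAN ID
    return eth + struct.pack("!H", GOOSE_ETHERTYPE) + struct.pack("!HHHH", 0x0001, 8 + len(apdu), 0, 0) + apdu


if __name__ == "__main__":
    REF = "IED1LD0/LLN0$GO$gcb01"
    monitor = GooseMonitor({REF: "00:11:22:33:44:55"})
    for frame in (build_sample_frame("00:11:22:33:44:55", REF, 3, 0),
                  build_sample_frame("00:11:22:33:44:55", REF, 3, 1, vlan_id=10),
                  build_sample_frame("de:ad:be:ef:00:01", REF, 9, 0)):     # constructed rogue frame
        for alert in monitor.observe(frame):
            print("ALERT", alert)
```

In a deployment the monitor would be fed from a SPAN port via a raw socket or a packet library and its alerts forwarded to the SIEM named in the checklist; the sequence rules follow the GOOSE retransmission pattern (new stNum with sqNum reset to 0, then sqNum incrementing on each repeat), so a gap in sqNum is reported as a possible loss or replay rather than a confirmed attack.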
Software-Defined Networking (SDN)
SDN is emerging as a strong countermeasure for GOOSE spoofing. In an SDN-based substation network, the switch controller enforces strict flow rules — only authorized publishers can send GOOSE frames to specific multicast addresses. Any spoofed GOOSE frame from an unauthorized port is dropped and an alert is generated.
10. IEC 61850 Substation Security Checklist
Use this checklist when designing, commissioning, or auditing a digital substation:
IEC 62351 Implementation:
- IEC 62351-3 (TLS) enabled on all MMS connections
- IEC 62351-6 (HMAC authentication) enabled on GOOSE and SV where supported
- IEC 62351-8 (RBAC) configured with appropriate roles for operators, engineers, and administrators
- IEC 62351-9 (key management) implemented — PKI infrastructure with certificate enrollment (SCEP/EST) and symmetric key distribution (GDOI)
- Digital certificates provisioned on all IEDs and SCADA clients
- Certificate management plan in place (renewal, revocation, CA infrastructure)
Network:
- Separate VLANs for GOOSE, SV, MMS, and management traffic
- PRP or HSR redundancy for critical protection traffic
- Industrial managed switches with port security and VLAN enforcement
- No direct connection between substation LAN and corporate IT without firewall/DMZ
- MMS port 102 restricted to authorized SCADA and engineering IPs only
Monitoring:
- OT intrusion detection system deployed on the substation network
- GOOSE spoofing detection enabled (stNum anomalies, unknown MAC addresses)
- All MMS control commands logged for audit
- ARP monitoring active on all VLANs
- Security events forwarded to central SIEM
Physical:
- Network switches and patch panels in locked cabinets
- Unused Ethernet ports disabled
- Tamper-evident seals on communication equipment at unmanned sites
- Engineering laptop access restricted and logged
Maintenance:
- IED firmware updated to latest version with IEC 62351 support
- Default passwords changed on all device web interfaces
- Unused services (HTTP, Telnet, FTP, SNMP) disabled on IEDs
- Security configuration included in SCL files and version-controlled
Summary
IEC 61850 brought massive benefits to substation automation — interoperability, reduced wiring, faster protection, and standardized data models. But it also introduced cybersecurity risks that did not exist with hardwired systems.
GOOSE is the most vulnerable protocol because it operates at Layer 2 with no authentication. A single spoofed GOOSE message can trip a breaker and cause a blackout. MMS is vulnerable to unauthorized access and man-in-the-middle attacks. Sampled Values can be manipulated to blind protection relays.
IEC 62351 addresses these threats at the protocol level: TLS for MMS (Part 3), HMAC authentication for GOOSE and SV (Part 6), and role-based access control (Part 8). But protocol-level security alone is not enough. A secure substation requires network segmentation, dedicated VLANs, industrial firewalls, redundancy protocols, physical security, and continuous monitoring.
The threat is real and growing. Research teams have demonstrated practical GOOSE spoofing attacks that cause relay misoperations. Threat groups are actively developing tools that target industrial protocols. Start implementing IEC 62351 where your devices support it, and build defense-in-depth around the protocols that do not yet have full security support.
