IEC 61850 is the IEC standard for communication networks and systems in power utility automation, first published in 2003 and now deployed in substations worldwide. It replaced the patchwork of proprietary protocols from different IED (Intelligent Electronic Device) vendors with a unified, interoperable framework. In doing so, it created a consistent attack surface across critical energy infrastructure that spans hundreds of utilities and thousands of substation installations globally.
The standard covers three main communication services, each with different security characteristics. Understanding how attackers can abuse these services — and how defenders can reduce that exposure without breaking operational continuity — is the core challenge for grid security teams.
The Three Attack Surfaces in IEC 61850
GOOSE: Generic Object Oriented Substation Event
GOOSE messages are the real-time protection signalling mechanism in IEC 61850. When a current differential relay detects a fault, it publishes a GOOSE message that tells circuit breakers to trip within milliseconds. This timing requirement — sub-10ms for protection operations — is why GOOSE operates directly over Ethernet (Layer 2, multicast) without TCP/IP overhead.
The security problem: GOOSE carries no authentication. Any device on the same Ethernet segment can publish a GOOSE message claiming to be any source IED, and receiving IEDs are designed to act on it. An attacker with access to the substation LAN (or the ability to inject Layer 2 traffic onto it) can:
- Spoof a GOOSE trip command: Cause a circuit breaker to trip when there is no actual fault, disconnecting generation or load
- Spoof a GOOSE inhibit: Suppress a legitimate protection action during an actual fault, preventing isolation and potentially damaging equipment
- GOOSE storm: Flood the LAN with GOOSE traffic to overwhelm IED processing capability, causing protection relays to miss or delay legitimate commands
These aren’t theoretical. Security researchers demonstrated GOOSE spoofing attacks on realistic substation testbeds in multiple published studies. The Industroyer/CrashOverride malware — used in the 2016 Ukraine power grid attack — included a GOOSE module that sent GOOSE commands to trip breakers.
Edition 2 and TLS: IEC 61850 Edition 2 introduced optional security extensions including digital signatures for GOOSE messages. The standard defines the mechanism; it does not mandate its use. Most deployed substations run Edition 1 or Edition 2 without the security extensions enabled, because adding authentication overhead conflicts with the sub-millisecond timing requirements and because security extensions require compatible IEDs throughout the substation — a full hardware replacement cycle.
Sampled Values (SV/SMV)
Sampled Values are the continuous stream of current and voltage measurements published by Merging Units (digital instrument transformers) to protection and metering IEDs. Like GOOSE, SV operates over Layer 2 Ethernet multicast without authentication.
Injecting spoofed Sampled Values into a substation LAN causes protection relays to see falsified electrical measurements. An attacker could cause relays to detect a fault where none exists (causing trips), or mask an actual fault from protection logic (preventing isolation). The manipulation of SV data requires precise timing synchronisation to be convincing — injected SV frames must match the expected time synchronisation pulse — but this is achievable by an attacker who has studied the target installation.
MMS: Manufacturing Message Specification
MMS is the application-layer protocol IEC 61850 uses for monitoring, configuration, and SCADA integration. Unlike GOOSE and SV, MMS runs over TCP/IP, which means it is routable across network boundaries and potentially reachable from outside the substation LAN.
MMS supports optional TLS encryption and certificate-based authentication. The operational reality in most substation deployments: TLS is not enabled, authentication is basic or absent, and MMS servers on IEDs listen on TCP port 102 with default configurations.
From a network with access to the substation SCADA/MMS network, an attacker can:
- Read all IED data: operational measurements, protection settings, event logs
- Modify protection settings: change relay pickup thresholds, time delays, and operating characteristics
- Send control commands: open/close circuit breakers and switches (subject to IED configuration)
- Read file system: IED configuration files often contain network topology and relay settings
In the 2015 Ukraine power grid attack, attackers used a combination of BlackEnergy malware and manual interaction with SCADA systems to open breakers. MMS-accessible IEDs that lack authentication represent a similar capability to any attacker who can reach the SCADA network.
Typical Substation Network Topology and Its Security Gaps
IEC 61850 deployments typically use a two-level network:
Station Bus: The Ethernet network connecting the HMI, protection IEDs, bay control units, and SCADA gateway. MMS, GOOSE, and SV all operate here. In many installations this is a single flat Ethernet network — no VLANs, no inter-bay segmentation.
Process Bus: Used in digital substations with Merging Units. SV and process-level GOOSE operate here. Physical separation from the Station Bus is the design intent; actual implementations sometimes bridge the two.
SCADA Integration: A SCADA gateway translates MMS to the SCADA master protocol (typically DNP3 or IEC 60870-5-104). This gateway may be connected to a corporate WAN or to a utility SCADA network accessible from engineering workstations, remote offices, and sometimes — through security gaps — from external networks.
The attack paths that have been exploited in real incidents follow this topology: compromise of an engineering workstation or corporate network, lateral movement to the SCADA integration network, access to the substation gateway, and then either direct MMS commands or GOOSE injection on the station bus.
Hardening Recommendations
Network Segmentation
GOOSE and SV traffic should not be able to leave the station bus network. If the station bus is a flat Ethernet network, VLAN segmentation can limit GOOSE propagation to the bays that need it — a bay protection relay does not need to receive GOOSE messages from another bay’s IEDs.
The SCADA/MMS network should be a separate VLAN with access control between the station bus and the SCADA integration layer. Firewall or unidirectional gateway between the SCADA network and any corporate or external network.
Intrusion Detection for GOOSE and SV
Because authentication can’t be added to existing GOOSE/SV deployments without hardware replacement, the practical defence is monitoring. IDS solutions designed for IEC 61850 environments — including offerings from Claroty, Nozomi Networks, and Dragos — can establish baselines of normal GOOSE and SV communication patterns and alert on anomalies: new source MAC addresses publishing GOOSE, unexpected GOOSE state changes outside normal operational conditions, or changes in SV sampling rates.
A GOOSE message from a MAC address not in the baseline is a strong anomaly indicator. A GOOSE trip command published outside a known maintenance window is worth an alert.
MMS Authentication and Access Control
For IEDs that support MMS with TLS and certificate authentication (IEC 61850 Edition 2 security extensions), enable it. Start with new IED purchases and stipulate security extension support in procurement specifications. For legacy IEDs that cannot be upgraded, compensating controls include: network-layer access control restricting MMS connections to authorised SCADA gateway IPs, monitoring MMS sessions for unusual command patterns, and requiring that protection setting changes go through a change management workflow with time-limited network access.
Engineering Workstation Security
Engineering workstations are the typical entry point to substation IEC 61850 networks. They run relay configuration software, have MMS access to all IEDs, and often have VPN connectivity from remote locations. Standard enterprise endpoint controls should apply: application allowlisting, removable media controls, network access logging, and MFA for remote access. The engineering workstation is a high-value target specifically because it has pre-authorised MMS access.
Time Synchronisation Security
IEC 61850 protection operations depend on precise time synchronisation — GPS-based PTP (IEEE 1588) or IRIG-B. An attacker who can manipulate time synchronisation signals can cause SV and GOOSE timing anomalies that confuse protection logic. Authenticate IEEE 1588 time sources where supported; monitor for GPS signal anomalies or spoofing indicators at substation clock sources.
The Regulatory Context
NERC CIP standards (specifically CIP-005 and CIP-007) require Electronic Security Perimeters and system security management for BES Cyber Systems — which includes substation protection and control systems in scope. IEC 62351 (the IEC standard for security in power systems communication) defines security requirements for IEC 61850 but is not mandated in most jurisdictions.
The practical position for most grid operators: NERC CIP compliance provides a floor, but the actual attack surface of IEC 61850 substations requires active hardening beyond the compliance baseline. Segmentation, monitoring, and engineering workstation security are the controls that reduce the risk of a substation being used as a stepping stone in a grid disruption campaign — regardless of compliance status.