OT Cybersecurity | 7 min read

IEC 61850 - MMS and GOOSE protocols in power substation automation. Security and segmentation

IEC 61850 combines two communication protocols used in the energy sector: MMS (TCP 102) for configuration and GOOSE (L2 multicast, EtherType 0x88B8) for fast event transmission. The lack of GOOSE authentication requires VLAN isolation.

Jozef Sulwinski
Tags: IEC 61850, MMS, GOOSE, energy sector

IEC 61850 is an international communication standard for power substation automation, developed by IEC Technical Committee 57. Unlike most industrial protocols, IEC 61850 is not a single protocol - it is a comprehensive data model and set of communication services that map to two fundamentally different network protocols: MMS (Manufacturing Message Specification) running on TCP/IP and GOOSE (Generic Object Oriented Substation Event) operating directly at Layer 2.

This duality means that securing an IEC 61850 environment requires a simultaneous approach to protecting both IP traffic and L2 traffic - an architectural challenge that every substation operator faces.

Architecture and communication model

MMS - Manufacturing Message Specification

MMS (ISO 9506) is an application layer protocol that IEC 61850 uses for:

  • Reading and writing measurement values and statuses
  • Configuring IED (Intelligent Electronic Device) devices
  • Transmitting reports and event logs
  • Transferring configuration files (SCL - Substation Configuration Language)

MMS runs on the TCP/IP stack, using TCP port 102 (ISO-TSAP). Communication follows a client-server model - an engineering workstation or SCADA system (MMS client) queries IED devices (MMS servers).

GOOSE - Generic Object Oriented Substation Event

GOOSE is a mechanism for fast event exchange between IED devices - typically trip signals, interlocking, and protection statuses. GOOSE was designed with a reaction time below 4 ms in mind (class P2/P3 per IEC 61850-5).

To achieve such times, GOOSE bypasses the TCP/IP stack and operates directly at Ethernet Layer 2 with EtherType 0x88B8. GOOSE messages are sent as multicast - each IED publishes its events, and interested devices subscribe to the appropriate groups.

SV - Sampled Values

SV is the third communication mechanism in IEC 61850: it transmits digital samples from current and voltage transformers (via Merging Units). Like GOOSE, it operates at Layer 2 (EtherType 0x88BA). It replaces the analog copper connections between instrument transformers and protection relays.

Technical parameters

MMS
  • OSI model layer: 4-7 (TCP/IP)
  • Port: TCP 102 (ISO-TSAP)
  • Communication model: client-server
  • Authentication: optional (IEC 62351-4)
  • Encryption: TLS (IEC 62351-3)

GOOSE
  • OSI model layer: 2 (Ethernet)
  • EtherType: 0x88B8
  • Communication model: publish-subscribe (multicast)
  • Authentication: none (IEC 62351-6 defines HMAC, but adoption is minimal)
  • Encryption: none

SV (Sampled Values)
  • EtherType: 0x88BA
  • Authentication/Encryption: none

General
  • Application: power substations
  • Standardization organization: IEC TC 57

Security assessment

IEC 61850 security requires separate analysis for each communication mechanism, as MMS and GOOSE have fundamentally different risk profiles.

MMS - threats and protection

MMS runs on TCP/IP, which enables the use of standard network protection mechanisms. However, in default configuration:

  • An MMS connection on TCP 102 requires no authentication
  • An MMS client can read values, change settings, and send commands to IEDs
  • The COSMICENERGY attack (2023) used the MMS protocol (via IEC 60870-5-104 as transport) to send control commands to substation devices

The IEC 62351 standard defines security extensions: TLS for the transport layer (part 3) and MMS authentication (part 4). Adoption is growing, but many legacy IEDs do not support these mechanisms.

GOOSE - fundamental security problem

GOOSE is the most sensitive element of the IEC 61850 ecosystem from a cybersecurity perspective:

  • No authentication - a GOOSE frame contains no mechanism for verifying the sender. Any device in the same L2 segment can publish a GOOSE message impersonating any IED.
  • Multicast - GOOSE messages are broadcast to all devices in the broadcast domain. An attacker sees the complete picture of events in the substation.
  • Critical consequences - a forged GOOSE message can trip a breaker, block a protection relay, or change an interlocking state - with direct consequences for power substation operation.

TIP

A GOOSE spoofing attack is documented in academic literature and has been demonstrated under laboratory conditions multiple times. A laptop with the libpcap library and knowledge of the GOOSE frame structure is sufficient to generate a forged event. The only effective protection is network isolation - GOOSE should not leave a dedicated VLAN.

IEC 62351-6 defines an HMAC (hash-based message authentication code) mechanism for GOOSE frames, but its adoption by IED manufacturers remains minimal. The main barriers are computational overhead (the HMAC must fit within the 4 ms budget) and the lack of backward compatibility.

TIP

Before purchasing new IEDs for a power substation, it is worth verifying whether the device supports IEC 62351-6 (HMAC for GOOSE) and IEC 62351-3/4 (TLS/MMS authentication). This is an investment that will pay off with future regulatory requirements.

IEC 61850 network segmentation

The network architecture of an IEC 61850 substation typically divides into three levels (per IEC 61850-3): station bus (station level), process bus (field level), and the dispatch center interface. Segmentation must account for this hierarchy.

Practical recommendations

  1. Isolate GOOSE in dedicated VLANs - this is the most important control. GOOSE frames (EtherType 0x88B8) should be confined to VLANs covering only the IEDs that exchange events with each other: one VLAN per protection group (e.g. one VLAN for the line bay and a separate one for the busbar section).

  2. Separate station bus and process bus - MMS traffic (station bus) and GOOSE/SV traffic (process bus) should travel through separate VLANs or - in installations with the highest security level (SL) - through physically separate switches.

  3. Firewall with DPI at the station bus boundary - filtering MMS (TCP 102) based on IP addresses and - if the firewall supports it - based on MMS service types (e.g. allow reads, block writes).

  4. Firewall/DMZ at the substation-dispatch center boundary - communication from the substation to the SCADA/EMS system should pass through a DMZ zone with protocol inspection (IEC 60870-5-104 or MMS).

  5. Switches with VLAN pruning support - configure switches so that GOOSE/SV frames are not propagated to ports where subscribing devices are not connected. This limits the attack surface.

  6. L2 traffic monitoring - IDS systems that understand GOOSE frame structure (e.g. StationGuard by OMICRON, Rhebo, Nozomi) detect anomalies: new GOOSE sources, publication frequency changes, unexpected values in data fields.

  7. Redundancy with PRP/HSR - redundancy protocols (IEC 62439-3) typical for IEC 61850 substations add network complexity. Ensure that redundancy does not create uncontrolled communication paths that bypass segmentation.
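The GOOSE frame layout described above (Ethernet header, optional 802.1Q tag, EtherType 0x88B8, 8-byte GOOSE header, BER-encoded goosePdu) and the kind of anomaly detection named in recommendation 6 (new GOOSE sources, sequence irregularities, frames appearing outside their VLAN) can be shown together in one piece of code. The following is an added example written for this article; it is not the article's own code nor that of any IDS vendor or IED manufacturer. It decodes the goosePdu fields a monitor needs and checks every frame against a baseline of authorised publishers (gocbRef, source MAC, VLAN) and the IEC 61850-8-1 stNum/sqNum rules (stNum increments on a state change, sqNum restarts at 0 and then counts retransmissions). The MAC addresses, VLAN IDs, gocbRef names and the frames themselves are constructed sample data built in memory purely as input for the monitor; the builder encodes only a boolean dataset.

```python
"""GOOSE (IEC 61850-8-1) frame parser plus a publisher-baseline monitor.

Added example for this article, not vendor/project code. All MACs, VLANs,
gocbRef names and frames below are constructed sample data.
"""
import struct

GOOSE_ETHERTYPE = 0x88B8   # GOOSE EtherType (IEC 61850-8-1)
VLAN_ETHERTYPE = 0x8100    # IEEE 802.1Q tag

# --- minimal BER helpers, enough for the goosePdu fields used here ---
def _ber_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + struct.pack("!H", n)

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(v):
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def _read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def build_goose(src_mac, vlan, gocb_ref, st_num, sq_num, values):
    """Construct a GOOSE frame with a boolean dataset (test input only)."""
    all_data = b"".join(_tlv(0x83, b"\x01" if v else b"\x00") for v in values)
    pdu = _tlv(0x61, b"".join([
        _tlv(0x80, gocb_ref.encode()),       # gocbRef
        _tlv(0x81, _ber_int(10000)),         # timeAllowedtoLive (ms)
        _tlv(0x82, b"IED1LD0/LLN0$DS1"),     # datSet (constructed name)
        _tlv(0x83, b"goID1"),                # goID
        _tlv(0x84, bytes(8)),                # t (UtcTime, zeroed here)
        _tlv(0x85, _ber_int(st_num)),        # stNum: +1 on every state change
        _tlv(0x86, _ber_int(sq_num)),        # sqNum: 0 after change, then +1 per repeat
        _tlv(0x87, b"\x00"),                 # simulation
        _tlv(0x88, _ber_int(1)),             # confRev
        _tlv(0x89, b"\x00"),                 # ndsCom
        _tlv(0x8A, _ber_int(len(values))),   # numDatSetEntries
        _tlv(0xAB, all_data),                # allData
    ]))
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", VLAN_ETHERTYPE, vlan)   # PCP/DEI = 0
    eth += struct.pack("!H", GOOSE_ETHERTYPE)
    header = struct.pack("!HHHH", 0x0001, 8 + len(pdu), 0, 0)  # APPID, Length, Reserved1/2
    return eth + header + pdu

def parse_goose(frame):
    """Return the fields a monitor needs, or None if the frame is not GOOSE."""
    src, off, vlan = frame[6:12].hex(":"), 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == VLAN_ETHERTYPE:            # strip the 802.1Q tag, keep the VID
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != GOOSE_ETHERTYPE:
        return None
    off += 2
    appid, length = struct.unpack_from("!HH", frame, off)
    if off + length > len(frame):
        return None                            # truncated frame
    tag, body, _ = _read_tlv(frame, off + 8)   # skip the 8-byte GOOSE header
    if tag != 0x61:
        return None                            # not a goosePdu
    fields, pos = {}, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields[t] = v
    data, pos = [], 0
    while pos < len(fields[0xAB]):
        t, v, pos = _read_tlv(fields[0xAB], pos)
        data.append(bool(v[0]) if t == 0x83 else v)
    return {"src": src, "vlan": vlan, "appid": appid,
            "gocbRef": fields[0x80].decode(),
            "stNum": int.from_bytes(fields[0x85], "big"),
            "sqNum": int.from_bytes(fields[0x86], "big"), "data": data}

class GooseMonitor:
    """Baseline: gocbRef -> (authorised source MAC, expected VLAN)."""
    def __init__(self, baseline):
        self.baseline, self.last = baseline, {}   # last: gocbRef -> (stNum, sqNum)

    def inspect(self, frame):
        g = parse_goose(frame)
        if g is None:
            return []
        ref, alerts = g["gocbRef"], []
        if ref not in self.baseline:
            alerts.append(f"unknown control block {ref} published by {g['src']}")
        else:
            mac, vlan = self.baseline[ref]
            if g["src"] != mac:
                alerts.append(f"{ref}: source MAC {g['src']} differs from baseline {mac}")
            if g["vlan"] != vlan:
                alerts.append(f"{ref}: seen on VLAN {g['vlan']}, expected VLAN {vlan}")
        if ref in self.last:
            st, sq = self.last[ref]
            if g["stNum"] < st:
                alerts.append(f"{ref}: stNum went backwards ({st} -> {g['stNum']}), possible replay")
            elif g["stNum"] == st and g["sqNum"] != sq + 1:
                alerts.append(f"{ref}: sqNum gap ({sq} -> {g['sqNum']})")
            elif g["stNum"] > st and g["sqNum"] != 0:
                alerts.append(f"{ref}: state change without sqNum reset")
        self.last[ref] = (g["stNum"], g["sqNum"])
        return alerts

BASELINE = {"IED1LD0/LLN0$GO$GCB1": ("00:01:02:03:04:05", 10)}   # constructed

def run_demo():
    """Feed five constructed frames through the monitor; return alerts per frame."""
    ied, rogue, ref = "00:01:02:03:04:05", "aa:bb:cc:dd:ee:ff", "IED1LD0/LLN0$GO$GCB1"
    frames = [
        build_goose(ied, 10, ref, 3, 0, [False]),    # legitimate, state 3
        build_goose(ied, 10, ref, 3, 1, [False]),    # legitimate retransmission
        build_goose(rogue, 10, ref, 4, 0, [True]),   # same gocbRef, unknown source MAC
        build_goose(ied, 20, ref, 4, 1, [True]),     # leaked onto a different VLAN
        build_goose(ied, 10, ref, 3, 0, [False]),    # old frame seen again (replay)
    ]
    mon = GooseMonitor(BASELINE)
    return [mon.inspect(f) for f in frames]

if __name__ == "__main__":
    for i, alerts in enumerate(run_demo()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The baseline dictionary is the point of the design: in a substation the set of GOOSE publishers is fixed by the SCL engineering files, so anything that is not in that set, or that arrives from a different MAC or VLAN than engineered, is worth an alert. The sequence checks catch a second class of problems that VLAN isolation alone does not, such as a replayed frame or a publisher restart, and they are cheap enough to run per frame on a passive monitoring port.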

More about designing zones and conduits in OT environments can be found in the article OT network segmentation - how to protect industrial systems.

Summary

IEC 61850 is a standard that revolutionized communication in power substations - replacing hundreds of copper cables with an Ethernet network. However, it introduced two fundamentally different risk profiles: MMS on TCP/IP (securable with standard measures and IEC 62351 extensions) and GOOSE on Layer 2 (practically unprotected in most deployments). Until IEC 62351-6 adoption becomes widespread, VLAN isolation remains the only effective mechanism for protecting GOOSE communication.
