PRP and HSR - seamless redundancy for industrial networks. IEC 62439-3 in IEC 61850 substations
PRP and HSR per IEC 62439-3 - layer 2 redundancy with zero recovery time. PRP topology (two LANs) vs HSR (ring), RedBox, DANP/DANH.
In industrial networks requiring the highest level of availability, classic redundancy protocols (STP, RSTP) are insufficient. An RSTP recovery time of 1-2 seconds is an eternity in an electrical substation - GOOSE messages must reach protection relays within ≤3 ms regardless of any single network component failure.
The IEC 62439-3 standard (current edition: 2021) defines two layer 2 redundancy protocols with zero recovery time: PRP (Parallel Redundancy Protocol) and HSR (High-availability Seamless Redundancy). Both are foundational to the network architecture of the modern digital substation compliant with IEC 61850.
Shared principle
PRP and HSR are built on the same fundamental principle: every frame is transmitted simultaneously on two independent paths. The receiver accepts the first frame to arrive and discards the duplicate based on a unique identifier. If one path fails, the other delivers the frame without delay - there is no “failure detection” or “path switching” step.
Zero recovery time follows from the fact that redundancy is static - both paths are always active, unlike RSTP where one is active and the other is in blocking state.
PRP - Parallel Redundancy Protocol
PRP assumes two physically independent LANs (LAN A and LAN B) which may have any internal topology. Nodes with two interfaces (DAN - Doubly Attached Node) send each frame in parallel to both LANs. The receiving DAN verifies duplication and forwards only one copy to the upper layer.
Key fields:
| Element | Description |
|---|---|
| PRP Trailer (RCT - Redundancy Control Trailer) | 6 bytes appended at the end of the frame, before the FCS |
| - Sequence Number | 16 bits - frame sequence number |
| - LAN ID | 4 bits (0xA for LAN A, 0xB for LAN B) |
| - Size | 12 bits - PDU length |
| - PRP Suffix | 16 bits - marker 0x88FB |
Duplicate detection is based on the combination of sender MAC + Sequence Number. The receiver maintains a sequence window per sender and discards repetitions.
HSR - High-availability Seamless Redundancy
Instead of two LANs HSR uses a ring topology - each node has two ports (port A and port B) through which it forwards a frame simultaneously in both directions of the ring. The frame travels round the ring until it returns to the sender, which removes it.
Key HSR fields:
| Element | Description |
|---|---|
| HSR Tag | 6 bytes inserted after the MAC (before the payload EtherType) |
| - Path ID | 4 bits (sending port, A=0, B=1) |
| - LSDUsize | 12 bits (user data length) |
| - Sequence Number | 16 bits |
| - EtherType | 16 bits (0x892F = HSR) |
HSR allows a redundant network to be built with fewer switches than PRP (one ring instead of two LANs), at the cost of doubled bandwidth load in the ring (every frame travels the entire ring).
Device classes
IEC 62439-3 defines the types of devices participating in redundancy:
| Type | Expansion | Function |
|---|---|---|
| DANP | Doubly Attached Node for PRP | Dual-port PRP node |
| DANH | Doubly Attached Node for HSR | Dual-port HSR node |
| SAN | Singly Attached Node | Node without redundancy (standard Ethernet host) |
| RedBox | Redundancy Box | Bridge connecting a SAN to a PRP or HSR network |
| QuadBox | - | Connector between two HSR rings |
RedBox plays a key role: it lets devices that do not support PRP/HSR (e.g. older protection relays, engineers’ laptops) be attached to a redundant network without changing the end device’s software. The RedBox itself handles frame duplication towards the redundant network and duplicate removal towards the SAN.
Applications
IEC 61850 electrical substations - the headline use case. GOOSE messages (IEC 61850-8-1) must reach protection relays within ≤3 ms. Sampled Values (IEC 61850-9-2) digitise current and voltage measurements at 80 samples per cycle - 4000 samples/s for 50 Hz systems (Europe) or 4800 samples/s for 60 Hz (USA). Both protocols run at layer 2 and require a deterministic network with zero recovery time.
Industrial control systems - in critical continuous processes (petrochemical, power generation) where loss of communication between controllers and I/O is unacceptable.
Railway traction - traffic control systems, on-board automation, locomotive management systems.
Military applications - communication networks in defence systems where tolerance of failures and degradation attacks is required.
Cybersecurity of PRP/HSR
WARNING
PRP and HSR were designed for reliability, not security. They contain no authentication and no encryption. An attacker with access to one of the LANs (PRP) or the ring (HSR) can send frames that will be accepted by every receiver.
Specific attack vectors:
| Attack | Effect |
|---|---|
| Injection into a single PRP LAN | Access to LAN A alone suffices - even without LAN B the frame will be accepted (first copy wins) |
| Sequence Number exhaustion | The attacker generates frames with high sequence numbers, blocking future legitimate frames (duplicate drop) |
| RedBox bypass | Attacking a RedBox device allows frame injection as a single SAN |
| Ring desynchronisation (HSR) | Manipulation of frames in the ring can cause a “storm” or duplication |
In the IEC 61850 context, attacks on GOOSE are particularly dangerous - a forged trip message can operate a circuit breaker in a substation, and a forged “no trip” can delay the reaction to a fault.
IEC 62351 - the security layer
The answer to the security problem in IEC 61850/62439-3 networks is the IEC 62351 standard - a series of documents defining cryptographic mechanisms:
- IEC 62351-6 - security for GOOSE and Sampled Values (HMAC-SHA256 signatures, optional AES-GCM encryption)
- IEC 62351-3 - TLS for MMS (the upper IEC 61850 layer)
- IEC 62351-8 - rights management (RBAC)
Deploying IEC 62351 requires modern protection relays (with HMAC support for GOOSE) and PKI infrastructure for key management. Adoption in 2026 remains in its early phase - most substations operate without the IEC 62351 security layer.
Architectural recommendations
- PRP for new installations - when two independent networks are affordable, PRP is easier to diagnose than HSR. The absence of transit through other nodes simplifies problem analysis.
- HSR for constrained spaces - where a ring topology is sufficient and switch count matters (e.g. a relay cabinet in a compact substation).
- RedBox instead of legacy modernisation - when devices do not natively support PRP/HSR, a RedBox lets them be folded into the architecture without replacement.
- IEC 62351-6 for GOOSE - whenever the hardware allows it, enabling HMAC for trip messages is the minimum of hygiene in 2026.
- Layer 2 monitoring with dedicated tools - Wireshark supports PRP (filter
prp) and HSR (filterhsr), but production monitoring requires dedicated probes (Siemens RUGGEDCOM, Hirschmann) with contextual understanding of the 61850 protocols. - Physical separation of PRP networks - LAN A and LAN B should be physically distinct (different cabinets, different cable routes and, if possible, different power feeds). If both LANs share a common point of failure, the redundancy is illusory.
TIP
In an IEC 61850 substation the typical PRP architecture correctness test is to pull a cable from one DAN port during operation and verify that GOOSE communication remains uninterrupted (no switchover, no lost frame). If any frame is lost, the configuration does not meet the zero recovery time assumption.
Analysis and monitoring tools
Wireshark natively supports PRP (RCT trailer) and HSR (tag):
| Wireshark filter | Use |
|---|---|
prp | Frames with a PRP Redundancy Control Trailer |
hsr | Frames with an HSR tag |
goose | IEC 61850 GOOSE (typically over PRP/HSR) |
sv | IEC 61850 Sampled Values |
mms | IEC 61850 MMS (upper layer) |
Traffic samples and analysis tools:
- ITI/ICS-Security-Tools - GOOSE samples from the Illinois ADSC mock substation (normal, disturbances, attacks)
- smartgridadsc/IEC61850SecurityDataset - GOOSE security dataset
- cutaway-security/goosestalker - Python/Scapy tool for analysing and interacting with GOOSE traffic
- robidev/iec61850-dissector - extended IEC 61850 dissector for Wireshark
- mz-automation/libiec61850 - open source IEC 61850 library
Production OT monitoring supporting IEC 61850 + PRP/HSR:
- Siemens RUGGEDCOM - PRP/HSR probes with deep 61850 analysis
- Hirschmann Tofino - industrial firewall with GOOSE filtering
- Nozomi Guardian, Dragos Platform, Claroty CTD - IEC 61850 support (GOOSE, MMS, SV) in their dissectors
Open source tools:
- nsacyber/GRASSMARLIN - NSA Cybersecurity tool for passive mapping of ICS/SCADA topology (note: archived in 2023, compatibility with newer protocols should be verified)
Summary
PRP and HSR solve the redundancy problem in networks where even a two-second interruption is unacceptable. Both protocols are mature, well supported by leading automation vendors (Siemens RUGGEDCOM, Hirschmann, ABB, Moxa) and are the standard in modern substations. Cybersecurity, however, remains outside the scope of IEC 62439-3 itself - the complement is IEC 62351, whose adoption is only now accelerating.
Related articles: STP and RSTP, PROFINET.
Sources
- IEC 62439-3:2021 - Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR) - current edition of the standard
- IEC 61850 - Communication networks and systems for power utility automation - digital substation standard
- IEC 62351 - Security for power system management - security layer
- iGrid Smart Guide - IEC 62439-3 - practical overview
- Wireshark PRP dissector documentation - PRP traffic analysis
Need help in this area?
Our experts will help you assess the risk and plan next steps.