IEC 61850/62351 Substation Automation Systems Cryptographic (SASCrypt) IP Core secures the strict real-time traffic used in the Substation Automation Systems and in new Smart Grid premises. As an example, it protects GOOSE and Sample-Measured-Values (SMV) frames used to communicate critical equipment within these premises like Merging Units or IEDs. This IP implements the new IEC 62351-6 standard that ensures interoperability and allows coexisting IEC 61850 protected and non protected traffic in the same network. This standard defines the encryption and authentication mechanisms that shall be applied to Layer 2 IEC 61850 frames. This low-latency IP Core is capable of encrypting, decrypting and authenticating GOOSE or SMV at wire-speed.
A very important topic in the scope of IEC 62351 is the keys management and distribution used for the protection. SASCrypt IP Core allows different schemes for security keys introduction into the equipment. Since an static way to introduce the keys into the IP till a fully automated solution for security key management as defined in IEC 62351-9: “Cyber security Key management for Power System Equipment”.
SASCrypt IP Core integrates a proprietary low-latency cryptographic cipher specifically optimized for this task. This cipher module provides the required performance with an optimum resource utilization and introducing a delay of few microseconds. Indeed, SASCrypt IP allows modifying at synthesis time the trade-off between the supported data throughput and the required FPGA resources for the implementation.
The most relevant configurable parameters that allow an optimized implementation are:
- The type of IEC 61850 messages that must be secure
- The multiplication latency applied in the cipher
- The multiplication engine used in the cipher
- The implementation scheme used for key storage and management logic for up to 100 different IEC 61850 datasets
In addition to the protection functionality, SASCrypt IP Core IP Core also supports IEEE 1588 V2 One Step Transparent Clock Peer-to-Peer (P2P) functionality. This feature allows compensating the residence time of PTP frames as well as the delay of each link.
SASCrypt IP Core can be used in combination with SoC-e MES IP Core as well as HSR-PRP Switch IP to introduce Ethernet switching capabilities in the equipment combined with the security.
SASCrypt IP is supported on the following Xilinx FPGA Families:
- 6-Series (Spartan, Virtex)
- 7-Series (Zynq, Spartan, Artix, Kintex, Virtex)
- Ultrascale (Kintex, Virtex)
- Ultrascale+ (Zynq MPSoC, Kintex, Virtex)
SASCrypt IP is designed to be seamless integrated in your FPGA designs by taking advantage of the new Xilinx Vivado Tool, that allows to use the IP Cores in a graphical user interface and configure IP parameters in an easy way.
- Layer 2 IEC61850 GOOSE and SMV (Sampled Measured Values) encryption, decryption and authentication
- High performance AES-GCM engine
- Microsecond range delay
- Flexible customization:
- Type of IEC 61850 messages that must be securized
- Multiplication Latency (Resource usage)
- Multiplication Engine (Timing optimization)
- Key storage and management logic for up to 100 different datasets
- Full-duplex 10/100/1000 Mbps Ethernet Interfaces
- Half-duplex 10/100 Mbps Ethernet Interfaces
- MII/RMII/GMII/RGMII/SGMII/QSGMII Physical Layer device (PHY) interfaces
- 1000 Mbps AXI-Stream interfaces
- Copper and Fiber optic media interfaces: 10/100/1000Base-T, 100Base-FX, 1000Base-X
- Time Synchronization
- IEEE 1588v2 Stateless Transparent Clock functionality (P2P – Layer 2/ E2E – Layer 2)
- Default, Power utility Profules IEC 61850-9-3
- Compatible with SoC-e IEEE 1588 IP Cores (1588Tiny, PTB – PreciseTimeBasic)
- MDIO, UART, AXI4-Lite management interfaces
- Drivers are provided with IP Core purchase (*)
Block Diagram of the IEC 61850/62351 Substation Automation Systems Cryptographic IP Core