Vulnerability in multiple Triangle MicroWorks’ products

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported the following vulnerability on August 28, 2013:

Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in multiple Triangle MicroWorks’ products and third‑party components. Triangle MicroWorks has produced an update that mitigates this vulnerability. Adam Crain has tested the update to validate that it resolves the vulnerability.

This vulnerability could be exploited remotely.

The following Triangle MicroWorks products are affected:

  • SCADA Data Gateway, v2.50.0309 through v3.00.0616
  • DNP3 .NET Protocol components, v3.06.0.171 through v3.15.0.369
  • DNP3 ANSI C source code libraries, v3.06.0000 through v3.15.0000

Click HERE to access the complete report.

Siemens Siprotec 5: IEC 61850 Edition 2 certified

The Siprotec 5 protection devices are the first devices of their kind on the market worldwide to be certified under IEC 61850, Edition 2. Thanks to the certification under IEC 61850, Edition 2, these Siemens products have the "future built right in," for long-term investment security.

All Siemens protection device series provide two new Ethernet redundancy protocols – HSR (high-availability seamless redundancy) and PRP (parallel redundancy protocol).

These new products prove that IEC 61850 is THE standard for energy delivery systems.

Click HERE for the press release.

More on Siprotec 5 can be found HERE.

Cyber security key management for power system equipment

IEC TC 57 has just published a new committee draft: 57/1388A/CD

IEC 62351-9:
Power systems management and associated information exchange – Data and communications security – Part 9: Cyber security key management for power system equipment

Closing date for comments is: 2013-11-15

Please contact your TC 57 national body to get a copy of the CD.

The present document cancels and replaces the previous document 57/1388/CD and differs merely by the project number IEC 62351-9 (previously IEC TS 62351-9); the document is intended to be issued as an IEC International Standard (IS) and no longer as an IEC Technical Specification (TS).

The normative clauses are:

7 General key management requirements
8 Asymmetric key management
9 Symmetric key management

I highly recommend reviewing that document to make sure we get a consistent set of requirements applicable to all IEDs in the whole energy market, not only in the electric power delivery system.

The Energiewende (energy transition) needs more than metering devices!

A very interesting study by Ernst & Young, commissioned by the Federal Ministry of Economics (Bundes-Wirtschaftsministerium), arrives at a newly discovered old piece of wisdom, which the vdi-Nachrichten aptly summarize and comment on as follows:

“Without equipping all power generation plants that are subsidized under the Renewable Energy Sources Act (Erneuerbare-Energien-Gesetz, EEG) with intelligent metering systems [note by K. Schwarz: what is meant is the combination of measurement and control technology], the nationwide rollout of smart meters in Germany is economic nonsense.” The investments without intelligent control AND regulation functions (!) would be more than nonsense!!

The vdi-Nachrichten continue: “Ironically, the EEG turns out to be the biggest obstacle on the way to smart grids. Its legal framework offers little with regard to intelligent meters and digital plant control, and in practice it leads back into the control-engineering Middle Ages.”

There is almost nothing more to say on this topic!

Click HERE for the article in the vdi-Nachrichten.
HERE for the BMWI press release (!!).
HERE for the complete study by Ernst & Young

The BMWI press release states: “Affordability of energy for the consumer is the top guiding principle.”

Did the author of the statement on affordability really read the study, or was he unable or unwilling to understand it!?!?

The most important goal must be that energy is supplied securely and with high availability; otherwise the lights go out! In all this, one must also not forget that the current infrastructure has to a large extent aged and must also be renewed, in addition to the intelligent systems!

Renewable energies and renewed grid infrastructures must go hand in hand! Standards are very important for both!

Hirschmann Switches provide integrated IEC 61850 Server

The new 8.0 release (the Classic Switch Software) again extends the feature range of the managed switches from the MACH, MICE, Rail and OCTOPUS families from Hirschmann™.
Depending on the switch family, these include an integrated IEC 61850 server for seamless integration into data networks for power generation and distribution. A PTP power profile according to IEEE C37.238 also allows these networks to be synchronized accurately. Thanks to support for jumbo frames, which ensure optimum utilization of user data, high-resolution video applications are also possible.
Furthermore, in addition to extensions for PROFINET and EtherNet/IP, the new release for all four switch families offers additional mechanisms for detecting overload situations as well as improved diagnostic and encryption mechanisms.

Click HERE to get more information on the new release providing an IEC 61850 Server.

To my knowledge, they were the first manufacturer that supported an IEC 61850 Server in their Ethernet Switches.

Next Public Training Frankfurt, 16.-18. October 2013

The next public training conducted by Karlheinz Schwarz (NettedAutomation) will take place at the NH Hotel in

Frankfurt-Mörfelden (Germany), 16.-18. October 2013

3 day IEC 61850/61400-25 Seminar/Hands-on Training (NettedAutomation) with several embedded Controller Development Kits (RTOS, ...), Starter Kit (Windows DLL), and several other demo software.

Details for the event in Frankfurt (Germany) can be found here

For the last two years almost all training events have been conducted as customized courses. This is the most efficient way to get your hands on the subject.

A list of training courses and other information can be downloaded:

Get a FREE IEC 61850 Development Kit (HW and SW), worth 1,290 Euro; as a special GIFT we offer you a free IEC 61850/61400-25 Development Kit, with a ready-to-go API and example application source code in C/C++ (the kit is included in the regular attendance fee).

The Kit may be used during the course.

Or receive a deeply discounted fee (without a Development Kit).

The hands-on training will also comprise the use of an IEC 61850 to IEC 60870-5-104 Gateway:

For the training we will use DLLs, com.toms, DK61, ... and several other tools.

IEC 61850-90-4 Network Engineering – Just Published

IEC just published a crucial document on network engineering:

IEC/TR 61850-90-4 ed1.0
Communication networks and systems for power utility automation -
Part 90-4: Network engineering guidelines

Congratulations to the editors of this great technical report, which is worth studying in detail!

IEC/TR 61850-90-4:2013 is intended for an audience familiar with network communication and/or IEC 61850-based systems and particularly for substation protection and control equipment vendors, network equipment vendors and system integrators. This Technical Report focuses on engineering a local area network focused on the requirements of IEC 61850-based substation automation. It outlines the advantages and disadvantages of different approaches to network topology, redundancy, clock synchronization, etc. so that the network designer can make educated decisions. In addition, this report outlines possible improvements to both substation automation and networking equipment. This Technical Report addresses the most critical aspects of IEC 61850, such as protection related to tripping over the network. This Technical Report addresses in particular the multicast data transfer of large volumes of sampled values from merging units. It also considers the high precision clock synchronization and "seamless" guaranteed transport of data across the network under failure conditions that is central to the process bus concept.

This 250+ page report can be used as a compendium of solutions for the various applications found in power automation systems. The communication infrastructure is one of the crucial aspects of the future energy delivery system, in the electric power world, gas delivery, heating and cooling systems as well as in E-Mobility. The recommendations given in this new part of IEC 61850 can be applied in many application domains, even outside the energy world.

As you may have seen, network infrastructure vendors like MOXA and Kyland have integrated IEC 61850/MMS in their infrastructure.

Click HERE to download the preview of IEC/TR 61850-90-4 ed1.0
Click HERE if you want to buy the report.

KYLAND – IEC 61850 Modeling for Switch Management

Kyland is proud of using IEC 61850 for the exchange of network management information. They write in a white paper:

“The IEC61850 Modeling technology can be used to manage industrial Ethernet switches based on IEC61850 protocols. This white paper describes the models and typical applications of the technology. …

In the development of IEC61850, Ethernet switches constitute the communication platform between process layer and substation layer networks. IEC61850 does not take Ethernet switches as devices. However, the monitoring, management, and configuration of Ethernet switches will be gradually incorporated into the entire system in actual applications, which is required by running the system normally, fault diagnosis and alarming.

… Therefore, developing IEC61850-based industrial Ethernet switches management model is one of the key technologies for convenient management of a smart grid.

… Besides key protection, measurement, and monitoring functions, more and more monitoring systems (including the management and monitoring system for communication facilities such as industrial Ethernet switches) will be incorporated into the IEC61850 management system with its openness and interoperability. In the near future, intelligent unmanned substations and infrastructure will be a reality.”

Kyland has defined two specific logical nodes:

ZSWM is the switch management node, covering the general features of a switch; ZSWP is the switch port management node, covering the management and status information of a switch port.

ZSWP is defined per port. Therefore, each device can contain multiple ZSWP instances, each with data objects such as:

PortCsPktNum - Number of collision packets
PortCrcPktNum - Number of CRC packets
PortShortPktNum - Number of short packets
PortLongPktNum - Number of long packets
PortBCPktNum - Number of broadcast packets
PortMCPktNum - Number of multicast packets
PortRcvPktNum - Number of total packets received
PortRcvOctetNum - Number of total octets received

More to come.

MMS – Makes Management Simpler

Click HERE for the Kyland White paper.

MOXA’s Dual Protocol Approach: MMS and SNMP

MOXA has announced support for a dual protocol approach in its communication infrastructure: IEC 61850/MMS and SNMP.

This is no surprise: already in the first year of standardization of IEC 61850, EdF (France) proposed using SNMP (simple network management protocol) to carry IEC 61850 payload modeled in a specialized MIB. There was very little support for SNMP.

It is natural that the communication infrastructure also provides IEC 61850/MMS access to the many data objects used in switches, routers and other equipment. IEC 61850-7-4 Edition 2 has many new, communication-related logical nodes that are linked directly to network management, such as the “Physical communication channel supervision” logical node (LCCH):

RxCnt - Number of received messages
RedRxCnt - Number of received messages on redundant channel
TxCnt - Number of sent messages

This is related to the communication infrastructure … Or?
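As an added example (not code from Kyland, MOXA or this blog) of what a defender can do with the counters named in the two posts above, the following Python supervises ZSWP port counters and LCCH channel counters read from successive snapshots and flags a broadcast surge, a high CRC error ratio and a redundant channel that has gone silent. The client that reads the data objects, the constructed snapshot values and the thresholds are assumptions of this example.

```python
"""Rate-based supervision of IEC 61850 switch-port (ZSWP) and channel (LCCH)
counters.  Added example, not code from Kyland, MOXA or the IEC 61850 blog.
It assumes some client has already read the data objects and hands
successive snapshots to the functions below; thresholds are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List

COUNTER_MODULUS = 1 << 32  # counters are modelled as 32-bit, wrapping values


@dataclass(frozen=True)
class Snapshot:
    t: float                 # seconds since epoch when the counters were read
    values: Dict[str, int]   # data object name -> counter value


def rate(prev: Snapshot, cur: Snapshot, name: str) -> float:
    """Counter increase per second between two snapshots, tolerating a 32-bit wrap."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("snapshots must be strictly increasing in time")
    delta = (cur.values[name] - prev.values[name]) % COUNTER_MODULUS
    return delta / dt


def check_zswp_port(prev: Snapshot, cur: Snapshot,
                    bc_pps: float = 1000.0, crc_ratio: float = 0.01) -> List[str]:
    """Findings for one ZSWP instance (one switch port)."""
    findings = []
    bc = rate(prev, cur, "PortBCPktNum")
    if bc > bc_pps:
        findings.append(f"broadcast surge: {bc:.0f} broadcast frames/s (limit {bc_pps:.0f})")
    rcv = rate(prev, cur, "PortRcvPktNum")
    crc = rate(prev, cur, "PortCrcPktNum")
    if rcv > 0 and crc / rcv > crc_ratio:
        findings.append(f"link quality: {crc / rcv:.1%} of received frames had CRC errors")
    return findings


def check_lcch(prev: Snapshot, cur: Snapshot) -> List[str]:
    """Findings for one LCCH instance (one supervised physical channel)."""
    findings = []
    rx = rate(prev, cur, "RxCnt")
    red = rate(prev, cur, "RedRxCnt")
    if rx > 0 and red == 0:
        findings.append("redundant channel silent while main channel receives: redundancy lost")
    return findings


# Constructed sample snapshots (10 s apart), not real device readings.
PORT_PREV = Snapshot(0.0, {"PortBCPktNum": 1000, "PortCrcPktNum": 0, "PortRcvPktNum": 50000})
PORT_STORM = Snapshot(10.0, {"PortBCPktNum": 31000, "PortCrcPktNum": 900, "PortRcvPktNum": 90000})
PORT_QUIET = Snapshot(10.0, {"PortBCPktNum": 1500, "PortCrcPktNum": 1, "PortRcvPktNum": 90000})
LCCH_PREV = Snapshot(0.0, {"RxCnt": 500, "RedRxCnt": 500, "TxCnt": 200})
LCCH_DEGRADED = Snapshot(10.0, {"RxCnt": 1500, "RedRxCnt": 500, "TxCnt": 400})

if __name__ == "__main__":
    for line in check_zswp_port(PORT_PREV, PORT_STORM) + check_lcch(LCCH_PREV, LCCH_DEGRADED):
        print("ALERT:", line)
```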

Click HERE for details from MOXA.

MOXA concludes in a White paper:

“Moxa’s new line of PowerTrans IEC 61850 switches now come with full MMS compatibility, with a complete implementation of IEC 61850 data modeling and a built-in MMS server. Our entire line of substation computers, switches, and other associated hardware all still feature our own enhanced SNMP support (with custom MIB files), but Moxa welcomes any inquiry into further customizing our switches, embedded computers, and other substation IT hardware with full or enhanced MMS support, made to your order.”

New Merging Unit from Alstom according to 9-2LE

Alstom Grid is offering a new Merging Unit according to 9-2LE that supports the integration of conventional current and voltage samples into an all-digital substation:


Click HERE to download a brochure on the Merging Unit.

According to the UCA International Users Group (UCAIUG), there are now 10 Merging Units certified by the Users Group.

One Language for the Power Grid – IEC 61850

Recently, a very noteworthy six-page article on the application of IEC 61850 for connecting distributed generators such as photovoltaics appeared in the magazine photovoltaik: “Eine Sprache für das Stromnetz” (“A Language for the Power Grid”, by Dipl.-Ing. Heiko Schwarzburger MA).

Excerpt: “Italy has elevated the communication protocol IEC 61850 to law. In Germany, by contrast, small-state particularism (Kleinstaaterei) prevails. Thus the grids become the bottleneck and their modernization a billion-euro money pit.
The clock is ticking, but many plant operators are not even aware of it: by the end of 2013, solar plants with 30 to 100 kilowatts of output must also be controllable by the grid operator. In recent months this requirement was first implemented for plants with more than 100 kilowatts; now it is the smaller generators' turn. Anyone who does not retrofit the required technology risks the grid connection and the feed-in tariff. …
Could, would, should: in reality the grid operators have the say, not reason. Thus Eon Bayern last year equipped around 5,500 renewable power plants (photovoltaics, wind turbines, biogas plants) with outputs from 100 kilowatts in its grid area. Telecontrol technology was provided only for 150 plants producing more than one megawatt. To all the others, Eon Bayern delivered the inadequate ripple control receivers, not control boxes with telecontrol technology. “We have to keep the costs for the operators in mind,” says Markus Schwürzenbeck, head of feed-in management at Eon. “They receive a ripple control receiver from us for 356 euros.”
For 400 euros, telecontrol technology would have been available for small plants from 30 kilowatts as well, for example from the company IDS. The company recently delivered 17,000 devices to the Lechwerke. Because of the high volume, the costs go down. Or could go down, because so far this is an isolated case. A mass market for intelligent control systems is not in sight.

Small-state particularism as in the Middle Ages

The second problem: in Germany there are around 900 grid operators and municipal utilities. Over the decades they have developed thousands of solutions to control their generators. To each his own: German Kleinstaaterei really runs wild here. The grid operators have so far been unable or unwilling to agree on a uniform communication protocol. “The ripple control receivers usually have four relay contacts that are read by the inverter,” explains the SMA expert. “Different standards are used for that. Harmonizing the protocols would make sense.”

This is how the grid becomes the bottleneck of the Energiewende … If the grid is not to become a bottleneck for the Energiewende and cost the taxpayer unnecessary billions, control from the bottom up is needed. And it is already becoming apparent that the models for fast grid control will become even more complex, namely when batteries and electric cars intervene in the electricity balance. Defining the grid as a free marketplace for electricity from all conceivable sources, and creating the technical prerequisites for it, is not possible without a uniform standard in data communication. The grid needs a lingua franca, not only in Italy.”

For a certain transition period (certainly several years) the telecontrol protocol IEC 60870-5-104 will continue to play an important role. At the device level in switchgear and generation plants, however, devices with IEC 61850 and IEC 61400-25 are already increasingly being used today, connected to IEC 60870-5-104 via a gateway. These gateways give the grid control systems a grace period along a migration path toward IEC 61850. This enables the new possibilities of IEC 61850 and IEC 61400-25 without having to change the control center coupling across the board right away. Technically this would certainly already be possible today! In addition to the grid control centers, other departments and groups increasingly need information about the process, the process automation and the communication infrastructure: asset monitoring in the narrower and the widest sense. Here data are very often exchanged directly via IEC 61850 and IEC 61400-25!

In the standardization of IEC 61850 this migration was already described about 10 years ago. As a result of this work, part IEC 61850-80-1 was published in 2008:


Click here to read the complete article “Eine Sprache für das Stromnetz”.

IEC 61850 Control Model – What is the function of SelectWithValue?

Somebody asked the other day these good questions:

“I tried to understand what “select with value” or SelectWithValue (SelVal) means, but without success.

What I did understand is that it is used for Select before operate with enhanced security.

Question: What is the purpose of SelectWithValue? What is the difference between normal Select and SelectWithValue?”

… questions that have some hidden answer in IEC 61850-7-2 …

You have to look at the service parameters exchanged with the SelectWithValue service request (which is part of the IEC 61850-7-2 control model) – see figure:


The various parameters are used as follows (excerpt, example):

ctlVal (e.g. OPEN) could be checked against the interlocking information (Logical Node CILO). If opening is not allowed, the server can already at this stage respond that opening is not allowed.

The ctlNum could be used to guarantee a sequence … further:


With T (the time stamp of the request) a server could figure out that the SelectWithValue is too old to be processed …

I guess this gives a good understanding of the general objective.

In the case of a plain Select, you don’t have these parameters.
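As an added example (not code from IEC 61850-7-2, any vendor stack, or this blog), here is how a server might apply the three parameters discussed above when it receives a SelectWithValue request: ctlVal is checked against the CILO interlock (EnaOpn/EnaCls), ctlNum against the sequence of previously accepted requests, and T against a maximum age, all before the switch is reserved. The class names, the sequence policy, the age limit and the reason strings are assumptions of this example.

```python
"""Server-side validation of a SelectWithValue (SBO with enhanced security)
request.  Added example, not from IEC 61850-7-2 or any vendor stack: class
names, the ctlNum sequence policy, the age limit and the reason strings are
assumptions; CILO.EnaOpn / CILO.EnaCls and the parameter names ctlVal,
ctlNum and T are taken from IEC 61850-7-4 / 7-2."""
from dataclasses import dataclass
from typing import Optional, Tuple

CTLNUM_MODULUS = 256          # ctlNum is an 8-bit sequence number


@dataclass
class Cilo:
    """Minimal stand-in for the interlocking logical node CILO."""
    EnaOpn: bool    # opening currently permitted
    EnaCls: bool    # closing currently permitted


@dataclass(frozen=True)
class SelectWithValue:
    ctlVal: bool    # False = open, True = close (as for a double point control)
    ctlNum: int     # client sequence number, 0..255
    T: float        # time the client issued the request, seconds since epoch


@dataclass
class SwitchControl:
    """Control object of a switch (think CSWI.Pos) in SBO-with-enhanced-security mode."""
    cilo: Cilo
    max_age_s: float = 10.0             # assumed limit; tune to the network's latency
    last_ctlNum: Optional[int] = None   # ctlNum of the last accepted request
    selected: bool = False

    def select_with_value(self, req: SelectWithValue, now: float) -> Tuple[bool, str]:
        """Return (accepted, reason); every rejection happens before the switch is reserved."""
        # T: a request that took too long to arrive (or was replayed later) is stale.
        if now - req.T > self.max_age_s:
            return False, "time-limit-over: request older than %.0f s" % self.max_age_s
        if req.T - now > self.max_age_s:
            return False, "time-limit-over: request time stamp lies in the future"
        # ctlNum: enforce the expected sequence so a duplicate cannot re-select the switch.
        if self.last_ctlNum is not None:
            expected = (self.last_ctlNum + 1) % CTLNUM_MODULUS
            if req.ctlNum != expected:
                return False, "invalid ctlNum %d, expected %d" % (req.ctlNum, expected)
        # ctlVal: consult the interlock for the requested direction before reserving.
        permitted = self.cilo.EnaCls if req.ctlVal else self.cilo.EnaOpn
        if not permitted:
            return False, "blocked-by-interlocking: %s not allowed" % ("close" if req.ctlVal else "open")
        self.selected = True
        self.last_ctlNum = req.ctlNum
        return True, "selected"


if __name__ == "__main__":
    sw = SwitchControl(Cilo(EnaOpn=True, EnaCls=False))
    print(sw.select_with_value(SelectWithValue(ctlVal=True, ctlNum=5, T=100.0), now=101.0))
    print(sw.select_with_value(SelectWithValue(ctlVal=False, ctlNum=5, T=100.0), now=101.0))
```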

List of 5,000+ abbreviations in IEC 61850 and related documents

Please find a list of 5,000+ abbreviations used in IEC 61850 and related documents:


Click Here for the complete document [163 pages pdf, 6 MB]

Substation Automation Handbook On Sale

The famous Substation Automation Handbook by Dr. Klaus-Peter Brand, Volker Lohmann, and Dr. Wolfgang Wimmer is on Sale … deeply discounted:


The new price is now:


The book is a must for all people involved in substation automation:

Click Here for the new order form.

Click Here for some excerpts.

Download IEC 61850 Blog Content as single PDF Document (August 05, 2013)

For those readers of the blog that want to get the complete content as a single pdf document, it is just a click away … it contains all 800+ posts from 2008 until 2013-08-05. Once you have downloaded the file you can easily browse the content … search … mark … copy …

Download all posts of the IEC 61850 blog in a single pdf [8,6 MB, 631 pages DIN A4]

Could a Counter Interrogation Service bring the European Power or Gas Networks down?

Good question! Easy to answer: Yes! It depends on the standard and implementation used.

In early May 2013 it almost happened in Europe. What? During a test of a new control center communication and application, an IEC 60870-5-101 or -104 broadcast “Counter interrogation” command went out to interrogate counters from ALL RTUs somehow “connected”. The command was received and answered by all these RTUs. Obviously one RTU responded with a “Broadcast” response … and obviously there was a “loop” somewhere in the network … it ended up flooding the network for days!!!

The operators had very severe problems getting status and measurements from the process, because first the network was sending bunches of messages back and forth and around. Second, when experts started to “break” the “loops” and disconnect from the neighboring network, they could “cool” down the traffic but lost some awareness of the system’s situation. After a few days they fixed some software … but they had not yet found the device that caused the trouble. This is according to a report from experts involved.

Hm!? That’s really a crucial issue with a standard protocol in operation for 15 or 20 years.

Here is why this could happen at all: in the days when IEC 60870-5-101 was designed, people thought that communication is strictly hierarchical and looks like a tree (top-down); see the next figure from 101:


For counter interrogation the broadcast is often used in order to catch the counter values at a certain time, let’s say 20:00 h. To freeze the value at 20:00 h the control center has to send out a broadcast counter interrogation to freeze the value at 20:00 h (+/- some seconds – due to travel time …).

Next it can send another command to start sending the values from the RTUs to the control center.

That means: A lot of messages have to be sent at the same time … to reach all RTUs … in star topologies, or “looped” networks, … how to control such a process if you have hundreds of RTUs … owned by different utilities … blablabla …

The issue here is: people thought that you could start system-wide synchronous functions by synchronizing them through timely messages. That may work in simple topologies … but … in Smart Grid systems with many (many) meters, it is unlikely that this approach will work reliably.

How does IEC 61850 solve that requirement? It defines a concept of time-synchronized RTUs (or, generally speaking, IEDs). The control center can send the command to freeze well in advance, an hour or two, so that no message shower will occur around 20:00 h. The IEC 61850 server stores the time at which it has to freeze the corresponding value(s). The server can then send the frozen values via a data set and report control block, or log the data set.

The synchronization is completely decoupled from the freezing and retrieving process.

The process is configured using the common data class BCR (Binary Counter Reading):


This model really is based on the (bad) experience with 101 and 104 … and … it works … and does not flood the network!

The broadcast command in 101 and 104 SHOULD be REMOVED … at least utilities should no longer rely on it!!! Take this very seriously, as many other utility experts do.
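As an added example (not code from this blog or any IEC 61850 implementation) of the decoupling described above: a BCR model whose freeze is configured at 18:00 for 20:00 and executed locally by each IED's own synchronized clock, next to the number of messages a 101/104 broadcast counter interrogation would put on the wire in the freeze second. The attribute names follow the BCR common data class of IEC 61850-7-3; the toy control center, the message counting and the pulse rates are assumptions of this example.

```python
"""BCR (Binary Counter Reading) freeze configured well in advance.  Added
example, not from the IEC 61850 blog or any IEC 61850 stack: attribute names
follow the BCR common data class of IEC 61850-7-3, while the toy control
center, the message counting and the pulse rates are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

INT32_MIN, INT32_RANGE = -2**31, 2**32


@dataclass
class BCR:
    actVal: int = 0         # running counter value (INT32)
    frVal: int = 0          # value captured at the last freeze
    frTm: float = 0.0       # time of the last freeze (s since epoch)
    frEna: bool = False     # freezing enabled
    strTm: float = 0.0      # time of the next freeze
    frPd: int = 0           # freeze period in ms; 0 = freeze once
    frRs: bool = False      # reset actVal after each freeze

    def tick(self, now: float, pulses: int) -> bool:
        """Count pulses and freeze locally when strTm is reached (IED's own clock)."""
        self.actVal = (self.actVal + pulses - INT32_MIN) % INT32_RANGE + INT32_MIN
        if not self.frEna or now < self.strTm:
            return False
        self.frVal, self.frTm = self.actVal, self.strTm
        if self.frRs:
            self.actVal = 0
        if self.frPd > 0:
            self.strTm += self.frPd / 1000.0
        else:
            self.frEna = False
        return True


def simulate(n_ieds: int = 20, freeze_at: int = 20 * 3600,
             lead_s: int = 2 * 3600) -> Tuple[List[BCR], Counter, Counter]:
    """Return the IEDs plus messages-per-second on the wire for both approaches."""
    ieds = [BCR() for _ in range(n_ieds)]
    wire_61850, wire_101 = Counter(), Counter()
    t0 = freeze_at - lead_s
    for bcr in ieds:                      # one configuration write per IED, two hours ahead
        bcr.frEna, bcr.strTm, bcr.frPd = True, float(freeze_at), 0
        wire_61850[t0] += 1
    for now in range(t0, freeze_at + 2):
        for i, bcr in enumerate(ieds):    # IED i counts i+1 pulses per second
            bcr.tick(float(now), i + 1)   # a freeze here costs no message at all
    # What the 101/104 pattern costs in the freeze second: one broadcast command
    # plus one answer from every RTU (assumed; the network loop is not modelled).
    wire_101[freeze_at] = 1 + n_ieds
    for k in range(n_ieds):               # frozen values are reported later, spread out
        wire_61850[freeze_at + 600 + k] += 1
    return ieds, wire_61850, wire_101


if __name__ == "__main__":
    ieds, w61850, w101 = simulate()
    print("messages in freeze second: 61850 =", w61850[20 * 3600], " 101/104 =", w101[20 * 3600])
    print("IED 0 frozen value", ieds[0].frVal, "at", ieds[0].frTm)
```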

Logical Nodes and Data Models for Steam and Gas Turbines

IEC has just published a committee draft (CD) with a proposal for new models to be used in steam and gas turbines:

57/1383/CD - IEC 61850-7-410 A1:
Amendment 1 to IEC 61850-7-410: Communication networks and systems for power utility automation – Part 7-410: Basic communication structure – Hydroelectric power plants – Communication for monitoring and control

Comments can be provided until 2013-11-01.

The draft contains the details of the following new logical nodes (with some 120 data objects):

EBCF Block control function. This LN will represent one physical device that coordinates the control of the thermal pressure of the steam generator and the electrical power regulation of the turbine / generator system.
EFCV Fuel control valve. This LN will represent the physical device of the fuel control valve related to the gas turbine in a thermal power plant.
EGTU Gas turbine production unit. This LN represents the physical device of the GT and the generator combination in a thermal power plant. It is intended as an extended rating plate that allows settings of data. It also acts as a placeholder for the current operating conditions of the unit.
ESCV Steam control valve. This LN will represent the physical device of the inlet control valve of the steam turbine in a thermal power plant.
ESPD Speed monitoring. This LN is derived from HSPD.
ESTU Steam turbine production unit. This LN represents the physical device of the ST and the generator combination in a thermal power plant. It is intended as an extended rating plate that allows settings of data. It also acts as a placeholder for the current operating conditions of the unit.
EUNT Thermal unit operating mode. The present status of the production unit.
FDBF Dead-band filter. This LN represents a settable filter for dead-band.

Trip matrix. This LN represents a matrix for linking various trip functions to equipment that shall be tripped or controlled during a fault.

GUNT Production unit operating mode. The present status of the production unit.

Supervision of electrical conductivity in water. This logical node represents a system for monitoring of electrical conductivity in water.

Measurement of electrical conductivity in water. This logical node represents a generic device for measuring the conductivity in water.

The LN Group E stands for “Enthalpy”; enthalpy is a measure of the total energy of a thermodynamic system.