Quantum-Resistant Crypto-Agile Inline Authentication and Encryption Framework for IEC 61850 Digital Substations

Smart electricity grids increasingly rely on communication between distributed subsystems, leading to an increased attack surface. Standards for smart grid communication security, such as IEC 62351, do not sufficiently cover the developments of quantum computing. To bridge this gap, we propose a novel quantum-resistant crypto-agile authentication and encryption framework. The framework safeguards the confidentiality, authenticity, integrity, and non-repudiation of industrial network communication using a bump-in-the-wire approach. The framework is tailored to the strict time constraints of low-latency protocols deployed in IEC 61850 digital substations. To evaluate the framework and demonstrate its applicability in digital substations, we conduct a performance analysis and a laboratory-based experiment using intelligent electronic devices, merging units, and I/O boxes communicating via the GOOSE and SV protocol. The results show that the framework is able to secure low-latency digital substation communication, as authenticated and encrypted frames achieve a transfer time below 3 ms. Moreover, the laboratory-based experiment indicates that the novel bypass-capable architecture of the framework enables deployment via retrofitting of existing substations, as it allows adaption to partially incompatible environments via configurable fine-grained bypassing of network streams.