Verification of security measures for smart substations based on visualized simulation

Due to the application of network communication for smart substations, the security measures of secondary equipment become implicit and complicated, which makes it difficult to verify the security measures. This article proposes a strategy for the verification of security measures for smart substations. Firstly, based on SCD, ICD and SPCD, the model for smart substations is constructed. Secondly, a formalized description mechanism for security measures is presented for computer processing. Finally, the security measures are verified through the simulation on MATLAB/Simulink. Through the application of a 220kV smart substation, it proves that the verification scheme is intuitional and effective.


Introduction
Since the smart grid strategy was implemented by the State Grid Corporation of China in 2009, the application of Smart Substation Engineering Based on IEC61850 standard has developed rapidly. So far, more than 4000 smart substations have been put into operation. At the end of the 13th Five-Year Plan, it is estimated that 8000 new smart substations will be built. China has become the country with the largest number of smart substations in operation [1][2][3][4] .
The main characteristics of intelligent substation are that a large number of cables in the secondary system is replaced by the network communication system of "three layers and two networks". The relationship between the secondary system is constructed by SCD [5] . The secondary hard connection relationship of the conventional integrated automation system is replaced by the corresponding relationship between data packets. The secondary system shows the characteristics of virtual loop [6] , and the whole secondary circuit becomes a "black box". The AC circuit of analog quantity sampling adopts SV message communication, and the information of tripping protection, input and outflow adopts GOOSE message communication. Due to the unique communication characteristics of smart substation, during its reconstruction, expansion and installation overhaul, the operation of secondary equipment security measures is often composed of various requirements brought by GOOSE/SV soft platen, hard platen at the exit of tripping switch, hard plated for maintenance, etc. It is implicit and complicated and has many platens and no "obvious electrical disconnection point". On the other aspect, the differences of power grid between regions bring about different forms of security tickets whose reliability is hard to be estimated effectively. Because of the lack of effective secondary verification method, when operating the inspection, the maintainer cannot verify the working and isolation condition and cannot absolutely avoid negative effect that may be caused by inspecting operations. An effective verification method is needed for smart substations to verify the effective IOP Conf. Series: Earth and Environmental Science 461 (2020) 012002 IOP Publishing doi:10.1088/1755-1315/461/1/012002 2 isolation of maintenance equipment and operation equipment caused by secondary security measures operation.
Various technical schemes are being studied for the solution to effectively verify the operation safety of the security measures of secondary devices in smart substations [7][8] . Aiming at error proof, an automatic check technology of security measures to reduce operational errors is proposed [9] . specific strategies and basic principles of error-proof operations of soft platen at the aspect of its applications in smart substations are proposed [10] . This paper adopts logical expressions to formalize the error-proof logic of soft platen and the implementation of backstage-monitoring. However, these two articles adopt either implicit isolation principles or logical error-proof expressions to achieve security check, the complexity of which will increase with the geometric series when facing wholesubstation modeling, and these methods will be too difficult to be utilized in secondary security check in smart substations.
Firstly, starting from the SCD file of smart substation, SPCD file (Substation Physical Configuration Description, State Grid Enterprise Standard "Technical Specification for Modeling and Coding of Optical Fiber Circuits in Smart Substations") of physical configuration of smart substation and ICD file of IED static configuration description, this article combines the former three files to establish information model of smart substation and includes all secondary security operation objects to verify the integrity of security check. Then, by proposing a computer-readable formalized description mechanism of security ticket, the data interface of security ticket is provided for automatic secondary security check of smart substation. On the basis of the above two, a method of security check for intelligent substation based on the simulation of MATLAB/Simulink platform is proposed

Correctness Check of Configuration File
The SCD file of configuration of smart substation stipulated by IEC61850 contains a large number of primary and secondary equipment configuration information of substation [11][12][13]. Therefore, SCD file is an important information source for secondary security check of smart substation. Through SCD, the network topology of primary and secondary circuits of smart substation can be basically built. On the other hand, the main object of secondary safety measures is the soft platen. Although there is a logical node modeling in the SCD, the corresponding relationship information between the soft platen and the secondary circuit is difficult to obtain in the SCD and needs to be obtained in the ICD file. Finally, the secondary security measures of smart substation also include: overhaul of hard platen, optical fiber and CT/PT terminals, etc. All the above objects lack information in the SCD, so they must be obtained by SPCD, which is the physical configuration description file of smart substation [14]. In summary, SCD, ICD and SPCD constitute the information source of smart substation modeling.
Therefore, the reliability of security isolation check depends on the accuracy of modeling, and the modeling is based on SCD, ICD and SPCD configuration files. Therefore, the correctness of the above three configuration files is the fundamental premise of security isolation check in smart substations.
SCD file grammar check based on XML Schema has been given in IEC 61850 specification [15]. However, only checking SCD at the grammatical level cannot meet the needs of subsequent information modeling based on SCD files. Semantic correctness verification of SCD files is a more important part. Its definition of correctness can be graded according to the semantic intensity to form a progressive verification scheme. Grading must satisfy the following two properties: ① The less information needed, the lower semantic intensity definition of correctness has. ②The definition of high-level correctness includes the lower one. Therefore, SCD correctness can be graded based on semantic strength. After the first step is passed, the next step is checked.
For ICD files and SPCD files, the correctness checks can also be carried out by the abovementioned scheme of grammar and semantic intensity grading verification. IOP Conf. Series: Earth and Environmental Science 461 (2020) 012002 IOP Publishing doi:10.1088/1755-1315/461/1/012002 3

Formalized Description Mechanism
Traditional maintenance and security measures are all in the form of natural language, which cannot adapt to computer application processing. In order to realize the automation application of intelligent substation, this paper proposes the following formalized description mechanism of security measures: Where, Bay is the interval information, which contains name and desc attributes, adopted in interval modeling of primary devices. Task is maintenance task information, which contains two attributes: type and desc. Operation is the maintenance operation information, including name, iedName, type, connection, state and desc information.
(2) Property description a) The type attribute of Task represents the type of maintenance tasks based on the classification of maintenance tasks in National Dialogue 92 [12]. For example, "P1" means protection of type 1 maintenance tasks; b) The name attribute of the Operation is the name of the operation object; c) The iedName attribute of Operation denotes the name of the IED to which the operation object belongs. For example, "PL2214A" denotes line protection PL2214A; d) The type attribute of Operation represents the type information of the operation object. For example, "SV-IN" indicates that SV receives the soft platen; e) The connection attribute of Operation represents objects connected by loops controlled by the operation object; f) State attribute represents the state after the operation. For example, "ON" means from withdrawal to investment; g) Desc attribute represents the specific Chinese description of the security operation.

</Bay>
The formalized description mechanism in XML language format provides a data interface for computer automatic identification of security tickets, which is suitable for security ticket parsing in security ticket check.

Security Verification Method
Aiming at the need of security check in smart substation, this paper presents a method based on Simulation of MATLAB/Simulink platform. The checked objects include: the retreat of soft and hard platens, optical fiber plug-in and disconnection of CT/PT terminals, and all the possible objects involved in the operation and maintenance of smart substations. The main target of security check is to isolate the equipment under maintenance from the operating one completely.
Specific simulation implementation steps are as follows: • (1) According to the SCD files of smart substations, ICD files and SPCD files of each device in the smart sub-stations, a static simulation model suitable for the security check of the intelligent substation is established.
• (2) Read the primary and secondary device status before the security operations and the location of each operation object, by on-line monitoring devices of smart substation, and set the same status and location in the simulation model. • (3) Transform various forms of security tickets that may be used in current smart substations by the formalized description mechanism, and the achieve format and computer-readable formalized description security tickets.
• (4) Read the security ticket (formalized description mechanism), analyze its meaning automatically by computer, and change the state of the corresponding operation object in the simulation model accordingly.
• (5) Read the maintenance task and automatically determine the devices set to be maintained according to the task.
• (6) According to the set of maintenance devices, the characteristic signal is applied to the corresponding devices in the simulation model, and whether the accessible devices of the characteristic signal are all the devices to be maintained is checked. If there are exceptions, the error will be reported and the check will stop. • (7) After the verification, the isolation between the maintenance equipment and the operation equipment meets the requirements of the follow-up maintenance work.
The specific process of the above-mentioned smart substation security check simulation is shown in Fig. 1.

Simulation Modeling Technology
The foundation of security check is the construction of static simulation model of smart substation, which is mainly obtained from SCD files of smart substation, ICD files of secondary system devices and SPCD files.

Modeling Strategy
Because the intelligent substation is a complex network system, and the MATLAB/Simulink platform is a visual simulation environment, if all devices and their topological connections are built in the front-end visual inter-face, the simulation model will be extremely complex and violate the original intention of visual simulation. Therefore, this paper proposes a hierarchical simulation model building strategy, which makes full use of the encapsulation ability of the sub-module of MATLAB/Simulink, and divides the simulation model into device layer, spacer layer and system layer from bottom to top. The system layer, as the front-end visual interface of the simulation environment, is not encapsulated. The other two layers are encapsulated independently according to the separation of spacer and interval. In the process of modeling, we adopt the strategy of encapsulating from bottom to top and modeling layer by layer. IOP Conf. Series: Earth and Environmental Science 461 (2020) 012002 IOP Publishing doi:10.1088/1755-1315/461/1/012002 5

Figure 1 Security verification process of a smart substation
This layer is the modeling of independent IEDs for smart substation. In this layer, each IED device is encapsulated as an independent module. In view of the fact that the simulated security check target is the isolation state between devices, the internal state transition logic of each device can be simplified as an "and" gate. There is only one input and output port outside each module, and all input and output of the device are bundled and encapsulated internally.
The input port of the device is obtained by ExtRef under IED tag in SCD file, and the output port is obtained by FCDA under IED tag in SCD file. All the output ports add monitoring modules to track the output change of the device. The information of SV and GOOSE soft platen of device configuration is obtained from SCD file according to 1396 model [16]. The corresponding relationship between the soft platen and the secondary circuit of the device is not described in the SCD file. Firstly, the template library of the corresponding relationship be-tween the soft platen and the secondary circuit in the ICD file can be established by the mapping relation be-tween the ICD file and the virtual terminal table which contains in equipment manufacturer's instructions. In the process of modeling, by reading the device model and searching the ICD file template library, the corresponding relationship between the secondary circuit and the soft platen in SCD file is obtained. Then the soft platen of the device is modeled as a series switch module on the corresponding secondary circuit and placed inside the device module. IOP Conf. Series: Earth and Environmental Science 461 (2020) 012002 IOP Publishing doi:10.1088/1755-1315/461/1/012002 6 Hard connection relationships of optical fibers corresponding to the input and output loops of the device, CT/PT terminals, maintenance and tripping hard-pressed boards, are obtained from the secondary loop port information of SCD file and the physical loop description file SPCD. Then the intensive series switch module is modeled and placed inside the device module.
A typical bus protection module is shown in Fig. 2.

Spacer Layer Modeling
This layer is for the modeling of each operation interval of smart substation. Each interval is encapsulated into a separate module, which is composed of several device modules. The division of substation interval is carried out in accordance with the industry standard "Standard Model Description Document for Smart Substations (SSD)".

Figure 2. Simulation model of bus protection
There is only one input and output port outside each interval module, and all the input and output secondary circuits connected with other intervals are bound and encapsulated internally.
The secondary virtual loop and its corresponding physical hard connection between the devices in the spacer module are supported by SCD and SPCD files. Based on the port modeling of each device already completed in the device layer, the secondary circuit connection between devices can be established by the corresponding relationship between ExtRef and FCDA of each device in SCD file, and the internal topology modeling of the spacer module can be completed.
Typical line spacing simulation module is shown in Fig. 3.

System Layer Modeling
This layer is the model of the whole smart substation and the visual interface of the front end of the simulation environment. Its basic structure is several spacer modules contained in the substation. Secondary virtual loops between spacer modules and their corresponding physical connections are given by SCD files and SPCD files.
The construction strategy and data support of security check simulation static module are shown in Fig. 4.   Assuming that the formalized description of the above-mentioned maintenance tasks has been generated in various forms, such as manual ticket issuance or automatic generation, the following specific steps are given for the simulation of security verification: (1) Based on the SCD files, ICD files and SPCD files of each IED in the smart substation, a static model for security check simulation is generated on MATLAB/Simulink platform according to the modeling strategy de-scribed in Section 3 of simulation modeling technology.
(2) Read the secondary equipment status and the location of each operation object before the security operation, and set the corresponding numbered equipment and operation object of the simulation model in the same state, then the initial model for the security check simulation of the smart substation is set up.
(3) Read the formalized description of the overhaul task as described in Section 1.3 in turn. Analyze its se-mantics and change the position of the corresponding operating object in the simulation model, for example: <Operation name="1LP5" iedName="PM220A" type="Tr-OUT" connection="PL2215A" state="OFF" desc="退出母线保护对应 PL2215A 线路的 GOOSE 跳闸软压板"/> The corresponding operation of the security ticket is to set the "1LP5" soft platen of the "PM220A" device in the simulation model in the "OFF" state. After reading and simulating all security tickets, the simulation model of security check is in the state of completion of security operation. (5) Set the simulation time of MATLAB/Simulink platform in the "inf" state (infinite length), and start the simulation. Taking PL2214A as an example, the output signal of PL2214A is forcibly set as the characteristic signal.
(6) All the devices in the simulation model are got through to get the set of devices that output characteristic signals B: [PL2214A, PM220A, IL2214A].
(7) For any equipment belonging to Set B, check whether it belongs to Set A. If not, the program alarms.
(8) Going through the remaining equipment in Set A, check its isolation from operating equipment, following the above steps (5-7). If they are all passed, the security check is completed.

Utility Analysis
The formalized description of security ticket is the basis of the verification mechanism of security ticket pro-posed in this paper. For the current security ticket written in natural language, only need to increase the conversion link from ordinary security ticket to formal-description one.
Section 5.1 simulation examples show that the security check proposed in this paper is based on visual MATLAB/Simulink platform for model simulation. Its intuitive graphical display mode can help maintenance personnel accurately grasp the status of various primary and secondary equipment in smart substation before operation, and strengthen the management and control of maintenance operation.
At the same time, the simulation of security check process is "one-to-one correspondence". The verification of security ticket can be carried out completely or partly according to the actual division of labor.

Conclusion
Aiming at the characteristics of complex object, large number of platens, being implicit and complicated and no "obvious electrical disconnection point" in the security measures for secondary maintenance of smart substations, this paper proposes a security check mechanism based on the simulation of MATLAB/Simulink platform. Its main characteristics and advantages are as follows.
(1) In view of the current situation that configuration files are not standardized, the strategy of their correct-ness check is proposed, which ensures the integrity and correctness of configuration files and provides information support for the generation of simulation module of security check.
(2) Based on SCD files, SPCD files and ICD files, the logical and physical loops of primary and secondary systems in intelligent substations are modeled in a hierarchical form. A concise and intuitive visual human-computer interaction interface is realized and the integrity of the signal and modeling is guaranteed at the same time.
(3) Aiming at the disadvantage that the current secondary security measures in natural language are difficult to adapt to computer processing, a formalized description mechanism of security measures is proposed, which provides data structure support for computer automatic identification and analysis of security tickets.
(4) A security check mechanism based on MATLAB/Simulink is proposed to simulate the actual isolation state of smart substation in an intuitive visual way, to meet the needs of various operators for security check, and to adapt to various application scenarios such as operation and maintenance.
In summary, the proposed method of secondary security check for smart substation based on visual simulation of MATLAB/Simulink platform complements the shortage of secondary safety check for smart substation, provides error correction defense line before actual operation, and enhances the reliability and security of security check, and guarantees the reliable and stable operation of the smart substation and the power system it belongs to during the maintenance task. IOP Conf. Series: Earth and Environmental Science 461 (2020) 012002 IOP Publishing doi:10.1088/1755-1315/461/1/012002 9