Abstract: A system includes an intelligent electronic device (IED) of an electric power distribution system and a key device. The key device is configured to perform operations that include receiving a request from the TED for communication with an additional component of the electrical power distribution system, establishing a Media Access Control security key agreement (MKA) connectivity association with the TED in response to receipt of the request, generating a security association key (SAK) in response to receipt of the request, and distributing the SAK to the IED via the MKA connectivity association to enable the TED to use the SAK to communicate via a Media Access Control security (MACsec) communication link that is isolated from the key device.

Abstract: A controller for an electric power distribution system includes processing circuitry and a memory that includes instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to determine that a first switch of the electric power distribution system is a primary switch communicatively coupled to an intelligent electronic device (IED) of the electric power distribution system, determine that a second switch of the electric power distribution system is a backup switch communicatively coupled to the TED, and distribute a first copy of a security association key (SAK) to the first switch and a second copy of the SAK to the second switch in response to determining that the first switch is the primary switch and the second switch is the backup switch to enable the first switch and the second switch to establish respective media access control security (MACsec) communication links with the IED.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory having instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to determine establishment of setup criteria to operate in a passive mode, operate in the passive mode to communicate data without initiation of a media access control security key agreement (MKA) protocol in response to determination of the establishment of the setup criteria, receive activation data during operation in the passive mode, the activation data being indicative that a media access control security (MACsec) communication link is to be established, and operate in an active mode in response to receipt of the activation data to initiate the MKA protocol to establish the MACsec communication link.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a communication link according to a media access control security (MACsec) Key Agreement (MKA). The TED receives a plurality of access control secure association keys (SAKs) via the communication link. The TED receives one or more checked-out SAKs indicating a request to access the TED The TED allows access based on the one or more checked-out access control SAKs matching at least one of the plurality of access control SAKs.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a connection association (CA) with a receiving device using a MACsec Key Agreement (MKA). The processor is configured to automatically send device management information via the MKA process.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory that includes a tangible, non-transitory, computer-readable comprising instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to receive operating data associated with the electric power distribution system, determine whether the operating data matches with expected operating data, generate a connectivity association key (CAK) based on the operating data in response to a determination that the operating data matches with the expected operating data, and establishing a connectivity association based on the CAK.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory that includes instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to transmit a first data frame and a second data frame to a switch of the electric power distribution system, determine whether the switch transmits the first data frame and not the second data frame, and establish a media access control security key agreement (MKA) based on a determination of whether the switch transmits the first frame and not the second data frame.

Abstract: A system includes a parallel redundancy protocol (PRP) link redundancy entity (LRE) configured to receive data and copy the data to create a first copy of the data and a second copy of the data for transmission and a switch configured to cause operation between a first PRP media access control security (MACsec) mode and a second PRP MACsec mode to encrypt the data. The first PRP MACsec mode includes performing MACsec encryption on the data received by the PRP LRE prior to the data being copied by the PRP LRE, and the second PRP MACsec mode includes performing the MACsec encryption on the first copy of the data and the second copy of the data after the data has been copied by the PRP LRE.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory that includes a tangible, non-transitory, computer-readable comprising instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to receive operating data associated with the electric power distribution system, determine whether the operating data matches with expected operating data, generate a connectivity association key (CAK) based on the operating data in response to a determination that the operating data matches with the expected operating data, and establishing a connectivity association based on the CAK.

Abstract: A key server device obtains authorization information of a user associated with an intelligent electronic device (TED). The key server communicates the authorization information to the TED, via a Media Access Control Security (MACsec) Key Agreement (MKA) protocol to allow the TED to authenticate the user. The key server receives one or more commands from the user. The key server communicates the one or more commands to the TED to allow the TED to perform operations based on the one or more commands.

Abstract: A control system of an electric power distribution system includes processing circuitry and a memory having instructions that, when executed by the processing circuitry, cause the processing circuitry to perform operations that include receiving an indication of a profile, generating a connectivity association key (CAK) based on the profile, distributing a copy of the CAK to a device of the electric power distribution system, and establishing a connectivity association with the device in accordance with the profile based on a verification that the device possesses the copy of the CAK.

Abstract: An intelligent electronic device (IED) of an electric distribution system includes processing circuitry and a memory having instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations that include receiving an indication to establish a media access control security (MACsec) communication link in accordance with a confidential mode configured to block access to communication traffic associated with the MACsec communication link, indicating that the MACsec communication link is to be established in accordance with the confidential mode, receiving establishment of the MACsec communication link in accordance with the confidential mode, and communicating data via the MACsec communication link.

Abstract: A system has an intelligent electronic device (TED) and a switch configured to perform operations that include obtaining a rule associating a media access control security (MACsec) port identifier (PI) of the TED with a data flow, receiving a frame comprising data and the MACsec PI, and transmitting the data of the frame based on the data flow associated with the rule.

Abstract: A key server may establish an initial media access security (MACsec) connectivity association (CA) between a set of devices on a communication network of a power system. The key server may identify a device in the set of devices on the initial CA as a suspect device. The key server may communicate a new connectivity association key (CAK) of an independent CA to one or more other devices in the set of devices to cause the one or more other devices to join an independent CA without the suspect device.

Abstract: A system includes an entropy device configured to generate and distribute input entropy data and an intelligent electronic device (IED) of an electric power distribution system. The IED is configured to perform operations that include receiving the input entropy data distributed by the entropy device, generating a set of keys using the input entropy data, and establishing a Media Access Control Security (MACsec) communication link using the set of keys.

Abstract: A system includes a switch of an electric power distribution system, the switch being configured to receive data and to transmit data, and the system includes a controller configured to communicatively couple to the switch. The controller is configured to create a software defined network by instructing the switch to transmit data to a location, and the controller is configured to generate a set of keys and to provide the set of keys to the switch to enable the switch to communicate data via a Media Access Security (MACsec) communication link, a MACsec key agreement (MKA) connectivity association, or both.

Abstract: A system includes an intelligent electronic device (IED) of an electric power distribution system and a key device. The key device is configured to perform operations that include receiving a request from the TED for communication with an additional component of the electrical power distribution system, establishing a Media Access Control security key agreement (MKA) connectivity association with the TED in response to receipt of the request, generating a security association key (SAK) in response to receipt of the request, and distributing the SAK to the IED via the MKA connectivity association to enable the TED to use the SAK to communicate via a Media Access Control security (MACsec) communication link that is isolated from the key device.

Abstract: A system includes an intelligent electronic device (IED) and a proxy device communicatively coupled to the TED via a Media Access Control (MACsec) communication link. The proxy device is configured to perform operations that include receiving permissions data, receiving a request to perform an action associated with the TED, determining whether the action is authorized based on the permissions data, and transmitting data to the TED via the MACsec communication link in response to determining that the action is authorized.

Abstract: A system includes an intelligent electronic device (IED) and a control system configured to perform operations that include initiating establishment of a media access control security (MACsec) communication link via a MACsec key agreement (MKA) protocol, identifying information associated with the IED in response to initiation of the establishment of the MACsec communication link, the information being indicative of a protocol to be used by the IED to communicate data, and establishing a unidirectional MACsec communication link based on the information associated with the IED.

Abstract: A software defined network (SDN) switch of a communication network includes a memory and a processor operatively coupled to the memory. The SDN switch receives a media access control security (MACsec) frame of power system data. The SDN switch detects an SDN flow match based at least in part on a port identifier of the MACsec frame. The SDN switch performs an action based on the SDN flow match.