Cyber Attacks Detection, Prevention, and Source Localization in Digital Substation Communication using Hybrid Statistical-Deep Learning

TL;DR

A novel method using hybrid statistical-deep learning for the detection, prevention, and source localization of IEC 61850 SV injection attacks is proposed and results demonstrate the method's suitability for practical deployment in IEC 61850-compliant digital substations.

Abstract

The digital transformation of power systems is accelerating the adoption of IEC 61850 standard. However, its communication protocols, including Sampled Values (SV), lack built-in security features such as authentication and encryption, making them vulnerable to malicious packet injection. Such cyber attacks can delay fault clearance or trigger unintended circuit breaker operations. While most existing research focuses on detecting cyber attacks in digital substations, intrusion prevention systems have been disregarded because of the risk of potential communication network disruptions. This paper proposes a novel method using hybrid statistical-deep learning for the detection, prevention, and source localization of IEC 61850 SV injection attacks. The method uses exponentially modified Gaussian distributions to model communication network latency and long short-term memory and Elman recurrent neural network to detect anomalous variations in the estimated probability distributions. It effectively discards malicious SV frames with minimal processing overhead and latency, maintains robustness against communication network latency variation and time-synchronization issues, and guarantees a near-zero false positive rate in non-attack scenarios. Comprehensive validation is conducted on three testbeds involving industrial-grade devices, hardware-in-the-loop simulations, virtualized intelligent electronic devices and merging units, and high-fidelity emulated communication networks. Results demonstrate the method's suitability for practical deployment in IEC 61850-compliant digital substations.

Figures (7)

• Figure 1: Hybrid statistical-deep learning-based intrusion detection, prevention, and attack source localization system architecture.
• Figure 2: Graphical interpretation of $F_{exp}$ value assignment.
• Figure 3: Schematic overview of the three experimental testbeds used to validate the proposed method.
• Figure 4: Comparison of EMG, Gaussian, and exponential distribution fits to the measured $F_{as}$.
• Figure 5: FPR and F1-score of the intrusion prevention method as a function of attacker injection error on the four (v)IEDs deployed across the first and second testbeds.