Cyberattacks identification in IEC 61850 based substation using proximal support vector machine

Abstract

Maintaining the reliable, efficient, secure and multifunctional IEC 61850 based substation is an extremely challenging task, especially in the ever-evolving cyberattacks domain. This challenge is also exacerbated with expending the modern power system (MPS) to meet the demand along with growing availability of hacking tools in the hacker community. Few of the most serious threats in the substation automation system (SAS) are DoS (Denial of Services), MS (Message Suppression) and DM (Data Manipulation) attacks, where DoS is due to flood bogus frames. In MS, hacker inject the GOOSE sequence (sqNum) and GOOSE status (stNum) number. In the DM attacks, attacker modify current measurements reported by the merging units, inject modified boolean value of circuit breaker and replay a previously valid message. In this paper, an intelligent cyberattacks identification approach in IEC 61850 based SAS using PSVM (proximal support vector machine) is proposed. The performance of the proposed approach is demonstrated using experimental dataset of recorded signatures. The obtained results of the demonstrated study shows the effectiveness and high level of acceptability for real side implementation to protect the SAS from the cyberattacks in different scenarios.

Keywords

False data injection Man-In-The-Middle intrusion detection system GOOSE MMS SVM information and communication technologies substation automation system telephone switching based remote control unit digital communication network

1 Introduction

Generally, conventional power system network is formulated in form of a smart-grid with incorporation of the advanced ICT (Information and Communication Technologies) for the communication in between the protective devices through the LANs (Local Area Networks) of the substation and/or TCP (Transmission Control Protocol)/IP (Internet Protocol) networks by using high speed Ethernet. The utilization of these ICTs enable the optimal level of operation and control of the smart-grid with minimal level of restrictions. Therefore, several schemes for the ICTs have been developed and followed the standard communication protocol for smart power system applications.

The communication in smart SAS (Substation Automation System) is a key component to maintain the real-time operations. Initially, TSbRCU (Telephone Switching based Remote Control Unit) was utilized in power station in early 1930. In 1960, the DCN (Digital Communication Network) become more popular through the DAS (Data Acquisition System) to collect the measured dataset automatically. The main problem with DAS is to operate at LBCC (Low Bandwidth Communication Channel). Due to this, DCN based on DAS is not a proper solution for transmission of signals in between protecting devices. Thereafter, a standard communication protocol based on IEC 61850 is developed for the electric SAS by using IEEE 802-3 high speed Ethernet to communicate in between IEDs (Intelligent Electronic Devices). Generally, IEDs also support to sample/collect the dataset, transmit the dataset, multi-port communication, security and interoperability of different devices. Due to these reasons, the utilization of IEC 61850 based communication protocols is increased in the SAS throughout the world, which leads the high concerns for the cybersecurity and its associated cyber-attacks in modern power system substation (MPSS).

The energy is becoming a prime concern due to its effect on economy, nation security, and society. So, its generation, transmission, distribution and demand matching are the key factor in the 21^st century to prevent the blackout condition. In this regard, numerous researches have studied to protect the SAS from the cyberattacks which effect the security of the system. For an example of a security breach like: 1) integrity breach due to FDI (False data Injection), MITM (Man-In-The-Middle); 2) confidentiality breach due to Eavesdropping, theft; 3) availability breach due to DoS, DDoS; 4) authentication breach due to malware, Trojan; and 5) authorization breach due to malware, Trojan, spoofing etc. Moreover, authors in [1 –6] presented an IDS (Intrusion Detection System) to analyze the threats in the recent years. In [1]. Authors detect the insider threats by using specification-based detection method. In [2], authors identify the routing attacks by using anomaly based detection method. In [3], authors developed the hybrid signature and specification based detection method for identification of the multiple conventional attacks (MCA) as well as system disturbance. In [4] and [5], authors developed anomaly based detection method for MCA and DoS respectively. In [6], authors detect the security attacks of MCA by using signature based method. Apart of this, authors in [7 –10] presented an FDI (False Data Injection) to analyze the threats and detect for the prevention of the system. Moreover, in [11 –13] authors presented and demonstrated ITD (Insider Threats Detection).

In this study, a signature based cyberattacks identification in IEC 61850 based substation using PSVM (proximal support vector machine) is proposed. The main reason to opt PSVM as an identifier that it is very fast algorithm in process, compared with other ICT and advance machine learning algorithms.

2 Brief Detail of IEC 61850

IEC 61850 is a standard which define the communication protocols for IEDs at electrical power substation. In IEC 61850, the pulled away or detached data model can be mapped to a number of protocols. These protocols are GOOSE (Generic Object Oriented Substation Event), MMS (Manufacturing Message Specification), SVM (Sampled Measured Values) and WS (Web Services –future services). These protocols of IEC 61850 are used to receive the essential response times less than 4 milliseconds for all protective relaying through the LANs of the substation and/or TCP/IP networks by using Ethernet. Moreover, IEC 61850 is an OOP (Object Oriented Protocol) as compared with older protocols which are SOP (Signal Oriented Protocols) such as 10004, 21015 from devices 1,2, etc.

IEC TC 57 (Technical Committee from 22 participating countries) was established in 1964 to fulfill an urgent need to develop a standard in the field of communications between equipments and systems to control the electric power system. The IEC 61850 is a series of standards as mentioned in Table 1, out of them some are directly related to substation automation of the power system (SAPS), which are highlighted into green colour.

Table 1
IEC 61850 series of standards [14]

Standard Remark/ Explanation

IEC 61850-1 2013: Introduction and overview

IEC 61850-1-2 2020: Communication networks and systems for power utility automation (CNSPUA) - Part 1-2: Guideline on extending IEC 61850

IEC 61850-2 2003: Glossary

2019: CNSPUA - Part 2: Glossary

IEC 61850-3 2013: General requirement

IEC 61850-4 2011: System and project management specification for communication between of IEDs

IEC 61850-5 2013: Communication requirements for functions and device models

IEC 61850-6 2009: Configuration language for communication in electrical substations related to IEDs

IEC 61850-7-1 2011: Basic communication structure (BCS)- Principles and models

IEC 61850-7-2 2010: BCS - ACSI

IEC 61850-7-3 2010: BCS - Common Data Classes

IEC 61850-7-4 2010: BCS - Compatible logical node classes and data classes

IEC 61850-7-6 2019: CNSPUA - Part 7-6: Guideline for definition of Basic Application Profiles (BAPs) using IEC 61850

IEC 61850-7-7 2018: CNSPUA - Part 7-7: Machine-processable format of IEC 61850-related data models for tools

IEC 61850-7-410 2012: BCS - Hydroelectric power plants - Communication for monitoring and control

IEC 61850-7-420 2009: BCS - Distributed energy resources logical nodes

IEC 61850-7-500 2017: CNSPUA - Basic information and BCS - Use of logical nodes for modeling application functions and related concepts and guidelines for substations

IEC 61850-7-510 2012: BCS - Hydroelectric power plants - Modelling concepts and guidelines

IEC 61850-8-1 2011: Specific communication service mapping (SCSM) - Mappings to Manufacturing Message Specification MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3

IEC 61850-8-2 2018: Mapping to Extensible Messaging Presence Protocol (XMPP)

IEC 61850-9-2 2011: SCSM - Sampled values over ISO/IEC 8802-3

IEC61850-9-3 2016: CNSPUA - Precision time protocol profile for power utility automation

IEC 61850-10 2012: Conformance testing

IEC 61850-80-1 2016: CNSPUA - Guideline to exchanging information from a CDC-based data model using IEC 60870-5-101 or IEC 60870-5-104

IEC 61850-80-3 2015: CNSPUA - Mapping to web protocols - Requirements and technical choices

IEC 61850-80-4 2016: CNSPUA - Translation from the COSEM object model (IEC 62056) to the IEC 61850 data model

IEC 61850-90-1 2010: CNSPUA - Use of IEC 61850 for the communication between substations

IEC 61850-90-2 2016: CNSPUA - Using IEC 61850 for communication between substations and control centres

IEC 61850-90-3 2016: CNSPUA - Using IEC 61850 for condition monitoring diagnosis and analysis

IEC 61850-90-4 2013: CNSPUA - Network engineering guidelines

IEC 61850-90-5 2012: CNSPUA - Use of IEC 61850 to transmit synchrophasor information according to IEEE C37.118

IEC 61850-90-6 2018: CNSPUA - Use of IEC 61850 for Distribution Feeder Automation System

IEC 61850-90-7 2013: CNSPUA - Object models for power converters in distributed energy resources (DER) systems

IEC 61850-90-8 2016: CNSPUA - Object model for E-mobility

IEC 61850-90-9 2020: CNSPUA - Object Models for Batteries

IEC 61850-90-10 2017: CNSPUA - Object Models for Scheduling

IEC 61850-90-11 2020: CNSPUA - Methodologies for modelling of logics for IEC 61850 based applications

IEC 61850-90-12 2020: CNSPUA - Wide area network engineering guidelines

IEC 61850-90-17 2017: CNSPUA - Using IEC 61850 to transmit power quality data

Standard	Remark/ Explanation
IEC 61850-1	2013: Introduction and overview
IEC 61850-1-2	2020: Communication networks and systems for power utility automation (CNSPUA) - Part 1-2: Guideline on extending IEC 61850
IEC 61850-2	2003: Glossary
	2019: CNSPUA - Part 2: Glossary
IEC 61850-3	2013: General requirement
IEC 61850-4	2011: System and project management specification for communication between of IEDs
IEC 61850-5	2013: Communication requirements for functions and device models
IEC 61850-6	2009: Configuration language for communication in electrical substations related to IEDs
IEC 61850-7-1	2011: Basic communication structure (BCS)- Principles and models
IEC 61850-7-2	2010: BCS - ACSI
IEC 61850-7-3	2010: BCS - Common Data Classes
IEC 61850-7-4	2010: BCS - Compatible logical node classes and data classes
IEC 61850-7-6	2019: CNSPUA - Part 7-6: Guideline for definition of Basic Application Profiles (BAPs) using IEC 61850
IEC 61850-7-7	2018: CNSPUA - Part 7-7: Machine-processable format of IEC 61850-related data models for tools
IEC 61850-7-410	2012: BCS - Hydroelectric power plants - Communication for monitoring and control
IEC 61850-7-420	2009: BCS - Distributed energy resources logical nodes
IEC 61850-7-500	2017: CNSPUA - Basic information and BCS - Use of logical nodes for modeling application functions and related concepts and guidelines for substations
IEC 61850-7-510	2012: BCS - Hydroelectric power plants - Modelling concepts and guidelines
IEC 61850-8-1	2011: Specific communication service mapping (SCSM) - Mappings to Manufacturing Message Specification MMS (ISO 9506-1 and ISO 9506-2) and to ISO/IEC 8802-3
IEC 61850-8-2	2018: Mapping to Extensible Messaging Presence Protocol (XMPP)
IEC 61850-9-2	2011: SCSM - Sampled values over ISO/IEC 8802-3
IEC61850-9-3	2016: CNSPUA - Precision time protocol profile for power utility automation
IEC 61850-10	2012: Conformance testing
IEC 61850-80-1	2016: CNSPUA - Guideline to exchanging information from a CDC-based data model using IEC 60870-5-101 or IEC 60870-5-104
IEC 61850-80-3	2015: CNSPUA - Mapping to web protocols - Requirements and technical choices
IEC 61850-80-4	2016: CNSPUA - Translation from the COSEM object model (IEC 62056) to the IEC 61850 data model
IEC 61850-90-1	2010: CNSPUA - Use of IEC 61850 for the communication between substations
IEC 61850-90-2	2016: CNSPUA - Using IEC 61850 for communication between substations and control centres
IEC 61850-90-3	2016: CNSPUA - Using IEC 61850 for condition monitoring diagnosis and analysis
IEC 61850-90-4	2013: CNSPUA - Network engineering guidelines
IEC 61850-90-5	2012: CNSPUA - Use of IEC 61850 to transmit synchrophasor information according to IEEE C37.118
IEC 61850-90-6	2018: CNSPUA - Use of IEC 61850 for Distribution Feeder Automation System
IEC 61850-90-7	2013: CNSPUA - Object models for power converters in distributed energy resources (DER) systems
IEC 61850-90-8	2016: CNSPUA - Object model for E-mobility
IEC 61850-90-9	2020: CNSPUA - Object Models for Batteries
IEC 61850-90-10	2017: CNSPUA - Object Models for Scheduling
IEC 61850-90-11	2020: CNSPUA - Methodologies for modelling of logics for IEC 61850 based applications
IEC 61850-90-12	2020: CNSPUA - Wide area network engineering guidelines
IEC 61850-90-17	2017: CNSPUA - Using IEC 61850 to transmit power quality data

3 Brief detail of attacks encountered in IEC 61850 based substation

Generally, SAPS suffers with different types of attacks such as intrusion attacks, MITM (Man-In-The-Middle) attacks, DoS attacks, and FDI (false data injection) attacks. The intrusion attacks effect the integrity, confidentiality and authenticity of the GOOSE, VM and substation LAN and/or TCP/IP network. The MITM attacks effect the integrity, confidentiality and authenticity of the MMS. Similarly, DoS attacks effect the authenticity of the MMS. Finally, FDI effect the authenticity, and physical security of the IEDs. Due to these attacks, confidentiality, integrity, availability and physical security are effected, so that unauthorized access of information, unauthorized modification, theft of information, and unauthorized access of IEDs or nodes will be performed by attacker. That is why power system network is failed to meet the customer demand. For the detailed information, reader may refer [15 –20] for intrusion attacks for GOOSE and SV, [21] for intrusion attacks for substation LAN, [22] for MITM attacks for MMS, [23] for DoS attacks for MMS, and [24, 25] for FSI attacks for IEDs.

To manage these attacks scenarios in the smart power substation, IEC TC 57 address the distinct cybersecurity issues related with communication protocols for IEDs of IEC 61850. The IEC TC 57 developed the IEC 62351 to provide the cybersecurity solution for all possible attacks on IEC 61850. The IEC 62351 is a series of standards as mentioned in Table 2 along with its brief detail.

Table 2
IEC 62351 series of standards [26]

Standard Remark/ Explanation

IEC 62351 2020: Power systems management and associated information exchange (PSAIE) - Data and communications security (DCS)

IEC 62351-1 2007: PSAIE - DCS - Part 1: Communication network and system security - Introduction to security issues

IEC 62351-2 2008: PSAIE - DCS - Part 2: Glossary of terms

IEC 62351-3 2014 (AMD1), 2018(AMD2), 2020(CSV): PSAIE - Part 3: Communication network and system security - Profiles including TCP/IP

IEC 62351-4 2018(AMD1),2020(CSV): PSAIE - DCS - Part 4: Profiles including MMS and derivatives

IEC 62351-5 2013: PSAIE - DCS - Security for IEC 60870-5 and derivatives

IEC 62351-6 2020: PSAIE - DCS - Security for IEC 61850

IEC 62351-7 2017: PSAIE - DCS - Network and System Management (NSM) data object models

IEC 62351-8 2020: PSAIE - DCS - Role-based access control for power system management

IEC 62351-9 2017: PSAIE - DCS - Cyber security key management for power system equipment

IEC 62351-10 2012: PSAIE - DCS - Security architecture guidelines

IEC 62351-11 2016: PSAIE - DCS - Security for XML documents

IEC 62351-12 2016: PSAIE - DCS - Resilience and security recommendations for power systems with DER cyber-physical systems

IEC 62351-13 2016: PSAIE - DCS - Guidelines on security topics to be covered in standards and specifications

IEC 62351-90-1 2018: PSAIE - DCS - Guidelines for handling role-based access control in power systems

IEC 62351-90-2 2018: PSAIE - DCS - Deep packet inspection of encrypted communications

IEC 62351-100-1 2018: PSAIE - DCS - Conformance test cases for IEC TS 62351-5 and IEC TS 60870-5-7

IEC 62351-100-3 2018: PSAIE - DCS - Conformance test cases for the IEC 62351-3, the secure communication extension for profiles including TCP/IP

Standard	Remark/ Explanation
IEC 62351	2020: Power systems management and associated information exchange (PSAIE) - Data and communications security (DCS)
IEC 62351-1	2007: PSAIE - DCS - Part 1: Communication network and system security - Introduction to security issues
IEC 62351-2	2008: PSAIE - DCS - Part 2: Glossary of terms
IEC 62351-3	2014 (AMD1), 2018(AMD2), 2020(CSV): PSAIE - Part 3: Communication network and system security - Profiles including TCP/IP
IEC 62351-4	2018(AMD1),2020(CSV): PSAIE - DCS - Part 4: Profiles including MMS and derivatives
IEC 62351-5	2013: PSAIE - DCS - Security for IEC 60870-5 and derivatives
IEC 62351-6	2020: PSAIE - DCS - Security for IEC 61850
IEC 62351-7	2017: PSAIE - DCS - Network and System Management (NSM) data object models
IEC 62351-8	2020: PSAIE - DCS - Role-based access control for power system management
IEC 62351-9	2017: PSAIE - DCS - Cyber security key management for power system equipment
IEC 62351-10	2012: PSAIE - DCS - Security architecture guidelines
IEC 62351-11	2016: PSAIE - DCS - Security for XML documents
IEC 62351-12	2016: PSAIE - DCS - Resilience and security recommendations for power systems with DER cyber-physical systems
IEC 62351-13	2016: PSAIE - DCS - Guidelines on security topics to be covered in standards and specifications
IEC 62351-90-1	2018: PSAIE - DCS - Guidelines for handling role-based access control in power systems
IEC 62351-90-2	2018: PSAIE - DCS - Deep packet inspection of encrypted communications
IEC 62351-100-1	2018: PSAIE - DCS - Conformance test cases for IEC TS 62351-5 and IEC TS 60870-5-7
IEC 62351-100-3	2018: PSAIE - DCS - Conformance test cases for the IEC 62351-3, the secure communication extension for profiles including TCP/IP

4 Developed attack scenarios and its dataset

In this study, IEC 18650 based substation security dataset has been collected from experimental set (created in lab based proto-type) and open access data base [27], which includes normal data, disturbances data and attack-scenarios dataset. The Fig. 1 of the [27] represents the one-line diagram of a power substation of 66/11 kV system, which has been used to generate these datasets. This power system diagram includes the four-buses, 18 IEDs (Intelligent Electronic Devices), 10 feeders (i.e., 6 are used to connect the loads and 4 are used to connect other substations), 2 transformers, several circuit breakers.

Fig. 1

Proposed approach framework.

The three main types of attack scenarios of GOOSE attacks are created such as: 1) DoS (denial of services), 2) MS (message suppression) and 3) DM (data manipulation). The Dos attack is created in a malicious attempt by the attacker to block IED through flooding bogus frames. The MS attacks are created through hijacking of communication channel through the changing GOOSE header fields from the updating/receiving the IED from the message. Similarly, the DM attacks are created by injecting the modified network payloads into the main network, which is effect the grid stability. The collected datasets under these three attack scenarios are used for the further study.

5 Proposed approach

The proposed intelligent cyberattacks identification approach for IEC 61850 based SAS using PSVM is presented in Fig. 1, which is comprises into six-parts as follow: 1) PART-1: experiment setup for digital substation based on IEC-61850, 2) PART-2: online measurement of the datasets (i.e., current, voltage, power, harmonics and frequency etc.), 3) PART-3: data pre-processing (data analysis), 4) PART-4: training and testing dataset matrices formation, 5) PART-5: design the PSVM model, and 6) PART-6: train the designed PSVM model then test its performance with test dataset. Once optimal level of training and testing is performed then developed model may be recommended for the further uses in real-side SAS implementation.

5.1 PSVM based model formulation [28 –32]

Generally, PSVM is utilized for classification problems [28]. Due to its high processing speed and limited number of lines in whole coding, it is widely used for both linear as well as non-linear problems. PSVM is the advanced version of the standard SVM. In the SVM, the dataset is classified with a separating plane of narrow band, whereas in PSVM, the separating plan is bigger with the high level of the proximity. The hyperplane for SVM and PSVM is shown in Figs. 2 and 3 respectively.

Fig. 2

The standard SVM classifier in the w-space of Rⁿ with error margin $\frac{2}{∥ w ∥}$ [xx].

Fig. 3

The PSVM classifier in the (ω, λ)- space of Rⁿ⁺¹ with error margin $\frac{2}{∥ \begin{matrix} ω \\ γ \end{matrix} ∥}$ [xx].

Figure 4 shows the procedure of PSVM implementation. PSVM is taken as m data points in Rⁿ⁺¹ represented using two matrices as matix Q (m × n) and diagonal matrix G (m × m) with labeled of±1. The label±1 represents the class of each row of matrix Q. The mathematical implementation for classifier using PSVM is shown in following steps [28 –32]:

Fig. 4

Flow Chart for PSVM Implementation [16].

Step# 1: Express M as: M = G [Q - ɛ]

Where ɛ= m × 1 which is a vector of 1 and

Calculates η using positive different μ values: $η = μ ((1 - M {(\frac{1}{μ} + M^{'} M)}^{- 1}) M^{'}) ɛ$ (8)

η can also be calculated as: $η = μ * (1 - (M * ϑ))$ (9)

where ϑ is represented as: $ϑ = (speye (n + 1) / μ + M^{'} * M) ∖ Y$ (10)

and Y = sum (M) ′.

The optimal value for μ is defined as per the expert experience (range:10⁶ to 0.01). It is suggested that bigger value of μ provides superior fitting for training data, most of cases, μ = 1 is best.

Step# 2: Calculate (ω, λ) $ω = Q^{'} * G η; λ = - ɛ^{'} * G η and τ = η / μ$ (11)

The maximization of the margin accordance to location (λ) and orientation (ω) w.r.t. origin.

Step# 3: New unlabeled dataset of X_new is classified as: $({Xnew}^{'} ω - λ) = {\begin{matrix} > 0, \\ < 0, \\ = 0, \end{matrix} \begin{matrix} then \\ then \\ then \end{matrix} \begin{matrix} Xnew \in A +; \\ Xnew \in A -; \\ \begin{matrix} Xnew \in A + \\ or Xnew \in A -; \end{matrix} \end{matrix}$ (12)

The detected label of tested new dataset is represented by Equation 13: $f (Xnew) = sign (ω^{'} * Xnew - λ)$ (13)

Where, f (Xnew)=negative, then dataset is classified as class#1 (A -), and f (x)=positive, then dataset is classified as class#2 (A+),

For the multi-class problem, multiple binary PSVM classifiers are developed in a combination.

5.2 PSVM based cyberattacks identification model formulation

Based on proposed approach as represented in Fig. 1, the cyberattacks identification model using PSVM (CAIM) for SAS is given in Fig. 5.

Fig. 5

Classification approach using PSVM models.

The CAIM for SAS includes three-binary PSVM classifiers which are utilized to classify four (i.e., healthy operation and three cyberattacks: DoS, MS, and DM) conditions of the SAS.

For the demonstration of the PSVM CAI performance, PSVM#1 (model-1) is trained with the whole training dataset and segregate the healthy condition from the all faulty conditions (i.e., DoS, MS and DM). For this, the used code for healthy condition representation is -1. Now, PSVM#2 (model-2) is trained by using ghettoized faulty data from model-1 for three faults scenarios. The used code at the output side of PSVM#2 is -1 for ghettoizing the faults conditions “Dos and MS” from the “DM”. Now, PSVM#3 (model-3) is trained by using the ghettoised faulty data of “DoS and MS” achieved from model-2 for two faults conditions. The used code at the output side of PSVM#3 is -1 to ghettoize the faults condition “DM” from the “DoS”. In the summary of all output codes utilized for representation of all conditions at the output side of the PSVM models are represented in Table 3.

Table 3

Summary codification of all developed PSVM models

Fault Category	PSVM Model#1	PSVM Model #2	PSVM Model #3
Healthy	–1	Θ	Θ
DoS	+1	–1	Θ
MS	+1	–1	+1
DM	+1	+1	–1

Θ = not in use.

6 Results and discussion

In this section, the performance analysis of the developed CAIM for SAS is presented. The results demonstration is performed by using experimental datasets of four different operating condition of SAS under two different categories, as shown in Table 4. The Table 4 shows the highest identification accuracy of the particular CAIMs out of all developed models with variation of Nu values. The category#1 and category#2 are the based on voltage and current signatures respectively. Three different CAIM are developed for each category to classify the four operating conditions of the SAS. The classification accuracy for category#1 is varies from 91.05 to 99.83 (for training phase), 90.55 to 96.63 (for testing phase). And the average diagnosis accuracy for category#1 is 96.85 and 94.27 for training and testing phase respectively. Apart of this, the class-wise classification accuracy for the proposed PSVM model of category2 has been represented in Table 5, which shows the diagnosis accuracy for each type of fault along with healthy operating condition.

Table 4
PSVM based performance analysis of recorded raw data and its EEMD

Dataset used PSVM Phase PSVM1 PSVM2 PSVM3 Average

Category1: Vbased Train 99.67 91.05 99.83 96.85

Test 96.63 90.55 95.64 94.27

Category2: Ibased Train 97.15 99.56 100 98.9

Test 97 97.19 97.25 97.15

Dataset used	PSVM Phase	PSVM1	PSVM2	PSVM3	Average
Category1: Vbased	Train	99.67	91.05	99.83	96.85
	Test	96.63	90.55	95.64	94.27
Category2: Ibased	Train	97.15	99.56	100	98.9
	Test	97	97.19	97.25	97.15

Table 5

Proposed model’s class-wise classification accuracy for PSVM1 to PSVM3

PSVM model/Data sets used	Type of attacks for identification	Training Phase Performance (%)			Testing Phase Performance (%)
		MSE	RMSE	Accuracy	MSE	RMSE	Accuracy
PSVM model#1	Healthy	2.85	1.69	97.15	3.0	1.73	97.0
	Faulty
PSVM model#2	DoS &MS	0.44	0.66	99.56	2.81	1.68	97.19
	DM
PSVM model#3	DoS	0.0	0.0	100.0	2.75	1.66	97.25
	MS
Average accuracy (%)		1.1	1.05	98.9	2.85	1.69	97.15

In this study, twelve different PSVM models for the case of PSVM#1 are developed with variation of twelve different Nu-values (Range: -1 to 100) and similar study is performed for all other PSVM models (i.e., PSVM#2 and PSVM#3) as shown in Fig. 6 to Fig. 8 for both categories. Hence, total thirty six PSVM models are developed and analyzed for the category#1. Similarly, thirty six PSVM models are developed and analyzed for the category#2 as well. Hence, in this study, total seventy two PSVM models are designed and analyzed for both categories of study. Moreover, the evaluated w and gamma for all PSVM models are represented in Figs. 9, 10 and 11 respectively.

Fig. 6

Traing and testing accuracy with variation of Nu-value for PSVM#1.

Fig. 7

Traing and testing accuracy with variation of Nu-value for PSVM#2.

Fig. 8

Traing and testing accuracy with variation of Nu-value for PSVM#3.

Fig. 9

Evaluated weight value for all PSVM models for category#1.

Fig. 10

Evaluated weight value for all PSVM models for category#2.

Fig. 11

Evaluated Gamma value for all PSVM models –vG for category#1 and iG for category#2.

7 Conclusion

In this study, different cyberattacks have been identified and analyzed. The proposed approach for cyberattacks identification in IEC 61850 based SAS using proximal support vector machine has been developed and demonstrated for four different case scenarios such as healthy and three attacks scenarios (i.e., DoS, MS and DM). The performance of the proposed approach has been demonstrated using experimental dataset of recorded signatures under two different categories. The total 72 intelligent models have been developed and demonstrated to validate its performance. The obtained results of the demonstrated study shown the effectiveness and high level of acceptability for real side implementation to protect the SAS from the cyberattacks in different scenarios.

Footnotes

Acknowledgment

”The authors extend their appreciation to the Researchers Supporting Project at King Saud University, Riyadh, Saudi Arabia, for funding this research work through the project number RSP-2020/278”.

References

Bao

, et al., BLITHE: Behavior rule based insider threat detection for smart grid, IEEE Internet Things J 3(2) (2016), 190–205.

Thanigaivelan

N.K.

, et al., Distributed internal anomaly detection system for Internet-of-Things, in Proc. 13th IEEE Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, (2016), pp. 319–320, Jan. 9-12.

Pan

, et al., Developing a hybrid intrusion detection system using data mining for power systems, IEEE Trans Smart Grid 6(6) (2015), 3104–3113.

Faisal

M.A.

, et al., Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: A feasibility study, IEEE Syst J 9(1) (2015), 31–44.

Lee

T.-H.

, et al., A lightweight intrusion detection scheme based on energy consumption analysis in 6lowpan, in Advanced Technologies, Embedded and Multimedia for Human-centric Computing. Springer, (2014), pp. 1205–1213.

, et al., A malicious pattern detection engine for embedded security systems in the Internet of Things, Sensors 14(12) (2014), pp. 24188–24211.

Liu

, Ning

and Reiter

M.K.

, False data injection attacks against state estimation in electric power grids, ACM Trans Inf Syst Secur 14(1) (2011), 13.

Yang

, et al., On false data-injection attacks against power system state estimation: Modeling and countermeasures, IEEE Trans Parallel Distrib Syst 25(3) (2014), 717–729.

Huang

, et al., Bad data injection in smart grid: attack and defense mechanisms, IEEE Commun Mag 51(1) (2013), 27–33.

10.

Esmalifalak

, et al., Effect of stealthy bad data injection on network congestion in market based power system, in Proc. 2012 IEEE Wireless Communications and Networking Conference (WCNC), Paris, France, Apr. 1-4, 2012, pp. 2468–2472.

11.

Chen

, et al., Detecting anomalous insiders in collaborative information systems, IEEE Trans Dependable Secure Comput 9(3) (2012), 332–344.

12.

Ambre

and Shekokar

, Insider threat detection using log analysis and event correlation, Procedia Comput Sci 45 (2015), pp. 436–445.

13.

Legg

P.A.

, et al., Automated insider threat detection system using user and role-based profile assessment, IEEE Syst J 11(2) (2017), 503–512.

14.

IEC 61850 standard and its series. Access on 30-04-2020 at https://webstore.iec.ch/searchform&q=IEC%2061850

15.

Hong

, et al., Detection of cyber intrusions using network-based multicast messages for substation automation, in ISGT 2014, pp. 1–5, 2014.

16.

Kush

E.N.

, et al., Poisoned GOOSE: Exploiting the GOOSE Protocol, in, Twelfth Australasian Information Security Conference (AISC 2014) 149 (2014), 17–22.

17.

da Silva

L.E.

and Coury

D.V.

, A new methodology for real-time detection of attacks in IEC 61850-based systems, Electr Power Syst Res 143 (2017), 825–833.

18.

Caserza Magro

, et al., Safety related functions with IEC 61850 GOOSE messaging, Int J Electr Power Energy Syst 104 (2019), 515–523.

19.

El Hariri

, et al., The IEC 61850 Sampled Measured Values Protocol: Analysis, Threat Identification, and Feasibility of Using NN Forecasters to Detect Spoofed Packets, Energies 12(19) (2019), 3731.

20.

Hong

, et al., Integrated Anomaly Detection for Cyber Security of the Substations, IEEE Trans Smart Grid 5(4) (2014), 1643–1653.

21.

Premaratne

U.K.

, et al., An Intrusion Detection System for IEC61850 Automated Substations, IEEE Trans Power Deliv 25(4) (2010), 2376–2383.

22.

Kang

, et al., Investigating cyber-physical attacks against IEC 61850 photovoltaic inverter installations, in 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA), (2015), pp. 1–8.

23.

Choi

, et al., Intrusion Detection of NSM Based DoS Attacks Using Data Mining in Smart Grid, Energies 5(10) (2012), 4091–4109.

24.

Chattopadhyay

, et al., Toward Threat of Implementation Attacks on Substation Security: Case Study on Fault Detection and Isolation, IEEE Trans Ind Informatics 14(6) (2018), 2442–2451.

25.

Chlela

, et al., Real-time testing platform for microgrid controllers against false data injection cybersecurity attacks, in 2016 IEEE Power and Energy Society General Meeting (PESGM), (2016), 1–5.

26.

IEC 62351 standard and its series. Access on 30-04-2020 at https://webstore.iec.ch/searchform&q=IEC%2062351&FUZZY=1

27.

Biswas

, et al., A Synthesized Dataset for Cybersecurity Study of IEC 61850 based Substation, 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Beijing, China, 2019, pp. 1-7, doi: 10.1109/SmartGridComm.2019.8909783

28.

Fung

and Mangasarian

O.L.

, Proximal Support Vector Machine Classifiers Available at: (accessed on 30-04-2020) ftp://ftp.cs.wisc.edu/pub/dmi/tech-reports/01-02.ps

29.

Malik

and Mishra

, Fault Identification of Power Transformers Using Proximal Support Vector Machine (PSVM), in Proc. IEEE Int Conf on Power Electronics (IICPE 2014), 8-10 Dec. 2014,. Doi: 10.1109/IICPE.2014.7115842

30.

Mittal

A.P.

, et al., External Fault Identification Experienced by 3-Phase Induction Motor Using PSVM, in Proc. IEEE Int Conf on Power India (PIICON 2014), to be held on 5-7 Dec. 2014. Doi: 10.1109/POWERI.2014.7117762

31.

Malik

and Mishra

, Proximal Support Vector machine (PSVM) Based Imbalance Fault Diagnosis of Wind Turbine Using Generator Current Signals, Elsevier Energy Procedia 90 (2015), Pp. 593-603, 15-17 Dec. 2015. Doi: https://doi.org/10.1016/j.egypro.2016.11.228

32.

Malik

and Chack

, A Novel Intelligent Transmission Line Fault Diagnosis Model Based on EEMD and Multiclass PSVM, Book chapter in Applications of Artificial Intelligence Techniques in Engineering, Advances in Intelligent Systems and Computing 698, Pp. 85-92, 2018. Doi: https://doi.org/10.1007/978-981-13-1819-1_9.

Cyberattacks identification in IEC 61850 based substation using proximal support vector machine

Abstract

Keywords

1 Introduction

2 Brief Detail of IEC 61850

5.1 PSVM based model formulation [28–32]

Table 4 PSVM based performance analysis of recorded raw data and its EEMD Dataset used PSVM Phase PSVM1 PSVM2 PSVM3 Average Category1: Vbased Train 99.67 91.05 99.83 96.85 Test 96.63 90.55 95.64 94.27 Category2: Ibased Train 97.15 99.56 100 98.9 Test 97 97.19 97.25 97.15

Footnotes

Acknowledgment

References

5.1 PSVM based model formulation [28 –32]

Table 4
PSVM based performance analysis of recorded raw data and its EEMD

Dataset used PSVM Phase PSVM1 PSVM2 PSVM3 Average

Category1: Vbased Train 99.67 91.05 99.83 96.85

Test 96.63 90.55 95.64 94.27

Category2: Ibased Train 97.15 99.56 100 98.9

Test 97 97.19 97.25 97.15