Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC 61850

Multimedia Tools and Applications

Abstract

A Substation Automation (SA) system based on IEC 61850 is an intelligent substation, and it has been receiving considerable attention as a core component of the smart grid. The explosive increase in cyber-security threats has extended to critical national infrastructure, including the power grid, and Substation Automation has become a main target of cyber-attacks. Various countermeasures such as firewalls, IDSs (Intrusion Detection Systems), and anti-virus solutions have been developed, but to date these have not sufficiently reflected the inherent features of Substation Automation based on IEC 61850. This study proposes an anomaly detection method for MMS (Manufacturing Message Specification) and GOOSE (Generic Object Oriented Substation Events) packets, the main communication protocols of IEC 61850 Substation Automation. It applies 3-phase preprocessing, EM (Expectation Maximization), and one-class SVM (Support Vector Machine) techniques. The effectiveness of the proposed method is evaluated through experiments.

Acknowledgements

This work was supported by the Power Generation & Electricity Delivery Core Technology Program of the Korea Institute of Energy Technology Evaluation and Planning (KETEP), granted financial resources from the Ministry of Trade, Industry & Energy, Republic of Korea (No. 20131020402090).

Author information

Corresponding author

Correspondence to Taeshik Shon.

About this article

Cite this article

Yoo, H., Shon, T. Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC 61850. Multimed Tools Appl 74, 303–318 (2015). https://doi.org/10.1007/s11042-014-1870-0

  • DOI: https://doi.org/10.1007/s11042-014-1870-0
