2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)

Security Monitoring of IEC 61850 Substations Using IEC 62351-7 Network and System Management¹

Abdullah Albarakati∗, Chantale Robillard∗, Mark Karanfil∗, Marthe Kassouf†, Rachid Hadjidj∗, Mourad Debbabi∗, and Amr Youssef∗
∗ Concordia Institute for Information Systems Engineering, Concordia University
† Hydro-Québec Research Institute (IREQ)
Montreal, Canada

Abstract—Network and system management (NSM) plays an important role in ensuring end-to-end security of power systems. As defined in IEC 62351-7, NSM provides system security awareness through the collection of a large amount of data in order to monitor the power grid operational environments. In this paper, we follow the IEC 62351-7 guidelines to develop an NSM platform for IEC 61850 substations. Then, on top of the developed platform, we build a hybrid, deep learning and rule-based, anomaly detection system. Furthermore, considering IEC 61850 protocols, we develop a list of potential cyber attacks on the substation that are likely to impact the power grid availability. The effectiveness of the proposed anomaly detection system against the identified attacks is confirmed by testing it on an IEEE 8-Bus system in the presence of NSM using a smart grid testbed.

Index Terms—Anomaly detection, rule-based detection, network and system management, NSM, IEC 61850, IEC 62351-7, smart grid, security

I. INTRODUCTION

The introduction of Information and Communication Technologies (ICT) into the power grid is reshaping the grid as we know it by developing an advanced monitoring and control infrastructure to create a more reliable grid, the smart grid. This reformation spans across the different grid domains, establishing digital substations, investing in wide area monitoring systems, and deploying advanced metering infrastructure, among others. Along with this reformation of the grid, working groups have been developing standards that guide the grid's transformation. These include the digital substation automation standards, namely IEC 61850 [1], and the data and communication security standards, namely IEC 62351 [2]. Working Group 15 of IEC TC57 addresses the end-to-end security requirements of the grid through the different parts of IEC 62351, and focuses on the management of the information infrastructure through part 7 [3]. Indeed, the management of the grid's information infrastructure is crucial to providing the necessary high levels of security and reliability in power system operations [4]. This includes the definition of Network and System Management (NSM) data objects that reflect which information is needed to manage the information infrastructure [4]. However, IEC 62351 does not address the use of the defined objects, how they can be leveraged to provide insights about the system security, or what solutions can be developed on top of the collected information to detect and mitigate cyber attacks targeting the smart grid.

In this paper, we adopt the security recommendations provided by IEC 62351-7 edition 2017 to develop a hybrid anomaly detection system on top of the NSM data objects. In particular, we design and implement an NSM platform for IEC 61850 substations including the NSM data objects defined by IEC 62351-7 [3]. The NSM data collected by the platform is used by a combined deep learning and rule-based anomaly detection system to detect the occurrence of cyber attacks. The developed approach is evaluated using real-time co-simulation with hardware-in-the-loop capability. The outcome of the performed experiments demonstrates the need for such a system and its usefulness in providing a more secure and reliable smart grid infrastructure.

The main contributions of this paper can be summarized as follows:

1) Design and implementation of an IEC 62351-7 [3] compliant NSM monitoring and data collection platform.
2) Presentation of a methodology to elaborate Denial of Service (DoS) attacks on IEC 61850 communication protocols.
3) Development of a deep learning and rule-based anomaly detection system on top of the developed NSM platform.

The rest of the paper is structured as follows. Section II introduces our system model. The NSM platform architecture and design are outlined in section III. Section IV presents the cyberattack elaboration methodology on the IEC 61850 system. Our anomaly detection scheme is introduced in section V and section VI presents the experimentation results. Section VII covers the related work. Finally, our concluding remarks and future work are provided in section VIII.

¹ The research reported in this article has been supported by the NSERC/Hydro-Québec/Thales Senior Industrial Research Chair in Smart Grid Security.

978-1-5386-8099-5/19/$31.00 ©2019 IEEE

II. SYSTEM MODEL

The system under consideration in this work is a power substation as mandated by the IEC 61850 standard [1], along with the security requirements introduced in IEC 62351, especially IEC 62351-7 [3]. The IEC 62351-7 standard targets Network and System Management (NSM) of the power grid information infrastructure. The standard specifies the data that is to be collected through NSM, and this data corresponds to power system information that must be monitored to ensure that the integrity of intelligent electronic devices (IEDs) and their digital communications is maintained.

Currently, the monitoring performed in power systems is considered to be inadequate, as existing SCADA systems do not provide the complete information required to help diagnose problems in the network or at end devices [3]. In our study, however, we consider well-defined and standardized NSM data objects, tailored specifically to power systems, that represent information about the devices being monitored. IEDs present in the substation can populate the NSM data objects with corresponding values and expose them for a remote management system to retrieve using the Simple Network Management Protocol (SNMP). These populated NSM data objects can then provide a wealth of new information to monitor the health of the communication network and end devices, locate problems such as degraded performance or system failures, and raise alerts associated with cyber threats.

III. NSM ARCHITECTURE AND DESIGN

Our NSM platform consists of agents and a manager, which together communicate using SNMP to collect usage and statistical data from intelligent electronic devices (IEDs) at the substation for the purpose of security monitoring. This communication is secured using the built-in mechanisms available within SNMPv3 [5] (the User-based Security Model, which authenticates the management traffic and, with privacy enabled, encrypts it). The overall architecture of our system is depicted in Figure 1.

[Fig. 1 block diagram: NSM agent side with the monitored devices, a proxy, a database and an SNMP agent; NSM manager side with an SNMP manager, the NSM database, the detection engine and a web server answering user queries over HTTPS; agent and manager communicate over SNMPv3.]
Fig. 1. Architecture of the network and system management (NSM) system.

At the core of this system, we have the NSM agents associated with the IEDs and network components present in the substation. For IEDs complying with IEC 62351-7 requirements, we can collect the required NSM data from the agents already implemented on those IEDs. For other components, our agent consists of a proxy that periodically reads the data logs stored at the IED using available services such as syslog or Secure Shell (SSH) and observes the traffic flow passing through the IED, maps this information to management information base (MIB) objects matching the NSM data objects, and loads them into a persistent lightweight database. This database is queried by the SNMP agent to retrieve the information relevant to the monitored IED.

The NSM manager queries all agents for MIB object values, and stores these values in a database as name-value pairs. In addition to queries, NSM agents can push information to the manager in the form of SNMP traps based on previously defined conditions. The developed detection engine, which will be presented in section V, retrieves, sorts, and analyzes the collected MIB objects for any anomalies. Anomaly alerts can then be accessed through a web client.

IV. CYBER ATTACK METHODOLOGY

In order to assess the usefulness of NSM in providing end-to-end security at the substation level as defined by IEC 62351-7 [3], we define a comprehensive list of cyber attacks against the involved communication protocols, namely GOOSE and IEEE C37.118, and against time synchronization, that could target the IEC 61850 substation. Then, we test those attacks against the NSM capabilities.

A. Threat Model

We consider a Dolev-Yao attacker [6] who can be an outsider or an insider with malicious intentions. The attacker gains access to the substation network, and is interested in performing DoS attacks on the IEC 61850 communication protocols in use. We assume that the attacker has sufficient knowledge about the structure and semantics of the messages exchanged over the network, and can reside in the network for the period needed to successfully execute the attacks. To carry out these attacks, the attacker can inject a Protocol Data Unit (PDU), capture a PDU and replay it later, modify a PDU, drop a PDU, and delay a PDU.

B. Cyber Attack Elaboration Methodology

To systematically elaborate DoS attacks on IEC 61850's GOOSE protocol, we consider the IEC 61850 and IEC 62351 [7] standards to establish a list of conditions, which we refer to as DoS conditions. These DoS conditions identify the variables to be manipulated in order to effectively discard PDU(s) by
TABLE I
DOS CONDITIONS FOR GOOSE MESSAGES ACCORDING TO IEC STANDARDS

#  DoS condition
1  Actual length of PDU does not match its length field
2  PDU has lower stNum than previous PDU: does not apply if stNum overflows (IEC 62351-6 only)
3  PDU is outside skew period of 10 to 120 s (IEC 62351-6 only)
4  Time elapsed between last 2 PDUs > TAL (causes stNum reset in IEC 62351-6)
5  PDU has unexpected value for confRev
6  PDU has the test flag on: only applies if subscriber accepts simulated values
7  PDU digital signature is not valid: does not apply if signatures are not used (IEC 62351-6 only)

TABLE II
LIST OF CYBERATTACKS ON ICS PROTOCOLS

ID   Attack
G1   Modify PDU length (malformed PDU)
G2   Modify, inject or replay PDU with higher stNum
G3   Modify PDU t to outside skew period
G4   Delay PDUs until they are outside skew period
G5   Modify, inject or replay PDU with smaller TAL to force TAL expiration
G6   Drop PDUs until TAL expiration
G7   Delay PDU until TAL expiration
G8   Modify PDU confRev field
G9   Modify, inject or replay PDU with test flag on
G10  Invalidate digital signature
C1   Replay outdated data to hide system state
C2   Delay measurements to drop them
C3   Inject false data to change system state
C4   Inject command frame to stop communication
T1   Delay PTP messages to affect time synchronization
T2   Inject fake GPS signal to control time synchronization

the subscriber or degrade the quality of the PDU. This is expected to deeply impact the substation operations, as GOOSE messages are used to send critical trip messages; if they are ignored or delayed, equipment will be subject to unwanted impacts. The identified DoS conditions and variables are listed in Table I.

To successfully perform a DoS attack, an attacker has to use one of the conditions stated in Table I. Based on the attacker capabilities, we elaborate 16 different denial-of-service (DoS) attacks. The defined attacks are summarized in Table II. Attacks tailored for GOOSE are labeled G1 to G10. Some of the attacks found in this manner are already documented in the literature, such as G2 (defined as the "GOOSE poisoning attack" in [8]) and G7, which is described in [9].

As for synchrophasor protocols, we use IEEE C37.118 to transfer measurements. This protocol is subject to delay, replay, malformed packet, and false data injection attacks. We list and label these attacks from C1 to C4 in Table II.

Finally, all IEDs at the substation are time synchronized either through PTP [10] or IRIG-B driven by a GPS clock. Hence, the synchronization mechanisms are subject to delay or spoofing attacks. These attacks are shown in Table II as T1 and T2, and take the form of a delay attack on PTP or GPS spoofing [11].

V. ANOMALY DETECTION

In what follows we describe how we leverage the collected NSM data to build anomaly detection models capable of detecting and localizing cyber attacks in a substation.

A. Machine Learning-based Anomaly Detection

The machine learning-based anomaly detection approach is carried out through the following steps:

1) Data Preprocessing: To acquire data for the learning approach, we use our smart grid testbed presented in [12]. In particular, we deploy the NSM architecture presented in section III on the testbed, and collect the NSM data needed for training and tuning our models. For further details about our testbed, the reader is referred to [12].

The data collected from the testbed is then visualized and analyzed using statistical tools to detect trends and correlations. This analysis allows us to select, in the next stage, the type of tools to use for the detection of anomalies resulting from failures or cyber attacks in the substation. This data consists of vectors of more than 300 MIB values periodically collected at a regular pace of 10 seconds from all devices in the substation. We consider the collected vector as a snapshot of the state of the substation under study. A sequence of snapshots is stored in a database during a period of 24 hours of normal operation of the substation, assuming that there are no anomalies during that time. The objective is to learn the normal behavior of the substation and use it later on as a reference to detect anomalies. This data is preprocessed in a sequence of four steps: filtering, encoding, regularization, and normalization.

In the filtering step, all MIB objects identified as static or with no relevance to anomaly detection are discarded. These objects are carefully selected based on their semantics as described in the IEC standard. Examples of such objects include the MAC address and IP address of the IEDs. In the second step, MIB objects belonging to categorical types are encoded into numerical values using one-hot encoding, for example the MIB object reporting the time synchronization status (e.g. "cLKEClockIssue") and MIB objects with boolean values (e.g. "gSESL2ConfRevMis"). For the third step, MIB objects showing an increasing (cumulative) trend are individually regularized using differencing and turned into a rate over time. A stationary time series maintains parameters such as the mean and variance relatively constant over time, and is better suited for time series analysis using machine learning tools [13]. Before using this data for training machine learning models, we pass it through a normalization phase which scales each numerical MIB object to the range [0,1]. At the end of this stage, the data is ready for analysis and training of the prepared models.
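The DoS conditions of Table I are the checks a GOOSE subscriber performs before accepting a PDU, and each of the attacks G1 to G9 in Table II works by steering a PDU into one of them. The block below is an added example, not code from the paper or its testbed: it models those subscriber-side checks in Python and replays a constructed PDU sequence that exercises the attack variants. The GoosePdu and SubscriberState types, the 120 s skew bound and the 2 s TAL value are assumptions for the illustration; condition 7 (signature verification) is left out, and condition 6 is implemented in the usual IEC 61850 sense, i.e. a test-flagged PDU is dropped unless the subscriber is configured to accept simulated values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STNUM_MAX = 2**32 - 1  # stNum is an unsigned 32-bit counter; a wrap to a low value is not a rollback


@dataclass
class GoosePdu:
    """The header fields a subscriber checks (assumed field names; values are constructed)."""
    length: int          # value of the length field in the GOOSE frame
    actual_length: int   # bytes actually received
    st_num: int          # stNum: incremented on every data change
    sq_num: int          # sqNum: retransmission counter within a state
    t: float             # publisher timestamp of the last state change (s)
    tal_ms: int          # timeAllowedToLive (ms)
    conf_rev: int        # confRev of the publishing data set
    test: bool           # test/simulation flag


@dataclass
class SubscriberState:
    expected_conf_rev: int
    accept_simulated: bool = False   # LPHD.Sim-style setting of the subscriber (assumption)
    skew_s: float = 120.0            # upper bound of the 10-120 s skew period of Table I
    last_st_num: Optional[int] = None
    last_rx: Optional[float] = None  # local receive time of the last accepted PDU
    last_tal_ms: Optional[int] = None


def check_pdu(state: SubscriberState, pdu: GoosePdu, now: float) -> List[int]:
    """Return the Table I condition numbers (1-6) the PDU triggers; empty means acceptable."""
    hits = []
    if pdu.actual_length != pdu.length:                              # cond. 1: malformed length
        hits.append(1)
    tal_expired = (state.last_rx is not None and state.last_tal_ms is not None
                   and (now - state.last_rx) * 1000.0 > state.last_tal_ms)
    # cond. 2: stNum went backwards. Not applied after a counter wrap, nor after a TAL
    # expiry, because the publisher is then allowed to reset stNum (Table I, cond. 4).
    if (not tal_expired and state.last_st_num is not None
            and pdu.st_num < state.last_st_num and state.last_st_num != STNUM_MAX):
        hits.append(2)
    if abs(now - pdu.t) > state.skew_s:                              # cond. 3: outside skew period
        hits.append(3)
    if tal_expired:                                                  # cond. 4: TAL expired
        hits.append(4)
    if pdu.conf_rev != state.expected_conf_rev:                      # cond. 5: confRev mismatch
        hits.append(5)
    if pdu.test and not state.accept_simulated:                      # cond. 6: test flag set
        hits.append(6)
    return hits


def process(state: SubscriberState, pdu: GoosePdu, now: float) -> Tuple[bool, List[int]]:
    """Apply the checks and update the subscriber. Returns (accepted, conditions hit)."""
    hits = check_pdu(state, pdu, now)
    if hits and hits != [4]:
        return False, hits   # discarded: the effect the G-attacks of Table II aim for
    # accepted; a bare TAL expiry is reported, but the PDU resynchronizes the subscriber
    state.last_st_num, state.last_rx, state.last_tal_ms = pdu.st_num, now, pdu.tal_ms
    return True, hits


def run_scenario():
    """Constructed traffic between a publisher (relay) and one subscriber (breaker), TAL 2 s."""
    st = SubscriberState(expected_conf_rev=1)
    seq = [  # (label, local receive time, PDU)
        ("normal heartbeat",                0.0, GoosePdu(100, 100, 5,   0, 0.0,    2000, 1, False)),
        ("G2: injected PDU, high stNum",    0.5, GoosePdu(100, 100, 500, 0, 0.5,    2000, 1, False)),
        ("legitimate trip after poisoning", 1.0, GoosePdu(100, 100, 6,   0, 1.0,    2000, 1, False)),
        ("G8: confRev modified",            1.2, GoosePdu(100, 100, 501, 0, 1.2,    2000, 2, False)),
        ("G1: length field mismatch",       1.4, GoosePdu(100, 90,  501, 1, 1.4,    2000, 1, False)),
        ("G9: test flag set",               1.6, GoosePdu(100, 100, 501, 2, 1.6,    2000, 1, True)),
        ("G7: PDU delayed past TAL",        6.0, GoosePdu(100, 100, 502, 0, 5.9,    2000, 1, False)),
        ("normal traffic resumes",          6.1, GoosePdu(100, 100, 503, 0, 6.1,    2000, 1, False)),
        ("G3: timestamp outside skew",      6.2, GoosePdu(100, 100, 504, 0, -293.8, 2000, 1, False)),
    ]
    return [(label,) + process(st, pdu, now) for label, now, pdu in seq]


if __name__ == "__main__":
    for label, accepted, hits in run_scenario():
        print(f"{label:34s} {'accepted' if accepted else 'DISCARDED':9s} conditions={hits}")
```

The sequence makes the point of Section VI-C visible: the injected G2 PDU is itself accepted, since a higher stNum is legal, and it is the legitimate trip command that follows which the subscriber discards under condition 2. Nothing on the subscriber side flags the injection, which is why the paper looks for it in the NSM-reported PDU rate rather than in the GOOSE checks.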
[Fig. 2: correlation matrix of the MIB objects associated with the substation network state.]
Fig. 2. Linear correlations between MIB objects reflecting the substation network state.

[Fig. 3: autocorrelation plots of the same MIB objects against lag.]
Fig. 3. Autocorrelations in MIB objects reflecting the substation network state.

2) Data Analysis: Two possible tools are of relevance in our context: time series analysis [13] and machine learning [14]. We conduct statistical analysis to reveal the magnitude of correlation between MIB objects, as well as the autocorrelation that exists within each MIB object. Autocorrelation is the correlation between a signal and a delayed version of this signal. The correlation between two MIB objects X and Y is calculated as

$$\rho_{XY} = \frac{\mathrm{cov}(X, Y)}{\sigma_X \sigma_Y} \qquad (1)$$

where cov denotes the covariance, and σ_X and σ_Y represent the standard deviations of X and Y respectively.

Figure 2 reveals high correlation between some of the MIB objects we have associated with the state of the substation network. Changes to the substation state do not occur randomly. Hence, a change that appears in one part of the substation can be associated with or triggered by some change in another part of the substation.

On the other hand, Figure 3 reveals a high autocorrelation within the same MIB object. This suggests that the current state of the substation is highly correlated with its previous states. The figure shows the strength and type of relationship between values and their lags. We can also observe that the correlation becomes weaker as the lag increases. The autocorrelation function (ACF) presented in Eq. (2) is used to observe the correlation within the same MIB object at different lags. k is the lag, k = 1, 2, ...; Y_i is the value of Y at time step i, Ȳ is the mean of Y, and N is the number of observations.

$$r_k = \frac{\sum_{i=1}^{N-k} (Y_i - \bar{Y})(Y_{i+k} - \bar{Y})}{\sum_{i=1}^{N} (Y_i - \bar{Y})^2} \qquad (2)$$

3) Anomaly Detection Model Construction Approach: The correlation results presented above motivated us to adopt an anomaly detection approach based on forecasting. The idea is to collect SNMP snapshots from the substation during its normal operation. This data is used to build a machine learning prediction model (PM) that captures the normal substation behavior. This model will be used later on to predict the future state of the substation from its previous states using a sliding window of previous states. The predicted state will be compared with the current observed state, and an anomaly is detected if the difference between these two states is above a certain threshold TH.

More formally, raw data $D_t = (d_{1,t}, d_{2,t}, \ldots, d_{m,t})$ is collected during normal operations of the substation in a time period $[T_1, T_2]$, $T_1 < t < T_2$, where $d_{i,t}$ is the value collected from MIB object i at time t. $D_t$ is preprocessed into the multivariate time series $X_t = (x_{1,t}, x_{2,t}, \ldots, x_{n,t})$, $T_1 < t < T_2$. $X_t$ is considered as the snapshot of the substation's state at time t. A machine learning PM is trained to predict $X_t$ from the previous states $X_{t-1}, X_{t-2}, \ldots, X_{t-p}$, where p is the prediction time window size. The maximum learning error over the training data is used as the threshold TH.

The prediction model (PM) itself can be constructed in different ways, but some considerations need to be taken into account. Given that our data is shaped in the form of a multivariate time series, sequence models such as Recurrent Neural Networks (RNN), Gated Recurrent Units (GRU) and Long Short-Term Memory (LSTM) give better results compared to other machine learning models [15]. Furthermore, NN models have actively competed with classical statistical models such as ARIMA [16], [17], and Neural Network (NN) models have been reported to outperform classical statistical models [18], [19]. Another recent study also shows that NN models outperform classical statistical models by comparing the prediction accuracy of an LSTM model and an ARIMA forecast model [20].

Since we want our anomaly detection mechanism to be able to tell which MIB objects are involved in the anomaly, our anomaly detection should work at the level of each MIB
TABLE III
A COMPARISON OF THE PRECISION BETWEEN MULTIPLE MODELS USING DIFFERENT METRICS

Metric    Model      500 epochs   1k epochs   10k epochs
r2 score  LSTM       0.534083     0.889692    0.968965
r2 score  GRU        0.617717     0.793529    0.891098
r2 score  SimpleRNN  0.422864     0.581742    0.773451
RMS       LSTM       0.006895     0.001632    0.000459
RMS       GRU        0.005657     0.003055    0.001612
RMS       SimpleRNN  0.008540     0.006189    0.003352

object. One way to achieve this goal is to create a separate prediction model $PM_i$ for each MIB object i. Eventually, our prediction model will be the collection of all of them, i.e., $PM = (PM_1, PM_2, \ldots, PM_n)$.

4) Model Implementation Details: As described above, our prediction model is a collection of n models, i.e., $PM = (PM_1, \ldots, PM_n)$, where each $PM_i$ is used to predict one MIB object from a window of size w of the last collected snapshots. Throughout our work, the utilized PM is a deep recurrent network composed of 3 layers, where each layer has a number of cells equal to the window size. The reason for using multiple layers is to allow older snapshots to have a better impact on the forecasted results [21]. The output of the last cell in the last layer is used as input to a neural network that computes the forecasted MIB value. In the case of a numerical MIB object, the neural network performs a regression and has one single output, with a linear activation function in the last layer. In the case of a categorical MIB object, the last layer of the network is a softmax activation layer with as many outputs as the number of possible values of the MIB object. We implemented three variants of our model using RNN, GRU and LSTM, and compared their performance in terms of learning speed and accuracy.

As expected, RNN, being the simplest sequence model, was the fastest to train, followed by GRU and then LSTM. LSTM experienced the longest training time due to its complexity. In terms of prediction accuracy, LSTM and GRU show a slightly better accuracy than RNN. It should be noted, however, that all models successfully predicted the input signal; LSTM and GRU were simply more accurate. The R2 (coefficient of determination) and root mean square (RMS) error used to measure the accuracy of prediction are shown in Table III. As an outcome of this comparison, we decided to use LSTM rather than GRU and RNN.

B. Rule based anomaly detection approach

The rule based anomaly detection approach aims at complementing the learning based part by enforcing rules to detect anomalies directly on the snapshots as they are fed to the detection engine. We use simple rules to check whether a certain MIB value is within a certain range or has changed. An example of such a rule is that a change of the MIB object "iEDConfigurationVersion.0", which reports configuration changes, is an anomaly if the change is not scheduled. Moreover, we define more complicated rules that involve checking conditions on previously seen snapshots within a certain time range. An example of this kind of rule is monitoring the MIB object "iEDLastEventTs.0", which reports a wrong password attempt; an anomaly is detected if this MIB object value is repeated within a very short duration.

VI. EXPERIMENTAL EVALUATION

A. Experimental Setup

We evaluate our anomaly detection approach on the standard IEEE 8-Bus transmission system presented in Figure 4, which shows the entire transmission system composed of several substations. The substation where NSM is deployed along with our anomaly detection approach is shaded in gray, and the detailed schema of this substation is presented in Figure 5. This substation is composed of a power generator, a step-up transformer, several relays at the bay level, and gateways at the station level. All those components are equipped with NSM agents that collect the MIB objects used as input to our anomaly detection approach. Using our testbed [12], we simulate this system under normal conditions, and in the case of a fault simulated on one of the transmission lines as shown in Figure 4. This allows us to collect data pertaining to both situations, and to train our neural networks for different circumstances.

[Fig. 4: one-line diagram of the IEEE 8-Bus system with its buses, generators (G), relays (R), circuit breakers (CB), merging units (MU), PMUs and a dynamic load; the substation hosting NSM is shaded.]
Fig. 4. IEEE 8-Bus system schema.

[Fig. 5: station level with the NSM manager, NSM agent and gateway (analog signal, Layer 2 and Layer 3 traffic); station bus switch carrying DNP3, C37.118, SNMP and PTP; bay level with three relays and a PMU; process bus switch carrying SV, GOOSE, SNMP and PTP; process level with merging units (MU), CT, VT, CB and bus.]
Fig. 5. The communication schema of the IEC 61850 substation with NSM.
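Sections V-A-1, V-A-3 and V-B describe three pieces of the detection engine: the snapshot preprocessing, the per-MIB forecasting models with threshold TH, and the rule-based checks on status objects. The block below is an added example, not the authors' implementation, that wires the three together in Python over constructed snapshots. The MIB object names gSESL2RxPduPerSecond, cLKEClockIssue, iEDConfigurationVersion and iEDLastEventTs are the ones the paper names; ifInOctets is the IF-MIB counter, used to show the differencing step; iEDMacAddress, the rule parameters, the polling values and the traffic figures are assumptions. The prediction model is a moving average over the last p normalized values rather than the paper's LSTM, so the accuracies of Table III do not apply; what the example demonstrates is the forecast, compare, threshold logic, the localization to a single MIB object, and the two properties of TH a practitioner should keep in mind: a single spike in the training window raises TH for that object permanently (hence the assumption that the 24 h training period is anomaly-free), and an object that is constant over training gets TH = 0, so any change fires.

```python
from typing import Dict, List

# Constructed MIB set. gSESL2RxPduPerSecond, cLKEClockIssue, iEDConfigurationVersion and
# iEDLastEventTs are named in the paper; ifInOctets is the IF-MIB counter; the rest is assumed.
STATIC_MIBS = {"iEDMacAddress", "iEDIpAddress"}   # filtering step: static, not useful for detection
CUMULATIVE_MIBS = {"ifInOctets"}                   # regularization step: differenced into a rate
RULE_MIBS = {"cLKEClockIssue", "iEDConfigurationVersion", "iEDLastEventTs"}  # status data -> rules
INTERVAL_S = 10.0                                  # SNMP polling period used in the paper


def preprocess(raw: List[Dict]) -> List[Dict[str, float]]:
    """Filtering and differencing (Sec. V-A-1). Only statistical objects are kept for the
    forecasting models; status objects go to rule_check(). Differencing consumes the first snapshot."""
    rows = []
    for prev, cur in zip(raw, raw[1:]):
        row = {}
        for k, v in cur.items():
            if k in STATIC_MIBS or k in RULE_MIBS:
                continue
            row[k] = (v - prev[k]) / INTERVAL_S if k in CUMULATIVE_MIBS else float(v)
        rows.append(row)
    return rows


def fit_scaler(rows):
    return {k: (min(r[k] for r in rows), max(r[k] for r in rows)) for k in rows[0]}


def normalize(row, scaler):
    # min-max scaling to [0,1]; an object constant over training keeps its raw offset so that a
    # later change is still visible (such objects should have been removed by the filtering step)
    return {k: (row[k] - lo) / (hi - lo) if hi > lo else row[k] - lo for k, (lo, hi) in scaler.items()}


class ForecastDetector:
    """One prediction model PM_i per MIB object i; TH_i is the maximum training error (Sec. V-A-3).
    The predictor is the mean of the last p normalized values, a stand-in for the paper's LSTM."""

    def __init__(self, p: int = 3):
        self.p, self.th = p, {}

    def predict(self, window, k):
        return sum(r[k] for r in window) / len(window)

    def fit(self, rows):
        for k in rows[0]:
            errs = [abs(self.predict(rows[t - self.p:t], k) - rows[t][k]) for t in range(self.p, len(rows))]
            self.th[k] = max(errs)          # TH_i: one outlier in training raises it for good
        return self

    def detect(self, window, observed) -> List[str]:
        """Names of the MIB objects whose forecast error exceeds TH_i (localizes the anomaly)."""
        return sorted(k for k in self.th if abs(self.predict(window, k) - observed[k]) > self.th[k])


def rule_check(history, current, scheduled_change=False, window=3, max_events=2) -> List[str]:
    """Rule-based checks of Sec. V-B, applied to raw snapshots (thresholds are assumptions)."""
    alerts = []
    if (history and current["iEDConfigurationVersion"] != history[-1]["iEDConfigurationVersion"]
            and not scheduled_change):
        alerts.append("iEDConfigurationVersion changed outside a scheduled window")
    if current["cLKEClockIssue"]:
        alerts.append("cLKEClockIssue set: time synchronization degraded")
    stamps = {s["iEDLastEventTs"] for s in history[-window:]} | {current["iEDLastEventTs"]}
    if len(stamps) > max_events:   # events repeating faster than the rule allows
        alerts.append("%d distinct iEDLastEventTs values within %d snapshots" % (len(stamps), window + 1))
    return alerts


def normal_snapshot(t: int) -> Dict:
    # constructed normal behaviour: ~500 B/s of traffic, 4-5 GOOSE PDU/s, stable status objects
    return {"iEDMacAddress": "00:11:22:33:44:55", "ifInOctets": 5000 * t + (t % 3) * 20,
            "gSESL2RxPduPerSecond": 4 + (t % 2), "cLKEClockIssue": False,
            "iEDConfigurationVersion": 3, "iEDLastEventTs": 1000}


def demo():
    raw = [normal_snapshot(t) for t in range(61)]          # ~10 minutes of anomaly-free snapshots
    rows = preprocess(raw)
    scaler = fit_scaler(rows)
    det = ForecastDetector(p=3).fit([normalize(r, scaler) for r in rows])
    window = [normalize(r, scaler) for r in rows[-3:]]

    # G2 injection: the received-PDU rate jumps while the byte counter stays normal (Sec. VI-C-1a)
    injected = dict(normal_snapshot(61), gSESL2RxPduPerSecond=40)
    ml_alerts = det.detect(window, normalize(preprocess([raw[-1], injected])[0], scaler))

    # status-object attacks handled by the rule engine (Sec. VI-C-2)
    reconfig = dict(normal_snapshot(61), iEDConfigurationVersion=4)
    brute = [dict(normal_snapshot(t), iEDLastEventTs=1300 + 3 * i) for i, t in enumerate(range(58, 62))]
    return {"ml": ml_alerts,
            "rule_normal": rule_check(raw[-3:], normal_snapshot(61)),
            "rule_reconfig": rule_check(raw[-3:], reconfig),
            "rule_bruteforce": rule_check(brute[:-1], brute[-1])}


if __name__ == "__main__":
    print(demo())
```

The forecasting part only ever reports objects that are statistical in nature, which mirrors the split in Section VI-C: a modified stNum in a single PDU (attack b) leaves every rate unchanged and produces no alert from either part, exactly as the paper observes.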
TABLE IV
THE SEQUENCE OF EVENTS

Time (seconds)   Event
1                3-phase to ground fault
1.73813          Relay 2 sends trip command
1.73903          CB 2 receives trip command
1.73918          CB 2 tripped
1.98203          Relay 1 sends trip command
1.98293          CB 1 receives trip command
1.98308          CB 1 tripped
4.5              3-phase to ground fault cleared
7                Relays 2 and 1 are reset

B. Operational scenario

The duration of the designed operational scenario is 7 seconds. A 3-phase to ground fault is simulated on the transmission line. When this fault is triggered, the overcurrent protection relay should record this fault and react if needed. There are five relays installed on the system to protect the equipment from being damaged. The relay detects the fault from the measurements received from the MU using the SV protocol. The reaction (trip command) of the relays is transported using GOOSE messages. Table IV shows the sequence of events caused by the fault, and the steps to return the system to stable operation. CB1 and CB2 are tripped when the fault is triggered. This behavior is considered as normal behavior.

C. Attack Execution and Detection

Next, we present some of the cyber attacks performed in the substation, along with their physical impacts on the power system model. In addition, we present the outcome of the detection system in the presence of those attacks. Our detection is based on statistical data and Boolean data received from NSM. The learning component depends on the statistical data, while the Boolean data is used for rule based detection.

1) Attack Detection Using Statistical Data:

a) Injecting GOOSE PDU with higher stNum: The objective of this attack is to interrupt the communication between the publisher (e.g. relay) and the subscriber (e.g. circuit breaker (CB)) in the substation, and prevent the subscriber from processing messages sent by the publisher in normal as well as faulty conditions. We perform this attack by poisoning CB2 with a GOOSE message carrying a stNum larger than that stored at its publisher (Relay 2). To illustrate the impact of this attack, we consider the faulty condition where a fault is simulated on a transmission line as shown in Figure 4. Due to this fault, CB1 and CB2 are expected to trip in response to commands issued through GOOSE messages by their respective relays. However, due to the desynchronized state between CB2 and its publisher, CB2 ignores the GOOSE messages received from Relay 2 and does not trip. The impact of this attack escalates in the form of a cascading failure. As a result, the simulated fault cascades to another area and causes relays 4 and 5 to trip in order to isolate the fault from the system. This tripping disconnects generator 5 from the system, thus causing a blackout at the load connected to bus 7.

The detection of this attack is possible through the analysis of NSM data using the deep machine learning approach described above. Our LSTM model monitors the behavior of the communication between the IEDs/RTUs, including the rate at which the PDUs are communicated over the network. This monitoring raises an alert, and thus detects the GOOSE poisoning attack.

b) Modifying GOOSE PDU with higher stNum: In this variant of the attack, the attacker modifies a communicated PDU by changing its stNum to a higher value to achieve the same objective as the previous attack. In the injection attack, the attacker is detected because the PDU per second rate changes. In this attack, however, the attacker stays undetected by modifying just one of the transmitted packets to reach his objective; the PDU per second rate keeps its normal value. Our detection system is not capable of detecting this attack since there is no MIB object that reflects the attack activity.

c) Delaying GOOSE PDU until time allowed to live (TAL) expiration: This attack can be executed even in the presence of message encryption and authentication. In terms of physical impact, it has an impact similar to that of injecting or modifying a GOOSE packet. However, in this attack, the targeted subscriber (CB2) does not drop the critical tripping command. Rather, CB2 trips and responds late to the publisher (Relay 2). To enforce this delay, the attacker introduces a delay of 100 ms between each packet in order to reach a total delay of 4 seconds. As a result, the system experiences a blackout due to the delayed response from CB2. Nevertheless, our detection system detects the presence of this attack based on the change of the MIB object "gSESL2RxPduPerSecond", which reports the rate of received PDUs per second.

d) Delaying GOOSE PDUs until they are outside the skew period: In this attack the attacker aims at avoiding detection. So, the attacker introduces a small amount of delay (1 ms) between the packets to reach a total delay of 4 seconds. This attack takes a longer time to execute and reach the targeted delay of 4 seconds. The attack generates the same physical impact as delaying GOOSE PDUs until TAL expiration. This attack is not detectable due to the normal variation in the network delay: the small per-packet delay does not violate the expected rate per second, and consequently does not cross the threshold of the LSTM model.

2) Attack Detection Using Non-Statistical Data: The developed anomaly detection system is capable of detecting anomalies based on NSM data objects beyond the statistical data related to the system functionality. Indeed, using MIB objects related to the device performance and reporting on the status of the device, such as the time synchronization status, password brute-force attempts, and unauthorized configuration changes, we can detect attacks that alter the device status.

VII. RELATED WORK

One of the recommended protocols to implement NSM Data Objects (DOs) is SNMP [3]. When using this protocol, the
NSM DOs are implemented as SNMP MIBs, much like other existing MIBs such as TCP-MIB [22]. In the literature, we can find research that proposes attack detection mechanisms based on data from SNMP MIBs. However, unlike our work, none of them apply these techniques to the smart grid context or rely on the NSM DOs of IEC 62351-7.

Yu et al. propose a mechanism to detect flooding attacks based on data collected using SNMP and machine learning with a Support Vector Machine (SVM) [23]. This work suggests that an Intrusion Detection System (IDS) can benefit from the information available in SNMP MIBs, but that there is insufficient integration between the two to enable this to happen. In further work by Yu et al. [24], an improved system is proposed where the C4.5 algorithm is used instead of SVM. Additionally, using association rule mining, this system can extract the rules used to classify flooding attacks into three different types.

In a similar vein, Priya et al. propose a Protocol Independent Detection and Classification (PIDC) system to detect Distributed Reflection Denial of Service (DRDoS) attacks using SNMP MIB data [25]. The intention is to classify TCP and Domain Name System (DNS) DRDoS attacks respectively. Much like the work by Yu et al. [23], this research only attempts to detect one kind of attack, namely DRDoS.

VIII. CONCLUSION AND FUTURE WORK

The secure operation of the substation is a cornerstone of the end-to-end security of the smart grid. Recently, network and system management at the substation has been standardized in IEC 62351-7 to provide an additional layer of security. In this paper, we presented an implementation of an NSM platform for IEC 61850 substations that complies with

REFERENCES

[4] F. Cleveland, "Enhancing the reliability and security of the information infrastructure used to manage the power system," in 2007 IEEE Power Engineering Society General Meeting, June 2007, pp. 1–8.
[5] W. Stallings, SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley Longman Publishing Co., Inc., 1998.
[6] D. Dolev and A. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
[7] IEC/TS 62351-6, "Power systems management and associated information exchange, data and communications security, part 6: Security for IEC 61850."
[8] N. Kush, E. Ahmed, M. Branagan, and E. Foo, "Poisoned GOOSE: exploiting the GOOSE protocol," in Proceedings of the Twelfth Australasian Information Security Conference, Volume 149. Australian Computer Society, Inc., 2014, pp. 17–22.
[9] M. Strobel, N. Wiedermann, and C. Eckert, "Novel weaknesses in IEC 62351 protected smart grid control systems," in 2016 IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, 2016, pp. 266–270.
[10] "IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems," IEEE Std 1588-2008 (Revision of IEEE Std 1588-2002), pp. 1–269, July 2008.
[11] B. Moussa et al., "Security assessment of time synchronization mechanisms for the smart grid," IEEE Communications Surveys & Tutorials, vol. 18, no. 3, 2016.
[12] A. Albarakati et al., "OpenStack based evaluation framework for smart grid cyber security," in 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Aalborg, Denmark, Oct. 2018.
[13] G. E. Box, G. M. Jenkins, G. C. Reinsel, and G. M. Ljung, Time Series Analysis: Forecasting and Control. John Wiley & Sons, 2015.
[14] I. H. Witten, E. Frank, M. A. Hall, and C. J. Pal, Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, 2016.
[15] Y. LeCun, Y. Bengio, and G. Hinton, "Deep learning," Nature, vol. 521, no. 7553, p. 436, 2015.
[16] N. K. Ahmed, A. F. Atiya, N. E. Gayar, and H. El-Shishiny, "An empirical comparison of machine learning models for time series forecasting," Econometric Reviews, vol. 29, no. 5-6, pp. 594–621, 2010.
[17] A. K. Palit and D. Popovic, Computational Intelligence in Time Series Forecasting: Theory and Engineering Applications. Springer Science & Business Media, 2006.
[18] G. Bontempi, S. B. Taieb, and Y.-A. Le Borgne, "Machine learning strategies for time series forecasting," in European Business Intelligence
summer school. Springer, 2012, pp. 62–77.
the IEC 62351-7 specifications. Furthermore, we defined a [19] A. Sfetsos and A. Coonick, “Univariate and multivariate forecasting
methodology for the elaboration of attacks on the communica- of hourly solar radiation with artificial intelligence techniques,” Solar
tion protocols used in the substation. In addition, we built an Energy, vol. 68, no. 2, pp. 169–178, 2000.
[20] S. McNally, J. Roche, and S. Caton, “Predicting the price of bitcoin using
anomaly detection system on top of the data collected through machine learning,” in 2018 26th Euromicro International Conference
NSM. The developed system uses statistical data as well as on Parallel, Distributed and Network-based Processing (PDP). IEEE,
values reported by the NSM data objects to detect cyber attacks 2018, pp. 339–343.
[21] I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning. MIT Press,
on the substation. Finally, we concluded our study with testing 2016, http://www.deeplearningbook.org.
the developed approach on different types of attacks, and its [22] R. Raghunarayan, “Management information base for the transmission
effectiveness was evaluated. control protocol (tcp),” Tech. Rep., 2005.
[23] J. Yu, H. Lee, M.-S. Kim, and D. Park, “Traffic flooding attack detection
As a continuation for this work, we intend to enhance our with snmp mib using svm,” Computer Communications, vol. 31, no. 17,
NSM-based anomaly detection approach by considering fur- pp. 4212–4219, 2008.
ther NSM objects and to complement this approach with deep [24] J. Yu, H. Kang, D. Park, H.-C. Bang, and D. W. Kang, “An in-depth
analysis on traffic flooding attacks detection and system using data
packet inspection of the exchanged traffic. This is expected mining techniques,” Journal of Systems Architecture, vol. 59, no. 10,
to improve our attack detection capabilities, and harden the pp. 1005–1012, 2013.
security of the substation. [25] P. M. Priya, V. Akilandeswari, S. M. Shalinie, V. Lavanya, and M. S.
Priya, “The protocol independent detection and classification (pidc)
system for drdos attack,” in 2014 International Conference on Recent
R EFERENCES Trends in Information Technology. IEEE, 2014, pp. 1–7.
[1] International Electrotechnical Commission, “IEC 61850 communication
networks and systems for power utility automation,” International Elec-
trotechnical Commission Std, 2010.
[2] International Electrotechnical Commission and others, “Power systems
management and associated information exchange - Data and Commu-
nication Security,” IEC62351.
[3] IEC/TS 62351-7, “Power systems management and associated informa-
tion exchange data and communications security part 7: Network and
system management (NSM) data object models,” 2017.
