{"title":"An Distributed Cyberattack Diagnosis Scheme for Malicious Protection Operation based on IEC 61850","authors":"M. Touhiduzzaman, A. Hahn, S. Lotfifard","doi":"10.1145/3372318.3372326","DOIUrl":null,"url":null,"abstract":"Substation automation systems (SAS) are known to be vulnerable to cyber attacks due to the weaknesses of security features (e.g., encryption, authenticity). These issues were demonstrated by the recent Ukranian cyber attack event on 2016. The security mechanisms located at the SAS need to identify cyberattacks and faults occur in protection operations distributively in efficient manner. This work presents a novel distributed cyberattack diagnosis solution (DCDS) for the SAS, based on the backward reachability graph analysis of behavioral Petri-net (BPN). The proposed distributed BPN model for the SAS is developed based on the IEC 61850 protocol. The distributed diagnoser solution produces a local diagnosis result to detect attacks which is consistent and correct without the use of centralized diagnosis scheme. A case study on the SAS is provided to verify our proposed DCDS based on different scenarios that successfully identified cyberattack and other substation (e.g., relay malfunction, normal fault)events. 
Also, this DCDS is evaluated in the Mininet computer network emulator by using an open-source library (libiec61850) to exchange the SAS messages through IEC 61850.","PeriodicalId":287941,"journal":{"name":"Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop","volume":"520 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3372318.3372326","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Substation automation systems (SAS) are known to be vulnerable to cyber attacks due to weaknesses in their security features (e.g., encryption, authenticity). These issues were demonstrated by the recent Ukrainian cyber attack event in 2016. The security mechanisms located at the SAS need to identify cyberattacks and faults that occur in protection operations in a distributed and efficient manner. This work presents a novel distributed cyberattack diagnosis solution (DCDS) for the SAS, based on backward reachability graph analysis of a behavioral Petri net (BPN). The proposed distributed BPN model for the SAS is developed based on the IEC 61850 protocol. The distributed diagnoser produces a local diagnosis result for detecting attacks that is consistent and correct without the use of a centralized diagnosis scheme. A case study on the SAS is provided to verify our proposed DCDS across different scenarios, in which it successfully identified cyberattacks and other substation events (e.g., relay malfunction, normal fault). This DCDS is also evaluated in the Mininet computer network emulator, using an open-source library (libiec61850) to exchange the SAS messages through IEC 61850.