RNN for intrusion detection in digital substations based on the IEC 61850

Abstract

Network communication has become a reality within electrical power systems. The IEC 61850 standard establishes the protocols and requirements for digital communications in substations. However, despite enhanced connectivity and integration benefits, network communication has also introduced cyber threats to these environments. Intrusion detection systems based on machine learning have emerged as a potential solution to address these threats in the context of IEC 61850-based communication. Literature indicates that algorithms using decision trees have shown enhanced effectiveness in detecting attacks on GOOSE protocol communication, alongside some exploration of deep learning techniques. Thus, this work examines the use of deep learning, specifically recurrent neural networks (RNNs), for intrusion detection in GOOSE protocol communication. To achieve this, a realistic electrical power system simulation was conducted using a Real-Time Digital Simulator (RTDS) combined with a physical Intelligent Electronic Device (IED) in a hardware-in-the-loop (HIL) setup. Four types of cyber-attacks were executed during the simulation: masquerade, replay, message injection, and poisoning attack. Network traffic datasets were also generated and made publicly available, with each frame sample clearly labeled as normal or malicious. Subsequently, the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Bidirectional LSTM (BiLSTM), Gated Recurrent Unit (GRU), and Bidirectional GRU (BiGRU) algorithms were trained and tested to detect the so-called masquerade attack, a more stealthy type of attack in the context of the GOOSE protocol. The results indicated that recurrent neural networks performed better than decision tree-based algorithms in detecting masquerade attacks. Additionally, RNNs also improve detection performance in multi-class problems by classifying network traffic into four types of attacks and normal behavior.