Threat model for IEC 61850 based substation automation system

Threat models have major importance in the area of computer systems security, as they can help identify oversights in the security requirements of a system and influence the design of protection mechanisms. The objective of this paper is to improve the understanding of threats specific to the substation automation system based on the IEC 61850 standard. This would make the discussion and understanding of the protection mechanisms for IEC 61850 more fruitful. So, in this paper, we have developed a detailed threat model for a substation automation system based on the IEC 61850 standard. The developed threat model is based on attack trees and provides a visual and comprehensive overview of potential attack scenarios. The construction of the attack tree follows a top-down approach, starting with the attacker’s goal and encompassing all potential sequences of steps to achieve this goal. When considering possible ways to achieve a goal, we utilise the MITRE ATT&CK framework and take the specifics of the IEC 61850 substation automation system model into account. We used the threat model to discuss the effect of applying communication protection mechanisms to protect IEC 61850 substation automation system (SAS). While a few other threat models exist for IEC 61850 substation automation system, the model we presented here is significantly more comprehensive, it is adaptable and based on a novel threat modelling method that incorporates the MITRE attack pattern in the process of constructing an attack tree. One of the key findings of this article is the identification of the four fundamentally different ways to sabotage an IEC 61850 SAS. Other findings are related to the adaptivity of the attack tree, limitations of the attack tree, and mapping of known attacks on IEC 61850 SAS onto the attack tree.