A new methodology for real-time detection of attacks in IEC 61850-based systems

This paper presents a new methodology to detect spoofing attacks concerning Generic Object Oriented Substation Event (GOOSE) messages in IEC 61850 communication systems. The methodology is based on anomaly detection, in which GOOSE messages are characterized by observing the correct operation of the power system and any variation of the normal behavior is classified as an intrusion. To validate this methodology, a pulse generation logic was configured to communicate among Intelligent Electronic Devices (IEDs), which were prone to replication attacks and tampering messages. The results show that the IEDs are vulnerable to such attacks, and that the Intrusion Detection Systems (IDS) of corporate networks are not able to deal with specific attacks in IEC 61850. Considering this, real time tools are needed to analyze GOOSE messages in order to identify intrusion. The software proposed in this paper was very efficient in detecting replication and falsification messages.