Comparison of approaches for intrusion detection in substations using the IEC 60870-5-104 protocol

Electrical networks of transmission system operators are mostly built up as isolated networks without access to the Internet. With the increasing popularity of smart grids, securing the communication network has become more important to avoid cyber-attacks that could result in possible power outages...

Full description

Saved in:
Bibliographic Details
Published in:Energy Informatics 2020-10, Vol.3 (Suppl 1), p.1-17, Article 15
Main Authors: Egger, Michael, Eibl, Günther, Engel, Dominik
Format: Article
Language:English
Subjects:
Anomalies
Computer Science
Cybersecurity
Electrical networks
IEC 60870-5-104
Information Systems and Communication Service
Intrusion detection
Intrusion detection systems
Machine learning
Protocol (computers)
SCADA
Smart grid
Substations
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Electrical networks of transmission system operators are mostly built up as isolated networks without access to the Internet. With the increasing popularity of smart grids, securing the communication network has become more important to avoid cyber-attacks that could result in possible power outages. For misuse detection, signature-based approaches are already in use and special rules for a wide range of protocols have been developed. However, one big disadvantage of signature-based intrusion detection is that zero-day exploits cannot be detected. Machine-learning-based anomaly detection methods have the potential to achieve that. In this paper, various such methods for intrusion detection in substations, which use the asynchronous communication protocol International Electrotechnical Commission (IEC) 60870-5-104, are tested and compared. The evaluation of the proposed methods is performed by applying them to a data set which includes normal operation traffic and four different attacks. While the results of supervised and semi-supervised machine learning approaches are rather encouraging, the unsupervised and signature-based methods suffer from general bad performance and had difficulties to detect some attacks.
ISSN:2520-8942
2520-8942
DOI:10.1186/s42162-020-00118-4