
Received November 25, 2020, accepted December 18, 2020, date of publication December 24, 2020, date of current version January 5, 2021.

Digital Object Identifier 10.1109/ACCESS.2020.3047341

Intrusion Detection Against MMS-Based Measurement Attacks at Digital Substations

RUOXI ZHU (Graduate Student Member, IEEE), CHEN-CHING LIU (Life Fellow, IEEE), JUNHO HONG (Member, IEEE), AND JIANKANG WANG (Member, IEEE)

Ruoxi Zhu and Chen-Ching Liu: The Bradley Department of Electrical and Computer Engineering, Virginia Polytechnic Institute and State University, Blacksburg, VA 24061, USA
Junho Hong: Department of Electrical and Computer Engineering, University of Michigan–Dearborn, Dearborn, MI 48128, USA
Jiankang Wang: Department of Electrical and Computer Engineering, The Ohio State University, Columbus, OH 43210, USA

Corresponding author: Ruoxi Zhu ([email protected])


This work was supported by the National Science Foundation at Virginia Tech, a Collaborative Project with The Ohio State University,
under Grant ECCS-1824577.

ABSTRACT Information and Communications Technology (ICT) supports the development of novel control and communication functions for monitoring, operation, and control of power systems. However, the high-level deployment of ICT also increases the risk of cyber intrusions for Supervisory Control And Data Acquisition (SCADA) systems. Attackers can gain access to the protected infrastructures of the grid and launch attacks to manipulate measurements at the substations. The fabricated measurements can mislead the operators in the control center to take undesirable actions. The Intrusion Detection System (IDS) proposed in this paper is deployed in IEC 61850 based substations. The proposed IDS identifies falsified measurements in Manufacturing Messaging Specification (MMS) messages. By cross-checking the consistency of electric circuit relationships at the substation level in a distributed manner, the falsified measurements can be detected and discarded before the malicious packets are sent out of the substations through DNP3 communication. A cyber-physical system testbed is used to validate the performance of the proposed IDS. Using the IEEE 39-bus test system, simulation results demonstrate high accuracy of the proposed substation-based intrusion detection system.

INDEX TERMS Cyber security of substation, measurement-based attack, MMS, IEC 61850, intrusion detection, SCADA.

I. INTRODUCTION

As complex cyber-physical systems, modern power grids utilize layers of ICT to maintain system reliability and efficiency. The fast-increasing connectivity through industrial control systems is known to be a source of vulnerabilities that can be exploited for potential cyber intrusions [1]. Substations in a smart grid play an important role to integrate the functions of communication and power infrastructures. In December 2016, the new malware "CRASHOVERRIDE" was deployed to compromise transmission level substations in Ukraine [2]. In comparison with the malware "BlackEnergy3," used in the cyberattack in Ukraine in December 2015, the new malware is capable of understanding and compromising industrial processes to disrupt the operations at substations.

Much of the literature on cyber security of power grids is concerned with the SCADA system at the transmission level. False data injection attacks (FDIAs) are well studied as a threat to cyber security of a smart grid [3]. Under the assumption that the adversary has knowledge of the system configuration, malicious measurements may be able to bypass bad data detection [4]. Research has been conducted on the attack model of FDIAs, the impact of FDIAs, and vulnerability assessment for state estimation with respect to FDIAs [5]–[7]. Phasor Measurement Units (PMUs) are used as countermeasures to defend against FDIAs [8]–[10]. By analyzing the behavior of FDIAs, data driven and machine learning methods are exploited to detect attacks in real-time [11]–[13]. However, the previous work is mostly centralized, which is not designed to detect FDIAs before falsified measurements arrive at the control center level. To prevent the malicious measurements from intruding into software applications at the control center, e.g., the Energy Management System (EMS), it is important to detect and stop the falsified measurements before they are sent out of the substations.

The IEC 62351 standard is developed to handle the security of multi-protocol messaging [14]. However, currently no

The associate editor coordinating the review of this manuscript and approving it for publication was Pedro R. M. Inácio.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
1240 VOLUME 9, 2021
R. Zhu et al.: Intrusion Detection Against MMS-Based Measurement Attacks at Digital Substations

industrialized solution is deployed in Substation Automation Systems (SASs). On the other hand, DNP3 Secure Authentication (DNP3-SA) [15] provides a security mechanism for communication between substations and the control center; however, it is not able to detect attacks in which falsified measurements are encapsulated in the payload of DNP3 packets before authentication and integrity checking. Hence, substations are vulnerable to such attacks on measurements.

Motivated by the critical need to detect measurement attacks at the substation level, this paper is concerned with the study of attack paths in SAS and defense actions. Various studies in the literature have explored the cyber defense of substation automation. Risk and vulnerability assessment is proposed for SCADA and IEC 61850 based substations [16], [17]. To counter the threats to an IEC 61850-based substation, a signature-based IDS is developed based on the data collected by simulating the attacks on IEDs [18]. In [19]–[22], a comprehensive IDS integrates protocol specification and logical behaviors for detecting abnormal behaviors within the cyber-physical systems. Based on IEC 61850 standards, the collaborative intrusion detection system proposed in [23] monitors and detects cyberattacks by screening the characteristics of Generic Object Oriented Substation Events (GOOSE) and Sample Value (SV) packets at each IED. Game-theoretic techniques are used in [24] to optimize the security mechanism for a large number of substations against coordinated attacks. Since the ICT-based IDS has a limited impact on such intrusions that bypass the cyber defense, some studies propose defense strategies according to the physical nature of the power system. To detect intrusions against the protection system, context information based defense is proposed [25], [26]. By learning the pattern of attack data, an IDS is proposed [27] for IEEE 1815.1-based networks at substations.

Regarding the detection of measurement attacks, several issues are observed: 1) Existing methods identify false measurements based on state estimation and bad data detection at the control center level. In other words, the technology does not detect measurement-based attacks at the substations before malicious measurements arrive at the control centers. 2) The specification-based IDS at the substation level is not able to identify false measurements if the fabricated data is encapsulated with legitimate headers. 3) Cyberattacks targeting measurements at multiple substations cannot be detected by local substation IDSs without a system strategy. 4) Although IEC 62351-4 specifies the cyber security of MMS, it is not commonly applied.

The proposed IDS in this paper is able to identify falsified measurements in MMS messages. Based on the laws of physics of the electrical network, a distributed IDS against measurement attacks in the substation is proposed. The contributions of this paper are:

1) Proposing a new method to identify contaminated measurements at the substation level. By doing so, falsified measurements will be intercepted before they are sent to the control center.

2) Developing a distributed IDS at the substation level, which accurately determines the attack targets, especially for a cyberattack against multiple substations. Test results show that the proposed IDS is efficient and promising for the real-time environment.

3) Analyzing the potential attack path of measurement attacks in the substation network. Based on the attack path, the attack model is developed for the measurement attacks.

The remainder of this paper is organized as follows: Section II describes vulnerabilities at the substation level. In Section III, the technical approach is provided. Section IV establishes the feasibility of the proposed algorithm with respect to different attack scenarios. Section V discusses the software testbed for validation of the IDS. Section VI shows the simulation results and performance of the IDS. Finally, the conclusions and future work are given in Section VII.

II. PROBLEM FORMULATION

IEC 61850 based SAS enables different devices to cooperatively maintain system properties in a modernized substation. Specifically, based on functionalities, the physical devices are organized in three levels: the process, bay, and station levels. To support communication properties in SAS, IEC 61850 based protocols, e.g., GOOSE, SV and MMS, are used. SV messages are used for sharing measurements of Current Transformers (CTs)/Voltage Transformers (VTs) with protective IEDs. Since there is a built-in security mechanism in SV streams, e.g., the Message Authentication Code (MAC) in IEC 62351-6, for ensuring integrity, the proposed method to detect and mitigate measurement-based attacks against MMS messages does not affect the substation protection scheme. As a new function for cyber security, the proposed IDS is focused on MMS messages to prevent falsified measurements from being sent out of the substations.

In digital substations, MMS communication uses a client/server model for reporting, monitoring, and control between IEDs and the SCADA system. As shown in Fig. 1, in order to transmit the measurement data to the SCADA system, the gateway as MMS client sends a "read-request" to access the information contained in the IED objects. Then, the corresponding IED, as MMS server, sends the response back with the measurement data encapsulated in MMS messages. As a line of defense to detect the measurement attack at SAS, the proposed IDS is configured to detect/mitigate the falsified measurements within MMS messages before they are sent to the control center through DNP3 communication.

In the cyberattack against the Ukrainian power grid [2], the adversary took control of servers in the substations through unauthorized remote access. Once the station network is compromised, the attackers will be capable of eavesdropping on MMS communication and injecting malicious packets. Without cyber security scanning at the substation level, fabricated measurements will be sequentially transmitted through DNP3 polling. The proposed


defense action is a distributed IDS at the substation level. Falsified measurements are identified based on the laws of physics of the power network: Kirchhoff's Current Law (KCL), Kirchhoff's Voltage Law (KVL) and Ohm's law. The distributed nature of the proposed IDS enables each substation IDS to cross check the measurements with other substations.

III. TECHNICAL APPROACH AT SUBSTATION LEVEL

This section describes the potential measurement attack path on MMS messages and the implementation of the proposed IDS at the substations.

A. MEASUREMENT ATTACK PATH IN SAS

Based on vulnerabilities with respect to measurement attacks, the attack path in the SAS is illustrated in Fig. 1.

FIGURE 1. Attack path of measurement attacks.

1) BAY LEVEL AND STATION LEVEL

The substation network is accessed from the remote access point or internal network. Once adversaries compromise the targeted substation through unauthorized access, they will gain access to the bay level devices through the station network. Sequentially, the adversary executes the attacks against measured values through MMS communication between the IED and gateway.

As shown in Fig. 1, MMS messages are converted to DNP3 at the gateway according to IEEE Std 1815.1 [28], which defines the way data structures are mapped. The falsified measurements indicate a change in the system states, which creates the event data at the DNP3 outstation. Once an event polling is received, the DNP3 outstation at the substation will send the malicious data to the DNP3 master at the control center [15].

2) CONTROL CENTER LEVEL

Once the control center receives malicious DNP3 packets, system operators can be misled by fabricated measurements or triggered alarms and take undesirable actions. For example, multiple substations may send falsified high voltages at the substations. In response, operators may decide to switch off capacitor banks at these substations, leading to actual low voltage conditions in the power grid.

B. IMPLEMENTATION OF DISTRIBUTED IDS AT THE SUBSTATION

1) LAW OF PHYSICS

The proposed IDS applies the laws of physics to detect anomalies in the measurements. The measurement system in IEC 61850 based substations includes sensing elements and IEDs. CT and VT (or Low-Power Voltage Transformers (LPVT) and Low-Power Current Transformers (LPCT)) are instrument transformers for current and voltage measurements. Note that CT/VT and the Merging Unit (MU) are subject to measurement errors, which may cause a violation of the detection rules, e.g., KCL, KVL or Ohm's Law. The accuracy of CT/VT and MUs under a normal condition is expressed by the accuracy class of the instrument [29]. To distinguish between measurement errors and cyberattacks, the rules of the proposed IDS shown in Table 1 include the coefficients $k_{cer,i}$ / $k_{ver,i}$, given for each instrument $i$, $i = 1, 2, \ldots, n$. They specify the tolerance in measurement errors. Current and voltage measurements are assumed to be synchronized phasors with time stamps.

a) KCL: The current $i_{exit}$ ($i_{enter}$) denotes the current phasors exiting (entering) the substation. When applying KCL to line currents at different voltage levels, the effect of a transformer must be considered. The compensation includes the magnitude and phase-shift determined by the transformation ratio and the connection of the windings [30]. As shown in Table 1, when the difference between the summation of $i_{exit}$ and that of $i_{enter}$ is within the error tolerance, KCL is considered satisfied.

TABLE 1. IDS rules for measurement attacks.

b) KVL: For any loop in the circuit graph, KVL requires that the algebraic sum of voltage drops on all branches around the loop be zero. $v_n$ denotes the voltage phasor at node $n$. Correspondingly, $k_{ver,n}$ is the error coefficient of the voltage measurement. For each loop, one of the buses is assigned to be the responsible bus. Based on the inter-communication


between substations, the responsible bus is tasked to verify KVL with measurements from the other nodes in this loop. When the summation of branch voltages in the loop does not exceed the error tolerance, KVL holds.

c) Ohm's Law: In Table 1, the current phasor $i_{jk}$ denotes the line current between two substations $j$, $k$, and $z_{line}$ denotes the line impedance. $v_j$, $v_k$ are the voltage phasors from substations $j$ and $k$, and $k_{ver,j}$, $k_{ver,k}$, $k_{cer,jk}$ are the error coefficients of $v_j$, $v_k$ and $i_{jk}$, respectively. Given the limit of the error tolerance, Ohm's Law between $v_j$ and $v_k$ is verified with the local measurement $i_{jk}$ and the voltage measurement $v_k$ from substation $k$.

2) DEPLOYMENT OF THE IDS IN SAS

Since MMS messages are the attack targets, the proposed IDS, as a novel security feature, is integrated with the gateway as shown in Fig. 1. For the proposed IDS, synchronized measurements are needed for verification by the three rules. Therefore, IEDs with IEC/TR 61850-90-5 capability are needed to provide synchronized data at the substation [31].

3) DISTRIBUTED ARCHITECTURE

To cross check measurements with other substations, the enabling technology of the proposed algorithm is the wide-area communication of synchronized measurements. IEC/TR 61850-90-5 is developed for exchanging synchrophasor data between different LANs through WANs based on the IEC 61850 standard [31]. To secure the communication over a public network, IEC 61850-90-5 provides message authentication and integrity mechanisms, including the Group Domain of Interpretation (GDOI) key distribution model, Hash based Message Authentication Code (HMAC), and Transport Layer Security (TLS). The proposed distributed IDS shown in Fig. 2 uses IEC 61850-90-5 for secure transmission of the synchronized data.

FIGURE 2. Communication mechanism between the substations.

As shown in Fig. 2, the synchronized data will be sent from the IED to the substation Phasor Data Concentrator (PDC). IEC 61850-90-5 will map the measurement data onto the UDP/IP protocol and then forward Routable-SV (R-SV) over the WAN. Once the local PDC receives data from other substations, the real-time measurement will be transmitted to the proposed IDS, where the data stream is parsed together with local measurements according to the proposed rules.

4) TIME SYNCHRONIZATION

To synchronize local measurements with the measurements from other substations, an IED supporting IEC 61850-90-5 generates time stamps of the measurements to provide GPS synchronized time for the IDS. Once a substation PDC receives synchronized measurements from other substations, it will align the data according to the time stamps. Each substation, as a distributed node of the proposed IDS, analyzes the measurements based on the time stamps of the packets. Therefore, the communication delay between substations does not impact the accuracy of the IDS.

C. SPECIFICATION OF IDS

Figure 3 describes the functions of the proposed IDS. First, the packet filtering module filters out irrelevant traffic. Only MMS messages responding to the data access request will proceed to the packet parsing module. Synchronized data from other substations are transmitted from the substation PDC to the IDS as an input. At the packet parsing module, measurement messages with time stamps are generated based on local sample values. Using synchronized measurements from local and other buses, the circuit laws in Table 1 are used to identify possible violations. After all rules are checked, the IDS triggers alarms if any violation is detected. For mitigation, the proposed IDS will discard malicious data once a violation is verified. Meanwhile, the IDS will transmit the actual measurements with time stamps to the gateway. Hence, the control center is not impacted by measurement attacks that take place in the substations.

FIGURE 3. Specification of IDS.

IV. COMPUTATIONAL ALGORITHMS

This section shows that the laws of physics used in the IDS can be used to detect false measurements under various attack scenarios. From the system topology, the adjacency matrix $A$ of the graph-theoretic model of a power system is defined [32]. As shown in (1), the column with label $nd$ and the row with label $br$ correspond to each node and branch,


respectively. Loads and generators are treated as branches connected to the ground node. Nonzero entries "1" and "−1" in each row represent the polarity of the connection.

$$A=\begin{array}{c|cccc} & nd_1 & nd_2 & \cdots & nd_n \\ \hline br_1 & 1 & -1 & \cdots & 0 \\ br_2 & 0 & 1 & -1 & \cdots \\ \vdots & & \ddots & \ddots & \\ & 0 & \cdots & 1 & -1 \\ br_m & -1 & \cdots & 0 & 1 \end{array} \qquad (1)$$

The branch voltage vector is a linear combination of the corresponding nodal voltages, i.e.,

$$V_b = A V_n \qquad (2)$$

where $V_b$, $V_n$ denote the vector of branch voltages (voltage drops on branches) and nodal voltages, respectively.

According to KCL, the sum of all currents at each node equals 0, which is formulated by the matrix $A^T$ in (3).

$$A^T I_b = 0 \qquad (3)$$

where $I_b$ is the vector of all branch currents.

A. MEASUREMENT ATTACKS AT A SINGLE SUBSTATION

Let $v'_{nj} = \varepsilon v_{nj}$ represent the observed voltage measurement at bus $j$, where $\varepsilon \neq 1$ means that the voltage measurement is falsified. Similarly, $i'_{jk} = \varepsilon_{jk} i_{jk}$, where $\varepsilon_{jk}$ denotes the attack model of the current measurement. $\varepsilon_{jk} \neq 1$ means that the current measurement is falsified. Then $(\varepsilon_{jk} - 1)\, i_{jk}$ represents the value added to the original measurement.

Scenario 1: multiple branch currents at bus $j$ are falsified:

a) If $\sum (\varepsilon_{exit} - 1)\, i_{exit} \neq \sum (\varepsilon_{enter} - 1)\, i_{enter}$:

$$\sum i'_{exit} = \sum i_{exit} + \sum (\varepsilon_{exit} - 1)\, i_{exit} \neq \sum i_{enter} + \sum (\varepsilon_{enter} - 1)\, i_{enter} = \sum i'_{enter},$$

then KCL will be violated.

b) If $\sum (\varepsilon_{exit} - 1)\, i_{exit} = \sum (\varepsilon_{enter} - 1)\, i_{enter}$:

$$\sum i'_{exit} = \sum \varepsilon_{exit}\, i_{exit} = \sum \varepsilon_{enter}\, i_{enter} = \sum i'_{enter}.$$

In this case, KCL will fail to detect the malicious current measurements. However, Ohm's law will be violated by $i'_{jk}$: $i'_{jk} z_{line} = (\varepsilon_{jk} i_{jk}) z_{line} \neq i_{jk} z_{line} = v_{nj} - v_{nk}$.

Scenario 2: the voltage measurement at bus $j$ is falsified: for any branch current $i_{jk}$, $i_{jk} z_{line} \neq v'_{nj} - v_{nk}$. Thus, the Ohm's law rule of the IDS will be violated at bus $j$.

Scenario 3: voltage and current measurements are attacked at bus $j$: for any line at bus $j$, if $i'_{jk} z_{line} \neq v'_{nj} - v_{nk}$, the IDS will detect the attack by Ohm's law.

B. MEASUREMENT ATTACKS AT MULTIPLE SUBSTATIONS

Let $V'_n = T_{vol} V_n$ represent the vector of voltage measurements that may contain falsified data. $T_{vol}$ defines the attack model, where $T_{vol} = \mathrm{diag}(\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_n)$. $\varepsilon_i \neq 1$ means that the $i$th voltage measurement is falsified. Similarly, $I'_b = T_{cur} I_b$, $T_{cur} = \mathrm{diag}(\lambda_1, \lambda_2, \ldots, \lambda_m)$. $\lambda_i \neq 1$ means that the $i$th branch current is falsified. The adversary can choose any $T_{cur}$, $T_{vol}$ to construct the malicious measurements. Thus, there are two attack scenarios:

Scenario 1: Suppose voltage and current measurements are attacked at multiple substations, and $T_{cur}$, $T_{vol}$ are matrices and not scalars. According to (3), the falsified current measurements are verified as follows:

$$A^T I'_b = A^T (T_{cur} I_b) \neq A^T I_b = 0 \qquad (4)$$

Both voltage and current measurements are verified by Ohm's law:

$$T_{cur}\, \mathrm{diag}(Z_{line})\, I_b = T_{cur} A V_n \neq A T_{vol} V_n \qquad (5)$$

Inequalities (4) and (5) show that this attack will be detected by KCL and Ohm's law.

Scenario 2: Suppose voltage and current measurements are attacked at multiple substations and $T_{vol} = \mu_1$, $T_{cur} = \mu_2$, where $\mu_1$, $\mu_2$ are scalars.

a) If $\mu_1 \neq \mu_2$,

$$A^T (T_{cur} I_b) = \mu_1 A^T I_b = 0 \qquad (6)$$

Thus, KCL will fail to detect such attacks in which all branch currents in the system are falsified by the factor $\mu_1$. However, inequality (5) is satisfied, thus Ohm's law will detect such attacks.

b) If $T_{vol} = T_{cur} = \mu$, measurements at all buses are multiplied by the same factor $\mu$ as follows:

$$T_{cur}\, \mathrm{diag}(Z_{line})\, I_b = T_{cur} A V_n = \mu A V_n = A T_{vol} V_n \qquad (7)$$

Equations (6), (7) show that an attack targeting all buses in the system by the same factor can avoid being detected by the proposed IDS. However, it is unlikely that all of the large number of buses will be attacked at the same time.

C. KVL DETECTION

Measurement attacks that cannot be detected by Ohm's law and KCL are analyzed based on the KVL detection. Under this specific scenario, the falsified voltage and current measurements $v'_j$, $i'_{kj}$ satisfy KCL and Ohm's law at bus $j$:

$$v_k - v'_j = i'_{kj} z_{kj} \qquad (8)$$

Normally, KVL is satisfied around each loop, i.e., $i_{12} z_{12} + \ldots + i_{n1} z_{n1} = 0$. However, under the attack given by (8), KVL for the related loop is expressed as:

$$v_1 - v_2 + \ldots + v_k - v'_j + v_j - v_{j+1} + \ldots + v_n - v_1 = i_{12} z_{12} + \ldots + i'_{kj} z_{kj} + \ldots + i_{n1} z_{n1} \neq 0 \qquad (9)$$

Inequality (9) indicates that KVL is able to uncover such attacks that cannot be detected by KCL and Ohm's Law.
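The three rules of Table 1 and the attack scenarios of Section IV, carried out in code. This is an added example, not the authors' implementation: the four-substation ring (bus labels borrowed from loop 1 of the testbed), the impedances, the phasors, the uniform tolerance coefficients $k_{ver}$, $k_{cer}$ and the way the tolerance is budgeted (coefficient times magnitude, summed over the instruments each rule touches) are constructed assumptions, as is the assumption that the voltage a substation receives from its neighbour over the PDC path is genuine while the attacker rewrites only the local MMS values. It reproduces the verdicts derived above: a falsified voltage trips Ohm's law; a uniform scaling of all currents at one bus passes KCL but trips Ohm's law and KVL; the attack of (8) passes KCL and Ohm's law at the attacked bus and is caught only by KVL at the responsible bus; the global scaling of (7) passes every rule.

```python
import cmath
import copy

# Constructed 4-substation ring; bus labels 10..13 mirror loop 1 of the paper,
# the impedances (p.u.) and the phasors below are made up for the example.
Z = {(10, 11): 0.02 + 0.20j, (11, 12): 0.03 + 0.25j,
     (12, 13): 0.02 + 0.18j, (13, 10): 0.04 + 0.30j}
LOOP = [10, 11, 12, 13]
# Assumed uniform error coefficients (Table 1 allows one per instrument).
K_VER, K_CER = 0.005, 0.01
V_TRUE = {10: cmath.rect(1.00, 0.00), 11: cmath.rect(0.98, -0.05),
          12: cmath.rect(0.97, -0.08), 13: cmath.rect(0.99, -0.03)}


def line_z(j, k):
    return Z[(j, k)] if (j, k) in Z else Z[(k, j)]


def neighbours(j):
    return [b for a, b in Z if a == j] + [a for a, b in Z if b == j]


def true_measurements(v_n):
    """Per substation: local voltage, line currents i_jk exiting toward each
    neighbour k, and the injection current entering from the generator/load
    branch, so that KCL holds exactly."""
    meas = {}
    for j, v in v_n.items():
        lines = {k: (v - v_n[k]) / line_z(j, k) for k in neighbours(j)}
        meas[j] = {"v": v, "i": lines, "inj": sum(lines.values())}
    return meas


def kcl_violation(m):
    """Table 1 KCL: |sum i_exit - sum i_enter| beyond the instrument budget."""
    exit_sum = sum(m["i"].values())
    tol = K_CER * (sum(abs(i) for i in m["i"].values()) + abs(m["inj"]))
    return abs(exit_sum - m["inj"]) > tol


def ohm_violation(j, m, remote_v):
    """Table 1 Ohm's law at substation j: local v_j and i_jk against the
    synchronized v_k from substation k (assumed genuine: it arrives over the
    PDC path, not through the attacked MMS stream)."""
    for k, i_jk in m["i"].items():
        drop = i_jk * line_z(j, k)
        resid = abs(m["v"] - remote_v[k] - drop)
        tol = K_VER * (abs(m["v"]) + abs(remote_v[k])) + K_CER * abs(drop)
        if resid > tol:
            return True
    return False


def kvl_violation(loop, reported):
    """Table 1 KVL at the responsible bus: sum of i_jk * z_jk around the
    loop, using the current each loop member reports."""
    total, tol = 0j, 0.0
    for j, k in zip(loop, loop[1:] + loop[:1]):
        drop = reported[j]["i"][k] * line_z(j, k)
        total += drop
        tol += K_CER * abs(drop)
    return abs(total) > tol


def run_ids(reported, remote_v):
    return {"kcl": [j for j in reported if kcl_violation(reported[j])],
            "ohm": [j for j in reported if ohm_violation(j, reported[j], remote_v)],
            "kvl": kvl_violation(LOOP, reported)}


# Attack models of Section IV, applied to the reported (MMS) values only.
def attack_voltage(rep, j, eps):            # v'_j = eps * v_j (Scenario 2, IV.A)
    rep[j]["v"] *= eps

def attack_scale_currents(rep, j, lam):     # every current at j times lam (IV.A 1b)
    rep[j]["i"] = {k: lam * i for k, i in rep[j]["i"].items()}
    rep[j]["inj"] *= lam

def attack_consistent(rep, j, eps, remote_v):  # eq. (8): KCL and Ohm hold at j
    rep[j]["v"] *= eps
    rep[j]["i"] = {k: (rep[j]["v"] - remote_v[k]) / line_z(j, k) for k in rep[j]["i"]}
    rep[j]["inj"] = sum(rep[j]["i"].values())

def attack_global(rep, mu):                 # eq. (7): T_vol = T_cur = mu everywhere
    for m in rep.values():
        m["v"] *= mu
        m["i"] = {k: mu * i for k, i in m["i"].items()}
        m["inj"] *= mu


def run_scenarios():
    """IDS verdict (buses tripping KCL / Ohm, loop tripping KVL) per scenario."""
    base = true_measurements(V_TRUE)
    out = {"baseline": run_ids(copy.deepcopy(base), V_TRUE)}
    rep = copy.deepcopy(base); attack_voltage(rep, 11, 1.3)
    out["voltage_11"] = run_ids(rep, V_TRUE)
    rep = copy.deepcopy(base); attack_scale_currents(rep, 11, 3.0)
    out["currents_11"] = run_ids(rep, V_TRUE)
    rep = copy.deepcopy(base); attack_consistent(rep, 11, 1.3, V_TRUE)
    out["consistent_11"] = run_ids(rep, V_TRUE)
    rep = copy.deepcopy(base); attack_global(rep, 1.3)
    out["global_1.3"] = run_ids(rep, {j: 1.3 * v for j, v in V_TRUE.items()})
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} KCL={verdict['kcl']} Ohm={verdict['ohm']} KVL={verdict['kvl']}")
```

The tolerance budget is the only place where a deployment would differ: real instruments carry their own accuracy class, so each term of the budget would use that instrument's coefficient rather than the uniform constants assumed here.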


V. TESTBED SETUP

A cyber-physical system testbed is developed to simulate the measurement attacks and implement the proposed IDS at the substation level. Simulations are performed on an embedded computer. The IEEE 39-bus system is implemented in an industry level power system simulator. As the physical system layer in the co-simulation environment, the simulated voltage and current measurements are exported to a simulated substation automation system in real-time. A commercial grade IEC 61850 source code is embedded to implement the MMS communication. To detect measurement attacks, the proposed IDS will parse the data flow of local measurements and synchronized data from other substations. Fig. 4 illustrates the data flow of the proposed testbed.

FIGURE 4. Data flow of cyber-physical system testbed.

Communication between the substations is needed to identify falsified measurements using KVL and Ohm's Law. Industrial communication protocols (e.g., IEC 61850 and IEC 61850-90-5) are used to establish the communication network among substations. Each of the 39 substations is assigned a unique address in the LAN. Data packets with measurements are sent to the destination IP address of the corresponding substations. Since data streaming among substations is transmitted in a distributed manner [31], data exchange between substations is executed in parallel using multiprocessing in the proposed simulation environment.

For KCL validation, the IDS in the substation LAN will parse local current measurements. Moreover, using the proposed ICT network, every substation checks Ohm's Law with local voltage measurements as well as those transmitted from other substations. For KVL validation, the loops in the IEEE 39 bus system are detected by the circuit analysis tool in Python. As shown in Fig. 5, there are 21 independent loops in the graph. The dashed lines in the figure represent the loops including the ground node, generator nodes, and load nodes. For instance, the yellow dashed line between node 15 and node 16 indicates that the loads which are connected to ground form a loop in the circuit with the transmission line between bus 15 and bus 16. The blue dashed line between node 31 and node 32 shows that the two generators which are connected to ground form a circuit loop with the transmission line between node 31 and node 32.

FIGURE 5. Independent circuit loops for IEEE 39 bus system.

For the IDS measurement checking, a responsible node (bus) is predefined for each loop. For instance, node 11, node 12 and node 13 in loop 1 send packets to the responsible node, node 10, such that the current measurements from each node in loop 1 are extracted from the payload of the packets for KVL validation.

VI. EXPERIMENTATION & EVALUATION

A. INTRUSION DETECTION RESULTS

Measurement attacks targeting single or multiple substations are simulated. A stealth false data injection attack is simulated for comparison between the proposed substation level IDS and a control center EMS based IDS. Representative attack scenarios are developed for simulation and validation of the proposed IDS.

Based on the concept of "undetectable" malicious measurements, e.g., [3]–[7], a general attack model can be constructed by $z_{bad} = z + a$, where $z$ denotes the original measurements and $a$ is the attack vector. To bypass the bad data detection in state estimation, if the attacker uses an attack vector $a = Hc$, where $H$ is the measurement matrix used in state estimation and $c$ is an arbitrary nonzero vector, the threshold of bad data detection will not be violated. However, the stealth attack will undermine the results of state estimation.

In this attack scenario, the original measurements are generated by combining the power flow results with measurement errors. The measurements of voltage magnitudes at bus 11 and bus 13 are falsified with a constructed vector $c$. The injected error shown in Fig. 6 represents the difference between the voltage magnitudes of the power flow results and the manipulated results of state estimation. It is noted that the differences at bus 11 and bus 13 are significant.

Table 2 shows the detection results of the stealth attack. With the IDS, the malicious voltage measurements violate Ohm's law at bus 11 and 13, which triggers the alerts at 0.078 and 0.095 seconds at each substation. However,


the norm of the measurement residuals, $\|z_{bad} - X_{est}\|$, is less than the threshold taken from the Chi-square table. Thus, without the proposed substation IDS, this attack can successfully inject malicious errors and bypass bad data detection. Much research has been concerned with the detection of stealth attacks targeting state estimation. Usually it is assumed that attackers have full/partial knowledge of the current system configuration. However, the proposed substation IDS is able to detect and mitigate the falsified measurements before they are sent out of the substation, whether the attacks are independent or coordinated.

FIGURE 6. Difference between the original and estimated measurements after a stealth attack.

TABLE 2. IDS rules for stealth attack.

Table 3 shows the detection results for different attack scenarios. For scenario 1, the attacker falsified the voltage measurements by increasing the magnitude of the measurements to 1.3 times. As current measurements are not fabricated, KCL and KVL are not violated according to the detection algorithms. From the detection results in Table 3, Ohm's Law at bus 10 successfully detects the attack, and the IDS warning is triggered as a response.

For scenario 2, current measurements on the line between bus 10 and bus 13 are falsified at bus 10, causing a violation of KCL and Ohm's Law at bus 10. The IDS warning at bus 10 is triggered. Since the falsified current violates KVL of Loop 1 (including buses 10, 11, 12, 13), the KVL alert is also triggered.

For scenario 3, all current measurements at bus 11 and bus 13 are falsified by increasing the line current to 3 times the measurements. KCL fails to detect this attack. However, Ohm's Law successfully detects this measurement attack at buses 11 and 13. KVL alerts are triggered by Loop 1 and Loop 2. Thus, the IDS warning at both buses is triggered.

Similarly, if both voltage and current measurements are falsified as in scenarios 4 and 5, the proposed IDS is able to detect the measurement-based attack by checking the IDS rules.

As shown in Table 3, Detection Time (DT) is estimated by the time difference between the time stamp in the messages and the time when the scanned packet is detected by any rule. The detection by KVL usually takes more time to complete. Ohm's Law detection is relatively fast since the time delay is based solely on the transmission delay of other buses. For KCL, the detection is the fastest as there is no need for communication with other substations. Once an alert is triggered by a violation, the IDS warning is triggered. Therefore, the DT of a particular measurement attack is determined by the fastest alert.

B. PERFORMANCE OF THE IDS

1) DETECTION TIME (DT)

Using Monte Carlo simulation, the measurement attacks targeting a random bus in the IEEE 39 bus system are executed 1000 times on the proposed testbed. DT as a performance metric is measured for each attack.

FIGURE 7. Distribution of detection time of each rule in IDS.

Fig. 7 illustrates the distribution of DT under single-bus and two-bus attacks, respectively. From the distribution of the results, KVL detection requires more time to check the detection rule. As the responsible bus in the loop validates KVL by collecting the measurement packets from other buses in the loop, the latency is caused by the highest transmission delay over all buses in the loop. Specifically, the maximum DT observed from KVL detection reached 0.15 second, as this loop is the largest loop in the system with 8 substations.

1246 VOLUME 9, 2021


R. Zhu et al.: Intrusion Detection Against MMS-Based Measurement Attacks at Digital Substations

TABLE 3. IDS performance for measurement attack scenarios.

The communication between buses is efficient. Indeed, checking of Ohm's Law is completed within 0.1 second. As validation of KCL is processed at the local substation without any confirmation information from the outer network, DT for KCL is around 0.01 second. In Fig. 7, the maximum DT is lower than 0.2 second, which is smaller than the cyclical time of DNP3 polling. Hence, the proposed IDS is able to identify falsified measurements before the measurement messages are sent out by the DNP3 outstation.

A histogram comparing the results is shown in Fig. 7(a) and (b). It is noted that the DT distribution of single-bus attacks is close to that of two-bus attacks, as expected. The reason is that the proposed IDS checks the consistency of measurements in a distributed manner at the substation level.

The general DT distribution for various attack scenarios in the 39-bus system is given in Fig. 8. In order to evaluate the performance of the proposed IDS under multiple cyberattacks, substations are randomly selected for the measurement attack. The Y axis in Fig. 8 represents the number of substations that are attacked simultaneously. For each attack scenario, the detection time of the attack is the time when the first alert is triggered by the IDS. In Fig. 8, the band represented by the box gives the maximum, minimum, and median of the detection time over 100 experiments, respectively. Outliers are shown as red points located outside the box. By comparing the respective median of each box, all medians are close to each other and fall under 0.025 s. The results show that, for a broad range of attacks, the distributed IDS responds within a short time.

FIGURE 8. Distribution of detection time for attacks targeting multiple substations.

2) DETECTION RATE (DR)

The accuracy of the proposed IDS is measured by DR, which is the ratio of TP (number of attack instances the IDS correctly detects) to FN + TP (overall number of attack instances).

$DR = \frac{TP}{FN + TP}$ (10)

Measurement packets mixed with the falsified measurements are sent at different rates. For a given rate, the experiments are repeated 100 times. The error bar is calculated based on the standard deviation of the results.

FIGURE 9. Detection rate with different traffic rates.

Fig. 9 shows the impact of traffic rate on DR. The results show that the IDS is able to detect the falsified data in the mixed data stream. In other words, if the attacker floods the system with duplicate packets at a rate of 1000 packets per second, the alarms are triggered once the first fabricated measurement is captured. Therefore, the mitigation strategy is able to prevent the substation from further flooding. However, it is observed that DR declines from 100% to 93% when the sending rate exceeds 1000 packets per second. The error bar indicates the low performance of the IDS when the data


traffic is too fast. Along with the increase of traffic speed, the delay time between any two packets becomes too small. The IDS is not fast enough to identify each packet within the mixed data stream at such a high speed, causing the falsified measurements in the missed packets to be misclassified.

VII. CONCLUSION

In this paper, the potential attack path of measurement attacks at the substation level is established. The performance of the proposed IDS has been validated by simulation with realistic measurement attacks. The proposed method achieves a high level of detection accuracy under high-speed traffic of measurement messages. By the proposed IDS, measurement attacks are detected within the substations, thereby avoiding the impact of falsified measurements on system operation in the control center. For future work, collaborative IDSs with communication among the substations should be studied so that the distributed IDSs will be able to work as a team to detect various attack types targeting the digital substations.

ACKNOWLEDGMENT

The authors would like to thank Mr. Randy Steele, American Electric Power, for his helpful discussions.


RUOXI ZHU (Graduate Student Member, IEEE) received the M.S. degree in electrical engineering from Virginia Tech, in 2020, where she is currently pursuing the Ph.D. degree. Her research interests include cyber-physical security of power systems, and voltage stability monitoring and control.

CHEN-CHING LIU (Life Fellow, IEEE) is currently an American Electric Power Professor and the Director of the Power and Energy Center, Virginia Tech. He is also an Adjunct Full Professor with University College Dublin, Ireland. He is a member of the U.S. National Academy of Engineering.

JUNHO HONG (Member, IEEE) is currently an Assistant Professor of electrical and computer engineering with the University of Michigan–Dearborn. He has been working on cybersecurity of energy delivery systems with the Department of Energy sponsored projects in the areas of substation, microgrid, HVDC, FACTS, and high-power EV charger.

JIANKANG WANG (Member, IEEE) is currently an Assistant Professor of electrical and computer engineering with The Ohio State University, where she is also an Adjunct Professor with the Department of Integrated System Engineering. She was appointed as a Lead Technical Specialist with California ISO, in 2018. Her research interests include electricity markets, renewable energy, PEV integration, and power system cyber-security.
