The cyberattacks that occurred in recent years have raised concerns in critical infrastructures, including power system networks. Identifying ongoing attacks is essential to enable the energy industry to respond to adversaries. Many commercial products and research projects include machine-learning-based intrusion detection systems, but there is still a need to understand the training-data requirements of those systems in order to deploy them successfully to protect power systems. This paper presents the development of an anomaly-based Intrusion Detection System (IDS) based on a machine learning methodology that creates a whitelist of normal traffic. The system was implemented using GNU Octave. It was trained using traffic flows from real devices, generated on a Virtual Site Acceptance Testing and Training (VSATT) platform where multi-vendor secondary devices were set up and communicated with each other. The system was then tested using different datasets, which were also generated on the VSATT platform. Results show that the implemented IDS performed correctly under different case studies. The results also indicate that the learned traffic identifies GOOSE and MMS messages based on the normal behaviours of those protocols, but the presence of other messages might require manual inputs to be incorporated in the training dataset.
D.T. Dantas, H. Li, T. Charton, L. Chen, R. Zhang. Presented at the 15th International Conference on Developments in Power System Protection (DPSP), Liverpool, 9-12 March 2020.
KEYWORDS: Intrusion Detection System, Machine Learning, IEC 61850, IEC 62351, Operation Technology
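The whitelist approach the abstract describes, as an added illustration that is not the paper's Octave implementation: benign GOOSE and MMS flows are learned as allowed (source MAC, destination MAC, protocol, identifier) tuples, unseen flows are reported, and a message type absent from the training capture (NTP here) is whitelisted only through a manual entry. All MAC addresses, APPIDs and flows are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    proto: str   # "GOOSE" (EtherType 0x88B8) or "MMS" (ISO-over-TCP, port 102)
    ident: int   # GOOSE APPID, or MMS server TCP port

def flow_key(f: Flow) -> tuple:
    """Reduce a flow to the features the whitelist is keyed on."""
    return (f.src_mac, f.dst_mac, f.proto, f.ident)

def learn_whitelist(training: list[Flow], manual: set[tuple] = frozenset()) -> set[tuple]:
    """Training phase: every flow seen in benign traffic becomes allowed.
    `manual` holds entries an engineer adds for messages the capture lacked."""
    return {flow_key(f) for f in training} | set(manual)

def detect(whitelist: set[tuple], traffic: list[Flow]) -> list[Flow]:
    """Detection phase: any flow absent from the whitelist is reported."""
    return [f for f in traffic if flow_key(f) not in whitelist]

# Constructed benign traffic: two IEDs publish GOOSE, the HMI polls them over MMS.
IED_A, IED_B, HMI = "00:a0:45:00:00:01", "00:a0:45:00:00:02", "00:50:56:00:00:10"
GOOSE_MCAST = "01:0c:cd:01:00:01"
TRAINING = [
    Flow(IED_A, GOOSE_MCAST, "GOOSE", 0x0001),
    Flow(IED_B, GOOSE_MCAST, "GOOSE", 0x0002),
    Flow(HMI, IED_A, "MMS", 102),
    Flow(HMI, IED_B, "MMS", 102),
]
# Constructed test traffic: the benign flows, an NTP flow the training capture
# did not contain, a GOOSE publisher and an MMS client never seen in training.
NTP = Flow(IED_A, "00:50:56:00:00:20", "NTP", 123)
TEST = TRAINING + [
    NTP,
    Flow("00:00:00:00:00:99", GOOSE_MCAST, "GOOSE", 0x0001),
    Flow("00:50:56:00:00:99", IED_A, "MMS", 102),
]

def run_case_study(manual_ntp: bool = True) -> list[Flow]:
    """Learn from TRAINING (optionally with a manual NTP entry), then scan TEST."""
    manual = {flow_key(NTP)} if manual_ntp else set()
    return detect(learn_whitelist(TRAINING, manual), TEST)

if __name__ == "__main__":
    for alert in run_case_study():
        print("ALERT", alert)
```

Without the manual NTP entry the legitimate time-sync flow is reported alongside the two genuinely unknown flows, which is the false-positive mode the abstract's last sentence points to.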