Smart grids are increasingly exposed to sophisticated cyber threats because they rely on interconnected communication networks, as demonstrated by real-world incidents such as the cyberattacks on the Ukrainian power grid. In IEC61850-based smart substations, the Manufacturing Message Specification (MMS) protocol operates over TCP to facilitate communication between SCADA systems and field devices such as Intelligent Electronic Devices (IEDs) and Programmable Logic Controllers (PLCs). Although MMS enables efficient monitoring and control, adversaries can exploit it to generate legitimate-looking packets for reconnaissance, unauthorized state reading, and malicious command injection, thereby disrupting grid operations. In this work, we propose a fully automated attack detection and prevention framework for IEC61850-compliant smart substations to counter remote cyberattacks that manipulate process states through compromised PLCs and IEDs. A detailed analysis of the MMS protocol is presented, and critical MMS field-value pairs are extracted during both normal SCADA operation and active attack conditions. The proposed framework is validated using seven datasets comprising benign operational scenarios and multiple attack instances, including IEC61850Bean-based attacks and script-driven attacks leveraging the libiec61850 library. Our approach accurately identifies attack-signature-carrying MMS packets that attempt to disrupt circuit breaker status, specifically those targeting the smart home zone IED and PLC of the EPIC testbed. The results demonstrate the effectiveness of the proposed framework in precisely detecting malicious MMS traffic and enhancing the cyber resilience of IEC61850-based smart grid environments.
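The abstract describes matching MMS field-value pairs against signatures that distinguish benign SCADA operation from reconnaissance, unauthorized reads and control writes aimed at circuit breaker status. The following Python block is an added illustration of that kind of screening logic; it is not the paper's framework, nor code from IEC61850Bean or libiec61850. It assumes that MMS requests have already been decoded into dictionaries (source address, service type, item name, timestamp), that the address of the legitimate SCADA master is known, and that breaker control objects follow the IEC 61850 style naming `LN$CO$Pos$Oper$ctlVal`. The sample requests are constructed, not captured traffic.

```python
"""Signature-style screening of decoded MMS requests (added example).

Assumptions (not from the paper): requests arrive as dicts already decoded
from MMS PDUs; the SCADA master address is known; breaker control writes
target items ending in "$Oper$ctlVal" (IEC 61850 control model naming).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a benign SCADA read/write, then a second host that
# enumerates the IED, reads breaker status and writes a breaker control,
# followed by a burst of control writes from the trusted master itself.
SAMPLE_REQUESTS = [
    {"ts": 0.0, "src": "10.0.0.5", "service": "Read",
     "item": "SHZ_IED/CSWI1$ST$Pos$stVal"},
    {"ts": 1.0, "src": "10.0.0.5", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": True},
    {"ts": 5.0, "src": "10.0.9.77", "service": "GetNameList"},
    {"ts": 5.2, "src": "10.0.9.77", "service": "Read",
     "item": "SHZ_IED/CSWI1$ST$Pos$stVal"},
    {"ts": 5.4, "src": "10.0.9.77", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": False},
    {"ts": 10.0, "src": "10.0.0.5", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": False},
    {"ts": 10.3, "src": "10.0.0.5", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": True},
    {"ts": 10.6, "src": "10.0.0.5", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": False},
    {"ts": 10.9, "src": "10.0.0.5", "service": "Write",
     "item": "SHZ_IED/CSWI1$CO$Pos$Oper$ctlVal", "value": True},
]

SCADA_MASTERS = {"10.0.0.5"}  # assumed legitimate SCADA master (constructed)


@dataclass
class Alert:
    rule: str
    src: str
    ts: float
    item: Optional[str]


def is_control_write(req: Dict) -> bool:
    """True for an MMS Write whose target is a control value (ctlVal)."""
    return req["service"] == "Write" and req.get("item", "").endswith("$Oper$ctlVal")


def screen(requests: List[Dict], masters: set, burst_limit: int = 3,
           window_s: float = 2.0) -> List[Alert]:
    """Apply three rules over decoded MMS requests.

    1. Any GetNameList from a host that is not a SCADA master: reconnaissance.
    2. Any Read/Write from such a host: unauthorized state read / command injection.
    3. More than `burst_limit` control writes to one item within `window_s`
       seconds, even from a trusted master: script-driven toggling of a breaker.
    """
    alerts: List[Alert] = []
    recent: Dict[str, deque] = defaultdict(deque)  # item -> timestamps of control writes
    for r in requests:
        src, svc, item, ts = r["src"], r["service"], r.get("item"), r["ts"]
        if src not in masters:
            rule = {"GetNameList": "recon_enumeration",
                    "Read": "unauthorized_read",
                    "Write": "unauthorized_write"}.get(svc, "unexpected_service")
            alerts.append(Alert(rule, src, ts, item))
            continue
        if is_control_write(r):
            q = recent[item]
            q.append(ts)
            while q and ts - q[0] > window_s:  # drop writes outside the window
                q.popleft()
            if len(q) > burst_limit:
                alerts.append(Alert("control_write_burst", src, ts, item))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per rule; useful for a quick per-dataset comparison."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = screen(SAMPLE_REQUESTS, SCADA_MASTERS)
    for a in found:
        print(f"{a.ts:5.1f}s {a.rule:22s} src={a.src} item={a.item}")
    print(summarize(found))
```

On the constructed sample the screen raises four alerts: one enumeration, one unauthorized read and one unauthorized write from the untrusted host, and one burst alert on the fourth control write from the trusted master within two seconds. The burst rule is the part worth tuning per substation: the limit and window should come from the benign datasets, since a legitimate operator never toggles a breaker several times a second.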