Cybersecurity breaches in digital substations can pose significant challenges to the stability and reliability of power system operations. To address these challenges, defense and mitigation techniques are required. Identifying and detecting anomalies in information and communication technology (ICT) is crucial to ensure secure device interactions within digital substations. This paper proposes a task-oriented dialogue (ToD) system for anomaly detection (AD) in datasets of multicast messages, e.g., generic object-oriented substation event (GOOSE) and sampled value (SV), in digital substations using large language models (LLMs). This model has a lower potential error and better scalability and adaptability than a process that considers the cybersecurity guidelines recommended by humans, known as the human-in-the-loop (HITL) process. Also, this methodology significantly reduces the effort required when addressing new cyber threats or anomalies compared with machine learning (ML) techniques, since it leaves the model's complexity and precision unaffected and offers a faster implementation. The findings are presented as a comparative assessment of the proposed AD framework and the HITL process, conducted using standard and advanced performance evaluation metrics. To generate and extract datasets of IEC 61850 communications, a hardware-in-the-loop (HIL) testbed was employed.