Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations

Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations

The information security of IEC 61850-compliant substations is a growing concern for researchers and industry practitioners. IEC 62351, developed to address such concerns, recommends the use of intrusion detection systems (IDSs) as a defense, prompting extensive research on their development, partic...

Full description

Saved in:
Bibliographic Details
Main Authors: Filip Natvig, Lars Nordstrom, Goran N. Ericsson
Format: Article
Language:English
Published: IEEE 2025-01-01
Series:IEEE Access
Subjects:
Cybersecurity
deep learning
transfer learning
IEC 61850
IEC 62351
intrusion detection
Online Access:https://ieeexplore.ieee.org/document/11077139/
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The information security of IEC 61850-compliant substations is a growing concern for researchers and industry practitioners. IEC 62351, developed to address such concerns, recommends the use of intrusion detection systems (IDSs) as a defense, prompting extensive research on their development, particularly in data-driven approaches. Data-driven IDSs rely on high-quality and comprehensive training data. However, capturing complete datasets for each unique substation at scale is challenging due to the diverse and dynamic operating states between substations. Transfer learning (TL) has been shown to improve model performance in data-scarce environments; however, to the best of our knowledge, no prior work has formulated its use in the context of knowledge transfer between IEC 61850 substations. To address this gap, we propose cross-substation transfer learning (XSTL), a strategy that leverages knowledge transfer between substations that share the same protocol stack but differ in architecture. We demonstrate the value of XSTL using two publicly available datasets collected from substations with contrasting architectures, and show that XSTL can improve IDS performance compared to training IDSs in an isolated manner. Using data from a generic object-oriented substation event (GOOSE) flooding attack, we show that IDS performance is significantly improved in cross-domain tests (using data from two different substations) compared with baseline tests (using data from one substation), with statistical analyses confirming the significance of the improvement. These findings indicate that XSTL can reduce reliance on large datasets, thereby enabling more practical and scalable IDS development across substations where collecting diverse training data is challenging.
ISSN:2169-3536

Similar Items