Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations
The information security of IEC 61850-compliant substations is a growing concern for researchers and industry practitioners. IEC 62351, developed to address such concerns, recommends the use of intrusion detection systems (IDSs) as a defense, prompting extensive research on their development, partic...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2025-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/11077139/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849318115750445056 |
|---|---|
| author | Filip Natvig Lars Nordstrom Goran N. Ericsson |
| author_facet | Filip Natvig Lars Nordstrom Goran N. Ericsson |
| author_sort | Filip Natvig |
| collection | DOAJ |
| description | The information security of IEC 61850-compliant substations is a growing concern for researchers and industry practitioners. IEC 62351, developed to address such concerns, recommends the use of intrusion detection systems (IDSs) as a defense, prompting extensive research on their development, particularly in data-driven approaches. Data-driven IDSs rely on high-quality and comprehensive training data. However, capturing complete datasets for each unique substation at scale is challenging due to the diverse and dynamic operating states between substations. Transfer learning (TL) has been shown to improve model performance in data-scarce environments; however, to the best of our knowledge, no prior work has formulated its use in the context of knowledge transfer between IEC 61850 substations. To address this gap, we propose cross-substation transfer learning (XSTL), a strategy that leverages knowledge transfer between substations that share the same protocol stack but differ in architecture. We demonstrate the value of XSTL using two publicly available datasets collected from substations with contrasting architectures, and show that XSTL can improve IDS performance compared to training IDSs in an isolated manner. Using data from a generic object-oriented substation event (GOOSE) flooding attack, we show that IDS performance is significantly improved in cross-domain tests (using data from two different substations) compared with baseline tests (using data from one substation), with statistical analyses confirming the significance of the improvement. These findings indicate that XSTL can reduce reliance on large datasets, thereby enabling more practical and scalable IDS development across substations where collecting diverse training data is challenging. |
| format | Article |
| id | doaj-art-75d84288816f4e3b9ea0b8ee8f1a4351 |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-75d84288816f4e3b9ea0b8ee8f1a43512025-08-20T03:50:59ZengIEEEIEEE Access2169-35362025-01-011311950011951110.1109/ACCESS.2025.358792311077139Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 SubstationsFilip Natvig0https://orcid.org/0009-0005-6285-3054Lars Nordstrom1https://orcid.org/0000-0003-3014-5609Goran N. Ericsson2Department of Electrical Engineering, Uppsala University, Uppsala, SwedenDepartment of Electric Power and Energy Systems, KTH Royal Institute of Technology, Stockholm, SwedenDepartment of Electrical Engineering, Uppsala University, Uppsala, SwedenThe information security of IEC 61850-compliant substations is a growing concern for researchers and industry practitioners. IEC 62351, developed to address such concerns, recommends the use of intrusion detection systems (IDSs) as a defense, prompting extensive research on their development, particularly in data-driven approaches. Data-driven IDSs rely on high-quality and comprehensive training data. However, capturing complete datasets for each unique substation at scale is challenging due to the diverse and dynamic operating states between substations. Transfer learning (TL) has been shown to improve model performance in data-scarce environments; however, to the best of our knowledge, no prior work has formulated its use in the context of knowledge transfer between IEC 61850 substations. To address this gap, we propose cross-substation transfer learning (XSTL), a strategy that leverages knowledge transfer between substations that share the same protocol stack but differ in architecture. We demonstrate the value of XSTL using two publicly available datasets collected from substations with contrasting architectures, and show that XSTL can improve IDS performance compared to training IDSs in an isolated manner. Using data from a generic object-oriented substation event (GOOSE) flooding attack, we show that IDS performance is significantly improved in cross-domain tests (using data from two different substations) compared with baseline tests (using data from one substation), with statistical analyses confirming the significance of the improvement. These findings indicate that XSTL can reduce reliance on large datasets, thereby enabling more practical and scalable IDS development across substations where collecting diverse training data is challenging.https://ieeexplore.ieee.org/document/11077139/Cybersecuritydeep learningtransfer learningIEC 61850IEC 62351intrusion detection |
| spellingShingle | Filip Natvig Lars Nordstrom Goran N. Ericsson Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations IEEE Access Cybersecurity deep learning transfer learning IEC 61850 IEC 62351 intrusion detection |
| title | Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations |
| title_full | Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations |
| title_fullStr | Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations |
| title_full_unstemmed | Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations |
| title_short | Exploring Cross-Substation Transfer Learning for Improving Cybersecurity in IEC 61850 Substations |
| title_sort | exploring cross substation transfer learning for improving cybersecurity in iec 61850 substations |
| topic | Cybersecurity deep learning transfer learning IEC 61850 IEC 62351 intrusion detection |
| url | https://ieeexplore.ieee.org/document/11077139/ |
| work_keys_str_mv | AT filipnatvig exploringcrosssubstationtransferlearningforimprovingcybersecurityiniec61850substations AT larsnordstrom exploringcrosssubstationtransferlearningforimprovingcybersecurityiniec61850substations AT gorannericsson exploringcrosssubstationtransferlearningforimprovingcybersecurityiniec61850substations |