ML-based Intrusion Detection System for IEC 61850 MMS
Abstract
Cyberattacks targeting operational technology (OT) systems, such as power grids, have evolved into highly sophisticated threats. In the last two decades, state-sponsored adversaries have increasingly weaponized protocol-compliant attacks, as in the case of the Industroyer malware, which masquerades its attacks using legitimate protocol formats. These attacks exploit trusted communication frameworks, such as the IEC 61850 Manufacturing Message Specification (MMS), to compromise Intelligent Electronic Devices (IEDs) and destabilize grid operations. MMS is a cornerstone of communication in a smart grid and can be exploited through one of its own features: remote control command execution on IEDs.
Recent research efforts to enhance smart grid security have primarily focused on the IEC 61850 protocol, particularly the Generic Object-Oriented Substation Events (GOOSE) protocol. Some studies have also examined MMS, but these approaches remain limited, mainly addressing generic TCP/IP networking issues. This project aims to explore potential opportunities for advancing MMS protocol security, enabling detection of not only basic attacks (e.g., replay attacks) but also malware intrusions. By leveraging the strengths of one-class classifier ML models, the project addresses the challenge of limited MMS attack data availability while also providing resilience against potential zero-day attacks.
This project consists of two key components:
i) Rule-based NIDS - Implementing MMS service error and signature-based rules.
ii) MMS Service Anomaly - Detecting intrusions using top-ranked MMS application layer protocol features.
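The one-class idea behind component ii), as an added sketch that is not the project's code: a model fitted only on benign MMS traffic flags windows that fall outside the learned envelope, so no attack samples are needed. The feature names, window counts and the z-score envelope (standing in for the one-class classifier, which the abstract does not name) are assumptions.

```python
import math

# Assumed per-window features for one client/IED pair (not taken from the page):
# counts of MMS read requests, write requests and confirmed-ErrorPDUs.
FEATURES = ("read", "write", "error")

# Constructed benign-only training windows: steady polling, rare writes and errors.
BENIGN = [
    {"read": 60, "write": 1, "error": 0},
    {"read": 58, "write": 0, "error": 0},
    {"read": 62, "write": 2, "error": 1},
    {"read": 59, "write": 1, "error": 0},
    {"read": 61, "write": 1, "error": 1},
    {"read": 60, "write": 0, "error": 0},
]

def score(model, window):
    """Return (largest absolute z-score, feature responsible for it)."""
    return max((abs(window[f] - model[f][0]) / model[f][1], f) for f in FEATURES)

def fit(windows, margin=1.5):
    """Learn mean/std per feature from benign windows, then set the threshold
    to `margin` times the worst score seen on that same benign data."""
    model = {}
    for f in FEATURES:
        vals = [w[f] for w in windows]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        # Floor the std so near-constant features do not alert on a change of 1.
        model[f] = (mean, max(std, 1.0))
    model["threshold"] = margin * max(score(model, w)[0] for w in windows)
    return model

def classify(model, window):
    """Label a window and name the feature that drove an anomalous verdict."""
    s, feature = score(model, window)
    return ("anomalous", feature) if s > model["threshold"] else ("normal", None)

if __name__ == "__main__":
    m = fit(BENIGN)
    for w in ({"read": 61, "write": 1, "error": 0},    # ordinary polling
              {"read": 60, "write": 25, "error": 0},   # burst of control writes
              {"read": 59, "write": 1, "error": 12}):  # burst of service errors
        print(w, classify(m, w))
```

Reporting the responsible feature alongside the verdict gives an analyst a starting point for triage, for example an unexpected burst of write requests toward an IED.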