Summary
The digitalization of substations is transforming how utilities manage cybersecurity across protection, automation, and control systems. With the widespread adoption of IEC 61850, substation communication has evolved into a highly interconnected, Ethernet-based environment where operational technology (OT) networks are directly linked to real-time protection functions. As a result, cybersecurity is no longer an isolated IT concern but a systemlevel requirement that directly affects reliability, safety, and operational continuity.
Read more Read lessIEC 61850 enables interoperability and engineering efficiency via standardized communication services such as Manufacturing Message Specification (MMS), Generic Object
Oriented Substation Event (GOOSE), and Sampled Measured Values (SMV). However, these benefits increase exposure to network-based and protocol-specific cyberthreats. At the same time, process bus communication, carrying GOOSE and SMV traffic, is tightly coupled with protection and control actions and therefore imposes strict constraints on latency, determinism, and availability [1]. From a utility perspective, even a single malicious or malformed message may lead to faulty operations in the protection system or service disruptions.
Conventional cybersecurity mechanisms, including perimeter firewalls, network segmentation, and passive intrusion detection, remain essential elements of a defense-in-depth strategy. These approaches are often insufficient for protection-critical environments where threats must be mitigated in real time and software-based inspection may introduce nondeterministic delays. This creates a gap between cybersecurity management objectives and operational requirements of IEC 61850-based substations.
To address the gap, this paper presents a Substation Real-time Intrusion Prevention
Module (SRIM) as part of a comprehensive cybersecurity approach for digital substations.
SRIM is a hardware-based, FPGA-accelerated intrusion prevention architecture designed for inline deployment within critical communication paths. By performing protocol-aware Deep
Packet Inspection (DPI) at line rate, SRIM enables deterministic enforcement of cybersecurity policies with mere microsecond-level latency, thereby aligning security controls with protection system performance requirements. Implemented in a Small Form-factor Pluggable (SFP) module, SRIM can be integrated into existing Ethernet switches without major architectural changes.
Experimental evaluation in a representative substation testbed demonstrates that SRIM achieves wire-speed throughput with deterministic microsecond-level latency, meeting the stringent timing requirements of process bus communication, In contrast to CPU-based processing approaches, which exhibit significant performance degradation under inspection workloads, the FPGA-based implementation maintains consistent performance, enabling reliable inline deployment without disrupting protection and control functions. These results validate the feasibility of hardware-accelerated, protocol-aware intrusion prevention for protection-critical IEC 61850 substation environments.
Additional informations
| Publication type | Session Materials |
|---|---|
| Reference | D2_10116_2026 |
| Publication year | |
| Publisher | CIGRE |
| Country | France |
| Study committees | |
| File size | 699 KB |
| Price for non member | 30 € |
| Price for member | 30 € |
Authors
WU Hsi-Chin - Moxa Inc. Taiwan; LU Hsin-Yu - Moxa Inc. Taiwan; HUANG Yu-Kang - Moxa Inc. Taiwan
Keywords
Substation Automation Systems (SAS), Digital Substation, Inline Protection, Real-time protection, Protocol-aware security, Intrusion prevention system (IPS), Generic Object Oriented Substation Event (GOOSE), and Sampled Measured Values (SMV)
