Real-Time IDS for Digital Substations: From Lab to Field Deployment

This paper presents an end-to-end intrusion detection framework for digital substations, spanning dataset construction, model development, embedded deployment, and field-oriented validation. A hybrid dataset is leveraged, combining traffic traces collected from operational substations with laboratory-generated traces designed to emulate cyberattack behaviors that cannot be safely reproduced in critical infrastructure environments. On this basis, a machine learning-based intrusion detection system (IDS) is trained to identify anomalous IEC 61850 communications, with particular emphasis on GOOSE messaging and substation-specific traffic dynamics. To bridge the gap between offline analysis and operational use, the IDS is integrated into SecureBox, an embedded cybersecurity device engineered for substation deployment. The implementation supports real-time packet capture and on-the-fly feature extraction, enabling continuous monitoring directly at the network interface with minimal operational disruption. Alerts and telemetry are exported to higher-level monitoring components to facilitate centralized correlation and response. The proposed approach provides a practical and reproducible pathway from controlled experimentation toward field deployment-oriented IDS framework with preliminary laboratory validation and ongoing field evaluation, addressing common constraints such as limited availability of real attack traces, strict uptime requirements, and the need for low-overhead edge execution. The resulting framework establishes a reproducible methodology for transitioning IDS research from laboratory conditions toward real-world substation environments.