SH-SDS: a new static-dynamic strategy for substation host security detection

Power grid and substation

The power grid has evolved into a cyber-physical system, integrating intelligent communication and control technologies, which typically consists of power plants, electricity facilities (such as household electricity, industrial electricity, etc.), transmission towers, substations, and others, is used to transmit and distribute electric power (Fang et al., 2012), as shown in Fig. 1. For example, televisions and computers, as well as larger industrial machinery and equipment used in factories, are all electrical facilities integral to daily life and industrial processes, forming an essential part of the overall power system. Transmission towers serve as the support structures for transmission lines, playing a crucial role in fixing and supporting these lines to ensure the stability and reliability of the power system. Similarly, substations act as vital components within the power grid, functioning as intricate nodes where voltage is transformed and regulated. The smart grid’s cyber and physical components are deeply interconnected. Advances in communication and information technologies have been utilized to enhance the monitoring and control of power system. The interconnected nature of digital communications, remote control of devices, and data streams among intelligent machines create a larger attack surface. An attacker can potentially compromise cyber infrastructures and manipulate the control system, leading to physical damage.

Overall, the power grid is a sophisticated network that generates electrical power at power plants. It is converted and distributed through electricity facilities, and supported and controlled by transmission towers and substations. In modern power grids, integrating technology brings both advancements and challenges. Protecting against cyber threats becomes critical for the digital infrastructure and preventing potential physical damage to the power system.

The smart substation adopts advanced and reliable intelligent equipment, enhancing the information sharing and interoperability among intelligent power equipment and achieving the sharing of digital substation information, network communication platform, and standardized information (Yuan et al., 2021; Huang, 2018). The application of the standard IEC 68150 communication protocol in the smart substation provides a data platform for intelligent applications (Kim et al., 2019). Compared to traditional substations, intelligent substations have enhanced interoperability, reconfigurability, controllability, maintainability, and flexibility (Kezunovic et al., 2010). However, with the improvement of substation intelligence capabilities, smart substations are also more susceptible to network attacks (Tong et al., 2018; Yang et al., 2021). In the past, private protocols have been commonly used for communication between different devices in substations, and the goal of ensuring network security is achieved by limiting the propagation range of communication protocols. However, the IEC 61850 and communication protocols used in intelligent substations are public. Network attacks on substations can more easily issue incorrect instructions to smart devices inside the substation by tampering with communication, leading to misoperation of devices inside the substation and causing negative impacts on the safe and stable operation of the power grid (Gaspar et al., 2023; Karantaev et al., 2021). Therefore, it is necessary to study the network security of intelligent substations.

Cyberattack detection system in substations

The network security protection measures for smart substations can be divided into two methods: baseline verification and intrusion detection. The baseline verification improves the network security protection level of the host before the attack occurs (Pattanavichai, 2017), while intrusion detection methods detect and block attacks when it occurs (AydN, Zaim & Ceylan, 2009).

Security baseline verification is a passive security protection technology that includes system status, system security configuration, and system vulnerabilities (Zhang & Li, 2023; Fang et al., 2012; Liu & Hu, 2023; Chen et al., 2017, 2021; Wang, Yang & Liu, 2020; Sun, 2020; Rotella, 2018). It is the minimum requirement to ensure information security. By checking the baseline and rectifying issues, the overall security level of the host can be improved, achieving protection against attacks. For example, Lina & Dongzhao (2020) present a security SDS architecture which provided an open interface to change the network security configuration file, then resist network security attacks. Zhang & Li (2023) analyze the current security status of computer network information to propose an computer network information security protection evaluation method, which has an important practical significance for the security protection of enterprise computer network information. Liu & Hu (2023) design a security baseline automatic verification method based on the SCAP protocol, which takes into account the national standard for host security level protection, to achieve an improvement in the ability of domestic autonomous computer terminals to resist security risks. Chen et al. (2021) design a security baseline evaluation model that includes operational processes and scoring algorithms to suite for power intelligent IoT terminals. However, the main restriction of the existing research methods on baseline verification is that they hardly consider the network security of the substation secondary system.

IDSs (Intrusion Detection Systems) are security mechanisms designed to identify and respond to unauthorized activities or potential security incidents within a computer network or systems, which detect attacks when they happen or after they have taken place (AydN, Zaim & Ceylan, 2009). This distinction leads to two main types of IDSs: the signature-based IDSs and the anomaly-based IDSs. In real time, the signature-based IDSs identify known attack patterns or signatures in network traffic or system logs, alerting when a match is found (Jin, Chung & Xu, 2021). The anomaly-based IDSs establish a typical network or system behavior baseline and trigger alerts or alarms when deviations from this baseline are detected. Anomalies may indicate potential attacks or security incidents (Emanet, Karatas Baydogmus & Demir, 2023). IDS plays a crucial role in enhancing the security posture of computer networks and systems by providing a proactive means to identify and respond to security threats. These are integral to a comprehensive cybersecurity strategy, working alongside other security measures such as firewalls, antivirus software, and security policies. Sun (2020) propose reinforcement methods for Windows hosts and constructed a multi-level active defense system to address security threats within enterprise networks. Table 1 provides insights into recent researches on other IDSs, including models or systems, used methods, and solving problems. However, most researches focus on methods to resist intrusion, and these are rarely used in substation secondary systems. Unlike ordinary intrusion detection, substation host security detection aims to connect through a local area network. It faces a relatively single type of intrusion and requires higher work efficiency when conducting intrusion detection.

In response to attacks that maliciously modify data, Li et al. (2022) enhance IEC61850 message security using a message authentication code function and dynamic keys in Hash-MAC calculations to minimize key cracking risks, alongside difference sequence variance for detecting abnormal packets, increasing detection accuracy. Sun et al. (2022) enhance the ProbeSpace self-attention and self-distillation mechanisms with Informer, addressing long sequence network traffic issues by focusing on time series features, thus boosting efficiency. Valenzuela, Wang & Bissinger (2013) deploy multivariate statistical process control for data integrity, utilizing principal component analysis to distinguish between regular and irregular power system subspaces for information leakage analysis. Yang et al. (2020) introduce a Conditional Deep Belief Network (CDBN) based intrusion detection mechanism to quickly and accurately identify attack features, demonstrating the model’s effectiveness in real-time detection. Sahu et al. (2021) combine network and physical data for intrusion detection, testing the model’s efficacy with various learning approaches proving its accuracy in identifying network intrusions to safeguard the power system.

However, the dynamic nature of keys may require robust mechanisms for key distribution, rotation, and storage, which can be challenging to implement and maintain. Cryptographic operations, such as message authentication code generation, can introduce computational overhead. Anomaly detection techniques, like difference sequence variance, may lead to false positives. Therefore, we develop SH-SDS for automated security detection in substations, structuring detection into two phases: initial strategy library creation via RG Algorithm and detailed item-by-item testing using the SG algorithm. This process yields a targeted detection list, with SH-SDS comparing outcomes against set benchmarks to generate comprehensive reports. Demonstrated practical efficiency and effectiveness underscore SH-SDS’s role as a pivotal security tool for substations.

Substation networks

Substations, comprising primary and secondary systems, are crucial in transforming, distributing, and controlling electrical energy. The primary system comprises circuit breakers, main transformers, and other electrical equipment for power transmission. The secondary system monitors, controls, and protects the primary equipment, consisting of hosts and embedded devices carrying different functions connected through information networks (Matta et al., 2012). The master station receives the status of equipment from the secondary system of the substations and issues control commands for primary and secondary equipment in the substations. The overview of the network between substations and master stations is illustrated in Fig. 2.

The described architecture of a substation provides an overview of the network configuration and security measures in place. Here are some key components for network security protection in substations.

Cyber security threat model in substation

Power grid operation data, equipment operating permissions, and the stable operation of the power system may all be targets of attackers. Attackers may attack the power grid through network or social engineering means. Threat modeling is a technique for identifying security risks. For substation network security, threat modeling assesses all potential methods that could compromise system confidentiality, integrity, and availability from an attacker’s viewpoint, thereby mitigating such threats. This article utilizes the STRIDE model for network security threat modeling, analyzing risks related to spoofing, tampering, repudiation, information disclosure, denial of service, and evaluation of privilege, as shown in Table 2 (Sheikh & Singh, 2022). Some possible protective measures are also listed.

The STRIDE model outlines cyber threats to substations and some countermeasures. The intrusion through the dispatching data network can be effectively prevented by the dedicated vertical encryption authentication gateway, so we focus on the near-source attacks of intruders. After entering the substation, intruders can directly connect their computers to the internal network of the substation and obtain the addresses of other hosts in the substation through address sniffing, or obtain operational permissions and even administrator privileges of any host in the substation through dictionary attacks, brute force cracking, and other methods. Furthermore, intruders can remotely connect to the host that can control the primary equipment of the substation through high-risk ports or SSH, operate the power grid equipment and cause power grid failures. Here are some key components for network security protection in substations.

• Network configuration. The substation architecture involves a local network connected to an external WAN (Wide Area Network) through a router, which serves as the gateway between the potentially less secure external WAN and the internal local network of the substation.

• Perimeter security. The router connecting the local network to the WAN is secured using conventional perimeter security measures.

• Local network division. The local network is subdivided into two main parts: the guard net and the automation network. The guard net is designed to contain IEDs responsible for safeguarding the energy distribution network. These devices focus on detecting and responding to electrical issues such as short circuits or ground faults. The automation network connects IEDs and RTUs (Remote Terminal Units) and facilitates automated operations within the substation. While the two parts (guard net and automation network) work independently, they are physically connected within the communication network. It implies that there is a level of connectivity between the guard net and the automation network. The physical connection between them suggests the need for careful design and security measures to prevent unauthorized access or potential security vulnerabilities.

Static detection strategies can effectively detect missing or incorrect configuration items for network security protection measures such as password complexity and audit logs, but they have limited accuracy when facing network security protection measures such as high-risk port disabling and whitelisting. Dynamic detection strategies can effectively solve this problem. However, dynamic detection strategies are also powerless when facing static problems. Therefore, a static-dynamic strategy is necessary.

Substation host security detection method structure

The architecture of our SH-SDS is illustrated in Fig. 3. SH-SDS consists of five modules: (1) Data generation module, (2) strategy generation module, (3) detection module, (4) report module, and (5) user interaction module.

These modules are briefly described as follows.

1. Data generation module. We collect all substations’ security detection items, requirements, and methods. We build an index library to store the substation security detection. In the future, if there are new security detection items, they can be added directly to the library for storage. At the same time, new items can be obtained from the library for substation host security detection without reconfiguration.

2. Strategy generation module. We employ Algorithm 2 with the target substation host to effectively generate a static-dynamic strategy from the substation host security detection library. Static-dynamic strategy for target substation host is used to conduct security detection, which can conduct comprehensive testing.

3. Detection module. SH-SDS performs target substation host security detection based on the generated static-dynamic strategy. For each item to be tested, we use the specified method to check item by item whether it meets safety requirements.

4. Report module. After the detection of all items, SH-SDS reports the result, which includes system information, IP, and analysis.

5. User interaction module. SH-SDS displays the graphic interface for engineers. Engineers can start detection using the graphic interface. Users can also get a report of detection through the user interaction module. The user interaction module allows simpler operations.

These modules are very significant for the security detection of hosts in substations. The detection is conducted by SH-SDS instead of engineers, improving the speed and accuracy of security detection.

Data collection and preprocessing

Strategy generalization

The traditional host network security detection strategy is mainly focused on static strategies. However, only static strategies are insufficient; some items must be detected through dynamic strategies. Thus, building an active detection strategy that combines dynamic and static strategies is necessary, making the substation host security detection more comprehensive.

When a substation host security inspection work is carried out, we need to obtain a target host security inspection project file first. Then, the items in the file are matched with the static strategy library and the dynamic strategy library to obtain the security detection configuration file, which is the target host’s security detection strategy. The strategy generation algorithm we use is shown in Algorithm 2.

Algorithm 2 is stable and the time complexity is O(n), where n is the length of target items TI.

In Algorithm 2, we mention matching, which is used to find if the target item is in the library. When we need to match the target item with the item in the library, firstly, we set the target items as TI and the items in the library as LI. For computers, items are strings, actually. Thus, in the process of computers, TI is stored as Eq. (6) and LI is stored as Eq. (7).

(6) $$TI=T{I}_{0}T{I}_1...T{I}_{n-1}$$

(7) $$LI=L{I}_{0}L{I}_1...L{I}_{n-1}$$

The first step we need to know if $T{I}_m$ matches $L{I}_n$ is to find the prefix and suffix with the most extended length in TI. If there is $T{I}_{0}T{I}_1...T{I}_{k-1}T{I}_k=T{I}_{j-k}T{I}_{j-k-1}...T{I}_{j-1}T{I}_j$, there are identical prefixes and suffixes with a maximum length of $k+1$. Then we need to construct an array named $\alpha$. $\alpha$ is as Eq. (8).

(8) $$\alpha =\{\begin{array}{c}0whenj=1\hfill \\ 1unmatch\hfill \\ max\{k|1<k<jandT{I}_{0}T{I}_1...T{I}_{k-1}T{I}_k=T{I}_{j-k}T{I}_{j-k-1}...T{I}_{j-1}T{I}_j\}\end{array}$$

When TI unmatched LI, j = $\alpha$[j], the number of TI moves to the right is j − $\alpha$[j] = 0. When $T{I}_{j-k}T{I}_{j-k-1}...T{I}_{j-1}T{I}_j$ matched $L{I}_{i-k}L{I}_{i-k-1}...L{I}_{i-1}l{i}_i$ as well as $T{I}_j$ unmatched $L{I}_i$, $\alpha$[j] = k, which means the same prefix and suffix with $T{I}_j$ maximum length of k in $L{I}_i$ that does not contain $T{I}_j$. That means as Eq. (9).

(9) $$T{I}_{0}T{I}_1...T{I}_{k-1}T{I}_k=T{I}_{j-k}T{I}_{j-k-1}...T{I}_{j-1}T{I}_j$$

We set the j = $\alpha$[j], and let TI moves j − $\alpha$[j] to the right, which $T{I}_{0}T{I}_1...T{I}_{k-1}$ matches $L{I}_{0}L{I}_1...L{I}_{j-1}$. Then let $T{I}_k$ continue to match $L{I}_j$.

The complexity of this calculation process is O(m + n), where m is the length of TI and n is the length of LI. The best complexity performs as O(m) while the worst complexity performs as O( $m^2$). We use this calculation method to find the item that matches the target items in the static and dynamic libraries. Then, we use Algorithm 2 to generate a static and dynamic detection strategy. The security detection configuration file is obtained by matching the host network security detection project file with the static and dynamic strategy libraries. It serves as a strategy file used in security detection.

Security detection

According to the generated dynamic and static detection strategy, the security detection of the target host of the substation is carried out. The flow chart is shown in Fig. 4.

Firstly, we must configure the target host’s dynamic and static strategy files and start SH-SDS. Secondly, the target items and their ID, configuration requirements, and detection methods are identified automatically. Finally, the configuration requirements of each item are compared according to the detection method in the strategy file, and the detection results are obtained.

The inspection report is summarized based on the results of each project obtained by network safety inspection. The report’s contents include system information, device IP, results, and problems with various test items. Through the security detection report, users can notice the security detection results for the target host and correct the returned problems. The whole process of safety detection is efficient and automatic.

System performance testing

We conduct performance testing and quantitative evaluation of SH-SDS. We conduct tests in both simulated and real environments. In simulated environment, we conduct the performance testing configuration, the CPU is i7-10610U, the memory is 4GB, and the operating system includes Ubuntu 16.04.7, Ubuntu 22.04.1, and Kylin 3.3. In real environment, the CPU is Hygon 3285, the memory is 64GB and the operating system is Kylin 3.3. We conduct multiple experiments in simulated environment, including the SH-SDS, the openSCAP software, and manual inspection. The openSCAP is an open-source host automatic scanning tool developed by Redhat, mainly composed of tools and baseline libraries. It maintains great flexibility and interoperability, making it widely used in Linux systems (Liu & Hu, 2023). After configuring detection content in the baseline library of openSCAP, we perform security checks on the host through the terminal. Manual inspection is based on the requirements of the detection items, manually entering commands one by one in the terminal according to the prescribed method and manually judging whether the host is safe based on the returned results.

We conduct statistics and analysis on the results of the same host security testing items. The calculation methods for various items are as follows. The software size refers to the amount of space occupied by the software on the system disk, which is composed of code segment size and data segment size. It can be viewed using the ‘ls – l’ command. The CPU utilization is shown in Eq. (10) (Yu-Wei, Dong & Shu-Cheng, 2018). The response time is the time it takes for the user to initiate a request and receive the result returned from the software. The user-friendliness is evaluated based on whether the software has an interface and whether the interface is convenient for human–computer interaction. The accuracy is calculated as Eq. (11). The false positive rate is calculated as Eq. (12) while the false negative rate is calculated as Eq. (13). We obtain the following performance test results, as shown in Table 5.

(10) $$CPUutilization=\frac{theusagetimeofCPU}{totalrunningtimeofthesoftware}\times 100\mathrm{\%}$$ (11) $$Accuracy=\frac{{\sum }_{i=1}^n\frac{numberofitemswithcorrectresultsintesti}{totalnumberofitemsini}}{n}\times 100\mathrm{\%}$$ (12) $$Falsepositiverate(FPR)=\frac{FP}{FP+TN}\times 100\mathrm{\%}$$ (13) $$Falsenegativerate(FNR)=\frac{FN}{FN+TP}\times 100\mathrm{\%}.$$

From the test results, we can see that both the size of SH-SDS and CPU utilization are smaller than that of openSCAP. Regarding response time, SH-SDS is shorter than openSCAP and takes much less time than manual inspection. Regarding user-friendliness, SH-SDS has developed a graphical interface to display and export detection results. At the same time, openSCAP software does not have a graphical interface, which is not intuitive regarding results display. In terms of accuracy, SH-SDS and openSCAP perform relatively well, both of which are better than the accuracy of manual inspection.

Performance and accuracy

In a simulated environment, we test the speed and accuracy of different security detection items, including the complexity of system login password, update cycle of system login password, and other 12 items, which are the most important in substation host security detection. We construct dynamic and static combination test projects in the test data set and adjusted the number of test items. The test results are depicted in Fig. 6.

In the simulated tests, the SH-SDS demonstrated remarkable consistency in response time across varying numbers of detection items, as depicted in Fig. 6A. The blue background represents the confidence interval around the mean response time, indicating the variability and reliability of the measurements across different numbers of items tested. This uniformity in performance indicates the software’s stability in operation. Furthermore, Fig. 6B reveals that the accuracy of the detection tests is exceptionally high, nearing 100% across all trials. These findings underscore the robustness of SH-SDS, which maintains high accuracy without compromising speed, even as the complexity of the tasks varies. This balance of speed and precision showcases the system’s efficacy in dynamic and static security detection scenarios.

We conduct ablation experiments on the above test data using static strategies, dynamic strategies, and dynamic-static strategies. The experimental results are shown in Table 6.

Table 6 reveals that the static strategy excels with purely static items, reaching 99.67% accuracy. However, it falters to 5.13% with only dynamic items. Conversely, the dynamic strategy soars to 97.43% accuracy with dynamic items but drops significantly with static ones. The integrated static-dynamic strategy outperforms both, demonstrating superior adaptability and robustness across varied test conditions, indicating its comprehensive efficacy in security detection.

In addition, we also test it in a real environment and compare it with the traditional manual detection method. The test results are illustrated in Fig. 7.

In Fig. 7A, the proposed SH-SDS exhibits the highest accuracy at Substation C. It surpasses manual detection at all sites, with the most significant improvement at Substation C, which is nearly 100%. This enhanced accuracy stems from SH-SDS’s automation and sophisticated algorithms, which mitigate human error and deliver consistent, high-precision security checks across substations. Based on detection time Fig. 7B, the proposed SH-SDS has the lowest detection time at Substation A. It outperforms manual detection at all substations, most notably at Substation C, which is approximately 98% faster. This significant efficiency gain is due to the automation of the detection process, which minimizes human intervention and speeds up the overall time required for security checks, showing the proposed SH-SDS’s capacity for rapid analysis and response in substation security.

System operability test

We use an actual host security detection operation to show the software’s operation process, as follows.

• 1)

  After copying the software to the host, we run the software using the command terminal.

• 2)

  After we open the software, click the ‘scan’ button to detect the host, as shown in Fig. 8A.

• 3)

  After the scanning is completed, we can view the inspection results on the software interface, or output the scanning results in the specified format, as shown in Fig. 8B.

• 4)

  After completing the rectification of the abnormal items scanned out, we click ‘back’ button to return to the main interface and the detection can be performed again.