Digitalization of the power system eventually led to the implementation of the IEC 61850 standard for communication networks and systems for power utility automation, creating the digital substation. The combination of the substation equipment and its communication network and the ICT system for non-operational aspects together forms an interdependent Cyber-Physical Power System (CPPS). This system is prone to cyber attacks because mitigation strategies were designed for ICT systems and do not account for OT system requirements. As cyber attacks on CPPSs become more frequent and global tensions rise, research into cyber security vulnerabilities of the IEC 61850 Generic Object-Oriented Substation Event (GOOSE) protocol is becoming more pressing, as is the development of mitigation strategies for cyber attacks on this protocol.
This work proposes a Hardware-in-the-Loop (HiL) test setup to execute various GOOSE cyber attacks and thereby simulate a hacker's actions. The setup consists of a simple power system simulated on a Real-Time Digital Simulator (RTDS), a physical Intelligent Electronic Device (IED), and a communication network connecting all of them. The simulated power system communicates node voltages and breaker currents to the IED via IEC 61850 Sampled Values (SV), and the IED responds by sending GOOSE traffic. An additional workstation is connected to the communication network to launch cyber attacks that cause a physical impact on the simulated power system.
Secondly, the HiL setup is used to evaluate which alterations to the GOOSE packet result in a physical impact on the simulated power system. Several attributes in the GOOSE PDU are modified, and together with changes in AllData (for circuit breaker tripping) these should trip the circuit breaker in the simulated power system. An attempt is also made to use an attack to block legitimate traffic during a fault. Based on these findings, a cyber-physical dataset was constructed containing GOOSE communication network traffic recorded during normal operation, faults, and the examined cyber attacks that yielded a physical impact.
Furthermore, an anomaly-based deep packet inspection (DPI) intrusion detection system (IDS) is proposed for the mitigation of cyber attacks. This DPI-IDS uses features derived from the GOOSE PDU attributes and a long short-term memory (LSTM) model to distinguish GOOSE packets from normal operation, faults, and cyber attacks. The LSTM's hyperparameters were optimized, and the complete DPI model was trained primarily on GOOSE traffic from normal operation and fault conditions. The performance of the DPI-IDS on the collected dataset was evaluated using several metrics. For each attack in the dataset, the performance is evaluated separately to identify the attacks on which the DPI-IDS model performs best.
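The feature-extraction stage that such a DPI-IDS depends on is easy to underestimate: the GOOSE PDU is a BER-encoded ASN.1 structure, and the attributes the thesis works with (stNum, sqNum, timeAllowedtoLive, numDatSetEntries, AllData) have to be pulled out of it before any model can see them. The following is an added example, not code from the thesis or its test setup: it builds a constructed GOOSE frame, parses the PDU attributes into a feature dictionary, and applies a stateful stNum/sqNum consistency rule per control block (the kind of check that complements a learned model and flags rolled-back or jumped counters for an operator). The control-block names, the data-set layout and the frames are all constructed for the example; only the EtherType and the BER tag numbers come from IEC 61850-8-1.

```python
import struct

# IEC 61850-8-1 GOOSE EtherType and the BER context-specific tags of the
# IECGoosePdu (SEQUENCE tagged [APPLICATION 1]). Tag numbers are from the standard.
GOOSE_ETHERTYPE = 0x88B8
TAG_GOOSE_PDU = 0x61          # [APPLICATION 1], constructed
TAG_ALL_DATA = 0xAB           # [11] allData, constructed
TAG_DATA_BOOLEAN = 0x83       # Data CHOICE: [3] boolean
PDU_FIELDS = {
    0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet", 0x83: "goID",
    0x84: "t", 0x85: "stNum", 0x86: "sqNum", 0x87: "simulation",
    0x88: "confRev", 0x89: "ndsCom", 0x8A: "numDatSetEntries",
}
INTEGER_FIELDS = {"timeAllowedtoLive", "stNum", "sqNum", "confRev", "numDatSetEntries"}
STRING_FIELDS = {"gocbRef", "datSet", "goID"}


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV, using the long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER content octets."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)


def iter_tlvs(buf: bytes):
    """Yield (tag, value) pairs from the content of a constructed BER value."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                      # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + ln]
        i += ln


def build_goose_frame(st_num, sq_num, data, ttl_ms=2000, gocb="IED1CFG/LLN0$GO$gcb01"):
    """Constructed GOOSE frame (assumed IED/control-block names); allData holds BOOLEANs."""
    all_data = b"".join(ber_tlv(TAG_DATA_BOOLEAN, b"\x01" if b else b"\x00") for b in data)
    pdu_body = (
        ber_tlv(0x80, gocb.encode()) + ber_tlv(0x81, ber_int(ttl_ms))
        + ber_tlv(0x82, b"IED1CFG/LLN0$dsGoose") + ber_tlv(0x83, b"gcb01")
        + ber_tlv(0x84, bytes(8))                    # t: UtcTime, zeroed for the example
        + ber_tlv(0x85, ber_int(st_num)) + ber_tlv(0x86, ber_int(sq_num))
        + ber_tlv(0x87, b"\x00") + ber_tlv(0x88, ber_int(1)) + ber_tlv(0x89, b"\x00")
        + ber_tlv(0x8A, ber_int(len(data))) + ber_tlv(TAG_ALL_DATA, all_data)
    )
    pdu = ber_tlv(TAG_GOOSE_PDU, pdu_body)
    dst, src = bytes.fromhex("010ccd010001"), bytes.fromhex("001c06aabbcc")  # constructed MACs
    header = struct.pack(">HHHH", 0x0001, 8 + len(pdu), 0, 0)  # APPID, Length, Reserved1/2
    return dst + src + struct.pack(">H", GOOSE_ETHERTYPE) + header + pdu


def parse_goose(frame: bytes) -> dict:
    """Extract the GOOSE PDU attributes a DPI feature extractor would feed to a model."""
    if struct.unpack(">H", frame[12:14])[0] != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    appid, length, _, _ = struct.unpack(">HHHH", frame[14:22])
    tag, pdu_body = next(iter_tlvs(frame[22:22 + length - 8]))
    if tag != TAG_GOOSE_PDU:
        raise ValueError("missing goosePdu")
    fields = {"appid": appid}
    for t, v in iter_tlvs(pdu_body):
        name = PDU_FIELDS.get(t)
        if name in INTEGER_FIELDS:
            fields[name] = int.from_bytes(v, "big", signed=True)
        elif name in STRING_FIELDS:
            fields[name] = v.decode()
        elif t == TAG_ALL_DATA:
            fields["allData"] = [bool(val[0]) for dt, val in iter_tlvs(v) if dt == TAG_DATA_BOOLEAN]
    return fields


class GooseSequenceMonitor:
    """Per-gocbRef rule: within a state sqNum increments by one; a state change
    raises stNum by one and restarts sqNum at 0. Anything else (rolled-back or
    jumped counters, mismatched data-set size) is flagged for the operator."""

    def __init__(self):
        self.last = {}  # gocbRef -> (stNum, sqNum)

    def check(self, fields: dict) -> str:
        if fields.get("numDatSetEntries") != len(fields.get("allData", [])):
            return "anomalous"
        key, st, sq = fields["gocbRef"], fields["stNum"], fields["sqNum"]
        prev = self.last.get(key)
        self.last[key] = (st, sq)
        if prev is None:
            return "legitimate"                      # first frame seen for this block
        pst, psq = prev
        if st == pst and sq == psq + 1:
            return "legitimate"                      # retransmission of the current state
        if st == pst + 1 and sq == 0:
            return "legitimate"                      # genuine state change, e.g. a trip
        return "anomalous"
```

The sequence rule is deliberately narrow (it does not model the 32-bit counter wrap-around or a legitimate IED restart, which resets both counters), so in practice it would sit next to the learned classifier rather than replace it; its value is that a frame carrying an out-of-order stNum/sqNum pair is flagged deterministically, independent of how much malicious traffic the training set contained.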
The goal of the DPI-IDS is to distinguish legitimate traffic from malicious traffic. Normal operation traffic and traffic during faults should be classified correctly as legitimate traffic. Correct classification of malicious traffic causes the traffic to be flagged, indicating to an operator that action is needed. Overall, the results for legitimate traffic identification (normal operation and faults) show that the DPI-IDS performs well at separating these two classes. However, the classification of malicious traffic is more difficult, due to the limited availability of malicious traffic in the training data. This underlines the importance of developing an effective mitigation strategy for cyber attacks on GOOSE communication traffic.