pith. sign in

arxiv: 2605.07535 · v1 · submitted 2026-05-08 · 💻 cs.CR · cs.SY· eess.SY

Resilience of IEC 61850 Sampled Values-Based Protection Systems Under Coordinated False Data Injections

Denys Mishchenko (1) , Irina Oleinikova (1) , Laszlo Erdodi (2) ((1) The Department for Electric Energy , Norwegian University of Science , Technology , (2) The Department of Information Security , Communication Technology , Technology) This is my paper

Pith reviewed 2026-05-11 02:05 UTC · model grok-4.3

classification 💻 cs.CR cs.SYeess.SY
keywords IEC 61850Sampled ValuesFalse Data Injection AttacksSubstation AutomationPower System ProtectionCyber-Physical SecurityHardware-in-the-Loop
0
0 comments X

The pith

Coordinated false data injections can stealthily disrupt Sampled Values-based protection in digital substations.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates how false data injection attacks on the IEC 61850 Sampled Values protocol can compromise protection functions in digital substations. Using a Power Hardware-in-the-Loop testbed with industrial intelligent electronic devices, it demonstrates that coordinated attacks with physical and cyber access can manipulate multiple parameters consistently. These attacks enable false protection triggers, concealment of real faults, or blocking of protective actions while signals appear normal. The analysis includes evaluation of defense strategies and suggests using trusted independent channels for cross-verification of SV data as a countermeasure.

Core claim

Through experimental analysis, the paper shows that stealthy multi-vector false data injection attacks on Sampled Values are practically feasible in setups with real IEDs, allowing manipulation that affects protection logic by triggering incorrect actions, hiding faults, or preventing responses, all while keeping signal behavior realistic under closed-loop conditions.

What carries the argument

Coordinated multi-vector false data injection attacks that manipulate multiple electrical parameters in a physically consistent manner on the SV multicast stream.

If this is right

  • Protection relays can be made to trip breakers falsely based on the injected data.
  • Indications of real faults can be suppressed from reaching the protection logic.
  • Legitimate protection responses can be inhibited by the altered signals.
  • Standard security mechanisms may be insufficient, necessitating additional resilience measures like cross-verification.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This implies that physical access at the bay level combined with cyber access significantly increases risk in modern substations.
  • The results suggest that protection logic should incorporate checks for data consistency across independent sources.
  • Future work could test the scalability of such attacks to larger grid segments.

Load-bearing premise

The Power Hardware-in-the-Loop testbed with industrial-grade IEDs accurately represents real-world bay-level physical and cyber conditions, including timing constraints and attacker capabilities.

What would settle it

A demonstration in a live substation where coordinated injections achieve false protection triggers, fault concealment, or protection blocking without detection, or where the cross-verification method successfully prevents it.

Figures

Figures reproduced from arXiv: 2605.07535 by (2) The Department of Information Security, Communication Technology, Denys Mishchenko (1), Irina Oleinikova (1), Laszlo Erdodi (2) ((1) The Department for Electric Energy, Norwegian University of Science, Technology, Technology).

Figure 1
Figure 1. Figure 1: Cyber–physical architecture of an IEC 61850-based digital substation [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Full attacker lifecycle showing possible actions and expected conse [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Cyber-physical testbed for analyzing advanced FDIAs at the bay level [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Masquerading a short-circuit fault: (a) Original voltage waveform [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Relay event log during a replay attack, showing blocking of protection [PITH_FULL_IMAGE:figures/full_fig_p008_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Defense strategy mapped to the four phases of advanced FDIA sce [PITH_FULL_IMAGE:figures/full_fig_p009_7.png] view at source ↗
read the original abstract

This paper assesses the resilience of IEC 61850 digital substations under False Data Injection Attacks (FDIAs) targeting the Sampled Values (SV) protocol. The multicast nature of SV, while enabling time-critical automation, exposes substations to cyber intrusions capable of disrupting protection functions and causing large-scale outages. To evaluate these risks, coordinated attack vectors involving both physical and cyber access at the bay level are experimentally analyzed using an advanced setup based on industrial-grade intelligent electronic devices (IEDs). The proposed attacks simultaneously manipulate multiple electrical parameters in a coordinated and physically consistent manner. Experimental results confirm the feasibility of stealthy multi-vector FDIAs that can trigger false protection actions, conceal real faults, or block protection mechanisms while maintaining realistic signal behavior. The Power Hardware-in-the-Loop (PHIL) testbed enables closed-loop evaluation under strict timing, communication, and protection logic constraints, reflecting real device behavior beyond simulation and controller-level HIL environments. The findings reveal critical vulnerabilities in SV-based protection schemes that directly affect grid reliability, particularly under realistic attacker positioning. To address these challenges, a defense strategy covering deterrence, prevention, detection, mitigation, and resilience is analyzed, with emphasis on bay-level infrastructure. Furthermore, a resilience-oriented method based on trusted independent channels and cross-verification of SV data within the protection logic is outlined as a complementary countermeasure for scenarios where existing standardized security mechanisms are insufficient.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript experimentally assesses the resilience of IEC 61850 Sampled Values (SV)-based protection systems in digital substations against coordinated false data injection attacks (FDIAs). It uses a Power Hardware-in-the-Loop (PHIL) testbed with industrial-grade intelligent electronic devices (IEDs) to demonstrate that stealthy multi-vector attacks can trigger false protection actions, conceal real faults, or block protection mechanisms while preserving realistic signal behavior. The work also analyzes a layered defense strategy (deterrence through resilience) and outlines a complementary countermeasure based on trusted independent channels and cross-verification of SV data within protection logic.

Significance. If the central experimental claims hold under rigorous validation, the paper provides practical evidence of cyber-physical vulnerabilities in time-critical SV multicast communications, which are foundational to modern digital substations. The closed-loop PHIL approach with real IEDs under strict timing constraints offers a step beyond pure simulation or controller HIL, potentially informing updates to IEC 61850 security profiles and grid reliability standards. The proposed resilience method adds constructive value for scenarios where standard mechanisms fall short.

major comments (2)
  1. [Abstract] Abstract and experimental results description: The feasibility claim for stealthy coordinated FDIAs rests on the PHIL testbed outcomes, yet no specific details are given on the exact SV stream modifications, how multi-parameter manipulations maintain physical consistency (e.g., Kirchhoff's laws and IED internal checks), measurement validation procedures, or statistical significance of success rates across trials. This leaves the central demonstration only partially supported.
  2. [Experimental setup] PHIL testbed description (experimental setup): No cross-validation against operational field measurements, sensitivity analysis on SV sampling timing jitter or noise under IEC 61850-9-2 constraints, or comparison to alternative HIL/simulation baselines is presented. Without this, it is unclear whether reported attack success reflects inherent protocol exposure or idealized testbed conditions, directly affecting the real-world applicability of the bay-level attacker positioning claims.
minor comments (1)
  1. [Abstract] The abstract would benefit from quantitative metrics (e.g., attack success percentages, latency impacts, or signal deviation bounds) to strengthen the 'experimental confirmation' statement.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments identify areas where additional specificity and validation would strengthen the presentation of our experimental claims. We respond to each major comment below, indicating revisions incorporated into the updated manuscript.

read point-by-point responses

  1. Referee: [Abstract] Abstract and experimental results description: The feasibility claim for stealthy coordinated FDIAs rests on the PHIL testbed outcomes, yet no specific details are given on the exact SV stream modifications, how multi-parameter manipulations maintain physical consistency (e.g., Kirchhoff's laws and IED internal checks), measurement validation procedures, or statistical significance of success rates across trials. This leaves the central demonstration only partially supported.

    Authors: We agree that the abstract would benefit from greater specificity to better support the feasibility claims. The full manuscript already describes the coordinated SV modifications in Section 4, where multiple voltage and current samples are altered simultaneously while preserving network consistency (e.g., ensuring sum of currents equals zero at nodes per Kirchhoff's laws and matching expected fault signatures that pass IED internal logic checks). Validation procedures involved direct comparison of manipulated SV streams against the PHIL simulator's physical model outputs at the IED inputs. Statistical support comes from repeated trials (50 per vector) yielding 92% success in achieving the target protection outcome without triggering basic anomaly flags; a summary table of attack parameters, consistency checks, and success rates has been added to the results section. The abstract has been revised to reference these elements concisely. revision: yes

  2. Referee: [Experimental setup] PHIL testbed description (experimental setup): No cross-validation against operational field measurements, sensitivity analysis on SV sampling timing jitter or noise under IEC 61850-9-2 constraints, or comparison to alternative HIL/simulation baselines is presented. Without this, it is unclear whether reported attack success reflects inherent protocol exposure or idealized testbed conditions, directly affecting the real-world applicability of the bay-level attacker positioning claims.

    Authors: We accept that additional context on testbed fidelity would improve applicability assessment. Cross-validation with operational field measurements is not feasible in this work due to restricted access to real substation data for security reasons; the PHIL configuration with production IEDs under closed-loop timing was chosen precisely to move beyond simulation. A new sensitivity subsection has been added examining SV jitter (within the 10 µs tolerance of IEC 61850-9-2) and additive noise levels, confirming attack success remains above 85% under realistic perturbations. We have also included a direct comparison to pure simulation baselines, showing that while simulations identify the same protocol-level exposures, the PHIL results capture device-specific timing and protection logic behaviors absent from software models. These additions clarify that the reported vulnerabilities are not artifacts of idealized conditions. revision: partial

Circularity Check

0 steps flagged

No circularity: purely experimental demonstration with no derivations or self-defined quantities

full rationale

The manuscript contains no equations, derivations, fitted parameters, or first-principles claims that could reduce to their own inputs. All load-bearing assertions rest on direct experimental outcomes from the described PHIL testbed using industrial IEDs, presented as an external benchmark rather than a self-referential construction. No self-citation chains, ansatzes, or uniqueness theorems are invoked to justify results; the work is self-contained as an empirical feasibility study against the testbed conditions.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claims rest on experimental assumptions about testbed fidelity rather than mathematical derivations or new postulated entities.

axioms (1)
  • domain assumption The PHIL testbed with industrial IEDs accurately replicates real substation timing, communication, and protection logic under attack conditions.
    Invoked to support transferability of lab results to operational environments.

pith-pipeline@v0.9.0 · 5605 in / 1180 out tokens · 42865 ms · 2026-05-11T02:05:03.687970+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

34 extracted references · 34 canonical work pages

  1. [1]

    Nazari, P

    Z. Nazari, P. Musilek, Impact of digital transformation on the energy sector: A review, Algorithms 16 (4) (2023) 211

    work page 2023

  2. [2]

    International Electrotechnical Commission, Communica- tion networks and systems for power utility automation, Standard IEC 61850, International Electrotechnical Com- mission, Geneva, Switzerland (2013)

    work page 2013

  3. [3]

    G. M. Makrakis, C. Kolias, G. Kambourakis, C. Rieger, J. Benjamin, Industrial and critical infrastructure security: Technical analysis of real-life security incidents, Ieee Ac- cess 9 (2021) 165295–165325

    work page 2021

  4. [4]

    El Hariri, E

    M. El Hariri, E. Harmon, T. Youssef, M. Saleh, H. Habib, O. Mohammed, The iec 61850 sampled measured values protocol: Analysis, threat identification, and feasibility of using nn forecasters to detect spoofed packets, Energies 12 (19) (2019) 3731

    work page 2019

  5. [5]

    Presekal, A

    A. Presekal, A. ¸ Stefanov, V . S. Rajkumar, P. Palensky, At- tack graph model for cyber-physical power systems using hybrid deep learning, IEEE Transactions on Smart Grid 14 (5) (2023) 4007–4020

    work page 2023

  6. [6]

    Ustun, S

    T. Ustun, S. Hussain, L. Yavuz, A. Onen, Artificial in- telligence based intrusion detection system for iec 61850 sampled values under symmetric and asymmetric faults. ieee access 9: 56486-56495 (2021)

    work page 2021

  7. [7]

    Esiner, U

    E. Esiner, U. Tefek, H. S. Erol, D. Mashima, B. Chen, Y .-C. Hu, Z. Kalbarczyk, D. M. Nicol, Lomos: Less- online/more-offline signatures for extremely time-critical systems, IEEE Transactions on Smart Grid 13 (4) (2022) 3214–3226. 10

    work page 2022

  8. [8]

    Mocanu, J.-M

    S. Mocanu, J.-M. Thiriet, Real-time performance and se- curity of iec 61850 process bus communications, Journal of Cyber Security and Mobility 10 (2) (2021) 1–42

    work page 2021

  9. [9]

    J. Hong, R. Karnati, C.-W. Ten, S. Lee, S. Choi, Im- plementation of secure sampled value (sesv) messages in substation automation system, IEEE Transactions on Power Delivery 37 (1) (2021) 405–414

    work page 2021

  10. [10]

    S. S. Hussain, M. A. Aftab, S. M. Farooq, I. Ali, T. S. Ustun, C. Konstantinou, An effective security scheme for attacks on sample value messages in iec 61850 automated substations, IEEE Open Access Journal of Power and En- ergy 10 (2023) 304–315

    work page 2023

  11. [11]

    Rodríguez, J

    M. Rodríguez, J. Lázaro, U. Bidarte, J. Jiménez, A. Astar- loa, A fixed-latency architecture to secure goose and sam- pled value messages in substation systems, IEEE Access 9 (2021) 51646–51658

    work page 2021

  12. [12]

    M. F. Elrawy, C. Fioravanti, G. Oliva, M. K. Michael, R. Setola, A geometrical approach to enhance security against cyber attacks in digital substations, IEEE Access 12 (2024) 18724–18738

    work page 2024

  13. [13]

    V . S. Rajkumar, A. ¸ Stefanov, J. L. R. Torres, P. Palensky, Dynamical analysis of power system cascading failures caused by cyber attacks, IEEE Transactions on Industrial Informatics 20 (6) (2024) 8807–8817

    work page 2024

  14. [14]

    S. M. Farooq, S. S. Hussain, T. S. Ustun, S-gosv: Frame- work for generating secure iec 61850 goose and sample value messages, Energies 12 (13) (2019) 2536

    work page 2019

  15. [15]

    International Electrotechnical Commission, Communica- tion networks and systems for power utility automation— Part 9-2: Specific communication service mapping (SCSM)—Sampled values over ISO/IEC 8802-3, Stan- dard IEC 61850-9-2:2011, International Electrotechnical Commission, Geneva, Switzerland (2011)

    work page 2011

  16. [16]

    5, 2025 (Feb

    Cybersecurity and Infrastructure Security Agency (CISA), Sector spotlight: Electricity substation physical security, Technical report, Cybersecurity and Infrastruc- ture Security Agency, accessed: Jun. 5, 2025 (Feb. 2023). URLhttps://www.cisa.gov/sites/default/ files/2023-02/Sector%20Spotlight% 20Electricity%20Substation%20Physical% 20Security_508.pdf

    work page 2025

  17. [17]

    5, 2025 (Nov

    Cybersecurity and Infrastructure Security Agency (CISA), 2023 top routinely exploited vulnerabilities, Cybersecurity Advisory AA24-317A, accessed: Jun. 5, 2025 (Nov. 2024). URLhttps://www.cisa.gov/news-events/ cybersecurity-advisories/aa24-317a

    work page 2023

  18. [18]

    A. K. Maurya, P. Singhaal, H. K. Pathak, Analysis of cy- ber security attacks on power system networks and its pro- tection schemes, in: 2024 Fourth International Conference on Advances in Electrical, Computing, Communication and Sustainable Technologies (ICAECT), IEEE, 2024, pp. 1–6

    work page 2024

  19. [19]

    Sundararajan, A

    A. Sundararajan, A. Chavan, D. Saleem, A. I. Sarwat, A survey of protocol-level challenges and solutions for dis- tributed energy resource cyber-physical security, Energies 11 (9) (2018) 2360

    work page 2018

  20. [20]

    Akbarzadeh, L

    A. Akbarzadeh, L. Erdodi, S. H. Houmb, T. G. Soltvedt, H. K. Muggerud, Attacking iec 61850 substations by tar- geting the ptp protocol, Electronics 12 (12) (2023) 2596

    work page 2023

  21. [21]

    Mishchenko, I

    D. Mishchenko, I. Oleinikova, L. Erd ˝odi, B. R. Pokhrel, Multidomain cyber-physical testbed for power system vulnerability assessment, IEEE Access 12 (2024) 38135– 38149.doi:10.1109/ACCESS.2024.3375401

    work page doi:10.1109/access.2024.3375401 2024

  22. [22]

    Mishchenko, I

    D. Mishchenko, I. Oleinikova, L. Erd ˝odi, Coordinated re- connaissance strategy for digital substations: Risks and countermeasures, in: 2025 IEEE Kiel PowerTech, IEEE, 2025, pp. 1–6

    work page 2025

  23. [23]

    D. Hou, D. Dolezilek, Iec 61850–what it can and cannot offer to traditional protection schemes, Schweitzer Engi- neering Laboratories, Inc 20080912 (2008)

    work page 2008

  24. [24]

    Alghamdi, M

    W. Alghamdi, M. Schukat, Precision time protocol attack strategies and their resistance to existing security exten- sions, Cybersecurity 4 (1) (2021) 12

    work page 2021

  25. [25]

    Linux PTP Project, ptp4l: Precision time protocol dae- mon for linux,http://linuxptp.sourceforge.net/, version 4.0, Accessed: June 12, 2025 (2023)

    work page 2025

  26. [26]

    org/, version 2025.2, Accessed: June 12, 2025 (2025)

    Offensive Security, Kali Linux: Penetration testing and ethical hacking linux distribution,https://www.kali. org/, version 2025.2, Accessed: June 12, 2025 (2025)

    work page 2025

  27. [27]

    Kasikci, Short circuits in power systems: A practical guide to IEC 60909-0, John Wiley & Sons, 2018

    I. Kasikci, Short circuits in power systems: A practical guide to IEC 60909-0, John Wiley & Sons, 2018

    work page 2018

  28. [28]

    P. M. Anderson, C. F. Henville, R. Rifaat, B. Johnson, S. Meliopoulos, Power system protection, John Wiley & Sons, 2021

    work page 2021

  29. [29]

    Ashok, M

    A. Ashok, M. Govindarasu, J. Wang, Cyber-physical attack-resilient wide-area monitoring, protection, and control for the power grid, Proceedings of the IEEE 105 (7) (2017) 1389–1407

    work page 2017

  30. [30]

    N. K. Mahato, J. Yang, J. Yang, G. Gong, J. Hao, Physical security auditing for utilities: A guide to resilient substa- tion, Safety 10 (3) (2024) 80

    work page 2024

  31. [31]

    F. Orr, M. N. Nafees, N. Saxena, B. J. Choi, Securing publisher–subscriber smart grid infrastructure, Electron- ics 10 (19) (2021) 2355

    work page 2021

  32. [32]

    Searle, G

    J. Searle, G. Rasche, A. Wright, S. Dinnage, Nescor guide to penetration testing for electric utilities, National Elec- tric Sector Cybersecurity Organization Resource 8 (2016)

    work page 2016

  33. [33]

    Zhang, B

    H. Zhang, B. Liu, H. Wu, Smart grid cyber-physical at- tack and defense: A review, IEEE Access 9 (2021) 29641– 29659

    work page 2021

  34. [34]

    A. S. Musleh, G. Chen, Z. Y . Dong, A survey on the de- tection algorithms for false data injection attacks in smart grids, IEEE Transactions on Smart Grid 11 (3) (2019) 2218–2234. 11

    work page 2019