The Digital Forensics of Cyber-Attacks at Electrical Power Grid Substation

Our research presented in this article comprises of network based cyber-attacks in a laboratory setup consisting of a power grid substation implemented as a hardware-in-theloop simulation with hardware (Intelligent Electronic Devices a.k.a. IEDs), and the analysis on how these cyber-attacks can be detected using network forensics. The investigated cyber-attacks exploit the IEC 61850 MMS and GOOSE protocols, and one of the attacks has been already implemented in an existing malware. Additionally we organized a cybersecurity themed workshop for energy sector companies in Finland. The workshop participants were given a task to search for the aforementioned cyber-attacks from network traffic captures. The key finding from the workshop is that for the domain expert it is crucial to know different kind of cyber-attack scenarios in order to detect and mitigate them in a timely manner.