Detection and Prevention of Process Disruption Attacks in the Electrical Power Systems using MMS Traffic: An EPIC Case

📅 2026-01-07
🏛️ arXiv.org
🤖 AI Summary
This study addresses the threat to power grid security posed by adversaries exploiting the Manufacturing Message Specification (MMS) protocol in IEC 61850-based smart substations to launch remote process disturbances, such as unauthorized data reads or malicious command injections. To counter this, the authors propose a real-time defense framework that integrates deep parsing of MMS protocol messages with automated anomaly detection. By modeling IEC 61850 communication behaviors and extracting key field-value pair features, the framework enables precise identification and blocking of attacks generated via IEC61850Bean and libiec61850 scripts, as implemented on the EPIC testbed. Experimental validation using seven datasets—comprising both real-world traffic and simulated attack scenarios—demonstrates the approach’s high efficacy in detecting MMS traffic containing known attack signatures, thereby significantly enhancing the cyber resilience of smart grids.

📝 Abstract
Smart grids are increasingly exposed to sophisticated cyber threats due to their reliance on interconnected communication networks, as demonstrated by real-world incidents such as the cyberattacks on the Ukrainian power grid. In IEC61850-based smart substations, the Manufacturing Message Specification protocol operates over TCP to facilitate communication between SCADA systems and field devices such as Intelligent Electronic Devices and Programmable Logic Controllers. Although MMS enables efficient monitoring and control, it can be exploited by adversaries to generate legitimate-looking packets for reconnaissance, unauthorized state reading, and malicious command injection, thereby disrupting grid operations. In this work, we propose a fully automated attack detection and prevention framework for IEC61850-compliant smart substations to counter remote cyberattacks that manipulate process states through compromised PLCs and IEDs. A detailed analysis of the MMS protocol is presented, and critical MMS field-value pairs are extracted during both normal SCADA operation and active attack conditions. The proposed framework is validated using seven datasets comprising benign operational scenarios and multiple attack instances, including IEC61850Bean-based attacks and script-driven attacks leveraging the libiec61850 library. Our approach accurately identifies attack-signature-carrying MMS packets that attempt to disrupt circuit breaker status, specifically targeting the smart home zone IED and PLC of the EPIC testbed. The results demonstrate the effectiveness of the proposed framework in precisely detecting malicious MMS traffic and enhancing the cyber resilience of IEC61850-based smart grid environments.
Problem

Research questions and friction points this paper is trying to address.

MMS
IEC61850
cyberattack
smart grid
process disruption
Innovation

Methods, ideas, or system contributions that make the work stand out.

MMS protocol
IEC61850
cyberattack detection
smart grid security
automated defense framework
Praneeta Maganti
Birla Institute of Technology and Science Pilani, Hyderabad Campus, India
Daisuke Mashima
Singapore University of Technology and Design
Cyber-physical Systems Security, Smart City, Smart Grid, Cybersecurity, Privacy
R. Maiti
Birla Institute of Technology and Science Pilani, Hyderabad Campus, India