Open Access
An Advanced Generative AI-Based Anomaly Detection in IEC61850-Based Communication Messages in Smart Grids
Author(s) - Aydin Zaboli, Yong-Hwa Kim, Junho Hong
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3571881
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Security incidents in digital substations can create notable difficulties for the consistent and stable functioning of power systems. To address these issues, implementing defense and mitigation strategies is essential. Identifying and detecting irregularities in information and communication technology (ICT) is vital to maintaining secure interactions between devices in digital substations. This paper proposes a task-oriented dialogue (ToD) system for anomaly detection (AD) in multicast message datasets, such as generic object-oriented substation events (GOOSE) and sampled values (SV) in digital substations using generative AI (GenAI). The proposed ToD model demonstrates significant advantages over the human-in-the-loop (HITL) approach, particularly in error rate, adaptability, and scalability. Specifically, compared to HITL, the ToD model achieves a reduction in false positives (FPs) of up to 20% and enhances the accuracy of AD by up to 17.5%, resulting in a general accuracy of 97.5%. Moreover, the system shows a substantial improvement in advanced evaluation metrics, including a Matthews Correlation Coefficient (MCC) of 0.95, highlighting its robust capability to accurately differentiate between normal and anomalous events. The ToD model adapts effectively to new attack scenarios without extensive retraining, unlike traditional machine learning (ML) models or HITL, which require frequent updates. This adaptability significantly reduces implementation time compared to HITL, as the model requires fewer manual interventions and updates. These findings are supported by a comparative analysis using standard and advanced evaluation metrics. The generation and extraction of datasets of IEC 61850 communications were performed using a hardware-in-the-loop (HIL) testbed, ensuring the robustness of the proposed approach in practical scenarios.
