Enhanced cybersecurity for digital substations: a hybrid SDN-IDS with active threat mitigation and fault localization

Mohammed S. Alshehri; Sajid Mehmood; Jaroslav Frnda; Asma Hassan Alshehri; Faisal S. Alsubaei; Rashid Amin

doi:10.1007/s11235-025-01365-0

Enhanced cybersecurity for digital substations: a hybrid SDN-IDS with active threat mitigation and fault localization

Mohammed S. Alshehri
, Sajid Mehmood
, Jaroslav Frnda
, Asma Hassan Alshehri
, Faisal S. Alsubaei
, Rashid Amin

Computer Sciences

Research output: Contribution to journal › Article › peer-review

Abstract

The increasing digitalization of substations leaves key power infrastructure with more vulnerability to cyberattacks. We present a more advanced model of cybersecurity that can be used in digital substations and propose it as an alternative to the current model in this paper. Unlike the existing literature, which is more of an isolated detection model or protocol-specific vulnerability, Our solution combines multi-feature attack detection and performs an adaptive weighting to obtain the full accuracy and robustness against evolving threats. It has been demonstrated that the system achieves higher detection rates and lower false positive rates than state-of-the-art on a variety of experiments using typical attack scenarios. Beyond this, the framework addresses practical deployment challenges with scalability, interoperability and smart grid standards. The value of this work lies in a complete solution to address the literature gap between theory and the practical needs of cybersecurity in digital substations.

Original language	English
Article number	131
Journal	Telecommunication Systems
Volume	88
Issue number	4
DOIs	https://doi.org/10.1007/s11235-025-01365-0
State	Published - Dec 2025

Keywords

Digital substations
Fault localization
Generic object-oriented substation event (GOOSE)
Hardware-in-the-Loop (HIL)
Hybrid detection
IEC 61850
Intrusion detection system (IDS)
Network security among others
Software-defined networking (SDN)

Access to Document

10.1007/s11235-025-01365-0

Cite this

@article{887816acc96c4f1ba72ed37f0c87b706,

title = "Enhanced cybersecurity for digital substations: a hybrid SDN-IDS with active threat mitigation and fault localization",

abstract = "The increasing digitalization of substations leaves key power infrastructure with more vulnerability to cyberattacks. We present a more advanced model of cybersecurity that can be used in digital substations and propose it as an alternative to the current model in this paper. Unlike the existing literature, which is more of an isolated detection model or protocol-specific vulnerability, Our solution combines multi-feature attack detection and performs an adaptive weighting to obtain the full accuracy and robustness against evolving threats. It has been demonstrated that the system achieves higher detection rates and lower false positive rates than state-of-the-art on a variety of experiments using typical attack scenarios. Beyond this, the framework addresses practical deployment challenges with scalability, interoperability and smart grid standards. The value of this work lies in a complete solution to address the literature gap between theory and the practical needs of cybersecurity in digital substations.",

keywords = "Digital substations, Fault localization, Generic object-oriented substation event (GOOSE), Hardware-in-the-Loop (HIL), Hybrid detection, IEC 61850, Intrusion detection system (IDS), Network security among others, Software-defined networking (SDN)",

author = "Alshehri, \{Mohammed S.\} and Sajid Mehmood and Jaroslav Frnda and Alshehri, \{Asma Hassan\} and Alsubaei, \{Faisal S.\} and Rashid Amin",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2025.",

year = "2025",

month = dec,

doi = "10.1007/s11235-025-01365-0",

language = "English",

volume = "88",

journal = "Telecommunication Systems",

issn = "1018-4864",

publisher = "Springer Netherlands",

number = "4",

}

TY - JOUR

T1 - Enhanced cybersecurity for digital substations

T2 - a hybrid SDN-IDS with active threat mitigation and fault localization

AU - Alshehri, Mohammed S.

AU - Mehmood, Sajid

AU - Frnda, Jaroslav

AU - Alshehri, Asma Hassan

AU - Alsubaei, Faisal S.

AU - Amin, Rashid

N1 - Publisher Copyright: © The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2025.

PY - 2025/12

Y1 - 2025/12

N2 - The increasing digitalization of substations leaves key power infrastructure with more vulnerability to cyberattacks. We present a more advanced model of cybersecurity that can be used in digital substations and propose it as an alternative to the current model in this paper. Unlike the existing literature, which is more of an isolated detection model or protocol-specific vulnerability, Our solution combines multi-feature attack detection and performs an adaptive weighting to obtain the full accuracy and robustness against evolving threats. It has been demonstrated that the system achieves higher detection rates and lower false positive rates than state-of-the-art on a variety of experiments using typical attack scenarios. Beyond this, the framework addresses practical deployment challenges with scalability, interoperability and smart grid standards. The value of this work lies in a complete solution to address the literature gap between theory and the practical needs of cybersecurity in digital substations.

AB - The increasing digitalization of substations leaves key power infrastructure with more vulnerability to cyberattacks. We present a more advanced model of cybersecurity that can be used in digital substations and propose it as an alternative to the current model in this paper. Unlike the existing literature, which is more of an isolated detection model or protocol-specific vulnerability, Our solution combines multi-feature attack detection and performs an adaptive weighting to obtain the full accuracy and robustness against evolving threats. It has been demonstrated that the system achieves higher detection rates and lower false positive rates than state-of-the-art on a variety of experiments using typical attack scenarios. Beyond this, the framework addresses practical deployment challenges with scalability, interoperability and smart grid standards. The value of this work lies in a complete solution to address the literature gap between theory and the practical needs of cybersecurity in digital substations.

KW - Digital substations

KW - Fault localization

KW - Generic object-oriented substation event (GOOSE)

KW - Hardware-in-the-Loop (HIL)

KW - Hybrid detection

KW - IEC 61850

KW - Intrusion detection system (IDS)

KW - Network security among others

KW - Software-defined networking (SDN)

UR - https://www.scopus.com/pages/publications/105019754900

U2 - 10.1007/s11235-025-01365-0

DO - 10.1007/s11235-025-01365-0

M3 - Article

AN - SCOPUS:105019754900

SN - 1018-4864

VL - 88

JO - Telecommunication Systems

JF - Telecommunication Systems

IS - 4

M1 - 131

ER -

Enhanced cybersecurity for digital substations: a hybrid SDN-IDS with active threat mitigation and fault localization

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this