Securing Smart Grids: How IEC 61850 Configuration Files enable supply chain risk management and intrusion detection in Digital Substations
Smart grids have undergone a profound digitization process, integrating new data-driven control and supervision techniques and resulting in modern digital substations (DS). In this scenario, the IEC 61850 standard was created to systematize the deployment of DS by standardizing all the communications involved in their operation. Besides several communication protocols, the standard includes a data model and a substation configuration language (SCL), which allow multi-vendor devices to be integrated in the substation. SCL files provide information about the topology of the substation and the configuration of all control devices that are deployed.
We present a solution for IEC 61850 substations that makes use of these features of the standard to address two of the main concerns of utility companies: cybersecurity risks associated with the supply chain, and the detection of hidden activity of a hacker inside the substation.
The solution takes the Substation Configuration Description (SCD) as input. In the first case, it generates an accurate and complete inventory of the devices, associated software and services that are deployed in the substations. This information contributes to the rapid identification of vulnerable components deployed in Operational Technology (OT) environments and to triggering an incident response process to analyze, triage and remediate the detected vulnerabilities. In the second case, the solution incorporates information about the substation components and the information they exchange to generate detection rules for each specific substation, improving the results of the intrusion detection systems.
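A sketch of the two uses described above, added here as an illustration and not the authors' implementation: it reads a constructed SCD fragment and derives an IED inventory and a GOOSE allowlist. The device names, vendors, addresses and function names are assumptions; the element and attribute names are those of the SCL schema.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}
# Constructed sample SCD fragment (hypothetical devices, not a real substation).
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication><SubNetwork name="StationBus">
    <ConnectedAP iedName="PROT_F1" apName="AP1">
      <Address><P type="IP">10.0.0.11</P></Address>
      <GSE ldInst="LD0" cbName="gcbTrip"><Address>
        <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P>
      </Address></GSE>
    </ConnectedAP>
    <ConnectedAP iedName="BCU_F1" apName="AP1">
      <Address><P type="IP">10.0.0.12</P></Address>
    </ConnectedAP>
  </SubNetwork></Communication>
  <IED name="PROT_F1" manufacturer="VendorA" type="RelayX" configVersion="1.2"/>
  <IED name="BCU_F1" manufacturer="VendorB" type="BayCtrlY" configVersion="3.0"/>
</SCL>"""

def _params(address):
    """Map the <P type=...> children of an <Address> element to a dict."""
    if address is None:
        return {}
    return {p.get("type"): (p.text or "").strip() for p in address.findall("scl:P", NS)}

def inventory(root):
    """One record per IED: vendor, model, config version and configured IPs."""
    ips = {}
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        ip = _params(ap.find("scl:Address", NS)).get("IP")
        if ip:
            ips.setdefault(ap.get("iedName"), []).append(ip)
    return [{"name": i.get("name"), "manufacturer": i.get("manufacturer"),
             "type": i.get("type"), "configVersion": i.get("configVersion"),
             "ips": ips.get(i.get("name"), [])}
            for i in root.iterfind("scl:IED", NS)]

def goose_allowlist(root):
    """Configured (publisher, destination MAC, APPID) tuples for GOOSE traffic.
    A GOOSE frame on the wire that matches none of them is a detection candidate."""
    rules = set()
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        for gse in ap.iterfind("scl:GSE", NS):
            p = _params(gse.find("scl:Address", NS))
            mac = p.get("MAC-Address", "").lower().replace("-", ":")
            rules.add((ap.get("iedName"), mac, int(p.get("APPID", "0"), 16)))
    return rules

ROOT = ET.fromstring(SAMPLE_SCD)
```

The inventory records can be matched against vendor advisories by manufacturer and type, and the allowlist can be rendered into the rule syntax of whichever IDS is deployed. Treat SCD files received from vendors or integrators as untrusted XML and validate them against the SCL schema before use.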