Living Off the Land Attacks on IEC 61850 Substations
Robin Eriksen Birkeland, Siv Hilde Houmb
July 3, 2026

Abstract

Power from Shore (PfS) is becoming more widespread for offshore petroleum installations, which has introduced new dependencies and the potential for a single point of failure. In addition, the cyber threat landscape is expanding, with state-sponsored actors demonstrating the capability and willingness to target Operational Technology (OT) systems. Threat actors have been seen using living off the land techniques, as with the Industroyer malware, which used legitimate but malicious IEC 104 commands to open circuit breakers. To evaluate these vulnerabilities, this study applied a Design Science Research approach to map a generalized substation and develop a Software-in-the-Loop simulator, which was used to test a specific attack vector against substation automation systems. The results confirm that an adversary with local network access can successfully inject valid IEC 61850 Manufacturing Message Specification (MMS) commands to trigger unauthorized circuit breaker operations. The study also shows that a simulated substation can be used as a tool when developing OT malware.

IPC Classification

G06, H04, B60, H01
