S4 Call For Papers

Identifying Security Relevant IEC 61850 Events

The widespread deployment and integration of the IEC 61850 standard in electrical substations, hydroelectric power plants, wind power plants, etc., adds a new challenge to security event analysis, namely which IEC 61850 events are to be deemed relevant from a security perspective.

Probably the very first data objects to look at are those which are explicitly related to security. In IEC 61850 the set of such data objects may include security violation counters, number of counter resets, authorization failures, access control failures, service privilege violations, and inactive associations. These data objects reside in logical nodes referred to as generic security application logical nodes (GSAL). Although GSAL logical nodes have been defined specifically for monitoring access control scheme violations, their attributes are retrievable like any other process-related data attributes.

The transition of logical nodes into degraded mode could also be worth recording and analyzing, since a logical node in degraded mode cannot operate correctly. A common cause of a logical node entering degraded mode is the reception of corrupted data, and some attacks may generate physical and logical traffic which is not IEC 61850 compliant.

A series of events potentially related to security could be derived by following a specification-based intrusion detection approach. Examples of these events may include violations of data attribute types, or violations of functional constraints.
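The three sources of security-relevant events described above (GSAL counter movements, logical nodes entering degraded mode, and specification-based type and functional-constraint checks) can be turned into a single classifier that runs over a stream of already decoded IEC 61850 events. The code below is an added example and not part of the original abstract; the GSAL data-object names follow IEC 61850-7-4, while the attribute names, the basic-type table, the set of writable functional constraints, the use of Health leaving "Ok" as the marker of degraded mode, and the sample stream are all assumptions made for illustration.

```python
"""Flag security-relevant IEC 61850 events (constructed example; GSAL names per
IEC 61850-7-4, attribute names / type table / writable FCs are assumptions)."""
from collections import namedtuple
# GSAL counters: authorization failures, access-control failures, service
# privilege violations, inactive associations, number of counter resets.
GSAL_COUNTERS = {"AuthFail", "AcsCtlFail", "SvcViol", "Ina", "NumCntRs"}
WRITABLE_FC = {"CO", "SP", "SG", "SE", "CF", "DC"}  # assumption: ST/MX read-only
BASIC_TYPES = {"BOOLEAN": bool, "INT32": int, "FLOAT32": float, "Enum": str}

# One decoded report or write: logical node instance, data object, data attribute,
# functional constraint, declared basic type, value, service ("Report"/"Write").
Event = namedtuple("Event", "ln do da fc basic_type value service")

def classify(prev, ev):
    """Return the reasons `ev` is security relevant; `prev` keeps last values."""
    reasons, key = [], (ev.ln, ev.do, ev.da)
    old = prev.get(key)
    # Specification-based checks: declared attribute type and functional constraint.
    expected = BASIC_TYPES.get(ev.basic_type)
    if expected is None or not isinstance(ev.value, expected):
        return [f"type violation: {ev.basic_type} got {type(ev.value).__name__}"]
    if ev.service == "Write" and ev.fc not in WRITABLE_FC:
        reasons.append(f"functional constraint violation: Write to FC={ev.fc}")
    if ev.ln.startswith("GSAL") and ev.do in GSAL_COUNTERS and old is not None:
        # GSAL counter moved: up means a violation occurred, down means a reset.
        if ev.value > old:
            reasons.append(f"{ev.ln}.{ev.do} incremented {old}->{ev.value}")
        elif ev.value < old:
            reasons.append(f"{ev.ln}.{ev.do} reset {old}->{ev.value}")
    if ev.do == "Health" and ev.da == "stVal" and old == "Ok" and ev.value != "Ok":
        # Health leaving Ok is used here as the proxy for degraded mode.
        reasons.append(f"{ev.ln} entered degraded mode (Health={ev.value})")
    prev[key] = ev.value
    return reasons

def analyse(events):
    """Return [(index, reasons)] for every event in the stream that classify() flags."""
    prev = {}
    return [(i, r) for i, ev in enumerate(events) if (r := classify(prev, ev))]

# Constructed sample stream (not captured from a real substation).
SAMPLE = [
    Event("GSAL1", "AuthFail", "cnt", "ST", "INT32", 0, "Report"),
    Event("GSAL1", "AuthFail", "cnt", "ST", "INT32", 3, "Report"),
    Event("PTOC1", "Health", "stVal", "ST", "Enum", "Ok", "Report"),
    Event("PTOC1", "Health", "stVal", "ST", "Enum", "Alarm", "Report"),
    Event("CSWI1", "Pos", "stVal", "ST", "Enum", "off", "Write"),
    Event("MMXU1", "TotW", "mag", "MX", "FLOAT32", "12.5", "Report"),
    Event("GSAL1", "AuthFail", "cnt", "ST", "INT32", 0, "Report"),
]
```

Running `analyse(SAMPLE)` flags five of the seven events: the counter increment and the later reset of GSAL1.AuthFail, PTOC1 leaving Health=Ok, a write against a status (ST) attribute, and a string arriving where a FLOAT32 was declared; the first baseline counter value and the initial Health=Ok report are not flagged.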
