Securing Substations, IEC 61850 Environments and Grid Control Systems

In 2016, the Industroyer malware, also known as CrashOverride, caused a one-hour power outage in part of Kyiv by speaking the native protocols of substation equipment directly. Unlike the 2015 attack that relied on hijacked operator screens, Industroyer contained dedicated modules for IEC 61850, IEC 60870-5-101 and 104, and OPC, allowing it to issue switching commands to protective relays autonomously. It was the first malware purpose-built to manipulate grid substations, and it proved that the digital substation is now a software attack surface, not just a physical one.

The Shift to Digital Substations

Traditional substations relied on hard-wired copper and electromechanical relays that were difficult to attack remotely. Modern digital substations replace this with Ethernet networks, intelligent electronic devices and the IEC 61850 standard, which dramatically improves operational flexibility but introduces a routable, software-defined attack surface. The protective relays, merging units and bay controllers that keep the grid stable now sit on a network that can, if poorly protected, be reached and manipulated.

IEC 61850 and Its Security Gaps

IEC 61850 defines fast, time-critical messaging within the substation, including GOOSE messages that trip breakers in milliseconds and Sampled Values that carry measurement data. These messages were designed for speed and determinism, not security, and in their base form carry no authentication, so a spoofed GOOSE message could trip a breaker or block protection from operating. While the IEC 62351 standard adds security to these protocols, adoption is uneven and many installed devices do not support it, leaving substation networks dependent on segmentation and monitoring for protection.

  • GOOSE messages trip breakers in milliseconds with no native authentication
  • Sampled Values carry measurement data that drives protection decisions
  • MMS provides client-server control and configuration over TCP/IP
  • IEC 62351 adds security but is unevenly supported by installed devices
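Where devices cannot run IEC 62351, the monitoring mentioned above can include a passive check on the GOOSE traffic itself. The sketch below is an added example, not code from this page or from Kyanite Blue or Hadrian: it reads Ethernet frames from a span port or capture, assumes the standard GOOSE layout (EtherType 0x88B8, BER-encoded gocbRef, stNum and sqNum fields), and flags a control block whose publisher MAC changes or whose counters go backwards. The names `GooseMonitor`, `sample_frame` and the alert strings are hypothetical.

```python
FIELDS = {0x80: "gocbRef", 0x85: "stNum", 0x86: "sqNum"}   # goosePdu context tags

def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index of the first value byte)."""
    n = buf[i] & 0x7F
    if buf[i] < 0x80:
        return n, i + 1
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_goose(frame):
    """Return src MAC, gocbRef, stNum, sqNum; None if not GOOSE, truncated, or fields missing."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12          # skip an 802.1Q tag if present
    if frame[off:off + 2] != b"\x88\xb8" or frame[off + 10:off + 11] != b"\x61":
        return None                                          # need GOOSE EtherType and goosePdu tag
    out = {"src": frame[6:12].hex(":")}
    try:
        total, i = _ber_len(frame, off + 11)                 # past APPID/Length/Reserved1/Reserved2
        end = min(i + total, len(frame))
        while i < end:
            tag = frame[i]
            length, i = _ber_len(frame, i + 1)
            if tag in FIELDS:
                val = frame[i:i + length]
                out[FIELDS[tag]] = val if tag == 0x80 else int.from_bytes(val, "big")
            i += length
    except IndexError:
        return None
    return out if len(out) == 4 else None

class GooseMonitor:
    """Per-control-block anomaly flags. Alerts need triage: an IED restart also resets counters."""
    def __init__(self):
        self.last = {}
    def check(self, frame):
        g, alerts = parse_goose(frame), []
        if g is None:
            return alerts
        prev = self.last.get(g["gocbRef"])
        self.last[g["gocbRef"]] = g
        if prev:
            if g["src"] != prev["src"]:
                alerts.append("publisher-mac-changed")
            if g["stNum"] < prev["stNum"]:
                alerts.append("stnum-regressed")
            elif g["stNum"] == prev["stNum"] and g["sqNum"] <= prev["sqNum"]:
                alerts.append("sqnum-not-advancing")
        return alerts

def sample_frame(src_hex, st, sq):
    """Constructed, simplified test frame: only gocbRef "gcb1", stNum and sqNum (each < 256)."""
    return bytes.fromhex(f"010ccd010001{src_hex}88b80001001600000000610c8004676362318501{st:02x}8601{sq:02x}")
```

In use, `check()` is called once per captured frame and any returned alert is forwarded to the SOC with the control block reference and source MAC.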

Securing the Substation Attack Surface

Protecting a digital substation means treating the substation LAN as a sensitive control zone in its own right. Station-bus and process-bus traffic should be segmented and isolated from any wide-area or corporate connectivity, remote engineering access should be brokered through monitored jump hosts with MFA, and the discovery of any internet-facing substation interface is a critical finding. Many operators are surprised to learn that substation gateways, engineering interfaces or vendor remote-access links are reachable from outside, and closing that exposure is the highest-priority action.

Knowing What Is Exposed Before an Attacker Does

Substations are often geographically distributed and remotely managed, which means exposure tends to accumulate quietly: a maintenance modem left connected, a vendor VPN that was never decommissioned, a misconfigured gateway. The only reliable way to manage this is continuous external discovery that finds what is reachable from the internet across the whole estate, validates whether it is genuinely exploitable, and prioritises remediation. You cannot defend an exposed substation interface you do not know exists.

How Kyanite Blue and Hadrian Deliver This

Kyanite Blue uses Hadrian to continuously and autonomously discover every internet-facing asset across your substation and grid-control estate, including the remote sites, gateways and vendor links that traditional audits miss. Hadrian validates which exposures are genuinely exploitable rather than drowning your team in theoretical findings, and prioritises the ones that matter. Combined with our segmentation and monitoring services for the substation LAN itself, this gives operators assurance that the digital substation, the very surface Industroyer attacked, is not silently reachable from the outside.

Frequently Asked Questions

What makes IEC 61850 substations a security concern?

IEC 61850 replaces hard-wired relay logic with Ethernet-based messaging such as GOOSE and Sampled Values. These protocols were designed for speed rather than security and carry no native authentication, so on an unprotected network a spoofed message could trip a breaker or suppress protection, which is why segmentation and monitoring are essential.

How did Industroyer attack substations?

Industroyer included dedicated protocol modules for IEC 61850, IEC 60870-5-101 and 104, and OPC, letting it communicate directly with protective relays and issue switching commands autonomously. It blacked out part of Kyiv in 2016 and was the first malware purpose-built to manipulate grid substation equipment.

How do we find out if our substations are exposed to the internet?

Continuous external attack-surface discovery maps every reachable asset across your distributed substation estate, including forgotten maintenance modems and vendor VPNs, and validates which exposures are genuinely exploitable. This is how Kyanite Blue, using Hadrian, surfaces substation interfaces that should never be internet-facing.
