An IEC 61850 MMS Traffic Parser for Customizable and Efficient Intrusion Detection

Manufacturing Message Specification (MMS) protocol is widely used in IEC 61850-based substations to improve process automation. However, it could be vulnerable to various cyber threats. A common defense solution is to deploy intrusion detection systems (IDSes) to analyze network traffic for anomalies. However, several challenges remain for designing a protocol parser for IDS to dissect MMS packets, such as the need to support many MMS services and the complex data structure. Moreover, processing every MMS packet may overwhelm the IDS to impact the throughput and latency. In this work, we develop an MMS parser for the open-source Zeek IDS to analyze MMS traffic and detect intrusions. We explain the challenges of parsing MMS packets and detail our design choices. To reduce the processing load, we implement filtering rules in our parser to customize which MMS packets are used by Zeek rules for intrusion analysis. We formulated test cases to validate our parser's correctness and conducted experiments to evaluate its throughput and latency. Our results show that custom filtering of MMS packets can achieve higher throughput and lower delay compared to no filtering. We provide a case study to demonstrate how the parsed data can be used for designing IDS rules.