Flow based monitoring of ICS communication in the smart grid
Journal of Information Security and Applications (IF 5.6), Pub Date: 2020-06-11, DOI: 10.1016/j.jisa.2020.102535
Petr Matoušek , Ondřej Ryšavý , Matěj Grégr , Vojtěch Havlena

A smart grid network is part of critical infrastructure, and its interruption or blackout may have fatal consequences for energy production, distribution, and, ultimately, people's lives. Smart grid networks can be targeted by cyber attacks originating outside or inside the network. Traditional smart grid protection consists of firewalls and IDS/IPS devices, usually deployed at the network edge where they inspect incoming and outgoing traffic. This approach is adequate against external threats. Internal threats, for instance malware infecting a control station, are much harder to detect at the network edge, because the malicious activity is commonly masked as legitimate communication. Two elements are essential for the successful identification of cyber security attacks.

The first is visibility of the Industrial Control System (ICS) communication, which lets a smart grid operator see real-time transmissions in the network. The second is an anomaly detection system that analyzes the monitoring data and identifies possible cyber security attacks. This paper presents a novel system for monitoring ICS/SCADA protocols based on IP flows extended with application-layer data obtained from ICS packet headers. The monitoring system provides in-depth insight into ICS communication. By applying statistics-based methods or by building communication profiles with probabilistic automata, common security attacks as well as unknown threats can be identified. The proposed approach is demonstrated on IEC 60870-5-104 communication.
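As an added illustration (not code from the paper or its authors), the toy Python monitor below extracts IEC 60870-5-104 header fields (type identification and cause of transmission) from constructed I-frames, aggregates packets into flow records extended with those fields, learns a profile from baseline traffic and reports flows that fall outside it. The whitelist profile is an assumption standing in for the paper's statistical and automata-based profiles, and all addresses and packets are constructed.

```python
from collections import Counter

# IEC 104 I-frame layout: 0x68 | len | 4 control octets | TypeID | VSQ |
# COT | originator | common address (2) | IOA (3) | information elements
def parse_iec104(apdu):
    """Return (type_id, cot, common_addr, ioa) for an I-format APDU, else None."""
    if len(apdu) < 15 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:  # S- or U-format frame carries no ASDU
        return None
    type_id = apdu[6]
    cot = apdu[8] & 0x3F  # bit 7 = test flag, bit 6 = negative confirm
    common_addr = apdu[10] | (apdu[11] << 8)
    ioa = apdu[12] | (apdu[13] << 8) | (apdu[14] << 16)
    return type_id, cot, common_addr, ioa

def make_i_frame(type_id, cot, ca=1, ioa=1, element=b"\x00"):
    """Build a constructed I-format APDU (send/receive sequence numbers = 0)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

def extended_flows(packets):
    """Aggregate (src, dst, apdu) packets into flows keyed by ICS header fields."""
    flows = Counter()
    for src, dst, apdu in packets:
        fields = parse_iec104(apdu)
        if fields:
            flows[(src, dst, fields[0], fields[1])] += 1
    return flows

def learn_profile(packets):
    """Assumed profile: the set of (src, dst, TypeID, COT) tuples seen in baseline."""
    return set(extended_flows(packets))

def detect_anomalies(profile, packets):
    """Flows whose (src, dst, TypeID, COT) never appeared during learning."""
    return sorted(k for k in extended_flows(packets) if k not in profile)

MASTER, RTU = "10.0.0.1", "10.0.0.2"  # constructed addresses
# Constructed baseline: spontaneous single-point reports (type 1, COT 3) and a
# general interrogation exchange (type 100, COT 6 activation / COT 7 confirm).
BASELINE = [(RTU, MASTER, make_i_frame(1, 3, ioa=1001))] * 5 + [
    (MASTER, RTU, make_i_frame(100, 6, element=b"\x14")),
    (RTU, MASTER, make_i_frame(100, 7, element=b"\x14")),
]
# Constructed observed traffic: baseline plus a single command (type 45, COT 6)
# that never appeared during learning, so the monitor should report it.
OBSERVED = BASELINE + [(MASTER, RTU, make_i_frame(45, 6, ioa=2001, element=b"\x01"))]
```

Running `detect_anomalies(learn_profile(BASELINE), OBSERVED)` reports the single-command flow from the master to the RTU, the kind of masked internal activity an edge IDS would pass as legitimate traffic.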




Updated: 2020-06-11