Risk–Observability Mismatch in an IEC 61850 Digital Substation: A Structured Cyber-Physical Assessment

IEC 61850 digital substations depend on communication services whose compromise can affect protection, supervision, and control. Existing work has advanced substation threat modeling, cyber-physical testbeds, and intrusion detection, but the relation between structured threat priority and operational observability remains under-characterized. This article examines that relation in a smart grid simulator (SGSim)-based IEC 61850 digital-substation environment. DFD-guided STRIDE analysis, CVSS v3.1 scoring, likelihood–impact prioritization, and ATT&CK for ICS mapping produce a 47-threat inventory. Three high-priority scenarios are then validated using packet-capture evidence and SCADA/HMI observations: a volumetric denial-of-service (DoS) attack against the IEC 60870-5-104 supervisory path, a TCP SYN flood targeting the same service endpoint, and a GOOSE false data injection (FDI) attack targeting event communication. The analysis distinguishes risk priority, operational observability, and operational consequence, and evaluates each attack across network, service, and operator planes. The results show that, in the studied environment, the validated high-priority attacks do not disclose their severity through a common visibility pattern. The volumetric DoS case is strongly visible and primarily compromises communication availability; the SYN flood weakens control recoverability while remaining weakly visible at the operator plane; and the GOOSE FDI case preserves communication continuity while falsifying the represented operational state. These findings indicate that visible disruption alone is insufficient for interpreting cyber-physical severity in the studied SGSim-based digital substation.