Publication detail

Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling

WACHIURI, S.

Original Title

Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling

Type

report

Language

English

Original Abstract

The study focuses on the cybersecurity implementation that can extract anomalies in the operation of the GOOSE messaging approach. The peer-to-peer communications in an IEC 61850 integrated substation protection and control system are based on what is defined as GOOSE messages. These communications use multicast Ethernet communications and represent the asynchronous reporting of the IEDs' functional state based on the message exchange. GOOSE messages replace the hard-wired control signals exchanged between IEDs for status switching. Notably, GOOSE messages are not command-drivers and therefore do not tell any receiving IEDs what to do. They just indicate that a new event has occurred, what that event is and the time when it happened. The practical demonstration of this study, therefore, implements a statistical fingerprint on the GOOSE message to illustrate a scenario that identifies a correct (non-anomalous) GOOSE message from an incorrect (possibly compromised) GOOSE message. The study implements a statistical algorithm that mimics a supervised learning approach based on a training dataset and a testing dataset. Comparatively, the datasets are tested to distinguish the datasets that have a known traffic flow (correct GOOSE message) from the ones whose traffic flow is unknown or experienced an attack (incorrect GOOSE message).

Authors

WACHIURI, S.

Released

3. 8. 2020

Location

Brno

Pages count

23

URL

BibTex

@techreport{BUT168670,
  author="Simon {Wachiuri}",
  title="Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling",
  year="2020",
  address="Brno",
  pages="23",
  url="https://www.fit.vut.cz/research/publication/12330/"
}