Publication detail

Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling

WACHIURI, S.

Original title

Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling

Language

en

Original abstract

The study focuses on the cybersecurity implementation that can extract anomalies in the operation of the GOOSE messaging approach. The peer-to-peer communications in IEC 61850 integrated substation protection and control systems are based on what is defined as GOOSE messages. These communications use multicast Ethernet communications and represent the asynchronous reporting of the IEDs' functional state based on the message exchange. GOOSE messages replace the hard-wired control signals exchanged between IEDs for status switching. Notably, GOOSE messages are not command-drivers and therefore do not tell any receiving IEDs what to do. They just indicate that a new event has occurred, what that event is and the time when it happened. The practical demonstration of this study, therefore, implements a statistical fingerprint on the GOOSE message to illustrate a scenario that identifies a correct (non-anomalous) GOOSE message from an incorrect (possibly compromised) GOOSE message. The study implements a statistical algorithm that mimics a supervised learning approach based on a training dataset and a testing dataset. Comparatively, the datasets are tested to distinguish the datasets that have a known traffic flow (correct GOOSE message) from the ones whose traffic flow is unknown or experienced an attack (incorrect GOOSE message).

BibTeX


@techreport{BUT168670,
  author="Simon {Wachiuri}",
  title="Security Analysis of the GOOSE Communication Protocol Using Statistical Profiling",
  annote="The study focuses on the cybersecurity implementation that can extract anomalies
in the operation of the GOOSE messaging approach. The peer-to-peer communications
in IEC 61850 integrated substation protection and control system are based on
what is defined as GOOSE messages. These communications use multicast Ethernet
communications and represent the asynchronous reporting of the IEDs' functional
state based on the message exchange. GOOSE messages replace the hard-wired
control signals exchanged between IEDs for status switching. Notably, GOOSE
messages are not command-drivers and therefore do not tell any receiving IEDs
what to do. They just indicate that a new event has occurred, what that event is
and the time when it happened.
The practical demonstration of this study, therefore, implements a statistical
fingerprint on the GOOSE message to illustrate a scenario that identifies
a correct (non-anomalous) GOOSE message from an incorrect (possibly compromised)
GOOSE message. The study implements a statistical algorithm that mimics
a supervised learning approach based on a training dataset and a testing dataset.
Comparatively, the datasets are tested to distinguish the datasets that have
a known traffic flow (correct GOOSE message) from the ones whose traffic flow is
unknown or experienced an attack (incorrect GOOSE message).",
  address="NEUVEDEN",
  chapter="168670",
  edition="NEUVEDEN",
  howpublished="print",
  institution="NEUVEDEN",
  year="2020",
  month="august",
  pages="0--0",
  publisher="NEUVEDEN",
  type="report"
}