Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc.

Presentation transcript:

Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc Thiriet Eric Savary

gipsa-lab
GreHack /20/2015 Maëlle Kabir-Querrec 2 / 11

Content
Introduction & objectives
Substation Automation System
  IEC architecture
  GOOSE protocol
Attack detection
  GOOSE attack resilient architecture
  Ethernet storm detection
  Corrupted GOOSE messages detection

Introduction & Objectives
North America Blackout
Smart-grid → open & global networks
IEC standard → interoperability
"Communication networks and systems for power utility automation"
security through isolation
security through obscurity
Dedicated security measures are required!

Substation Automation System - SAS: IEC communication architecture
[Figure: OSI mapping of IEC protocols]
[Figure: IEC communication architecture]

Substation Automation System - SAS: GOOSE protocol
[Figure: GOOSE frame structure]
[Figure: GOOSE transmission mechanism. Labels: Transmission time, event, T0, (T0), T1, T2, T3]
  T0: retransmission in stable conditions (no event for a long time)
  (T0): retransmission in stable conditions may be shortened by an event
  T1: shortest retransmission time after an event
  T2, T3: longer retransmission times until achieving stable conditions
Attacks:
  Ethernet storm
  Fraudulent GOOSE messages

GOOSE attack detection: GOOSE attack resilient architecture
[Figure: Resilient communication architecture. Labels: SCADA, Bandwidth checker, Corrupted GOOSE detector, IED 1, IED coupling, IED 2, supply 1, supply 2, coupling, section 1, section 2. Links: Ethernet IED-supervision, Ethernet IED-IED, Modbus. Messages: Request, Alarm.]

GOOSE attack detection: Bandwidth checker
From ifstat
Algo – bandwidth measurement:
  Start ifstat in Modbus server mode
  Initialize Modbus server
  Wait for client connections
  While (ifstat runs)
    While (Client_Connection_Counter < Configured_Window)
      Mean_Bandwidth += Number_of_IN_Frames_Since_Last_Connection / Configured_Window
    Reset Client_Connection_Counter
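The windowed mean from the bandwidth-measurement algorithm, as an added example that is not code from the presentation. It assumes the IN-frame count comes from a cumulative 32-bit interface counter and that an alarm is raised above a configured threshold; `BandwidthChecker`, `run_checker`, the threshold and the sample readings are all constructed for illustration.

```python
COUNTER_MOD = 2 ** 32     # assumption: 32-bit cumulative IN-frame counter

class BandwidthChecker:
    def __init__(self, window, threshold):
        self.window = window          # Configured_Window (polls per mean)
        self.threshold = threshold    # assumed alarm level, frames per poll
        self.prev = None              # counter value at the last connection
        self.mean = 0.0               # Mean_Bandwidth being accumulated
        self.count = 0                # Client_Connection_Counter

    def poll(self, in_frames_total):
        """Call once per client connection with the cumulative counter.
        Returns (mean, alarm) when a window completes, otherwise None."""
        if self.prev is None:         # first connection: no interval yet
            self.prev = in_frames_total
            return None
        # Frames since the last connection; the modulo absorbs counter wrap.
        delta = (in_frames_total - self.prev) % COUNTER_MOD
        self.prev = in_frames_total
        self.mean += delta / self.window
        self.count += 1
        if self.count < self.window:
            return None
        mean = self.mean
        self.mean, self.count = 0.0, 0   # reset for the next window
        return mean, mean > self.threshold

# Constructed counter readings: a quiet window that crosses the 32-bit
# wrap, followed by a window with storm-level traffic.
SAMPLES = [4294967000, 4294967100, 4294967200, 4, 104,
           2104, 6104, 10104, 14104]

def run_checker(samples, window=4, threshold=500):
    checker = BandwidthChecker(window, threshold)
    results = (checker.poll(s) for s in samples)
    return [r for r in results if r is not None]
```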

GOOSE attack detection: Corrupted GOOSE frame detector
[Figure: GOOSE attack timeline. Labels: T0, T1, Attack – false GOOSE messages, Legitimate messages, Inconsistent Sequence numbers, Consecutive Sequence numbers]
Algo – fraudulent GOOSE message generator:
  GOOSE scapy master to:
    sniff GOOSE messages,
    decode them,
    change a Boolean variable value in Data Set,
    modify StNum and SqNum appropriately,
    encode fraudulent message,
    send it.

GOOSE attack detection: Corrupted GOOSE frame detector
From tcpdump / libpcap
Algo – fraudulent GOOSE message detector:
  Start tcpdump in Modbus server mode
  Initialize Modbus server
  While (tcpdump runs)
    Get captured GOOSE message
    Get RxTime
    Get GOOSE PDU fields and store them
    Check Source_Address
    Check GoID
    Check StNum and SqNum
    Check RxTime
[Figure: Results from fraudulent GOOSE detector (GICS platform). Panels: Legitimate message, Fraudulent message]
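The four checks of the detector algorithm applied to already-decoded messages, as an added example that is not the presenters' implementation. It assumes StNum increases by one on each event with SqNum restarting at 0, and SqNum increasing by one on each retransmission; the `Publisher` profile, timing values, MAC addresses, GoIDs and the trace are constructed.

```python
from dataclasses import dataclass

@dataclass
class Publisher:              # constructed per-GoID profile (values are assumptions)
    src_mac: str
    t0: float = 1.0           # retransmission period in stable conditions (s)
    t1: float = 0.004         # shortest retransmission time after an event (s)
    tol: float = 0.2          # accepted relative jitter on T0

class GooseDetector:
    def __init__(self, publishers):
        self.publishers = publishers   # GoID -> Publisher
        self.last = {}                 # GoID -> (StNum, SqNum, RxTime)

    def check(self, rx_time, src_mac, go_id, st_num, sq_num):
        """Return the anomalies found in one decoded GOOSE message."""
        pub = self.publishers.get(go_id)
        if pub is None:
            return ["unknown GoID"]
        alarms = []
        if src_mac.lower() != pub.src_mac:
            alarms.append("unexpected Source_Address")
        if go_id in self.last:
            p_st, p_sq, p_rx = self.last[go_id]
            dt = rx_time - p_rx
            if st_num == p_st:                     # retransmission of same state
                if sq_num != p_sq + 1:
                    alarms.append("inconsistent SqNum")
                if dt < pub.t1:
                    alarms.append("RxTime below T1")
            elif st_num == p_st + 1:               # new event
                if sq_num != 0:
                    alarms.append("SqNum not reset on new StNum")
            else:
                alarms.append("inconsistent StNum")
            if dt > pub.t0 * (1 + pub.tol):
                alarms.append("RxTime gap above T0")
        self.last[go_id] = (st_num, sq_num, rx_time)
        return alarms

# Constructed trace: (RxTime, Source_Address, GoID, StNum, SqNum)
MAC = "00:11:22:33:44:55"
TRACE = [
    (0.0, MAC, "IED1/GO1", 1, 10),
    (1.0, MAC, "IED1/GO1", 1, 11),
    (1.5, MAC, "IED1/GO1", 2, 0),                  # injected state change
    (2.0, MAC, "IED1/GO1", 1, 12),                 # publisher still in state 1
    (2.001, "de:ad:be:ef:00:01", "IED1/GO1", 1, 13),
    (9.0, MAC, "IED9/GO1", 1, 0),
]

def run_detector(trace):
    det = GooseDetector({"IED1/GO1": Publisher(MAC)})
    return [det.check(*msg) for msg in trace]
```

In this trace the alarm fires on the legitimate retransmission that follows the injected message, because the two streams disagree on StNum; the detector reports the inconsistency, not which sender is authentic.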

Conclusion & further work
GOOSE traffic analyzer
The whole architecture is not completed yet.

Questions & comments