Presentation is loading. Please wait.

Presentation is loading. Please wait.

Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc.

Published byHector Hawkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc."— Presentation transcript:

1 Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc Thiriet Eric Savary

2 gipsa-lab Content Introduction & objectives Substation Automation System IEC 61850 architecture GOOSE protocol Attack detection GOOSE attack resilient architecture Ethernet storm detection Corrupted GOOSE messages detection GreHack 2015 11/20/2015 Maëlle Kabir-Querrec2 / 11

3 gipsa-lab Introduction & Objectives GreHack 2015 11/20/2015 Maëlle Kabir-Querrec3 / 11 2003 North America Blackout Smart-grid  open & global networks IEC 61850 standard  interoparability "Communication networks and systems for power utility automation" security through isolation security through obscurity IntroductionSASAttack detectionConclusion Dedicated security measures are required!

4 gipsa-lab Substation Automation System - SAS IEC 61850 communication architecture 4 / 11 OSI mapping of IEC 61850 protocols IEC 61850 communication architecture IntroductionSASAttack detectionConclusion GreHack 2015 11/20/2015 Maëlle Kabir-Querrec

5 gipsa-lab Substation Automation System - SAS GOOSE protocol 5 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec GOOSE frame structure T0(T0) T3 T0 Transmission time T2T1 event T0 retransmission in stable conditions (no event for a long time) (T0) retransmission in stable conditions may be shortened by an event T1 shortest retransmission time after an event T2, T3 longer retransmission times until achieving stable conditions GOOSE transmission mechanism Attacks: Ethernet storm Fraudulent GOOSE messages IntroductionSASAttack detectionConclusion

6 gipsa-lab GOOSE attack detection GOOSE attack resilient architecture 6 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec Resilient communication architecture Ethernet IED-supervision Ethernet IED-IED Modbus Bandwidth checker Corrupted GOOSE detector SCADA Request Alarm IED 1 IED coupling IED 2 supply 1 supply 2 coupling section 1 section 2 IntroductionSASAttack detectionConclusion

7 gipsa-lab GOOSE attack detection Bandwidth checker 7 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec From ifstat Start ifstat in Modbus server mode Initialize Modbus server Wait for client connections While (ifstat runs) While (Client_Connection_Counter < Configured_Window) Mean_Bandwidth += Number_of_IN_Frames_Since_Last_Connection / Configured_Window Reset Client_Connection_Counter IntroductionSASAttack detectionConclusion Algo – bandwidth measurement

8 gipsa-lab GOOSE attack detection Corrupted GOOSE frame detector 8 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec GOOSE attack timeline T0T0 T0T0 T0T0 T1T1 T0T0 T1T1 T1T1 T1T1 T1T1 T1T1 T1T1 T1T1 T1T1 T1T1 T0T0 Attack – false GOOSE messages Legitimate messages Inconsistent Sequence numbers Consecutive Sequence numbers GOOSE scapy master to: sniff GOOSE messages, decode them, change a Boolean variable value in Data Set modify StNum and SqNum appropriately, encode fraudulent message, send it. IntroductionSASAttack detectionConclusion Algo – fraudulent GOOSE message generator

9 gipsa-lab GOOSE attack detection Corrupted GOOSE frame detector 9 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec From tcpdump 4.7.4 / libpcap 1.7.4 Results from fraudulent GOOSE detector (GICS platform) Start tcpdump in Modbus server mode Initialize Modbus server While (tcpdump runs) Get captured GOOSE message Get RxTime Get GOOSE PDU fields and store them Check Source_Address Check GoID Check StNum and SqNum Check RxTime IntroductionSASAttack detectionConclusion Algo – fraudulent GOOSE message detector Legitimate message Fraudulent message

10 gipsa-lab Conclusion & further work GOOSE traffic analyzer The whole architecture is not completed yet. 10 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec IntroductionSASAttack detectionConclusion

11 gipsa-lab Questions & comments 11 / 11GreHack 2015 11/20/2015 Maëlle Kabir-Querrec

Download ppt "Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications Maëlle Kabir-Querrec Stéphane Mocanu Pascal Bellemain Jean-Marc."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Client Server. Server Client Model Servers- Wait for requests from clients - Sends requested data to client - May have to communicate with other servers.

Client Server. Server Client Model Servers- Wait for requests from clients - Sends requested data to client - May have to communicate with other servers.
The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.

The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.
Understanding the IEC 61850 Standard 101598047 李嘉凱 指導教授:柯開維.

Understanding the IEC Standard 李嘉凱 指導教授:柯開維.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Answers of Exercise 7 1. Explain what are the connection-oriented communication and the connectionless communication. Give some examples for each of the.

Answers of Exercise 7 1. Explain what are the connection-oriented communication and the connectionless communication. Give some examples for each of the.
Substation Automation (S.A) System Project Supervisor: Stuart Wildy.

Substation Automation (S.A) System Project Supervisor: Stuart Wildy.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.

A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.
EE 4272Spring, 2003 EE4272: Computer Networks Instructor: Tricia Chigan Dept.: Elec. & Comp. Eng. Spring, 2003.

EE 4272Spring, 2003 EE4272: Computer Networks Instructor: Tricia Chigan Dept.: Elec. & Comp. Eng. Spring, 2003.
EE 4272Spring, 2003 Protocols & Architecture A Protocol Architecture is the layered structure of hardware & software that supports the exchange of data.

EE 4272Spring, 2003 Protocols & Architecture A Protocol Architecture is the layered structure of hardware & software that supports the exchange of data.
The Mobile Code Paradigm and Its Security Issues Anthony Chan September 13, 1999.

The Mobile Code Paradigm and Its Security Issues Anthony Chan September 13, 1999.
1 Diagnostics Project Introduction Matt Morgan. 2 Diagnostic ’ s Project Purpose Develop the Network layer services for diagnostics on CAN for road vehicle.

1 Diagnostics Project Introduction Matt Morgan. 2 Diagnostic ’ s Project Purpose Develop the Network layer services for diagnostics on CAN for road vehicle.
Lecture 1 Overview: roadmap 1.1 What is computer network? the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  network.

Lecture 1 Overview: roadmap 1.1 What is computer network? the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  network.
.NET Mobile Application Development Introduction to Mobile and Distributed Applications.

.NET Mobile Application Development Introduction to Mobile and Distributed Applications.
Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.

Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.
OPC Alarm.NET.

OPC Alarm.NET.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Similar presentations

Ads by Google