Skip to main content
OSTI.GOVU.S. Department of Energy Office of Scientific and Technical Information
U.S. Department of Energy
Office of Scientific and Technical Information
 

Alerga: Alert Aggregation and Reasoning in GOOSE Simulation Pipeline

Conference ·
; ; ;
IEC 61850 specifies the Generic Object Oriented Substation Event (GOOSE) protocol as one option for low latency communication of substation-related events. Due to its strict timing requirements, GOOSE lacks any form of encryption or authentication and has only minimal integrity guarantees. These absences render the protocol vulnerable to a variety of communication anomalies, including adversarial action. In particular, an adversary with access to the substation network can launch man in the middle (MITM) attacks. We propose Alerga, a set of tools to allow operators to mitigate some of the risks of the protocol while retaining its strengths. To that end, we have developed first a GOOSE simulation pipeline including data generation, anomaly detection, alert handling, causal reasoning and data visualization components. The simulator is designed to be modular, allowing operators to swap components to better fit their network capabilities. The volume of alert traffic on a substation network threatens operators with alert fatigue. In order to combat this, we secondly present a novel form of alert aggregation and processing, offering operators a condensed view of any threats to the system. Thirdly, to facilitate the handling of these threats, our causal reasoning system traces the alerts back to their most likely cause, generating an initial hypothesis for operators to investigate.
Research Organization:
National Renewable Energy Laboratory (NREL), Golden, CO (United States)
Sponsoring Organization:
U.S. Department of Energy (DOE)
DOE Contract Number:
AC36-08GO28308
OSTI ID:
2293497
Report Number(s):
NREL/CP-5T00-88766; MainId:89545; UUID:1a06be3a-c786-42fc-96ce-e7d8bd0d0094; MainAdminId:71774
Country of Publication:
United States
Language:
English

References (8)

ED4GAP: Efficient Detection for GOOSE-Based Poisoning Attacks on IEC 61850 Substations conference November 2020
Exploiting the GOOSE protocol: A practical attack on cyber-infrastructure conference December 2012
CAPTAR: Causal-Polytree-based Anomaly Reasoning for SCADA Networks conference October 2019
ACRE: Abstract Causal REasoning Beyond Covariation conference June 2021
Denial-of-Service Attack on IEC 61850-Based Substation Automation System: A Crucial Cyber Threat towards Smart Substation Pathways journal September 2021
Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations journal October 2020
An Intrusion Detection System for IEC61850 Automated Substations journal October 2010
EDMAND: Edge-Based Multi-Level Anomaly Detection for SCADA Networks conference October 2018

Similar Records

ChatGPT and Other Large Language Models for Cybersecurity of Smart Grid Applications
Conference · Fri Oct 04 00:00:00 EDT 2024 · OSTI ID:2477400
Data-Centric Communication Framework for Multicast IEC 61850 Routable GOOSE Messages over the WAN in Modern Power Systems
Journal Article · Fri Jan 24 23:00:00 EST 2020 · Applied Sciences · OSTI ID:1801316

Related Subjects

GOOSE
MATHEMATICS AND COMPUTING
alert aggregation
causal reasoning
network simulation