GOOSE Secure

Citation Author(s):
Oscar Andres
Tobar Rosero
Universidad Nacional de Colombia sede Medellín
Submitted by:
Oscar Tobar Rosero
Last updated:
Thu, 09/05/2024 - 16:57
DOI:
10.21227/jjv5-qg20

Abstract 

Currently, cybersecurity in digital substations is a topic of wide interest for companies and the academic community, and its study requires the analysis of datasets (i.e., traffic collected during the operation of a substation). However, generating datasets from operational electrical systems presents certain limitations: 1) generating these datasets generally implies operation under controlled or ideal conditions, disregarding the dynamics of real-world operations within a digital electrical substation; and 2) captured data often contains sensitive information, posing challenges for publication within the research community.

This dataset was developed for cybersecurity research, focusing on the analysis of GOOSE spoofing attacks, given the critical role of the GOOSE protocol in executing operational and control actions within digital substations. The dataset exposes the effectiveness of the attack by executing unwanted maneuvers or actions under various operational conditions, including both stable electrical system scenarios and situations where failures are present in the electrical system. The dataset was acquired from a laboratory testbed developed within a physical infrastructure that emulates the actual operation of a digital substation with two bays. It includes control and protection devices such as IEDs and GPS time servers, all interconnected by an Ethernet switch.

Instructions: 

Test Scenarios

Four test scenarios are considered for data collection, as described below:

· Scenario 1. DS traffic with stable electrical system operation

In this scenario, the devices are configured for joint and synchronous operation using typical protocols from a DS. They transmit operational messages in a stable state, i.e., reflecting a normal operation of the electrical system associated with the DS. Here, we use the traffic captures to analyze and characterize the data transmitted.


· Scenario 2. DS traffic with electrical system failure events

Secondly, we considered the electrical system's operation in the presence of some failure events. For this purpose, we configured general triggers in the protection equipment derived from a specific protection function associated with the electrical variables. In this case, the traffic varies according to the failure events, and the captured data from this scenario shows significant variations compared to the traffic volume observed in the stable state. 


· Scenario 3. DS traffic with message spoofing in stable electrical system operation

In this scenario, while the DS transmits information related to the electrical system's stable operation, a spoofing attack is executed by injecting additional traffic from an impersonating device. This attack aims to emulate the occurrence of a "fake" failure event within the electrical system. Consequently, the system responds incorrectly due to a misinterpretation resulting from the spoofed messages. This condition might potentially lead to the collapse of the electrical system, even during stable operation.


· Scenario 4. DS traffic with message spoofing in the presence of electrical system failure events

In this scenario, operational variables within the network are modified to supplant the functionalities of the devices during a "real" electrical system failure event, causing additional failures in the operation of the DS. When an event occurs in the electrical network, a burst of information is triggered in the DS, making the system more vulnerable to cyber attacks.


Collection temporality

During the testing process and the construction of the dataset, we intend to collect the information transmitted within a DS, including system activation and recovery events in case of failure actions during a set period. For this, in each test scenario, we capture 180 seconds (3 minutes) of data flow, taking as a reference point the messages transmitted from IED 1 as a case study but including the log of the messages exchanged between the different devices involved in the test process.


Dataset Structure

This dataset stands out for using physical infrastructure that emulates the behavior of a real substation with different operating states.

The captures of the different test scenarios are stored in pcapng format and subsequently exported to CSV format. This choice provides structured and standard data, which facilitates identifying and analyzing communication protocols and cybersecurity in this test environment. Below, we highlight and briefly describe the attributes (columns) of the captured and stored traffic in CSV format:

No. - This column, assigned by the traffic analysis tool (Wireshark), identifies the number or arrival order of the messages captured in the dataset. It can help identify data sequence, packet loss, and atypical behavior. However, it is not an original value associated with the communication protocol (GOOSE) and is only used as a reference in the analysis.

Time - The time column identifies the time elapsed from the beginning of the capture until the arrival of each message. It can be used to evaluate the stream's behavior, periodicity, and possible anomalies. However, it is a value that depends on the capture system; therefore, it is only used as a reference in the analysis.

Source - This column is associated with the MAC address of each device that generates traffic.

Destination - The attribute in this column is associated with the MAC address set as the destination of each message published at layer 2. This is a fundamental factor for the publisher/subscriber communication schemes in DSs, particularly in protocols like GOOSE messaging.

Protocol - This attribute allows us to identify which communication protocol is under analysis at a particular time and facilitates the classification and separation of protocols.

Boolean - This attribute is a fixed variable to identify state changes and periodic behavior with GOOSE messaging. The boolean variable indicates operating states or maneuver commands transmitted using GOOSE messaging in DSs.

Length - This attribute identifies the size in bytes corresponding to each message transmitted in the DS.


Info. - The information attribute is a descriptive field that establishes specific characteristics associated with particular communication protocols. In some cases, it reports the function that devices or messages perform, the type of message, and, in some cases, the identification of malformed packets or errors in data transmission.
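The following is an added example (not part of the dataset or its authors' tooling) of how the CSV columns described above can be used to detect the impersonating device of Scenarios 3 and 4: it learns, from a stable capture, which Source MAC publishes to each GOOSE Destination, then flags frames in a later capture whose Source is not a known publisher of that Destination. The column header strings, MAC addresses and all rows are constructed sample data, not rows from the GOOSE Secure dataset.

```python
import csv
import io
from collections import defaultdict

# Column names follow the attribute list on this page; the header text, MAC
# addresses and every row below are constructed sample data (assumed format),
# not rows taken from the GOOSE Secure dataset.
BASELINE_CSV = """No.,Time,Source,Destination,Protocol,Boolean,Length,Info
1,0.000000,00:11:22:33:44:01,01:0c:cd:01:00:01,GOOSE,False,160,IED1 GOOSE
2,1.000000,00:11:22:33:44:01,01:0c:cd:01:00:01,GOOSE,False,160,IED1 GOOSE
3,1.250000,00:11:22:33:44:02,01:0c:cd:01:00:02,GOOSE,False,158,IED2 GOOSE
4,2.000000,00:11:22:33:44:01,01:0c:cd:01:00:01,GOOSE,False,160,IED1 GOOSE
"""

# Constructed capture with one injected frame: an unknown MAC publishes to
# IED1's destination and asserts a Boolean state change (a "fake" trip).
SPOOFED_CSV = """No.,Time,Source,Destination,Protocol,Boolean,Length,Info
1,0.000000,00:11:22:33:44:01,01:0c:cd:01:00:01,GOOSE,False,160,IED1 GOOSE
2,0.400000,aa:bb:cc:dd:ee:ff,01:0c:cd:01:00:01,GOOSE,True,160,IED1 GOOSE
3,1.000000,00:11:22:33:44:01,01:0c:cd:01:00:01,GOOSE,False,160,IED1 GOOSE
4,1.250000,00:11:22:33:44:02,01:0c:cd:01:00:02,GOOSE,False,158,IED2 GOOSE
"""


def goose_rows(csv_text):
    """Yield only the GOOSE rows of an exported capture, keyed by column name."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Protocol"] == "GOOSE":
            yield row


def learn_publishers(csv_text):
    """Baseline from a stable capture (Scenario 1): Source MACs seen per Destination."""
    publishers = defaultdict(set)
    for row in goose_rows(csv_text):
        publishers[row["Destination"]].add(row["Source"])
    return publishers


def find_spoofed(csv_text, publishers):
    """Return (No., Source, Destination, asserts_change) for every GOOSE frame whose
    Source is not a known publisher of its Destination in the learned baseline."""
    alerts = []
    for row in goose_rows(csv_text):
        if row["Source"] not in publishers.get(row["Destination"], set()):
            alerts.append((int(row["No."]), row["Source"],
                           row["Destination"], row["Boolean"] == "True"))
    return alerts
```

A MAC-based baseline only catches an impersonator that keeps its own address; an attacker cloning the legitimate MAC would require the Time column (periodicity) and GOOSE sequence fields to be checked as well.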