Flock: a framework for alert aggregation and reasoning in GOOSE messages
Battista, Jude; Nahrstedt, Klara; Valdes, Alfonso; McFly, Sjane
Permalink
https://hdl.handle.net/2142/115076
Description
- Title
- Flock: a framework for alert aggregation and reasoning in GOOSE messages
- Author(s)
- Battista, Jude
- Nahrstedt, Klara
- Valdes, Alfonso
- McFly, Sjane
- Issue Date
- 2022-10-18
- Keyword(s)
- GOOSE Protocol, Alert Aggregation, Causal Reasoning, Network Simulation
- Abstract
- IEC 61850 specifies the Generic Object Oriented Substation Event (GOOSE) protocol as one option for low-latency communication of substation-related events. Due to its strict timing requirements, GOOSE lacks any form of encryption or authentication and has only minimal integrity guarantees. These absences render the protocol vulnerable to a variety of communication anomalies, including adversarial action. In particular, an adversary with access to the substation network can launch a variety of man-in-the-middle (MITM) attacks. While protocol alterations have been proposed to add security to GOOSE traffic, the complexity of rolling out changes on an international level has prevented wide-scale adoption of any such updates. Rather than attempting to change GOOSE, we propose the creation of tools to allow operators to mitigate some of the risks of the protocol while retaining its strengths. To that end, we have developed a GOOSE simulation pipeline including data generation, anomaly detection, alert handling, causal reasoning and data visualization components. The simulator is designed to be modular, allowing operators to swap components to better fit their network capabilities. A number of lines of research have already been opened into anomaly detection, allowing us to focus our efforts on alert handling. The sheer volume of alert traffic on an active substation network presents operators with the pervasive threat of alert fatigue. In order to combat this, we propose a novel form of alert aggregation and processing, offering operators a condensed view of any threats to the system. To facilitate the handling of these threats, our causal reasoning system traces the alerts back to their most likely cause, generating an initial hypothesis for operators to investigate.
- Publisher
- University of Illinois Urbana-Champaign
- Type of Resource
- text
- Language
- en
- Handle URL
- https://hdl.handle.net/2142/115076
- Sponsor(s)/Grant Number(s)
- Department of Energy under grant DE-OE0000780