Skip to Main content Skip to Navigation
Conference papers

Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications

Maëlle Kabir-Querrec 1, 2 Stéphane Mocanu 1 Pascal Bellemain 3 Jean-Marc Thiriet 2 Eric Savary 4
2 GIPSA-SAIGA - GIPSA - Signal et Automatique pour la surveillance, le diagnostic et la biomécanique
GIPSA-DA - Département Automatique, GIPSA-DIS - Département Images et Signal
3 GIPSA-Services - GIPSA-Services
GIPSA-lab - Grenoble Images Parole Signal Automatique
Abstract : GOOSE protocol is used for critical protection operations in the power grid, as standardized by IEC61850. It thus has strong real-time constraints that make very hard to implement any security means for integrity and confidentiality such as encryption or signature. Our answer to this lack of dedicated cybersecurity measures is to check legitimacy of every GOOSE messages flowing over the managed network. When detectors issue an alert, the SCADA informs field devices to discard GOOSE communication and run an alternative protection strategy. This article focuses on the GOOSE attack detectors we developed: one dedicated to Ethernet storm and the other one to fraudulent GOOSE frames. The paper first introduces main GOOSE protocol mechanisms and gives a brief state of the art regarding GOOSE attack management before presenting our architecture and the detectors.
Document type :
Conference papers
Complete list of metadatas

Cited literature [6 references]  Display  Hide  Download
Contributor : Maëlle Kabir-Querrec <>
Submitted on : Thursday, December 3, 2015 - 4:31:52 PM
Last modification on : Thursday, November 19, 2020 - 1:01:17 PM
Long-term archiving on: : Friday, March 4, 2016 - 2:30:39 PM


Files produced by the author(s)


  • HAL Id : hal-01237725, version 1


Maëlle Kabir-Querrec, Stéphane Mocanu, Pascal Bellemain, Jean-Marc Thiriet, Eric Savary. Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications. GreHack 2015, Verimag, Nov 2015, Grenoble, France. ⟨hal-01237725⟩



Record views


Files downloads