
Zeek From Home - Detecting False Data Injection Attacks on GOOSE Protocol for Industrial Control Systems - Reservoir Labs
A weekly webinar presentation series where Zeek users, developers and invited guests can present on Zeek-related topics. These presentations are recorded and shared with the community. You can find out more about Zeek From Home at: https://zeek.org/2020/03/31/zeek-from-home/

This Webinar will be about Detecting False Data Injection Attacks on GO

We present a Zeek-based system for real-time detection of false data injection attacks on the generic object-oriented substation events (GOOSE) protocol. The GOOSE protocol is used in IEC 61850 substations for the high-speed exchange of protection-related events. Because of its lack of authentication and encryption, GOOSE is vulnerable to man-in-the-middle attacks. An adversary with access to the substation network can inject carefully crafted messages to impact the grid’s availability.

In this talk, we first discuss the design and implementation of analytics that address a broad class of false data injection attacks. Those analytics include whitelisting, GOOSE semantic analysis, GOOSE poisoning detection, and physical behavior-based detection. The first two analytics address the detection of early indicators of an attack, including malformed and semantically invalid messages as well as violations of access control. Next, the GOOSE poisoning layer covers the detection of GOOSE header manipulation attacks. Finally, physical behavior-based detection uses rules related to the substation's physical architecture and safe operating ranges. That layer handles the attacks that involve a harmful payload, either through injection of packets or by manipulation of in-transit packets.
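As an added illustration of the whitelisting and header-consistency layers named above (not the speakers' Zeek code, and written in Python rather than Zeek script so it runs stand-alone): the field names, the allowlist and the sample frames are constructed, and the counter rule assumed is that a state change raises stNum by one and resets sqNum to 0, while a retransmission keeps stNum and raises sqNum by one.

```python
# Added example; field names, allowlist and sample frames are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class GooseHeader:
    src_mac: str    # Ethernet source address of the publisher
    gocb_ref: str   # GOOSE control block reference
    st_num: int     # state number: +1 when the dataset changes (assumed rule)
    sq_num: int     # sequence number: 0 on state change, +1 per retransmission

GCB = "IED1LD0/LLN0$GO$gcbTrip"   # hypothetical control block name
PUB = "00:11:22:33:44:01"         # hypothetical publisher MAC
ALLOWED_PUBLISHERS = {GCB: PUB}   # allowlist: control block -> permitted MAC

def inspect_goose(frames, allowed=ALLOWED_PUBLISHERS):
    """Return (frame index, reason) alerts for a sequence of GooseHeader."""
    alerts = []
    last = {}  # gocb_ref -> (st_num, sq_num) of the last accepted frame
    for i, f in enumerate(frames):
        expected_mac = allowed.get(f.gocb_ref)
        if expected_mac is None:
            alerts.append((i, "unknown control block"))
            continue
        if f.src_mac.lower() != expected_mac:
            alerts.append((i, "publisher not allowlisted"))
            continue
        prev = last.get(f.gocb_ref)
        if prev is not None:
            retransmit = f.st_num == prev[0] and f.sq_num == prev[1] + 1
            new_state = f.st_num == prev[0] + 1 and f.sq_num == 0
            if not (retransmit or new_state):
                now = (f.st_num, f.sq_num)
                alerts.append((i, f"counter anomaly: {prev} -> {now}"))
                continue  # a suspicious frame must not move the baseline
        last[f.gocb_ref] = (f.st_num, f.sq_num)
    return alerts

SAMPLE = [  # constructed traffic
    GooseHeader(PUB, GCB, 5, 0),
    GooseHeader(PUB, GCB, 5, 1),                  # retransmission
    GooseHeader(PUB, GCB, 6, 0),                  # legitimate state change
    GooseHeader("de:ad:be:ef:00:01", GCB, 6, 1),  # publisher not on the list
    GooseHeader(PUB, GCB, 900, 0),                # stNum discontinuity
    GooseHeader(PUB, GCB, 6, 1),                  # expected retransmission
]

if __name__ == "__main__":
    for alert in inspect_goose(SAMPLE):
        print(alert)
```

Counter rollover and publisher restarts, which legitimately reset the counters, are not handled here and would need their own rules in a deployment.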

If you have any questions, please email akgraner@corelight.com or join the Zeek #webinars Slack channel at: https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1NzhhMTgxNWI1OTk2NjlkMTdjNzY1Nzk5NDk2ZDY1MDBkYWIxOWNjNDE2NDc2MGI5OWM3ZDllYzBmZmNhNDM

Sep 9, 2020 02:00 PM in Eastern Time (US and Canada)

Webinar is over, you cannot register now. If you have any questions, please contact Webinar host: Amber Graner.