GOOSE is a communication protocol defined in the IEC 61850 standard. It is used by Intelligent Electronic Devices (IEDs) in electrical substations to exchange information between devices. A GOOSE parser has been developed to enable detailed analysis of the transmitted data and to allow rule-based identification of anomalies related to cybersecurity attacks. The parser is compatible with an older version of the Zeek Network Security Monitor (v2.6).
We have developed a synthesized dataset focusing on IEC 61850 GOOSE communication, which is essential for automation and protection in the smart grid. The dataset is intended to help the research community study the cybersecurity of substations. We present the physical system of a typical distribution-level substation and several of its critical electrical protection operation scenarios under different disturbances, followed by several cyber-attack scenarios. We have generated a dataset with multiple traces that correspond to these scenarios and demonstrated how the dataset can be used to support substation cybersecurity research.
We conducted an empirical study using 6-month network traces collected in low-interaction smart grid honeypot systems deployed in geographically different regions on the Amazon cloud platform. In particular, we discuss the actual attack patterns observed, as well as insights from the data-driven study on access/attack patterns, correlations among different locations, and dynamics in access sources, some of which are considered effective when configuring security mechanisms such as firewalls and intrusion detection systems.