Security in the GOOSE protocol

Posted date 06/08/2020
Author
INCIBE (INCIBE)
GOOSE

The implementation of the IEC 61850 standard in electrical substations was aimed at transforming from the analogue model to the digital model, and thus being able to monitor a greater number of parameters faster. It is at this point that the implementation of cybersecurity measures was necessary to ensure the stability and reliability of the electricity grid.

The IEC 61850 standard sets out a series of rules for the consistent organisation of information, so that it can be interpreted by any type of Intelligent Electronic Device (IED) typical of substations. The GOOSE (Generic Object Oriented Substation Events) protocol is part of the protocols that make up this standard for the transmission of information on the state of the switches, alarms or the temperature of the transformers.

GOOSE protocol

The purpose of the messages in the GOOSE protocol is to provide, in a fast and viable way, a data exchange between two or more IEDs within an Ethernet network.

GOOSE messages are sent periodically to the network or spontaneously when an event occurs. The period between two messages, when there is no event, is called T0. When an event is detected, a message is sent immediately. At this point, a message chain is generated with a time separation not established in the protocol, but which is usually exponential until stable retransmission is reached.

Event transmission time

- Event transmission time. Source: SlideShare -

The frame format of the GOOSE protocol has twelve fields. One of them is the APDU (Application Protocol Data Unit), which describes the 12 parameters that organize the formation and sending of messages:

  • gocbRef: unique reference to the associated control block that controls the GOOSE message.
  • timeAllowedToLive: time you have to wait for the receiver for the next message.
  • datSet: string describing the name of the data set.
  • goID: is the identifier of the IED that sends the message.
  • t: time stamp indicating a new GOOSE event.
  • stNum: number of times a GOOSE message has been sent when there has been a change in the values of the data set.
  • sqNum: saves the time increment every time a GOOSE message has been sent repeatedly.
  • test: indicates whether the message is a test message or not.
  • confRev: counts how many times the configuration of the data set has changed.
  • ndsCom: boolean value that indicates whether the control block needs to be reconfigured.
  • numDatSetEntries: contains the number of elements that make up the data set.
  • allData: data exchanged in the message (bool, integer, float…). Multiple values can be included in the same message.

GOOSE protocol frame format

- GOOSE protocol frame format. Source: MDPI -

Example of a GOOSE frame in Wireshark

- Example of a GOOSE frame in Wireshark. Source: MDPI -

Weaknesses of the GOOSE protocol

Latency is the main barrier that arises when implementing security measures, especially in electrical system infrastructures, where immediacy is a key element to be able to operate properly. The definition of the GOOSE protocol establishes a maximum delay of 4 ms for certain messages, so the security measures to be applied, such as those described in IEC 62351, must comply with this requirement. As a direct consequence of these requirements, encryption measures or any other measure that increase the lag or latency are excluded.

In order to achieve an encryption of the data in a time of less than 4 ms, a high-powered CPU installed in the IEDs would be required. This may be a problem, since, when introducing a new CPU, a redesign of hardware is necessary and, in most cases, this involves the need to certify the new design.

However, work is already being done to improve encryption times. Thus, in November 2011, Siemens published a patent that implemented a group key method for the GOOSE model that allows security with low latency.

Cybersecurity in IEC 61850

As already mentioned in article Standard IEC 61850, all for one and one for all, the standard does not give recommendations related to cybersecurity in GOOSE layer 2 messages. Later, some security deficiencies were revealed in this protocol, but they were considered of little importance due to the physical isolation of the network. This situation is very different today, due to connections with devices outside the substation or with control centers, exposing the network to different attack vectors.

In 2007 a standard was developed, called IEC 62351, which provided a series of security measures for the GOOSE messages in IEC 61850, among others. The measures provided by this update regarding the GOOSE protocol were as follows:

  • Authentication of data transferred through digital signatures.
  • Prevention of information espionage.
  • Phishing.
  • Intruder detection in messages.

How to protect GOOSE

Since some security researchers demonstrated that the GOOSE protocol could be compromised through different cyberattacks, the need to apply defence mechanisms that ensured the integrity of this protocol was evident. The attacks that were identified were based on:

  • Traffic modification: capturing packages and modifying some parameters could lead to alerts on substation switches.
  • Denial of Service (DoS): sending more packages than the number of packages allowed in the time interval, ensuring that the attacked IED did not respond to requests.
  • Repeat: capture of packages between two IEDs to be sent later without modification, achieving a possible opening of the switch without authorisation.

One of the solutions to protect the integrity of the GOOSE protocol is the so-called TSA (Trust System Architecture). This architecture consists of a switch, a firewall and an intruder detector, and locates possible security attacks in the protocol. The main advantage of this mechanism is that a comprehensive and complete security solution (detection, alert, control and blocking) is achieved.

TSA (Trust System Architecture) for GOOSE

- TSA (Trust System Architecture) for GOOSE. Source: ResearchGate -

  • The firewall is configured to recognise the traffic authorisation signature.
  • The parameters of each package are checked by three methods:
    • stNum (state number) and sqNum (sequence number): the stNum parameter is read first and compared with the previous stNum value through a series of rules. Then, it is checked that the sqNum field is not initialised to zero when it should not be and is consistent with the stNum value.
    • Time: a time count check is made so that it matches the GOOSE message policy. The rule is that the difference between the generated time and the reception time cannot be greater than 4 ms.
    • Data integrity: in this module, the trust system verifies whether the indicator containing the binary control value is changed from false to true or vice versa. According to IEC 61580 standard, when the binary control value is changed, the GOOSE message number must also be changed to the next number in the sequence and the sqNum needs to be reset to zero.

Other solutions, apart from the TSA, involve physical security and the application of techniques to prevent attacks in layer 2. The latter is achieved by implementing VLAN and disabling unused ports. Other defensive techniques could be to add switches and routers specific to the IEC 61850 standard with deep inspection of the GOOSE messages, although this solution has the disadvantage of increasing the message sending time.

Conclusion

Given that some electrical substations are critical infrastructure, their safety is an indispensable requirement. As shown in this article, the GOOSE protocol, as defined in the IEC 61850 standard, does not have specific security measures, so it is necessary to implement the controls and measures set out in other standards, such as those set out in IEC 62351, or the use of common security devices in the network.