Poisoned GOOSE: Exploiting the GOOSE Protocol

Kush, N., Ahmed, E., Branagan, M. and Foo, E.

    This paper presents a vulnerability within the generic object oriented substation event (GOOSE) communication protocol. It describes an exploit of the vulnerability and proposes a number of attack variants. The attack sends GOOSE frames containing higher status numbers to the receiving intelligent electronic device (IED). This prevents legitimate GOOSE frames from being processed and effectively causes a hijacking of the communication channel, which can be used to implement a denial-of-service (DoS) or manipulate the subscriber (unless a status number roll-over occurs). The authors refer to this attack as a poisoning of the subscriber. A number of GOOSE poisoning attacks are evaluated experimentally on a test bed and demonstrated to be successful.
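
A monitoring check for the pattern the abstract describes, as an added example that is not taken from the paper: it flags a status number that leaps ahead on a stream and the lower-numbered frames that keep arriving afterwards from the displaced publisher. The pre-parsed `Frame` records, the `max_step` threshold, the 32-bit roll-over value and the sample capture are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ST_MAX = 2**32 - 1  # assumption: the status number is an unsigned 32-bit counter


@dataclass(frozen=True)
class Frame:
    src: str     # source MAC address of the frame
    stream: str  # identifier of the GOOSE stream the subscriber listens to
    st_num: int  # status number carried in the frame


def audit(frames, max_step=1):
    """Return (index, reason) alerts for one capture, in arrival order."""
    top = {}  # stream -> highest status number seen so far
    alerts = []
    for i, f in enumerate(frames):
        seen = top.get(f.stream)
        if seen is None:
            top[f.stream] = f.st_num      # first frame sets the baseline
        elif seen == ST_MAX and f.st_num <= max_step:
            top[f.stream] = f.st_num      # counter roll-over, accepted
        elif f.st_num > seen:
            if f.st_num - seen > max_step:
                alerts.append((i, "jump"))   # counter leapt ahead
            top[f.stream] = f.st_num
        elif f.st_num < seen:
            # A frame below the high-water mark is one a poisoned
            # subscriber would no longer process.
            alerts.append((i, "stale"))
    return alerts


# Constructed sample capture: publisher aa:..:01 is legitimate,
# ee:..:99 injects a much higher status number at index 3.
SAMPLE = [
    Frame("aa:aa:aa:00:00:01", "IED1/GCB01", 5),
    Frame("aa:aa:aa:00:00:01", "IED1/GCB01", 5),
    Frame("aa:aa:aa:00:00:01", "IED1/GCB01", 6),
    Frame("ee:ee:ee:00:00:99", "IED1/GCB01", 5000),
    Frame("aa:aa:aa:00:00:01", "IED1/GCB01", 6),
    Frame("aa:aa:aa:00:00:01", "IED1/GCB01", 7),
    Frame("ee:ee:ee:00:00:99", "IED1/GCB01", 5000),
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE):
        print(idx, reason, SAMPLE[idx])
```

A "jump" followed by a run of "stale" alerts on the same stream is the signature to alert on; either alone can also come from a publisher restart, so correlate with the source address before acting.
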
Cite as: Kush, N., Ahmed, E., Branagan, M. and Foo, E. (2014). Poisoned GOOSE: Exploiting the GOOSE Protocol. In Proc. Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand. CRPIT, 149. Parampalli, U. and Welch, I. Eds., ACS. 17-22.