Early Detection of GOOSE Denial of Service (DoS) Attacks in IEC 61850 Substations

The availability of communication in IEC 61850 substations can be hindered by Denial of Service (DoS) that result from an advanced Generic Object Oriented Substation Event (GOOSE) poisoning attacks. To the best of our knowledge, most of the available approaches in the literature are unable to detect similar attacks and none of them can offer the detection in an early manner. Thus, we develop the Early Detection of Attacks for GOOSE Network Traffic (EDA4GNeT) method that takes into account the specific features of IEC 61850 substations and offers a good trade-off between detection performance and detection time. To validate the efficiency of the novel anomaly detection method against those specific GOOSE poisoning attacks, a comparison with the closest works to ours is conducted in a similar use case representing a T1-1 substation. Results demonstrate the possibility of an early detection approximately 37 time samples ahead and an average detection rate of EDA4GNeT of more than 99% with a low false positive rate of less than 1 %.