Wireshark Deep Dive: Unmasking Cyber Attacks in IEC 61850 Substation Traffic + Video


Introduction:

In the realm of Operational Technology (OT) and critical infrastructure, network traffic is more than just data—it is a direct reflection of physical processes. For an Industrial Control Systems (ICS) security professional, Wireshark transcends its role as a simple packet analyzer to become a high-fidelity forensic sensor. Analyzing traffic within an IEC 61850-based digital substation allows defenders to detect sophisticated attacks that bypass traditional IT security tools by focusing on the unique behavioral logic of industrial protocols like GOOSE, SV, and MMS.

Learning Objectives:

  • Understand the forensic significance of GOOSE message sequencing (stNum/sqNum) to detect replay and injection attacks.
  • Learn to identify anomalies in Sampled Value (SV) streams that could indicate measurement spoofing.
  • Master filtering techniques for MMS (TCP/102) to detect unauthorized command execution on Intelligent Electronic Devices (IEDs).
  • Analyze Precision Time Protocol (PTP) traffic to identify time synchronization attacks that can blind protection systems.

You Should Know:

  1. The Forensic Analyst’s Toolkit: Setting Up Your Environment
    Before diving into protocol analysis, establishing a proper capture environment is critical. In substations, you cannot afford to be invasive.

– Passive Monitoring: Ensure you are connected to a SPAN port or a network TAP. Your analysis machine must never introduce traffic into the production network.
– Capture Filters: To avoid overwhelming your system with the high packet rates of Sampled Values (up to 4,800 packets per second), use capture filters to isolate the protocols of interest: GOOSE (EtherType 0x88b8), SV (EtherType 0x88ba), MMS (TCP/102) and PTP (UDP/319 and UDP/320).
– Command: `tcpdump -i eth0 -s 0 -w substation_capture.pcap ether proto 0x88b8 or ether proto 0x88ba or tcp port 102 or udp port 319 or udp port 320`
  Note that `ether proto` tests the EtherType immediately after the MAC addresses, so 802.1Q-tagged GOOSE/SV frames (the usual deployment) are only matched when the filter is prefixed with the `vlan` qualifier.
– Display Filters in Wireshark: Once the capture is saved, use display filters for deep analysis. We will focus on these in the following sections.

  2. Analyzing GOOSE (Generic Object Oriented Substation Events) for Replay Attacks
    GOOSE messages are used for high-speed protection functions like tripping circuit breakers. They rely on a strict retransmission scheme.

– The Mechanism: When an event occurs, the `stNum` (State Number) increments by one. The `sqNum` (Sequence Number) resets to 0 and then counts up with every retransmission, wrapping at its maximum, until the next state change.
– The Anomaly: A replay attack involves capturing a legitimate “trip” packet and retransmitting it. If you see a packet with an old `stNum` but a current `sqNum`, or a sudden jump in `sqNum` without a corresponding `stNum` increment, you are likely seeing an attack.
– Step‑by‑step analysis:
1. Apply the Wireshark display filter: `goose or eth.type == 0x88b8` (the GOOSE dissector is registered as `goose`, which is also the prefix of the field names below).
2. In the packet details pane, expand the “GOOSE” section.
3. Monitor the `goose.stNum` and `goose.sqNum` fields.
4. Add these as columns in Wireshark for live tracking.
5. Use a command-line tool like `tshark` to isolate anomalies:
– Command: `tshark -r capture.pcap -Y "goose" -T fields -e goose.stNum -e goose.sqNum | uniq`
  `uniq` collapses consecutive identical lines, so only the points where the counters change remain, which makes regressions and jumps stand out.
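The sequencing rules above can be checked mechanically over the `tshark` field output. The following script is an added example (not from the original post): it assumes the `tshark` command was extended with `-e goose.gocbRef` so that counters are tracked per control block, parses the tab-separated rows, and flags a regressed `stNum` (replayed frame) and a `sqNum` jump without a state change. The sample rows are constructed.

```python
# Constructed sample shaped like the output of
#   tshark -r capture.pcap -Y goose -T fields -e goose.gocbRef -e goose.stNum -e goose.sqNum
# Row 5 replays an old state (stNum 3 after 4); row 6 jumps sqNum 1 -> 9 with no new stNum.
SAMPLE_FIELDS = """\
IED1CTRL/LLN0$GO$gcb01\t3\t0
IED1CTRL/LLN0$GO$gcb01\t3\t1
IED1CTRL/LLN0$GO$gcb01\t3\t2
IED1CTRL/LLN0$GO$gcb01\t4\t0
IED1CTRL/LLN0$GO$gcb01\t4\t1
IED1CTRL/LLN0$GO$gcb01\t3\t2
IED1CTRL/LLN0$GO$gcb01\t4\t9
"""


def parse_goose_fields(text):
    """Parse tab-separated (gocbRef, stNum, sqNum) rows; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        gocb, st, sq = line.split("\t")
        rows.append((gocb, int(st), int(sq)))
    return rows


def detect_goose_anomalies(rows):
    """Return (row_index, gocbRef, reason) for every sequencing violation.

    The last accepted (stNum, sqNum) is kept per control block. A regressed
    stNum is reported but NOT accepted as new state, so the legitimate stream
    is still judged against the last good counters. Counter wrap-around
    (sqNum rolling over at its maximum) is not modelled in this example.
    """
    last = {}
    findings = []
    for i, (gocb, st, sq) in enumerate(rows):
        if gocb not in last:            # first frame seen for this control block
            last[gocb] = (st, sq)
            continue
        pst, psq = last[gocb]
        if st < pst:                    # old state re-appearing: replayed frame
            findings.append((i, gocb, f"stNum regressed {pst}->{st}: replayed frame"))
            continue
        if st == pst and sq != psq + 1:  # same state, counter did not advance by one
            findings.append((i, gocb, f"sqNum jumped {psq}->{sq} without stNum change"))
        elif st > pst:
            if st != pst + 1:           # missed state changes (or capture gap)
                findings.append((i, gocb, f"stNum skipped {pst}->{st}"))
            if sq != 0:                 # new state must restart the sequence at 0
                findings.append((i, gocb, f"sqNum {sq} not reset to 0 on new stNum {st}"))
        last[gocb] = (st, sq)
    return findings


if __name__ == "__main__":
    for idx, gocb, reason in detect_goose_anomalies(parse_goose_fields(SAMPLE_FIELDS)):
        print(f"row {idx} {gocb}: {reason}")
```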

  3. Detecting SV (Sampled Value) Spoofing and Injection
    Sampled Values digitize analog measurements from current and voltage transformers. An attacker injecting false values can cause protection relays to miscalculate impedance, leading to miscoordination.

– The Mechanism: Protection-class streams carry 80 samples per cycle, which at 50 Hz or 60 Hz yields 4,000 or 4,800 packets per second. The traffic is isochronous (strictly timed).
– The Anomaly: Gaps in the stream indicate network issues (or a DoS), while unexpected streams from unknown source MAC addresses (`eth.src`) indicate spoofing.
– Step‑by‑step guide:
1. Filter for SV traffic: `eth.type == 0x88ba`.
2. Analyze the arrival rate using Wireshark’s Statistics > IO Graph. Set the interval to 1 ms. A healthy stream shows a flat, consistent line.
3. Check the `svID` (Sampled Value ID) against your asset inventory. An unknown `svID` from a legitimate MAC is a red flag.
4. Use a Lua script in Wireshark to detect gaps in sequence numbers (where the vendor implements them), though SV typically relies on time, not sequence, for ordering.

  4. Auditing MMS (Manufacturing Message Specification) for Rogue Commands
    MMS runs over TCP port 102 and is used for vertical communication (SCADA to IEDs) and horizontal configuration. It is a primary vector for attackers issuing direct control commands.

– The Mechanism: MMS uses a client-server architecture. Operations like `write` or `execute` can control physical outputs.
– The Anomaly: An MMS write command originating from an IP address outside the SCADA server whitelist.
– Step‑by‑step guide:
1. Filter for MMS traffic: `tcp.port == 102`.
2. Reassemble the TCP stream: Right-click a packet > Follow > TCP Stream.
3. Look for the confirmed-RequestPDU. Specifically, filter for `mms.confirmedServiceRequest.write` to isolate write attempts.
4. Identify the source IP. Use a command-line tool to extract all unique source IPs initiating MMS connections (SYN without ACK, so that the server’s SYN-ACK replies are not counted as initiators):
– Command: `tshark -r capture.pcap -Y "tcp.port==102 and tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src | sort -u`
5. If you see an IP like 192.168.1.200 sending a write command to a relay, and your SCADA server is 10.10.1.100, you have a positive indicator of compromise.

  5. Securing the Time Domain: PTP (IEEE 1588) Analysis
    Protection functions depend on precise time synchronization. Manipulating time can blind differential protection schemes.

– The Mechanism: The Best Master Clock Algorithm (BMCA) ensures all devices sync to the Grandmaster (GM). Grandmasters announce their quality.
– The Anomaly: A rogue Grandmaster announcing a superior clock quality to hijack the timing domain, or excessive path delay indicating a man-in-the-middle (MitM) tap.
– Step‑by‑step guide:
1. Filter for PTP events: `ptp`.
2. Examine `ptp.announce` messages. Look for the `grandmasterIdentity` field.
3. Check the `grandmasterPriority1` and `grandmasterPriority2` fields. A lower number means higher priority. An attacker might set Priority1 to 0 to become the master.
4. Monitor `ptp.delay_resp` messages for anomalies in the `delay` field. Sudden spikes or consistent asymmetry suggest a MitM device buffering and forwarding packets.

  6. Hardening the Analysis Station (Linux/Windows)
    Your analysis station itself is a target. Ensure it is hardened to prevent it from becoming a pivot point into the substation network.

– Linux Hardening:
– Disable unused services: `sudo systemctl disable --now cups bluetooth`
– Set firewall rules to only allow outgoing NTP and DNS, and incoming SSH from a management network.
– Command: `sudo ufw default deny incoming; sudo ufw default allow outgoing; sudo ufw allow from 192.168.1.0/24 to any port 22`
– Windows Hardening:
– Disable Network Discovery and File and Printer Sharing for the public/OT profile.
– Use `Set-NetFirewallProfile` in PowerShell to lock down the interface connected to the SPAN port.

What Undercode Say:

  • Key Takeaway 1: Passive is Paramount. In OT environments, the ability to detect attacks without disrupting operations is the ultimate superpower. Wireshark, when used passively, provides this visibility.
  • Key Takeaway 2: Behavior over Signatures. Traditional intrusion detection relies on known malware signatures. In an IEC 61850 substation, the “signature” of an attack is a violation of expected protocol behavior—like a `sqNum` reset or a rogue `svID`. Mastering the protocol specification is mastering defense.

Analysis:

The shift towards digital substations has collapsed the air gap between the physical and the digital. While this enables smarter grid management, it exposes protection mechanisms to cyber threats. The techniques outlined here shift the defender’s focus from “what is the malware doing” to “what is the grid doing.” An attacker injecting false SV values doesn’t need malware; they need to exploit protocol trust. By using Wireshark to baseline normalcy, engineers can turn the network itself into a grid sensor, detecting anomalies that indicate the early stages of a kinetic cyber attack. This forensic mindset transforms packet analysis from a reactive troubleshooting tool into a proactive defense capability.

Prediction:

As substation automation becomes more software-defined, we will see a rise in “protocol-aware” attacks that target the deterministic nature of GOOSE and SV. The future of OT security will move away from perimeter defense and towards “inside-out” visibility. Expect machine learning models trained on `stNum/sqNum` patterns and SV stream consistency to be integrated directly into next-generation firewalls, automating the anomaly detection currently performed manually in Wireshark. The Wireshark skills of today will become the baseline requirements for the Security Orchestration and Response (SOAR) playbooks of tomorrow.

Reported By: Robertoherreralara Wireshark – Hackers Feeds