TSNZeek: An Open-source Intrusion Detection System for IEEE 802.1 Time-sensitive Networking

TL;DR

TSNZeek is an open-source intrusion detection system tailored for IEEE 802.1 TSN networks, enhancing security monitoring with minimal performance impact and effective threat detection.

Contribution

It extends Zeek with TSN-specific parsing and detection capabilities, providing the first open-source security tool for IEEE 802.1 TSN protocols.

Findings

Detects various TSN threats effectively

Imposes only ~5% CPU overhead

Works in real TSN testbed environment

Abstract

IEEE 802.1 Time-sensitive Networking~(TSN) standards are envisioned to replace legacy network protocols in critical domains to ensure reliable and deterministic communication over off-the-shelf Ethernet equipment. However, they lack security countermeasures and can even impose new attack vectors that may lead to hazardous consequences. This paper presents the first open-source security monitoring and intrusion detection mechanism, TSNZeek, for IEEE 802.1 TSN protocols. We extend an existing monitoring tool, Zeek, with a new packet parsing grammar to process TSN data traffic and a rule-based attack detection engine for TSN-specific threats. We also discuss various security-related configuration and design aspects for IEEE 802.1 TSN monitoring. Our experiments show that TSNZeek causes only ~5% CPU overhead on top of Zeek and successfully detects various threats in a real TSN testbed.