Unmasking Ethernet ghosting: A stealthy threat to OT power utilities

Graphic depicting electrical transmission equipment with stylised lock to represent security (omicron)


By Eric Heindl Cybersecurity Analyst—Power Utility Communication, Omicron

In an era marked by an increasing reliance on digital systems within the energy sector, the safeguarding of critical infrastructure emerges as a paramount concern.

Among the linchpins of this critical infrastructure are electrical substations, entrusted with the vital role of ensuring the dependable and secure delivery of electricity to homes and industries. These modern substations, powered by digital technologies, lean on the IEC 61850 communication networks for orchestrating seamless interoperability and integrating a diverse array of devices and functions. While this digital transformation undeniably bolsters operational efficiency and effectiveness, it simultaneously unlocks the door to a new breed of cyber threats, each capable of jeopardising the very operation and safety of these indispensable facilities.

In response to this evolving threat landscape, the imperative for a novel cybersecurity approach tailored to the intricacies of IEC 61850 communication networks becomes abundantly clear. This innovative strategy is epitomised by functional security monitoring, a vigilant practice revolving around the continuous scrutiny of the operational health of critical systems and devices nestled within substations. Through this continuous monitoring, any aberrations or anomalies are promptly identified, empowering swift action to curtail the ascent of potential cyber threats.

Within the context of this article, we embark on a deep dive into the enigmatic realm of Ethernet ghosting attacks, an emerging cyber threat that has set its sights on OT power utilities. Our journey unravels the clandestine machinations of these attacks, elucidates the substantial challenges they pose, and, most crucially, unveils the strategies to detect and defend against them.

What is Ethernet ghosting?

Ethernet ghosting represents an elusive cyber threat that poses a grave danger to OT power utilities. In traditional methods of network infiltration, attackers typically leave traces identifiable through their MAC (Media Access Control) and IP addresses. When a network is equipped with a properly configured detection system, it triggers alerts upon detecting these intruders. However, to circumvent detection, attackers resort to Ethernet ghosting.
Ethernet ghosting is a method employed by cyber attackers to connect their device to a network undetected. They achieve this by sending messages using the MAC address and physical Ethernet connection of a legitimate device already on the network. Effectively, the attacker’s device cloaks its communication by merging it with legitimate traffic over a shared physical connection. From the perspective of the switch and the network, there appears to be only one device transmitting packets on behalf of a single MAC address.

Graphic representing ethernet ghosting

The mechanics of an Ethernet ghosting attack

So, how do Ethernet ghosting attacks actually work? Let’s break down the process:

  1. Skunk switch setup: Attackers utilise specialised devices like the Skunk switch (e.g., by Ringtail Security) to connect to the network. These devices are first configured and set up via a USB command interface. Once prepared, they are connected to a computer via USB input and accessed through a serial port using tools like Putty or MobaXtrem.
  2. VLAN configuration: The attacker configures their PC for a specific VLAN. This step is essential to receive traffic from the victim device without raising suspicion.
  3. Integration into the network: Once configured, the Skunk switch is discreetly integrated into the network.
  4. Traffic capture: Using packet capture tools like Wireshark, the attacker intercepts traffic originating from the Intelligent Electronic Device (IED). This reveals vital information, including the victim’s IP address and MAC address.
  5. Mirroring information: The attacker then mirrors this address information to their own device. To minimise suspicion, unused services are often disabled.
  6. Infiltration: With the victim’s credentials in hand, the attacker enters the network incognito and begins sending messages undetected.

After enacting all these steps, messages can be sent to the network undetected. Among these could be:

  • A port scan attack: This provides the attacker with information, such as the manufacturer (based on MAC address) and any open ports.
  • An IEC 61850 discovery on another IED device ( in the substation: IEC 61850 self-description services are used to retrieve the structure of the IED data model.

Identifying Ethernet ghosting attacks

Detecting Ethernet ghosting attacks is a complex challenge, but it can be achieved through the fusion of talents from both information technology (IT) and OT engineering realms. These two distinct worlds bring unique perspectives and objectives to the cybersecurity arena. Effectively bridging the gap between them and nurturing a culture of collaboration emerges as the linchpin in fortifying the security posture of electrical substation networks.
This collaborative synergy finds its conduit in the deployment of an IDS, such as OMICRON’s StationGuard. StationGuard is imbued with intrinsic OT knowledge capable of monitoring substation network traffic in real-time, detecting enigmatic or novel attacks, and discerning the intricate web of functional and logical relationships that define the substation’s digital ecosystem. StationGuard operates on an allowlist principle, permitting only authorised traffic. Any deviation from this norm is flagged as a potential threat and displayed on the dashboard for further analysis.

In the concrete example, here is how StationGuard can help identify Ethernet ghosting attacks:

  • Port Scan Attack Detection: StationGuard can detect port scan attacks, offering insights into the attacker’s actions, including details about the manufacturer based on MAC addresses and identification of open ports.
  • IEC 61850 Discovery: An attacker may employ IEC 61850 self-description services to retrieve an IED’s data model. StationGuard identifies and flags this intrusion as a potential threat, preventing further escalation.


Ethernet ghosting is but one enigmatic threat to OT power utilities that challenges the very essence of critical infrastructure security. To counteract these emerging threats, the cybersecurity paradigm must evolve to cater to the unique complexities of IEC 61850 communication networks. One such approach, known as functional security monitoring, emphasises continuous scrutiny of the operational well-being of critical substation systems and devices. This proactive approach, when combined with the acumen of Operational Technology (OT) professionals and the capabilities of Intrusion Detection Systems (IDS) equipped with OT knowledge, solidifies an effective defense against cyber threats in substations.

Nevertheless, the effectiveness of this approach pivots on the convergence of IT and OT expertise, two distinct realms with distinct perspectives and objectives concerning cybersecurity. Bridging these gaps and fostering collaboration becomes pivotal in shoring up the security of electrical substation networks. This collaborative synergy finds its conduit in the deployment of IDS systems imbued with intrinsic OT knowledge, capable of real-time monitoring of substation network traffic, detection of enigmatic or novel attacks, and discernment of the intricate web of functional and logical relationships defining the substation’s digital ecosystem.

In essence, Ethernet ghosting emerges as an intricate challenge in the realm of critical infrastructure cybersecurity. It allows attackers to infiltrate undetected, disguising their presence amidst legitimate network traffic. However, through vigilance, collaboration, and the utilisation of specialised tools like StationGuard, we can thwart these elusive threats.

By operating on an allowlist principle, these tools identify deviations from established network norms and provide actionable insights, thereby ensuring the security of our critical infrastructure in the digital age.


Previous articleVINCI Energies acquires TechTest Services Pty Ltd
Next article5 Minutes With: Scientia Professor Martin Green