NetSim Cyber: Model and Simulate Cyber Attack on Power Systems
Last updated: May 2026
Modern electric power grids are no longer isolated physical systems. They are cyber-physical
infrastructures where power equipment, communication networks, and control software operate
together. While this convergence improves efficiency and automation, it also introduces
cybersecurity risks.
The threat is real and escalating
Power grids are now prime targets, surpassing other critical infrastructures in attack frequency.
Three incidents illustrate this.
2015 · Ukraine
Ukrainian Power Grid Attack
The first confirmed cyber-induced blackout. Attackers remotely operated substations, cutting
power to over 200,000 consumers.
2022 · Ukraine
Industroyer2
Malware hard-coded for IEC-104 attempted physical destruction of substations during missile
strikes. A clear cyber-kinetic attack.
2023-24 · USA
Volt Typhoon
State-sponsored actors covertly infiltrated U.S. power grid networks for months using
legitimate admin tools, positioning for future disruption.
Why NetSim Cyber
Improving CPPS security requires a realistic testbed that can replicate power-system behavior under
malicious conditions.
The problem
Hardware testbed limitations
High cost and procurement complexity
Limited scalability, hard to replicate multi-substation scenarios
Safety risks when running malicious attack scenarios
A complete CPPS testbed combines a power-system simulator (generators, power
electronics, transmission, distribution) with a network simulator that models the
communication network and its cyber behavior.
NetSim Cyber provides the network and attack-emulation layer
Safe, scalable, reconfigurable in software
Functions as a digital twin of the real power system
System architecture
NetSim Cyber connects protocol source simulators through a common Core that intercepts live
traffic, applies protocol-aware attacks, recalculates checksums, and delivers wire-valid modified
packets to destination analysis tools.
NetSim Cyber Core: end-to-end protocol workflow
System 1 · Source
Protocol simulators
Synchrophasor PMU, GOOSE/SV source, Modbus master or DNP3 master generate original
traffic on a controlled LAN.
System 2 · Core
NetSim Cyber Core
Intercepts traffic, applies protocol-aware attacks and recalculates checksums. Modified
packets remain indistinguishable on the wire.
System 3 · Destination
Analysis tools
PDC/WAMS, IED/relay, SCADA/HMI or utility control receive and validate the modified
traffic.
NetSim Cyber: network simulation and cyber attack layer
Protocol deep dive
Field-level rewrites, not generic packet fuzzing. Each protocol has attack modules that parse
structure, field semantics, and checksum requirements.
Synchrophasor
IEEE C37.118
The standard for synchrophasor data transmission in Wide Area Monitoring Systems (WAMS). Used
for real-time grid monitoring, state estimation, and protection. Supports 2005 (v1), 2011 (v2),
and 2024 profiles including the 64-phasor, 4-frequency-channel model.
NetSim Cyber sits between PMU and PDC, intercepting and modifying synchrophasor traffic.
Attacks
Phasor magnitude increment/decrement
Pulse faults and ramp drift injection
Random jitter on phasor values
Manual phasor/freq/ROCOF override
FDI on frequency and ROCOF
SOC timestamp shift
Replay capture and playback
Technical details
Frame sync 0xAA, CRC-CCITT pre-mutation
Version-aware: 2005 (v1), 2011 (v2), 2024
Polar and rectangular phasors, int/float
64 phasors, 4 freq channels (2024 model)
Physics-driven freq, voltage, load-flow angle
SOC/FRACSEC fields fully modifiable
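The technical details above (0xAA frame sync, CRC-CCITT, SOC/FRACSEC fields) describe the receiving side's first line of defence. The following PDC-side validator is an added example, not NetSim Cyber's own code: it parses the common C37.118 frame header, verifies the trailing CHK word with the CRC-CCITT algorithm the standard specifies, and adds a timestamp plausibility check, because a CRC only catches accidental damage and a frame whose SOC was shifted and whose CHK was then recomputed still verifies. The receiver clock, IDCODE, payload and skew window used below are constructed assumptions; the payload is left undecoded.

```python
"""PDC-side validator for IEEE C37.118 frames.

Added example, not NetSim Cyber code. It parses the 16-byte common frame
header, checks the CRC-CCITT value in the trailing CHK word (poly 0x1021,
seed 0xFFFF, no reflection, as in the standard's sample code), and applies
a timestamp plausibility check so that a frame whose SOC was shifted and
whose CHK was then recomputed is still reported.
"""
import struct

SYNC_BYTE = 0xAA
FRAME_TYPES = {0: "DATA", 1: "HEADER", 2: "CFG1", 3: "CFG2", 4: "CMD", 5: "CFG3"}


def crc_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE over data, the CHK algorithm of IEEE C37.118."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_frame(frame: bytes) -> dict:
    """Decode the common header and verify CHK; raise ValueError on a malformed frame."""
    if len(frame) < 16:
        raise ValueError("frame shorter than common header + CHK")
    sync, type_ver, framesize, idcode, soc, fracsec = struct.unpack(">BBHHII", frame[:14])
    if sync != SYNC_BYTE:
        raise ValueError(f"bad SYNC byte 0x{sync:02X}")
    if framesize != len(frame):
        raise ValueError(f"FRAMESIZE {framesize} != received length {len(frame)}")
    stored_chk = struct.unpack(">H", frame[-2:])[0]
    return {
        "type": FRAME_TYPES.get((type_ver >> 4) & 0x7, "RESERVED"),
        "version": type_ver & 0x0F,
        "idcode": idcode,
        "soc": soc,
        "time_quality": fracsec >> 24,     # leading byte of FRACSEC
        "fracsec": fracsec & 0x00FFFFFF,   # 24-bit fraction of second (units of 1/TIME_BASE)
        "chk_ok": crc_ccitt(frame[:-2]) == stored_chk,
        "payload": frame[14:-2],           # STAT, phasors, FREQ, DFREQ: left undecoded here
    }


def validate(frame: bytes, receiver_clock: int, max_skew_s: int = 2) -> list:
    """Return finding codes for one received frame (empty list means accept)."""
    try:
        f = parse_frame(frame)
    except ValueError:
        return ["MALFORMED"]
    findings = []
    if not f["chk_ok"]:
        findings.append("CHK_MISMATCH")
    # A CRC only detects accidental damage; an SOC far from the PDC's own
    # GPS-disciplined clock is reported even when the CHK is correct.
    if abs(f["soc"] - receiver_clock) > max_skew_s:
        findings.append("SOC_IMPLAUSIBLE")
    return findings


def build_frame(idcode: int, soc: int, fracsec: int, payload: bytes,
                frame_type: int = 0, version: int = 2) -> bytes:
    """Assemble a frame with a correct CHK; used only to construct the samples below."""
    header = struct.pack(">BBHHII", SYNC_BYTE, (frame_type << 4) | version,
                         16 + len(payload), idcode, soc, fracsec)
    body = header + payload
    return body + struct.pack(">H", crc_ccitt(body))


# Constructed sample input, not captured PMU traffic: IDCODE 7, a data frame
# with a two-byte STAT word followed by one float, FRACSEC 1000000 of TIME_BASE.
RECEIVER_CLOCK = 1_700_000_000
SAMPLE_PAYLOAD = b"\x00\x00" + struct.pack(">f", 230.0)
GOOD_FRAME = build_frame(7, RECEIVER_CLOCK, 1_000_000, SAMPLE_PAYLOAD)
# SOC shifted 600 s forward with CHK recomputed: CHK passes, plausibility check fails.
SHIFTED_FRAME = build_frame(7, RECEIVER_CLOCK + 600, 1_000_000, SAMPLE_PAYLOAD)
# One payload bit flipped after CHK was computed: CHK fails.
CORRUPT_FRAME = GOOD_FRAME[:-3] + bytes([GOOD_FRAME[-3] ^ 0x01]) + GOOD_FRAME[-2:]

if __name__ == "__main__":
    for name, fr in (("good", GOOD_FRAME), ("shifted", SHIFTED_FRAME), ("corrupt", CORRUPT_FRAME)):
        print(name, parse_frame(fr)["soc"], validate(fr, RECEIVER_CLOCK))
```

The point of the two constructed bad frames is the difference between them: the corrupted frame is caught by CHK alone, while the shifted frame carries a correct CHK and is caught only by comparing SOC with a trusted local time source. A PDC that accepts any frame with a valid CHK will accept the second one.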
IEC 61850
GOOSE / Sampled Values
Generic Object-Oriented Substation Events (GOOSE) and Sampled Values (SV) carry substation
communication in IEC 61850 networks. Attacks on these protocols can trigger false breaker trips,
corrupt protection relay logic, and disrupt substation automation.
Attacks
stNum override
sqNum override
timeAllowedToLive override
Simulation flag toggle
Dataset tampering (bool/float/uint)
SV smpCnt and smpSynch override
SV payload: Va/Vb/Vc/Vn, Ia-In
Technical details
BER tag parsing, allData field discovery
Handles stNum, sqNum, TAL simulation
SV ASDU: smpCnt, smpSynch, seqData
80 or 256 samples per period, sine and constant
Breaker trip and process-bus integrity test
Simulation flag distinguishes test vs live traffic
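The stNum, sqNum, timeAllowedToLive and simulation-flag overrides listed above all leave a trace that a subscriber can check: GOOSE sequence numbers follow strict rules (sqNum advances by one per retransmission and restarts at zero whenever stNum increments) and each message states how long the subscriber may wait for the next one. The monitor below is an added example, not NetSim Cyber's own code; it works on already decoded GOOSE fields (BER parsing of the APDU is assumed to happen upstream and is not shown), and the gocbRef, numbers and timings in the sample stream are constructed.

```python
"""Stateful GOOSE stNum/sqNum monitor.

Added example, not NetSim Cyber code. It tracks the state and sequence
numbers per GOOSE control block the way a subscriber IED or a substation
IDS does, and reports the inconsistencies that stNum, sqNum,
timeAllowedToLive and simulation-flag overrides produce. It works on
already decoded fields; BER decoding of the APDU is assumed upstream.
"""
from dataclasses import dataclass


@dataclass
class GooseMsg:
    gocb_ref: str      # gocbRef, identifies the publisher's control block
    st_num: int        # increments on each state change
    sq_num: int        # increments per retransmission, resets to 0 on a state change
    tal_ms: int        # timeAllowedToLive in milliseconds
    simulation: bool   # simulation flag
    t_ms: int          # receive time from a monotonic local clock (ms)


@dataclass
class GooseState:
    st_num: int
    sq_num: int
    last_seen_ms: int
    tal_ms: int


class GooseMonitor:
    """One instance per subscriber; call observe() for each received GOOSE message."""

    def __init__(self, accept_simulation: bool = False):
        self.accept_simulation = accept_simulation
        self.state: dict = {}

    def observe(self, m: GooseMsg) -> list:
        findings = []
        if m.simulation and not self.accept_simulation:
            findings.append("SIMULATION_FLAG")   # test traffic where live traffic is expected
        prev = self.state.get(m.gocb_ref)
        if prev is None:
            self.state[m.gocb_ref] = GooseState(m.st_num, m.sq_num, m.t_ms, m.tal_ms)
            return findings
        if m.t_ms - prev.last_seen_ms > prev.tal_ms:
            findings.append("TAL_EXPIRED")       # gap longer than the publisher promised
        seq = []
        if m.st_num == prev.st_num:
            if m.sq_num != prev.sq_num + 1:
                seq.append("SQNUM_OUT_OF_ORDER")  # repeat or jump: replay or sqNum override
        elif m.st_num == prev.st_num + 1:
            if m.sq_num != 0:
                seq.append("SQNUM_NOT_RESET")     # a new state must restart at sqNum 0
        elif m.st_num < prev.st_num:
            seq.append("STNUM_REGRESSED")         # older state: replayed or forged message
        else:
            seq.append("STNUM_GAP")               # skipped states: lost events or stNum override
        # Keep the last consistent state so a replayed frame cannot poison the baseline.
        # (32-bit wrap-around of stNum/sqNum is not handled in this example.)
        if not seq:
            self.state[m.gocb_ref] = GooseState(m.st_num, m.sq_num, m.t_ms, m.tal_ms)
        return findings + seq


# Constructed message sequence, not captured traffic.
GCB = "IED1CTRL/LLN0$GO$gcbTrip"
SAMPLE_STREAM = [
    GooseMsg(GCB, 5, 0, 10000, False, 0),
    GooseMsg(GCB, 5, 1, 10000, False, 50),
    GooseMsg(GCB, 6, 0, 10000, False, 200),      # legitimate state change
    GooseMsg(GCB, 5, 1, 10000, False, 250),      # replay of an older message
    GooseMsg(GCB, 6, 1, 10000, False, 300),
    GooseMsg(GCB, 6, 7, 10000, False, 350),      # sqNum override
    GooseMsg(GCB, 6, 2, 10000, True, 20350),     # late, and flagged as simulation
    GooseMsg(GCB, 9, 0, 10000, False, 20400),    # stNum override
]


def run(stream) -> list:
    """Feed a message list through a fresh monitor; return one finding list per message."""
    mon = GooseMonitor()
    return [mon.observe(m) for m in stream]


if __name__ == "__main__":
    for m, f in zip(SAMPLE_STREAM, run(SAMPLE_STREAM)):
        print(m.st_num, m.sq_num, f or "ok")
```

The monitor deliberately does not advance its baseline on a message that fails the sequence rules; otherwise one replayed frame with an old stNum would make every following legitimate message look anomalous.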
Industrial control
Modbus TCP
A common protocol in industrial control systems and SCADA environments. Register tampering and
coil manipulation can cause incorrect actuator commands and corrupt historian data without
raising alarms.
Attacks
Register increment/decrement
Register ramp drift and jitter
Fixed-value false data injection
Manual register override by address
Coil/discrete bit: ON / OFF / FLIP
Technical details
MBAP header parse and response rebuild
Targets FC01, FC02, FC03, FC04
Simulator: FC01-FC06, FC15, FC16
Fields: func code, byte count, registers
Master polls all 4 types, logs all responses
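Because a Modbus/TCP response carries no authentication, the checks a master or passive monitor can apply are structural: the MBAP transaction and unit identifiers must match an outstanding request, the length field must agree with the bytes on the wire, and the byte count of an FC01-FC04 response must agree with the quantity the master asked for. The checker below is an added example, not NetSim Cyber's own code; all ADUs in it are constructed.

```python
"""Modbus/TCP response consistency checker.

Added example, not NetSim Cyber code. It parses the MBAP header, pairs each
response with the outstanding request by transaction and unit id, and checks
that the function code and byte count of an FC01-FC04 response agree with
what the master asked for. A response that no request explains, or whose
register count was changed, is reported. All packets below are constructed.
"""
import struct


def parse_mbap(adu: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP fields and PDU; raise ValueError if inconsistent."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(adu) - 6:            # LENGTH counts unit id + PDU
        raise ValueError(f"MBAP length {length} != {len(adu) - 6}")
    return {"tid": tid, "uid": uid, "fc": adu[7], "pdu": adu[7:]}


class ModbusResponseChecker:
    """Pairs responses with requests, as a master or a passive monitor on the link would."""

    def __init__(self):
        self.pending = {}   # (tid, uid) -> parsed request

    def request(self, adu: bytes) -> None:
        r = parse_mbap(adu)
        if r["fc"] in (1, 2, 3, 4):
            if len(r["pdu"]) != 5:
                raise ValueError("read request PDU must be fc + address + quantity")
            r["addr"], r["qty"] = struct.unpack(">HH", r["pdu"][1:5])
        self.pending[(r["tid"], r["uid"])] = r

    def response(self, adu: bytes) -> list:
        try:
            s = parse_mbap(adu)
        except ValueError as e:
            return [f"MALFORMED:{e}"]
        req = self.pending.pop((s["tid"], s["uid"]), None)
        if req is None:
            return ["UNSOLICITED_RESPONSE"]   # nothing asked for it: injected or replayed
        if s["fc"] & 0x80:                    # exception response
            return ["FC_MISMATCH", "EXCEPTION"] if (s["fc"] & 0x7F) != req["fc"] else ["EXCEPTION"]
        if s["fc"] != req["fc"]:
            return ["FC_MISMATCH"]
        if req["fc"] in (1, 2, 3, 4):
            if len(s["pdu"]) < 2:
                return ["MALFORMED:truncated read response"]
            byte_count = s["pdu"][1]
            # FC03/FC04 return two bytes per register; FC01/FC02 pack eight bits per byte
            expected = 2 * req["qty"] if req["fc"] in (3, 4) else (req["qty"] + 7) // 8
            if byte_count != expected or len(s["pdu"]) != 2 + byte_count:
                return ["BYTE_COUNT_MISMATCH"]
        return []


def registers(adu: bytes) -> list:
    """Decode the 16-bit registers carried by an FC03/FC04 response."""
    pdu = parse_mbap(adu)["pdu"]
    n = pdu[1] // 2
    return list(struct.unpack(f">{n}H", pdu[2:2 + 2 * n]))


# Constructed sample ADUs (hex): unit 1, read holding registers 0-1.
REQ_FC03 = bytes.fromhex("0001 0000 0006 01 03 0000 0002")
RESP_FC03 = bytes.fromhex("0001 0000 0007 01 03 04 0100 00E6")           # registers 256, 230
RESP_EXTRA_REG = bytes.fromhex("0001 0000 0009 01 03 06 0100 00E6 0001")  # a third register appended
RESP_UNSOLICITED = bytes.fromhex("0005 0000 0007 01 03 04 0100 00E6")     # transaction 5 never requested
REQ_TID2 = bytes.fromhex("0002 0000 0006 01 03 0000 0002")
RESP_EXC_TID2 = bytes.fromhex("0002 0000 0003 01 83 02")                  # exception 02: illegal data address

if __name__ == "__main__":
    chk = ModbusResponseChecker()
    chk.request(REQ_FC03)
    print(chk.response(RESP_FC03), registers(RESP_FC03))
```

These checks catch structural tampering (extra or missing registers, responses with no matching request) but not a value rewritten in place with the byte count left intact; that case needs a plausibility check on the decoded register values against the process model, which is outside this example.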
IEEE 1815
DNP3
The standard protocol for utility-to-substation communication in North America. Unauthorized
control commands and replay attacks can trigger remote switching operations and corrupt SCADA
historian records.
Attacks
FDI: analog/binary inputs, counters
Replay via interceptor path
Unauthorized direct/select-operate
Link-status recon and integrity polling
Time skew writes
Enable/disable unsolicited responses
Cold/warm restart, DoS flooding
Technical details
Start 0x05 0x64, header and block CRC
Transport segmentation, object groups, CROB
Point DB: binary, analog, counter I/O
Interceptor: outstation-master traffic
Class poll, replay and control paths via GUI
Supports both solicited and unsolicited modes
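The "Start 0x05 0x64, header and block CRC" line above refers to the DNP3 link layer: a 10-byte header whose own CRC covers its first 8 bytes, followed by user data in blocks of up to 16 bytes, each with its own CRC. The validator below is an added example, not NetSim Cyber's own code; it verifies every CRC and decodes the control byte and addresses, and stops at the link layer (transport and application layers are not decoded). The addresses and user data in the samples are constructed.

```python
"""DNP3 (IEEE 1815) link-layer frame validator.

Added example, not NetSim Cyber code. It checks the 0x05 0x64 start bytes,
the header CRC and the CRC of every 16-byte user-data block, then decodes
the control byte and addresses. CRC-16/DNP: polynomial 0x3D65 (reflected
form 0xA6BC), seed 0, result complemented, stored least-significant byte
first. Transport and application layers above the link are not decoded.
"""
import struct


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP as used for DNP3 header and data-block CRCs."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def parse_link_frame(frame: bytes) -> dict:
    """Validate CRCs and decode one link frame; raise ValueError on any integrity failure."""
    if len(frame) < 10:
        raise ValueError("frame shorter than link header")
    if frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    length, ctrl, dst, src = struct.unpack("<BBHH", frame[2:8])
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    remaining = length - 5        # LENGTH covers ctrl, dst, src and user data, not CRCs
    if remaining < 0:
        raise ValueError("length field too small")
    user, pos = bytearray(), 10
    while remaining > 0:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated data block")
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing bytes after last block")
    return {
        "dir_from_master": bool(ctrl & 0x80),   # DIR bit
        "primary": bool(ctrl & 0x40),           # PRM bit: primary (initiating) station
        "fcb": bool(ctrl & 0x20),
        "fcv": bool(ctrl & 0x10),
        "function": ctrl & 0x0F,                # primary codes: 0 RESET_LINK_STATES, 4 UNCONFIRMED_USER_DATA
        "dst": dst, "src": src,
        "user_data": bytes(user),
    }


def check_frame(frame: bytes) -> str:
    """Return 'OK' or the integrity error text, as a passive link monitor would log it."""
    try:
        parse_link_frame(frame)
        return "OK"
    except ValueError as e:
        return str(e)


def build_link_frame(ctrl: int, dst: int, src: int, user: bytes = b"") -> bytes:
    """Assemble a frame with correct CRCs; used only to construct the samples below."""
    header = b"\x05\x64" + struct.pack("<BBHH", 5 + len(user), ctrl, dst, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


# Constructed samples: master address 1024, outstation address 1.
RESET_LINK = build_link_frame(0xC0, 1, 1024)                      # DIR=1 PRM=1, function 0
USER_DATA = build_link_frame(0xC4, 1, 1024, bytes(range(18)))     # 18 bytes span two blocks
CORRUPT = bytearray(USER_DATA)
CORRUPT[10] ^= 0xFF                                               # first user byte damaged, CRC untouched
CORRUPT = bytes(CORRUPT)

if __name__ == "__main__":
    for name, fr in (("reset", RESET_LINK), ("data", USER_DATA), ("corrupt", CORRUPT)):
        print(name, fr.hex(" "), check_frame(fr))
```

As with the C37.118 CHK, the link CRCs are an integrity check against transmission errors only: a frame rebuilt with recalculated CRCs passes this validator, which is exactly why the page describes wire-valid modified packets as indistinguishable on the wire. Detecting those requires higher-layer state, such as tracking CROB commands against operator actions or using DNP3 Secure Authentication.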
Telecontrol
IEC 60870-5-104
A telecontrol protocol used for communication between control centers and substations over
TCP/IP networks, widely used in electric power transmission and distribution systems for
supervisory control and data acquisition. IEC-104 supports telemetry, telecontrol, event
reporting, and status monitoring between a master station and a controlled station.
Attacks
Telemetry value modification
Status indication manipulation
Replay of valid messages
Delay of telecontrol messages
Packet drop
Time-tag manipulation
Technical details
IEC 60870-5-101 application layer over TCP/IP
Port TCP 2404, master to controlled station
Single/double-point information, measured values
Commands, integrated totals, time-tagged events
Use case: transmission/distribution SCADA, telecontrol security
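IEC-104 has no checksum at all above TCP, so the attacks listed above (replay, delay, drop, time-tag manipulation) show up, if anywhere, in the APCI sequence numbers and in the CP56Time2a time tags of time-tagged ASDUs. The monitor below is an added example, not NetSim Cyber's own code: it decodes the six-byte APCI, tracks the send sequence number N(S) per direction to report gaps and duplicates, and compares the time tag of the first information object with the receiver's clock. It assumes time tags are UTC, handles only the two time-tagged types it names, and all APDUs, addresses and values are constructed.

```python
"""IEC 60870-5-104 APCI/ASDU monitor.

Added example, not NetSim Cyber code. It decodes the six-byte APCI,
classifies I/S/U frames, tracks N(S) per direction to report dropped (GAP)
and replayed (DUPLICATE) I-frames, and decodes the ASDU header and the
CP56Time2a tag of time-tagged objects so that a tag far from the receiver's
clock is reported. Time tags are taken as UTC. All APDUs are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

START = 0x68
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}
# Offset of the CP56Time2a tag inside the first information object, counting from the IOA
TIME_TAG_OFFSET = {30: 4,   # M_SP_TB_1: IOA(3), SIQ(1), CP56Time2a(7)
                   36: 8}   # M_ME_TF_1: IOA(3), short float(4), QDS(1), CP56Time2a(7)


def parse_apci(apdu: bytes) -> dict:
    if len(apdu) < 6 or apdu[0] != START:
        raise ValueError("not an IEC-104 APDU")
    if apdu[1] != len(apdu) - 2 or apdu[1] < 4:
        raise ValueError(f"APDU length {apdu[1]} inconsistent with {len(apdu) - 2}")
    c1, c2, c3, c4 = apdu[2:6]
    if c1 & 0x01 == 0:                       # I-format: numbered information transfer
        return {"format": "I", "ns": (c1 >> 1) | (c2 << 7), "nr": (c3 >> 1) | (c4 << 7), "asdu": apdu[6:]}
    if c1 & 0x03 == 0x01:                    # S-format: numbered supervisory
        return {"format": "S", "nr": (c3 >> 1) | (c4 << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(c1 & 0xFC, f"unknown 0x{c1:02X}")}


def parse_asdu(asdu: bytes) -> dict:
    """Decode the ASDU header with the 104 field sizes: type 1, VSQ 1, COT 2, CA 2."""
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its header")
    type_id, vsq, cot, ca = struct.unpack("<BBHH", asdu[:6])
    return {"type_id": type_id, "sq": bool(vsq & 0x80), "count": vsq & 0x7F,
            "cot": cot & 0x3F, "test": bool(cot & 0x80), "negative": bool(cot & 0x40),
            "originator": cot >> 8, "ca": ca, "objects": asdu[6:]}


def parse_cp56time2a(b: bytes) -> datetime:
    ms, minute, hour, day, month, year = struct.unpack("<HBBBBB", b[:7])
    if minute & 0x80:                        # IV bit: the sender marked the tag invalid
        raise ValueError("time tag invalid")
    return datetime(2000 + (year & 0x7F), month & 0x0F, day & 0x1F, hour & 0x1F,
                    minute & 0x3F, ms // 1000, (ms % 1000) * 1000, tzinfo=timezone.utc)


class Iec104Monitor:
    """Per-connection monitor; call observe() with each APDU and the receive time."""

    def __init__(self, max_skew_s: float = 5.0):
        self.expected = {}                   # direction -> next expected N(S)
        self.max_skew_s = max_skew_s

    def observe(self, direction: str, apdu: bytes, now: datetime) -> list:
        a = parse_apci(apdu)
        if a["format"] != "I":
            return []
        findings = []
        exp = self.expected.get(direction)
        if exp is None or a["ns"] == exp:
            self.expected[direction] = (a["ns"] + 1) % 32768
        elif (a["ns"] - exp) % 32768 < 16384:
            findings.append("GAP")           # frames missing: dropped or delayed upstream
            self.expected[direction] = (a["ns"] + 1) % 32768
        else:
            findings.append("DUPLICATE")     # N(S) already seen: replay
        h = parse_asdu(a["asdu"])
        off = TIME_TAG_OFFSET.get(h["type_id"])
        if off is not None and not h["sq"] and len(h["objects"]) >= off + 7:
            try:
                tag = parse_cp56time2a(h["objects"][off:off + 7])
                if abs((tag - now).total_seconds()) > self.max_skew_s:
                    findings.append("TIME_TAG_SKEW")
            except ValueError:
                findings.append("TIME_TAG_INVALID")
        return findings


def first_float(apdu: bytes) -> tuple:
    """(IOA, value) of the first object of a type 36 ASDU carried in an I-frame."""
    objs = parse_asdu(parse_apci(apdu)["asdu"])["objects"]
    return int.from_bytes(objs[:3], "little"), struct.unpack("<f", objs[3:7])[0]


# Helpers used only to construct the samples below.
def cp56time2a(t: datetime) -> bytes:
    return struct.pack("<HBBBBB", t.second * 1000 + t.microsecond // 1000,
                       t.minute, t.hour, t.day, t.month, t.year - 2000)


def i_frame(ns: int, nr: int, asdu: bytes) -> bytes:
    return bytes([START, 4 + len(asdu)]) + struct.pack("<HH", ns << 1, nr << 1) + asdu


def asdu_m_me_tf_1(ioa: int, value: float, t: datetime, cot: int = 3, ca: int = 1) -> bytes:
    """Type 36 (short float with CP56Time2a), one object, COT 3 = spontaneous."""
    return (struct.pack("<BBHH", 36, 1, cot, ca) + ioa.to_bytes(3, "little")
            + struct.pack("<f", value) + b"\x00" + cp56time2a(t))


NOW = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
U_STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
FRAMES = [i_frame(n, 0, asdu_m_me_tf_1(2001, 230.0 + n, NOW)) for n in range(5)]
SKEWED = i_frame(5, 0, asdu_m_me_tf_1(2001, 230.0, NOW - timedelta(hours=1)))


def run_sample() -> list:
    """Deliver frames 0, 1, 3 (frame 2 dropped), a replay of 1, frame 4, then the skewed tag."""
    mon = Iec104Monitor()
    d = "outstation->master"
    return [mon.observe(d, f, NOW) for f in (FRAMES[0], FRAMES[1], FRAMES[3], FRAMES[1], FRAMES[4], SKEWED)]
```

Sequence tracking here is deliberately per direction, since N(S) is counted independently by each side of the connection; a monitor that mixes the two will report gaps that do not exist.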
Integration with power-system simulators
NetSim Cyber interfaces with real-time power-system simulators and electrical platforms.
Feature highlights
What NetSim Cyber does that hardware testbeds and generic security tools do not.
Focus
Post-exploitation
Evaluates grid impact after a breach, not how it occurred. No pen-testing, no malware
deployment. Controlled lab environment only.
Method
Protocol-aware mutation
Field-level rewrites on Synchrophasor, GOOSE, Modbus, DNP3 and IEC-104. Not generic packet
fuzzing.
Fidelity
Wire-valid packets
CRCs and transport checksums recalculated post-mutation. Modified packets remain
indistinguishable on the wire.
Form factor
Software digital twin
Hardware testbeds are costly, inflexible, hard to scale. NetSim Cyber functions as a digital
twin: safe, scalable, zero hardware risk.
Integrations
Power-system tools
Direct interfaces with OPAL-RT, RTDS, HYPERSIM, PSCAD, MATLAB/Simulink, Typhoon HIL, OpenPMU
and openPDC.
Outcome
Proactive resilience
Validate detection and countermeasures before attacks occur on live infrastructure.
Who is NetSim Cyber for
Teams working on the cyber-physical security of electric power systems.
Utilities and grid operators
Power-system utilities and national grid operators evaluating attack
impact on production infrastructure.
SCADA and substation engineers
Protection, SCADA and substation automation engineers validating
relay logic and process-bus integrity.
Cybersecurity teams
Teams validating protocol-aware detection and countermeasures on
power-system traffic.
CPPS researchers
Cyber-physical lab integrators and researchers building software
digital twins of power systems.
Defence and critical infrastructure
Defence and critical-infrastructure agencies preparing for
cyber-kinetic attack scenarios.
Academic institutions
Universities and training organisations teaching CPPS security with
reproducible experiments.
Publications that have used NetSim
Supervised ML framework for DOS Attack Detection and Mitigation for Synchrophasor data transmitted from PMU to PDC (ieeexplore.ieee.org/document/11162614)
On IEC 61850 communication networks in smart grid, methodology of implementation and performance analysis on an experimental platform (ieeexplore.ieee.org/document/8585706)