# Supported Power-System Protocols
NetSim Cyber supports major communication protocols used in power-system monitoring, control, protection, and automation networks. These protocols are commonly used between devices such as PMUs, PDCs, IEDs, RTUs, PLCs, SCADA masters, HMIs, substation gateways, and control-centre applications.
The supported protocols allow users to create realistic cyber-physical test scenarios and evaluate how communication attacks affect power-system visibility, measurement integrity, command reliability, and automation behaviour.
NetSim Cyber supports the following power-system protocols:
- IEEE C37.118 Synchrophasor
- IEC 61850 GOOSE, Routed GOOSE, MMS, and Sampled Values
- Modbus TCP
- DNP3
- IEC 60870-5-104
- Custom TCP/IP-based protocols
These protocols can be used with built-in simulators, external software tools, hardware-in-the-loop platforms, or real power-system devices depending on the test environment.
| Protocol | Typical Source Device | Typical Destination Device | Common Use Case |
|---|---|---|---|
| IEEE C37.118 Synchrophasor | PMU | PDC | Wide-area monitoring and Synchrophasor data streaming |
| IEC 61850 GOOSE / R-GOOSE | IED / Relay | IED / Subscriber | Substation protection and event messaging |
| IEC 61850 MMS | IED / Server | SCADA Client / Engineering Tool | Substation data access and device communication |
| IEC 61850 Sampled Values | Merging Unit | Protection Relay / Subscriber | High-speed sampled measurement transmission |
| Modbus TCP | PLC / RTU / Slave | SCADA Master / HMI | Industrial monitoring and control |
| DNP3 | RTU / Outstation | SCADA Master | SCADA telemetry and control |
| IEC 60870-5-104 | IEC-104 Slave / Controlled Station | IEC-104 Master / Control Center | Telecontrol and control-center communication |
| Custom TCP/IP | User-defined source | User-defined destination | Testing proprietary or custom application protocols |
*Table: Supported power-system protocols*

## IEEE C37.118 Synchrophasor
IEEE C37.118 is a communication standard used for transmitting synchrophasor measurements from Phasor Measurement Units, commonly known as PMUs, to Phasor Data Concentrators, commonly known as PDCs. Synchrophasor data is widely used in wide-area monitoring systems, dynamic grid visualization, oscillation monitoring, event analysis, and power-system situational awareness.
A PMU measures electrical quantities such as voltage phasors, current phasors, frequency, and rate of change of frequency. These measurements are time-synchronized, usually using GPS or another precision time source, and are streamed to a PDC for aggregation, visualization, storage, or further analysis.
In NetSim Cyber, IEEE C37.118 traffic can be used to study attacks on synchrophasor measurement integrity and timing. Since synchrophasor applications depend heavily on accurate values and precise timestamps, even small modifications can affect monitoring and analysis systems.
Typical IEEE C37.118 data includes:
- Voltage magnitude and angle
- Current magnitude and angle
- Frequency
- Rate of Change of Frequency, or ROCOF
- Analog values
- Digital status words
- Timestamp information
- Configuration frames
- Command frames
NetSim Cyber can emulate attacks that modify selected fields in the Synchrophasor data stream while allowing communication between the PMU and PDC to continue. This enables users to evaluate whether the receiving PDC, monitoring tool, or detection algorithm can identify abnormal data.
Typical attack scenarios include:
- Voltage or current magnitude manipulation
- Phase angle manipulation
- Frequency manipulation
- ROCOF manipulation
- Timestamp shifting
- Random noise injection
- Increment and decrement attacks
- Ramp attacks
- Pulse or surge attacks
- Replay of valid frames
*Figure: IEEE C37.118 communication flow*
| Item | Description |
|---|---|
| Typical source | PMU or PMU simulator |
| Typical destination | PDC or openPDC |
| Common traffic | Synchrophasor measurement frames |
| Typical data fields | Phasors, frequency, ROCOF, analog values, digital values, timestamps |
| Example attacks | False data injection, ramp, noise, timestamp shift, frequency manipulation |
| Typical application | Wide-area monitoring cybersecurity, PMU/PDC testing, dataset generation |
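The receiving side of the scenarios listed above (timestamp shifting, replay, frequency or ROCOF manipulation, pulse or surge attacks, corrupted frames) can be checked with a small PDC-side validator. The following is an added example, not code from NetSim Cyber or from any PDC product. It assumes a constructed PMU whose configuration frame declares one phasor in 16-bit rectangular format, 16-bit FREQ/DFREQ, no analog or digital channels, and a TIME_BASE of 1e6; the frames, the epoch second and the plausibility limits are all constructed for the demonstration.

```python
import math
import struct

# Assumed configuration-frame values for the constructed PMU: one phasor in
# 16-bit rectangular format, FREQ/DFREQ as 16-bit integers, no analogs or
# digitals, and TIME_BASE = 1e6 (FRACSEC fraction in microseconds).
TIME_BASE = 1_000_000
DATA_FRAME_LEN = 26  # 14-byte header + STAT(2) + phasor(4) + FREQ(2) + DFREQ(2) + CHK(2)
SOC = 1_700_000_000  # constructed epoch second for the sample stream


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for the C37.118 CHK field (init 0xFFFF, polynomial 0x1021)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_data_frame(idcode, soc, fracsec, re, im, freq_mhz, rocof, stat=0):
    """Constructed data frame for the assumed configuration (test input only)."""
    body = struct.pack(">BBHHII", 0xAA, 0x01, DATA_FRAME_LEN, idcode, soc, fracsec)
    body += struct.pack(">Hhhhh", stat, re, im, freq_mhz, rocof)
    return body + struct.pack(">H", crc_ccitt(body))


def parse_data_frame(raw):
    """Validate framing and CHK, then decode the fields the checks below use."""
    if len(raw) != DATA_FRAME_LEN or raw[0] != 0xAA:
        raise ValueError("bad SYNC or frame length")
    if raw[1] & 0x70:
        raise ValueError("not a data frame")
    size, idcode, soc, fracsec = struct.unpack(">HHII", raw[2:14])
    if size != len(raw):
        raise ValueError("FRAMESIZE mismatch")
    if crc_ccitt(raw[:-2]) != struct.unpack(">H", raw[-2:])[0]:
        raise ValueError("CHK mismatch")
    stat, re, im, freq_mhz, rocof = struct.unpack(">Hhhhh", raw[14:24])
    # Low 24 bits of FRACSEC are the fraction of second; the top byte is time quality.
    return {
        "idcode": idcode,
        "time": soc + (fracsec & 0x00FFFFFF) / TIME_BASE,
        "stat": stat,
        "mag": math.hypot(re, im),
        "freq_mhz": freq_mhz,  # deviation from nominal frequency, mHz
        "rocof": rocof,        # 0.01 Hz/s units
    }


def check_stream(frames, freq_limit_mhz=500, rocof_limit=200, mag_step=0.05):
    """Return (frame index, reason) findings for a sequence of received frames."""
    findings = []
    prev = None
    for i, raw in enumerate(frames):
        try:
            f = parse_data_frame(raw)
        except ValueError as exc:
            findings.append((i, f"malformed frame: {exc}"))
            continue
        if prev is not None:
            if f["time"] <= prev["time"]:
                findings.append((i, "timestamp not increasing: replay or timestamp shift"))
            if prev["mag"] and abs(f["mag"] - prev["mag"]) / prev["mag"] > mag_step:
                findings.append((i, "magnitude step exceeds limit: pulse, surge or injected value"))
        if abs(f["freq_mhz"]) > freq_limit_mhz:
            findings.append((i, "frequency deviation outside plausible band"))
        if abs(f["rocof"]) > rocof_limit:
            findings.append((i, "ROCOF outside plausible band"))
        prev = f
    return findings


def constructed_stream():
    """Constructed 50 fps stream: four clean frames followed by four abnormal ones."""
    def mk(k, re=14142, freq=10, rocof=0):
        return build_data_frame(1, SOC, 20_000 * k, re, 0, freq, rocof)

    frames = [mk(0), mk(1), mk(2), mk(3)]
    frames.append(frames[1])            # 4: replayed copy of frame 1
    frames.append(mk(5, freq=900))      # 5: 0.9 Hz frequency deviation
    frames.append(mk(6, re=16970))      # 6: 20 % magnitude jump
    tampered = bytearray(mk(7))
    tampered[16] ^= 0x01                # 7: phasor byte altered in transit, CHK not updated
    frames.append(bytes(tampered))
    return frames


if __name__ == "__main__":
    for index, reason in check_stream(constructed_stream()):
        print(f"frame {index}: {reason}")
```

The CHK check only catches accidental corruption: an attacker who rewrites a field can recompute CRC-CCITT, which is why the timing and plausibility checks are the ones that matter for the manipulation scenarios above.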
## IEC 61850 GOOSE, R-GOOSE, MMS, and SV
IEC 61850 is a communication standard widely used in substation automation systems. It defines communication models and services for intelligent electronic devices, protection relays, merging units, bay controllers, substation gateways, and automation systems.
NetSim Cyber supports IEC 61850-related traffic used in protection, monitoring, and control environments. The major IEC 61850 communication types relevant to NetSim Cyber are:
- GOOSE
- Routed GOOSE, or R-GOOSE
- MMS
- Sampled Values, or SV

### IEC 61850 GOOSE
GOOSE stands for Generic Object-Oriented Substation Event. It is used for fast event-based messaging between IEDs inside substations. GOOSE messages are commonly used for protection trips, interlocking, blocking, breaker status transfer, and automation logic.
GOOSE communication is time-critical. A replayed, delayed, dropped, or modified GOOSE message may affect protection or automation behavior in a test environment. NetSim Cyber can be used to study how GOOSE subscribers respond to abnormal or manipulated event messages.
Typical GOOSE attack scenarios include:
- GOOSE replay
- Message delay
- Packet drop
- Status value manipulation
- Sequence-related manipulation
- Event spoofing

*Figure: IEC 61850 communication types in a substation*
| IEC 61850 Type | Typical Source | Typical Destination | Purpose | Example Attack Scenario |
|---|---|---|---|---|
| GOOSE | IED / Protection Relay | IED / Subscriber | Fast event and protection messaging | Replay, delay, status manipulation |
| R-GOOSE | IED / Gateway | Remote subscriber | Routed event communication | Replay, delay, packet manipulation |
| MMS | SCADA client / Engineering tool | IED / Server | Monitoring, reporting, control, configuration | Data manipulation, unauthorized value modification in test environment |
| Sampled Values | Merging Unit | Protection Relay / Subscriber | Sampled voltage/current measurement transfer | Measurement manipulation, delay, packet loss |
*Table: IEC 61850 protocol support*

## Modbus TCP
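A GOOSE subscriber detects the replay, delay, status-manipulation and sequence scenarios listed above from the stNum/sqNum counters, the event timestamp and timeAllowedToLive in each message. The following is an added example, not NetSim Cyber code or an IED's implementation: it works on already-decoded messages (the ASN.1 decoding of the GOOSE APDU is assumed to have happened), and the capture is constructed for the demonstration.

```python
class GooseSubscriberMonitor:
    """Tracks one GOOSE control block (one publisher) the way a subscriber would."""

    def __init__(self):
        self.state = None      # last accepted message
        self.last_seen = None  # arrival time of that message, seconds

    def _accept(self, msg, now):
        self.state = msg
        self.last_seen = now

    def process(self, msg, now):
        """Return a list of alerts for one received message (empty if it is consistent)."""
        alerts = []
        if self.state is None:
            self._accept(msg, now)
            return alerts
        st, sq = self.state["stNum"], self.state["sqNum"]
        # Publisher must repeat within timeAllowedToLive; a gap means delay or loss.
        if now - self.last_seen > self.state["tal_ms"] / 1000.0:
            alerts.append("timeAllowedToLive exceeded: messages delayed or dropped")
        if msg["stNum"] < st:
            alerts.append(f"stNum {msg['stNum']} < {st}: replayed or out-of-order message")
            return alerts
        if msg["stNum"] == st:
            # Same state: this must be a retransmission with the next sqNum and identical content.
            if msg["sqNum"] <= sq:
                alerts.append(f"sqNum {msg['sqNum']} <= {sq}: duplicate or replayed retransmission")
                return alerts
            if msg["sqNum"] != sq + 1:
                alerts.append(f"sqNum jumped {sq} -> {msg['sqNum']}: retransmissions lost")
            if msg["t"] != self.state["t"]:
                alerts.append("event timestamp changed without a new stNum: spoofed retransmission")
                return alerts
            if msg["data"] != self.state["data"]:
                alerts.append("dataset changed without a new stNum: status value manipulation")
                return alerts
        else:
            # New state: stNum advances by one and sqNum restarts (0 or 1 depending on edition).
            if msg["stNum"] != st + 1:
                alerts.append(f"stNum jumped {st} -> {msg['stNum']}: state changes missed")
            if msg["sqNum"] > 1:
                alerts.append("sqNum not restarted on state change: malformed or forged event")
        self._accept(msg, now)
        return alerts


def goose(st, sq, t, data, tal_ms=2000):
    """Constructed decoded GOOSE message (only the fields the monitor needs)."""
    return {"stNum": st, "sqNum": sq, "t": t, "data": data, "tal_ms": tal_ms}


# Constructed capture: (arrival time in seconds, decoded message).
CONSTRUCTED_CAPTURE = [
    (100.0, goose(1, 0, 100.0, (False,))),  # 0: steady state, breaker closed
    (100.5, goose(1, 1, 100.0, (False,))),  # 1: retransmission
    (101.5, goose(1, 2, 100.0, (False,))),  # 2: retransmission
    (102.0, goose(2, 0, 102.0, (True,))),   # 3: genuine state change (trip)
    (102.3, goose(1, 1, 100.0, (False,))),  # 4: replayed old message
    (102.5, goose(2, 1, 102.0, (False,))),  # 5: value flipped without a new stNum
    (106.0, goose(2, 1, 102.0, (True,))),   # 6: next genuine retransmission arrives 4 s late
]


def run_monitor(messages):
    """Feed a capture through the monitor; return (index, alerts) for flagged messages."""
    mon = GooseSubscriberMonitor()
    flagged = []
    for i, (now, msg) in enumerate(messages):
        alerts = mon.process(msg, now)
        if alerts:
            flagged.append((i, alerts))
    return flagged


if __name__ == "__main__":
    for index, alerts in run_monitor(CONSTRUCTED_CAPTURE):
        print(index, alerts)
```

Rejected messages (replay, altered content) do not update the tracked state, so a later genuine retransmission is still judged against the last trusted message; a timeAllowedToLive overrun is reported but the message is still accepted, since the publisher may simply have been delayed.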
Modbus TCP is an industrial communication protocol commonly used for monitoring and control between SCADA masters, HMIs, PLCs, RTUs, and field devices. It uses a client-server communication model where the client, usually a master or HMI, sends read or write requests to a server device, usually a PLC, RTU, or slave device.
Modbus TCP is widely used because it is simple, open, and easy to implement. However, many Modbus deployments include no built-in authentication or encryption. That lack of protection is what makes Modbus TCP useful for studying how unauthorized or manipulated messages affect industrial monitoring and control systems in a controlled testbed.
Typical Modbus data includes:
- Coils
- Discrete inputs
- Holding registers
- Input registers
In NetSim Cyber, Modbus TCP traffic can be intercepted and modified between the master and slave. The Threat Agent can alter register values, modify response data, replay valid messages, or simulate abnormal data conditions.
Typical attack scenarios include:
- Holding register value modification
- Input register value modification
- Coil status manipulation
- Replay of previous responses
- Delay of read or write responses
- Packet drop
- False process value injection
For power-system applications, Modbus TCP may be used to exchange measurements, breaker status, control commands, equipment status, or auxiliary system data. Manipulating these values in a lab setup can help users study incorrect SCADA display values, false alarms, or abnormal control behavior.
*Figure: Modbus TCP communication flow*
| Item | Description |
|---|---|
| Typical source | SCADA master, HMI, or Modbus client |
| Typical destination | PLC, RTU, or Modbus slave |
| Common port | TCP 502 |
| Common data | Coils, discrete inputs, holding registers, input registers |
| Example attacks | Register modification, coil manipulation, replay, delay, packet drop |
| Typical application | Industrial control testing, SCADA cybersecurity, false process value analysis |
*Table: Modbus TCP support in NetSim Cyber*

## DNP3
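Because Modbus TCP carries no authentication, the only integrity signals a SCADA master has are the MBAP header fields, the request/response correlation, and the plausibility of the values themselves. The following added example (not NetSim Cyber code and not a Modbus library's API) builds and parses Read Holding Registers (function code 3) ADUs and flags the replayed-response, malformed-response and false-process-value scenarios from the list above. The register plausibility limits and all frames are constructed for the demonstration.

```python
import struct


def parse_mbap(raw):
    """Split a Modbus TCP ADU into (transaction id, unit id, function code, data)."""
    if len(raw) < 8:
        raise ValueError("ADU too short")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(raw) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match ADU size")
    return tid, uid, raw[7], raw[8:]


def build_read_request(tid, uid, start, qty):
    """Constructed FC 3 request (test input only)."""
    pdu = struct.pack(">BHH", 0x03, start, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def build_read_response(tid, uid, values):
    """Constructed FC 3 response (test input only)."""
    pdu = struct.pack(">BB", 0x03, 2 * len(values)) + struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


class ModbusMonitor:
    """Correlates FC 3 responses with outstanding requests and checks the returned values."""

    def __init__(self, limits):
        self.pending = {}     # transaction id -> (unit id, start address, quantity)
        self.limits = limits  # register address -> (low, high) plausible raw range

    def request(self, raw):
        tid, uid, fc, data = parse_mbap(raw)
        if fc == 0x03:
            start, qty = struct.unpack(">HH", data[:4])
            self.pending[tid] = (uid, start, qty)

    def response(self, raw):
        """Return a list of findings for one response (empty if it is consistent)."""
        findings = []
        tid, uid, fc, data = parse_mbap(raw)
        if tid not in self.pending:
            findings.append(f"tid {tid}: response without pending request (replayed or injected)")
            return findings
        req_uid, start, qty = self.pending.pop(tid)
        if uid != req_uid:
            findings.append(f"tid {tid}: unit id {uid} differs from request {req_uid}")
        if fc & 0x80:
            findings.append(f"tid {tid}: exception response, code {data[0]}")
            return findings
        if fc != 0x03:
            findings.append(f"tid {tid}: function code {fc} does not match request")
            return findings
        if data[0] != 2 * qty or len(data) != 1 + 2 * qty:
            findings.append(f"tid {tid}: byte count {data[0]} does not match {qty} requested registers")
            return findings
        values = struct.unpack(f">{qty}H", data[1:])
        for offset, value in enumerate(values):
            lo, hi = self.limits.get(start + offset, (None, None))
            if lo is not None and not lo <= value <= hi:
                findings.append(f"tid {tid}: register {start + offset} = {value} outside plausible {lo}..{hi}")
        return findings


def run_demo():
    """Constructed master/slave exchange; returns the findings for each response in order."""
    mon = ModbusMonitor(limits={0: (9000, 11000)})  # register 0: bus voltage in 0.01 kV (constructed)
    steps = []
    mon.request(build_read_request(1, 1, 0, 2))
    steps.append(mon.response(build_read_response(1, 1, (10000, 500))))       # clean
    mon.request(build_read_request(2, 1, 0, 2))
    steps.append(mon.response(build_read_response(2, 1, (13000, 500))))       # implausible value
    steps.append(mon.response(build_read_response(2, 1, (13000, 500))))       # same response again: replay
    mon.request(build_read_request(3, 1, 0, 2))
    steps.append(mon.response(build_read_response(3, 1, (10000, 500, 7))))    # byte count mismatch
    return steps


if __name__ == "__main__":
    for step, findings in enumerate(run_demo()):
        print(step, findings or "ok")
```

Transaction ids wrap at 65535 and a real monitor should expire pending entries that never receive a response, which is also where the delay and packet-drop scenarios become visible.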
DNP3, or Distributed Network Protocol version 3, is commonly used in electric utility SCADA systems. It is used for communication between control centers, SCADA masters, RTUs, IEDs, and outstations. DNP3 is designed for reliable communication in utility environments and supports time-stamped measurements, events, binary states, analog values, counters, and control operations.
A typical DNP3 system consists of a master station and one or more outstations. The master requests data or sends control commands, while the outstation provides field data and event information.
DNP3 is used for:
- Substation telemetry
- Feeder automation
- Remote terminal unit communication
- Distribution automation
- Control-center communication
- Event reporting
In NetSim Cyber, DNP3 traffic can be used to study the effect of cyber-attacks on SCADA data integrity and communication behavior. The Threat Agent can be configured to manipulate selected values, replay messages, delay traffic, or drop packets in a controlled test environment.
Typical DNP3 attack scenarios include:
- Analog input value manipulation
- Binary input status manipulation
- Counter value modification
- Replay of valid outstation responses
- Delay of telemetry messages
- Packet drop
- False event injection in a test environment
For power-system engineers, DNP3 attack studies are useful for understanding how manipulated field data may affect SCADA displays, alarms, event logs, operator awareness, and automation decisions.
*Figure: DNP3 communication flow*
| Item | Description |
|---|---|
| Typical source | DNP3 master or SCADA system |
| Typical destination | RTU, IED, or DNP3 outstation |
| Common port | TCP/UDP 20000 |
| Common data | Analog inputs, binary inputs, counters, events, controls |
| Example attacks | Measurement manipulation, replay, delay, packet drop, status modification |
| Typical application | Utility SCADA cybersecurity, RTU/outstation testing, telemetry integrity analysis |
*Table: DNP3 support in NetSim Cyber*

## IEC 60870-5-104
IEC 60870-5-104, commonly called IEC-104, is a telecontrol protocol used for communication between control centers and substations or remote stations. It is widely used in electric power transmission and distribution systems, especially for supervisory control and data acquisition over TCP/IP networks.
IEC-104 is based on the IEC 60870-5-101 application layer adapted for TCP/IP communication. It supports telemetry, telecontrol, event reporting, and status monitoring between a master station and a controlled station.
A typical IEC-104 system includes:
- Control center or master station
- Remote terminal unit or controlled station
- Substation gateway
- Telemetry and telecontrol data exchange
IEC-104 communication may include:
- Single-point information
- Double-point information
- Measured values
- Integrated totals
- Commands
- Time-tagged events
In NetSim Cyber, IEC-104 traffic can be used to study attacks on telecontrol and telemetry communication. The Threat Agent can emulate traffic manipulation, delay, replay, or packet loss in a controlled environment.
Typical IEC-104 attack scenarios include:
- Telemetry value modification
- Status indication manipulation
- Replay of previously valid messages
- Delay of telecontrol or telemetry messages
- Packet drop
- Time-tag manipulation
For power-system engineers, IEC-104 attack simulation is useful for evaluating control-center visibility, remote station communication behavior, and the impact of incorrect telemetry or delayed messages.
*Figure: IEC 60870-5-104 communication flow*
| Item | Description |
|---|---|
| Typical source | IEC-104 master or control center |
| Typical destination | IEC-104 slave, RTU, gateway, or controlled station |
| Common port | TCP 2404 |
| Common data | Telemetry, status indications, measured values, commands, time-tagged events |
| Example attacks | Telemetry manipulation, replay, delay, packet drop, timestamp modification |
| Typical application | Transmission/distribution SCADA testing, telecontrol cybersecurity, control-center visibility analysis |
*Table: IEC 60870-5-104 support in NetSim Cyber*

## Custom TCP/IP Protocol Support
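The IEC-104 scenarios above (replay, delay, packet drop, time-tag and telemetry manipulation) all leave traces in the APCI control field and in the CP56Time2a tag of time-tagged events, and the same kind of sequence and event-time checks apply to the DNP3 replay, delay and false-event scenarios in the previous section. The following added example, not NetSim Cyber code or a protocol library's API, parses I-format APDUs, checks N(S)/N(R) consistency and decodes a measured short float with time tag (type 36, M_ME_TF_1), comparing the tag with the arrival time. The common address, IOA, limits and frames are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone


def parse_apci(raw):
    """Return (format, N(S), N(R), ASDU bytes) for one APDU."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("bad start byte")
    if raw[1] != len(raw) - 2:  # APDU length counts the 4 control octets + ASDU
        raise ValueError("APDU length mismatch")
    c1, c2, c3, c4 = raw[2:6]
    if c1 & 0x01 == 0:  # I-format: numbered information transfer
        return "I", ((c2 << 8) | c1) >> 1, ((c4 << 8) | c3) >> 1, raw[6:]
    if c1 & 0x03 == 0x01:  # S-format: supervisory acknowledgement
        return "S", None, ((c4 << 8) | c3) >> 1, b""
    return "U", c1, None, b""  # U-format: STARTDT / STOPDT / TESTFR


def build_i_frame(ns, nr, asdu):
    """Constructed I-format APDU (test input only)."""
    return bytes([0x68, 4 + len(asdu)]) + struct.pack("<HH", ns << 1, nr << 1) + asdu


def encode_cp56(dt):
    ms = dt.second * 1000 + dt.microsecond // 1000
    return struct.pack("<HBBBBB", ms, dt.minute, dt.hour,
                       dt.day | (dt.isoweekday() << 5), dt.month, dt.year - 2000)


def decode_cp56(b):
    """CP56Time2a: ms(2) | IV+min | SU+hour | dow+day | month | year-2000 (UTC assumed)."""
    ms, mi, hr, day, mon, yr = struct.unpack("<HBBBBB", b[:7])
    return datetime(2000 + (yr & 0x7F), mon & 0x0F, day & 0x1F, hr & 0x1F, mi & 0x3F,
                    ms // 1000, (ms % 1000) * 1000, tzinfo=timezone.utc)


def build_m_me_tf(ca, ioa, value, ts):
    """Constructed type 36 ASDU: one object, COT 3 (spontaneous), 2-byte COT/CA, 3-byte IOA."""
    return (struct.pack("<BBHH", 36, 1, 3, ca) + ioa.to_bytes(3, "little")
            + struct.pack("<fB", value, 0) + encode_cp56(ts))


def parse_asdu(asdu):
    type_id, vsq, cot, ca = struct.unpack("<BBHH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    if type_id == 36:
        value, qds = struct.unpack("<fB", asdu[9:14])
        return {"type": 36, "ca": ca, "ioa": ioa, "value": value, "qds": qds,
                "time": decode_cp56(asdu[14:21])}
    return {"type": type_id, "ca": ca, "ioa": ioa}


class Iec104Monitor:
    """Watches both directions of one IEC-104 association; 'out' = station to centre."""

    def __init__(self, limits, max_skew_s=5.0):
        self.sent = {"in": 0, "out": 0}  # next expected N(S) per direction (wrap ignored)
        self.limits = limits             # IOA -> (low, high) plausible engineering range
        self.max_skew_s = max_skew_s

    def observe(self, direction, raw, now):
        """Return findings for one APDU seen in the given direction at time `now`."""
        findings = []
        kind, ns, nr, asdu = parse_apci(raw)
        peer = "in" if direction == "out" else "out"
        if nr is not None and nr > self.sent[peer]:
            findings.append(f"N(R)={nr} acknowledges frames never sent ({self.sent[peer]}): forged acknowledgement")
        if kind != "I":
            return findings
        expected = self.sent[direction]
        if ns < expected:
            findings.append(f"N(S)={ns} below expected {expected}: replayed I-frame")
            return findings
        if ns > expected:
            findings.append(f"N(S)={ns} above expected {expected}: {ns - expected} I-frame(s) lost")
        self.sent[direction] = ns + 1
        info = parse_asdu(asdu)
        if info["type"] == 36:
            skew = abs((now - info["time"]).total_seconds())
            if skew > self.max_skew_s:
                findings.append(f"IOA {info['ioa']}: time tag {skew:.0f} s from arrival: time-tag manipulation or delayed delivery")
            lo, hi = self.limits.get(info["ioa"], (None, None))
            if lo is not None and not lo <= info["value"] <= hi:
                findings.append(f"IOA {info['ioa']}: value {info['value']:.1f} outside plausible {lo}..{hi}")
        return findings


def run_demo():
    """Constructed station-to-centre capture; returns the findings per APDU in order."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    mon = Iec104Monitor(limits={1001: (200.0, 260.0)})  # IOA 1001: bus voltage, V (constructed)

    def frame(ns, nr, value, tag_offset_s):
        return build_i_frame(ns, nr, build_m_me_tf(1, 1001, value, t0 + timedelta(seconds=tag_offset_s)))

    capture = [
        (0, frame(0, 0, 230.0, 0)),
        (1, frame(1, 0, 231.0, 1)),
        (2, frame(1, 0, 231.0, 1)),       # replayed copy of the previous APDU
        (3, frame(2, 0, 400.0, -3600)),   # implausible value carrying an hour-old time tag
        (4, frame(4, 0, 230.5, 4)),       # N(S)=3 never arrived
        (5, frame(5, 7, 230.5, 5)),       # acknowledges 7 frames the master never sent
    ]
    return [mon.observe("out", raw, t0 + timedelta(seconds=off)) for off, raw in capture]


if __name__ == "__main__":
    for step, findings in enumerate(run_demo()):
        print(step, findings or "ok")
```

Sequence numbers are 15-bit and wrap at 32767; a production monitor also needs the k/w window and the t1..t3 timers of the association, which is where message delay shows up as missing acknowledgements.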
In addition to built-in support for standard power-system protocols, NetSim Cyber can also support custom TCP/IP-based application protocols. This capability is useful when users want to test proprietary protocol traffic, research prototypes, laboratory tools, or application-specific communication formats.
Custom protocol support allows users to define payload modification logic using user scripts. The user can inspect packet payload bytes, identify fields of interest, apply custom transformations, and return the modified payload for forwarding through the NetSim Cyber Threat Agent.
This is useful for cases where:
- The protocol is proprietary or not included in the built-in protocol list.
- The user wants to test a research protocol or experimental communication format.
- The payload structure is known to the user.
- The user wants to implement a custom false data injection, replay, delay, or payload modification experiment.
- The user wants to extend NetSim Cyber for a specific laboratory or product validation use case.

Custom TCP/IP protocol support is typically implemented through the `payload_modifier_custom.py` file in the Workspace `PythonUserCode` folder. Users can edit this file to define how payload data should be modified during the simulation.
A custom protocol workflow usually includes:
1. Identify the source and destination applications.
2. Configure the application traffic filter in NetSim Cyber.
3. Select or attach the custom payload modifier.
4. Define the parsing and modification logic in the custom script.
5. Run baseline traffic without attack.
6. Enable the custom attack.
7. Verify the effect at the receiving application.

*Figure: Custom TCP/IP protocol attack workflow*
| Item | Description |
|---|---|
| Supported traffic | TCP/IP-based application traffic |
| Modifier file | payload_modifier_custom.py |
| User responsibility | Define payload parsing and modification logic |
| Typical use case | Proprietary protocol testing, research protocols, laboratory experiments |
| Example attacks | Custom field modification, replay, delay, packet drop, payload transformation |
| Requirement | User must understand the payload structure of the target protocol |
*Table: Custom TCP/IP support*

## Summary
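The last three steps of the workflow (baseline run, attack run, verification at the receiver) need a receiver-side parser for the custom payload, which is the part the user must supply. The following is an added example for that verification step; it is not NetSim Cyber code and does not show the `payload_modifier_custom.py` interface, which this page does not document. The payload format (a `LAB1` marker, sequence number, timestamp, three float32 values and a CRC-32 trailer, with an optional HMAC tag) and the shared key are constructed for the demonstration; the comparison reports which fields of each baseline frame were altered, and the final function shows why a CRC alone does not settle the question.

```python
import hashlib
import hmac
import struct
import zlib

MAGIC = b"LAB1"           # constructed marker of the hypothetical custom protocol
KEY = b"lab-shared-key"   # constructed shared key for the optional HMAC trailer
TAG_LEN = 16


def build_payload(seq, ts, values, key=None):
    """Constructed payload: MAGIC | u16 seq | u32 ts | 3 x f32 | CRC-32 [| HMAC tag]."""
    body = MAGIC + struct.pack("<HI", seq, ts) + struct.pack("<3f", *values)
    body += struct.pack("<I", zlib.crc32(body))
    if key is not None:
        body += hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body


def parse_payload(raw, key=None):
    """Verify the trailer(s) and decode the fields; raise ValueError on any integrity failure."""
    if key is not None:
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("HMAC mismatch: payload altered in transit")
    else:
        body = raw
    if body[:4] != MAGIC:
        raise ValueError("bad magic")
    if zlib.crc32(body[:-4]) != struct.unpack("<I", body[-4:])[0]:
        raise ValueError("CRC mismatch: payload corrupted")
    seq, ts = struct.unpack("<HI", body[4:10])
    return {"seq": seq, "ts": ts, "values": struct.unpack("<3f", body[10:22])}


def compare_runs(baseline_frames, observed_frames):
    """Report how each frame of the attack run differs from the baseline frame with the same seq."""
    baseline = {p["seq"]: p for p in map(parse_payload, baseline_frames)}
    report = []
    for i, raw in enumerate(observed_frames):
        try:
            p = parse_payload(raw)
        except ValueError as exc:
            report.append(f"frame {i}: {exc}")
            continue
        ref = baseline.get(p["seq"])
        if ref is None:
            report.append(f"frame {i}: seq {p['seq']} not in baseline: injected frame")
            continue
        for field in ("ts", "values"):
            if p[field] != ref[field]:
                report.append(f"seq {p['seq']}: {field} changed {ref[field]} -> {p[field]}")
    return report


def run_comparison():
    """Constructed baseline run versus an attack run with one rewritten and one corrupted frame."""
    readings = [(230.0, 50.0, 1.0), (231.0, 50.0, 1.0), (229.5, 49.98, 1.0)]
    baseline = [build_payload(seq, 1000 + seq, v) for seq, v in enumerate(readings, 1)]
    attacked = list(baseline)
    attacked[1] = build_payload(2, 1002, (250.0, 50.0, 1.0))  # value rewritten, CRC recomputed
    corrupted = bytearray(baseline[2])
    corrupted[10] ^= 0x40                                     # bit flip, CRC left as it was
    attacked[2] = bytes(corrupted)
    return compare_runs(baseline, attacked)


def hmac_catches_recomputed_crc():
    """True when a frame with a recomputed CRC passes the CRC check but fails the keyed tag."""
    genuine = build_payload(7, 2000, (230.0, 50.0, 1.0), KEY)
    # Tampering model: a value is rewritten and the CRC recomputed, but the tag
    # cannot be recomputed without KEY, so the original tag is carried over.
    forged = build_payload(7, 2000, (250.0, 50.0, 1.0)) + genuine[-TAG_LEN:]
    crc_passes = parse_payload(forged[:-TAG_LEN])["values"][0] == 250.0
    try:
        parse_payload(forged, KEY)
    except ValueError:
        return crc_passes
    return False


if __name__ == "__main__":
    for line in run_comparison():
        print(line)
    print("HMAC detects CRC-recomputed tampering:", hmac_catches_recomputed_crc())
```

A CRC answers "was this frame damaged", not "was this frame changed on purpose": anyone who knows the payload structure can recompute it, so when the receiving application is expected to notice manipulation, the verification should rest on a keyed tag or on plausibility checks of the decoded fields rather than on the checksum.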
| Protocol | Communication Model | Typical Power-System Area | Main Cybersecurity Concern |
|---|---|---|---|
| IEEE C37.118 | PMU to PDC streaming | Wide-area monitoring | False synchrophasor data, timestamp manipulation |
| IEC 61850 GOOSE / R-GOOSE | Publisher-subscriber | Substation automation and protection | Replay, spoofing, delayed event messages |
| IEC 61850 MMS | Client-server | Substation monitoring and control | Unauthorized or manipulated data access |
| IEC 61850 SV | Publisher-subscriber | Digital substations | Measurement manipulation or packet loss |
| Modbus TCP | Client-server | Industrial control and SCADA | Register manipulation and false process values |
| DNP3 | Master-outstation | Utility SCADA | Telemetry and event manipulation |
| IEC 60870-5-104 | Master-controlled station | Control-center telecontrol | Telemetry, command, and time-tag manipulation |
| Custom TCP/IP | User-defined | Laboratory or proprietary systems | Payload-specific manipulation |
*Table: Protocol comparison summary*