Using the Protocol-Specific Attacker UIs
Purpose and Scope
This section explains how to operate the protocol-specific attacker interfaces supplied with NetSim Cyber for IEEE C37.118 Synchrophasor, Modbus TCP, IEEE 1815/DNP3, and IEC 60870-5-104. It covers the available attack workspaces, target discovery, attack activation, and safe shutdown.
The procedures assume that the correct simulator is running, protocol traffic passes through NetSim Cyber, and the attacker application matches the protocol used by the experiment.
Synchrophasor Attacker
The IEEE C37.118-2005 and IEEE C37.118.2-2011 attacker windows use the same layout and operating model. Both provide Automatic, Manual, and Replay tabs. The instructions below apply to both profiles.
Configuration Discovery
Station and phasor targeting depends on configuration information observed from the PMU-PDC stream. If the UI reports that no phasor configuration is loaded, generate or request a configuration frame while NetSim Cyber is in the communication path, then reload the available targets.
Automatic Mode

Synchrophasor Automatic tab showing the attack categories, attack list, and controls for Increment Bias.
| Attack | Purpose | Applicable target | Required UI inputs |
|---|---|---|---|
| Increment Bias | Raise selected phasor magnitudes. | Station/phasor | Attack Value, Window Size |
| Decrement Bias | Lower selected phasor magnitudes. | Station/phasor | Attack Value, Window Size |
| Pulse / Surge | Apply periodic magnitude surges. | Station/phasor | Attack Value |
| Ramp / Drift | Change magnitudes progressively. | Station/phasor | Attack Value, Direction, Window Size, optional Max Offset |
| Noise / Jitter | Add random measurement variation. | Station/phasor | Noise Type, Attack Value, probability controls |
| Angle Bias | Offset the selected phasor angle. | Station/phasor | Attack Value in degrees |
| Frequency Override | Replace the frequency field. | Selected stream | Attack Value in Hz |
| Time Sync (SOC) | Shift the whole-second timestamp. | Selected stream | Attack Value in seconds |
| Fine Time Shift | Shift the sub-second timestamp. | Selected stream | Attack Value in microseconds |
| STAT Sync Error | Set the synchronization-error status. | Selected stream | Bit Value |
| STAT Data Modified | Set the data-modified status. | Selected stream | Bit Value |
| STAT Config Changed | Set the configuration-changed status. | Selected stream | Bit Value |
| Time Quality Corruption (2011 only) | Change the FRACSEC time-quality value. | Selected 2011 stream | Attack Value from 0 to 15 |

Packet Attack Probability is available for eligible automatic attacks. Target Station and Target Phasor become usable after the configuration frame has been observed.

1. Select a category and attack.
2. Choose the target station and phasor when the selected attack supports targeting.
3. Set the attack value and any attack-specific controls.
4. For noise attacks, select Proportional Range, Gaussian, Uniform, or Spike behavior.
5. Set packet attack probability, window size, ramp direction, or maximum offset when those controls apply.
6. Review Config Preview and select Start Attack.
7. Use Modify Attack to update an active configuration or Stop Attack to disable it.
Manual Mode

Synchrophasor Manual tab with the phasor list loaded from the configuration frame.

1. Select Reload Phasors if the target list is empty or configuration data has changed.
2. Enable the required phasor rows.
3. Enter replacement magnitude and angle values.
4. Optionally enter Frequency Override and ROCOF Override values.
5. Select Apply Manual Values.
6. Select Clear Manual when the test is complete.
Replay Mode

Synchrophasor Replay tab with recording, CSV selection, replay, and stop controls.
Replay mode records live phasor values or replays values from a CSV file. Replay data can include magnitude, angle in degrees, frequency, and ROCOF.

1. Select the replay CSV path when using a prepared dataset, or start recording live values.
2. Allow enough normal data to be recorded for the intended test.
3. Start replay and monitor the Replay Preview and runtime status.
4. Select Stop when the scenario is complete.
Profile Difference
The 2005 and 2011 attacker UIs use the same workflow. The 2011 profile additionally provides Time Quality Corruption in the Time category.
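
For validating detection during an experiment, the following added example (not part of NetSim Cyber) checks the header fields that the Time and STAT attacks alter, as seen in a stream captured on the PDC side. The header layout and STAT bit positions follow IEEE C37.118.2-2011; the function names, the TIME_BASE of 1,000,000, the 30 frames/s rate, and the sample frames are assumptions constructed for illustration.

```python
import struct

# STAT bit positions as defined for the IEEE C37.118.2-2011 data frame.
STAT_FLAGS = {13: "pmu_sync_error", 10: "config_changed", 9: "data_modified"}

def parse_header(frame):
    """Return (soc, fraction, time_quality, stat) for a data frame."""
    sync, _size, _idcode, soc, fracsec = struct.unpack(">HHHII", frame[:14])
    if sync >> 8 != 0xAA or (sync >> 4) & 0x7 != 0:    # frame type 0 = data
        raise ValueError("not a C37.118 data frame")
    (stat,) = struct.unpack(">H", frame[14:16])         # STAT of first PMU block
    return soc, fracsec & 0xFFFFFF, (fracsec >> 24) & 0x0F, stat

def check_stream(frames, time_base, frames_per_sec, tolerance=0.5):
    """Return (frame_index, finding) pairs for timing and STAT anomalies."""
    findings, prev = [], None
    period = 1.0 / frames_per_sec
    for i, frame in enumerate(frames):
        soc, frac, tq, stat = parse_header(frame)
        if prev is not None:
            # Compare the frame-to-frame time step with the reporting period.
            step = (soc - prev[0]) + (frac - prev[1]) / time_base
            if abs(step - period) > tolerance * period:
                findings.append((i, f"timestamp step {step:+.6f}s"))
        if tq != 0:                                     # 0 = clock locked
            findings.append((i, f"time quality code {tq}"))
        findings += [(i, name) for bit, name in STAT_FLAGS.items()
                     if stat >> bit & 1]
        prev = (soc, frac)
    return findings

def sample_frame(soc, frac, tq=0, stat=0):
    """Constructed test input: header plus first STAT word, no payload or CHK."""
    return struct.pack(">HHHIIH", 0xAA02, 16, 7, soc, (tq << 24) | frac, stat)

# Constructed stream at 30 frames/s with TIME_BASE 1,000,000 (assumed values).
SAMPLE = [
    sample_frame(1700000000, 0),
    sample_frame(1700000000, 33333),
    sample_frame(1700000005, 66666),                    # whole-second jump
    sample_frame(1700000005, 100000, tq=15, stat=0x2200),
]

if __name__ == "__main__":
    for index, finding in check_stream(SAMPLE, 1_000_000, 30):
        print(index, finding)
```

In a real capture, take TIME_BASE and the reporting rate from the configuration frame rather than fixing them.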
Modbus TCP Attacker
The Modbus TCP attacker modifies selected slave responses after supported master requests. It provides Automatic, Manual, and Replay tabs.
Automatic Mode

Modbus TCP Automatic tab showing Increment Bias and its target and parameter controls.
| Attack | Purpose | Applicable target | Required UI inputs |
|---|---|---|---|
| Increment Bias | Raise values relative to their observed range. | FC03/FC04 registers | Bias Level, Window Size |
| Decrement Bias | Lower values relative to their observed range. | FC03/FC04 registers | Bias Level, Window Size |
| Offset Bias | Add a fixed signed value. | FC03/FC04 registers | Offset Value |
| Ramp / Drift | Change values progressively. | FC03/FC04 registers | Drift Rate, Direction, Window Size, optional Max Offset |
| Noise / Jitter | Add configurable random variation. | FC03/FC04 registers | Noise Type, noise value, probability controls |
| FDI (Overwrite Value) | Replace values with a fixed number. | FC03/FC04 registers | Injected Value, encoding, byte order |
| Bit Force ON | Force selected bits to logic 1. | FC01/FC02 bits | Target scope/signal |
| Bit Force OFF | Force selected bits to logic 0. | FC01/FC02 bits | Target scope/signal |
| Bit Toggle | Invert selected bits across responses. | FC01/FC02 bits | Target scope/signal |

1. Select an attack from the Attack Catalog.
2. Choose the target scope and, when available, a discovered target signal.
3. Enter the attack value and attack-specific parameters.
4. For register attacks, select FLOAT32 or UINT16 encoding and the required byte order: ABCD, CDAB, BADC, or DCBA.
5. Review Config Preview and select Start Attack.
6. Use Apply Changes to update an active attack or Stop Attack to disable it.
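
The encoding and byte-order selection must match what the monitored device actually uses. The following added example (not NetSim Cyber code) shows how one FLOAT32 value maps onto two 16-bit registers under each of the four byte orders, and how the same register pair reads when decoded with the wrong one; the function names and the sample value 230.0 are illustrative assumptions.

```python
import struct

# Wire position -> index into the big-endian IEEE 754 bytes "A B C D".
# Modbus transmits each 16-bit register high byte first.
BYTE_ORDERS = {
    "ABCD": (0, 1, 2, 3),  # big-endian, high word first
    "CDAB": (2, 3, 0, 1),  # words swapped
    "BADC": (1, 0, 3, 2),  # bytes swapped within each word
    "DCBA": (3, 2, 1, 0),  # fully reversed (little-endian)
}

def float_to_registers(value, order):
    """Encode a FLOAT32 as two 16-bit register values for the given order."""
    raw = struct.pack(">f", value)                    # canonical A B C D
    wire = bytes(raw[i] for i in BYTE_ORDERS[order])
    return struct.unpack(">HH", wire)

def registers_to_float(regs, order):
    """Decode two consecutive 16-bit registers as FLOAT32 under an order."""
    wire = struct.pack(">HH", *regs)
    raw = bytearray(4)
    for wire_pos, canon_pos in enumerate(BYTE_ORDERS[order]):
        raw[canon_pos] = wire[wire_pos]               # undo the permutation
    return struct.unpack(">f", bytes(raw))[0]

def decode_all_orders(regs):
    """Show how one register pair reads under every byte order."""
    return {order: registers_to_float(regs, order) for order in BYTE_ORDERS}

if __name__ == "__main__":
    # Constructed sample: 230.0 encoded as ABCD, then read back four ways.
    regs = float_to_registers(230.0, "ABCD")
    print([hex(r) for r in regs])
    for order, value in decode_all_orders(regs).items():
        print(order, value)
```

Only the matching order returns 230.0; the other three decode to values near zero, which is worth ruling out before concluding that a configuration is inactive.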
Manual Mode

Modbus TCP Manual tab with an observed FC04 address range and editable register rows.
Manual mode targets addresses discovered from valid Modbus read traffic. It supports FC01, FC02, FC03, and FC04 response modification.

- For FC03 and FC04, enable the required rows and enter replacement register values.
- For FC01 and FC02, enable the required rows and choose ON, OFF, or TOGGLE.
- Use Select All or Clear to manage the visible address rows.
- If no observed range is available, first generate normal master-slave read traffic.
Replay Mode

Modbus TCP Replay tab showing the recording and replay workflow.
Replay mode records supported Modbus read responses and replays the recorded sequence.

1. Choose all supported read responses or a specific function code: FC01, FC02, FC03, or FC04.
2. Select Start Recording while the required Modbus traffic is active.
3. Stop recording after sufficient responses have been captured.
4. Select Start Replay to use the recorded response sequence.
5. Select Stop Replay or Reset when the scenario is complete.
Troubleshooting
| Symptom | Likely cause | Operator action |
|---|---|---|
| No Modbus address range | No supported read traffic observed | Run normal FC01-FC04 traffic, then reopen or refresh Manual mode. |
| No phasor targets | CFG information not observed | Generate or request CFG while NetSim Cyber is in the PMU-PDC path, then reload phasors. |
| Attack has no visible effect | Wrong target, encoding, profile, or inactive configuration | Check target selection, preview, encoding/profile, and runtime status. |
| Unexpected values remain | A previous mode is still active | Stop the attack or replay, clear manual values, and confirm inactive status. |