Simulating attacks on Cyber Physical Systems (CPS) using NetSim

Electric power grid and cyber physical systems

The electric power grid (EPG) or smart grid is a critical infrastructure at high risk of cyber-attacks, such as False Data Injection attacks, Denial-of-Service (DoS) attacks on a critical asset, Malicious Intrusions etc. To secure the smart grid, we must integrate cyber security. The backbone of the electric grid are Cyber-physical systems (CPS) - that employ communication and computational resources for operation and interaction with the physical environment. Typical CPS components such as automated control systems, remote terminal units, programmable logic controllers (PLCs), intelligent electronic devices (IEDs), etc., are all connected to one another over a communication network. power system security through cyber-physical security (CPS).

Important protocols for which attacks can be simulated in NetSim

IEEE C37.118 protocol (Synchrophasor Protocol)
Generic Object-Oriented Substation Events (GOOSE), a subset of IEC 61850
DNP3 (over TCP/IP)
Modbus (over TCP/IP)
IEC 60870-5-104 (over TCP/IP)

Real Time Power System Simulators

Real-time power system simulators (RT-PSS) are computer-based systems that can simulate the behavior of a power system in real time. This means that the simulator can calculate the response of the power system to disturbances and changes in operating conditions as quickly as they occur in the real world. RT-PSS are used for a variety of purposes, including Cyber Physical attacks.

RT-PSS are typically used in research laboratories and utility control rooms. They can be very valuable for improving the reliability and efficiency of power grids.

Here are some examples of real-time power system simulators that can be interfaced with NetSim:

OPAL-RT
RTDS
HYPERSIM
PSCAD
MATLAB

This model depicts the simplest form of a smart grid attack, emulated with a PMU, PDC, and NetSim. Real traffic from the PMU is mapped to NetSim's virtual PMU, flows through a malicious node, and is mapped back to the destination after the attack.

In the Malicious Node, the SYNCHROPHASOR, DNP3, GOOSE Packets can be

Visualized in the Wireshark
Modify the data
Perform different cyber-attacks

Cyber physical test bed: Why NetSim?

The security of such CPSs can be improved by using a testbed to replicate and understand power systems operating conditions, discover vulnerabilities, develop security countermeasures, and evaluate grid operation under fault-induced or maliciously constructed scenarios.

Testbeds can be hardware based or software based. The drawbacks of hardware-based testbeds are:

They are expensive.
Once set up, expansion or modification is time consuming and costly. Scaling up is nearly impossible.
Safety needs to be factored in

To overcome these issues, high fidelity simulation tools are combined to form software-based CPS test beds. Such testbeds provide flexibility in designing, modifying, and scaling the systems under test. They can also serve as digital twins.

The simplest of such a simulation tools-based testbed comprises of a power system simulator and a network simulator. The former models all the power electronics devices, power transmission and distribution while the latter models the communications network. Typical power system simulators such as MATLAB/Simulink or RTDS can be interfaced with NetSim to run in real-time.

Attack Methodology

In NetSim for CPS, several types of network attacks can be simulated to assess the security of the Cyber-Physical System. Here are some common network attack types that can be performed:

Denial-of-Service (DoS) Attack
Distributed Denial-of-Service (DDoS) Attack
Man-in-the-Middle (MitM) Attack
Packet Sniffing
Network Traffic Manipulation

Simulation Setup

To simulate a cyber-physical attack scenario with the NetSim environment and the RTDS simulator, including Fault Detection, Isolation, and Recovery (FDIA), the following configuration steps can be followed:

Setting up NetSim Environment
Integrating with Real time Powe system Simulator
Configuring Cyber-Physical Attack Scenario
1. Define Attack Objectives
2. Implement Attack Mechanisms
3. Monitor and Log Data
4. Machine Learning and Analytics Tools

Example: False Data Injection Attack

Steps involved in performing attack:

Study the packet structure and identify the packet data section:
1. Analyze the packet format and understand its structure.
2. Identify the specific section within the packet where the data is stored.
Select the device in NetSim where you want to perform the attack:
1. Choose the target device within the simulated network where you want to inject the false data.
Write a program to modify the data portion in the packet:
1. Develop a program or script that allows you to modify the data section of the packet.
2. This program should provide the functionality to change the data in a controlled manner.
Recalculate the checksum of the modified packet:
1. Identify the checksum algorithm used for checksum calculations:
  1. Determine the algorithm used to calculate the checksum for the packet.
2. Implement the algorithm and append the new recalculated checksum in the packet header:
  1. Calculate the new checksum based on the modified data.
  2. Update the checksum field in the packet header with the newly calculated value.
Perform the simulation in NetSim and observe the results using Wireshark:
1. Run the simulation in NetSim with the modified packet.
2. Monitor the network traffic using a packet capture tool like Wireshark.
3. Analyze the captured packets to observe the impact of the false data injection attack.

The SYNCHROPHASOR Packet

A Synchrophasor packet is a data packet that contains measurements of electrical quantities in a power system, such as voltage, current, and frequency.
Synchrophasor packets are used to transmit real-time measurements of the power system to control centers and other applications.
The IEEE C37.118 standard defines the format of synchrophasor packets.
Synchrophasor technology is a key enabler for smart grids. It provides real-time information about the power system that can be used to improve the reliability, efficiency, and security of the grid.

Summary

Simulating cyber-physical attacks, including Fault Detection, Isolation, and Recovery (FDIR), in NetSim using the RTDS simulator holds great significance for several reasons:

Vulnerability Assessment
Realistic Evaluation
Defense Mechanism Testing
Risk Mitigation
Innovation and Research

30-day evaluation and lab set-up

Please contact us for a free 30-day evaluation of NetSim. NetSim is an IP based, data plane, flow-through network emulator which means NetSim emulates the network for the data flowing between the client(s) and server(s). A typical lab setup would be as follows

A physical server with multiple VMs (or Multiple PCs) running the power system simulator (and/or other applications)
A dedicated physical system or VM running NetSim Emulator (Win 10 / Win 11 OS)
Network connectivity between the server / PCs and the NetSim system, preferably through a L2 switch.
Set the gateway in the server / PCs to the NetSim Emulator system
Create a 'virtual network' in NetSim. Map real devices to virtual devices (done inside NetSim)
Run the power system simulator (and/or other applications)

Traffic will now 'flow through' NetSim and encounter network impairments - such as delay, loss, error, attacks, etc. - depending on the settings in the virtual network created. The network parameters can be modified for each run and various 'what-if' scenarios analyzed.

NetSim provides an interface with Wireshark at all the 'virtual nodes' within the 'virtual network'; packets can be captured and analyzed within the network. As the packet flows through this virtual network various kinds of attacks can be launched. These include packet drops, modification of packet headers, modification of packet payload, creation and injection of malicious packets and so on.

Useful Links

Examples

False Data Injection Attack