Simulation of Man in the Middle Attack On Smart Grid Testbed
United States Military Academy, USMA Digital Commons, West Point Research Papers, 4-2019
Jared J. Fritz
United States Military Academy, Jared.Fritz@westpoint.edu
Joseph Sagisi
United States Military Academy, Joseph.Sagisi@westpoint.edu
John James
United States Military Academy, john.james@westpoint.edu
Aaron St. Leger
United States Military Academy, aaron.stleger@westpoint.edu
Kyle King
United States Military Academy, kyle.king@westpoint.edu
Recommended Citation: Jared J. Fritz, Joseph Sagisi, John James, Aaron St. Leger, Kyle King, and Kate J. Duncan, "Simulation of Man in the Middle Attack on Smart Grid Testbed," Proceedings of the 2019 IEEE SoutheastCon, Huntsville, AL, April 2019.
Authors: Jared J. Fritz, Joseph Sagisi, John James, Aaron St. Leger, Kyle King, and Katherine Duncan
This article is available at USMA Digital Commons: https://digitalcommons.usmalibrary.org/usma_research_papers/135
Simulation of Man in the Middle Attack On Smart Grid Testbed
Jared J. Fritz, Joseph Sagisi, John James, Aaron St. Leger, Kyle King, and Kate J. Duncan
Electrical Engineering and Computer Science, United States Military Academy, West Point, NY
jared.fritz@westpoint.edu
Abstract—Over the past decade, the frequency of cyber attacks against power grids has steadily increased, requiring researchers to find and patch vulnerabilities before they can be exploited. Our research introduces the prototype of a man-in-the-middle attack to be implemented on a microgrid emulator of a smart grid. We present a method of violating the integrity and authentication of packets that use the IEEE Synchrophasor Protocol in a controlled environment, but this same approach could be used on any other protocol that lacks the proper overhead to ensure the integrity and authenticity of packets. In future research, we plan to implement and test the attack on the previously mentioned smart grid testbed in order to assess the attack's feasibility and tangible effects on Wide Area Monitoring and Control applications, as well as propose possible countermeasures. For this paper, we developed a working simulation of our intended attack using the software ModelSim 10.4. The attack will modify network packet data coming from a Schweitzer Engineering Labs (SEL) Phasor Measurement Unit (PMU) hardware sensor, which provides a stream of precise timing values associated with current and voltage values, as these measured values are en route to the Open Phasor Data Concentrator (OpenPDC) application running on a Windows server. Our simulation provides and validates all of the necessary code to program a Field Programmable Gate Array and execute our attack on the testbed in future research.
Index Terms—Man-in-the-Middle Attacks, Phasor Measurement Unit, Security, Smart Grid, Supervisory Control and Data Acquisition, Field Programmable Gate Array
I. INTRODUCTION
The integration of information age technology into industrial controls has revolutionized many of the essential systems that allow our society to function, from waste treatment to public transportation. The speed and accuracy of the data that can be collected from this integration opens the door to optimization and automation, as well as increased safety. Unfortunately, similar to the beginning of the Internet, this technology was implemented with a focus on utility at the expense of security. This fact was brought to the global stage in 2010 by the destruction of Iran's nuclear centrifuges at the hands of a computer virus known as Stuxnet [1]. Since then, critical infrastructure protection has been an essential part of any nation's cyber security policy.
One of the most essential components of our critical infrastructure is the power grid. Under President Obama, the United States began implementing power grids with modern digital communication and computation capabilities, commonly known as smart power grids or smart grids [2]. These smart grids have caused considerable concern in the cyber security community. In 2007, Idaho National Labs demonstrated, in what is known as the Aurora experiment, that it is possible to physically destroy a generator with a staged cyber attack [1]. Since then, we have seen several real examples of cyber attacks on power grids. On Dec. 23, 2015, hundreds of thousands of people in and around Ukraine's capital city were subjected to a six-hour blackout as the result of a widespread hack of regional electric power distribution companies. The hack occurred very soon after pro-Ukrainian activist groups succeeded in cutting off power to parts of Crimea, suggesting that the hacks may have been Russia's retaliation. Experts agree, however, that the results could have been much worse, potentially even replicating the Aurora experiment [3]. One might question the wisdom of implementing this technology at all, considering the risks it creates. However, the benefits of smart grids, such as increased safety and efficiency, can outweigh these risks, as long as we approach the problem from a security mindset in order to anticipate and counter threats before they can even occur.
One such cyber security threat is the man-in-the-middle attack. This attack is often described as a conversation between Alice and Bob, with Eve as an eavesdropper. Eve convinces Alice that she (Eve) is Bob, and then she convinces Bob that she is Alice. This is a particularly appealing attack to use on smart grids due to two vulnerabilities that are inherent in smart grid design. The first vulnerability is the physical distance between Phasor Measurement Units (PMUs) and the Phasor Data Concentrator (PDC). This distance is inherent to a smart grid's Wide Area Monitoring and Control (WAMC) design, the idea being that the wider the net cast by the monitoring system, the more complete the PDC's picture of the grid, and the more finely tuned one's control over the grid can be. However, the distance between PMUs and the PDC introduces latency, making it difficult to detect when packets have been intercepted on their way to their destinations. The second inherent vulnerability is the speed at which data must be collected by the PDC. The standard for the best smart grids is real time measurement, or 60 Hz [4]. The speed at which these readings must be taken and sent leaves little time for encryption, authentication, or integrity checks. As a result, most data is sent in plain text with only basic error checks [5]. A man-in-the-middle attack is perfectly suited to take advantage of these vulnerabilities. Our paper contributes to the safety of the grid by introducing and testing a design for a Field Programmable Gate Array (FPGA) implementation of a man-in-the-middle attack in order to study the impacts and research countermeasures on WAMC systems.
U.S. Government work not protected by U.S. copyright
The rest of the paper is organized as follows. Section II will cover related works and some of the required background knowledge for our research. In Section III, we will describe the setup and implementation of our simulations. Section IV will present the results of these simulations, and we will summarize these results in Section V.
II. BACKGROUND
A. Related Work
[6] proposed using a Supervisory Control And Data Acquisition (SCADA) testbed to investigate an Address Resolution Protocol (ARP) spoofing-based man-in-the-middle attack. [6] did a great job of outlining other testbeds that currently exist, as well as summarizing the various threats to power grids. However, [6] is a proposal, so little practical application is shown.
[7] analyzed the vulnerabilities of General Packet Radio Service (GPRS)-based SCADA systems to denial of service and message spoofing attacks. [7] also presented simulated data outlining the potential consequences of such an attack. [7] showed, via simulation, that two of their three proposed attacks on GPRS not only worked but also had the potential to cause serious damage. The final result was a combination of attacks. The first step was spoofing a message to open a circuit breaker, then telling the control center everything is fine, and finally jamming the signals from the control center to the SCADA system controlling the circuit breaker. A similar attack on the timing of other, non-GPRS based SCADA systems would be a useful extension of [7].
[8] investigated the vulnerability of the IEC 60870-5-104 Protocol for telecontrol communications. [8] covered man-in-the-middle attacks, as well as capture and replay attacks. Attacks are performed on a simulation first, then in a comprehensive testbed environment. [8] is a very detailed and practical paper, but one that can be expanded on by analyzing other protocols using a similar method, and by presenting methods of prevention.
Finally, [9] used the same testbed on which our simulation and future work are based to create an Anomaly and Fault Generator. [9] used this generator to test the testbed's anomaly detection and protection capabilities. This is similar to our research in that both approaches result in anomalous data being sent to the PDC, but our attack takes place at the network layer, whereas the attack in [9] takes place at the sensor level.
The main difference between these papers and our work is the potential for practical application. The main focus of existing research has been on simulating attacks on various communication protocols, but very few are able to test their research on actual equipment in order to analyze its effects. The main focus of this research is to simulate an attack with the express goal of being able to transition to a physical hardware/communication network in order to develop resilient WAMC measures in a realistic scenario. Additionally, our research still differs from the few papers that have also had the advantage of using real hardware because of our focus on creating a method of exploiting a vulnerable network protocol that could be reapplied to any other protocol that similarly lacks basic integrity and authentication checks.
B. IEEE Synchrophasor Protocol
The PMU we used in our research was an SEL451, which uses the IEEE C37.118 Protocol, otherwise known as the IEEE Synchrophasor Protocol, to communicate with the OpenPDC server. The IEEE Synchrophasor Protocol standard was last released in 2005 and was developed for systems measuring phasor quantities in order to maximize the amount of information that can be sent in relatively small packets to the PDC. A key feature of this protocol is the use of four different types of frames: configuration, data, header, and command. It is important to note that correct interpretation of data frames requires an initial configuration frame. The configuration frame is sent at the start-up of an IEEE Synchrophasor Protocol communications session so that the receiving device can properly interpret the following data frames. This means that any device inserted as a man-in-the-middle would need to intercept this configuration frame in order to properly interpret the intercepted data frame packets. This could be done by forcing the communications session between the two devices to fail by dropping all packets until the PMU attempts to reset the data stream. However, this may alert monitoring systems to the device's presence. An alternative method may be including logic to determine the configuration of the data frames through brute force, attempting to interpret data frames using all possible configurations until one of the configurations produces an expected result. For the purpose of our research, we captured the configuration frame using Wireshark and used it to customize our simulated device to interpret and modify packets, meaning that our attack will only work on devices using the IEEE Synchrophasor Protocol with the same configuration.
Fig. 1 shows more details on the composition of data frames in C37.118. Two- and 4-byte words are transmitted in big-endian order. For the purpose of our paper, the focus will be on the timestamp (SOC + FRACSEC), DATA, and CHK bytes.
Fig. 1: Order of C37.118 Data Frame Transmission [10]
The timestamp is 8 bytes and describes the time of the phasor measurement down to a fraction of a second, as well as its estimated accuracy. Further analysis of the timestamp is beyond the scope of our paper. The PHASORS block contains single- or 3-phase positive, negative, or zero sequence values. It may be 8 or 16 bytes. The check word (CHK) is a checksum of the preceding bits using the Cyclic Redundancy Check defined by the Consultative Committee for International Telephony (CRC-CCITT). This CRC-CCITT uses the generating polynomial shown in Equation 1:

$$\mathrm{CHK} = X^{16} + X^{12} + X^{5} + 1 \tag{1}$$

with an initial value of -1 (0xffff) and no final mask [10].
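As an added example (not code from the paper), the following Python parses a C37.118 data frame laid out as described above and verifies CHK with the CRC-CCITT of Equation 1. The field widths, the 0xAA01 SYNC word and a TIME_BASE of 1,000,000 are assumptions standing in for what the configuration frame would supply, and the sample frame is constructed.

```python
import struct

# Frame layout assumed for this example (in C37.118 these widths come from the
# configuration frame, which is why a parser must see that frame first): one
# PMU, phasors as 16-bit signed rectangular pairs (4 bytes each), FREQ and
# DFREQ as 16-bit integers, no ANALOG or DIGITAL words, TIME_BASE 1,000,000.
SYNC_DATA_V1 = 0xAA01      # 0xAA, then frame type 0 (data) and version 1
TIME_BASE = 1_000_000      # assumption: FRACSEC counts microseconds
HEADER = ">HHHIIH"         # SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, STAT
HEADER_LEN = struct.calcsize(HEADER)   # 16 bytes

def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as specified for CHK: generator polynomial
    X^16 + X^12 + X^5 + 1 (0x1021), initial value 0xFFFF, no final mask."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc <<= 1
            if crc & 0x10000:          # bit shifted out: subtract the polynomial
                crc ^= 0x11021
    return crc

def build_frame(idcode, soc, fracsec, phasors, freq=0, dfreq=0, stat=0):
    """Assemble one data frame with a valid CHK (a constructed sample, in the
    role of the paper's packet generator). phasors: list of (real, imag)."""
    body = struct.pack(HEADER, SYNC_DATA_V1, 0, idcode, soc, fracsec, stat)
    body += b"".join(struct.pack(">hh", re, im) for re, im in phasors)
    body += struct.pack(">hh", freq, dfreq)
    framesize = len(body) + 2                 # FRAMESIZE counts CHK as well
    body = body[:2] + struct.pack(">H", framesize) + body[4:]
    return body + struct.pack(">H", crc_ccitt(body))

def parse_frame(frame: bytes, n_phasors: int) -> dict:
    """Decode timestamp, DATA and CHK, and verify CHK over SYNC..DFREQ. A bad
    CHK is reported in crc_ok rather than raised, so a monitor can count
    corrupted frames instead of dropping them silently."""
    sync, framesize, idcode, soc, fracsec, stat = struct.unpack_from(HEADER, frame)
    if sync != SYNC_DATA_V1 or framesize != len(frame):
        raise ValueError("not a version-1 data frame of the declared size")
    offset = HEADER_LEN
    phasors = []
    for _ in range(n_phasors):
        phasors.append(struct.unpack_from(">hh", frame, offset))
        offset += 4
    freq, dfreq = struct.unpack_from(">hh", frame, offset)
    (chk,) = struct.unpack_from(">H", frame, offset + 4)
    return {
        "idcode": idcode, "soc": soc, "stat": stat,
        "time_quality": fracsec >> 24,                 # accuracy flags byte
        "fracsec": (fracsec & 0xFFFFFF) / TIME_BASE,   # fraction of a second
        "phasors": phasors, "freq": freq, "dfreq": dfreq, "chk": chk,
        "crc_ok": chk == crc_ccitt(frame[:-2]),
    }

# Constructed sample: IDCODE 1, three balanced phasors, one frame at 60 Hz.
SAMPLE = build_frame(1, 1_546_300_800, 16_667,
                     [(1000, 0), (-500, 866), (-500, -866)])

def check_bit_flip(frame: bytes) -> bool:
    """Flip one DATA bit in transit and report whether CHK still verifies.
    Returns False: random corruption is exactly what the CRC catches."""
    damaged = bytearray(frame)
    damaged[HEADER_LEN] ^= 0x01
    return parse_frame(bytes(damaged), 3)["crc_ok"]

def check_regenerated(frame: bytes) -> bool:
    """Rebuild the frame with zeroed phasors and a fresh CHK. Returns True:
    CHK is an unkeyed CRC, so it says nothing about who produced the frame,
    which is the gap the paper's attack relies on."""
    rec = parse_frame(frame, 3)
    fracsec = round(rec["fracsec"] * TIME_BASE)
    zeroed = build_frame(rec["idcode"], rec["soc"], fracsec, [(0, 0)] * 3)
    return parse_frame(zeroed, 3)["crc_ok"]

if __name__ == "__main__":
    print(parse_frame(SAMPLE, 3))
    print("bit flip caught:", not check_bit_flip(SAMPLE))
    print("regenerated frame passes:", check_regenerated(SAMPLE))
```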
III. IMPLEMENTATION
This section will discuss the hardware on which we based our simulations, as well as how we implemented the simulations.
A. Hardware
As of this paper, we have not moved to testing our attack on the testbed's physical hardware. Instead, we simulated inserting a DE2-115 Altera Board inline, between an SEL451 and the Windows server running OpenPDC, as shown in Fig. 2. Thus, all packets transmitted between the PMU and the server have to pass through, and be intercepted by, the DE2-115 board.
Fig. 2: FPGA Inserted into Testbed Network
B. Simulation Design
We simulated our attack using ModelSim 10.4. This required programming a synchrophasor packet generator in ModelSim using information from Wireshark-captured packets on the testbed's network. We programmed ModelSim to generate packets using the structure of packets found on the network of our testbed. This modeled an SEL451 PMU sending data frames to the PDC.
ModelSim allowed us to simulate Verilog code as if it were being written to our Cyclone IV FPGA. Fig. 3 shows all of the hardware and modules that were simulated and that will be necessary in future research to allow the physical FPGA to receive and transmit packets at Ethernet speeds.
Additionally, we instantiated a Nios II processor which qualified each 32-bit word of data as it was received and checked it for certain values. For instance, if the word contained the packet's EtherType, we checked whether the EtherType was IPv4, which we knew the PMU was using. If the packet was using IPv4, the source IP address was the PMU we were attacking, the destination IP address was the PDC, the protocol used was the Synchrophasor Protocol, and the packet was a synchrophasor data frame, then the processor began its attack. The processor also handled custom error checking, custom packet buffers, and a channelizer. All architecture was based on previous work done by Sagisi in modifying packets in transit [12].
Fig. 3: Network Speed Ethernet on an FPGA [11]
C. Attacks
We developed three attacks to test exerting increasing amounts of control over packets as they passed through the processor. For the initial attack, we replaced all of the bits of the data frame that were associated with measurement data with zeroes to show that we had arbitrary control over the phasor values presented to the PDC. We called this a "constant measurement value attack." In the next attack, which we called a "variable measurement value attack," we subtracted 1 bit each from the binary values for real and imaginary voltages to prove that the phasor values could be modified based on their original value, rather than just replaced. Finally, we performed what we called a "time shift attack," in which we initially saved the measurement data from the first packet, then sent that packet through unchanged. Every following packet received the measurement data of the preceding packet, creating the illusion that all of the PMU's measurements were occurring one packet later than they actually were. Ideally, each of these attacks would also have included replacing the synchrophasor CHK bytes at the end of the packet with a newly calculated checksum, thereby making the packet appear unmolested. Unfortunately, time constraints on our research
IV. RESULTS
The first step of our research required determining how our testbed communicated with the PDC. We used Wireshark to obtain sample packets from the testbed's network, shown in Fig. 4. We captured several of these packets and used them to create the packet generator for the simulation.
Fig. 4: Wireshark Captured Synchrophasor Packet
We also used Wireshark to interpret each of the packet's 32-bit words in order to identify the words that contained values that we would need to qualify for our attack. Fig. 5 is the result of our analysis of the Synchrophasor packet structure, which we used to construct our simulated attack.
Fig. 5: Complete structure of C37.118 Synchrophasor Protocol over IPv4 over Ethernet
B. Simulation
Our simulation proved that all of the simulated attacks were feasible, at least in a controlled simulation.
Our first attack successfully replaced all of the measurement data with zeros, proving that we could modify and resend data. Fig. 6 shows the 32-bit words from the packet generated in green and the words exiting our processor in orange. The red box highlights the word containing the packet's measurement data, which has been replaced with zeros after going through the processor.
Our second attack successfully subtracted one bit from both the real and imaginary voltage values of the packet's measurement data, proving that we can analyze the contents of a packet, manipulate its data according to the results of said analysis, and resend the packet. Fig. 7, like Fig. 6, highlights the modified data.
Fig. 6: Constant Measurement Value Attack
Fig. 7: Variable Measurement Value Attack
Finally, the time shift attack successfully replaced each packet's data with the data from the previous packet. This proves that we can save the data from previous packets and use it in the following packets in order to "shift" the delivery of measurement data, making it seem as if the phasors measured by the exploited PMU are out of sync with the rest of the grid. Fig. 8 shows the first three packets of the simulation. The first packet, Fig. 8a, was passed through unchanged, but each subsequent packet, Fig. 8b and Fig. 8c, received the preceding packet's measurement data. This attack also has the potential to become a time-loop attack, in which enough measurement data is captured and saved that the PMU's packets are completely rejected, and all of the data being sent to the PDC instead comes from the inserted FPGA, which is now emulating the PMU based on previous data.
Fig. 8: Time Shift Attack
The previous images were manipulated in order to more easily compare the corresponding words of the sent and received packets. In reality, some latency was introduced between receiving and sending each packet. However, this delay was well under a microsecond long in every simulation, whereas packet travel times are typically measured in mil-
(60Hz). Therefore, our attacks introduced a negligible amount of latency that would be virtually undetectable by the PDC.
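Added example, not from the paper: the three attacks of Section III-C and the time-loop variant described above, applied to constructed records of already-parsed data frames, together with the unkeyed checks a PDC-side monitor could run against them (frame cadence, all-zero DATA, DATA repeated from a recent frame). The 60 Hz reporting rate is the paper's; the record layout, the phasor drift and TIME_BASE are assumptions.

```python
import math

FRAME_RATE = 60                  # reporting rate the paper cites (60 Hz)
TIME_BASE = 1_000_000            # assumption: FRACSEC counts microseconds
FRAME_PERIOD_US = TIME_BASE / FRAME_RATE

def make_clean_stream(n: int, soc: int = 1_546_300_800) -> list:
    """Constructed records of parsed PMU data frames: three balanced phasors
    (16-bit rectangular) whose angle drifts 0.01 rad per frame, so honest
    consecutive payloads are never bit-identical."""
    recs = []
    for i in range(n):
        theta = 0.01 * i
        phasors = tuple(
            (round(1000 * math.cos(theta + k * 2 * math.pi / 3)),
             round(1000 * math.sin(theta + k * 2 * math.pi / 3)))
            for k in range(3))
        recs.append({"soc": soc + i // FRAME_RATE,
                     "fracsec": round((i % FRAME_RATE) * FRAME_PERIOD_US),
                     "phasors": phasors})
    return recs

# The paper's attacks applied to parsed records, so the detector can be
# exercised offline (an anomaly generator in the spirit of the testbed work).
def constant_value_attack(stream):
    return [dict(r, phasors=((0, 0),) * len(r["phasors"])) for r in stream]

def variable_value_attack(stream):
    return [dict(r, phasors=tuple((re - 1, im - 1) for re, im in r["phasors"]))
            for r in stream]

def time_shift_attack(stream):
    out, prev = [], None
    for r in stream:
        # first frame passes unchanged; each later frame carries the
        # measurement data of the frame before it
        out.append(dict(r, phasors=r["phasors"] if prev is None else prev))
        prev = r["phasors"]
    return out

def time_loop_attack(stream, loop_len):
    """Replay the first loop_len payloads forever (the time-loop variant)."""
    return [dict(r, phasors=stream[i % loop_len]["phasors"])
            for i, r in enumerate(stream)]

def detect_anomalies(stream, window=10):
    """PDC-side checks that need no key: frame cadence, all-zero DATA, and
    DATA identical to a frame seen within the last `window` frames."""
    alerts, recent, last_ts = [], [], None
    for i, rec in enumerate(stream):
        ts = rec["soc"] * TIME_BASE + rec["fracsec"]
        payload = tuple(rec["phasors"])
        if last_ts is not None and abs((ts - last_ts) - FRAME_PERIOD_US) > 1:
            alerts.append((i, "frame cadence off"))
        if all(p == (0, 0) for p in payload):
            alerts.append((i, "all-zero measurement data"))
        for j, old in recent:
            if old == payload:
                alerts.append((i, f"measurement data identical to frame {j}"))
                break
        recent.append((i, payload))
        del recent[:-window]
        last_ts = ts
    return alerts

if __name__ == "__main__":
    clean = make_clean_stream(8)
    for name, fn in [("clean", lambda s: s), ("constant", constant_value_attack),
                     ("variable", variable_value_attack),
                     ("time shift", time_shift_attack),
                     ("time loop", lambda s: time_loop_attack(s, 4))]:
        print(name, detect_anomalies(fn(clean)))
```

The constant-value and time-loop streams trip these checks, the time shift only at its first transition, and the variable-value stream not at all, which is the gap that only authenticated frames close.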
V. SUMMARY
Our research demonstrates the risks created by the lack of strong integrity and authentication checks in the IEEE Synchrophasor Protocol. Our simulation proves that it is plausible to use an FPGA to modify Synchrophasor packets, while minimizing the effect of latency, in order to misdirect a PDC into accepting faulty data from a PMU. If these attacks were successfully executed on a production system, an attacker could not only insert arbitrary values for each measured magnitude and phase, but could also increase or decrease these values by a certain amount to achieve a specific desired effect, create the illusion that a generator is out of phase, or even completely replay captured data in a loop. The faulty data inserted by these attacks could be used to impair the efficiency and safety of smart grids. An undetected abnormality or fault could possibly result in power grid failure, similar to the Northeast blackout in 2003, an event caused by system failures that prevented the accuracy and availability of timely data [13]. The 2003 blackout, though not the result of a deliberate attack, resulted in an estimated $4-10 billion in total costs [14].
VI. FUTURE WORK
The Cyclone IV EP4CE115F29 Field Programmable Gate Array (FPGA), located on a DE2-115 Altera board, shown in Fig. 9, will be used in future research to test our attacks. Other parts of the board we will use include the board's two RJ45 connectors and their corresponding Marvell 88E1111 PHY chips.
Fig. 9: Altera DE2-115 Development and Education Board
The power grid testbed on which we plan to perform the attacks was developed at West Point by St. Leger et al. It uses SEL451 and 421 synchrophasors, which act as both relays and PMUs, to measure the phase voltage of all three phases of a custom, 1000:1 scale power grid, with PMUs at several different nodes. These measurements are given a timestamp using an SEL2407 and then transmitted to an OpenPDC application, which is located on a nearby Windows server [15].
Going forward, we will begin to test our attack on our testbed, as well as implement a way to correctly calculate and replace the checksum at the end of each modified packet. With our future use of the SEL451 and OpenPDC server, we hope to show that our attacks can work on a wide range of modern equipment because they exploit vulnerabilities in a communication protocol rather than the devices themselves. While our future research will be conducted on a testbed with SEL451 PMUs using the Synchrophasor Protocol, our attack could theoretically be adapted to any protocol or device, provided that the packet structure is known and the protocol lacks adequate integrity and authentication checks.
In addition to testing our attack methods on different protocols and equipment, future research will also involve testing methods of detection and prevention of our own attack in order to achieve our ultimate goal of improving the security of the power grid.
ACKNOWLEDGMENTS
Funding for this work was provided by the Office of Naval Research and the U.S. Army Armament Research, Development and Engineering Center (ARDEC). The opinions of this work are solely of the authors and do not necessarily reflect those of the U.S. Military Academy, the U.S. Army, or the Department of Defense.
REFERENCES
[1] D. M. Nicol, "Hacking the Lights Out," Scientific American, vol. 305, no. 1, pp. 70-75, 2011.
[2] "President Obama Announces $3.4 Billion Investment to Spur Transition to Smart Energy Grid," Energy.gov. https://www.energy.gov/articles/president-obama-announces-34-billion-investment-spur-transition-smart-energy-grid (accessed Jan. 17, 2019).
[3] J. E. Sullivan and D. Kamensky, "How cyber-attacks in Ukraine show the vulnerability of the U.S. power grid," The Electricity Journal, vol. 30, no. 3, pp. 30-35, April 2017.
[4] S. J. Matthews and A. St. Leger, "Leveraging single board computers for anomaly detection in the smart grid," in 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, 2017, pp. 437-443.
[5] B. Babu, T. Ijyas, Muneer P., and J. Varghese, "Security issues in SCADA based industrial control systems," in 2017 2nd International Conference on Anti-Cyber Crimes (ICACC), Abha, 2017, pp. 50.
[6] Y. Yang, B. Pranggono, T. Littler, Z. Yao, E. G. Im, K. Mclaughlin, H. Wang, and S. Sezer, "Man-in-the-middle attack test-bed investigating cyber-security vulnerabilities in smart grid SCADA systems," in International Conference on Sustainable Power Generation and Supply (SUPERGEN 2012), Hangzhou, 2012, pp. 1-8.
[7] T. Zhang, Y. Wang, X. Liang, Z. Zhuang, and W. Xu, "Cyber attacks in cyber-physical power systems: A case study with GPRS-based SCADA systems," in 2017 29th Chinese Control And Decision Conference (CCDC), Chongqing, 2017, pp. 6847-6852.
[8] P. Maynard, K. McLaughlin, and B. Haberler, "Towards Understanding Man-In-The-Middle Attacks on IEC 60870-5-104 SCADA Networks," in 2nd International Symposium for ICS & SCADA Cyber Security Research 2014, 2014, pp. 30-42.
[9] M. Stark, C. Clay, A. St. Leger, and N. Barry, "Emulation of Anomalies for Wide-Area Monitoring, Protection and Control System Development," in 2018 Clemson University Power Systems Conference (PSC), Charleston, SC, USA, 2018, pp. 1-8.
[10] IEEE Standard for Synchrophasor Measurements for Power Systems, IEEE Std C37.118.1-2011 (Revision of IEEE Std C37.118-2005), pp. 1-61, 28 Dec. 2011.
[11] Using Triple-Speed Ethernet on DE2-115 Boards, Altera Corporation—
[12] J. Sagisi, J. Tront, and R. Marchany, "System architectural design of a hardware engine for moving target IPv6 defense over IEEE 802.3 Ethernet," in MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM), Baltimore, MD, 2017, pp. 551-556.
[13] D. Hilt, "Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn?" NERC, Princeton, NJ, USA, Jul. 13, 2004.
[14] U.S.-Canada Power System Outage Task Force, "Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations," U.S. Department of Energy, April 2004.
[15] A. St. Leger, J. Spruce, T. Banwell, and M. Collins, "Smart grid testbed for Wide-Area Monitoring and Control systems," in 2016 IEEE/PES Transmission and Distribution Conference and Exposition (T&D), Dallas, TX, 2016, pp. 1-5.
