HACKING THE GRID: Exposing Vulnerabilities in IEC 61850 Substation Automation Systems – A Pentester’s Guide + Video

Introduction:

Substation Automation Systems (SAS) rely on industrial protocols like IEC 61850, DNP3, and Modbus to monitor and control power grids. However, these protocols were designed for reliability and real-time performance, not security – leaving critical infrastructure exposed to spoofing, denial-of-service, and man-in-the-middle attacks. With threat actors increasingly targeting energy sectors, understanding how to simulate, test, and harden SAS environments using professional tools and open-source frameworks has become an essential skill for cybersecurity professionals.

Learning Objectives:

  • Identify the most widely used SAS protocols (IEC 61850, IEC 60870-5-104/101, DNP3, Modbus) and their corresponding simulation/test tools.
  • Perform security assessments, including fuzzing, GOOSE/SMV injection, and command manipulation using both commercial test harnesses and Python-based scripts.
  • Implement detection and hardening measures on Linux and Windows hosts to monitor and block malicious SAS traffic in operational technology (OT) networks.

You Should Know:

  1. Understanding the SAS Protocol Landscape and Simulation Tools

Substation automation involves several key protocols. The original post highlights the most popular simulators and test tools for each:

  • IEC 61850 (GOOSE, SV, MMS): Tools include IEDScout (OMICRON), StationScout (OMICRON), 61850 Test Suite (Triangle MicroWorks), ASE61850, and open-source libIEC61850.
  • IEC 60870-5-104: ProTester (Infotech), lib60870, ASE2000 Test Set.
  • IEC 60870-5-101: IEC 101 Simulator (FreyrSCADA), lib60870.
  • DNP3: Test Harness (Triangle MicroWorks), ASE2000 Test Set.
  • Modbus TCP/RTU: Modbus Doctor (FreyrSCADA), ModSim (WinTECH).

These tools are typically used for conformance testing, but they can also be weaponized for security testing – e.g., injecting malformed GOOSE messages or replaying recorded SCADA commands. As noted in the comments, OMICRON IEDScout (launched 20 years ago at IEEE T&D) remains a reliable choice for individual IED testing, while StationScout offers full system visualization. Additionally, ASE2000 supports multiple protocols including IEEE 2030.5 and Sunspec Modbus.

  2. Setting Up a Lab Environment with libIEC61850 on Linux

To perform free, hands-on security testing, install libIEC61850 – an open-source implementation of IEC 61850 MMS, GOOSE, and SV. This library allows you to simulate IEDs, capture traffic, and craft custom packets.

Step-by-step guide (Ubuntu/Debian):

# Install dependencies
sudo apt update
sudo apt install git build-essential cmake libssl-dev

# Clone and compile
git clone https://github.com/mz-automation/libiec61850.git
cd libiec61850
make clean
make

# Run a simple server example
cd examples/server_example
make
./server_example

Test client communication: In another terminal, use the provided client or a tool like iec61850_client:

cd examples/client_example
make
./client_example

Capture MMS traffic (port 102) with tcpdump:

sudo tcpdump -i eth0 -s 0 -w iec61850_traffic.pcap 'tcp port 102'

For Windows: Use Wireshark, whose built-in mms, goose and sv dissectors decode IEC 61850 traffic. Install Npcap and capture with tshark, using a capture filter that keeps MMS (TCP 102) together with the GOOSE and SV Ethertypes (0x88B8 and 0x88BA):

& 'C:\Program Files\Wireshark\tshark.exe' -i Ethernet -f "tcp port 102 or ether proto 0x88b8 or ether proto 0x88ba" -w capture.pcap

Security tip: Monitor for unexpected MMS connections. Use Zeek (formerly Bro) with the IEC 61850 analyzer to detect malformed requests.

  3. Simulating Attacks with Triangle MicroWorks Test Harness (DNP3 Fuzzing)

While the Test Harness is a commercial tool, its methodology applies to any fuzzing exercise. DNP3 is commonly used in North American substations and is vulnerable to buffer overflows and function code injection.

Step-by-step fuzzing approach:

  1. Set up the test harness – Configure as a master (or outstation) targeting a real IED or a simulated device.
  2. Define a fuzzing campaign – Focus on function codes (e.g., 0x01–0x81), object headers, and qualifier fields.
  3. Monitor for crashes – Use a watchdog script to detect IED unresponsiveness.

Python alternative with Scapy (DNP3 support):

from scapy.all import IP, TCP, send
from scapy.contrib.dnp3 import DNP3

# Craft a malformed DNP3 request
pkt = IP(dst="192.168.1.100")/TCP(dport=20000)/DNP3(
    src=1, dst=2, func_code=0x02,  # Read function
    data=b'\xff' * 300             # Excessive data to trigger overflow
)
send(pkt, count=100, inter=0.1)

Detection rule (Snort), matching oversized DNP3 frames (link-layer start bytes 0x05 0x64) arriving at the outstation port:

# Requests to the outstation whose payload is larger than a normal DNP3 frame
alert tcp any any -> $HOME_NET 20000 (msg:"DNP3 excessive payload"; flow:to_server,established; content:"|05 64|"; depth:2; dsize:>256; sid:1000001; rev:1;)

  4. Hardening IEC 60870-5-104 with Firewall Rules and IDS

IEC 104 uses TCP port 2404 and is prone to command injection and DoS. Hardening should occur at both network and host levels.

Linux iptables (rate-limiting and allowed IPs only; rules are evaluated in order, so the rate-limited ACCEPT must come before the catch-all DROP):

# Accept new connections only from the SCADA master, at most 5 per minute
sudo iptables -A INPUT -p tcp --dport 2404 -s 192.168.10.5 -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 5 -j ACCEPT

# Accept packets belonging to sessions that were already admitted
sudo iptables -A INPUT -p tcp --dport 2404 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Log and drop everything else on 2404: other hosts, or the master exceeding the rate
sudo iptables -A INPUT -p tcp --dport 2404 -j LOG --log-prefix "IEC104_OVERFLOW: "
sudo iptables -A INPUT -p tcp --dport 2404 -j DROP

Windows Firewall (PowerShell as Admin). Windows Firewall evaluates explicit Block rules before Allow rules, so a catch-all Block on port 2404 would also cut off the master; allow the master explicitly and rely on the profile's default inbound action to block everyone else:

New-NetFirewallRule -DisplayName "IEC104 Allow Master" -Direction Inbound -Protocol TCP -LocalPort 2404 -RemoteAddress 192.168.10.5 -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

Monitoring with Zeek + custom script: Zeek’s IEC 104 analyzer can flag unexpected commands like “Interrogation” (C_IC_NA_1) during non-peak hours. Install Zeek and enable the IEC 104 analyzer:

# Offline analysis of a recorded capture
zeek -r substation.pcap scripts/iec104/main.zeek

# Live monitoring on the OT interface (-i and -r are mutually exclusive)
sudo zeek -i eth0 scripts/iec104/main.zeek

Look for unusual command counts in the `iec104.log`.

  5. Leveraging OMICRON IEDScout for Security Testing (GOOSE/SMV Analysis)

IEDScout is a powerful Windows-based tool for testing individual IEDs. From a security perspective, it can be used to:

  • Sniff and decode GOOSE (Generic Object Oriented Substation Events) and SMV (Sampled Measured Values).
  • Inject false GOOSE messages to test relay tripping logic.
  • Replay captured traffic to verify if the system can be spoofed.

Step-by-step security test with IEDScout:

  1. Connect IEDScout to the same network segment as the IED (mirror port recommended).
  2. Start a “Live Observation” to see all GOOSE/SMV messages. Note the MAC addresses, APPID, and data sets.
  3. Use the “Simulate” function to craft a duplicate GOOSE message with a higher StNum (state number) and SqNum – this will be accepted as legitimate by subscribing IEDs if no authentication is enabled.
  4. Verify if the IED executes the false trip command.

Mitigation: Implement IEC 61850-8-1 with digital signatures (rarely deployed) or use network segmentation to limit GOOSE traffic to isolated VLANs. Monitor with Wireshark’s `goose.retransmission` filter.
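As an added defensive example (not from the original post and not OMICRON's software), the following checker applies the StNum/SqNum rules above to decoded GOOSE fields, as a dissector such as Wireshark or Zeek would emit them, and flags a second publisher, a state change without SqNum reset, and a StNum regression or jump. The record layout and the sample frames are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class GooseRecord:
    src_mac: str    # publisher MAC from the Ethernet header
    appid: int      # GOOSE APPID
    gocb_ref: str   # gocbRef from the goosePdu
    st_num: int     # StNum: incremented on every data-set change
    sq_num: int     # SqNum: incremented per retransmission, reset to 0 on a new StNum

class GooseSequenceMonitor:
    """Stateful StNum/SqNum check per control block (constructed example, not a library API)."""
    def __init__(self):
        self.last = {}  # (appid, gocb_ref) -> (src_mac, st_num, sq_num) of the last frame seen
    def observe(self, r):
        key, alerts = (r.appid, r.gocb_ref), []
        prev = self.last.get(key)
        self.last[key] = (r.src_mac, r.st_num, r.sq_num)
        if prev is None:
            return alerts                # first frame for this GoCB: learn the baseline
        mac, st, sq = prev
        if r.src_mac != mac:             # a GoCB has exactly one publisher
            alerts.append(f"{r.gocb_ref}: second publisher {r.src_mac} (known {mac})")
        if r.st_num == st:
            if r.sq_num <= sq:           # same state: SqNum must keep increasing
                alerts.append(f"{r.gocb_ref}: SqNum {r.sq_num} not increasing (replay?)")
        elif r.st_num == st + 1:
            if r.sq_num != 0:            # a new state must start at SqNum 0
                alerts.append(f"{r.gocb_ref}: StNum {r.st_num} without SqNum reset")
        elif r.st_num < st:              # the genuine publisher now looks stale
            alerts.append(f"{r.gocb_ref}: StNum regressed {st}->{r.st_num} (replay/injection?)")
        else:                            # lost frames, or an injected frame racing ahead
            alerts.append(f"{r.gocb_ref}: StNum jumped {st}->{r.st_num}")
        return alerts

def scan(records):
    """Run the monitor over decoded frames in capture order; one alert list per frame."""
    mon = GooseSequenceMonitor()
    return [mon.observe(r) for r in records]

# Constructed sample: two genuine retransmissions from the relay, then a forged frame
# from another MAC with higher StNum/SqNum, then the relay's next retransmission.
GCB = "IED1CTRL/LLN0$GO$gcb01"
SAMPLE = [
    GooseRecord("00:11:22:33:44:55", 0x1000, GCB, 5, 0),
    GooseRecord("00:11:22:33:44:55", 0x1000, GCB, 5, 1),
    GooseRecord("de:ad:be:ef:00:01", 0x1000, GCB, 6, 3),   # forged
    GooseRecord("00:11:22:33:44:55", 0x1000, GCB, 5, 2),
]
ALERTS = scan(SAMPLE)  # frames 0 and 1 are clean; frames 2 and 3 carry the alerts
```

Once the forged frame has been accepted, the genuine publisher's next retransmission itself trips the regression check, so a single injected frame produces alerts on two consecutive frames.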

  6. Training and Certification: IEC 61850 University and ICS Security Paths

The comment by Dustin Tessier mentions `61850university.com` – a dedicated training platform for IEC 61850, including a “recently overhauled mobile digital substation.” For cybersecurity professionals, formal training in SAS protocols is critical. Recommended courses and certs:

  • IEC 61850 University: Hands-on courses covering IED configuration, GOOSE/SMV engineering, and troubleshooting.
  • SANS ICS410: ICS/SCADA Security Essentials.
  • Global Industrial Cyber Security Professional (GICSP).
  • Certified IEC 61850 Associate Engineer (from various vendors like SEL, Siemens).

Command-line check for IEC 61850 compliance (using libIEC61850 client):

./iec61850_client 192.168.1.100 102 -c "getLogicalDeviceList"

If no response, the IED may be misconfigured or firewalled.

  7. Writing Custom Fuzzers for Modbus TCP Using Python

Modbus remains ubiquitous but lacks authentication. With libraries like `pymodbus` and socket, you can build a simple fuzzer to test Modbus TCP slaves.

Python fuzzer example (targeting function code 0x06 – write single register):

import socket
import random
import time

target_ip = "192.168.1.200"
target_port = 502

# Build Modbus TCP frame: transaction id, protocol id, length, unit id, function code, register addr, value
def create_modbus_frame(addr, value, func=0x06):
    trans_id = random.randint(1, 65535)
    protocol_id = 0
    length = 6  # unit id + func + addr + value
    unit_id = 1
    frame = trans_id.to_bytes(2, 'big') + protocol_id.to_bytes(2, 'big') + length.to_bytes(2, 'big')
    frame += unit_id.to_bytes(1, 'big') + func.to_bytes(1, 'big')
    frame += addr.to_bytes(2, 'big') + value.to_bytes(2, 'big')
    return frame

# Fuzz with random register addresses and values
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)  # without a timeout, recv() blocks forever on a silent device
sock.connect((target_ip, target_port))

for i in range(1000):
    addr = random.randint(0, 65535)
    value = random.randint(0, 65535)
    payload = create_modbus_frame(addr, value)
    sock.send(payload)
    time.sleep(0.1)
    try:
        resp = sock.recv(1024)
        if not resp:  # empty read means the slave closed the connection
            print("Connection closed by slave")
            break
        print(f"Sent addr {addr} value {value} -> {resp.hex()}")
    except (socket.timeout, ConnectionError):
        print("Timeout or crash")
        break
sock.close()

Defensive countermeasure: Use a Modbus gateway with whitelist (e.g., Nozomi Networks or open-source ModbusPal) that enforces allowed register ranges and function codes. On Linux, run `modbus-proxy` from `mbtools` to filter.
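To show what the allowlisting gateway described above actually enforces, here is an added example (not from the original post or any of the named products) that parses a Modbus TCP request in the MBAP layout used by the fuzzer and accepts it only if unit id, function code and register range match a site policy. The policy values and sample frames are constructed.

```python
import struct

# Hypothetical site policy (constructed): permitted unit ids and function codes, and
# the holding-register ranges a master may read or write.
POLICY = {
    "unit_ids": {1},
    "functions": {0x03, 0x06, 0x10},   # read holding regs, write single, write multiple
    "readable": range(0, 200),         # holding registers 0..199 may be read
    "writable": range(100, 110),       # only setpoint registers 100..109 may be written
}

def _register_span(func, pdu):
    # (first_addr, count) touched by an allowed request PDU, or None if the PDU is truncated
    if func in (0x03, 0x10) and len(pdu) >= 5:     # func, addr, quantity
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return addr, qty
    if func == 0x06 and len(pdu) >= 3:             # func, addr, value: exactly one register
        return struct.unpack(">H", pdu[1:3])[0], 1
    return None

def inspect_modbus_frame(frame, policy=POLICY):
    """Decide whether one Modbus TCP request may pass; returns (allowed, reason)."""
    if len(frame) < 8:
        return False, "truncated MBAP header"
    _, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        return False, f"bad protocol id {proto_id}"
    if length != len(frame) - 6:                   # MBAP length covers unit id + PDU
        return False, f"length field {length} != {len(frame) - 6} bytes on the wire"
    if unit_id not in policy["unit_ids"]:
        return False, f"unit id {unit_id} not allowed"
    pdu, func = frame[7:], frame[7]
    if func not in policy["functions"]:
        return False, f"function 0x{func:02x} not allowed"
    span = _register_span(func, pdu)
    if span is None or span[1] < 1:
        return False, "malformed PDU"
    addr, qty = span
    allowed = policy["writable"] if func in (0x06, 0x10) else policy["readable"]
    if addr not in allowed or addr + qty - 1 not in allowed:
        return False, f"registers {addr}..{addr + qty - 1} outside allowed range"
    return True, "ok"

def build_frame(func, addr, value_or_qty, unit_id=1, trans_id=1):
    """Build a request in the same MBAP layout as the fuzzer above (for the samples)."""
    pdu = struct.pack(">BHH", func, addr, value_or_qty)
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu

if __name__ == "__main__":
    # Constructed samples: a legitimate setpoint write, a fuzzer-style write to a random address, a diagnostics request
    for f in (build_frame(0x06, 105, 42), build_frame(0x06, 40000, 7), build_frame(0x08, 0, 0)):
        print(f.hex(), "->", inspect_modbus_frame(f))
```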

What Undercode Say:

  • Key Takeaway 1: Substation automation protocols are security blind spots – but you can use the same simulators (IEDScout, libIEC61850, Test Harness) that engineers rely on to uncover misconfigurations and injection flaws before attackers do.
  • Key Takeaway 2: Open-source tools combined with simple Python scripts and firewall rules provide a low-cost, effective way to assess and harden SAS environments; commercial solutions add visualization and advanced fuzzing but are not strictly necessary for initial red teaming.

Analysis: The original post’s list of popular SAS simulators is a goldmine for security researchers. Many engineers use these tools for compliance and debugging, unaware that the same functionality can replay, spoof, or flood critical messages. For instance, GOOSE messages have no built-in authentication – an attacker on the same VLAN can trigger a transformer trip simply by replaying a captured GOOSE with a higher sequence number. The comment about IEDScout’s 20-year legacy highlights how long these insecure designs have persisted. Meanwhile, training platforms like IEC 61850 University are finally bridging the gap between operational technology and cybersecurity. We recommend every OT security team acquire at least one of these simulators and integrate protocol-aware monitoring (Zeek, Snort) into their SIEM.

Prediction:

As energy grids embrace digital substations and IEC 61850 Edition 3 (with enhanced security features like role-based access control and encrypted GOOSE), we will see a surge in “grid red teams” using the very simulators listed above to test resilience. However, legacy IEDs will remain vulnerable for decades – expect a thriving market for bump-in-the-wire security gateways and anomaly detection powered by machine learning on SAS traffic. Additionally, regulatory frameworks like NERC CIP will soon mandate protocol-level fuzzing and GOOSE authentication, turning today’s niche testing tools into mandatory compliance equipment.

Reported By: Mohammedattallah Sas – Hackers Feeds