The modern electricity grid is quietly becoming a software system. Substations that were once governed by electromechanical relays and copper wiring now run on Ethernet, standardised digital protocols, and remote connectivity. That shift — broadly captured by the term digital substation — has delivered enormous gains in automation, observability, and efficiency. It has also pulled the grid into the same threat landscape as the rest of the connected world, while leaving most utilities without a safe place to study what that actually means.
This is a case study of a platform we designed and built to close that gap: a cyber-physical smart-grid security testbed commissioned by a research institute. It reproduces the behaviour of a real distribution-class substation closely enough to be useful for research, training, and protocol validation, yet it is fully isolated from any live network and can be attacked, broken, and restored without consequence.
A grid that is being digitised faster than it is being defended needs somewhere to fail safely. This is the story of that somewhere — a bench built to behave like a real substation, and built to be broken.
This article breaks down the core architecture and major building blocks of the platform to provide a transparent look at its design. The focus is squarely on the high-level engineering philosophy — the what and the why behind the system — and on how these simulated environments are structurally designed, rather than on a step-by-step deployment blueprint or an actionable playbook.
The requirement
The institute’s brief was straightforward to state and demanding to satisfy: build a platform that behaves like a real 33/11 kV substation, exposes the digital communication layers that real substations depend on, and lets researchers and trainees observe — directly and safely — what happens when those layers are attacked.
Several constraints shaped everything that followed.
It had to be realistic. A testbed that only simulates an idealised model teaches little about real operations; the value lies in reproducing the actual protocols, timing behaviour, and control workflows that production substations use, so that lessons learned on the bench transfer to the field. (We have written separately on why fidelity, not convenience, is the deciding factor in this kind of work.)
It had to be cyber-physical and closed-loop. Studying grid security on a purely virtual model misses the point: the whole concern is that a digital action has a physical consequence — a breaker opens, a feeder de-energises, a generator trips. The platform therefore had to connect the digital control plane to a tangible, observable physical outcome, and to feed that outcome back into the simulation so the system as a whole responds the way a real grid would.
It had to be safe and self-contained. Researchers needed to run genuinely destructive scenarios — unauthorised switching, manipulated control messages, denial of service — without any possibility of those actions reaching a real network or a real grid. Isolation was a first-class design requirement, not an afterthought.
It had to be affordable and scalable. Commercial-grade substation automation and real-time simulation environments are extraordinarily capable and extraordinarily expensive — well beyond the reach of most academic and independent research programmes. The institute needed a platform that recreated the functional behaviour of those systems at a fraction of the cost, and that could be extended module by module as research questions evolved.
And it had to serve several audiences at once: cybersecurity researchers, power-system and protection engineers, operators in training, and educators. That breadth is itself a design constraint, because each audience values a different kind of realism.
The shape of the requirement: a digital substation runs as four layers — Station, Network, Bay, and Process — and the testbed reproduces that layering as a closed loop, so a command issued at the top propagates down to the physical grid and its consequences feed back up in real time.
The design approach
Before building anything, we benchmarked how real utility infrastructure is structured — how production substations layer their automation, how supervisory systems present the grid to operators, and how real-time simulators are used to validate equipment before it is trusted with live power. The goal of that study was not to copy any specific product, but to understand the architecture and behaviour that the testbed needed to reproduce, and then to ask which of those functions could be recreated faithfully using accessible, well-understood technology.
Two principles came out of that work and governed the rest of the design.
The first was architectural fidelity over component fidelity. Real digital substations are organised in well-defined layers — a supervisory station level, a communication network that ties everything together, a bay level where local control and protection live, and a process level where the physical plant sits. We chose to reproduce that layering exactly, because the structure is where the security-relevant behaviour comes from: how commands flow, where trust is assumed, and where an attacker can interpose.
For research and simulation, the price tag on the hardware is largely irrelevant. It matters far less whether a device is a six-figure industrial relay or a low-cost, accessible equivalent. What actually matters is architectural fidelity: does it sit in the right place on the network, and does it speak the right protocols at the right level?
The second was closed-loop integration as the core deliverable. Many testbeds stop at one layer — a network to capture packets, or a simulation to model power flow. The defining ambition here was to make the layers act as one system: a command issued at the supervisory level should propagate through the network, be executed by the control layer, change the state of the physical model, and feed back into the power-system simulation so that voltages, currents, and flows update accordingly — all in real time, in both directions. A fault introduced in the simulation should likewise drive protection behaviour, raise alarms to the operator, and visibly affect the physical model. Achieving that bidirectional, real-time synchronisation across heterogeneous layers was the hardest engineering problem in the project — and the single feature that turns a collection of devices into a research instrument.
Isolation and restorability were designed in from the start: the entire environment lives on its own segmented infrastructure with no path to any production or public network, and any scenario — however destructive — can be reset to a known-good baseline.
What was implemented
The delivered platform is a layered, closed-loop cyber-physical substation environment that mirrors the structure of a modern digital substation.
At the supervisory level, an operator-facing monitoring and control environment presents the state of the simulated substation, issues control actions, logs events, and serves as the workstation from which both engineering and security activity is conducted. This layer plays the role that a SCADA/HMI system plays in a real control room.
A communication network ties the layers together, reproducing the station-bus concept that real substations use as their digital backbone, and providing the points at which network monitoring and adversarial scenarios can be introduced. A protocol gateway and data-concentration function bridges the modern standards-based substation communication with the more legacy industrial protocols that still coexist in real installations — the interoperability seam that, in the field, is so often where security assumptions quietly break down.
At the bay level, software-defined intelligent electronic devices (IEDs) perform the local control and protection functions — operating breakers and isolators, reading instrument transformers, reporting status, and executing protection logic — communicating over the IEC 61850 family of standards that governs modern substation automation. A programmable controller represents the generation and process-automation side of the plant. Together these reproduce the distributed control behaviour of a real substation without exposing the specific means by which they were built.
At the process level, two complementary representations of the physical grid work in concert. A real-time power-system simulation continuously computes the electrical behaviour of a complete 33/11 kV substation — feeders, transformers, busbars, switching, instrument transformers, protection, power flow, and fault conditions — and a tangible miniature model of a generation-to-distribution network makes the consequences of control actions physically visible. Commands from the control and supervisory layers act on both; both feed their state back upward. The result is a single, coherent cyber-physical system in which a digital action and its electrical and physical consequences are always in agreement.
The electrical system the platform reproduces: a 33/11 kV substation single-line — incoming transmission, the step-down transformer, the 11 kV busbar, and the outgoing feeders with their circuit breakers. Every switching action and fault in the scenarios that follow plays out against this structure, modelled in real time and made physically visible on the bench.
The defining achievement is the real-time, bidirectional synchronisation across all of these layers. A switching action taken at the supervisory level is reflected near-instantly in device state, propagated across the substation network, and resolved in the power-system simulation and the physical model; a fault originating in the simulation drives protection behaviour, operator alarms, and a visible physical effect. This is what separates a demonstration from a research instrument: cause and effect are faithful end to end.
Technology and equipment
The platform is built almost entirely from accessible, well-understood technology rather than proprietary utility hardware — which is precisely how it reproduces industrial-grade behaviour at a fraction of industrial cost. At a high level, it comprises:
- Software-defined IEDs on single-board computers. The bay-level intelligent electronic devices run on Raspberry Pi-class single-board computers, each acting as a standards-compliant IEC 61850 server for breaker, isolator, and protection functions — standing in for relays that, in their commercial form, cost orders of magnitude more.
- An industrial PLC (Siemens S7 family) for the generation and turbine / process-automation side of the plant.
- A real-time power-system simulation built in MATLAB/Simulink, modelling the full 33/11 kV substation — feeders, transformers, busbars, switching, instrument transformers, protection, and fault behaviour.
- An open-source supervisory and HMI layer built on Node-RED, providing the monitoring, control, and alarm functions a SCADA/HMI would in a real control room.
- An industrial protocol gateway / RTU acting as data concentrator and protocol translator between the modern substation protocols and the legacy field protocols.
- Managed industrial networking — router, station-bus switch, and wireless access point — forming the segmented communication backbone and the isolation boundary.
- A physical miniature smart-grid model (a roughly 4×4-foot demonstration table) that makes generation, transmission, distribution, switching, and fault conditions physically visible.
- A virtualised station-level server hosting the supervisory services, simulation interfaces, and — for the defensive work — an open-source network intrusion-detection system.
The communication runs on the standard protocol families that real digital substations use: IEC 61850 (including MMS for control, and the GOOSE and Sampled Values mechanisms), OPC UA for cross-system interoperability, and Modbus TCP for legacy device control. What is not described here — and what genuinely makes the platform work — is how these pieces were programmed, configured, and synchronised into a single real-time cyber-physical system, and the specific methods used to attack them.
Validating the platform: adversarial scenarios
A security testbed is only credible if it can be used to do security research, so the platform was delivered with a set of pre-built, fully documented scenarios that each exercise a different layer of the substation communication stack and produce a visible, measurable effect on the system. They are described here by class — the lesson each one teaches — rather than by the specific tools or steps used to stage them.
- Weak authentication on the interoperability layer. A scenario demonstrating how poor or default credentials on the layer that brokers data between systems can be abused to issue unauthorised control over substation switching equipment — turning a single authentication weakness into physical action.
- Integrity attack on unauthenticated control messaging. A scenario in which an adversary who has gained a network foothold intercepts and alters control messages in transit, so that the physical plant behaves contrary to the operator’s intent while the operator sees nothing wrong — a direct illustration of why message integrity and authentication matter on the station bus.
- Capture and replay of a legacy control protocol. A scenario showing how a legacy protocol with no authentication or session binding allows previously observed commands to be replayed directly to a controller, bypassing the supervisory system entirely and driving process equipment on the attacker’s schedule.
- Bridging the air gap through removable media. A scenario demonstrating that physical access to a workstation on the process network is sufficient to execute code against an industrial controller and disrupt the process — a reminder that “air-gapped” is a claim that must be continuously earned, not a property that can be assumed.
- Detection as the counterpart to attack. A defensive scenario that places a network intrusion-detection capability on the substation network and tunes it to recognise the signatures of the offensive scenarios above, letting trainees correlate protocol-level detections with the physical effects they produce — and reconfiguring the same lab from an attack range into a defence-engineering environment.
The scenarios are spread deliberately across the stack: each class breaks a different trust assumption at a different layer — authentication and message integrity on the network, session binding at the bay, and the air gap at the process level — while a network intrusion-detection capability watches the station bus. The figure shows where each attack enters, not how it is staged.
Each scenario was designed so that the protocol-level activity and its physical consequence can be observed side by side.
This packet caused that breaker to move. That correlation — between an action on the wire and its effect on the grid — is the pedagogical heart of the platform.
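As an added illustration of the detection scenario, and not code from the platform or its authors: a minimal station-bus monitor that parses Modbus TCP frames and flags the two legacy-protocol failure modes named above, writes from a host other than the supervisory HMI or gateway, and verbatim re-sends of an earlier command. The host addresses, the writer allow-list, the coil addresses and the sample frames are all constructed for the example.

```python
import struct
from collections import namedtuple
# Modbus TCP ADU = 7-byte MBAP header (tx id, protocol id, length, unit id) + PDU
Frame = namedtuple("Frame", "tx_id unit_id func payload")

# Function codes that change controller state (coil and register writes)
WRITE_FUNCS = {0x05: "write_single_coil", 0x06: "write_single_register",
               0x0F: "write_multiple_coils", 0x10: "write_multiple_registers"}

# Constructed policy: only the supervisory HMI and the protocol gateway may write
AUTHORISED_WRITERS = {"10.0.20.10", "10.0.20.20"}

def parse_modbus_tcp(data: bytes) -> Frame:
    """Parse one Modbus TCP ADU; raise ValueError on a malformed header."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", data[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(data) - 6:   # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return Frame(tx_id, unit_id, data[7], data[8:])

def detect(events):
    """events: iterable of (src_ip, raw_frame); returns a list of alert strings."""
    alerts, seen = [], set()
    for src, raw in events:
        fr = parse_modbus_tcp(raw)
        if fr.func not in WRITE_FUNCS:
            continue   # reads do not change plant state; only writes are policed
        name = WRITE_FUNCS[fr.func]
        if src not in AUTHORISED_WRITERS:
            alerts.append(f"unauthorised {name} from {src} to unit {fr.unit_id}")
        # A live client increments its transaction id, so an identical (tx id, PDU)
        # pair seen a second time, from any host, is a capture-and-replay indicator.
        key = (fr.tx_id, fr.unit_id, fr.func, fr.payload)
        if key in seen:
            alerts.append(f"possible replay of {name} tx={fr.tx_id} from {src}")
        seen.add(key)
    return alerts

def write_coil(tx_id, unit, addr, on):
    """Build a Write Single Coil ADU (used only to construct the sample traffic)."""
    pdu = struct.pack(">BHH", 0x05, addr, 0xFF00 if on else 0x0000)
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: two operator commands from the HMI, the first of them
# replayed verbatim from an unknown host, then a fresh write from that host.
SAMPLE = [
    ("10.0.20.10", write_coil(41, 1, 0x0010, False)),  # operator opens feeder breaker
    ("10.0.20.10", write_coil(42, 1, 0x0011, False)),  # next command, new tx id
    ("10.0.20.99", write_coil(41, 1, 0x0010, False)),  # captured frame replayed
    ("10.0.20.99", write_coil(7, 1, 0x0012, True)),    # direct write, bypassing HMI
]
```

The replay heuristic leans on the transaction identifier, which a live client increments; a deployed monitor would add a time window and per-host baselines rather than an unbounded set of seen frames.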
Why this matters for the energy sector
For the people who actually manage the grid — utility operators, protection and automation engineers, control-room staff, and the security teams that increasingly sit alongside them — the value of a platform like this is practical and specific.
It provides a place to understand consequence before it happens. Operators and engineers can see, concretely, how a cyber action translates into an electrical and physical outcome on the grid, building the intuition that is hard to acquire from documents and impossible to acquire from production systems.
It enables safe, repeatable training on exactly the failure modes that worry the sector: unauthorised switching, manipulated telemetry and control, loss of a controller, and the quiet erosion of trust in the data an operator relies on. Crews can rehearse both the attack’s appearance and the defensive response without any risk to a live network.
It supports protocol and equipment validation — exercising the standards and communication patterns that real substations run on, and testing how protection and control behave under adversarial conditions rather than only under fault conditions.
It lowers the barrier to serious research. By reproducing the functional behaviour of industrial-grade environments at a fraction of their cost, the platform puts digital-substation and smart-grid security research within reach of institutions that could never justify a commercial real-time simulation laboratory — including work on anomaly detection and machine-learning-based monitoring that needs a realistic source of both normal and malicious behaviour.
And it gives security and operations teams a shared language. One of the enduring difficulties in protecting critical infrastructure is that the people who understand the power system and the people who understand the network often work in separate worlds. A cyber-physical testbed forces those worlds together around a single, observable system — which is, ultimately, the only place the problem is ever actually solved.
Conclusion
This project shows that a faithful, closed-loop smart-grid security testbed does not require an industrial budget — it requires the right architecture, an uncompromising commitment to real-time fidelity between the digital and physical layers, and disciplined isolation so that realistic attacks can be studied safely. The delivered platform reproduces the structure and behaviour of a modern 33/11 kV digital substation, demonstrates a representative set of attacks and their physical consequences, and serves as a durable instrument for research, training, and validation.
The grid’s transformation into a software-defined system is not slowing down, and the gap between how quickly substations are being digitised and how prepared the sector is to defend them is real. Environments like this one exist to narrow that gap — to let the energy sector learn how its digital nervous system fails, on a bench, before it is forced to learn the same lessons on the network.
Acknowledgements

This work would not have been possible without his generous guidance. His deep knowledge of how the grid actually behaves — and his patience in transferring it — shaped both our research and the fidelity of the platform we built. We are grateful for his time and insight.
This case study outlines the core architecture of a cyber-physical platform built for a research institute. If your organization or utility is designing a similar OT security range, testbed, or operator-training infrastructure, you can connect with the Cyberange Phygital Labs team through our contact page.