Advanced sensors and high-speed networks have enabled real-time monitoring of power grids, providing data on various electrical measurements such as voltage, current, and frequency, as well as environmental information like temperature, humidity, and light (Luo, 2016; Zhang et al., 2021; Mittal et al., 2023). This data is utilized to support grid monitoring, protection, regulation, and other functions.

The smart grid control system in CPPS consists of three main components: the power system as dipicted in Figure 1 (including generators, loads, power electronic equipment, energy storage systems, measuring units, and control units), the communication system (comprising routers, optical fibers, servers, and other devices), and the security and stability control device (a decision-making system with a master station and substation).

Measuring units collect data on the grid’s status and transmit it to the master station via a wide-area communication network (Osanaiye et al., 2016; Zhang et al., 2020c). The master station calculates control commands based on a strategy and sends them to each substation. Substations then execute specific operations using control units based on local control strategies (Othman et al., 2018; Menezes et al., 2023).

This paper utilizes a modular design to integrate discrete event simulation and continuous-time simulation. The co-simulation platform comprises four modules: power system, communication system, master station, and substation. These modules are connected via Ethernet to streamline data interface design and enhance modeling efficiency. Real-time performance is ensured through the use of appropriate simulation tools for the power system and communication system. Figure 2 illustrates the architecture of the co-simulation platform.

The real-time requirements of the co-simulation platform present a challenge, as most power simulation systems are PC-based and cannot handle large-scale simulations in real-time with small time steps (Zhang et al., 2024). To tackle this problem, the OPAL-RT modeling software RT-LAB was chosen as the power system simulator (Amaizu et al., 2021). Simulink models can be compiled into multiple subroutines that can be executed in parallel using RT-LAB.

Modeling in RT-LAB involves four main components: the power grid, a measuring unit, a control unit, and a network interface (Cil et al., 2021), as shown in Figure 1. The original power grid is simplified into an equivalent network for real-time simulation, and the grid model is designed accordingly and verified through offline simulations (Mittal et al., 2023). Regarding the measuring unit, it is essential to define the sampling frequency and data type of the packets, which include parameters such as voltage, current, frequency, and power-angle (Alnasser and Sun, 2017; Singh and Mahajan, 2020; Singh and Mahajan, 2021; Yu et al., 2022; Zhang et al., 2021a; Zhang et al., 2021b; Zhang et al., 2021c). Additionally, timestamps are included to analyze latency. In the control unit, it is crucial to determine the target and structure of commands sent from the substation. The control unit is responsible for converting these commands into control quantities and outputting them to the control target. OPAL-RT uses TCP and UDP protocols for external communication. The network interface consists of three modules: OpIPSocketCtrl, which controls the communication protocol, port, and IP address; OpAsyncRecv, for receiving packets; and OpAsyncSend, for sending packets. Multiple sets of network interfaces can be included in the power system model, distinguished by port numbers.

To ensure real-time performance, this paper utilizes OPNET to simulate the communication system. The modeling in OPNET is categorized into three layers: net-work, node, and process, depending on the level of the communication network. This three-level modeling allows for the construction of communication networks, protocols, algorithms, and equipment. OPNET also offers a range of standard applications, such as Database, E-mail, HTTP, Print, Remote Login, Video Conferencing, and Voice, which can be combined to cover most power services (Kaur et al., 2021; Zhang et al., 2023). For unique power businesses, the standard application model can be modified at the process layer to create a customized application model.

To establish end-to-end business connections between real and virtual networks, a semi-physical simulation interface can be employed (Priyadarshini and Barik, 2022). OPNET offers three types of such interfaces: HLA-API, ESA-API, and System in the loop (SITL). While HLA-API and ESA-API require defining process and node models and designing corresponding interface programs, SITL is an existing model provided by OPNET. Although it supports limited protocols and requires mapping real packets to virtual ones, it enables easy access to external devices in the simulation system. As communication between modules uses the UDP protocol, we have chosen SITL as the data interface to simplify model design.

Data is exchanged between measuring units and substations with the master station through a communication system. Control units exchange data with substations directly through a switch. To facilitate this, two network interface cards (NICs) are inserted into the OPNET host. NIC1 communicates with the OPAL-RT and substation via the switch, while NIC2 communicates directly with the master station. The network model includes multiple SITL modules that correspond to the master station, substation, and measuring units by setting filters. Network 1 connects measuring units to the master station, while network 2 connects the substation to the master station.

The security and stability control device plays a crucial role as the second and third lines of defense for the power grid. It is responsible for responding to emergencies such as load shedding, generator trips, or valve fast shutdowns in order to prevent further spread of faults in the grid. This device consists of both a master station and substations. The master station monitors the power grid’s status through measuring units and compares any faults found with the security control strategy based on the fault type and location. Once the optimal control strategy is determined, the master station sends control commands to the substations. The substations report the controllable load amount to the master station and receive control commands from it. Finally, the substations send commands to the control units and execute the actual operation according to the local control strategy.

The master station is constructed on the Linux platform and is programmed using the C language, allowing it to perform complex operations. It retrieves real-time power grid status information from OPAL_RT and receives control commands from the security and stability control device to efficiently monitor and manage the power system. The master station consists of four modules, which are as follows:

Figure 4 illustrates the real-time simulation timeline of a co-simulation platform that includes a power system, communication system, master station, and substation. This timeline considers the simplified structure of the control system in the power grid.

To simplify the modeling process and clarify the function of each module, the measuring unit is limited to sending data only, while the control unit can only receive data. The communication cycle between the measuring unit and the master station is T_1, and the cycle between the control unit and the substation is T_2. At moment A1 in the simulation, the measuring unit sends sampled data to the master station, which receives the data at D1. At moment B1, the substation system sends the data of controllable load to the master station. After processing the data upon receiving them at D2, the master station issues a synchronization message or control order message to the substation. The substation analyzes the message and issues a control order to the control unit at B3. Finally, the control unit updates the relevant parameters in the power system node at A2.

The system latency consists of four main components: network latency, master station latency, substation latency, and inherent simulation platform latency. Network latency is the delay caused by communication systems, including issues such as packet loss, bit errors, routing problems, bandwidth limitations, and server performance. Master station latency is a result of hardware and software limitations, encompassing hardware latency and software latency. Hardware latency involves delays within the master station system, including network card performance and data transfer. Software latency refers to the time required for power service computations, such as state estimation, measurement information management, and power quality monitoring. Substation latency is similar to master station latency, involving hardware and software limitations that lead to delays. Inherent simulation platform latency arises from communication between modules in the platform. This includes factors like OPAL-RT operating system latency, OPAL-RT network card latency, OPNET operating system latency, OPNET host network card latency, switch latency, and more.

In actual CPPS, the platform’s inherent latency cannot be eliminated and varies randomly depending on the amount of data flow between modules. When data packets are less than 64 bytes, the inherent latency is approximately 1–2 ms. However, as the total latency of network, master station, and substation is already in the range of tens to hundreds of milliseconds, the impact of inherent latency is negligible and will not significantly affect the simulation accuracy. To further minimize the influence of inherent latency, one common approach is to use the Ping command to measure the communication latency between modules, record it as inherent latency, and subtract it from the controllable latency in the master station system.

A Distributed Denial of Service (DDOS) attack is a form of resource-exhaustion attack. Attackers employ Client/Server techniques to manipulate multiple computers as sources of attack, thereby enhancing the attack’s effectiveness. There are various types of DDOS attacks, including Sy flood, Smurf, and Land-based attacks. When a host is targeted by a DDOS attack, it experiences a high volume of pending connections, causing the network to be flooded with useless packets, leading to network congestion. Consequently, the target of the attack becomes incapable of communicating with the outside world.

Figure 5 illustrates the DDOS attack scheme, consisting of four components: the attacker, control puppet, attack puppet, and target. Attackers gain either partial or complete control of both the control puppet and attack puppet. The control puppet transmits the attack program to the attack puppet. Through the control puppet, the attacker instructs the attack puppet to send actual attack packets to the target.

This paper deploys an attacker node in an OPNET simulation. The attacker randomly scans and attacks all terminals in phase one, and infected computers send confirmations back to the attacker. In phase two, the infected computers flood the network connecting to the target with tons of meaningless packets.

The Man in the Middle (MITM) attack is an indirect method of gaining control over a target. By spoofing IP addresses and ports, the attacker can invade and take control of a virtual computer, creating a new communication channel between the original nodes. This new channel allows packets to be easily modified, leading the target to make incorrect decisions. Common examples of MITM attacks include Careto, Crypto locker, Dexter, and Fin Fisher.

In the research depicted in Figure 6, a computer is utilized as the attacker and equipped with two network interface cards (NICs). One NIC connects to OPNET while the other connects to the substation. The IP address of the NIC connected to the substation serves as the gateway IP address for the substation, while a virtual NIC is established within the computer and assigned the IP of the master station. The IP address of the NIC connected to the substation is configured as the substation’s IP address.

Two methods of Man-in-the-Middle (MITM) attack are proposed as follows:

To verify the impact of communication systems and devices on power system simulations, as well as the necessity of co-simulation platforms in power system analysis, a 7-bus system was constructed in RT-Lab, as shown in Figure 7. The system includes seven buses, two controllable loads, two generators, one ideal voltage source, four transformers, and seventeen circuit breakers. Measuring units monitor buses B1, B2, and B3. The protection unit and control unit jointly manage the controllable load and generator, with the protection unit preventing the control unit from operating the protected device once it has been broken out. The simulation is based on a reference AC voltage of 230 kV, frequency of 60 Hz, and a simulation step of h = 2.5 × 10^∧(−5) s. Table 1 provides the parameters for each device.

The strategy for system protection and security control during a three-phase short-circuit fault on transmission line L3 is as follows: The short-circuit protection unit will disconnect L3 within 0.1 s of the fault occurring. The over-current protection unit will disconnect L1 after a 2-second delay and disconnect L5 after a 3.5-second delay from the occurrence of the fault. Additionally, the security and stability control device will disconnect R2 after a 2-second delay following the short-circuit fault.

Figure 8 illustrates the communication network constructed in OPNET, which comprises eight router nodes, multiple servers, and terminals designed to simulate data transmission across various services. Notably, the measuring unit, master station, and substation do not directly correspond to individual nodes within this network. Instead, these physical components are interconnected to the OPNET communication network at specific boundary nodes using the SITL (System-in-the-Loop) module. This setup reflects the hierarchical nature of our system, where multiple physical devices may connect to a single communication node that serves as a gateway or aggregation point, rather than having a direct one-to-one mapping with the communication nodes.

Furthermore, the control unit is integrated into the network via a connection to the substation through a switch, emphasizing the layered interaction between control operations and network communication. The routers in this network are linked by a 2 Mbps optical fiber, ensuring a consistent communication delay of 1 ms across the system.

After the occurrence of a three-phase short-circuit fault on L3, a DDOS attack and MITM attack are conducted to assess the effects of cyber-attacks on the power system.

In this scenario, there is an attacker node connected to router A, as shown in Figure 9. The attacker sends malware to all terminals in the network and infects approximately 70% of them randomly. The infected terminals are then controlled by the attacker to send meaningless requests to the server, causing a congestion in network traffic.

All the loads in the system are connected to B2. However, the output of G3 is insufficient to meet the load requirements. As a result, the current of B2 directly indicates the behavior and stability of the system. The comparison of B2 current in three scenarios is illustrated in Figure 10.

Under ideal conditions, without taking into account the communication system and actual devices, the security and stability control device had a response delay of 0 ms. As a result, the control unit disconnected R2 within 2 s of the occurrence of a short-circuit fault, ensuring the stability of the system.

Taking into account the communication system and the actual devices, the channel remained unobstructed and free from congestion in typical situations. The average latency between the substation and the master station was 233.9 ms. The substation promptly disconnected R2, resulting in a reduction of current in L5. This action effectively curbed the further spread of the fault.

During the DDOS attack, the average latency between the substation and the master station significantly increased to 2,136.7 ms due to a high volume of meaning-less packets congesting the channel. Despite the substation responding to the commands from the master station, the prolonged latency resulted in system instability and further propagation of the fault by the protection device.

Figure 11 illustrates the average latency between the substation and the master station for various levels of attack intensity, including infection rates of 30%, 50%, 70%, and 90%. In the case of a mild DDOS attack, the communication system exhibited the capacity to handle the packets sent by the compromised machines, resulting in minimal changes in latency. However, as the number of infected terminals grew, the communication system’s resources were depleted, leading to a significant increase in latency.

In this situation, the attacker intercepted the packet sent from the master station to the substation. This prevented the substation from receiving the command, resulting in a missed trip. Table 2 displays the breaker’s operating time under both normal conditions and attack conditions following the occurrence of a three-phase short-circuit fault.

As depicted in Figures 12, 13 the attacker intercepted and filtered the control commands sent by the master to the substation, resulting in a missed trip and preventing the breaker from disconnecting R2. As a consequence, the overcurrent protection disconnected L5 at 12.74s and L1 at 15.25s. Unfortunately, the failure continued to spread, eventually causing G3 to go out of step.

In this scenario, the attacker eavesdropped on the packets sent by the master station. Upon detecting a command packet, the attacker intercepted all subsequent packets and randomly sent switching load commands to the substation. As depicted in Figures 14, 15, the current of B2 and the speed of G3 exhibited differences under the MITM attack compared to normal conditions. In the absence of an attack, the substation would disconnect R2, resulting in a gradual decline and stabilization of the current in B2, with only occasional fluctuations in the speed of G3 during load shedding. However, during the attack, the substation indiscriminately switched the load, causing sharp fluctuations in both the current of B2 and the speed of G3. Although the system did not become destabilized in this particular example, the continuous injection of disturbances by the malfunctioning substation compromised the stability of the overall system.

In conclusion, the integration of communication networks and cyber-attack considerations greatly enhances the security and stability control of smart grid operations. Without simulating the communication network and utilizing actual devices, it becomes challenging to accurately predict system responses. The co-simulation platform proposed in this study successfully integrates the power system, communication system, and actual devices, providing an effective method for studying Cyber-Physical Systems (CPS) in smart grids.