Article

Research on Hardware-in-the-Loop Test Platform Based on Simulated IED and Man-in-the-Middle Attack

1 State Grid Qinghai Electric Power Company Electric Power Science Research Institute, Xining 810008, China
2 School of Electricity and New Energy, Three Gorges University, Yichang 443002, China
* Author to whom correspondence should be addressed.
Processes 2025, 13(9), 2735; https://doi.org/10.3390/pr13092735
Submission received: 18 July 2025 / Revised: 19 August 2025 / Accepted: 20 August 2025 / Published: 27 August 2025

Abstract

With the widespread adoption of intelligent electronic devices (IEDs) in smart substations, the real-time data transmission and interoperability features of the IEC 61850 communication standard play a crucial role in ensuring seamless automation system integration. This paper presents a hardware-in-the-loop (HIL) platform experiment analysis based on a simulated IED and man-in-the-middle (MITM) attack, leveraging built-in IEC 61850 protocol software to replicate an existing substation communication architecture in cyber-physical systems. This study investigates the framework performance and protocol robustness of this approach. First, the physical network infrastructure of smart grids is analyzed in detail, followed by the development of an HIL testing platform tailored for discrete communication network scenarios. Next, virtual models of intelligent electrical equipment and MITM attacks are created, along with their corresponding communication layer architectures, enabling comprehensive simulation analysis. Finally, in the 24 h stability operation test and the tests of three typical fault scenarios, the simulated IED achieves a 100% protocol conformance pass rate, its protection action decisions are completely consistent with those of the physical IED, the end-to-end delay is less than 4 ms, and the measurement accuracy matches the accuracy class of the physical IED, which verifies that the proposed test platform can effectively guide the commissioning of smart substations.

1. Introduction

With the large-scale application of components such as controllers, sensors, and actuators in smart grids, the management of modern smart grids has become more complex [1,2,3]. Using intelligent electronic devices (IEDs) to perform protection and control operations is one of the keys to realizing the accurate and efficient operation of these components. Because IEDs use IEC 61850 as the standard communication protocol, interoperability between substation equipment from different manufacturers is ensured [4,5,6]. On the other hand, the importance of network security in a substation based on the IEC 61850 communication protocol is indisputable [7,8,9,10]: the open architecture of the IEC 61850 protocol also introduces new risks such as false data injection and denial-of-service attacks [11,12,13,14]. In order to meet the requirements of a deployment scenario, complete tests are carried out before implementation. However, because the real-time monitoring and control system must make appropriate decisions, carrying out these tests directly on the power grid often causes problems. Therefore, the pre-operation testing of cyber-physical systems (CPS) composed of multiple communication layers has become an urgent challenge for the current smart grid.
The IEC 61850 standard provides a unified information model and service model for seamless communication in substation automation (SA) systems [15,16,17]. Its ultimate goal is to form a standard, open substation SA communication system that can not only adapt to the future development of communication technology but also ensure the interoperability of multi-vendor IEDs and meet the requirements of high power grid reliability and low investment cost [18,19]. Interoperability mainly concerns the interaction between the continuous power network and the discrete communication network in a CPS. At present, the most commonly used solutions are the non-real-time co-simulation method [20] and the real-time co-simulation method [21]. In order to keep the continuous power network and the discrete communication network synchronized, the non-real-time co-simulation method frequently starts and stops the simulation program, which makes the simulation process and time too long and the efficiency low; the real-time co-simulation method can currently only realize point-to-point communication in the communication network, which cannot meet the one-to-many requirements of IED devices and brings problems such as a larger number of devices and significant investment. Therefore, this paper uses the hardware-in-the-loop (HIL) method to simulate the smart grid on real-time equipment [22] and uses the built-in IEC 61850 protocol software to recreate the existing communication architecture of a given substation; however, the network security problems of the IEC 61850 protocol must inevitably be faced. The details are shown in Table 1.
The joint operation of the power system simulation tool DIgSILENT and the information system simulation tool MATLAB has been realized on the basis of OPC technology, which can effectively reflect the interaction between the information and physical systems, and wide-area damping control can effectively suppress low-frequency oscillation of the power system [23]. In order to evaluate the performance of a CPPS algorithm, which may be affected by the characteristics of the physical targets and the actual communication conditions, a hardware-in-the-loop test platform combining the real-time simulator RT-LAB with OPNET has been proposed, which can simulate the dynamic characteristics of a CPPS at high speed and accurately; the integrated simulation process is introduced, and its effectiveness is verified by a case of cooperative active power output control [24]. Hardware-in-the-loop technology has been used to connect a real-time analog grid test bench with physical IEDs; the test bench receives the analog signal from the real-time digital simulation bench through a power amplifier, but at the cost of using multiple physical IEDs [25,26]. Aiming at the impact of false data attacks on power flow characteristics, the literature analyzes the cascading failure process and the state estimation of the system structure, and proposes both a coping strategy for information network faults based on the two-hop neighbor algorithm and an optimal load shedding strategy for grid faults based on the optimal power flow model [27]. Based on the modeling of the power CPS and its cyber-physical interaction mechanism, corresponding security defense strategies have been proposed from the three aspects of information failure source analysis, cross-space failure propagation analysis, and security assessment index calculation [28].
Based on the deep coupling between the information system and the physical system in a CPS, a real-time simulation platform based on an improved cooperation mode has been proposed; the simulation results verify the effectiveness of the platform, but it still cannot resolve the contradiction between communication demand and investment [29]. A real-time simulation test platform has been built using a real-time digital simulator and a programmable logic controller, which can adjust parameters and structure according to actual needs and has good flexibility and usability [30]. A real-time digital simulator has been applied to a grid-connected photovoltaic system, realizing power tracking and grid-connected control of the photovoltaic system and providing a convenient experimental means for studying microgrid characteristics [31]. By connecting some IEDs to an HIL real-time simulator environment, the protection logic can be executed in the real-time simulator, which expands the usable range of the CPS interface layer test bench, but the problem of high investment cost remains unsolved [32]. Emerging virtualization and resource optimization technologies have been integrated to build a new generation of HIL test architecture: FPGA dynamic allocation provides hardware acceleration for high-frequency equipment while low-frequency loads run as parallel CPU computations, non-critical IEDs are replaced with software models, the physical behavior of virtual nodes is accurately reproduced in a 10 kV ring network test, and hardware costs and computing resources are significantly reduced [33]. Combined with a real-time collaborative simulation platform, a composite disturbance of false data and communication interruption was injected to verify the resilience of wide-area damping control; the virtual IEDs replaced 80% of the physical IEDs, and the test cost was reduced by 67.4%. The defense strategy based on GOOSE channel switching in the MITM attack test reduced the fault isolation time to 68 ms, providing an economical and reliable test paradigm for highly distorted distribution networks [34].
In conclusion, this paper presents an HIL test platform experiment analysis based on simulated IED and MITM attacks. Using IEC61850 protocol software, we reconstruct an existing substation communication architecture to analyze framework performance and protocol robustness. The methodology begins with a detailed examination of smart grid network-physical systems, followed by HIL platform development for discrete communication network testing. Simulated IEDs and MITM attacks are implemented in two communication layer modeling scenarios, with subsequent performance analysis. The results confirm the operational accuracy of simulated IEDs while validating the robustness and effectiveness of the proposed testing platform.
The main contributions of this paper are as follows:
An HIL test platform based on a simulated IED and man-in-the-middle attack is proposed. The existing communication architecture of a given substation is recreated using the built-in IEC 61850 protocol software. The communication delay, data transmission accuracy, and network security vulnerabilities of the GOOSE and SV messages of the IEC 61850 standard and of the MMS server protocol of general IEDs are analyzed;
Three different scenarios are created to study the protection logic of short-circuit current protection, overload protection, and network unbalance tests. Scenario 1 introduces microgrid fault isolation, and the delay for the physical IED to send and receive GOOSE messages is obtained. Scenario 2 introduces the simulated IED, analyzes the behavior of its protection mechanism under overload and unbalanced current faults, and compares the real performance of the simulated IED with that of the physical IED. Scenario 3 introduces an MITM network attack in the distributed energy system and judges the effectiveness of the test platform according to the EVCS fault isolation.

2. Smart Grid CPS Business

The concept of CPS was first proposed by the National Science Foundation (NSF) in 2006 [36]. Its core is to build a real-time interactive closed loop between the information space and the physical system through the deep integration of computing, communication, and control capabilities, so that the physical system gains higher autonomy, reliability, and security. The power system has become the natural carrier of the CPS concept because of its wide-area distributed characteristics. Compared with a traditional pure digital system, power grid CPS emphasizes the dynamic coupling of information space and physical space. It can realize millisecond-level state perception and control instruction execution through physical IEDs and integrate multi-source heterogeneous devices in the power network under a unified architecture, so that devices from different manufacturers can interact seamlessly in the information layer. When attacked from an external network, it can also trigger physical isolation and information reconstruction synchronously [37,38].
The CPS architecture of power grids comprises three integrated frameworks: the power network layer, communication network layer, and information decision-making layer, as illustrated in Figure 1. The power network layer primarily consists of core equipment for power generation, transmission, distribution, and transformation processes; the communication network layer incorporates devices such as routers, switches, communication protocols, optical cables, and firewalls for data transmission; while the information decision-making layer includes operator workstations (OWS), SCADA servers, security devices, and other information subsystems for data processing, decision-making, and state management. Sensors deployed across the power network layer collect operational data, which is transmitted via the communication network layer to the information decision-making layer. The control center within this layer generates control commands based on predefined parameters and processes, then delivers them through the communication network layer to IEDs in the power network layer for precise equipment monitoring and control. The extensive sensor network in the power system provides massive datasets, while advances in communication technology enhance transmission efficiency, collectively enabling accurate decision-making in the information layer.
The key difficulty of power grid CPS business is to handle the interaction between the continuous power network and the discrete communication network. Building a simulation platform is one of the effective methods to solve this problem. Based on an HIL real-time test platform, this paper uses the IEC 61850 protocol stack built into the Typhoon HIL 404 software to create three scenarios that apply the existing communication architecture of a given substation, and studies the framework performance and protocol robustness of the proposed method. Scenario 1 uses a real physical IED to study the delay of the communication system, aiming to accurately describe the system delay of the discrete communication network. However, in the actual application of complex systems, multiple IEDs are required to test the performance of a coordination strategy; in scenario 2, building on scenario 1, a simulated IED running in real time on the HIL equipment is designed, and the working accuracy of the physical IED in scenario 1 is compared with that of the simulated IED in order to prove the accuracy and practicability of the simulated IED; in scenario 3, new elements such as distributed renewable energy and electric vehicle charging stations (EVCS) are added, and man-in-the-middle (MITM) attacks are carried out on the power grid, resulting in the isolation of the EVCS, thus verifying the effectiveness of the proposed test platform.

3. Test Bench Scene Construction

The power grid test platform employed in this research was constructed according to the power system network model outlined in the literature [35]. It operates at a nominal voltage of 110 kV with a working frequency of 50 Hz. The base power grid includes three constant-power loads consuming a combined total of 700 kW, along with one diesel generator (DG) configured with a rated power of P1 = 300 kW and a rated frequency of f = 50 Hz. Additional power demand is supplied via an equivalent grid bus.

3.1. Scenario 1

This testing scenario employs HIL technology, utilizing real, physical IEDs as test subjects. Its primary objective is to validate the accuracy of logical decision-making processes and the reliability of communication timing mechanisms. The tested IEDs comply with the IEC61850 communication protocol standard, as depicted in Figure 2. The communication framework comprises three layers: substation, bay, and process bus levels, designed according to the IEC61850 substation automation topology. Physical IEDs exchange data with the microgrid’s HIL SCADA panel via an MMS server interface at the substation level, while using GOOSE messaging for peer-to-peer communication at the bay level. Additionally, these IEDs receive data from internally simulated merging units (MUs) within the test environment, which timestamp current measurement samples and generate synchronized sampling value (SV) messages. These analog current signals, sourced from measuring instruments, are converted by MUs into digital data packets for IED processing.
The schematic diagram of the experimental setup for this scenario is shown in Figure 3. The equivalent power grid serves as the power supply source. CBsub1 and CBsub2 are the substation outlet circuit breakers, and BUSsub1 and BUSsub2 are the substation outlet busbars. BUS1, BUS2, BUS3, and BUS4 are the convergence busbars of the transmission network, respectively. CB11, CB12, CB21, CB31, CB32, CB41, and CB42 are the convergence busbar outgoing circuit breakers, CB22 is the interconnection circuit breaker, CB13, CB23, CB33, and CB43 are load feeder circuit breakers, L1–L5 are segmented lines, and Feeder1-Feeder4 are load feeders. The circuit breaker receives the corresponding IED trip command and status from the HIL device input terminal through a hard-wired cable, and the IED receives the MU measurement signal implemented from the microgrid through the Ethernet port.
(1) Segmented line fault handling: When a fault occurs in segment line L5, only IED41 and IED32, corresponding to CB41 and CB32, will detect the short-circuit current and respond to the short-circuit fault, issuing a trip command for instantaneous short-circuit protection. CB41 and CB32 will activate the fault removal logic and fault isolation logic, respectively, to trip. Meanwhile, CB31 and CB33 are still in the closed position, and busbar 3 will be isolated from the power grid next to the faulty line, resulting in unnecessary power outages (load 3 is not powered). To address this issue, IEDs are pre-programmed to exchange protection and interlock GOOSE messages for isolating only the areas where power grid faults occur. IED22 receives the interlock GOOSE message from IED32, confirms that the contact switch CB22 is in the open position, sends a closing signal to prompt CB22 to close, and supplies power to bus 3 through bus 2, ensuring seamless power supply in the shortest possible interruption time.
(2) Load feeder fault: When load Feeder3 fails, the load feeder circuit breaker CB33 cuts off the fault, but there is no need to trigger the “fault isolation successful” GOOSE signal, so the contact switch CB22 does not close.
(3) Abnormal switch failure: L5 has faulted, the CB32 and CB41 switches have failed and refuse to trip, the adjacent switch CB42 cuts off the fault, the adjacent switches CB31 and CB33 isolate the fault, CB31 triggers the “fault isolation successful” GOOSE signal, and the contact switch CB22 starts the power supply recovery logic and closes to complete the supply restoration.
(4) GOOSE communication anomaly: BUS3 has faulted, the network cable connecting CB33 to the switch has failed, and there are communication anomalies between CB31 and CB33, as well as between CB32 and CB33. The GOOSE communication anomaly fault removal logic (overcurrent protection) and isolation logic (voltage loss protection) should be activated: the CB32 overcurrent protection operates, and the CB31 and CB33 voltage loss protection operates. The contact switch CB22 starts the power supply recovery logic and completes the transfer and restoration of power.

3.2. Scenario 2

By implementing simulated IEDs on HIL real-time systems as substitutes for physical IEDs, the two real-time simulators use a fiber-optic link for precise time synchronization, ensuring that the slave HIL device maintains temporal alignment with the master HIL device. The time synchronization mode of the two Typhoon HIL 404 simulators is IEEE 1588 PTP with hardware timestamping over a direct optical fiber connection: one is configured as the PTP master clock and the other as the slave clock, which keeps the time error at the nanosecond level and minimizes jitter and drift. The measured time error per step is less than 50 ns and the jitter is less than 20 ns, so the impact of this error on millisecond-level delay measurements can be ignored. This approach allows researchers to thoroughly examine the IEC 61850 communication protocol in settings without actual physical IEDs. The test platform configuration also facilitates measurement of inter-device communication delays, with the Typhoon HIL 404 device capable of simultaneously simulating up to 12 IEDs, enabling the construction of complex network topologies.
In practical high-voltage protection systems, logic units (IEDs) are typically positioned remotely from grid circuit breakers to allow operators easy configuration adjustments. To closely replicate real-world conditions, this test positions the protective relay on a separate, independent HIL device, which interacts with the microgrid-implemented circuit breaker through a dedicated communication layer between the two HIL devices. At the communication architecture level, horizontal communication between bay-level IEDs responsible for interlocking and protection generally employs the GOOSE protocol for signal transmission, while the physical connection between HIL devices serves only for device interconnection. By directly mapping MMS commands to circuit breakers (CBs), this study accurately captures pure MMS transmission delays.
This section introduces a basic overload test case to evaluate the test platform shown in Figure 4. The microgrid structure used matches that of scenario 1, but the triggering event is an overload on Load 3. As previously described, the platform comprises two HIL devices: one simulates the microgrid test system, while the other runs a simulated IED. These devices communicate through a gateway router connected via the substation bus.
Upon fault occurrence, the simulated IED receives the current and voltage sampled values and compares the measured current against its protection threshold. If an anomaly is detected, the IED’s GOOSE transmission module generates and sends a trip command signal. Upon receiving this signal, the GOOSE subscribers within the microgrid set one logic gate input to 0, forcing the logic gate output to 0 and triggering the circuit breaker (CB) to trip. Notably, microgrid circuit breakers offer dual response modes: they can act on commands pushed by monitoring units via the Manufacturing Message Specification (MMS) or on GOOSE message instructions from IEDs. Within the simulated IED, the protective relay processes the data transmitted by the merging unit (MU). When the data exceed the protection threshold, the relay issues a trip command, which the IED’s GOOSE publisher broadcasts via the Ethernet port. The target circuit breaker’s GOOSE subscriber receives and executes the trip command after validation. State update frequency requirements vary across applications, and this parameter can be flexibly configured; here, the execution time is set to 100 μs.
For each implemented protection mechanism, there are separate settings that can be configured from the SCADA control panel of the simulated IED. Taking the overload protection (ANSI 49) as an example, there are three I-t characteristic curves available for selection in the SCADA panel, as shown in Figure 5, and the relay logic unit calculates the time delay from the selected curve for the given threshold current. The established communication layer comprises station control, bay, and process levels, as shown in Figure 6. The station control layer’s MMS server sends trip commands to the simulated bay-level IEDs via the station bus, which then transmit GOOSE messages to the circuit breakers through the process bus to complete the operations.
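The simulated IED's trip path described in this section (MU samples compared against the ANSI 49 setting, the delay taken from the selected I-t curve, a GOOSE trip forcing one input of the breaker logic gate to 0, a 100 μs execution step), as an added Python example; it is not the paper's Typhoon HIL model, and the three curve constants, the unbalance limit and the `SimulatedIED`/`run_fault` names are assumptions. The same publish/subscribe gate is what the Scenario 1 interlock relies on.

```python
"""Simulated bay-level IED: ANSI 49 inverse-time overload plus an
unbalanced-current element, publishing a GOOSE-style trip that a subscriber
ANDs into the breaker logic gate (one input forced to 0 trips the CB).

Added example, not the paper's Typhoon HIL model. The three selectable I-t
curves are an assumption (IEC 60255-151 standard, very and extremely inverse);
the paper does not name its curves. Sample currents are constructed, in
per-unit of the setting.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STEP_S = 100e-6                       # IED execution step given in the text

# Assumed IEC 60255-151 constants (k, alpha): t = TMS * k / ((I/Is)^alpha - 1)
CURVES = {"SI": (0.14, 0.02), "VI": (13.5, 1.0), "EI": (80.0, 2.0)}


def trip_delay_s(i_rms: float, i_set: float, curve: str, tms: float = 1.0) -> Optional[float]:
    """Operating time of the selected I-t curve; None when below pickup."""
    k, alpha = CURVES[curve]
    ratio = i_rms / i_set
    if ratio <= 1.0:
        return None
    return tms * k / (ratio ** alpha - 1.0)


@dataclass
class GooseMessage:
    publisher: str
    dataset: Dict[str, bool]
    st_num: int            # state number increments on every data change
    t_s: float


@dataclass
class SimulatedIED:
    name: str
    i_set: float
    curve: str = "VI"
    tms: float = 1.0
    unbalance_limit: float = 0.3      # assumed: trip when (Imax - Imin)/Imean exceeds it
    accum: float = 0.0                # fraction of the I-t operating time already elapsed
    st_num: int = 0
    tripped: bool = False

    def step(self, t_s: float, phases: Tuple[float, float, float]) -> Optional[GooseMessage]:
        """Consume one MU sample set; return a GOOSE trip when an element operates."""
        if self.tripped:
            return None
        i_mean = sum(phases) / 3.0
        unbalance = (max(phases) - min(phases)) / i_mean if i_mean > 0 else 0.0
        delay = trip_delay_s(max(phases), self.i_set, self.curve, self.tms)
        if delay is None:
            self.accum = max(0.0, self.accum - STEP_S)   # slow reset below pickup
        else:
            self.accum += STEP_S / delay                 # dwell-time integration of the curve
        if unbalance > self.unbalance_limit or self.accum >= 1.0:
            self.tripped = True
            self.st_num += 1
            return GooseMessage(self.name, {"Trip": True}, self.st_num, t_s)
        return None


def breaker_closed(subscribed: List[GooseMessage], mms_close: bool = True) -> bool:
    """Breaker logic gate: AND of the MMS command and every subscribed trip (inverted)."""
    return mms_close and all(not m.dataset.get("Trip", False) for m in subscribed)


def run_fault(phases: Tuple[float, float, float], i_set: float = 1.0,
              curve: str = "VI", max_t_s: float = 30.0) -> Tuple[Optional[float], bool]:
    """Feed a constant fault current until trip or timeout.

    Returns (trip time in s, or None; breaker still closed?) as seen by the subscriber.
    """
    ied = SimulatedIED("IED33", i_set, curve)
    inbox: List[GooseMessage] = []
    n, n_max = 0, int(max_t_s / STEP_S)
    while n < n_max:
        msg = ied.step(n * STEP_S, phases)
        if msg is not None:
            inbox.append(msg)
            break
        n += 1
    trip_t = inbox[0].t_s if inbox else None
    return trip_t, breaker_closed(inbox)


if __name__ == "__main__":
    print("overload 4x on VI:", run_fault((4.0, 4.0, 4.0)))      # trips at about 4.5 s
    print("unbalanced current:", run_fault((1.2, 1.2, 0.6)))     # instantaneous trip
    print("below pickup:", run_fault((0.9, 0.9, 0.9), max_t_s=1.0))
```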

3.3. Scenario 3

To evaluate network security vulnerabilities, network attack simulations were performed on the experimental platform based on the architecture depicted in Figure 7. The platform incorporates multiple protective mechanisms and features a low-voltage EVCS operating at 400 V [39]. Two types of man-in-the-middle attack are considered, data interception and data tampering, which cause the system to fail to operate (refusal to operate) and to operate incorrectly (maloperation), respectively. Data interception is defined as follows: the attacker intercepts the data packets exchanged between the master station and the sub-station, replaces the corresponding bytes of the command packet with the contents of the timing packet held in the buffer, sends it to the sub-station, and returns the sub-station’s response packet to the master station. In this attack mode, the sub-station cannot receive the control command from the master station, but the master station mistakenly believes that the sub-station has received the command and acted, so the sub-station fails to operate. Data tampering is defined as follows: when the attacker detects a command packet, the attack starts, replacing all packets sent by the master station with command packets whose content is randomly set to load shedding or load switching, resulting in maloperation of the sub-station. Although the goal of network attackers when attacking the power grid is to maximize the damage to the grid itself, because of the grid’s own monitoring level, when the grid state deviates too far from the normal state, the adjacent monitoring units in the system can easily detect the grid fault.
After the CPS attacker attacks the power grid information parameters, the physical equipment of the power grid will change to some extent, and in particular, the state information of the power grid power flow calculation near the attack point will change significantly. The DC model of power grid power flow calculation is shown in Formulas (1) and (2) [40]:
$$P = B\theta, \tag{1}$$
$$B = [B_{ij}],\qquad B_{ij} = -\frac{1}{x_{ij}}\ (i \neq j),\qquad B_{ii} = \sum_{j \neq i} \frac{1}{x_{ij}}, \tag{2}$$
where $P$ represents the injected power vector corresponding to the substation; $B$ represents the admittance matrix corresponding to the power grid; $\theta$ represents the phase angle vector corresponding to the substation voltage; $B_{ij}$ represents the element in row $i$ and column $j$ of the admittance matrix $B$ (the diagonal sum runs over the lines $ij$ connected to node $i$); and $x_{ij}$ represents the reactance corresponding to transmission line $ij$.
The calculation of active power distribution matrix Pl on all lines in the grid is shown in Formula (3):
$$P_l = \Lambda \Phi,\qquad \Lambda = \mathrm{diag}\left(b_{l_1}, b_{l_2}, \dots, b_{l_{N_l}}\right), \tag{3}$$
where $\Lambda$ represents the diagonal admittance matrix of all lines in the power grid; $\Phi$ represents the power angle difference vector across all lines in the power grid; and $N_l$ represents the total number of grid branches.
From $P = A\Lambda A^{T}\theta$ and $\Phi = A^{T}\theta$, the relationship between the active power on the system branches and the injected power at the nodes follows directly, as shown in Formula (4):
$$P_l = \Lambda A^{T} B^{+} P = SF \cdot P, \tag{4}$$
where $SF$ represents the sensitivity matrix of the branch active power to the node injected power; $B^{+}$ represents the inverse of matrix $B$; and $A$ represents the node-branch incidence matrix of the power grid system.
The degree and depth of network attack by network attackers need to meet the following constraints, and the constraint formula is shown in Formula (5):
$$\begin{cases} \alpha \cdot D_i^{0} \ge \Delta D_i^{1} \ge \beta \cdot D_i^{0}, & i \in S \\ \alpha \cdot P_m^{0} \ge \Delta P_m^{1} \ge \beta \cdot P_m^{0}, & m \in L_M \end{cases} \tag{5}$$
where $\alpha$ and $\beta$ represent the upper and lower boundary coefficients of the network attack, with values 0.3 and −0.3, respectively; $P_m^{0}$ and $D_i^{0}$ represent the power flow of line $m$ and the power of load node $i$ before the network attack, respectively; $\Delta P_m^{1}$ and $\Delta D_i^{1}$ represent the changes in the power flow of line $m$ and the power of load node $i$ caused by the network attack; $S$ denotes the nodes affected by the network attack (the total number of attacked nodes); and $L_M$ denotes the attacked lines (the number of network attack lines).
The power variation in multiple lines calculated based on DC power flow is shown in Formula (6) [41,42]:
$$\Delta P_l^{1} = \sum_{i \in B} SF_{l,i} \cdot \Delta D_i^{1},\quad l \in L;\qquad \sum_{i \in B} \Delta D_i^{1} = 0, \tag{6}$$
where $SF_{l,i}$ represents the sensitivity of the active power on line $l$ to the injected power of node $i$, $L$ represents all lines in the grid, and $B$ in the summation denotes the set of load nodes whose power is changed (not the admittance matrix of Formula (2)).
Therefore, taking the change degree of active power of all lines in the system as the network attack objective function, the calculation formula is shown in Formula (7):
$$f = \max \sum_{l \in L} \left|\Delta P_l^{1}\right| \cdot (1 - t_l), \tag{7}$$
where $|\Delta P_l^{1}|$ represents the change in active power on line $l$ and $t_l$ represents a selection variable whose value depends on whether the branch is disconnected: if the corresponding branch is disconnected, the value is 1; if it is not disconnected, the value is 0.
All constraints based on the power flow calculation and analysis and on the data attack range are shown in Formula (8):
$$\begin{cases} \sum_{i \in N} \Delta P_i^{1} = 0 \\ \Delta P_i^{1} = \sum_{i \in N} SF \cdot \Delta D_i^{1} \\ \alpha \cdot D_i^{0} \ge \Delta D_i^{1} \ge \beta \cdot D_i^{0}, & i \in B \\ \alpha \cdot P_m^{0} \ge \Delta P_m^{1} \ge \beta \cdot P_m^{0}, & m \in L_M \end{cases} \tag{8}$$
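Formulas (1)–(8) carried through on a small constructed network, as an added Python example that is not code from the paper: it builds $B = A\Lambda A^{T}$ and $SF = \Lambda A^{T}B^{+}$, propagates a bounded load-data change $\Delta D$ into the line flows $\Delta P_l^{1}$, evaluates $f$, and checks the $\alpha/\beta$ bounds of Formula (8). The 3-node network, the injections and the function names are assumptions; the monitor-side use is to know how large a flow deviation a bounded false-data change can produce before it is flagged.

```python
"""DC power flow sensitivity check for bounded load-data perturbations.

Added example, not code from the paper. Implements Formulas (1)-(8) on a
constructed 3-node, 3-line network (illustrative per-unit values):
B = A Λ A^T, θ = B^+ P, P_l = Λ A^T θ, SF = Λ A^T B^+, the α/β bounds and f.
"""
from typing import List, Optional, Sequence

Matrix = List[List[float]]

# Constructed sample network; node 0 is the slack bus (θ_0 = 0).
NODES = 3
LINES = [(0, 1, 0.10), (1, 2, 0.20), (0, 2, 0.25)]  # (from node, to node, x_ij)
ALPHA, BETA = 0.3, -0.3                             # boundary coefficients of Formula (5)


def incidence() -> Matrix:
    """Node-branch incidence matrix A (NODES x lines): +1 at 'from', -1 at 'to'."""
    A = [[0.0] * len(LINES) for _ in range(NODES)]
    for l, (i, j, _) in enumerate(LINES):
        A[i][l], A[j][l] = 1.0, -1.0
    return A


def lam() -> Matrix:
    """Λ = diag(b_l) with b_l = 1 / x_l (Formula (3))."""
    n = len(LINES)
    return [[1.0 / LINES[r][2] if r == c else 0.0 for c in range(n)] for r in range(n)]


def matmul(X: Matrix, Y: Matrix) -> Matrix:
    return [[sum(X[r][k] * Y[k][c] for k in range(len(Y)))
             for c in range(len(Y[0]))] for r in range(len(X))]


def transpose(X: Matrix) -> Matrix:
    return [list(col) for col in zip(*X)]


def inverse(M: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting (adequate for small dense matrices)."""
    n = len(M)
    aug = [row[:] + [1.0 if r == c else 0.0 for c in range(n)] for r, row in enumerate(M)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def admittance() -> Matrix:
    """B = A Λ A^T: B_ij = -1/x_ij off the diagonal, B_ii = Σ 1/x_ij (Formula (2))."""
    A = incidence()
    return matmul(matmul(A, lam()), transpose(A))


def b_plus() -> Matrix:
    """B^+: invert B with the slack row/column removed, then re-embed zeros for the slack."""
    B = admittance()
    red_inv = inverse([row[1:] for row in B[1:]])
    Bp = [[0.0] * NODES for _ in range(NODES)]
    for r in range(1, NODES):
        for c in range(1, NODES):
            Bp[r][c] = red_inv[r - 1][c - 1]
    return Bp


def sensitivity_matrix() -> Matrix:
    """SF = Λ A^T B^+ (Formula (4)): sensitivity of line flows to node injections."""
    return matmul(matmul(lam(), transpose(incidence())), b_plus())


def line_flows(P: Sequence[float]) -> List[float]:
    """P_l = SF · P (Formula (4)); with P = ΔD this is ΔP_l^1 of Formula (6)."""
    return [sum(row[i] * P[i] for i in range(NODES)) for row in sensitivity_matrix()]


def objective(dP: Sequence[float], t: Sequence[int]) -> float:
    """f = Σ_l |ΔP_l^1| · (1 - t_l) (Formula (7)); t_l = 1 marks a disconnected branch."""
    return sum(abs(dp) * (1 - tl) for dp, tl in zip(dP, t))


def within_bounds(D0: Sequence[float], dD: Sequence[float],
                  t: Optional[Sequence[int]] = None) -> bool:
    """Formula (8): power balance plus per-node and per-line α/β bounds.

    D0: pre-attack node injections (loads negative); dD: change per node.
    The min/max form keeps the bound |ΔD| <= 0.3·|D0| valid for negative D0.
    """
    t = t or [0] * len(LINES)
    if abs(sum(dD)) > 1e-9:                      # Σ ΔD_i^1 = 0
        return False
    for d0, dd in zip(D0, dD):                   # α·D_i^0 >= ΔD_i^1 >= β·D_i^0
        if not min(ALPHA * d0, BETA * d0) <= dd <= max(ALPHA * d0, BETA * d0):
            return False
    P0, dP = line_flows(D0), line_flows(dD)
    for p0, dp, tl in zip(P0, dP, t):            # α·P_m^0 >= ΔP_m^1 >= β·P_m^0, connected lines only
        if tl == 0 and not min(ALPHA * p0, BETA * p0) <= dp <= max(ALPHA * p0, BETA * p0):
            return False
    return True


if __name__ == "__main__":
    D0 = [1.0, -0.6, -0.4]          # constructed: generator at node 0, loads at nodes 1 and 2
    print("base flows", line_flows(D0))
    for dD in ([0.0, 0.10, -0.10], [0.0, 0.02, -0.02]):
        dP = line_flows(dD)
        print(dD, "->", dP, "f =", round(objective(dP, [0, 0, 0]), 4),
              "within bounds:", within_bounds(D0, dD))
```

The first perturbation stays inside the node bounds but pushes the lightly loaded line 1–2 beyond 30% of its base flow, so the check rejects it; the second passes, which is the size of change a flow-deviation monitor must be able to see.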
The platform simulates the continuous monitoring and collection of current and voltage data by the protective relays within the IEDs. When values exceed the preset thresholds, a circuit breaker trip command is issued via the GOOSE protocol. Additionally, the monitoring unit can directly adjust the circuit breaker status during emergencies. Notably, the monitoring unit communicates with the local area network (LAN) using unencrypted Manufacturing Message Specification (MMS) messages for two reasons: first, MMS messages have a limited transmission range (they are not broadcast) and, second, physical network access is typically required to manipulate them. However, in EVCS scenarios, the need to grant physical access to charging station operators and potentially lax security measures create opportunities for attackers to infiltrate the network through social engineering or similar tactics.

4. Numerical Study

4.1. Scenario 1 Simulation Analysis

The current data gathered by the measuring unit in conjunction with IED41 during the fault period is illustrated in Figure 8. The fault initiated at 0.8322 s within the observation window and cleared at 0.8795 s, marking a 47.3 ms duration from fault onset to circuit breaker operation. The total fault clearance delay comprises several stages: the delay caused by the digital-to-analog converter of 0.12 ms, the delay of the communication network protocol when packing and unpacking data of 4.35 ms, the IED fault detection processing time of 1.83 ms, and the delay of the real-time simulator of 40.8 ms. The IED’s fault detection processing time can be configured according to the priority of different fault types; the buffer is optimized by queuing theory, and the scheduling algorithm is fixed priority. The real-time simulator delay refers to the time needed to drive the circuit breaker to complete its action after receiving the trip command via GOOSE messaging.
The current measurement readings for Load 3 connected to Busbar 3 are presented in Figure 9. The fault occurred at 0.8323 s, triggering the disconnection of circuit breaker (CB) 41. The faulty line was isolated by opening CB32 at 0.87955 s. IED22 issued a GOOSE closing command at 0.90634 s, causing CB22 to close and restore power supply to Load 2. Consequently, the power interruption duration for Load 3 was approximately 74.04 milliseconds. There is a 12.7-millisecond delay between an IED’s tripping action and the transmission of the GOOSE message to update the status of other IEDs’ circuit breakers. While communication delays for other IEDs can be analyzed separately, their values are generally comparable.

4.2. Scenario 2 Simulation Analysis

To quantify the communication latency precisely, the simulated merging unit (MU) in the microgrid captures the same measurement values at the instant an MMS push command is issued. The circuit breaker responds to the MMS trip signal, which is transmitted over a hardwired connection from the simulated IED on a separate device to the main microgrid, so that no additional GOOSE delay is involved. The timeline of the MMS push is shown in Figure 10. Arrow 1 marks time zero (the MMS trigger command is issued); Arrow 2 marks the start of circuit breaker tripping; Arrow 3 shows the circuit breaker fully open 500 microseconds after the MMS command; Arrow 4 marks the monitoring unit detecting the change in circuit breaker status 900 microseconds after the MMS push command. The 500 microseconds between the MMS server issuing the trip command and the actual breaker operation is defined as the MMS server communication delay. Comparing the timestamp recorded with stVal against the breaker state-change time logged by SCADA reveals a further 400 microseconds associated with the breaker state transition, giving a total of roughly 1 ms (0.9 ms measured), which differs from the experimentally configured value. In the 24 h stability test and the typical fault-scenario tests, the simulated IED achieved a 100% protocol-conformance pass rate, its protection decisions were identical to those of the physical IED, the end-to-end delay was below 4 ms, and its measurement accuracy matched the physical IED's accuracy class 0.5.
Unbalanced current surges and overload conditions were then introduced at Load 3 and the response of the simulated IED's protection functions was captured. As anticipated, GOOSE messages transmitted by the IEDs were received by their subscribers without noticeable delay. The results are shown in Figure 11. Figure 11a shows the unbalanced-current case: the simulated IED analyzes the electrical data collected by the MU and issues a circuit breaker trip command when the current threshold is exceeded. Figure 11b shows the overload case: the simulated IED compares the measured current against the overload protection setting (the ANSI 49 I-t curve of Figure 5) and sends a trip signal through the GOOSE transmitter. For both fault types, the delay between fault occurrence and the corresponding change of circuit breaker (CB) state at the MMS server matches the values computed for the physical IED in Scenario 1. Modifying the setpoints of the simulated IEDs on the SCADA control panel therefore produces correspondingly different action delays, according to the implemented protection strategy.
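As an added illustration of the protection logic exercised in this scenario (and of the threshold-to-GOOSE-trip behaviour of the monitoring unit described earlier), the following Python model is example code written for this page, not the authors' simulated IED. It assumes per-unit RMS phasors delivered by the merging unit, an |I2|/|I1| unbalance element with a definite-time delay, and an ANSI 49 inverse-time overload element of the form t = k/((I/Ip)^2 - 1) integrated over time so that it also handles time-varying current; the pickup values, the 20 ms unbalance delay, the curve constant k, the cool-down rule and the GOOSE control-block name are assumptions, not settings taken from the paper.

```python
"""Simplified simulated-IED protection core (added example, not the paper's code).

Assumed: per-unit RMS phasors from the merging unit, pickup settings, the
ANSI 49 curve constant k, the definite-time delay of the unbalance element,
and the layout of the GOOSE-style trip record.
"""
import cmath
import math
from dataclasses import dataclass
from typing import Optional, Tuple

A = cmath.exp(2j * math.pi / 3)  # 120-degree rotation operator


def sequence_magnitudes(ia: complex, ib: complex, ic: complex) -> Tuple[float, float]:
    """Return (|I1|, |I2|): positive- and negative-sequence current magnitudes."""
    i1 = (ia + A * ib + A * A * ic) / 3
    i2 = (ia + A * A * ib + A * ic) / 3
    return abs(i1), abs(i2)


@dataclass
class GooseTrip:
    """What the publisher would put into the GOOSE dataset on a trip."""
    go_id: str
    st_num: int   # incremented on every state change
    sq_num: int   # restarts at 0 on a state change, then counts retransmissions
    t: float      # time of the state change, s
    element: str  # which protection element operated
    trip: bool = True


@dataclass
class SimulatedIED:
    go_id: str = "IED_LD0/LLN0$GO$gcbTrip"  # assumed control-block reference
    unbalance_ratio: float = 0.30   # |I2|/|I1| pickup (assumed)
    unbalance_delay: float = 0.020  # definite time, s (assumed)
    overload_pickup: float = 1.10   # pu (assumed)
    overload_k: float = 3.0         # ANSI 49 curve constant, s (assumed)
    st_num: int = 0
    _unb_timer: float = 0.0
    _thermal: float = 0.0           # fraction of the inverse-time budget consumed
    _tripped: bool = False

    def step(self, t: float, dt: float, ia: complex, ib: complex, ic: complex) -> Optional[GooseTrip]:
        """Process one measurement sample; return a trip record when an element operates."""
        if self._tripped:
            return None
        i1, i2 = sequence_magnitudes(ia, ib, ic)

        # Unbalance element: ratio above pickup must persist for the definite time.
        if i1 > 0 and i2 / i1 > self.unbalance_ratio:
            self._unb_timer += dt
        else:
            self._unb_timer = 0.0
        if self._unb_timer + 1e-12 >= self.unbalance_delay:
            return self._trip(t, "unbalance")

        # ANSI 49 inverse-time element: t_trip = k / (m^2 - 1), m = I / Ip.
        # Integrating dt / t_trip lets the element follow a changing current.
        m = max(abs(ia), abs(ib), abs(ic)) / self.overload_pickup
        if m > 1.0:
            self._thermal += dt * (m * m - 1.0) / self.overload_k
        else:  # assumed cool-down: release the budget over k seconds
            self._thermal = max(0.0, self._thermal - dt / self.overload_k)
        if self._thermal >= 1.0:
            return self._trip(t, "overload")
        return None

    def _trip(self, t: float, element: str) -> GooseTrip:
        self._tripped = True
        self.st_num += 1  # state change: stNum increments and sqNum restarts at 0
        return GooseTrip(self.go_id, self.st_num, 0, t, element)


def run_case(ied: SimulatedIED, phasors, dt: float = 0.001, duration: float = 1.5) -> Optional[GooseTrip]:
    """Feed constant phasors for `duration` seconds; return the first trip or None."""
    for k in range(int(round(duration / dt))):
        trip = ied.step(k * dt, dt, *phasors)
        if trip:
            return trip
    return None


# Constructed test phasors (pu), a-b-c rotation; not measurements from the paper.
BALANCED = (1.0, A * A, A)
PHASE_B_SAG = (1.0, 0.2 * A * A, A)        # |I2|/|I1| = 0.36 > pickup
OVERLOAD_2PU = (2.0, 2.0 * A * A, 2.0 * A)  # t_trip = 3 / ((2/1.1)^2 - 1) = 1.30 s

if __name__ == "__main__":
    for name, case in (("balanced", BALANCED), ("phase B sag", PHASE_B_SAG), ("2 pu overload", OVERLOAD_2PU)):
        print(name, "->", run_case(SimulatedIED(), case))
```

The two elements are deliberately independent: the unbalance element trips on the sequence ratio within 20 ms of the sag appearing, while the overload element only trips when the integrated inverse-time budget is exhausted, which is what makes the "action delay depends on the setpoint" observation above reproducible by changing `overload_pickup` or `overload_k`.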

4.3. Scenario 3 Simulation Analysis

MITM attacks allow an adversary to intercept, and potentially manipulate, the information exchanged over a communication channel without authorization. The moment of the attack, as captured by the merging unit (MU) deployed in the microgrid, is shown in Figure 12. After the MITM attack algorithm was executed, the simulated IED issued a circuit breaker trip command and CB33 isolated the electric vehicle charging station (EVCS) as if a fault had occurred. The monitoring unit, however, kept receiving normal measurement data, including current and voltage readings, that suggested no operational abnormality: from its perspective the EVCS remained connected to the grid and no trip event had occurred. This is the practical consequence of the unencrypted MMS traffic discussed above: a trip command injected on the LAN is, to the receiving device, indistinguishable from a genuine one. In systems with multiple EVCSs or other distributed energy resource (DER) endpoints, an attacker in a MITM position can exploit firmware or software vulnerabilities in the EVCS management system (EVCSMS), such as unencrypted update endpoints and weak authentication, to implant malicious code on many stations at once and assemble the EVCS nodes into a botnet; exposed EVCSMS portals can be located with search engines such as Shodan, and default credentials or SQL injection vulnerabilities then enable lateral movement [43].
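The following Python example, written for this page and not part of the authors' platform, contrasts the unauthenticated subscriber behaviour that lets an injected trip succeed with the two checks a defender would add on the receiving side: continuity of the GOOSE stNum/sqNum counters (the traffic-pattern approach of [11] and the IEC 62351-7 style monitoring of [13]) and a cross-layer consistency check that refuses a trip while the merging-unit current is below pickup, which is exactly the symptom in Scenario 3. The messages are modelled as plain dictionaries carrying the GOOSE PDU field names (goID, stNum, sqNum, t, allData) rather than the real BER-encoded APDU; the capture, the goID and the pickup value are constructed for the example.

```python
"""GOOSE trip injection: naive subscriber versus hardened subscriber
(added example, not the paper's code). Messages are plain dicts with GOOSE PDU
field names; the capture below is constructed, not recorded on the platform.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GooseState:
    st_num: int = -1
    sq_num: int = -1
    data: Tuple = ()


def naive_subscriber(msg: Dict, breaker: Dict) -> bool:
    """Unauthenticated subscriber: any frame with the Trip bit set opens the CB."""
    if msg["allData"]["Trip"]:
        breaker["open"] = True
    return breaker["open"]


class HardenedSubscriber:
    """Validates counter continuity and cross-checks trips against measurements.

    A stNum rollback can also happen legitimately after a publisher restart, so in
    production these rejections should raise an alarm for review, not be silent.
    """

    def __init__(self, go_id: str, pickup_pu: float):
        self.go_id = go_id
        self.pickup_pu = pickup_pu
        self.state = GooseState()

    def check(self, msg: Dict, i_measured_pu: float) -> Tuple[bool, str]:
        if msg["goID"] != self.go_id:
            return False, "goID mismatch"
        st, sq = msg["stNum"], msg["sqNum"]
        data = tuple(sorted(msg["allData"].items()))
        s = self.state
        if s.st_num >= 0:  # after the first message we can check continuity
            if st == s.st_num:
                # Retransmission: sqNum must advance and the dataset must not change.
                if sq <= s.sq_num:
                    return False, "replayed or out-of-order sqNum"
                if data != s.data:
                    return False, "data changed without stNum increment"
            elif st == s.st_num + 1:
                if sq != 0:
                    return False, "state change must restart sqNum at 0"
            else:
                return False, f"stNum jump or rollback ({s.st_num} -> {st})"
        # Cross-layer check: a trip while the MU reports no overcurrent is suspect.
        if msg["allData"]["Trip"] and i_measured_pu < self.pickup_pu:
            return False, "trip inconsistent with measured current"
        self.state = GooseState(st, sq, data)
        return True, "accepted"


GO_ID = "IED33_LD0/LLN0$GO$gcbTrip"  # assumed control-block reference


def goose(st: int, sq: int, trip: bool, t: float) -> Dict:
    return {"goID": GO_ID, "stNum": st, "sqNum": sq, "t": t, "allData": {"Trip": trip}}


# Constructed capture: (GOOSE message, merging-unit current in pu at that instant).
CAPTURE: List[Tuple[Dict, float]] = [
    (goose(5, 0, False, 0.000), 1.00),  # steady-state heartbeat
    (goose(5, 1, False, 0.010), 1.00),  # retransmission
    (goose(5, 2, True, 0.020), 1.00),   # injected: Trip flipped inside the same stNum
    (goose(6, 0, True, 0.030), 1.00),   # injected: well-formed state change, no fault
    (goose(6, 0, True, 0.500), 3.20),   # genuine trip during a real overcurrent
]


def run_capture(capture=CAPTURE) -> Tuple[Optional[int], List[Tuple[bool, str]]]:
    """Return the index at which the naive CB opened and the hardened decisions."""
    breaker = {"open": False}
    naive_opened_at = None
    hardened = HardenedSubscriber(GO_ID, pickup_pu=1.10)
    decisions = []
    for idx, (msg, i_pu) in enumerate(capture):
        if naive_subscriber(msg, breaker) and naive_opened_at is None:
            naive_opened_at = idx
        decisions.append(hardened.check(msg, i_pu))
    return naive_opened_at, decisions


if __name__ == "__main__":
    opened_at, decisions = run_capture()
    print("naive subscriber opened CB at message", opened_at)
    for idx, (ok, reason) in enumerate(decisions):
        print(idx, "ACCEPT" if ok else "REJECT", reason)
```

Message 3 passes every counter check, which is why counter validation alone is insufficient against an attacker who has observed the live stream; only the comparison with the merging-unit data catches it. Neither check replaces message authentication (IEC 62351-6) on the process bus; they are the monitoring layer a platform like this one can evaluate.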

5. Conclusions

In this paper, an HIL platform experiment analysis based on a simulated IED and MITM attacks is proposed. The existing communication architecture of a given substation is reproduced using built-in IEC 61850 protocol software, and the framework performance and protocol robustness of the proposed method are studied. The simulated IED and the man-in-the-middle attack are applied to the communication layer model of three scenarios. The simulation results verify the accuracy of the proposed simulated IED and the effectiveness of the test platform. The following conclusions are drawn:
(1)
An HIL real-time test platform is built to study the implementation logic of power system protection, and three scenarios are proposed to analyze the communication delay, data transmission accuracy and network security vulnerabilities of a simulated IED equipped with the IEC 61850 GOOSE message, SV message and MMS server protocols.
(2)
Scenario 1 represents microgrid fault isolation, and the delay of sending and receiving GOOSE messages by the physical IED is quantified. Scenario 2 introduces the simulated IED and examines its protection behaviour under overload and unbalanced-current faults; it verifies that the simulated IED can replace the physical IED with equivalent performance. Scenario 3 introduces a MITM attack into the distributed energy system and shows that the injected trip command isolates the EVCS while the monitoring unit continues to report normal conditions. In the 24 h stability test and the three typical fault-scenario tests, the simulated IED achieved a 100% protocol-conformance pass rate, its protection decisions were identical to those of the physical IED, the end-to-end delay was below 4 ms, and its measurement accuracy matched the physical IED's accuracy class 0.5, which verifies that the proposed platform can effectively guide the commissioning of smart substations.
(3)
In the future, the automated protection mechanisms and new-energy construction of smart substations will make power grids more complex and variable. Follow-up research can extend the platform to an actual distribution network, introduce further network attack scenarios, and propose corresponding detection methods and countermeasures.

Author Contributions

Conceptualization, K.L., R.S., W.Z., H.G., J.H. and H.Z.; methodology, K.L., R.S., W.Z., H.G., J.H. and H.Z.; software, K.L., R.S., W.Z., H.G., J.H. and H.Z.; validation, K.L., R.S., W.Z., H.G., J.H. and H.Z.; writing—original draft preparation, K.L., R.S., W.Z., H.G., J.H. and H.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

Authors Ke Liu, Rui Song, Wenqian Zhang, Han Guo and Jun Han were employed by the State Grid Qinghai Electric Power Company Electric Power Science Research Institute. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest. The State Grid Qinghai Electric Power Company Electric Power Science Research Institute had no role in the design of the study, the collection, analysis, or interpretation of data, the writing of the manuscript, or the decision to publish the results.

References

  1. Hu, P.; Li, L.; Zhang, B.; Wang, L.; Wu, B.; Chen, F. Influence analysis of interactive cascading failures in smart grid. Smart Power 2021, 49, 69–76. [Google Scholar]
  2. Wang, S.; Shi, L.; Gu, R. Evaluation of primary equipment operation state in smart grid based on TOPSIS. Distrib. Util. 2021, 38, 56–60. [Google Scholar] [CrossRef]
  3. Deng, M. Key technologies of power big data for smart grid application. Sci. Technol. Innov. 2022, 1, 7–9+12. [Google Scholar] [CrossRef]
  4. Hou, Y.; Xu, X.; Wang, Y.; Zheng, Y.; Hu, W.; Liu, G. Development of a novel on-site tester for AC charging spot. Electr. Meas. Instrum. 2021, 58, 190–195. [Google Scholar] [CrossRef]
  5. Deng, J.; Jiang, F.; Tu, C. Study of NIST’s interoperable smart grid technology architecture. Power Syst. Prot. Control 2020, 48, 9–21. [Google Scholar] [CrossRef]
  6. Liu, R.; Li, X.; Du, J.; Lu, Y.; Ding, Y. Integrated marketing, distribution and dispatching modeling method based on smart grid architecture model. Electr. Power Inf. Commun. Technol. 2022, 20, 18–25. [Google Scholar] [CrossRef]
  7. Zhu, Y. Communication network analysis of intelligent substation based on IEC61850. Autom. Appl. 2022, 91–93. [Google Scholar] [CrossRef]
  8. Sun, Y.; Tu, Q.; Zhao, Z.; Huang, Z.; Zhao, Y.; Li, K. Intelligent transmission technology of fault information in a resilient distribution network based on 5G and IEC61850. Power Syst. Prot. Control 2022, 50, 108–117. [Google Scholar] [CrossRef]
  9. Yang, H.; Xu, H.; Zhang, J. Stability analysis of cyber-physical systems based on predictive control under denial of service attacks with incomplete information. Inf. Control 2018, 47, 75–80+89. [Google Scholar] [CrossRef]
  10. Ruan, L.; Shen, Y.; Wang, Z.; Li, G. Application of role-based access control in cyber security of substation. Zhejiang Electr. Power 2022, 41, 86–93. [Google Scholar] [CrossRef]
  11. Stiawan, D.; Suprapto, B.Y.; Setiawan, H.; Arifin, M.A.S. Introduction to GOOSE Data Communication Attack Traffic Pattern in IEC 61850. In Proceedings of the 2024 11th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI), Yogyakarta, Indonesia, 26–27 September 2024; pp. 256–261. [Google Scholar] [CrossRef]
  12. Bhattacharya, S.; Saqib, N.; Govindarasu, M. ML-based Anomaly Detection System for IEC 61850 Communication in Substations. In Proceedings of the 2024 IEEE Power & Energy Society General Meeting (PESGM), Seattle, WA, USA, 21–25 July 2024; pp. 1–5. [Google Scholar] [CrossRef]
  13. Albarakati, A.; Robillard, C.; Karanfil, M.; Kassouf, M.; Debbabi, M.; Youssef, A. Security Monitoring of IEC 61850 Substations Using IEC 62351-7 Network and System Management. IEEE Trans. Ind. Inform. 2022, 18, 1641–1653. [Google Scholar] [CrossRef]
  14. Boeding, M.; Hempel, M.; Sharif, H.; Lopez, J.; Perumalla, K. A Testbed for Evaluating Performance and Cybersecurity Implications of IEC-61850 GOOSE Hardware Implementations. In Proceedings of the 2023 IEEE 20th Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, 8–11 January 2023; pp. 1–6. [Google Scholar] [CrossRef]
  15. Wang, M.; Wang, Y.; Deng, L. Research on Communication Security of Photovoltaic Power Generation System IEC 61850. J. Shanghai Univ. Electr. Power 2022, 38, 48–55. [Google Scholar]
  16. DL/T 860.6-2012; Communication Networks and Systems for Power Utility Automation—Part 6: Configuration Descriptive Language for Communication in Electrical Substation Related to IEDs. National Energy Administration: Beijing, China, 2012.
  17. Yan, H. Research on On-Line Monitoring of Equipment in Coal Mine Intelligent Substation. Ph.D. Thesis, Xi’an University of Science and Technology, Xi’an, China, 2021. [Google Scholar] [CrossRef]
  18. Liu, G.; Wang, X.; Huang, J.; Wan, X.; Wang, K. Analysis of performance for information of distribution network automation under different transmission protocols. Electr. Meas. Instrum. 2020, 57, 99–105+146. [Google Scholar] [CrossRef]
  19. Yang, X.; Lei, L. Design of fusion communication system for substation based on IEC61850. Mach. Electron. 2021, 39, 28–31+36. [Google Scholar]
  20. Wang, S.; Chen, Z.; Chen, M. Discussion on configuration file free technology of relay protection in smart substation. Zhejiang Electr. Power 2021, 40, 65–71. [Google Scholar] [CrossRef]
  21. Hopkinson, K.; Wang, X.; Giovanini, R.; Thorp, J.; Birman, K.; Coury, D. EPOCHS: A platform for agent-based electric power and communication simulation built from commercial off-the-shelf components. IEEE Trans. Power Syst. 2006, 21, 548–558. [Google Scholar] [CrossRef]
  22. Sun, Z.; Zhao, J.; Zhuang, J.; Cai, G. Research on simulation platform of cyber-physical power system based on OPC. Proc. CSU-EPSA 2022, 34, 70–78. [Google Scholar] [CrossRef]
  23. Wang, Z.; Qi, D.; Mei, J.; Li, Z.; Wan, K.; Zhang, J. Real-time controller hardware-in-the-loop co-simulation testbed for cooperative control strategy for cyber-physical power system. Glob. Energy Interconnect. 2021, 4, 214–224. [Google Scholar] [CrossRef]
  24. Lu, D.; Zhang, Q.; Li, H.; Xiao, J. Time delay prediction and compensation based on mathematical model in hardware-in-loop simulation. Power Electron. 2020, 54, 30–35. [Google Scholar]
  25. Jamborsalamati, P.; Sadu, A.; Ponci, F.; Monti, A. A flexible HiL testing platform for performance evaluation of IEC 61850-based protection schemes. In Proceedings of the Power and Energy Society General Meeting, Boston, MA, USA, 17–21 July 2016. [Google Scholar] [CrossRef]
  26. Li, Z. Vulnerability Analysis and Countermeasures of Power CPS Under False Data Attack. Ph.D. Thesis, Xi’an University of Science and Technology, Xi’an, China, 2022. [Google Scholar] [CrossRef]
  27. Zhu, B.; Guo, Y.; Guo, C.; Jiang, Z.; Zhang, X.Y. A survey of the security assessment and security defense of a cyber physical power system under cyber failure threat. Power Syst. Prot. Control 2021, 49, 178–187. [Google Scholar] [CrossRef]
  28. Rajkumar, V.S.; Tealane, M.; Ştefanov, A.; Palensky, P. Cyber Attacks on Protective Relays in Digital Substations and Impact Analysis. In Proceedings of the 2020 8th Workshop on Modeling and Simulation of Cyber-Physical Energy Systems, Sydney, NSW, Australia, 21 April 2020; pp. 1–6. [Google Scholar] [CrossRef]
  29. Sun, P.; Liu, K.; Qi, D. Cyber security simulation based on real-time simulation platform of cyber physical power system. Electr. Power Constr. 2020, 41, 40–46. [Google Scholar]
  30. Song, G.; Huang, S.; Zhang, L.; Hu, B.; Zhao, J.; Wang, Z.; Su, J. Hardware-in-the-loop simulation platform of distribution system based on RTDS and PLC. Exp. Technol. Manag. 2023, 40, 157–161+177. [Google Scholar] [CrossRef]
  31. Chen, K.; Feng, L.; Jia, L.Z.; Guojie, M.G. Design of digital/physical hybrid simulation platform for photovoltaic grid-connected system based on RTDS. Power Syst. Prot. Control 2014, 42, 42–48. [Google Scholar]
  32. Yang, L.; Cao, X.; Zhou, Y.; Lin, Z.; Zhou, J.; Guan, X.; Wu, Q. Frequency-Constrained Coordinated Scheduling for Asynchronous AC Systems under Uncertainty via Distributional Robustness. IEEE Trans. Netw. Sci. Eng. 2025, 1–18. [Google Scholar] [CrossRef]
  33. Yuan, J. Research on Modeling of Power Electronics Hardware in the Loop Simulation System and FPGA Resource Optimization Method. Ph.D. Thesis, Beijing Jiaotong University, Beijing, China, 2019. [Google Scholar] [CrossRef]
  34. Kumar, K.; Saini, P.; Prakash, A.; Al Jaafari, K.; Zeineldin, H.H. Real-time cyber-physical co-simulation for resilient wide-area damping control against FDIAs and communication disruptions. IEEE Trans. Ind. Appl. 2025, 1–15. [Google Scholar] [CrossRef]
  35. Hemmati, M.; Palahalli, H.; Gruosso, G.; Grillo, S. Interoperability analysis of IEC61850 protocol using an emulated IED in a HIL microgrid testbed. In Proceedings of the 2021 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Aachen, Germany, 25–28 October 2021; pp. 152–157. [Google Scholar] [CrossRef]
  36. Zhang, Y.; Ilic, M.; Prica, M.; Tonguz, O. Imbedding smart relays in large electric power networks: The scalability problem and a possible solution. In Proceedings of the 2006 38th North American Power Symposium, Carbondale, IL, USA, 17–19 September 2006; pp. 457–464. [Google Scholar] [CrossRef]
  37. Wu, W.; Shen, W.; Xu, B. A survey review on integrated safety and security risk analysis of power cyber-physical system. Electr. Meas. Instrum. 2020, 57, 51–59. [Google Scholar] [CrossRef]
  38. Zheng, P. Theoretical architecture and typical scenario applications of cyber physical systems in the distribution network. Electr. Power 2019, 52, 10–16+31. [Google Scholar]
  39. Aljohani, T.; Almutairi, A. Modeling time-varying wide-scale distributed denial of service attacks on electric vehicle charging Stations. Ain Shams Eng. J. 2024, 15, 102860. [Google Scholar] [CrossRef]
  40. Almufleh, F.; Mulla, M.; Alotaibi, K.; Rob, R. Deploying evolution algorithm to secure data of electrical power state estimation from false data injection attack scenario. In Proceedings of the 2023 Saudi Arabia Smart Grid (SASG), Riyadh, Saudi Arabia, 18–20 December 2023; pp. 1–8. [Google Scholar] [CrossRef]
  41. Tian, M.; Cui, M.; Dong, Z.; Wang, X.; Yin, S.; Zhao, L. Multilevel programming-based coordinated cyber physical attacks and countermeasures in smart grid. IEEE Access 2019, 7, 9836–9847. [Google Scholar] [CrossRef]
  42. Jena, S.; Padhy, N.P.; Guerrero, J.M. Multi-layered coordinated countermeasures for DC microgrid clusters under man in the middle attack. IEEE Trans. Ind. Appl. 2024, 60, 2127–2141. [Google Scholar] [CrossRef]
  43. Seo, D.; Yoon, C.; Jo, I.; Park, J.; Kim, Y. Development of AI-based integrated control system for safety management and payment convenience in electric vehicle charging stations. In Proceedings of the CIRED Porto Workshop 2022: E-mobility and Power Distribution Systems, Hybrid Conference, Porto, Portugal, 2–3 June 2022; pp. 47–51. [Google Scholar] [CrossRef]
Figure 1. CPS structure of the power grid.
Figure 2. Scenario 1 communication layer description.
Figure 3. Scenario 1 implementation architecture.
Figure 4. Scenario 2 implementation architecture.
Figure 5. ANSI 49 overload I-t curve.
Figure 6. Scenario 2 communication layer description.
Figure 7. Scenario 3 implementation architecture.
Figure 8. Example of IED41 MU injection single-phase fault.
Figure 9. Measurement current of load 3.
Figure 10. Time instance of the MMS pushed trip.
Figure 11. Experimental capture measurement results: (a) unbalanced current spikes and clearing instances through GOOSE messages (arrow 1: received GOOSE message, arrow 2: CB fully tripped, arrow 3: CB status change in SCADA); (b) overload events and clearing instances through GOOSE messages (arrow 1: received GOOSE message, arrow 2: CB fully tripped, arrow 3: CB status change in SCADA).
Figure 12. Attackers injecting trip signals causing EVCS and network isolation instances.
Table 1. Literature research and analysis ('×' indicates not achieved; '√' indicates achieved).

Literature | Technical route | Network protocol | Scalability | Attack automation | Fidelity | Latency
[25] | HIL: physical IED + RTDS | GOOSE: IED rapid peer-to-peer communication; MMS: client–server communication; RTDS: protection IED integration | × | × | √ | √
[26,28,29] | HIL: physical IED + RTDS | MITM network attack on the GOOSE protocol | × | √ | √ | √
[32] | HIL safety testing platform + physical IEDs + simulated IEDs | GOOSE: IED rapid peer-to-peer communication; MMS: client–server communication; RTDS: protection IED integration | √ | × | √ | √
[35] | HIL CPS safety testing platform + simulated IEDs | GOOSE: IED rapid peer-to-peer communication; MMS: client–server communication | √ | × | √ | √
This paper | HIL CPS safety testing platform + simulated IEDs | GOOSE: IED rapid peer-to-peer communication; MMS: client–server communication | √ | √ | √ | √
Share and Cite

MDPI and ACS Style

Liu, K.; Song, R.; Zhang, W.; Guo, H.; Han, J.; Zou, H. Research on Hardware-in-the-Loop Test Platform Based on Simulated IED and Man-in-the-Middle Attack. Processes 2025, 13, 2735. https://doi.org/10.3390/pr13092735
