Key Takeaways
- Grid Watch is a software‑only DNP3 outstation simulator that runs on a standard laptop, eliminating the need for physical substation hardware.
- It integrates directly with MITRE’s Caldera for OT framework, enabling realistic adversary‑emulation and hands‑on OT cybersecurity training.
- The simulator models a small distribution segment (circuit breaker, backup generator, bus voltage, power‑deficit tracker) and shows immediate physical effects of cyber actions.
- Users can perform reconnaissance, unauthorized control, and multi‑phase disruption scenarios while observing real‑time changes in voltage and load.
- Grid Watch supports network‑ and behavioral‑detection exercises by providing a baseline of legitimate DNP3 traffic for anomaly analysis.
- The platform is built with Python 3.11+, matplotlib for the HMI, and dnp3py for DNP3 communications, and is openly available for community contribution and customization.
Overview of Grid Watch
MITRE’s Caldera for OT team introduced Grid Watch as a lightweight, software‑only DNP3 outstation simulator designed to give OT security practitioners a tangible way to explore how cyber interactions affect power‑system operations. Rather than mimicking a specific vendor’s implementation, Grid Watch abstracts the essential DNP3 protocol behaviors and couples them with a simple electrical‑distribution model. This approach lets users focus on protocol mechanics, adversary tactics, and the resulting physical consequences without getting bogged down by proprietary details or expensive lab equipment. The simulator is deliberately scoped to a small distribution segment—enough to illustrate core concepts while remaining easy to deploy and understand.
Software‑Only Design and Accessibility
A central motivation behind Grid Watch is removing the hardware barrier that often limits hands‑on OT cybersecurity education. By running entirely in software on a standard laptop, the platform makes it possible for students, researchers, and defenders to emulate attacks against a live grid process from virtually anywhere. The simulator listens on TCP port 20000 for DNP3 requests and responds as an outstation would, while a lightweight human‑machine interface (HMI) visualizes the state of the modeled equipment. Because no specialized ICS hardware or substation access is required, learners can quickly spin up the environment, run experiments, and tear it down without logistical overhead.
Development Background
Grid Watch originated as a capstone project by University of Hawaiʻi at Mānoa students Yueming Guo, Lewen Lin, Myra Angelica Ortigosa, and Justin Smith, who collaborated closely with the MITRE Caldera for OT team. Their work built on MITRE’s broader strategy to expand software‑based OT training environments that lower entry costs and increase accessibility. The student team’s contribution focused on creating a realistic yet simple DNP3 outstation, integrating it with Caldera’s adversary‑emulation capabilities, and documenting usage scenarios that align with common OT security training objectives.
Core Components and Functionality
The simulator consists of two primary software components: a DNP3 outstation server and a matplotlib‑based HMI. The outstation listens for DNP3 requests (read, operate, etc.) on port 20000 and maintains the internal state of the modeled grid segment. The HMI continuously polls the outstation using integrity polls to retrieve current operational data, which it displays in real time. Users interact with the system by issuing standard DNP3 commands—such as reading analog inputs or sending DIRECT_OPERATE requests to binary outputs—that control the simulated breaker and generator. These actions instantly affect the simulated voltage and power‑deficit metrics, providing immediate visual feedback on the physical impact of cyber commands.
Real‑Time HMI and Data Flow
The HMI serves as the user’s window into the simulated power system. It plots voltage trends, shows the current power‑deficit level (unmet load demand), and displays the on/off status of the breaker and generator. Each poll from the HMI triggers an integrity request to the outstation, ensuring the displayed values reflect the most recent state. When a user sends a DNP3 operate command—for example, to open the breaker—the outstation updates its internal model, the HMI polls the updated state, and the voltage reading drops accordingly. This closed‑loop flow mirrors how a real SCADA system would respond to field‑device commands, reinforcing the cause‑effect relationship between cyber actions and physical outcomes.
Detection and Monitoring Exercises
Beyond offensive emulation, Grid Watch is deliberately crafted to support defensive training. The platform generates a steady baseline of legitimate DNP3 polling traffic that mimics normal SCADA‑outstation communication. Defenders can use this baseline to calibrate network‑monitoring tools, practice distinguishing legitimate activity from anomalous behavior, and test alerts for unauthorized operate commands, irregular polling intervals, or connections from unexpected sources. By manipulating the simulator—such as injecting rogue operate requests—trainees can observe how their detection mechanisms respond, thereby improving both signature‑based and anomaly‑based detection capabilities in a safe, repeatable environment.
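One way to turn that polling baseline into a detection, shown as an added example that is not part of Grid Watch or the original article: a minimal Python parser that validates DNP3 link-layer framing and CRCs, extracts the application function code, and flags source and function-code pairs absent from a known-good capture. The IP addresses, DNP3 link addresses and frames are constructed sample data, and the code assumes each captured event holds one complete, single-fragment frame.

```python
import struct

# DNP3 application function codes that change outstation state.
CONTROL_FCS = {3: "SELECT", 4: "OPERATE", 5: "DIRECT_OPERATE", 6: "DIRECT_OPERATE_NR"}

def crc_dnp(data):  # CRC-16/DNP: reflected polynomial 0xA6BC, init 0, complemented
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def with_crc(block):  # every link-layer block is followed by its CRC, low byte first
    return block + struct.pack("<H", crc_dnp(block))

def build_frame(dest, src, app):  # one-fragment master request, for sample data only
    user = b"\xC0" + app  # transport header: FIR and FIN set, sequence 0
    head = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user), 0xC4, dest, src)
    return with_crc(head) + b"".join(with_crc(user[i:i + 16]) for i in range(0, len(user), 16))

def function_code(frame):
    """Return the application function code, or None if framing or any CRC is bad."""
    if frame[:2] != b"\x05\x64" or with_crc(frame[:8]) != frame[:10]:
        return None
    user, pos, left = b"", 10, frame[2] - 5  # LEN counts CTRL+DEST+SRC (5) plus user data
    while left > 0:
        n = min(16, left)
        if with_crc(frame[pos:pos + n]) != frame[pos:pos + n + 2]:
            return None  # corrupted or truncated block
        user, pos, left = user + frame[pos:pos + n], pos + n + 2, left - n
    return user[2] if len(user) >= 3 else None  # after transport and app-control bytes

def detect(baseline, observed):
    """Yield (source, reason) for traffic the known-good baseline never showed."""
    known = {(ip, function_code(f)) for ip, f in baseline}
    sources = {ip for ip, _ in known}
    for ip, frame in observed:
        fc = function_code(frame)
        if ip not in sources:
            yield ip, "unexpected source"
        elif (ip, fc) not in known:
            name = "malformed frame" if fc is None else CONTROL_FCS.get(fc, f"function 0x{fc:02X}")
            yield ip, name + " not in baseline"

# Constructed sample data: addresses and IPs are assumptions, not Grid Watch's own.
POLL = build_frame(10, 1, bytes.fromhex("C0013C02063C03063C04063C0106"))  # integrity poll
OPERATE = build_frame(10, 1, bytes.fromhex("C1050C0128010000000401000000000000000000"))
BASELINE = [("10.0.0.5", POLL)] * 3
OBSERVED = [("10.0.0.5", POLL), ("10.0.0.66", POLL), ("10.0.0.5", OPERATE), ("10.0.0.5", POLL[:-1])]
```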
DNP3 Point Model and Controls
Grid Watch exposes a set of DNP3 points that map directly to the simulated process. Analog inputs represent sensor readings like bus voltage, while binary inputs reflect the on/off status of devices such as the breaker and generator. Binary outputs serve as controllable points; issuing a DNP3 operate request to these points changes the corresponding device state. For instance, commanding the breaker output to “open” triggers the outstation to update its internal breaker state, which the HMI then reflects as a loss of voltage and an increase in power‑deficit. This clear point‑to‑function mapping helps learners understand how DNP3 data objects translate into real‑world equipment behavior.
Deployment Requirements and Usage
The simulator is designed for straightforward deployment. It requires Python 3.11 or later and runs on Linux, macOS, and Windows. Dependencies include matplotlib for the HMI and dnp3py for DNP3 communication handling. Users clone the public repository, execute python run.py, and are presented with a menu to start the outstation, launch the HMI, or run a built‑in test client. Comprehensive scenario documentation accompanies the release, guiding users through reconnaissance, unauthorized control, and multi‑phase disruption exercises. MITRE encourages community feedback, contributions, and customization of the included adversary‑profile files to tailor the platform to specific training needs.
Integration with Caldera for OT
Grid Watch plugs directly into MITRE’s Caldera for OT framework, allowing the latter’s adversary‑emulation capabilities to target a live DNP3 process. When a Caldera ability issues a DNP3 command, the command travels over the same TCP 20000 path used by the simulator’s HMI, ensuring that the outstation treats it as a legitimate field‑device request. This tight integration means that users can execute full attack‑lifecycle scenarios—from initial access to impact—while observing the consequent changes in voltage, load, and device status in real time. The seamless coupling reduces setup complexity and focuses the training experience on learning objectives rather than infrastructure configuration.
Broader MITRE OT Simulator Portfolio
Grid Watch is part of a growing suite of MITRE‑provided, software‑only OT training environments. Earlier releases include the Wildcat Dam Modbus simulator and the Aloha Water Treatment Plant BACnet environment, which similarly enable discovery, collection, process‑control impairment, and impact techniques without physical ICS hardware. More recently, MITRE introduced HVACSim, a BACnet‑based building‑automation model that demonstrates how protocol‑level actions influence heating, ventilation, and air‑conditioning systems. Together, these tools illustrate MITRE’s commitment to delivering low‑cost, accessible cyber‑physical training platforms that help defenders build intuition for how OT protocols operate and how cyber threats can manifest in physical consequences.
Conclusion and Call to Action
Grid Watch lowers the traditional barriers to OT cybersecurity education by providing a fully software‑based, real‑time DNP3 outstation that runs on a laptop and integrates with Caldera for OT. Its simple yet realistic model of a distribution segment lets users see instantly how cyber commands—such as opening a breaker or disabling a generator—translate into measurable changes in voltage and power‑deficit. By supporting both offensive emulation and defensive detection exercises, the platform equips students, researchers, and security professionals with practical skills needed to safeguard critical infrastructure. MITRE invites the community to download, experiment with, and contribute to Grid Watch, continuing the effort to make hands‑on OT security training widely available and effective.

