
MITRE expands Caldera for OT with Grid Watch DNP3 simulator for hands-on power grid cybersecurity training


MITRE’s Caldera for OT team introduced Grid Watch, a software-only DNP3 outstation simulator designed to provide hands-on OT (operational technology) cybersecurity training without requiring physical substation hardware. The virtual sandbox models a small electrical distribution segment, including a circuit breaker, backup generator, bus voltage monitoring, and power-deficit tracking, allowing users to observe how DNP3 protocol interactions and adversary actions can affect simulated grid operations in real time. 

In a recent Medium post, MITRE detailed that the Grid Watch platform integrates directly with Caldera for OT and runs entirely in software, making OT security experimentation and adversary emulation accessible from a standard laptop. The release enables defenders, researchers, and students to emulate cyberattacks against a live grid process using Caldera for OT’s DNP3 capabilities. Grid Watch supports scenarios ranging from reconnaissance and unauthorized control to multi-phase grid disruption exercises, demonstrating how commands such as opening breakers or disabling generators can produce immediate operational impacts. 

Created by University of Hawaiʻi at Mānoa students Yueming Guo, Lewen Lin, Myra Angelica Ortigosa, and Justin Smith as a capstone project in collaboration with the MITRE Caldera for OT team, Grid Watch builds on MITRE’s broader effort to expand software-based OT cybersecurity training environments. 

MITRE noted that the environment helps practitioners test network monitoring and behavioral detection by distinguishing legitimate DNP3 traffic from adversary activity, while reinforcing an understanding of how cyber actions translate into physical consequences in critical infrastructure environments. 

Highlighting that access to physical OT hardware is one of the biggest barriers to hands-on cybersecurity education, the MITRE Caldera team added that “Without substation equipment or a DNP3-capable outstation, it’s hard to build real intuition for how power-system protocols work, how field devices exchange data, and how an adversary’s actions translate into physical effects.”

They added that “Grid Watch removes that barrier. It’s a software-only DNP3 outstation that models a small distribution segment and plugs directly into Caldera for OT — so you can run adversary emulation against a live grid process from your laptop.”

Beyond initial-access risk, disruption to grid equipment has direct operational consequences. Manipulating breaker states or generator controls causes immediate changes to voltage and load, and even a single changed control value shows how a cyber action becomes a physical impact. MITRE built Grid Watch in response to this growing intersection of cyber threats and power infrastructure, giving defenders a safe, accessible place to understand and practice these interactions. 

Rather than replicating vendor-specific implementations or serving as a high-fidelity engineering model, Grid Watch demonstrates how DNP3 protocol interactions can influence a simulated power-system process. The environment models a section of an electrical grid that includes a circuit breaker, a backup generator, bus voltage monitoring, and a power-deficit tracker that measures unmet load demand. 

Users interact with the system using standard DNP3 read and operate requests, while breaker and generator controls directly affect the simulated process. Actions such as opening the breaker or disabling the generator trigger real-time changes in voltage and power-deficit readings, allowing users to observe the operational impact of their commands.

Grid Watch consists of two components: a DNP3 outstation server that listens for and responds to DNP3 requests on TCP port 20000 (the standard DNP3 port), and a matplotlib-based human-machine interface (HMI) that continuously issues integrity polls to the outstation to retrieve current operational data. The HMI displays voltage trends, power-deficit levels, and the status of the breaker and generator. Operator actions in the HMI are translated into DNP3 DIRECT_OPERATE commands sent to the outstation over the same protocol path that Caldera for OT uses during adversary emulation, so the interface gives a real-time view of the physical effects of simulated attacks, and every exchange is visible on port 20000 and available for traffic analysis.

The platform also supports network and behavioral detection exercises by generating a consistent baseline of legitimate polling traffic. This allows defenders to identify anomalous activity, such as unauthorized operation commands, irregular polling behavior, or connections originating from unexpected sources, and assess whether monitoring tools can distinguish adversary actions from normal DNP3 communications.
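The two preceding paragraphs describe the traffic a monitoring tool sees on port 20000: periodic integrity polls from the HMI, occasional DIRECT_OPERATE commands, and, during an exercise, adversary requests on the same path. The following Python is an added example written for this article, not code from Grid Watch or Caldera for OT. It parses DNP3 link frames (start bytes, length, control, addresses, CRC-protected data blocks, transport and application headers), then classifies master-to-outstation requests against a polling baseline. The addresses, hosts, and poll cadence are constructed assumptions: an HMI at 10.0.0.10 with DNP3 master address 1 polling every 2 s, an outstation at 10.0.0.20 with address 10, and an adversary host 10.0.0.66. The sample packets are built in the block itself, so it runs offline.

```python
"""Baseline-versus-anomaly triage for DNP3 requests captured on TCP/20000.

Added example for this article; not Grid Watch or Caldera for OT code.
Constructed assumptions: legitimate HMI 10.0.0.10 (DNP3 master address 1)
polling every 2 s, outstation 10.0.0.20 (address 10), adversary 10.0.0.66.
Each packet is an already-reassembled TCP payload holding one link frame.
"""
import statistics

FC_NAMES = {0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
            0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
            0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART", 0x81: "RESPONSE"}
CONTROL_FCS = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}  # state-changing requests
HMI_IP, HMI_ADDR, OUTSTATION_ADDR = "10.0.0.10", 1, 10

# Integrity poll: READ class 1/2/3/0 data (group 60 var 2,3,4,1; qualifier 0x06 = all).
INTEGRITY_POLL = bytes.fromhex("3c0206 3c0306 3c0406 3c0106")
# CROB on binary output index 0 (group 12 var 1, qualifier 0x17, count 1):
# control code 0x81 = TRIP | PULSE_ON, count 1, on 1000 ms, off 0 ms, status 0.
TRIP_BREAKER = bytes.fromhex("0c0117 01 00 81 01 e8030000 00000000 00")


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 (reflected 0xA6BC), init 0, final complement."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(fc: int, app_data: bytes, dst: int, src: int) -> bytes:
    """Single-fragment link frame: transport FIR|FIN, app FIR|FIN seq 0, then objects."""
    user = bytes([0xC0, 0xC0, fc]) + app_data
    # control 0xC4: DIR=1 (from master), PRM=1, link function 4 = unconfirmed user data
    header = bytes([0x05, 0x64, 5 + len(user), 0xC4]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):               # 16-byte data blocks, each CRC'd
        block = user[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Verify start bytes and every CRC; return link addresses and the app function code."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 frame")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("bad header CRC")
    remaining, pos, user = frame[2] - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if int.from_bytes(frame[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise ValueError("bad data CRC")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if len(user) < 3:
        raise ValueError("no application header")
    fc = user[2]                                     # user[0] transport, user[1] app control
    return {"dst": int.from_bytes(frame[4:6], "little"),
            "src": int.from_bytes(frame[6:8], "little"),
            "fc": fc, "fc_name": FC_NAMES.get(fc, f"0x{fc:02x}")}


# Constructed capture: (timestamp, src_ip, dst_ip, dst_port, payload).
SAMPLE_PACKETS = [
    (0.0, HMI_IP, "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, HMI_ADDR)),
    (2.0, HMI_IP, "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, HMI_ADDR)),
    (4.0, HMI_IP, "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, HMI_ADDR)),
    # adversary trips the breaker, spoofing the HMI's DNP3 master address
    (5.3, "10.0.0.66", "10.0.0.20", 20000, build_frame(0x05, TRIP_BREAKER, OUTSTATION_ADDR, HMI_ADDR)),
    (6.0, HMI_IP, "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, HMI_ADDR)),
    # a second poll 0.1 s later from the HMI address breaks the 2 s cadence
    (6.1, HMI_IP, "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, HMI_ADDR)),
    # operator action from the real HMI: legitimate DIRECT_OPERATE
    (8.0, HMI_IP, "10.0.0.20", 20000, build_frame(0x05, TRIP_BREAKER, OUTSTATION_ADDR, HMI_ADDR)),
    # adversary reconnaissance with its own master address
    (9.0, "10.0.0.66", "10.0.0.20", 20000, build_frame(0x01, INTEGRITY_POLL, OUTSTATION_ADDR, 7)),
]


def classify(packets):
    """Return one record per request to port 20000 with a (possibly empty) alert list."""
    results, poll_gaps, last_poll = [], [], None
    for ts, src_ip, _dst_ip, port, payload in packets:
        if port != 20000:
            continue
        rec = {"ts": ts, "src_ip": src_ip, "fc": None, "alerts": []}
        try:
            f = parse_frame(payload)
        except ValueError as err:
            rec["alerts"].append(f"malformed frame: {err}")
            results.append(rec)
            continue
        rec["fc"] = f["fc_name"]
        from_hmi = src_ip == HMI_IP and f["src"] == HMI_ADDR
        if src_ip != HMI_IP:
            rec["alerts"].append(f"unexpected source {src_ip}")
        if f["src"] != HMI_ADDR:
            rec["alerts"].append(f"unexpected DNP3 master address {f['src']}")
        if f["fc"] in CONTROL_FCS and not from_hmi:
            rec["alerts"].append(f"control command {f['fc_name']} from non-HMI host")
        if f["fc"] == 0x01 and from_hmi:                # learn and check the poll cadence
            if last_poll is not None:
                gap = ts - last_poll
                if len(poll_gaps) >= 2:
                    base = statistics.median(poll_gaps)
                    if abs(gap - base) > 0.5 * base:
                        rec["alerts"].append(f"irregular polling: {gap:.1f}s vs baseline {base:.1f}s")
                poll_gaps.append(gap)
            last_poll = ts
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in classify(SAMPLE_PACKETS):
        verdict = "ALERT " + "; ".join(rec["alerts"]) if rec["alerts"] else "ok"
        print(f"{rec['ts']:5.1f}s {rec['src_ip']:<10} {rec['fc'] or '-':<16} {verdict}")
```

Note that the legitimate DIRECT_OPERATE at 8.0 s is not flagged: the function code alone is not the signal, the pairing of a control function with an unexpected host or master address is, which is the distinction the paragraph above asks monitoring tools to make. Flipping any byte of a frame makes `parse_frame` raise on the CRC check, so a frame-level check also catches corrupted or hand-crafted traffic before classification.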

The post notes that Grid Watch exposes a set of DNP3 points that can be accessed with standard read requests. Within the simulator, analog inputs represent measured values such as sensor readings, binary inputs indicate on or off operational states, and binary outputs serve as control points through which users change the state of simulated equipment. The breaker and generator can be switched through DNP3 operate requests, and the process simulation and HMI immediately update to reflect the new operating conditions.

Grid Watch operates entirely in software and does not require specialized hardware. The platform supports Python 3.11 and later on Linux, macOS, and Windows systems, and relies on matplotlib for the human-machine interface and dnp3py for DNP3 communications. Running the python run.py command presents users with options to start the DNP3 outstation, launch the HMI, or execute the built-in test client.

The repository also includes a fact source and four adversary profile files aligned with the training scenarios supported by the simulator. While these profiles are not mapped to specific Caldera ability IDs, they provide a useful framework for structuring DNP3 operations within Caldera for OT and can be customized for individual testing and training requirements.

Grid Watch is immediately deployable without the need for specialized hardware. Users can clone the repository, follow the provided scenario documentation, and leverage the included Caldera profiles as a foundation for training and testing activities. MITRE encourages community contributions and feedback as it continues to expand practical, accessible resources for OT cybersecurity training.

MITRE has been steadily expanding its Caldera for OT ecosystem with software-based simulators designed to lower the barriers to OT cybersecurity training and adversary emulation. 

Earlier this year, the organization introduced the Wildcat Dam Modbus simulator and the Aloha Water Treatment Plant environment, which provide virtual industrial processes that support Modbus and BACnet communications, enabling defenders to safely test discovery, collection, process-control impairment, and impact techniques without requiring physical ICS (industrial control system) hardware. 

More recently, MITRE released HVACSim, a BACnet-based building automation simulator that models HVAC operations and allows users to observe how protocol-level actions can influence physical processes, continuing the organization’s focus on accessible, low-cost cyber-physical training environments for OT security practitioners.
