Parham Mohammadi built a lab to show what happens when you abuse all of that at once.

The Speaker

Parham is a postdoctoral researcher at York University. He spent six years doing his PhD on power systems simulation, worked at Huawei building ML models for energy prediction, and built the CPPS-SEC Lab, an open source ICS attack simulation environment that chains real attack vectors against power grid infrastructure.

The lab models three layers: the physical power system (simulated with an open source Python library running power flow calculations on a standard IEEE 14-bus system), the control layer (PLCs, MQTT brokers, Modbus registers), and the detection layer (Suricata and Zeek for intrusion detection).

The Attacks

He walked through three attacks, each targeting a different part of the system.

MQTT Takeover

The attacker hits the broker controlling distributed energy resources — solar panels, wind farms — and publishes a message that shuts down generation. No exploit, no credentials, no CVE. The broker is unauthenticated. An 80-megawatt DER fleet drops to zero. Voltage collapses. The operator sees a power drop but has no visibility into why.

80 MW: DER generation wiped out with a single unauthenticated MQTT message
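The takeover above works because the broker accepts any publish on the control topic. Enabling broker authentication, TLS and topic ACLs is the first fix; the added example below (not code from the CPPS-SEC Lab; the topic name and the shared key are assumptions) shows a complementary application-layer check that does not trust the broker at all: the DER gateway only acts on a setpoint that carries a valid HMAC over the topic, a sequence number, a timestamp and the command, so an unsigned publish, a forged one, or a replay of a captured legitimate command is rejected before it reaches the inverters.

```python
"""Authenticated command envelope for DER control over MQTT.

Added example, not code from the CPPS-SEC Lab. The topic name and the
shared key are assumptions. The gateway verifies a MAC the broker never
sees, binds it to the topic, and checks freshness and sequence so a
captured legitimate message cannot be replayed later.
"""
import hashlib
import hmac
import json
import time

CONTROL_TOPIC = "der/fleet/setpoint"   # assumed topic
MAX_AGE_SECONDS = 30                   # assumed freshness window


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CommandAuthority:
    """Operator side: signs each command with the per-fleet secret."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def issue(self, command: dict, now=None) -> bytes:
        self._seq += 1
        body = {
            "topic": CONTROL_TOPIC,
            "seq": self._seq,
            "ts": int(now if now is not None else time.time()),
            "cmd": command,
        }
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "mac": tag}).encode()


class DerGateway:
    """Device side: accepts a command only if MAC, topic, age and sequence all check out."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0

    def accept(self, topic: str, raw: bytes, now=None) -> dict:
        """Return the command if valid; raise ValueError with the reason otherwise."""
        try:
            msg = json.loads(raw)
            body, mac = msg["body"], msg["mac"]
        except (ValueError, KeyError, TypeError):
            raise ValueError("malformed envelope")   # e.g. a bare, unsigned publish
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(mac)):
            raise ValueError("bad MAC")              # forged or tampered
        if body.get("topic") != topic:
            raise ValueError("topic mismatch")       # signed for a different topic
        now = now if now is not None else time.time()
        if abs(now - int(body.get("ts", 0))) > MAX_AGE_SECONDS:
            raise ValueError("stale command")        # replay of an old capture
        seq = int(body.get("seq", 0))
        if seq <= self._last_seq:
            raise ValueError("sequence replay")      # same envelope delivered twice
        self._last_seq = seq
        return body["cmd"]


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed; provision per fleet in practice
    operator, gateway = CommandAuthority(key), DerGateway(key)
    envelope = operator.issue({"setpoint_mw": 80})
    print("accepted:", gateway.accept(CONTROL_TOPIC, envelope))
    for label, raw in [("unsigned", b'{"setpoint_mw": 0}'), ("replayed", envelope)]:
        try:
            gateway.accept(CONTROL_TOPIC, raw)
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

The key lives on the operator workstation and the DER gateways, never on the broker, so a compromised or open broker can relay messages but cannot mint a valid shutdown command. In production the shared secret would be replaced by per-device keys or signatures, but the structure of the check is the same.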

Modbus Register Manipulation

Instead of killing generation, the attacker overwrites PLC registers that control load demand. The loads spike. The grid overloads. Because the changes happen at the control layer and not on the network, Suricata doesn't fire a single alert. Zeek catches some of it, but only if you're looking.

Detection gap: The attack happens at the control layer, not on the network. Traditional IDS sees valid Modbus traffic. The commands are legitimate. The intent is not.
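Since the Modbus frames are protocol-valid, a signature IDS has nothing to match; what a defender can match is the engineering intent. The added example below (not part of the CPPS-SEC Lab or of Zeek) runs a process-aware policy over constructed, tab-separated register-write records modelled loosely on Zeek's modbus_register_change.log; the field order, the authorized-writer list, the register map and the value bands are all assumptions. A write is flagged when it comes from a host that is not the SCADA master, pushes a load setpoint outside its engineering band, or jumps further in one write than the process can plausibly move.

```python
"""Process-aware check for Modbus holding-register writes.

Added example, not code from the CPPS-SEC Lab or from Zeek. It parses
constructed log lines (field order assumed: ts, orig_h, resp_h,
register, old_val, new_val) and applies an assumed engineering policy.
"""
from dataclasses import dataclass

# Assumed engineering policy for one feeder PLC (all values constructed).
AUTHORIZED_WRITERS = {"10.0.1.10"}                   # the SCADA master only
LOAD_SETPOINT_REGISTERS = {
    # register: (name, min, max, largest plausible change per write)
    40001: ("feeder_A_load_kW", 0, 3000, 500),
    40002: ("feeder_B_load_kW", 0, 2500, 400),
}

# Constructed records: two routine operator writes, two writes from an
# unknown host that spike load, and one unrelated register from the master.
CONSTRUCTED_LOG = """\
1700000000.10\t10.0.1.10\t10.0.2.21\t40001\t1200\t1350
1700000000.35\t10.0.1.10\t10.0.2.21\t40002\t900\t950
1700000001.02\t10.0.9.77\t10.0.2.21\t40001\t1350\t2900
1700000001.05\t10.0.9.77\t10.0.2.21\t40002\t950\t9999
1700000001.40\t10.0.1.10\t10.0.2.21\t40010\t1\t0
"""


@dataclass
class RegisterWrite:
    ts: float
    src: str
    plc: str
    register: int
    old_val: int
    new_val: int


def parse_register_log(text: str) -> list:
    """Parse the constructed log; '#' lines (Zeek-style headers) are skipped."""
    writes = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, plc, reg, old, new = line.split("\t")
        writes.append(RegisterWrite(float(ts), src, plc, int(reg), int(old), int(new)))
    return writes


def evaluate_write(w: RegisterWrite) -> list:
    """Return the list of policy violations for one write (empty means benign)."""
    findings = []
    if w.src not in AUTHORIZED_WRITERS:
        findings.append(f"unauthorized writer {w.src}")
    policy = LOAD_SETPOINT_REGISTERS.get(w.register)
    if policy is None:
        return findings          # not a protected setpoint: only the source rule applies
    name, lo, hi, max_step = policy
    if not lo <= w.new_val <= hi:
        findings.append(f"{name} out of band: {w.new_val} not in [{lo}, {hi}]")
    step = abs(w.new_val - w.old_val)
    if step > max_step:
        findings.append(f"{name} step {step} exceeds {max_step}")
    return findings


def audit(text: str) -> dict:
    """Map the timestamp of each offending write to its findings."""
    result = {}
    for w in parse_register_log(text):
        findings = evaluate_write(w)
        if findings:
            result[w.ts] = findings
    return result


if __name__ == "__main__":
    for ts, findings in audit(CONSTRUCTED_LOG).items():
        print(ts, "; ".join(findings))
```

The same policy can be expressed as a Zeek script or fed from Zeek's log into a SIEM; the point is that the decision needs process context (who may write, what values are physically plausible) that no packet-level signature carries.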

False Data Injection

This one echoes Stuxnet. The attacker corrupts the sensors feeding the state estimator — the brain of the system. Power flow calculations break because they're running on garbage data. The operator dashboard stays green while the grid underneath falls apart.
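The standard defence inside the state estimator is bad-data detection: after a weighted least squares fit, the weighted residual is compared against a chi-square threshold, and corrupted meters show up as residuals the model cannot explain. The added example below (not code from the CPPS-SEC Lab; the 3-bus DC model, susceptances, true state and meter noise are all constructed) carries that through in plain Python, and also shows the known limit of the test: an injection that is itself consistent with the measurement model shifts the estimate without raising the residual, which is why residual checks must be paired with authenticated telemetry rather than trusted on their own.

```python
"""Residual-based bad-data detection for a DC state estimator.

Added example, not code from the CPPS-SEC Lab. Constructed 3-bus DC
model with the linear measurement equation z = H x + e; everything runs
with the standard library only. Susceptances, true state, noise and the
injection vectors are made up for illustration.
"""

# Measurement model for the constructed 3-bus system (bus 1 is slack):
# state x = [theta2, theta3]; rows are P12, P13, P23, P2, P3 (p.u.).
H = [
    [-10.0, 0.0],     # P12 = b12 * (theta1 - theta2), b12 = 10
    [0.0, -5.0],      # P13 = b13 * (theta1 - theta3), b13 = 5
    [10.0, -10.0],    # P23 = b23 * (theta2 - theta3), b23 = 10
    [20.0, -10.0],    # P2  = P21 + P23 (bus injection)
    [-10.0, 15.0],    # P3  = P31 + P32 (bus injection)
]
SIGMA = 0.01             # assumed per-meter standard deviation (p.u.)
CHI2_THRESHOLD = 11.34   # chi-square, m - n = 5 - 2 = 3 degrees of freedom, alpha = 0.01

TRUE_STATE = [-0.04, -0.10]                       # constructed bus angles (rad)
NOISE = [0.01, -0.005, 0.008, -0.01, 0.004]      # constructed meter noise


def matvec(A, x):
    return [sum(a * xi for a, xi in zip(row, x)) for row in A]


def solve(A, b):
    """Gauss-Jordan solve of the small square system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def wls_estimate(z, H=H, sigma=SIGMA):
    """Weighted least squares: x = (H^T W H)^-1 H^T W z with W = 1/sigma^2."""
    w = 1.0 / sigma ** 2
    m, n = len(H), len(H[0])
    HtWH = [[w * sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    HtWz = [w * sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(HtWH, HtWz)


def bad_data_test(z, H=H, sigma=SIGMA, threshold=CHI2_THRESHOLD):
    """Chi-square test on J = sum(r_i^2 / sigma^2). Returns (estimate, J, flagged)."""
    x_hat = wls_estimate(z, H, sigma)
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    J = sum((ri / sigma) ** 2 for ri in r)
    return x_hat, J, J > threshold


def measurements(attack=None):
    """Constructed meter readings: true values + noise, plus an optional injection a."""
    z = [t + e for t, e in zip(matvec(H, TRUE_STATE), NOISE)]
    if attack is not None:
        z = [zi + ai for zi, ai in zip(z, attack)]
    return z


if __name__ == "__main__":
    cases = [
        ("clean", None),
        ("garbage on P23 (+0.3 p.u.)", [0, 0, 0.3, 0, 0]),
        ("model-consistent a = H*c", matvec(H, [0.0, 0.02])),
    ]
    for label, a in cases:
        x_hat, J, flagged = bad_data_test(measurements(a))
        print(f"{label:30s} J={J:8.2f} flagged={flagged} theta={[round(v, 4) for v in x_hat]}")
```

The garbage injection the talk describes is exactly what the test catches: J jumps from about 2 to several hundred against a threshold of 11.34. The third case passes with the same J as the clean run while the estimated angle at bus 3 is off by the injected 0.02 rad, which is the classic result that residual-based detection alone cannot protect a state estimator whose inputs are not authenticated.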

The Full Chain

Then he chained all three together.

Generation goes offline via MQTT. Demand spikes via Modbus. The operator is blinded by false sensor data. The system loses control of voltage, current, and load balance all at once. Total collapse in under two minutes. No coming back from that.

The scariest part: the control room saw nothing wrong. The dashboard stayed green the entire time.

< 2 min: Time to total grid collapse once all three attacks are chained

Why It Matters

North American power infrastructure is old. The protocols running it were designed decades ago with no adversary in mind. And the attack surface is growing — every new solar installation, every EV charger, every IoT device connected to the grid adds another entry point.

Parham's lab is going open source after publication. The goal is to give the security community a way to actually test these attack chains without needing access to real infrastructure. That gap between electrical engineering and computer science isn't going to close on its own.
