icsnpp-synchrophasor

https://github.com/cisagov/icsnpp-synchrophasor
6 7 6 0 Last Push 10/17/24, 2:28 PM

ICSNPP-Synchrophasor

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Synchrophasor Data Transfer for Power Systems (C37.118) over TCP and UDP.

Overview

ICSNPP-Synchrophasor is a Zeek plugin (written in Spicy) for parsing and logging fields used by the Synchrophasor protocol as presented in IEEE standard C37.118, defining a transmission format for reporting synchronized phasor measurements in power systems.

This parser produces the following log files, defined in analyzer/main.zeek:

  • synchrophasor.log
  • synchrophasor_cmd.log
  • synchrophasor_hdr.log
  • synchrophasor_cfg.log
  • synchrophasor_cfg_detail.log
  • synchrophasor_data.log
  • synchrophasor_data_detail.log

For additional information on this log file, see the Logging Capabilities section below.

Installation

Package Manager

This script is available as a package for Zeek Package Manager. It requires Spicy and the Zeek Spicy plugin.

$ zkg refresh
$ zkg install icsnpp-synchrophasor

If this package is installed from ZKG, it will be added to the available plugins. This can be tested by running zeek -NN. If installed correctly, users will see ANALYZER_SPICY_SYNCHROPHASOR_TCP and ANALYZER_SPICY_SYNCHROPHASOR_UDP under the list of Zeek::Spicy analyzers.

If users have ZKG configured to load packages (see @load packages in the ZKG Quickstart Guide), this plugin and these scripts will automatically be loaded and ready to go.

Logging Capabilities

Synchrophasor Log (synchrophasor.log)

Overview

This log summarizes, by connection, Synchrophasor frames transmitted over 4712/tcp or 4713/udp to synchrophasor.log. The port can be overriden by redefining the synchrophasor_ports_tcp and synchrophasor_ports_udp variables, respectively, e.g.:

$ zeek -C -r synchrophasor_tcp.pcap local "SYNCHROPHASOR::synchrophasor_ports_tcp={ 40712/tcp }"

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
versionsetProtocol version number(s) observed
data_stream_idsetData stream ID(s) observed
historystringCommand history (see below)
frame_size_mincountSmallest frame size observed, in bytes
frame_size_maxcountLargest frame size observed, in bytes
frame_size_totcountSum of frame sizes observed, in bytes
data_frame_countcountCount of data frames observed
data_ratesetData rate values(s) observed
  • The history field is comprised of letters representing commands specified in observed command frames in the order they were transmitted (e.g., 2Dd):
    • d - turn off transmission of data frames
    • D - turn on transmission of data frames
    • h - send HDR frame
    • 1 - send CFG-1 frame
    • 2 - send CFG-2 frame
    • 3 - send CFG-3 frame
    • e - extended frame

Synchrophasor Command Frame Log (synchrophasor_cmd.log)

Overview

This log summarizes synchrophasor Command frames.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
frame_sizecountFrame size (in bytes)
header_time_stamptimeTimestamp from frame header
commandstringString represetnation of the command
extframevectorExtended frame data (user-defined)

Synchrophasor Header Frame Log (synchrophasor_hdr.log)

Overview

This log summarizes synchrophasor Header frames.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
frame_sizecountFrame size (in bytes)
header_time_stamptimeTimestamp from frame header
commandstringString representation of the command
datastringHuman-readable header data (user-defined)

Synchrophasor Configuration Frame Log (synchrophasor_cfg.log)

Overview

This log summarizes synchrophasor Configuration (CFG-1, CFG-2, and CFG-3) frames.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
frame_sizecountFrame size (in bytes)
header_time_stamptimeTimestamp from frame header
cont_idxcountContinuation index for fragmented frames
pmu_count_expectedcountThe number of PMUs expected in the configuration frame
pmu_count_actualcountThe number of PMUs included in the configuration frame
cfg_frame_idstringUnique string to correlate with synchrophasor_cfg_detail

Synchrophasor Configuration PMU Details (synchrophasor_cfg_detail.log)

Overview

This log lists the per-PMU details from synchrophasor Configuration (CFG-1, CFG-2, and CFG-3) frames. As this can be very verbose, this log file is disabled by default. Users can enable it by appending SYNCHROPHASOR::log_cfg_detail=T to the zeek command on the command line or by adding redef SYNCHROPHASOR::log_cfg_detail = T; to the local.zeek file.

Fields Captured

Most of the fields listed here are optional. Many may be unused during communication depending on device configuration. See IEEE Std C37.118.2-2011 for more details.

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
header_time_stamptimeTimestamp from frame header
cfg_frame_idstringUnique string to correlate with synchrophasor_cfg
pmu_idxcount0-based index of PMU configuration within the CFG frame
svc_classstringService class as defined in IEEE Std C37.118.1
station_namestringStation name
data_source_idcountData source id
global_pmuidstringGlobal PMU ID
phasor_shapeboolF = phasor real and imaginary (rectangular), T = magnitude and angle (polar)
phasor_formatboolF = phasors 16-bit integer, T = floating point
analog_formatboolF = analogs 16-bit integer, T = floating point
freq_formatbool0 = FREQ/DFREQ 16-bit integer, 1 = floating point
phnmrcountNumber of phasors
annmrcountNumber of analog values
dgnmrcountNumber of digital status words
phnamvectorPhasor channel names
annamvectorAnalog channel names
dgnamvectorDigital channel names
phasor_conv_phunitvectorPhasor conversion factor format unit
phasor_conv_phvaluevectorPhasor conversion factor format value
phasor_conv_upsampled_interpolationvectorUp sampled with interpolation
phasor_conv_upsampled_extrapolationvectorUpsampled with extrapolation
phasor_conv_downsampled_reselectionvectorDown sampled by reselection (selecting every Nth sample)
phasor_conv_downsampled_fir_filtervectorDown sampled with FIR filter
phasor_conv_downsampled_no_fir_filtervectorDown sampled with non-FIR filter
phasor_conv_filtered_without_changing_samplingvectorFiltered without changing sampling
phasor_conv_calibration_mag_adjvectorPhasor magnitude adjusted for calibration
phasor_conv_calibration_phas_adjvectorPhasor phase adjusted for calibration
phasor_conv_rotation_phase_adjvectorPhasor phase adjusted for rotation ( ±30o, ±120o, etc.)
phasor_conv_pseudo_phasor_valvectorPseudo-phasor value (combined from other phasors)
phasor_conv_mod_applvectorModification applied, type not here defined
phasor_conv_phasor_componentvectorPhasor component (see std. spec)
phasor_conv_phasor_typevectorF = voltage, T = current
phasor_conv_user_defvectorUser-defined
phasor_conv_scale_factorvectorScale factor Y
phasor_conv_angle_adjvectorPhasor angle adjustment θ
analog_conv_analog_flagsvectorAnalog flags
analog_conv_user_defined_scalingvectorUser-defined scaling
analog_conv_mag_scalevectorMagnitude scale factor
analog_conv_offsetvectorAngle offset
digital_conv_normal_status_maskvectorDigital input normal status mask
digital_conv_valid_inputs_maskvectorDigital input valid inputs status mask
pmu_latdoublePMU latitude in degrees
pmu_londoublePMU longitude in degrees
pmu_elevdoublePMU elevation in meters
windowintPhasor measurement window length
group_delayintPhasor measurement group delay
fnomcountNominal line frequency code
cfgcntcountConfiguration change count

Synchrophasor Data Frame Log (synchrophasor_data.log)

Overview

This log summarizes synchrophasor Data frames. As this can be very verbose, this log file is disabled by default. You can enable it by appending SYNCHROPHASOR::log_data_frame=T to your zeek command on the command line or by adding redef SYNCHROPHASOR::log_data_frame = T; to your local.zeek file.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
frame_sizecountFrame size (in bytes)
header_time_stamptimeTimestamp from frame header
pmu_count_expectedcountThe number of PMUs expected in the data frame
pmu_count_actualcountThe number of PMUs included in the data frame
data_frame_idstringUnique string to correlate with synchrophasor_data_detail

Synchrophasor Data PMU Details Log (synchrophasor_data_detail.log)

Overview

This log lists the per-PMU details from synchrophasor Data frames. As this can be very verbose, this log file is disabled by default. You can enable it by appending SYNCHROPHASOR::log_data_detail=T to your zeek command on the command line or by adding redef SYNCHROPHASOR::log_data_detail = T; to your local.zeek file. Note that log_data_frame described above must also be set to T for log_data_detail to take effect.

Most of the fields listed here are optional. Many may be unused during communication depending on device configuration. See IEEE Std C37.118.2-2011 for more details.

Fields Captured

FieldTypeDescription
tstimeTimestamp (network time)
uidstringUnique ID for this connection
idconn_idDefault Zeek connection info (IP addresses, ports)
protostringTransport protocol
frame_typestringFrame type from synchrophasor frame synchronization word
header_time_stamptimeTimestamp from frame header
data_frame_idstringUnique string to correlate with synchrophasor_data_detail
pmu_idxcount0-based index of PMU data within the data frame
trigger_reasoncountTrigger reason
unlocked_timecountUnlocked time
pmu_time_qualitycountPMU time quality
data_modifiedboolT = data made by post-processing, F = otherwise
config_changeboolT = confiuration change advised, F = change effected
pmu_trigger_pickupboolT = PMU trigger detected, F = no trigger
data_sorting_typeboolF = sort by time stamp, T = sort by arrival
pmu_sync_errorboolT = time sync error, F = PMU in sync with time source
data_error_indicatorcountData error indicator
est_rectangular_realvectorPhasor estimate: rectangular real value
est_rectangular_imaginaryvectorPhasor estimate: rectangular imaginary value
est_polar_magnitudevectorPhasor estimate: polar magnitude value
est_polar_anglevectorPhasor estimate: polar angle radians
freq_dev_mhzdoubleFrequency deviation from nominal, in mHz
rocofdoubleROCOF, in hertz per second times 100
analog_datavectorUser-defined analog data value
digitalvectorUser-defined digital status word

ICSNPP Packages

All ICSNPP Packages:

Full ICS Protocol Parsers:

  • BACnet
    • Full Zeek protocol parser for BACnet (Building Control and Automation)
  • BSAP
    • Full Zeek protocol parser for BSAP (Bristol Standard Asynchronous Protocol) over IP
    • Full Zeek protocol parser for BSAP Serial comm converted using serial tap device
  • Ethercat
    • Full Zeek protocol parser for Ethercat
  • Ethernet/IP and CIP
    • Full Zeek protocol parser for Ethernet/IP and CIP
  • GE SRTP
    • Full Zeek protocol parser for GE SRTP
  • Genisys
    • Full Zeek protocol parser for Genisys
  • OPCUA-Binary
    • Full Zeek protocol parser for OPC UA (OPC Unified Architecture) - Binary
  • S7Comm
    • Full Zeek protocol parser for S7comm, S7comm-plus, and COTP
  • Synchrophasor
    • Full Zeek protocol parser for Synchrophasor Data Transfer for Power Systems (C37.118)
  • Profinet IO CM
    • Full Zeek protocol parser for Profinet I/O Context Manager

Updates to Zeek ICS Protocol Parsers:

  • DNP3
    • DNP3 Zeek script extending logging capabilities of Zeek's default DNP3 protocol parser
  • Modbus
    • Modbus Zeek script extending logging capabilities of Zeek's default Modbus protocol parser

Other Software

Idaho National Laboratory is a national research facility with a focus on development of software and toolchains to improve the security of criticial infrastructure environments around the world. Please review our other software and scientific offerings at:

Primary Technology Offerings Page

Supported Open Source Software

Raw Experiment Open Source Software

Unsupported Open Source Software

License

Copyright 2023 Battelle Energy Alliance, LLC. Released under the terms of the 3-Clause BSD License (see LICENSE).

Package Version :

Description :

Synchrophasor (as defined in C37.118.2-2011 IEEE Standard for Synchrophasor
Data Transfer for Power Systems) defines a simple and direct method of data
transmission and accretion within a phasor measurement system.

Script Dir :

analyzer

Plugin Dir :

build/spicy-modules

Build Command :

mkdir -p build && cd build && SPICYZ=$(command -v spicyz || echo %(package_base)s/spicy-plugin/build/bin/spicyz) cmake .. && cmake --build .

Test Command :

cd tests && PATH=$(zkg config plugin_dir)/packages/spicy-plugin/bin:$PATH btest -d -j $(nproc)

Depends :

zeek >=6.0.0

Tags :

synchrophasor, power, SCADA, zeek plugin, protocol analyzer, log writer, ics, CISA, INL, ICSNPP