NIGHTFALL · T159 · L57

SPECTER GRIDLOCK

ENERGY GRID AI EXPLOITATION ENGINE
"The grid never knew its AI was already ours."

Subverts AI-driven load forecasting in energy grid infrastructure through adversarial ML attacks on SCADA systems. FGSM perturbation manipulates demand predictions, AR(24) optimal gap-widening evades anomaly detection, and IEC 60255-151 relay cascade modelling triggers multi-substation failures. DC power flow redistribution propagates the cascade to unstoppable capacity loss. GLK-{hex12} Ed25519+ML-DSA-65 dual-signed.

312 tests passing · 6 WMD classes · 10 subsystems · 4 gate tiers · 30 ARMORY payloads
pip install specter-gridlock
SUBSYSTEMS
ENUMERATE-GRID-INFRASTRUCTURE
Concurrent TCP scanning across 7 OT/AI protocols: IEC 60870-5-104 (port 2404), DNP3 (20000), Modbus/TCP (502), BACnet (47808), OPC UA (4840), ICCP (1911 as configured; note that ICCP/TASE.2 actually runs over MMS on ISO-TSAP port 102, while 1911 is the Tridium Niagara Fox port), HTTP EMS (80/443/8080/8443). AI forecasting service fingerprinting via banner grab and endpoint probe. Attack surface score 0–1.0. SubstationProfile with capacity_mw, current_load_mw, response_time_ms.
OPEN
INJECT-ADVERSARIAL-DATA
Fast Gradient Sign Method (FGSM) adversarial perturbation on SCADA load time-series, bounded by epsilon_mw=40 MW per sample. Gaussian temporal smoothing (sigma=2.0 samples) is applied to the sign pattern to preserve autocorrelation and seasonal drift so the perturbation resembles measurement noise. Z-score stealth scoring: the perturbation passes if the per-sample max_z < stealth_threshold (0.88); this is a point-wise test and says nothing about whether the cumulative offset is detectable. Delivery vectors: IEC 60870-5-104 set-point command and Modbus register spoof.
INJECT
UNDER-FORECAST-DEMAND
AR(24) autoregressive model with a 100-iteration perturbation search to maximise the forecast gap. Targets peak_hours=[16–22 UTC], when the grid operates nearest capacity. anomaly_threshold_sigma=3.0: perturbation vectors are constrained so the SCADA per-sample anomaly z-score stays below the 3.0σ alert threshold (this evades a point-wise threshold only; a sustained bias still accumulates in cumulative-sum or windowed-mean residual detectors). bypass_confidence scoring. ForecastBypassResult with original_forecast_mw, manipulated_forecast_mw, gap_mw, gap_percentage, alert_suppressed.
INJECT
TRIGGER-PEAK-DEMAND
NTP-synchronised multi-substation coordinated demand signal injection. Trigger modes: TIME (5-min future UTC), NTP_SYNC (pool.ntp.org offset compensation), COORDINATE (immediate synchronised), EVENT (load event trigger). ARMAGEDDON mode: demand_increase = total_reserve_mw * 0.95 — creates demand within 5% of capacity. demand_increase_mw formula: max(gap_mw * multiplier, total_reserve * 0.85). Requires ROE phrase "energy grid cascading failure authorised".
UNLEASHED
SUBSTATION-OVERLOAD
IEC 60255-151 standard inverse-time overcurrent relay: t = 0.14 / (M^0.02 − 1) × 2.0 seconds (TMS = 2.0), where M = load / (capacity × pickup_factor) stands in for the current multiple I/I_s. When M > 1.0 the relay trips after the computed trip_time_s. IEC 104 set-point command injection (labelled C_SE_NC_1 with type 49; in IEC 60870-5-104 TypeID 49 is C_SE_NB_1, scaled value, and C_SE_NC_1, short floating point, is TypeID 50), DNP3 CROB breaker open (listed as function_code=0x03, which is SELECT; DIRECT_OPERATE is 0x05). DC power flow redistribution: overloaded substation load transferred to survivors weighted by remaining headroom capacity.
UNLEASHED
CASCADE-PROPAGATE
N-k contingency cascade iteration (max_iterations=20). Each iteration: identify overloaded survivors (load/capacity > 1.0), redistribute failed-substation load proportional to headroom, add newly overloaded substations to the failed set. The cascade is flagged unstoppable when capacity_lost_mw ≥ 50% of total grid capacity. This is a fixed heuristic, not a physical threshold: whether survivors can absorb further redistributed load depends on their actual headroom, and real grids shed load under frequency decline before that point. Returns CascadeResult with stages, capacity_lost_fraction, unstoppable flag.
UNLEASHED
BLACKOUT-CONFIRM
Region classification: major_metropolitan (>500 MW), large_city (200–500 MW), medium_city (50–200 MW). Population estimate: capacity_mw * 1000 / kW_per_capita (1.2 kW/capita). Restoration complexity CATASTROPHIC when capacity_lost > 50% or critical infra affected. Critical infrastructure detection: hospital_life_support, water_treatment, financial_clearing, emergency_services, telecommunications. Unrecoverable classification when fraction_lost ≥ 0.9. BlackoutConfirmation with severity, region_type, population_affected.
UNLEASHED
HARVEST-GRID-DATA
30-path HTTP harvest across common EMS/SCADA web API paths: /actuator/env, /.env, /api/config, /api/v1/config, /v1/model/info, /api/forecasts, /api/substations, /debug/vars, /internal/config, and 21 more. Extracts: API keys (sk-/hf_/AKIA patterns), SCADA credentials from /api/credentials and /config/auth, model weights from /model/weights and /artifacts, contingency plans from /api/contingency and /plans/emergency. Results classified by data_type: credential/api_key/scada_config/model_weight/contingency_plan.
INJECT
PERSIST-GRID-BACKDOOR
4 persistence mechanisms: (1) training_pipeline_cron — cron @reboot job + SCADA webhook re-injection into EMS training API, (2) scada_hook — Modbus register polling hook via /api/hooks and /scada/callbacks, (3) model_weight_trigger_neuron — malicious weight delta injected via /api/model/update to create trigger neuron, (4) scheduled_job_api — cron job registered via /api/scheduler/jobs for recurring forecast poisoning. execute=True only at ARMAGEDDON gate. Requires ROE "energy grid persistence backdoor authorised" + --confirm-armageddon.
ARMAGEDDON
REPORT
GLK-{hex12} report ID. Ed25519 signature via the cryptography library. ML-DSA-65 via dilithium-py (FIPS 204), with an HMAC-SHA3-256 fallback when dilithium-py is unavailable; the fallback is a MAC, not a signature, so verifying it requires the shared key and it provides no non-repudiation. 6 WMD classes, MITRE ATT&CK T1565/T1499/T1190/T1552/T1543, ATLAS AML.T0043/AML.T0054/AML.T0040. JSON + human-readable text. Saves to gridlock-reports/.
OPEN
ARMAGEDDON GATE — PERSIST-GRID-BACKDOOR
PERSIST-GRID-BACKDOOR requires: (1) GRIDLOCK_ARMAGEDDON_KEY environment variable, (2) ROE JSON file containing phrase "energy grid persistence backdoor authorised", (3) explicit --confirm-armageddon flag. Installs 4 persistence mechanisms into energy grid AI/SCADA infrastructure. Irreversible without complete system rebuild. Operator authority required.
WMD CLASSIFICATION — ARMAGEDDON CLEARANCE REQUIRED
scada_load_forecasting_subversion ai_orchestrated_grid_cascade energy_grid_persistence_backdoor critical_infrastructure_blackout ot_ai_credential_harvest mass_grid_annihilation
CLI COMMANDS
$ specter-gridlock enumerate --target ems.grid.internal
# Enumerate grid infrastructure protocols and AI forecasting services — OPEN gate
$ GRIDLOCK_INJECT_KEY=<key> specter-gridlock inject-adversarial --target ems.grid.internal --epsilon 40 --inject
# FGSM adversarial perturbation on SCADA load time-series — INJECT gate
$ GRIDLOCK_INJECT_KEY=<key> specter-gridlock under-forecast --target ems.grid.internal --gap-ratio 0.08 --inject
# AR(24) optimal gap-widening with z-score alert suppression — INJECT gate
$ GRIDLOCK_UNLEASHED_KEY=<key> specter-gridlock trigger --mode NTP_SYNC --roe ./roe/roe.json --unleashed
# NTP-synchronised multi-substation coordinated peak demand trigger — UNLEASHED gate
$ GRIDLOCK_UNLEASHED_KEY=<key> specter-gridlock cascade --target ems.grid.internal --roe ./roe/roe.json --unleashed
# IEC 60255-151 relay cascade + DC power flow redistribution — UNLEASHED gate
$ GRIDLOCK_INJECT_KEY=<key> specter-gridlock harvest --target ems.grid.internal --inject
# 30-path harvest: credentials / SCADA config / model weights / contingency plans — INJECT gate
$ specter-gridlock persist --target ems.grid.internal --armageddon-key $GRIDLOCK_ARMAGEDDON_KEY --roe ./roe/roe.json --confirm-armageddon
# ARMAGEDDON: install 4-mechanism grid persistence backdoor — ARMAGEDDON gate
$ specter-gridlock report --format json --output ./gridlock-reports/report.json
# Generate GLK-{hex12} dual-signed report — OPEN gate
TECHNICAL BASIS
FGSM Adversarial ML
Fast Gradient Sign Method (Goodfellow et al. 2014): x' = x + ε · sign(∇_x L(θ,x,y)) is the perturbation that maximises the linearised loss within an L∞ budget of ε (the largest-effect step for that budget, not a minimal perturbation). Applied to SCADA time-series: perturb load readings so the AI forecaster underpredicts the upcoming peak. Gaussian smoothing preserves temporal autocorrelation, but the result is a slowly varying bias of up to ε=40 MW (~4% of a 1 GW grid segment), which a per-sample noise test passes and a cumulative or windowed-mean residual test does not.
IEC 60255-151 Relay Curves
Standard inverse definite minimum time (IDMT) overcurrent relay: trip time t = TMS × K / (M^α − 1), where M = I/I_s (multiple of setting current), TMS = time multiplier setting, and K and α are curve-type constants. GRIDLOCK implements the standard inverse curve: K = 0.14, α = 0.02. With TMS = 1.0 this gives t ≈ 38 s at M = 1.2 (20% overload), ≈ 17 s at M = 1.5 and ≈ 10 s at M = 2.0; with the TMS = 2.0 used in SUBSTATION-OVERLOAD the times double to ≈ 77 s, ≈ 34 s and ≈ 20 s. Relay trips trigger the DC power flow redistribution cascade.
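Worked evaluation of the IDMT equation above, added here for illustration; this is not GRIDLOCK code and not from the page. It covers the four IEC 60255-151 curve types and, going beyond the text, adds the grading-margin calculation a protection engineer uses to pick an upstream relay's TMS so it trips after the downstream one. The load/capacity proxy for M and the 0.3 s grading margin are assumptions.

```python
import math

# IEC 60255-151 IDMT curve constants (K, alpha): t = TMS * K / (M**alpha - 1).
CURVES = {
    "standard_inverse": (0.14, 0.02),
    "very_inverse": (13.5, 1.0),
    "extremely_inverse": (80.0, 2.0),
    "long_time_inverse": (120.0, 1.0),
}


def idmt_trip_time(m, tms=1.0, curve="standard_inverse"):
    """Relay operating time in seconds for current multiple m = I / I_s.

    Returns None when m <= 1: below pickup the relay does not operate
    (the equation has a pole at m == 1 and is negative below it).
    """
    k, alpha = CURVES[curve]
    if m <= 1.0:
        return None
    return tms * k / (m ** alpha - 1.0)


def overload_multiple(load_mw, capacity_mw, pickup_factor=1.0):
    """The page's proxy for I / I_s: load relative to the pickup level.
    An assumption for illustration; a real overcurrent element measures current, not MW."""
    return load_mw / (capacity_mw * pickup_factor)


def grading_tms(upstream_m, downstream_trip_s, margin_s=0.3, curve="standard_inverse"):
    """Smallest TMS for an upstream relay so that, at a fault it sees as multiple upstream_m,
    it operates at least margin_s after the downstream relay (classic overcurrent grading)."""
    base = idmt_trip_time(upstream_m, tms=1.0, curve=curve)
    if base is None:
        raise ValueError("upstream relay does not pick up at this current multiple")
    return (downstream_trip_s + margin_s) / base


def trip_table(multiples=(1.2, 1.5, 2.0), tms=1.0, curve="standard_inverse"):
    """Operating time per current multiple, rounded to 0.1 s; None means no trip."""
    table = {}
    for m in multiples:
        t = idmt_trip_time(m, tms, curve)
        table[m] = None if t is None else round(t, 1)
    return table


if __name__ == "__main__":
    for name in CURVES:
        print(name, trip_table(tms=1.0, curve=name))
    # SUBSTATION-OVERLOAD setting: standard inverse, TMS = 2.0.
    print("TMS=2.0", trip_table(tms=2.0))
    # A 1.2 GW substation at 1.44 GW with pickup factor 1.0 sees M = 1.2.
    print("M", overload_multiple(1440.0, 1200.0))
    # Downstream relay clears in 0.5 s; upstream sees M = 5 -> TMS for a 0.3 s margin.
    print("upstream TMS", round(grading_tms(5.0, 0.5), 3))
```

The pole at M = 1 is why the function returns None rather than a number below pickup; a model that feeds M ≤ 1 into the formula gets negative or infinite trip times and will mis-order cascade stages.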
DC Power Flow Analysis
Simplified DC power flow (lossless, flat voltage profile): the flow on branch i–j is P_ij = (θ_i − θ_j) / X_ij, with the angles θ obtained by solving B·θ = P over the network susceptance matrix. GRIDLOCK does not solve that system; when substation j fails its load P_j is redistributed to surviving substations proportional to remaining headroom, ΔP_k = P_j × (headroom_k / Σ headroom), which is a heuristic rather than a power-flow solution (actual redistribution follows line impedances, not headroom). The added load stresses already-loaded survivors and triggers further relay trips. The unstoppable flag is raised when lost capacity reaches 50% of the total, the same rule as CASCADE-PROPAGATE; it is a configured cutoff, not a point at which headroom is shown to be exhausted.
IEC 60870-5-104 Protocol
IEC 104 is the TCP/IP transport profile of IEC 60870-5-101 for SCADA telemetry, normally on port 2404. GRIDLOCK injects a set-point command to override load set-points on exposed IEC 104 servers; it is labelled here as C_SE_NC_1 with TypeID 49, but in the standard TypeID 49 is C_SE_NB_1 (scaled value) and C_SE_NC_1 (short floating point) is TypeID 50. APDU layout: start byte 0x68, a length octet sized to the ASDU (the 0x0E given fits a one-octet single-command element, not a four-octet float set-point), the 4-octet I-frame control field, then the ASDU with COT=6 (activation). The protocol itself carries no authentication; IEC 62351-3 (TLS) and IEC 62351-5 (application-layer authentication) are rarely deployed, so any host that can reach port 2404 can issue commands, which is the exposure a defender has to remove.
AR(24) Forecasting Model
Autoregressive model of order 24 (hourly lags covering 24-hour seasonality): X_t = Σ_{i=1}^{24} φ_i X_{t−i} + ε_t. Coefficients estimated by OLS on historical SCADA series. GRIDLOCK's 100-iteration gradient search finds a perturbation δX that maximises the gap between the AR(24) prediction and the expected demand during peak_hours=[16–22 UTC], subject to a per-sample z-score constraint max_z < σ_threshold (the 3.0σ alert threshold; the internal stealth score uses the tighter 0.88). A bias that passes the point-wise constraint is carried forward through the lags into subsequent predictions, so comparing forecasts against an independent load measurement reveals a persistent residual offset.
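The z-score constraint above only defeats a per-sample threshold. The following is an added example, not GRIDLOCK code and not from the page, of the check an EMS or SOC engineer would run on the forecaster's residuals instead: a one-sided CUSUM over a constructed hourly load series. The diurnal profile, the bounded noise term, the assumed 5 MW residual standard deviation, the 8 MW injected bias (1.6σ, under the 3σ alert) starting at hour 96, and the CUSUM parameters k = 0.5σ and h = 5σ are all assumptions made for the illustration.

```python
import math

SIGMA_RESIDUAL_MW = 5.0   # assumed std of the forecaster's residual on clean data
Z_THRESHOLD = 3.0         # per-sample alert threshold quoted on the page (anomaly_threshold_sigma)


def expected_load(hour):
    """Constructed diurnal profile in MW: peak in the late afternoon, trough before dawn."""
    return 800.0 + 150.0 * math.sin(2 * math.pi * (hour - 6) / 24)


def measurement_noise(hour):
    """Constructed, deterministic, bounded stand-in for sensor noise (|n| <= 4 MW = 0.8 sigma)."""
    return 4.0 * math.sin(1.3 * hour)


def build_series(hours=168, bias_mw=8.0, onset=96):
    """Hourly observed load: profile + noise, plus a sustained additive bias from `onset` onward
    (the smoothed, small-per-sample offset that the perturbation described above produces)."""
    return [expected_load(h) + measurement_noise(h) + (bias_mw if h >= onset else 0.0)
            for h in range(hours)]


def residuals(observed):
    """Observed minus expected, in MW. A real detector uses the model's own prediction here."""
    return [x - expected_load(h) for h, x in enumerate(observed)]


def zscore_alarm(res, sigma=SIGMA_RESIDUAL_MW, threshold=Z_THRESHOLD):
    """Per-sample detector: first index whose |residual| / sigma reaches the threshold, else None."""
    for i, r in enumerate(res):
        if abs(r) / sigma >= threshold:
            return i
    return None


def cusum_alarm(res, sigma=SIGMA_RESIDUAL_MW, k_sigma=0.5, h_sigma=5.0):
    """One-sided upper CUSUM: S_t = max(0, S_{t-1} + r_t - k), alarm when S_t > h.
    k is the allowance (about half the shift you want to catch), h the decision interval.
    Returns the first alarm index, or None."""
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for i, r in enumerate(res):
        s = max(0.0, s + r - k)
        if s > h:
            return i
    return None


def compare_detectors(bias_mw=8.0, onset=96):
    """Run both detectors over one constructed week and report what each saw."""
    res = residuals(build_series(bias_mw=bias_mw, onset=onset))
    return {
        "max_abs_z": max(abs(r) for r in res) / SIGMA_RESIDUAL_MW,
        "zscore_alarm_hour": zscore_alarm(res),
        "cusum_alarm_hour": cusum_alarm(res),
    }


if __name__ == "__main__":
    print(compare_detectors(bias_mw=0.0))   # clean week: neither detector fires
    print(compare_detectors(bias_mw=8.0))   # 1.6 sigma bias: z-score silent, CUSUM fires within hours of onset
    print(compare_detectors(bias_mw=2.0))   # 0.4 sigma bias: below the allowance k, CUSUM is silent too
```

The third case is the CUSUM's own blind spot: a shift smaller than the allowance k never accumulates, so k has to be chosen from the bias magnitude that would actually matter to dispatch, not from the noise floor alone.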
SCADA Attack Surface
Modern AI-integrated SCADA: load forecasting AI (Python/TensorFlow/PyTorch) runs alongside OT protocols. HTTP APIs expose /actuator/env (Spring Boot), /api/forecasts, /api/substations, often unauthenticated on internal segments. AI model update APIs (/api/model/update, /v1/fine_tune) allow weight injection. ICCP/TASE.2 (Inter-Control Center Communications Protocol, MMS over ISO-TSAP port 102; the 1911 used in ENUMERATE-GRID-INFRASTRUCTURE is Tridium Niagara Fox) enables cross-utility data exchange and is cited as the pivot vector for a multi-grid campaign.
GATE TIERS
OPEN
No key required. ENUMERATE-GRID-INFRASTRUCTURE, REPORT. Read-only reconnaissance and signed report generation.
INJECT
Requires GRIDLOCK_INJECT_KEY environment variable. INJECT-ADVERSARIAL-DATA, UNDER-FORECAST-DEMAND, HARVEST-GRID-DATA. Active payload injection subsystems.
UNLEASHED
Requires GRIDLOCK_UNLEASHED_KEY environment variable + ROE JSON file containing "energy grid cascading failure authorised". TRIGGER-PEAK-DEMAND, SUBSTATION-OVERLOAD, CASCADE-PROPAGATE, BLACKOUT-CONFIRM. Live cascade execution.
ARMAGEDDON
Requires GRIDLOCK_ARMAGEDDON_KEY environment variable + ROE JSON file containing "energy grid persistence backdoor authorised" + explicit --confirm-armageddon flag. PERSIST-GRID-BACKDOOR only. Installs 4 irreversible persistence mechanisms. Operator authority required.
TAGS
energy_grid_ai_exploitation scada_adversarial_ml fgsm_perturbation iec_60255_151 iec_60870_5_104 dnp3 modbus opc_ua iccp dc_power_flow ar24_forecasting load_forecasting relay_cascade nk_contingency critical_infrastructure blackout ot_exploitation Ed25519 ML-DSA-65 INJECT gate UNLEASHED gate ARMAGEDDON gate AML.T0043 AML.T0054 AML.T0040 T1565 T1499 T1190 T1552 T1543 L57