GridStratLLM: Agent Framework for Coordinated Cyberattacks on the Smart Grid with Large Language Models

A new cybersecurity threat emerges: Recent Large Language Models (LLMs) with advanced reasoning and tool calling enable even attackers lacking expert knowledge to coordinate large-scale attacks on Smart Grids (SG). These LLMs can orchestrate multiple malware instances, select appropriate signals and deltas, and execute data-modification attacks on the S7 and Modbus protocols. Thereby, the automatically generated attack progresses towards the targeted unsafe state and evades detection by the Intrusion Detection System (IDS). To assess this emerging threat, we introduce GridStratLLM, a novel agent framework for coordinated attacks on industrial networks. Furthermore, we evaluate attack plans generated by four frontier Large Language Models using the open-source Network Security Monitor (NSM) Zeek and a commercial NSM. Finally, we contribute a dataset recorded in a Hardware-in-the-Loop (HIL) testbed to support the training of IDS solutions against these attacks. The dataset is 24 hours and 11 minutes long, containing 436 attacks with 212 coordinated attacks.