IEC 60870-5-104 dataset
The evolution of the Industrial Internet of Things (IIoT) introduces several benefits, such as real-time monitoring, pervasive control and self-healing. However, despite these valuable services, security and privacy issues remain, given the presence of legacy and insecure communication protocols like IEC 60870-5-104. IEC 60870-5-104 is an industrial protocol widely applied in critical infrastructures, such as the smart electrical grid and industrial healthcare systems. The IEC 60870-5-104 Intrusion Detection Dataset was implemented in the context of the research paper entitled “Modeling, Detecting, and Mitigating Threats Against Industrial Healthcare Systems: A Combined Software Defined Networking and Reinforcement Learning Approach” [1], in the context of two H2020 projects: ELECTRON: rEsilient and seLf-healed EleCTRical pOwer Nanogrid (101021936) and SDN-microSENSE: SDN – microgrid reSilient Electrical eNergy SystEm (833955). This dataset includes labelled Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics (Comma-Separated Values (CSV) format) and IEC 60870-5-104 flow statistics (CSV format) related to twelve IEC 60870-5-104 cyberattacks. In particular, the cyberattacks are related to unauthorised commands and Denial of Service (DoS) activities against IEC 60870-5-104. Moreover, the relevant Packet Capture (PCAP) files are available. The dataset can be utilised for Artificial Intelligence (AI)-based Intrusion Detection Systems (IDS), taking full advantage of Machine Learning (ML) and Deep Learning (DL).
Download from: Zenodo, IEEE DataPort
DNP3 Intrusion Detection Dataset
In the digital era of the Industrial Internet of Things (IIoT), the conventional Critical Infrastructures (CIs) are transformed into smart environments with multiple benefits, such as pervasive control, self-monitoring and self-healing. However, this evolution is characterised by several cyberthreats due to the necessary presence of insecure technologies. DNP3 is an industrial communication protocol which is widely adopted in the CIs of the US. In particular, DNP3 allows the remote communication between Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). It can support various topologies, such as Master-Slave, Multi-Drop, Hierarchical and Multiple-Server. Initially, the architectural model of DNP3 consisted of three layers: (a) Application Layer, (b) Transport Layer and (c) Data Link Layer. DNP3 can now also be incorporated into the Transmission Control Protocol/Internet Protocol (TCP/IP) stack as an application-layer protocol. Nevertheless, similarly to other industrial protocols (e.g., Modbus and IEC 60870-5-104), DNP3 is characterised by severe security issues since it does not include any authentication or authorisation mechanisms. This dataset contains labelled Transmission Control Protocol (TCP) / Internet Protocol (IP) network flow statistics (Comma-Separated Values – CSV format) and DNP3 flow statistics (CSV format) related to 9 DNP3 cyberattacks. These cyberattacks are focused on DNP3 unauthorised commands and Denial of Service (DoS). The network traffic data are provided through Packet Capture (PCAP) files. Consequently, this dataset can be used to implement Artificial Intelligence (AI)-powered Intrusion Detection and Prevention Systems (IDPS) that rely on Machine Learning (ML) and Deep Learning (DL) techniques.
Download from: IEEE DataPort
Datasets of Man-in-the-middle Attacks Targeting Modbus TCP/IP and MMS protocols in the Smart Grid
The sustainable development of smart grids requires the massive deployment of renewable energy, in a highly distributed manner, introducing new challenges for the system operation. Therefore, the integration of information and communication technologies in sites with Distributed Energy Resources (DERs) is needed to monitor and control the operation of the DERs. In this scheme, a local controller is installed at each DER site to interact with the centralized applications at the grid level and the power equipment at the site level. This local controller uses client–server protocols (e.g., Modbus TCP/IP and IEC 61850 Manufacturing Message Specification (MMS)) to communicate with different power equipment in the Private Area Network (PAN) of the site. Such protocols often lack information confidentiality and integrity mechanisms. As a result, smart grids become vulnerable to cyber-attacks.
This repository contains datasets created to evaluate the detection and classification of man-in-the-middle attacks, operating in eavesdropping mode, targeting MMS and Modbus TCP/IP protocols in the PAN of the smart grid. Five flow-based features were used to create these datasets.
Download the datasets: Zenodo ELECTRON community
Dataset SUC1/S1-S4: Cyberattack scenarios on DER energy management and control
This dataset collection is related to four comprehensive cyber-attack scenarios which target the Modbus TCP communication protocol used for transmitting measurements from smart meters of RESs and DERs to the DER controller, as well as set-points sent to flexible DER inverters from the DER controller, aiming to affect the proper operation of the DER energy management and control function. The four scenarios are:
- SUC1/S1 – MITM with FDI cyber-attack on wind farm measurements
- SUC1/S2 – MITM with FDI cyber-attack on BSS measurements
- SUC1/S3 – MITM with FDI cyber-attack on BSS set-points
- SUC1/S4 – MITM with DoS cyber-attack
Download the dataset: Zenodo ELECTRON, support documentation for ELECTRON_SUC1 dataset, Cyber-attack affecting DER Energy Management and Control
Dataset for Sandboxing use case SUC2 related to cyber-attacks affecting Wide Area Protection
This dataset is related to the operation of the second KIOS CoE sandboxing use case (SUC2), which includes 3 scenarios (S1-S3) that examine the behavior of a WAP scheme of power grids in case of a short circuit fault and in case of two types of cyber-attacks. The architecture of the University of Cyprus/KIOS CoE sandboxing environment used for extracting these datasets, along with the full list of scenarios and their detailed implementation, is described in the supporting documents.
Download the datasets: Zenodo ELECTRON community.
Datasets for sandboxing use case SUC3 corresponding to cyber-attacks affecting the differential protection scheme of a HV transformer
These datasets reflect two main scenarios (S1-S2) associated with the operation of a sandboxing use case SUC3 corresponding to cyber-attacks affecting the differential protection scheme of a HV transformer. Details are illustrated in Section 1.3 of the supporting document. These scenarios analyse the operation of the digital twin of the IEEE 9-bus system and the differential protection scheme under healthy conditions, under a cyber-attack on communication channels of the IEC 61850 Sample Values (SVs) protocol, and under a fault on the HV side of a transformer in the power system. The scenarios are presented with selected time-series plots in Section 1.3, accompanied by a detailed analysis of the processes included and an impact assessment. During execution of each scenario, data such as electrical measurements were captured and are collected in the form of the datasets presented here.
Download the datasets: Zenodo ELECTRON community.
Dataset for KIOS CoE Sandboxing use-case SUC4 corresponding to cyber-attacks affecting the Coordinated Overcurrent Protection Scheme (IEC 61850 GOOSE)
The datasets reflect two main scenarios (S1-S2) related to SUC4, corresponding to cyber-attacks affecting the Coordinated Overcurrent Protection Scheme. The first scenario explores the response of the coordinated overcurrent protection when circuit breakers (CBs) are healthy, under normal operation, i.e., SUC4/S1 (without attack), and under an FDI cyberattack on the IEC 61850 – GOOSE communication protocol, i.e., SUC4/S1 (with FDI attack). Similarly, the second scenario investigates the response of the coordinated overcurrent protection when there is a mechanical failure in the CB of the downstream feeder, under normal operation, i.e., SUC4/S2 (without attack), and under a message suppression (MS) cyber-attack on the GOOSE protocol, i.e., SUC4/S2 (with MS attack). Details regarding the datasets captured during the execution of each scenario (with and without attacks), including electrical measurements and network traffic, are briefly summarized below, while the full details are provided in the supporting documents.
More information about the dataset is available in Zenodo ELECTRON community.
Dataset for KIOS CoE Sandboxing use-case SUC5 corresponding to cyber-attacks affecting the control of active distribution grids and microgrids
These datasets illustrate two primary scenarios (S1-S2) concerning the operation of the sandboxing use case SUC5 corresponding to cyber-attacks affecting the control of active distribution grids and microgrids. These scenarios examine the functioning of an active distribution grid and microgrid system, along with the effects of certain cyber-attacks in this context. The demonstration of each scenario is detailed in selected time-series plots which were described in detail in Section 1.3 of the supporting document of SUC5 (accompanied by an in-depth analysis of the processes and an impact assessment). All data captured during the execution of each scenario was collected, including electrical measurements, reference and set-point signals.
More information about the dataset is available in Zenodo ELECTRON community along with the supporting documentation.
Dataset for Detecting False Data Injection Attacks in GOOSE Protocol Communication between RTU and Bay Protection Unit
This dataset focuses on the detection and prevention of False Data Injection (FDI) attacks targeting the communication between a Remote Terminal Unit (RTU) and a Bay Protection Unit in a power substation, utilizing the Generic Object-Oriented Substation Event (GOOSE) protocol. It includes both clean traffic events and recorded instances of FDI attacks.
More information about the dataset is available in Zenodo ELECTRON community.
Dataset for Unauthorized Access Attacks on Digital Meter SICAM via TCP/IP Communication
This dataset captures network traffic involving unauthorized access attacks on a Digital Meter SICAM device within a controlled test environment. It includes both normal operations and simulated attacks over TCP/IP communication. The clean traffic records legitimate interactions between the Control Station and the SICAM meter, including successful logins, data retrievals, and routine logoffs at specified timestamps. The attack traffic documents an intruder’s activities after infiltrating the network: conducting network scans with Nmap, executing dictionary and brute-force attacks using Hydra to discover passwords, and accessing measured values on the SICAM meter.
More information about this dataset is available in Zenodo ELECTRON community.
Dataset for DoS and DDoS Attacks on Digital Meter SICAM via GOOSE Protocol Flooding
This dataset presents network traffic data from simulated Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on a Digital Meter SICAM device using the GOOSE protocol. An unauthorized attacker floods the SICAM meter’s communication by initially sending 100 GOOSE packets at 1 ms intervals, followed by an intensified attack of 500 GOOSE packets. These actions render the meter unreachable by the legitimate Control Station, disrupting normal operations and data retrieval processes.
More information about this dataset is available in Zenodo ELECTRON community.
Dataset for Advanced Persistent Threat (APT) Attacks on Power Substation Networks via GOOSE Protocol Exploitation
This dataset captures network traffic from a simulated Advanced Persistent Threat (APT) campaign targeting a power substation’s communication network. The attacker maintains a prolonged presence within the network, conducting low-profile scans using Nmap to stealthily discover the network configuration. The focus is on the communication between the Remote Terminal Unit (RTU), the Programmable Logic Controller (PLC), and the Bay Protection Unit, all of which utilize the Generic Object Oriented Substation Event (GOOSE) protocol for critical operations.
More information about this dataset is available in Zenodo ELECTRON community.