Providing SCADA Network Data Sets for Intrusion Detection Research
Antoine Lemay and José M. Fernandez, École Polytechnique de Montréal
High-profile attacks such as Stuxnet and the cyber attack on the Ukrainian power grid have increased research in Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) network security. However, due to the sensitive nature of these networks, there is little publicly available data for researchers to evaluate the effectiveness of proposed solutions. The lack of representative data sets makes evaluation and independent validation of emerging security solutions difficult and slows down progress towards effective and reusable solutions.
This paper presents our work to generate representative labeled data sets for SCADA networks that security researchers can use freely. The data sets consist of packet captures containing both malicious and non-malicious Modbus traffic, and accompanying CSV files that contain labels to provide the ground truth for supervised machine learning.
To provide representative data at the network level, the data sets were generated in a SCADA sandbox, where electrical network simulators were used to introduce realism in the physical component. Also, real attack tools, some of them custom built for Modbus networks, were used to generate the malicious traffic. Even though they do not fully replicate a production network, these data sets represent a good baseline to validate detection tools for SCADA systems.
author = {Antoine Lemay and Jose M. Fernandez},
title = {Providing {SCADA} Network Data Sets for Intrusion Detection Research},
booktitle = {9th Workshop on Cyber Security Experimentation and Test (CSET 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/cset16/workshop-program/presentation/lemay},
publisher = {USENIX Association},
month = aug
}