ICS-ADD - A Smart Industry Testbed Dataset for Cyber-Physical Security Monitoring Testing

Citation Author(s): Giovanni Battista Gaggero (University of Genova); Alessandro Armellin (University of Genova)
Submitted by: Giovanni Battis...
Last updated: Thu, 05/16/2024 - 08:16
DOI: 10.21227/4zht-tr07

Abstract

The increasing integration of cyber-physical systems in industrial environments has underscored the critical need for robust security measures to counteract evolving cyber threats. In response to this need, this work introduces an open-source dataset designed to enhance the development and evaluation of cybersecurity solutions for smart industries. The dataset comprises a traffic capture of an industrial control system (ICS) subjected to a variety of simulated cyber-attacks, including but not limited to denial of service (DoS), man-in-the-middle (MITM), and malware infiltration. In addition to raw network traffic, the dataset presents the output of two widely used open-source security monitoring tools, OSSIM (Open Source Security Information Management) and Suricata, which offer insight into the detection and analysis capabilities of existing security frameworks against these simulated threats. By providing a detailed account of attack methodologies, network traffic characteristics, and tool responses, this dataset serves as a valuable resource for researchers and practitioners aiming to develop, test, and benchmark new cyber-physical security monitoring and detection technologies.

Instructions:

All the details can be found in the paper:
Gaggero, Giovanni Battista, et al. "Industrial Control System-Anomaly Detection Dataset (ICS-ADD) for Cyber-Physical Security Monitoring in Smart Industry Environments." IEEE Access (2024).

traffic_capture_span.pcap --> This file is exported from Wireshark, an open-source packet analyzer, and contains all the network traffic captured in the selected time interval. For example, it is possible to distinguish the Modbus/TCP traffic exchanged between ScadaBr and OpenPLC as well as all the malicious traffic generated by the infected PC.

ScadaBr_events.csv --> ScadaBr records every change in the values of the configured data points. This file was produced by selecting all the parameters configured on ScadaBr. The evidence of the Modbus FDI attack is clear: at 12:21:18 the pump is maliciously activated without any manual intervention on the HMI. As a result, the level of the bottom reservoir decreases and the upper reservoir consequently starts to fill up. The Modbus FDI attack ends at 12:21:46, and the system automatically returns to its previous configuration.
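The Modbus FDI evidence described for ScadaBr_events.csv should also be visible in traffic_capture_span.pcap as a Modbus write request that does not originate from the HMI. The following added example (not part of the dataset or the paper) shows the detection logic a monitoring tool would apply: it parses the Modbus/TCP MBAP header of each TCP payload and flags write function codes sent by any host other than an allow-listed master. It assumes TCP payloads have already been extracted from the capture, uses constructed sample frames and documentation IP addresses, and assumes that ScadaBr is the only legitimate Modbus master.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change PLC state (coil/register writes).
# Read-only codes 1-4 are not flagged.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
MODBUS_TCP_PORT = 502


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP ADU.
    Returns None when the bytes are not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit, payload[7])


def find_unauthorized_writes(packets: List[Tuple[str, str, int, bytes]],
                             allowed_masters: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, function_code) for every Modbus write request whose
    source is not an allow-listed master such as the ScadaBr HMI."""
    findings = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is None or frame.function_code not in WRITE_FUNCTION_CODES:
            continue
        if src not in allowed_masters:
            findings.append((src, dst, frame.function_code))
    return findings


# Constructed sample traffic (not taken from the dataset): the HMI (.10) reads
# coils and then legitimately writes one; a second host (.99) then issues the
# same Write Single Coil (FC 5), the pattern of the FDI attack described above.
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"),
    ("192.0.2.10", "192.0.2.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x00\xff\x00"),
    ("192.0.2.99", "192.0.2.20", 502, b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x00\xff\x00"),
]

if __name__ == "__main__":
    for src, dst, fc in find_unauthorized_writes(SAMPLE_PACKETS, {"192.0.2.10"}):
        print(f"unauthorized Modbus write FC{fc} from {src} to {dst}")
```

Extending the allow-list with the PLC's own reply direction is unnecessary because responses travel from port 502, not to it, so only requests are inspected.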

OSSIM_events.csv --> This file is exported from the SIEM. The selected data sources are the NIDS (Suricata) and Syslog. Suricata analyzes the network traffic and populates the SIEM with alarms whenever a rule is matched. Syslog logs are generated by the firewall (pfSense), which is configured to forward the following types of logs to the SIEM: Firewall Events, DNS Events (Resolver/unbound, Forwarder/dnsmasq, filterdns), DHCP Events (DHCP Daemon, DHCP Relay, DHCP Client) and VPN Events (IPsec, OpenVPN, L2TP, PPPoE Server). The file has four columns: Event Name (in the case of alarms, the explicit message is given); Payload (all the details of the log are reported in this field); Src IP; Dst IP.