Real-Time ICS SCADA System Cyber Kit Testbed with Industrial Hacking Scenarios

Published: 25 June 2021| Version 1 | DOI: 10.17632/k76xhm22yj.1
Sinil Mubarak,


An innovative and cost-effective real-time network traffic testbed, which can mimic the industrial control system operation is introduced. The ICS portable kit package provides real industrial network flow data for research and to develop anomaly-based Machine learning algorithms for intrusion detection in ICS systems. The ICS cyber portable test kit can overcome the main concern for researchers on the dependence on public datasets which usually do not include all types of attacks to train and test the machine learning algorithms The ICS portable kit package consists of following components: PLC (IP address- SIMATIC S7-1200 Siemens for process operation simulation HMI (IP address- SIMATIC Basic panel Siemens for graphical interface Ethernet switch (IP address: Scalance XB213 Siemens with mirror port facility to copy the operational technology (OT)network traffic Process simulation modules- Analogue, digital inputs/outputs for field process simulation Physical sensor: Data collection of network traffic with Deep Packet Inspection (DPI) Attacker system: Launch OT attacks with Penetration test software Kali Linux Industrial Process Plant Operations: The ICS kit is possessed with input/output modules to mimic the field devices and its process variables, which are connected to PLC systems and to the HMI panel Mirrored Ethernet Switch: The ICS components of kit (PLC, HMI) are connected to Siemens ethernet switch for copying OT traffic Industrial Sensor: OT Sensors are used in passive mode, connected to the ethernet switch for metadata OT traffic extraction The test kit can also be attacked and tested with hacking penetration tools to obtain the industrial datasets, which are very difficult to get from the industries due to its sensitivity and criticality Each of the dataset instance has 06 data columns ( Timestamp of each packet, Source IP, Destination IP, OT Protocols, Summarized packet Info for DPI) The datasets include normal operation along with attack scenarios dedicated to OT ICS protocols domain and the contents include: 1. Stable mode of control system operation maintained for at least 10 minutes has 68965 instances 2. MITM attack scenario (ARP) with Ettercap tool for PLC/HMI communication has 52600 instances 3. Telnet communication for PLC/HMI ethernet switch has 13076 instances 4. Web-server access (HTTP) of PLC system with programming tool laptop scenario has 21435 instances The metadata extracted from info column in matrix data is pre-processed, transformed for Deep learning ML techniques for cyber attack abnormality detection MODBUS TCP -S7 ARP TELNET MODBUS LLDP HTTP [27617 x 4] [238x3] [89 x 1] [1503 x 5] [251 x 2] [910 x 1] More information is provided in the data paper which is currently under review: M. H. Habaebi,S. Mubarak (2021),Real-Time ICS SCADA System Testbed with Industrial Datasets Scenarios and Attack Detection Using Machine Learning Techniques, IASC