Here, we describe the attacks carried out for the test set of each scenario along with benign actions conducted by the grid operator.
Some attacks leave the grid in an undesired state, so the grid operator has to take a dedicated counteraction. After that, a short period of time passes before the grid reaches its desired operating state. The timing of the countermeasures and the time by which the grid has recovered from the attack’s impact are included in the tables as well. Please note that the “Recovered” time is a (worst-case) estimate to ease the evaluation of IDSs. The grid might be in a stable state earlier.
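The timing columns can be turned into ground-truth windows for scoring an IDS. The following added example (not part of the dataset's own tooling) parses rows in the table format used on this page, using three rows taken from the 01-Basic test table, and matches alert timestamps against them. It assumes alert times are seconds on the same clock as the Start Time column; the alert list and the 30-second `benign_slack` tolerance are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Rows 1, 2 and 4 of the 01-Basic test table on this page.
ROWS = """\
1 | Industroyer | True | 1:11:24 | 0:03:00 | 1:14:57 | 1:15:27 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
2 | Drift Off | True | 1:38:52 | 0:08:07 | – | 1:47:29 | As an MitM, the attackers perform a drift-off attack manipulating measurements sent to the control center |
4 | Generator Infeed Control | False | 2:45:11 | – | – | – | The control center sends commands to reduce the active power infeed of a generator to 75% (15 kW) |
"""

def to_seconds(cell: str) -> Optional[int]:
    """Convert H:MM:SS to seconds; the table's dash means 'not applicable'."""
    cell = cell.strip()
    if cell in ("", "-", "–"):
        return None
    h, m, s = (int(p) for p in cell.split(":"))
    return h * 3600 + m * 60 + s

@dataclass
class Event:
    id: int
    type: str
    attack: bool
    start: int
    duration: Optional[int]
    countermeasure: Optional[int]
    recovered: Optional[int]

def parse_rows(text: str) -> list:
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 8 or not cells[0].isdigit():
            continue  # skip header, separator and blank lines
        events.append(Event(int(cells[0]), cells[1], cells[2] == "True",
                            to_seconds(cells[3]), to_seconds(cells[4]),
                            to_seconds(cells[5]), to_seconds(cells[6])))
    return events

def window_end(ev: Event, benign_slack: int) -> int:
    if ev.attack:
        # "Recovered" is the worst-case end of the attack's impact.
        return ev.recovered if ev.recovered is not None else ev.start + (ev.duration or 0)
    # Benign actions have no recovery time; benign_slack is an assumed tolerance.
    return ev.start + (ev.duration or 0) + benign_slack

def score(events, alerts, benign_slack=30):
    """Match alerts to events; report latency and phase of the first hit per attack."""
    detected, false_positives = {}, []
    for t in sorted(alerts):
        hit = next((e for e in events
                    if e.start <= t <= window_end(e, benign_slack)), None)
        if hit is None or not hit.attack:
            # Alert outside every attack window; note the benign action, if any.
            false_positives.append((t, hit.id if hit else None))
        elif hit.id not in detected:
            active = hit.duration is not None and t <= hit.start + hit.duration
            detected[hit.id] = (t - hit.start, "attack" if active else "aftermath")
    missed = [e.id for e in events if e.attack and e.id not in detected]
    return {"detected": detected, "missed": missed,
            "false_positives": false_positives}

EVENTS = parse_rows(ROWS)
ALERTS = [4300, 4510, 6430, 9915, 12000]  # constructed alert times in seconds
RESULT = score(EVENTS, ALERTS)
```

Because "Recovered" is a worst-case estimate, an alert labelled `aftermath` may fall in a period when the grid was already stable, so it is worth reporting that phase separately from alerts raised while the attack was active.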
01-Basic
Training
ID | Type | Attack | Start Time | Duration | Countermeasure | Recovered | Description |
---|---|---|---|---|---|---|---|
1 | Cable maintenance | False | 0:21:23 | 0:00:30 | – | – | The control center issues control commands to disconnect a cable so that maintenance personnel can safely work on the cable. |
2 | Generator Control | False | 1:34:18 | – | – | – | The control center issues a control command to (re)connect a generator to the grid. |
3 | Transformer maintenance | False | 3:09:04 | – | – | – | The control center issues control commands to enable the maintenance of an MV/LV transformer |
4 | Separator movement | False | 5:17:46 | 0:00:05 | – | – | The control center issues control commands to move the separator position by closing and opening switches. |
5 | Generator control | False | 6:08:07 | – | – | – | The control center issues a command to set the power infeed of a generator to 700 kW. |
6 | Manual commands | False | 6:53:30 | – | – | – | Manual commands |
7 | Generator Control | False | 7:38:11 | – | – | – | The control center issues a control command to reduce the power infeed of a generator. |
Test
ID | Type | Attack | Start Time | Duration | Countermeasure | Recovered | Description |
---|---|---|---|---|---|---|---|
1 | Industroyer | True | 1:11:24 | 0:03:00 | 1:14:57 | 1:15:27 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
2 | Drift Off | True | 1:38:52 | 0:08:07 | – | 1:47:29 | As an MitM, the attackers perform a drift-off attack manipulating measurements sent to the control center |
3 | Industroyer | True | 2:12:11 | 0:02:50 | 2:15:47 | 2:16:17 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
4 | Generator Infeed Control | False | 2:45:11 | – | – | – | The control center sends commands to reduce the active power infeed of a generator to 75% (15 kW) |
5 | Control & Freeze | True | 3:11:32 | 0:06:00 | 3:19:14 | 3:19:44 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
6 | Cable Maintenance | False | 4:05:21 | 0:00:40 | – | – | The operator changes the grid’s topology by opening and closing switches to allow for cable maintenance, i.e., by completely disconnecting the respective line. |
7 | ARP Spoofing DoS | True | 4:11:23 | 0:02:06 | – | 4:14:00 | Using ARP Spoofing, the attackers interfere with the connections between the control center and one or multiple RTUs |
8 | Industroyer | True | 4:55:28 | 0:03:05 | 5:00:00 | 5:00:30 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
9 | Separator Movement | False | 5:28:56 | 0:00:07 | – | – | The operator issues control commands to move the separator in an open ring to optimize the power flow and reduce load on affected lines. |
10 | Drift Off | True | 5:47:42 | 0:08:14 | – | 5:56:27 | As an MitM, the attackers perform a drift-off attack manipulating measurements sent to the control center |
11 | Control & Freeze | True | 6:15:36 | 0:09:10 | 6:26:31 | 6:27:01 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
12 | Industroyer | True | 6:43:27 | 0:03:01 | 6:47:05 | 6:47:35 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
13 | Transformer Maintenance | False | 7:05:21 | – | – | – | The operator issues control commands to disconnect an MV/LV transformer from the grid, allowing safe maintenance. |
14 | Control & Freeze | True | 7:24:33 | 0:05:58 | 7:32:29 | 7:32:59 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
15 | Drift Off | True | 7:56:28 | 0:09:54 | – | 8:06:53 | As an MitM, the attackers perform a drift-off attack manipulating measurements sent to the control center |
16 | Industroyer | True | 8:11:58 | 0:02:57 | 8:16:23 | 8:16:53 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
17 | Generator Infeed Control | False | 8:32:42 | – | – | – | The control center issues control commands to change the infeed of a generator. |
18 | Control & Freeze | True | 8:46:44 | 0:05:31 | 8:53:41 | 8:54:11 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
19 | Industroyer | True | 9:18:57 | 0:02:52 | – | 9:22:20 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
20 | ARP Spoofing DoS | True | 9:51:05 | 0:02:08 | – | 9:53:44 | Using ARP Spoofing, the attackers interfere with the connections between the control center and one or multiple RTUs |
21 | Control & Freeze | True | 10:04:27 | 0:09:20 | 10:14:33 | 10:15:03 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
22 | Transformer Tap Control | False | 10:26:40 | – | – | – | The control center issues a control command (Step Down) to change the tap position of a transformer, influencing the voltage at the lower voltage side of the transformer. |
23 | Industroyer | True | 10:32:19 | 0:02:58 | 10:36:08 | 10:36:38 | The attackers perform an Industroyer-like attack, repeatedly sending commands to disrupt grid operations |
24 | Drift Off | True | 10:46:32 | 0:08:17 | – | 10:55:20 | As an MitM, the attackers perform a drift-off attack manipulating measurements sent to the control center |
25 | Transformer Tap Control | False | 11:07:00 | – | – | – | The control center issues a control command (Step Up) to change the tap position of a transformer, influencing the voltage at the lower voltage side of the transformer. |
26 | Topology Change | False | 11:32:50 | 0:00:30 | – | – | The operator issues a control command to change the grid’s topology |
27 | Topology Change | False | 11:37:02 | 0:00:24 | – | – | The operator issues a control command to change the grid’s topology, reducing the load on a specific part of the grid |
28 | Cable Maintenance | False | 11:52:11 | 0:00:44 | – | – | The control center issues control commands to allow for cable maintenance. To reduce the load on the remaining lines, the infeed of a generator is reduced. |
02-Semiurban
Training
ID | Type | Attack | Start Time | Duration | Countermeasure | Recovered | Description |
---|---|---|---|---|---|---|---|
1 | Separator Movement | False | 0:58:45 | 0:00:20 | – | – | The control center issues control commands to move the open segment of an open ring |
2 | Transformer Maintenance | False | 1:45:15 | 0:06:40 | – | – | The control center issues control commands to fully disconnect an MV/LV transformer from the grid to enable safe maintenance. Afterward, the transformer is reconnected. |
3 | Generator Bootstrap | False | 2:43:13 | – | – | – | The control center issues a control command to connect a new generator to the grid |
4 | Generator Control | False | 3:19:36 | – | – | – | The control center issues a control command to reduce the power infeed of a wind turbine |
5 | Separator Movement | False | 4:15:20 | 0:00:14 | – | – | The control center issues control commands to move the open segment of an open ring |
6 | Close Ring | False | 6:33:44 | – | – | – | The control center issues a control command to close a previously open ring |
7 | Open Ring | False | 7:18:24 | – | – | – | The control center issues a control command to open the previously closed ring |
8 | Generator Control | False | 8:52:04 | – | – | – | The control center issues a control command to reduce the power infeed of a wind turbine |
9 | Generator Control | False | 10:49:41 | – | – | – | The control center issues a control command to restore the power infeed of a wind turbine |
Test
ID | Type | Attack | Start Time | Duration | Countermeasure | Recovered | Description |
---|---|---|---|---|---|---|---|
1 | ARP Spoofing DoS | True | 0:23:23 | 0:02:16 | – | 0:26:09 | ARP Spoofing DoS against 5 RTUs |
2 | Control & Freeze | True | 0:32:38 | 0:05:58 | 0:39:07 | 0:39:37 | The MitM issues a control command to disconnect the low voltage section of a DSS |
3 | Industroyer | True | 0:53:29 | 0:03:01 | 0:57:00 | 0:57:30 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
4 | Transformer Maintenance | False | 1:13:43 | 0:06:00 | – | – | The control center issues control commands to disconnect an MV/LV transformer, enabling safe maintenance of this transformer |
5 | ARP Spoofing DoS | True | 1:23:13 | 0:02:33 | – | 1:26:16 | ARP Spoofing DoS against 4 RTUs |
6 | Separator Movement | False | 1:47:44 | 0:00:33 | – | – | The control center issues commands to move the separator within an open loop to another line |
7 | Drift Off | True | 2:03:37 | 0:08:05 | – | 2:12:13 | The MitM manipulates the voltage measurements of 4 buses, dissembling an undervoltage situation |
8 | Control & Freeze | True | 2:33:31 | 0:11:18 | 2:45:20 | 2:45:50 | The MitM issues a control command to slowly reduce the power infeed of two generators |
9 | Drift Off | True | 2:46:36 | 0:08:15 | – | 2:55:21 | The MitM manipulates the voltage measurements of a bus to fluctuate, dissembling a faulty measurement device |
10 | Generator Bootstrap | False | 3:10:50 | – | – | – | The control center issues a command to connect a previously inactive wind turbine to the grid |
11 | Industroyer | True | 3:28:36 | 0:02:50 | 3:31:57 | 3:32:27 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
12 | ARP Spoofing DoS | True | 3:49:12 | 0:02:04 | – | 3:51:46 | ARP Spoofing DoS against 3 RTUs |
13 | Drift Off | True | 4:02:48 | 0:09:55 | – | 4:13:14 | The MitM manipulates the voltage measurements of a bus to increase to ~1.38 pu, dissembling a local overvoltage situation |
14 | Generator Control | False | 4:18:48 | – | – | – | The control center issues a command to modify the power infeed of a wind turbine |
15 | Control & Freeze | True | 4:41:32 | 0:09:16 | 4:51:19 | 4:51:49 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
16 | Control & Freeze | True | 4:52:34 | 0:05:26 | 4:58:31 | 4:59:01 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
17 | Drift Off | True | 5:09:57 | 0:08:16 | – | 5:18:43 | The MitM manipulates voltage and power measurements, dissembling an increase in power infeed |
18 | ARP Spoofing DoS | True | 5:25:27 | 0:02:02 | – | 5:27:59 | ARP Spoofing DoS against a single RTU |
19 | Control & Freeze | True | 5:36:37 | 0:09:18 | 5:46:28 | 5:46:58 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
20 | Drift Off | True | 6:05:25 | 0:09:55 | – | 6:15:50 | The MitM manipulates the measurements of a line, dissembling an increase in loading. |
21 | Cable Maintenance | False | 6:25:42 | 0:00:01 | – | – | The control center issues commands to fully disconnect a line, enabling safe maintenance of this line |
22 | Drift Off | True | 6:37:47 | 0:09:07 | – | 6:47:25 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
23 | ARP Spoofing DoS | True | 6:59:14 | 0:02:12 | – | 7:01:57 | ARP Spoofing DoS against 3 RTUs |
24 | ARP Spoofing DoS | True | 7:11:11 | 0:01:45 | – | 7:13:26 | ARP Spoofing DoS against a single RTU |
25 | Industroyer | True | 7:28:54 | 0:03:06 | 7:32:31 | 7:33:01 | The attacker sends repeated control commands to open and close different switches |
26 | Industroyer | True | 7:40:13 | 0:03:01 | – | 7:43:45 | The attacker sends repeated control commands to force a switch to stay closed |
27 | Separator Movement | False | 7:56:55 | 0:00:16 | – | – | The control center issues commands to move the separator within an open loop to another line |
28 | Drift Off | True | 8:12:43 | 0:08:09 | – | 8:21:23 | The MitM manipulates voltage measurements of multiple buses |
29 | Close Ring | False | 8:49:51 | – | – | – | The operator issues a control command to close a previously open ring within the grid topology |
30 | Industroyer | True | 9:12:23 | 0:02:58 | 9:15:52 | 9:16:22 | The attacker sends repeated commands to reduce the active power of a storage |
31 | Industroyer | True | 9:23:51 | 0:02:53 | 9:27:14 | 9:27:44 | The attacker sends repeated control commands to open switches, disconnecting a part of the grid |
32 | Industroyer | True | 9:33:54 | 0:02:58 | 9:37:23 | 9:37:53 | The attacker sends repeated control commands to disconnect the low voltage grid at a specific transformer |
33 | Drift Off | True | 9:47:01 | 0:07:21 | – | 9:54:53 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
34 | Open Ring | False | 10:00:39 | – | – | – | The operator issues a control command to open the previously closed ring within the grid topology |
35 | Drift Off | True | 10:35:26 | 0:15:40 | – | 10:51:37 | The MitM manipulates measurements of a load, dissembling an extreme increase in demand |
36 | Industroyer | True | 10:52:32 | 0:03:40 | 10:56:42 | 10:57:12 | The attacker sends repeated control commands to disconnect a load from the grid |
37 | Industroyer | True | 11:12:30 | 0:03:14 | 11:16:15 | 11:16:45 | The attacker sends repeated control commands to disconnect a generator from the grid |
38 | Generator Control | False | 11:25:33 | – | – | – | The control center issues a control command to reduce the power infeed of a wind turbine |
39 | Generator Control | False | 11:34:35 | – | – | – | The control center issues a control command to restore the power infeed of a wind turbine |
03-Rural
Test
ID | Type | Attack | Start Time | Duration | Countermeasure | Recovered | Description |
---|---|---|---|---|---|---|---|
1 | Generator Control | False | 0:15:49 | – | – | – | The control center issues a control command to change the power infeed of a hydro electric turbine |
2 | Industroyer | True | 0:38:21 | 0:02:52 | 0:41:44 | 0:42:14 | The attacker sends repeated control commands to open switches, disconnecting a part of the grid |
3 | ARP Spoofing DoS | True | 1:00:14 | 0:01:48 | – | 1:02:32 | ARP Spoofing DoS against two RTUs |
4 | Drift Off | True | 1:10:30 | 0:16:10 | – | 1:27:11 | The MitM manipulates measurements of a load, dissembling an extreme increase in demand |
5 | Close Ring | False | 1:37:00 | – | – | – | The operator issues a control command to close a previously open ring within the grid topology |
6 | Control & Freeze | True | 1:54:11 | 0:11:37 | 2:06:19 | 2:06:49 | The MitM issues a control command to slowly reduce the power infeed of two generators |
7 | Control & Freeze | True | 2:26:30 | 0:09:37 | 2:36:38 | 2:37:08 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
8 | Drift Off | True | 2:42:39 | 0:07:30 | – | 2:50:40 | The MitM manipulates voltage measurements of multiple buses |
9 | ARP Spoofing DoS | True | 3:06:51 | 0:02:02 | – | 3:09:23 | ARP Spoofing DoS against a single RTU |
10 | Control & Freeze | True | 3:26:03 | 0:08:55 | 3:35:28 | 3:35:58 | The MitM issues a control command to disconnect a DSS |
11 | Drift Off | True | 3:43:47 | 0:09:38 | – | 3:53:55 | The MitM manipulates the voltage measurements of a bus to increase to ~1.38 pu, dissembling a local overvoltage situation |
12 | Generator Control | False | 4:07:47 | – | – | – | The control center issues a command to modify the power infeed of a wind turbine |
13 | Drift Off | True | 4:22:29 | 0:07:57 | – | 4:30:57 | The MitM manipulates the voltage measurements of 4 buses, dissembling an undervoltage situation |
14 | ARP Spoofing DoS | True | 4:39:47 | 0:01:57 | – | 4:42:15 | ARP Spoofing DoS against 4 RTUs |
15 | ARP Spoofing DoS | True | 5:04:22 | 0:02:18 | – | 5:07:10 | ARP Spoofing DoS against 2 RTUs |
16 | Control & Freeze | True | 5:16:18 | 0:05:25 | 5:22:14 | 5:22:44 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
17 | Industroyer | True | 5:35:05 | 0:02:59 | 5:38:34 | 5:39:04 | The attacker sends repeated control commands to disconnect the low voltage grid at a specific transformer |
18 | Industroyer | True | 5:51:50 | 0:03:39 | 5:56:00 | 5:56:30 | The attacker sends repeated control commands to disconnect a load from the grid |
19 | Control & Freeze | True | 6:03:55 | 0:09:15 | 6:13:41 | 6:14:11 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disrupt the grid’s operation are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (e.g., a local blackout) from the control center. |
20 | Cable Maintenance | False | 6:35:02 | – | – | – | The control center issues commands to fully disconnect a line, enabling safe maintenance of this line |
21 | Drift Off | True | 6:56:58 | 0:08:53 | – | 7:06:21 | The MitM manipulates voltage and power measurements, dissembling an increase in power infeed |
22 | Separator Movement | False | 7:13:02 | 0:00:33 | – | – | The control center issues commands to move the separator within an open loop to another line |
23 | ARP Spoofing DoS | True | 7:33:13 | 0:02:15 | – | 7:35:59 | ARP Spoofing DoS against 4 RTUs |
24 | ARP Spoofing DoS | True | 7:46:09 | 0:02:12 | – | 7:48:52 | ARP Spoofing DoS against 3 RTUs |
25 | Industroyer | True | 8:05:18 | 0:03:01 | – | 8:08:50 | The attacker sends repeated control commands to force a switch to stay closed |
26 | Industroyer | True | 8:17:32 | 0:02:57 | 8:21:00 | 8:21:30 | The attacker sends repeated commands to reduce the active power of a storage |
27 | Industroyer | True | 8:35:35 | 0:03:05 | 8:39:11 | 8:39:41 | The attacker sends repeated control commands to open and close different switches |
28 | Drift Off | True | 8:52:39 | 0:07:40 | – | 9:00:50 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
29 | Separator Movement | False | 9:32:48 | 0:00:16 | – | – | The control center issues commands to move the separator within an open loop to another line |
30 | Drift Off | True | 9:38:12 | 0:09:40 | – | 9:48:23 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
31 | Industroyer | True | 10:16:38 | 0:02:50 | 10:19:59 | 10:20:29 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
32 | Drift Off | True | 10:29:02 | 0:08:27 | – | 10:37:59 | The MitM manipulates the voltage measurements of a bus to fluctuate, dissembling a faulty measurement device |
33 | Industroyer | True | 10:42:53 | 0:03:00 | 10:46:24 | 10:46:54 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
34 | Open Ring | False | 10:57:04 | – | – | – | The operator issues a control command to open the previously closed ring within the grid topology |
35 | Generator Control | False | 11:11:49 | – | – | – | The control center issues a control command to reduce the power infeed of a wind turbine |
36 | Drift Off | True | 11:46:24 | 0:09:59 | – | 11:56:54 | The MitM manipulates the measurements of a line, dissembling an increase in loading. |