Here, we describe the attacks carried out for the test set of each scenario. We also plot the the time series for each data point.
01-Basic
Training
| ID | Type | Attack | Start Time | Duration | Description |
|---|---|---|---|---|---|
| 1 | Cable maintenance | False | 0:21:23 | 0:00:30 | The control center issues control commands to disconnect a cable, enabling maintenance personnel safe interactions with the cable. |
| 2 | Generator Control | False | 1:34:18 | – | The control center issues a control command to (re)connect a generator to the grid. |
| 3 | Transformer maintenance | False | 3:09:04 | – | The control center issues control commands to enable the maintenance of an MV/LV transformer |
| 4 | Separator movement | False | 5:17:46 | 0:00:05 | The control center issues control commands to move the separator position by closing and opening switches. |
| 5 | Generator control | False | 6:08:07 | – | The control center issues a command to set the power infeed of a generator to 700 kW. |
| 6 | Manual commands | False | 6:53:30 | – | Manual commands |
| 7 | Generator Control | False | 7:38:11 | – | The control center issues a control command to reduce the power infeed of a generator. |
Test
| ID | Type | Attack | Start Time | Duration | Description |
|---|---|---|---|---|---|
| 1 | Host Insertion | True | 0:04:30 | – | The attackers physically attach a new host to the network |
| 2 | Industroyer | True | 1:11:24 | 0:03:00 | The attackers perform an industroyer-like attack, repeatedly sending commands to open circuit breakers |
| 3 | Attack Countermeasure | False | 1:14:57 | – | The control center sends manual commands to counteract the previous Industroyer attack by closing two switches |
| 4 | Drift Off | True | 1:38:52 | 0:08:07 | As an MitM, the attackers perfom a drift-off attack manipulating the voltage readings at two buses to drift off towards predefined factors. |
| 5 | Industroyer | True | 2:12:11 | 0:02:50 | Industroyer-like attack disconnecting a power generation facility from the grid |
| 6 | Attack Countermeasure | False | 2:15:47 | – | The control center sends manual commands to counteract the previous Industroyer attack. |
| 7 | Generator Infeed Control | False | 2:45:11 | – | The control center sends commands to reduce the active power infeed of a generator to 75% (15 kW) |
| 8 | Control & Freeze | True | 3:11:32 | 0:06:00 | As a MitM, the attackers perform a control & freeze attack: First, measurements at one or multiple RTUs are recorded and their trend is interpolated. Then, control commands to disconnect switches are inserted into the active connection(s). Future measurements are manipulated to mimic the former trend, hiding the attack’s effects (a local blackout) from the control center. |
| 9 | Attack Countermeasure | False | 3:19:14 | – | The control center issues manual commands to counteract the previous Control & Freeze attack. |
| 10 | Cable Maintenance | False | 4:05:21 | 0:00:40 | The operator changes the grid’s topology by opening and closing switches to allow for a cable maintenance, i.e., by completely disconnecting the respective line. |
| 11 | Arp Spoofing DoS | True | 4:11:23 | 0:02:06 | Using ARP Spoofing, the attackers interfere with the connections between the control center and two RTUs |
| 12 | Industroyer | True | 4:55:28 | 0:03:05 | Industroyer-like attack open circuit breakers to disconnect a part of the grid |
| 13 | Attack Countermeasure | False | 5:00:00 | – | The control center issues manual commands to counteract the previous Industroyer attack. |
| 14 | Separator Movement | False | 5:28:56 | 0:00:07 | The operator issues control commands to move the separator in an open ring to optimize the power flow and reduce load on affected lines. |
| 15 | Drift Off | True | 5:47:42 | 0:08:14 | As an MitM, the attackers perform a drift-off attack against a single bus voltage measurement to experience excessive amounts of noise, provoking the classification of a faulty sensor. |
| 16 | Control & Freeze | True | 6:15:36 | 0:09:10 | Following the previous Control & Freeze attack, the attackers now manipulate the power infeed of a generator. To further mask the attack’s effects, the infeed is reduced gradually over time using a secondary connection. |
| 17 | Attack Countermeasure | False | 6:26:31 | – | The control center issues commands to reset the power infeed as a countermeasure to the previous Control & Freeze attack. |
| 18 | Industroyer | True | 6:43:27 | 0:03:01 | Industroyer-like attack, disconnecting a consumer (load) from the grid. |
| 19 | Attack Countermeasure | False | 6:47:05 | – | The control center issues manual commands to counteract the previous Industroyer attack. |
| 20 | Transformer Maintenance | False | 7:05:21 | – | The operator issues control commands to disconnect an MV/LV transformer from the grid, allowing safe maintenance. |
| 21 | Control & Freeze | True | 7:24:33 | 0:06:01 | Using a central vantage point in the network, the attackers attack over 10 RTUs simultaneously for measurement manipulation, allowing the attacker to control a significant portion of all measurements. In the control phase, a local blackout is induced and then masked during the freeze phase. |
| 22 | Attack Countermeasure | False | 7:32:29 | – | The control center issues commands to reset the power grid’s topology as a countermeasure to the previous Control & Freeze attack. |
| 23 | Drift Off | True | 7:56:28 | 0:09:58 | As an MitM, the attackers perform a drift-off attack manipulating the voltage measurement at a single bus towards a strict over-voltage condition. |
| 24 | Industroyer | True | 8:11:58 | 0:02:57 | Industroyer-like attack, reducing the power infeed of a power generation facility |
| 25 | Attack Countermeasure | False | 8:16:23 | – | The control center issues control commands to reset the power infeed as a countermeasure to the previous Industroyer attack. |
| 26 | Generator Infeed Control | False | 8:32:42 | – | The control center issues control commands to change the infeed of a generator. |
| 27 | Control & Freeze | True | 8:46:44 | 0:05:30 | Similar to the previous control & freeze attack, the attackers induce a local blackout and manipulate the measurements at multiple RTUs. |
| 28 | Attack Countermeasure | False | 8:53:41 | – | The control center issues control commands to counteract the effects of the previous control & freeze attack |
| 29 | Industroyer | True | 9:18:57 | 0:02:52 | Industroyer-like attack, repeatedly forcing circuit breakers to be closed (limiting the operators control) |
| 30 | ARP Spoofing DoS | True | 9:51:05 | 0:02:08 | Using ARP Spoofing, the attackers interfere with the connections between the control center and two RTUs |
| 31 | Control & Freeze | True | 10:04:27 | 0:09:17 | As an MitM, the attackers record and manipulate measurements before inserting control commands to gradually reduce the power infeed of a generator using a secondary connection. |
| 32 | Attack Countermeasure | False | 10:14:33 | – | The control center issues commands to counteract the previous control & freeze attack |
| 33 | Transformer Tap Control | False | 10:26:40 | – | The control center issues a control command (Step Down) to change the tap position of a transformer, influencing the voltage at the lower voltage side of the transformer. |
| 34 | Industroyer | True | 10:32:19 | 0:02:58 | Industroyer-like attack, disconnecting multiple generators and storages |
| 35 | Attack Countermeasure | False | 10:36:08 | – | The control center issues commands to counteract the previous industroyer attack. |
| 36 | Drift Off | True | 10:46:32 | 0:08:17 | As an MitM, the attackers perform a drift-off attack manipulating the active and reactive power measurements of two loads, inducing noise and excessive power consumption. |
| 37 | Transformer Tap Control | False | 11:07:00 | – | The control center issues a control command (Step Up) to change the tap position of a transformer, influencing the voltage at the lower voltage side of the transformer. |
| 38 | Topology Change | False | 11:32:50 | 0:00:30 | The operator issues control command to change the grid’s topology |
| 39 | Topology Change | False | 11:37:02 | 0:00:24 | The operator issues control command to change the grid’s topology, reducing the load on a specific part of the grid |
| 40 | Cable Maintenance | False | 11:52:11 | 0:00:44 | The control center issues control commands to allow for a cable maintenance. To reduce the load on the remaining lines, the infeed of a generator is reduced. |
02-Semiurban
Training
| ID | Type | Attack | Start Time | Duration | Description |
|---|---|---|---|---|---|
| 1 | Separator Movement | False | 0:58:45 | 0:00:20 | The separator of an open ring in the grid is moved by first closing a disconnecting switch before opening another switch to control the power flow of two wind power plants. |
| 2 | Transformer Maintenance | False | 1:25:15 | 0:06:40 | An MV/LV transformer is disconnected for maintenance |
| 3 | Generator Bootstrap | False | 2:03:13 | – | A wind power plant is connected to the power grid which has not been connected previously |
| 4 | Generator Infeed Control | False | 2:45:36 | – | The infeed of a generator is reduced |
| 5 | Separator Movement | False | 3:55:20 | 0:00:14 | A separator of an open ring is moved to control the flow of power within the grid |
| 6 | Close Ring | False | 4:33:44 | – | The topology is changed to close a ring, reducing the load of involved lines |
| 7 | Open Ring | False | 4:48:24 | – | The previously opened ring is closed again |
| 8 | Generator Infeed Control | False | 5:52:04 | – | The infeed of a generator is reduced |
| 9 | Generator Infeed Control | False | 6:49:41 | – | The infeed of the generator is restored to the previously (unrestricted) infeed |
Test
| ID | Type | Attack | Start Time | Duration | Description |
|---|---|---|---|---|---|
| 1 | ARP Spoofing DoS | True | 0:23:23 | 0:02:16 | ARP Spoofing DoS against 5 RTUs |
| 2 | Control & Freeze | True | 0:32:38 | 0:05:58 | The MitM issues a control command to disconnect the low voltage section of a DSS |
| 3 | Attack Countermeasure | False | 0:39:07 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 4 | Industroyer | True | 0:53:29 | 0:03:01 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
| 5 | Attack Countermeasure | False | 0:57:00 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 6 | Transformer Maintenance | False | 1:13:43 | 0:06:00 | The control center issues control commands to disconnect an MV/LV transformer, enabling safe maintenance of this transformer |
| 7 | ARP Spoofing DoS | True | 1:23:13 | 0:02:33 | ARP Spoofing DoS against 4 RTUs |
| 8 | Separator Movement | False | 1:47:44 | 0:00:33 | The control center issues commands to move the separator within an open loop to another line |
| 9 | Drift Off | True | 2:03:37 | 0:08:05 | The MitM manipulates the voltage measurements of 4 buses, dissembling an undervoltage situation |
| 10 | Control & Freeze | True | 2:33:31 | 0:11:18 | The MitM issues a control command to slowly reduce the power infeed of two generators |
| 11 | Attack Countermeasure | False | 2:45:20 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 12 | Drift Off | True | 2:46:36 | 0:08:15 | The MitM manipulates the voltage measurements of a bus to fluctuate, dissembling a faulty measurement device |
| 13 | Generator Bootstrap | False | 3:10:50 | – | The control center issues a command to connect a previously inactive wind turbine to the grid |
| 14 | Industroyer | True | 3:28:36 | 0:02:50 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
| 15 | Attack Countermeasure | False | 3:31:57 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 16 | ARP Spoofing DoS | True | 3:49:12 | 0:02:04 | ARP Spoofing DoS against 3 RTUs |
| 17 | Drift Off | True | 4:02:48 | 0:09:55 | The MitM manipulates the voltage measurements of a bus to increase to ~1.38 pu, dissembling a local overvoltage situation |
| 18 | Generator Control | False | 4:18:48 | – | The control center issues a command to modify the power infeed of a wind turbine |
| 19 | Control & Freeze | True | 4:41:32 | 0:09:16 | Control-and-freeze |
| 20 | Attack Countermeasure | False | 4:51:19 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 21 | Control & Freeze | True | 4:52:34 | 0:05:26 | Control-and-freeze |
| 22 | Attack Countermeasure | False | 4:58:30 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 23 | Drift Off | True | 5:09:57 | 0:08:16 | The MitM manipulates voltage and power measurements, dissembling an increase in power infeed |
| 24 | ARP Spoofing DoS | True | 5:25:27 | 0:02:02 | ARP Spoofing DoS against a single RTU |
| 25 | Control & Freeze | True | 5:36:37 | 0:09:18 | Control-and-freeze |
| 26 | Attack Countermeasure | False | 5:46:26 | 0:00:01 | The control center issues control commands to counteract the previous control & freeze attack |
| 27 | Drift Off | True | 6:05:25 | 0:09:55 | The MitM manipulates the measurements of a line, dissembling an increase in loading. |
| 28 | Cable Maintenance | False | 6:25:42 | 0:00:01 | The control center issues commands to fully disconnect a line, enabling safe maintenance of this line |
| 29 | Drift Off | True | 6:37:47 | 0:09:07 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
| 30 | ARP Spoofing DoS | True | 6:59:14 | 0:02:12 | ARP Spoofing DoS against 3 RTUs |
| 31 | ARP Spoofing DoS | True | 7:11:11 | 0:01:45 | ARP Spoofing DoS against a single RTU |
| 32 | Industroyer | True | 7:28:54 | 0:03:06 | The attacker sends repeated control commands to open and close different switches |
| 33 | Attack Countermeasure | False | 7:32:31 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 34 | Industroyer | True | 7:40:13 | 0:03:01 | The attacker sends repeated control commands to force a switch to stay closed |
| 35 | Separator Movement | False | 7:56:55 | 0:00:16 | The control center issues commands to move the separator within an open loop to another line |
| 36 | Drift Off | True | 8:12:43 | 0:08:09 | The MitM manipulates voltage measurements of multiple buses |
| 37 | Close Ring | False | 8:49:51 | – | The operator issues a control command to close a previously open ring within the grid topology |
| 38 | Industroyer | True | 9:12:23 | 0:02:58 | The attacker sends repeated commands to reduce the active power of a storage |
| 39 | Attack Countermeasure | False | 9:15:52 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 40 | Industroyer | True | 9:23:51 | 0:02:53 | The attacker sends repeated control commands to open switches, disconnecting a part of the grid |
| 41 | Attack Countermeasure | False | 9:27:14 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 42 | Industroyer | True | 9:33:54 | 0:02:58 | The attacker sends repeated control commands to disconnect the low voltage grid at a specific transformer |
| 43 | Attack Countermeasure | False | 9:37:23 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 44 | Drift Off | True | 9:47:01 | 0:07:21 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
| 45 | Open Ring | False | 10:00:39 | – | The operator issues a control command to open the previously closed ring within the grid topology |
| 46 | Drift Off | True | 10:35:26 | 0:15:40 | The MitM manipulates measurements of a load, dissembling an extreme increase in demand |
| 47 | Industroyer | True | 10:52:32 | 0:03:40 | The attacker sends repeated control commands to disconnect a load from the grid |
| 48 | Attack Countermeasure | False | 10:56:42 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 49 | Industroyer | True | 11:12:30 | 0:03:14 | The attacker sends repeated control commands to disconnect a generator from the grid |
| 50 | Attack Countermeasure | False | 11:16:15 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 51 | Generator Control | False | 11:25:33 | – | The control center issues a control command to reduce the power infeed of a wind turbine |
| 52 | Generator Control | False | 11:34:35 | – | The control center issues a control command to restore the power infeed of a wind turbine |
03-Rural
Test
| ID | Type | Attack | Start Time | Duration | Description |
|---|---|---|---|---|---|
| 1 | Generator Control | False | 0:15:49 | – | The control center issues a control command to change the power infeed of a hydro electric turbine |
| 2 | Industroyer | True | 0:38:21 | 0:02:52 | The attacker sends repeated control commands to open switches, disconnecting a part of the grid |
| 3 | Attack Countermeasure | False | 0:41:44 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 4 | ARP Spoofing DoS | True | 1:00:16 | 0:01:48 | ARP Spoofing DoS against two RTUs |
| 5 | Drift Off | True | 1:10:30 | 0:16:07 | The MitM manipulates measurements of a load, dissembling an extreme increase in demand |
| 6 | Close Ring | False | 1:37:00 | – | The operator issues a control command to close a previously open ring within the grid topology |
| 7 | Control & Freeze | True | 1:54:15 | 0:11:41 | The MitM issues a control command to slowly reduce the power infeed of two generators |
| 8 | Attack Countermeasure | False | 2:06:27 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 9 | Control & Freeze | True | 2:26:30 | 0:09:41 | Control-and-freeze |
| 10 | Attack Countermeasure | False | 2:36:41 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 11 | Drift Off | True | 2:40:41 | 0:07:33 | The MitM manipulates voltage measurements of multiple buses |
| 12 | ARP Spoofing DoS | True | 3:06:53 | 0:02:02 | ARP Spoofing DoS against a single RTU |
| 13 | Control & Freeze | True | 3:26:03 | 0:08:58 | The MitM issues a control command to disconnect a DSS |
| 14 | Drift Off | True | 3:33:51 | 0:09:35 | The MitM manipulates the voltage measurements of a bus to increase to ~1.38 pu, dissembling a local overvoltage situation |
| 15 | Attack Countermeasure | False | 3:35:31 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 16 | Generator Control | False | 4:07:47 | – | The control center issues a command to modify the power infeed of a wind turbine |
| 17 | Drift Off | True | 4:22:29 | 0:07:56 | The MitM manipulates the voltage measurements of 4 buses, dissembling an undervoltage situation |
| 18 | ARP Spoofing DoS | True | 4:39:48 | 0:01:57 | ARP Spoofing DoS against 4 RTUs |
| 19 | ARP Spoofing DoS | True | 5:04:23 | 0:02:18 | ARP Spoofing DoS against 2 RTUs |
| 20 | Control & Freeze | True | 5:16:18 | 0:05:29 | Control-and-freeze |
| 21 | Attack Countermeasure | False | 5:22:18 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 22 | Industroyer | True | 5:35:07 | 0:02:58 | The attacker sends repeated control commands to disconnect the low voltage grid at a specific transformer |
| 23 | Attack Countermeasure | False | 5:38:36 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 24 | Industroyer | True | 5:51:52 | 0:03:39 | The attacker sends repeated control commands to disconnect a load from the grid |
| 25 | Attack Countermeasure | False | 5:56:02 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 26 | Control & Freeze | True | 6:03:56 | 0:09:16 | Control-and-freeze |
| 27 | Attack Countermeasure | False | 6:13:42 | – | The control center issues control commands to counteract the previous control & freeze attack |
| 28 | Cable Maintenance | False | 6:35:02 | – | The control center issues commands to fully disconnect a line, enabling safe maintenance of this line |
| 29 | Drift Off | True | 6:57:02 | 0:08:53 | The MitM manipulates voltage and power measurements, dissembling an increase in power infeed |
| 30 | Separator Movement | False | 7:10:02 | 0:00:33 | The control center issues commands to move the separator within an open loop to another line |
| 31 | ARP Spoofing DoS | True | 7:33:15 | 0:02:15 | ARP Spoofing DoS against 4 RTUs |
| 32 | ARP Spoofing DoS | True | 7:46:11 | 0:02:12 | ARP Spoofing DoS against 3 RTUs |
| 33 | Industroyer | True | 8:05:18 | 0:03:01 | The attacker sends repeated control commands to force a switch to stay closed |
| 34 | Industroyer | True | 8:17:32 | 0:02:57 | The attacker sends repeated commands to reduce the active power of a storage |
| 35 | Attack Countermeasure | False | 8:21:00 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 36 | Industroyer | True | 8:35:35 | 0:03:05 | The attacker sends repeated control commands to open and close different switches |
| 37 | Attack Countermeasure | False | 8:39:11 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 38 | Drift Off | True | 8:52:39 | 0:07:39 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
| 39 | Separator Movement | False | 9:32:48 | 0:00:16 | The control center issues commands to move the separator within an open loop to another line |
| 40 | Drift Off | True | 9:36:15 | 0:09:38 | The MitM manipulates measurements of multiple loads, dissembling an irregular behavior |
| 41 | Industroyer | True | 10:16:38 | 0:02:51 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
| 42 | Attack Countermeasure | False | 10:19:59 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 43 | Drift Off | True | 10:29:03 | 0:08:25 | The MitM manipulates the voltage measurements of a bus to fluctuate, dissembling a faulty measurement device |
| 44 | Industroyer | True | 10:39:53 | 0:03:00 | The attacker sends repeated control commands to disconnect a section of the grid by opening a switch |
| 45 | Attack Countermeasure | False | 10:43:24 | – | The control center issues control commands to counteract the previous Industroyer attack |
| 46 | Open Ring | False | 10:54:04 | – | The operator issues a control command to open the previously closed ring within the grid topology |
| 47 | Generator Control | False | 11:08:49 | – | The control center issues a control command to reduce the power infeed of a wind turbine |
| 48 | Drift Off | True | 11:46:28 | 0:10:03 | The MitM manipulates the measurements of a line, dissembling an increase in loading. |