summary of the paper "A Dataset to Support Research in the Design of Secure Water Treatment Systems"

[shairoMt]

A summary is created here that covers the most important information about the paper and dataset.

[shairoMt]

The Dataset is created to support research by design of secure Cyber Physical Systems (CPS). This dataset is used in order to detect cyber and physical attacks. The collected dataset covers 11 days of operation of SWaT so there will be two behavioural modes:

-normal mode: the first 7 days are without any faults and attacks .

• attack mode: during the last 4 days certain cyber and physical attacks were launched on SWaT.

Because CPS are mainly Physical Systems controlled and monitored through network, there will be two separate datasets:

• Physical dataset: captured from the physical system properties (sensors, measurements, states, etc...)
• Network dataset: contains the network traffic of the system (requests, ips, protocols, etc...)

There will be two kind also of attacks:

• cyber attack: refers to an attack that is transmitted through a communications network.
• physical attack: is on a physical component such as a motor or a pump

Attack Scenarios:

The processing of Water treatment consists of 6 stages and an attack could be startet at one or many stages of them. A total of 36 attacks were launched during the data collection process. The duration of the attack is varied based on the attack type. A few attacks, each lasting ten minutes, are performed consecutively with a gap of 10 minutes between successive attacks. Some of the attacks are performed by letting the system stabilize before a subsequent attack. The duration of system stabilization varies across attacks.

Attack Category	Number of attacks
SSSP	26
SSMP	4
MSSP	2
MSMP	4

SSSP: Single Stage Single Point SSMP: Single Stage Multi Point MSSP: Multi Stage Single Point MSMP: Multi Stage Multi Point

Data collection process

The following assumptions ere made during the data collection process:

• The system will stabilise and reach its operation state within the first seven days of normal operation.
• Data is recorded once every second assuming that no signicant attack on the SWaT testbed can be launched in less than one second.
• The PLC firmware does not change.

Physical Properties:

Data recorded in the Historian was obtained from the sensors and actuators of the testbed. In total, 946,722 samples comprising of 51 attributes were collected over 11 days. As the data collection process started from an empty state, it tool about 5 hours for SWaT to stabilise and reach its operational state and then approximately 6 hours the tanks to be filled up.

Network Traffic:

the data collection for network traffic began the moment the testbed was switched to operational mode.

Labelling data:

The are three labels groups of the data:

• Attack: for the logs of the attack like starting time, end, Description, etc.. . Two
• Physical properties: Each CSV file contains server name, sensor name, value at that point in time, etc... . And then the redundant data are removed All the remaining data was then combined into a single CSV file.
• Network Traffic: The network data was separated into multiple CSV files with a line limit of 500,000 packets for easier processing. as the data was captured at per second interval, there are instances of overlap where multiple rows reflect a different activity but carry the same time stamp.