As cyberattacks targeting Supervisory Control and Data Acquisition (SCADA) systems have increased significantly in recent years, researchers have begun to collect and generate SCADA datasets for analyzing attack signatures and characteristics. Insights from the analyses are then used to build detection and prevention mechanisms. However, most existing SCADA datasets primarily contain simulated attack records and focus on generic network threats –– hindering the research on zero-day attacks and the effectiveness of defense mechanisms developed using these datasets.

In this paper, we introduce real-world attack datasets for SCADA systems that were collected through the deployment of SCADA honeypots in realistic Internet environments. The datasets contain the original raw data and a refined dataset processed by our proposed tool – HoneyParser which automatically cleans, extracts and enriches parameters to transform raw data into a structured and standardized format. HoneyParser stores the refined data in MySQL format which is directly usable and query-able, improving the scalability and efficiency of future attack pattern analysis and defense development. To demonstrate its usability, we performed a classical analysis using the refined attack dataset to explore the time trends and geolocation patterns. The analyses’ insights provide a deeper understanding of cyberattacks targeting SCADA systems and contribute to the enhancement of SCADA systems’ resilience in future work.