Industrial Control Systems (ICS) are in charge of carrying out the management and supervision of industrial processes performed by critical infrastructures in industries such as electric, water, natural gas or chemical. In the last years, the adoption of IP technologies in industrial devices and the connection of ICS to the Internet have influenced the increment of cyberattacks. The most famous cyberattack affecting an ICS was in June 2010, when the Stuxnet worm was discovered. Stuxnet spied and reprogrammed industrial systems controlling centrifuges of the Iran nuclear power plant. Another relevant malware discovered in 2016 was Irongate, an Stuxnet type malware, that was used to hack the Siemens industrial control systems~\cite{kumar2016irongate}.

The increment of attacks affecting ICS, as well as their consequences, are influencing the use of Intrusion Detection Systems (IDS) in the field of ICS. IDS are responsible for both monitoring the environment in which they act and triggering alerts in case of detecting suspicious activity. An extensive number of intrusion detection techniques have been proposed in the literature to tackle security threats. Nowadays, the techniques achieving the best performance are based on Machine Learning (ML) and, more recently, Deep Learning (DL).

This work presents new ICS dataset, namely Electra, which has been generated from the network traffic of an electric traction substation running in normal and under attack ways. The Electra Dataset has been created in a realistic scenario with industrial devices such as Programmable-Logic Controllers (PLCs) and a SCADA system that are controlled by well-known industrial protocols such as S7Comm and Modbus.

The Electra dataset models the behaviour of an electric traction substation used in a real high-speed railway area. The main purpose of this testbed is to allow converting the electric power of the general network to voltage, current, and frequency conditions to supply railways or trams. This system can be used to convert the three-phase alternating current into single phase with the lower frequency needed for railway electrification systems. To accomplish its task, the Electric Traction Substation has 5 PLCS (1 master PLC and 4 slave PLCs) and a SCADA system. Additionally, the testbed has a switch (D5) for the interconnection of the different devices and a firewall (D4) to protect the substation from attacks coming from outside. The testbed devices communicate through control protocols following a master-slave architecture, where the master initiates the communication requesting some data and a slave response with information requested. The network communication is carried out through the following protocols: Modbus TCP, OPC and S7Comm. The SCADA system consists of a Nanobox (A1) and an HMI (A4) that communicates through the OPC protocol. The SCADA acts as a master of both Modbus slaves A2 and A3. Similarly, regarding the S7Comm protocol, D1 PLC acts as the master of A1, D2 and D3 PLCs. TABLE 1 details the IP, MAC and protocol used for each device. The attacks launched agains the testbed can be seen in Table 2 whereas Table 3 shows the features selected to be included in the dataset