SASMaker: A Framework for Generating Synthetic IEC 61850 Traffic from Diverse Substation Setups

Systems (IDSs), and in particular Machine-Learning (ML)-based IDSs, have received growing attention in the literature. A key challenge for developing and evaluating such systems is the limited availability of realistic, publicly accessible IEC 61850 datasets, preferably provided in

PCAP format.

This paper introduces SASMaker, an open-source framework for generating IEC 61850

GOOSE datasets through integrated simulation of power system simulation with IEC 61850 communication behavior generation. SASMaker links a time-stepped electrical substation model with an open-source IEC 61850 toolchain, enabling the generation of time-synchronized

GOOSE traffic that reflects the underlying physical behavior and protection logic of the substation. The framework allows users to define substation architectures, operating scenarios, and attack configurations within a single workflow and produces standard-compliant PCAP traces suitable for IDS development and evaluation.

SASMaker is evaluated against a widely used benchmark dataset in two complementary scenarios. First, its ability to reproduce protocol-level behavior is assessed using a fault-induced busbar protection scenario, where the evaluation of key GOOSE protocol fields is compared to the benchmark trace. Second, SASMaker’s ability to produce data suitable for IDS training is evaluated under a GOOSE flooding attack scenario. An ML-based intrusion-detection model trained on SASMaker-generated data is tested on benchmark data and achieves the same detection performance as a model trained directly on the benchmark dataset. The results show that SASMaker preserves essential GOOSE communication behavior during protection events and generates data that is suitable for ML-based intrusion-detection evaluation. SASMaker therefore provides a flexible and reproducible foundation for future research on data-driven security mechanisms for IEC 61850-based substation automation systems.