Mind the Gap: Missing Cyber Threat Coverage in NIDS Datasets for the Energy Sector
Adrita Rahman Tory, Khondokar Fida Hasan, Md Saifur Rahman, Nickolaos Koroniotis, and Mohammad Ali Moni

TL;DR
This paper assesses the adequacy of five popular NIDS datasets for energy sector cybersecurity, revealing significant gaps in coverage of attack techniques relevant to industrial environments and proposing pathways for improvement.
Contribution
It introduces a structured gap analysis methodology to evaluate dataset representativeness for energy sector cybersecurity threats, highlighting specific deficiencies and potential dataset enhancements.
Findings
The Sherlock dataset has the highest mean coverage (0.56).
Combining the datasets achieves 92% coverage.
Critical gaps are identified in lateral movement and protocol manipulation.
Abstract
Network Intrusion Detection Systems (NIDS) developed using publicly available datasets predominantly focus on enterprise environments, raising concerns about their effectiveness for converged Information Technology (IT) and Operational Technology (OT) in energy infrastructures. This study evaluates the representativeness of five widely used datasets (CIC-IDS2017, SWaT, WADI, Sherlock, and CIC-Modbus2023) against network-detectable MITRE ATT&CK techniques extracted from documented energy sector incidents. Using a structured five-step analytical approach, this article develops and performs a gap analysis that identified 94 network-observable techniques from an initial pool of 274 ATT&CK techniques. The Sherlock dataset exhibited the highest mean coverage (0.56), followed closely by CIC-IDS2017 (0.55), while SWaT and WADI recorded the lowest scores (0.38). Combining CIC-IDS2017,…
Taxonomy
Topics: Smart Grid Security and Resilience · Information and Cyber Security · Network Security and Intrusion Detection
