Mind the Gap: Missing Cyber Threat Coverage in NIDS Datasets for the Energy Sector
It addresses the problem of inadequate NIDS dataset coverage for hybrid IT/OT energy infrastructures, which is incremental as it builds on existing datasets and analysis methods.
This study evaluated the representativeness of five NIDS datasets for energy sector cyber threats by comparing them to MITRE ATT&CK techniques, finding that combining CIC-IDS2017, Sherlock, and CIC-Modbus2023 achieved 92% coverage while identifying gaps like lateral movement and industrial protocol manipulation.
Network Intrusion Detection Systems (NIDS) developed using publicly available datasets predominantly focus on enterprise environments, raising concerns about their effectiveness for converged Information Technology (IT) and Operational Technology (OT) in energy infrastructures. This study evaluates the representativeness of five widely used datasets: CIC-IDS2017, SWaT, WADI, Sherlock, and CIC-Modbus2023 against network-detectable MITRE ATT&CK techniques extracted from documented energy sector incidents. Using a structured five-step analytical approach, this article successfully developed and performed a gap analysis that identified 94 network observable techniques from an initial pool of 274 ATT&CK techniques. Sherlock dataset exhibited the highest mean coverage (0.56), followed closely by CIC-IDS2017 (0.55), while SWaT and WADI recorded the lowest scores (0.38). Combining CIC-IDS2017, Sherlock, and CIC-Modbus2023 achieved an aggregate coverage of 92%, highlighting their complementary strengths. The analysis identifies critical gaps, particularly in lateral movement and industrial protocol manipulation, providing a clear pathway for dataset enhancement and more robust NIDS evaluation in hybrid IT/OT energy environments.