Literature Review: Intrusion Detection in Industrial Control Systems

February 5, 2026

Research Context

As part of my preparation for graduate study, I’m conducting a literature review on intrusion detection methods specifically designed for industrial control systems. Traditional IT-based IDS approaches often fail in OT environments because they don’t understand industrial protocols, can’t model physical process behaviour, and may generate unacceptable false positive rates in environments where every alert demands operator attention.

This review surveys the major approaches in the current literature and identifies open research questions.

Taxonomy of ICS IDS Approaches

The literature broadly categorises ICS intrusion detection into three approaches:

1. Network-Based Detection

Monitors network traffic for anomalies in industrial protocol behaviour. Examples include detecting unexpected Modbus function codes, identifying new communication pairs, or spotting protocol violations.

Strengths: Non-intrusive, doesn’t require modifications to PLCs or HMIs, can leverage existing OT network monitoring infrastructure.

Limitations: Limited visibility into the physical process itself, may miss attacks that use legitimate protocol commands to achieve malicious outcomes (semantic attacks).

Key works I’ve reviewed:

  • Signature-based approaches adapted for Modbus and DNP3 traffic
  • Specification-based IDS that model “correct” protocol behaviour from protocol standards
  • Flow-based anomaly detection that baselines communication patterns
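The following is an added illustration, not code from the original post: a minimal network-based detector of the kind described above, which learns a per-communication-pair whitelist of Modbus function codes from a clean window and then flags new host pairs and unseen function codes. The traffic records, addresses and learning window are constructed for the example.

```python
from dataclasses import dataclass

# Constructed, already-parsed Modbus/TCP request records (not real captures):
# (source_ip, destination_ip, unit_id, function_code)
SAMPLE_REQUESTS = [
    ("10.0.1.10", "10.0.2.20", 1, 3),   # HMI reads holding registers from a PLC
    ("10.0.1.10", "10.0.2.20", 1, 3),
    ("10.0.1.10", "10.0.2.20", 1, 16),  # HMI writes multiple registers (normal here)
    ("10.0.1.10", "10.0.2.21", 1, 3),   # HMI polls a second PLC
    ("10.0.1.10", "10.0.2.20", 1, 8),   # diagnostics: function code not in baseline
    ("10.0.1.99", "10.0.2.20", 1, 3),   # a host never seen talking to this PLC
    ("10.0.1.10", "10.0.2.20", 1, 43),  # read device identification: unseen code
]
LEARNING_WINDOW = SAMPLE_REQUESTS[:4]   # assumed attack-free period used for baselining


@dataclass(frozen=True)
class Alert:
    kind: str          # "new_pair" or "unexpected_function_code"
    src: str
    dst: str
    function_code: int


def learn_baseline(requests):
    """Map each (src, dst) pair to the set of function codes seen in the clean window."""
    baseline = {}
    for src, dst, _unit, fc in requests:
        baseline.setdefault((src, dst), set()).add(fc)
    return baseline


def detect(requests, baseline):
    """Flag requests from unknown pairs or using a code the pair never used before."""
    alerts = []
    for src, dst, _unit, fc in requests:
        allowed = baseline.get((src, dst))
        if allowed is None:
            alerts.append(Alert("new_pair", src, dst, fc))
        elif fc not in allowed:
            alerts.append(Alert("unexpected_function_code", src, dst, fc))
    return alerts


def run_demo():
    """Baseline on the learning window, then inspect the remaining records."""
    return detect(SAMPLE_REQUESTS[4:], learn_baseline(LEARNING_WINDOW))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note the blind spot the section describes: a further write (function code 16) from the HMI to the same PLC would be accepted whatever register values it carries, because the detector sees protocol structure, not process meaning.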

2. Process-Aware Detection

Uses knowledge of the underlying physical process to detect attacks that manipulate process behaviour. If a reactor temperature rises faster than thermodynamically possible, something is wrong — regardless of whether the Modbus traffic looks “normal.”

Strengths: Can detect sophisticated semantic attacks where commands are technically valid but operationally dangerous. Provides a “physics check” on system behaviour.

Limitations: Requires detailed process models, may not generalise across different plants, and can struggle with transient process states (startup, shutdown, setpoint changes).

Key works I’ve reviewed:

  • Process invariant mining from historian data
  • Hybrid automata models of physical processes
  • Digital twin approaches that run parallel simulations for comparison
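As an added example (not code from the original post), here is the "physics check" idea from this section reduced to two invariants over historian-style telemetry: a mode-dependent bound on the temperature rate of change, so that a ramp that is plausible during startup is flagged during steady-state run, and a consistency check between the commanded heater output and the measured temperature. The samples, rate limits and mode names are constructed for the illustration, not taken from any real plant.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float           # seconds since start of the window
    temp_c: float      # measured reactor temperature
    heater_pct: float  # commanded heater output, 0..100
    mode: str          # operating mode from the control system: "startup" or "run"


# Constructed invariants; a real deployment derives these from process data or design limits.
MAX_HEAT_RATE_C_PER_S = {"startup": 1.5, "run": 0.3}  # fastest plausible heating per mode
MAX_COOL_RATE_C_PER_S = 0.5                            # fastest plausible cooling
DRIFT_C_PER_S = 0.05                                   # rise tolerated with heater off

# Constructed telemetry at one sample per second.
TELEMETRY = [
    Sample(0, 20.0, 80, "startup"),
    Sample(1, 21.2, 80, "startup"),  # +1.2 C/s is plausible during the startup ramp
    Sample(2, 22.3, 80, "startup"),
    Sample(3, 22.5, 40, "run"),
    Sample(4, 22.7, 40, "run"),
    Sample(5, 23.9, 40, "run"),      # +1.2 C/s in run mode: physically implausible
    Sample(6, 24.0, 0, "run"),
    Sample(7, 24.2, 0, "run"),       # still rising although the heater has been off
]


def check_invariants(samples):
    """Return (index, reason) for every sample that breaks a physical invariant."""
    violations = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        rate = (cur.temp_c - prev.temp_c) / (cur.t - prev.t)
        if rate > MAX_HEAT_RATE_C_PER_S[cur.mode]:
            violations.append((i, "heating faster than physically possible"))
        elif rate < -MAX_COOL_RATE_C_PER_S:
            violations.append((i, "cooling faster than physically possible"))
        elif rate > DRIFT_C_PER_S and cur.heater_pct == 0 and prev.heater_pct == 0:
            # Measurement and command disagree: spoofed sensor or manipulated actuator path
            violations.append((i, "temperature rising with heater commanded off"))
    return violations


if __name__ == "__main__":
    for index, reason in check_invariants(TELEMETRY):
        print(f"t={TELEMETRY[index].t:.0f}s: {reason}")
```

The same +1.2 C/s step passes at t=1 and fails at t=5 only because the mode is carried with each sample; without that context the detector would either miss the run-mode violation or alarm on every startup, which is the transient-state problem the section raises.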

3. Machine Learning Approaches

Applies supervised or unsupervised ML to learn normal behaviour patterns from historical data and flag deviations.

Strengths: Can identify complex patterns that rule-based systems miss, adaptable to different environments through retraining.

Limitations: Requires large amounts of labelled data (scarce in ICS), susceptible to adversarial evasion, and often produces “black box” decisions that operators don’t trust for safety-critical actions.

Key works I’ve reviewed:

  • Autoencoders trained on normal process telemetry
  • LSTM networks for time-series anomaly detection on process values
  • Ensemble methods combining network and process features

Open Research Questions

Based on my review, several questions remain underexplored:

  1. Transferability — Can IDS models trained on one industrial process generalise to similar but not identical plants? Most current work requires per-site training.

  2. Adversarial robustness — How resilient are ML-based ICS IDS approaches to adversaries who understand and specifically evade the detection model?

  3. Explainability — OT operators need to understand why an alert was generated. How can we make ML-based detections interpretable enough for operational decision-making?

  4. Legacy protocol coverage — Most research focuses on Modbus and DNP3. There’s less work on newer protocols like OPC UA or specialised protocols in specific sectors.

  5. Integration with safety systems — How should IDS alerts interact with Safety Instrumented Systems? Should a cybersecurity detection ever trigger an automated safety response?

Relevance to My MSc Research

I’m particularly interested in the intersection of process-aware detection and machine learning — specifically, whether physics-informed ML models can provide more robust and transferable intrusion detection for ICS environments. This literature review is the foundation for the research direction I plan to pursue at the graduate level.

References

Note: This is a sample research article structure. Replace with your actual literature review, complete with proper academic citations, analysis, and synthesis of the works you’ve reviewed.

  • NIST SP 800-82 Rev 3
  • MITRE ATT&CK for ICS
  • IEEE and ACM digital libraries (search: “intrusion detection industrial control systems”)
  • SANS ICS Reading Room papers
  • Relevant conference proceedings: IEEE S&P, USENIX Security, ACSAC, CCS

This demonstrates the kind of research engagement that MSc admissions committees value. Replace with your actual literature review work.
