Machine Learning for Intrusion Detection in Industrial Control Systems: Applications, Challenges, and Recommendations
Muhammad Azmi Umer, Khurum Nazir Junejo, Muhammad Taha Jilani, Aditya P. Mathur

TL;DR
This survey reviews machine learning techniques for intrusion detection in industrial control systems, highlighting applications, challenges, and research gaps in network and physical process anomaly detection.
Contribution
It categorizes and analyzes ML methods used in ICS intrusion detection, providing a comprehensive comparison and identifying key research challenges and recommendations.
Findings
ML methods are effective for network and physical anomaly detection
Supervised and semi-supervised learning are most commonly used
Research gaps include data scarcity and real-time deployment challenges
Abstract
Methods from machine learning are being applied to design Industrial Control Systems resilient to cyber-attacks. Such methods focus on two major areas: the detection of intrusions at the network level using the information acquired through network packets, and detection of anomalies at the physical process level using data that represents the physical behavior of the system. This survey focuses on four types of methods from machine learning in use for intrusion and anomaly detection, namely, supervised, semi-supervised, unsupervised, and reinforcement learning. Literature available in the public domain was carefully selected, analyzed, and placed in a 7-dimensional space for ease of comparison. The survey is targeted at researchers, students, and practitioners. Challenges associated with using the methods and research gaps are identified and recommendations are made to fill the gaps.
