Large Language Models as Explainable Cyberattack Detectors for Energy Industrial Control Systems
Weiyi Kong, Ahmad Mohammad Saber, Amr Youssef, and Deepa Kundur

TL;DR
This paper explores using large language models as explainable, human-in-the-loop intrusion detectors for energy industrial control systems, converting Modbus traffic into token strings for real-time alerts.
Contribution
It demonstrates that off-the-shelf LLMs can effectively detect critical ICS network events without task-specific training, providing concise incident records for analyst review.
Findings
LLMs achieve high predictive performance on ICS datasets.
The approach requires no task-specific weight updates.
Token-grounded incident records aid analyst review.
Abstract
In modern energy systems, industrial control systems (ICS) and power-system SCADA require intrusion detection that is not only accurate but also auditable by operators. The ICS intrusion-detection landscape is currently dominated by established supervised detectors. In this paper, we study whether an off-the-shelf large language model (LLM) can serve as a complementary, human-in-the-loop layer for Modbus traffic. We cast this as a binary network-side normal/critical decision task on two public ICS Modbus datasets, collapsing attack periods and other safety-critical behaviors into a single critical class. Each Modbus communication instance is converted into a compact token string derived from discretized protocol fields, and a prompt-configured LLM produces a normal/critical alert together with a concise, token-grounded incident record for analyst review. Under matched event information…
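The token-string step described in the abstract, as an added illustration that is not the paper's own code: it parses constructed Modbus/TCP frames, discretises the protocol fields into an assumed token vocabulary (the paper's actual scheme is not on this page), and assembles the prompt an analyst-facing LLM would receive. Frame values, bucket boundaries and the prompt wording are all assumptions.

```python
import struct

# Constructed Modbus/TCP frames (MBAP + PDU) as hex; made up here, not from the paper's datasets.
SAMPLE_FRAMES = {
    "read_small":   "00010000000601030000000a",  # FC 3, start 0, qty 10
    "write_single": "000200000006010600640bb8",  # FC 6, addr 100, value 3000
    "read_bulk":    "000300000006010301f407d0",  # FC 3, start 500, qty 2000 (> spec max 125)
    "diag":         "000400000006010800000000",  # FC 8 diagnostics, sub-function 0
}
# Assumed discretisation scheme; the paper's exact token vocabulary is not on the page.
FC_CLASS = {1: "READ", 2: "READ", 3: "READ", 4: "READ",
            5: "WRITE", 6: "WRITE", 15: "WRITE", 16: "WRITE", 8: "DIAG"}
READ_LIMIT = {1: 2000, 2: 2000, 3: 125, 4: 125}  # per-request maxima from the Modbus spec

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (unit id, PDU), rejecting inconsistent headers."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:  # length field counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return unit, pdu

def bucket_addr(addr: int) -> str:
    return "ADDR_LOW" if addr < 256 else "ADDR_MID" if addr < 4096 else "ADDR_HIGH"

def bucket_qty(qty: int, limit: int) -> str:
    if qty == 0 or qty > limit:
        return "QTY_OVERSPEC"  # an out-of-spec count is a signal in its own right
    return "QTY_SMALL" if qty <= 16 else "QTY_LARGE"

def tokenize(frame: bytes) -> str:
    """Compact token string: unit, function class, address bucket, quantity bucket."""
    unit, pdu = parse_mbap(frame)
    fc = pdu[0]
    toks = [f"UNIT_{unit}", f"FC_{FC_CLASS.get(fc, 'OTHER')}"]
    if fc in READ_LIMIT and len(pdu) >= 5:
        start, qty = struct.unpack(">HH", pdu[1:5])
        toks += [bucket_addr(start), bucket_qty(qty, READ_LIMIT[fc])]
    elif fc in (5, 6) and len(pdu) >= 5:  # single-register/coil write: address only
        toks += [bucket_addr(struct.unpack(">H", pdu[1:3])[0]), "QTY_SMALL"]
    else:  # diagnostics and anything unexpected: keep only the PDU length
        toks.append(f"PDU_LEN_{len(pdu)}")
    return " ".join(toks)

def build_prompt(frames: dict) -> str:
    """Prompt text for the LLM: task instruction plus one token string per event."""
    lines = [f"{name}: {tokenize(bytes.fromhex(hx))}" for name, hx in frames.items()]
    return ("Label each Modbus event NORMAL or CRITICAL and cite the tokens that "
            "justify the label.\n" + "\n".join(lines))
```

The `QTY_OVERSPEC` and malformed-header paths are the ones worth keeping an eye on in review, since they let the model cite a concrete token rather than a raw byte count.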
