
Machine learning in ICS

Posted on 06/23/2022, by INCIBE

Although ICS were isolated from the Internet for a long time, the many benefits a business can obtain from converging ICS with the Internet, with IT networks and with cloud computing have sped up that integration. As a result, ICS are increasingly exposed to the attack vectors used in most cyberattacks, aggravated by the fact that these systems are less secure than IT systems and, at the same time, far more critical for both individuals and businesses.

Since the discovery of Stuxnet, much more attention has been paid to malware targeting PLCs and other industrial systems: malware able to determine the physical structure of a plant, which an attacker could exploit to achieve their goals. To confront this type of situation, there is a trend towards implementing machine learning techniques to detect anomalies and prevent attacks on OT networks.

What is machine learning?

The concept of machine learning refers to a method of programming a system or application so that it makes decisions, classifies occurrences or generates new information fully autonomously. All of this is based on input elements, such as the information provided by the systems and networks being monitored.

The most talked-about algorithmic structure in the field of artificial intelligence is the neural network, an architecture that mimics the operation of neurons in the brain. Its intelligence comes from training: in each iteration the network produces a response to an input, and that response is then compared with a reference. By measuring the error between its response and the expected one, the network adjusts its connections so as to give a better response in the next iteration. The algorithms with which these networks are trained can be classified into several types:

  • Supervised (all training data labeled): requires a human to provide the network with training data (input-output pairs). This group includes many existing classifiers, such as spam detectors, decision trees, Naïve Bayes classification, least squares regression and Support Vector Machines (SVM). This type of algorithm is used in classification problems (digit identification, identity fraud detection, diagnostics...) and regression problems (weather forecasts, life expectancy, growth...).
  • Unsupervised (no labeled training data): the network itself discovers when it has made a mistake and learns accordingly, without an outsider having to label the training data. It is often used in user segmentation and consumption recommendations, since it is well suited to discerning different patterns, clustering problems or independent component analysis.
  • Semi-supervised: a mix of input-output pairs and inputs without a corresponding output is provided. It is mainly used when not all pairs are available, but a small amount of labeled data exists along with a large amount of unlabeled data. This method is very useful when it is impractical to label every training sample, whether because of their quantity or their complexity, so a few are labeled and the rest are left to the network to work out.
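To make the "compare the response with a reference, measure the error, adjust the connections" loop concrete, here is a minimal supervised training loop for a single logistic neuron. It is an added example, not code from the original article or from INCIBE; the training set is constructed for illustration (two scaled features per PLC scan cycle and a label, with 1 meaning an abnormal cycle) and does not come from any real plant.

```python
"""Toy supervised training loop: one logistic neuron learning to separate
normal from abnormal PLC scan-cycle statistics (added example)."""
import math

# Constructed samples (not from any real plant): each is
# (scan period deviation, fraction of write requests), both scaled to 0..1,
# with label 1 = abnormal cycle, 0 = normal cycle.
TRAINING_SET = [
    ((0.10, 0.10), 0), ((0.20, 0.15), 0), ((0.15, 0.05), 0), ((0.12, 0.20), 0),
    ((0.90, 0.80), 1), ((0.80, 0.95), 1), ((0.85, 0.70), 1), ((0.95, 0.90), 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(weights, bias, x):
    """The neuron's response to one input: probability that the cycle is abnormal."""
    return sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)


def mean_loss(weights, bias, data):
    """Binary cross-entropy: the error between the response and the reference label."""
    total = 0.0
    for x, y in data:
        p = min(max(predict(weights, bias, x), 1e-12), 1 - 1e-12)
        total += -(y * math.log(p) + (1 - y) * math.log(1 - p))
    return total / len(data)


def train(data, epochs=2000, lr=0.5):
    """Gradient descent: each epoch compares outputs with labels and nudges the
    weights (the 'connections') in the direction that reduces the error."""
    weights, bias = [0.0, 0.0], 0.0
    history = []  # loss after each epoch, to show the error shrinking
    for _ in range(epochs):
        grad_w, grad_b = [0.0, 0.0], 0.0
        for x, y in data:
            err = predict(weights, bias, x) - y  # response minus reference
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
            grad_b += err
        n = len(data)
        weights = [w - lr * g / n for w, g in zip(weights, grad_w)]
        bias -= lr * grad_b / n
        history.append(mean_loss(weights, bias, data))
    return weights, bias, history


if __name__ == "__main__":
    w, b, hist = train(TRAINING_SET)
    print(f"loss after epoch 1: {hist[0]:.3f}, after epoch {len(hist)}: {hist[-1]:.4f}")
    print(f"normal cycle  -> {predict(w, b, (0.10, 0.10)):.3f}")
    print(f"abnormal cycle -> {predict(w, b, (0.90, 0.90)):.3f}")
```

The same loop, with more neurons and layers, is what a real network runs; what changes in the unsupervised and semi-supervised variants is where the reference comes from, not the idea of measuring an error and adjusting the weights.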

Figure 1: Classification of samples according to type of training. Source: ResearchGate.

Applications in ICS cybersecurity

ICS systems and networks are highly deterministic, in other words, they have very regular communication patterns. These are usually the same set of commands for writing and reading variables from registers, repeated in each SCAN cycle.

Figure 2: Diagram of the SCAN cycle performed by a PLC during operation.

AI (Artificial Intelligence) can use all this regularity to establish a "normal" network or system state and then monitor traffic and settings, comparing them against that state.

This is the basis for numerous research tracks that have been conducted in recent years regarding machine learning applied to cybersecurity in ICS. These include:

  • Security strategies for SCADA systems.
  • Enhancement of SIEM features by implementing AI.
  • Implementation of IDS (Intrusion Detection System) in ICS based on artificial intelligence.
  • Creation of standard databases for training these algorithms.

Focusing on IDS, many today employ machine learning algorithms for pattern recognition to detect irregular activity in a specific system; however, this is not the only method available. The article Intrusion Detection via Machine Learning for SCADA System Protection presents an intrusion detection method for SCADA systems based on digital signatures, used to compare the activities of certain roles against a database of known threats. These two methods could be combined into a robust detection system, providing a sufficient layer of protection against various attack scenarios.
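The following added example ties together the two ideas above: learning a "normal" state from the regular SCAN-cycle traffic and then combining that baseline check with a signature check. It is not code from the article, from INCIBE or from the paper cited; the log format (`ts,src,unit,func,addr,count`, a simplified Modbus-style request record), the log lines and the signature rule are all constructed for illustration. The baseline records which requests occur and how often each repeats; the anomaly stage flags requests never seen during training and requests repeating far faster than their learned period, while the signature stage matches each request against a constructed list of known-bad patterns.

```python
"""Baseline (anomaly) plus signature detection over constructed Modbus-style
request logs (added example, not the article's or any product's code)."""
from collections import defaultdict
from statistics import median

# Constructed log format (not a real product's format): ts,src,unit,func,addr,count


def parse_line(line):
    ts, src, unit, func, addr, count = line.strip().split(",")
    return {"ts": float(ts), "src": src, "unit": int(unit),
            "func": int(func), "addr": int(addr), "count": int(count)}


def key_of(ev):
    """Identity of a request: who asks which unit for which operation on which address."""
    return (ev["src"], ev["unit"], ev["func"], ev["addr"])


def learn_baseline(lines):
    """The 'normal' state: every request seen in training and its median repeat period."""
    stamps_by_key = defaultdict(list)
    for ev in map(parse_line, lines):
        stamps_by_key[key_of(ev)].append(ev["ts"])
    baseline = {}
    for key, stamps in stamps_by_key.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        baseline[key] = median(gaps) if gaps else None
    return baseline


def anomaly_alerts(baseline, lines, burst_ratio=0.5):
    """Flag requests absent from the baseline and requests repeating too fast."""
    alerts, last_seen = [], {}
    for ev in map(parse_line, lines):
        k = key_of(ev)
        if k not in baseline:
            alerts.append(("anomaly", ev["ts"], f"request never seen in baseline: {k}"))
        elif k in last_seen and baseline[k] is not None:
            gap = ev["ts"] - last_seen[k]
            if gap < burst_ratio * baseline[k]:
                alerts.append(("anomaly", ev["ts"],
                               f"{k} repeated after {gap:.2f}s, baseline period {baseline[k]:.2f}s"))
        last_seen[k] = ev["ts"]
    return alerts


def signature_alerts(lines, rules):
    """Match each request against constructed known-bad patterns."""
    alerts = []
    for ev in map(parse_line, lines):
        for rule in rules:
            if ev["func"] == rule["func"] and ev["addr"] >= rule["addr_min"]:
                alerts.append(("signature", ev["ts"], f"{rule['name']}: {key_of(ev)}"))
    return alerts


def detect(baseline, lines, rules):
    """Combined verdict: both detectors run, alerts merged in time order."""
    return sorted(anomaly_alerts(baseline, lines) + signature_alerts(lines, rules),
                  key=lambda a: a[1])


# Constructed training window: five identical 1-second SCAN cycles from the HMI 10.0.0.5.
TRAINING_LOG = [
    line
    for cycle in range(5)
    for line in (
        f"{cycle:.3f},10.0.0.5,1,3,0,10",        # read 10 holding registers at 0
        f"{cycle + 0.05:.3f},10.0.0.5,1,3,100,4",  # read 4 registers at 100
        f"{cycle + 0.10:.3f},10.0.0.5,1,16,200,2",  # write 2 registers at 200
    )
]

# Constructed observation window: one normal cycle followed by three deviations.
OBSERVED_LOG = [
    "10.000,10.0.0.5,1,3,0,10",
    "10.050,10.0.0.5,1,3,100,4",
    "10.100,10.0.0.5,1,16,200,2",
    "10.120,10.0.0.99,1,16,200,2",   # write from a host never seen in training
    "10.130,10.0.0.5,1,16,300,1",    # write to an address never seen, hits the rule too
    "10.200,10.0.0.5,1,3,0,10",      # read repeated after 0.2 s instead of 1 s
]

# Constructed rule, standing in for a database of known threats.
RULES = [{"name": "write into protected setpoint block", "func": 16, "addr_min": 300}]

if __name__ == "__main__":
    for kind, ts, msg in detect(learn_baseline(TRAINING_LOG), OBSERVED_LOG, RULES):
        print(f"[{kind}] t={ts:.3f} {msg}")
```

Note how the two stages cover different gaps: the write to address 300 is caught both as an unseen request and by the rule, the write from the unknown host is caught only by the baseline, and the repeated read is caught only by the timing check. The quality of the baseline depends entirely on the training window really being normal and complete, which is the same data-quality condition the article returns to below.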

As for fields of application, it should be noted that other machine learning-based IDS have been tested in a large number of ICS sectors, such as water distribution systems, wind turbine diagnostics and the detection of power supply system disturbances.

Adding value to current systems: advantages and disadvantages

As we have already mentioned, machine learning has great potential to improve existing IDS/IPS (Intrusion Prevention System), making them smarter, or even replacing them.

One of the main advantages of implementing AI-based solutions for ICS security is real-time response and action. Machine learning-based tools do not need to wait for security personnel to make decisions when there is an incident: they can detect abnormal information exchanges and respond to the threat immediately, well before a SOC (Security Operations Center) analyst has been warned of the anomaly.

We should also highlight the accuracy these systems add to existing ones, greatly reducing detection errors, provided that stable models are used and the training data are as diverse as possible.

Furthermore, according to this study, these methods are able to provide important security information on various physical problems and practical situations. The authors argue that machine learning-based solutions are more systematic and easier to manipulate and manage.

However, as in all applications based on these algorithms, all this is only possible if there is a good reference for how the network should operate under normal conditions, solid classification algorithms and access to as much data as possible. Under those conditions the algorithm's function converges faster and more stably, resulting in fewer false alarms and, therefore, a higher-quality detection capability.

Despite the popularity of these algorithms, research groups behind IDS development lack standard databases with which to train and evaluate their algorithms. This makes it impossible to develop robust machine learning models for detecting anomalies in ICS. Many existing databases, especially in the context of OT networks, do not contain all types of attacks, so measuring the performance and detection capacity of an IDS is difficult.

Lastly, it should be noted that implementing good algorithms for this purpose is proving quite challenging, and their effectiveness will depend largely on how bounded the network to be monitored is and on how deterministic the information that can be extracted from it is.


There is no doubt that the number of cyberthreats in ICS, as well as their complexity, is significantly increasing year after year. Therefore, it’s important that technological advances accompany this growth, seeking to improve the countermeasures that are currently applicable. Machine learning is a promising example of this, presenting clear advantages compared with existing systems. Nonetheless, for it to be effective in as many industrial use cases as possible, greater advances need to be made in this field.