ABSTRACT

The security of industrial control systems (ICSs) is crucial due to their integral role in critical national infrastructure. This study tackles the escalating challenges posed by sophisticated cyberattacks, especially those that are unknown and evade existing detection mechanisms. Despite extensive research, there is a notable gap in systematically comparing supervised and unsupervised learning models for anomaly detection, leading to inconsistent evaluations of their effectiveness. To bridge this gap, we developed a comprehensive anomaly detection framework to systematically evaluate these models, focusing on their capability to detect unknown attacks. Utilising operational data from the Secure Water Treatment (SWaT) testbed, we assessed six unsupervised and five supervised learning methods. Our findings reveal significant performance disparities: supervised models excel in precision but have higher undetected rates, whereas unsupervised models achieve superior recall at the expense of increased false alarm rates. This study provides critical insights into the strengths and limitations of both approaches, guiding the development of more robust ICS security solutions.
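The precision/recall trade-off the abstract reports can be reproduced in miniature. The following is an added illustration, not code or data from the paper or from the SWaT testbed: it uses a constructed two-feature process signal (tank level, inflow), a nearest-centroid classifier standing in for the supervised family (trained on normal data plus one known attack type) and a per-feature z-score detector standing in for the unsupervised family (trained on normal data only), then scores both with the four metrics the abstract names. "Undetected rate" is assumed here to mean the miss rate, FN / (TP + FN); the 3-sigma threshold and all sample values are assumptions chosen for the illustration.

```python
"""Toy comparison of a supervised and an unsupervised anomaly detector on
constructed ICS sensor data (tank level in mm, inflow in m^3/h).
All values are made up for illustration; none of this is SWaT data."""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[float, float]  # (level, flow)

# Constructed training data: normal operation and one *known* attack type
# (level sensor spoofed high). The pump-stop attack used below never
# appears in training, so it plays the role of an unknown attack.
NORMAL_TRAIN: List[Sample] = [(600, 2.0), (650, 2.1), (700, 1.9), (620, 2.0),
                              (680, 2.2), (640, 1.8), (660, 2.0), (690, 2.0)]
KNOWN_ATTACK_TRAIN: List[Sample] = [(950, 2.0), (970, 1.9), (930, 2.1)]

# Constructed test set with ground truth: 1 = attack, 0 = normal.
TEST: List[Tuple[Sample, int, str]] = [
    ((655, 2.00), 0, "normal"),
    ((640, 2.05), 0, "normal"),
    ((760, 2.00), 0, "normal (legitimate but unusually fast fill)"),
    ((670, 1.95), 0, "normal"),
    ((960, 2.00), 1, "known attack: level spoofing"),
    ((940, 2.10), 1, "known attack: level spoofing"),
    ((650, 0.00), 1, "unknown attack: pump stopped, level still plausible"),
    ((660, 0.10), 1, "unknown attack: pump stopped, level still plausible"),
]


def centroid(points: Sequence[Sample]) -> Sample:
    """Per-feature mean of a set of samples."""
    return (statistics.fmean(p[0] for p in points),
            statistics.fmean(p[1] for p in points))


class NearestCentroidSupervised:
    """Supervised stand-in: learns one centroid per *labelled* class and
    assigns a sample to the nearest class. It can only recognise attack
    shapes it was shown during training."""

    def __init__(self, normal: Sequence[Sample], attack: Sequence[Sample]):
        self.normal_c = centroid(normal)
        self.attack_c = centroid(attack)

    def predict(self, x: Sample) -> int:
        return 1 if math.dist(x, self.attack_c) < math.dist(x, self.normal_c) else 0


class ZScoreUnsupervised:
    """Unsupervised stand-in: models normal operation only and flags any
    feature that drifts more than `k` standard deviations from its mean."""

    def __init__(self, normal: Sequence[Sample], k: float = 3.0):
        self.k = k
        self.mu = centroid(normal)
        self.sigma = (statistics.pstdev(p[0] for p in normal),
                      statistics.pstdev(p[1] for p in normal))

    def predict(self, x: Sample) -> int:
        return 1 if any(abs(x[i] - self.mu[i]) / self.sigma[i] > self.k
                        for i in range(2)) else 0


def evaluate(model, test) -> Dict[str, float]:
    """Confusion-matrix metrics; undetected rate is taken as the miss rate."""
    tp = fp = fn = tn = 0
    for x, y, _label in test:
        yhat = model.predict(x)
        if y and yhat:
            tp += 1
        elif y and not yhat:
            fn += 1
        elif not y and yhat:
            fp += 1
        else:
            tn += 1
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn),
        "false_alarm_rate": fp / (fp + tn),
        "undetected_rate": fn / (tp + fn),
    }


def compare() -> Dict[str, Dict[str, float]]:
    """Train both detectors on the constructed data and score them on TEST."""
    sup = NearestCentroidSupervised(NORMAL_TRAIN, KNOWN_ATTACK_TRAIN)
    unsup = ZScoreUnsupervised(NORMAL_TRAIN)
    return {"supervised": evaluate(sup, TEST), "unsupervised": evaluate(unsup, TEST)}


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this data the supervised detector reaches precision 1.0 but misses both pump-stop samples (undetected rate 0.5), because their level reading sits closer to the normal centroid than to the only attack shape it learned; the unsupervised detector catches all four attacks (recall 1.0) but raises a false alarm on the legitimate fast fill (false alarm rate 0.25, precision 0.8). That is the same direction of trade-off the abstract reports for the full model set, and it is why evaluations that report only precision, or only recall, lead to the inconsistent conclusions the paper sets out to address.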
Wang et al. (Thu,) studied this question.