ICS intrusion detection has blind spots that complicate plant security
Industrial control systems on plant floors run alongside a growing layer of monitoring software meant to catch intruders before they reach a turbine, a valve, or a chemical mixer. Vendors sell these intrusion detection systems on the promise of broad coverage across both network traffic and the physical process. A new paper from researchers at RWTH Aachen University lays out three reasons that promise tends to wobble in practice.

The discretization problem
Most physical readings inside an industrial plant are continuous values: a tank fill level, a temperature, a flow rate. Detection systems that model process behavior need to convert those readings into discrete labels before they can spot anomalies. The Aachen team compared common methods, including k-means clustering and quantile-based binning, on benchmark datasets where the correct answer was known in advance.
The method that scored highest on accuracy was different from the one that scored highest on recall, which was different again from the one that performed best on combined timing-and-detection metrics.
Plant operators picking a product have no way to know which metric the vendor optimized for, and the choice quietly determines whether the system catches subtle attacks or floods the control room with false alerts.
Large language models hit a wall
One pitch gaining traction in security marketing is the use of LLMs to remove manual tuning from intrusion detection. The researchers tested this on the SWaT water treatment dataset. Running an LLM-based detector across the entire process exceeded the memory of a 96GB cluster node. Scaled down to monitor individual subprocesses, the detector produced near-constant alerts that buried any real attack signal, with one subprocess being a partial exception because of unusually low variance in its data.
Closed-box reasoning made it impossible to tell why the model raised any given alert. For a plant operator deciding whether to shut down a production line, that opacity matters.
Wireless changes the rules
Many timing-based detection products rely on the assumption that industrial network traffic is highly deterministic. Packets arrive at predictable intervals, and any deviation looks like an attack.
The researchers built a simulation that swaps the communication medium without changing process behavior. On a wired link, inter-arrival times sat at roughly 46 or 100 milliseconds depending on the link, with standard deviation under half a millisecond. A clean wireless channel hit similar averages. A wireless channel under disturbance kept comparable mean timings, with standard deviation rising to over 1.4 milliseconds across multiple links.
That variance is enough to trigger false alarms in deployed timing-based systems, which have no way to tell a noisy radio environment apart from a coordinated intrusion. Plants moving toward 5G and Wi-Fi for flexibility on the factory floor inherit this problem the moment they switch on the new radios.
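As an added illustration (constructed traces, not the Aachen measurements, and not code from the paper), the deterministic-traffic rule below is trained on a wired baseline and then scored against wired, clean-wireless and disturbed-wireless inter-arrival times; the std values mirror the article's figures, and the "own baseline" column shows the obvious mitigation of calibrating on the medium actually in use:

```python
"""Added example: a 3-sigma timing rule tuned on wired traffic, applied to
wireless links.  All traces are constructed, not measured."""
import statistics

CYCLE_MS = 100.0  # cyclic link, one telegram every 100 ms


def jittered(cycle, amplitude, n=40):
    """Constructed inter-arrival times (ms): a deterministic triangle-wave
    jitter around the cycle time; amplitude sets the spread, the mean stays put."""
    pattern = [-1.0, -0.5, 0.0, 0.5, 1.0, 0.5, 0.0, -0.5]
    return [cycle + amplitude * pattern[i % len(pattern)] for i in range(n)]


WIRED = jittered(CYCLE_MS, 0.4)           # sample std ~0.25 ms
WIRELESS_CLEAN = jittered(CYCLE_MS, 0.5)  # ~0.31 ms, same mean
WIRELESS_NOISY = jittered(CYCLE_MS, 2.5)  # ~1.55 ms, same mean


def baseline(samples):
    """Mean and sample standard deviation of inter-arrival times."""
    return statistics.fmean(samples), statistics.stdev(samples)


def count_alerts(samples, mu, sigma, k=3.0):
    """The deterministic-traffic rule: alert on any |x - mu| > k * sigma."""
    return sum(1 for x in samples if abs(x - mu) > k * sigma)


def run():
    """Score each medium against a baseline learned on wired traffic, then
    against a baseline learned on the medium actually in use."""
    mu_w, sd_w = baseline(WIRED)
    results = {}
    for name, trace in (("wired", WIRED), ("wireless_clean", WIRELESS_CLEAN),
                        ("wireless_noisy", WIRELESS_NOISY)):
        mu_own, sd_own = baseline(trace)
        # A single 200 ms gap (a missed cycle) appended to the trace: the
        # kind of event a timing rule is actually meant to surface.
        probe = trace + [2 * CYCLE_MS]
        results[name] = {
            "std_ms": round(sd_own, 3),
            "alerts_wired_baseline": count_alerts(trace, mu_w, sd_w),
            "alerts_own_baseline": count_alerts(trace, mu_own, sd_own),
            "gap_caught_own_baseline": count_alerts(probe, mu_own, sd_own) >= 1,
        }
    return results


if __name__ == "__main__":
    for medium, r in run().items():
        print(medium, r)
```

With the wired baseline, 30 of the 40 disturbed-wireless samples trip the rule while the clean wireless link trips none; recalibrating per medium removes the false alerts and still flags the 200 ms gap.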
What this means for buyers
The research points to specific gaps between how these products are sold and how they perform in messy operational settings. Procurement teams asking three questions will get further than those reading the data sheet alone: Which detection metric was the model tuned for? How does the system behave when packet timings drift for benign reasons? What happens when the model encounters a process state it has never seen before?
The honest answers are rarely on the brochure.