REVIEW article
Front. Comput. Sci.
Sec. Networks and Communications
This article is part of the Research Topic: Frontiers in Information Technology, Electronics, and Management Innovation.
Explainable Hybrid Intrusion Detection for SCADA/ICS: A Review and Research Agenda
Provisionally accepted. Riga Technical University, Riga, Latvia.
Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) networks underpin critical infrastructure across energy, water, transportation, and manufacturing sectors. Existing intrusion detection systems face inherent trade-offs: signature-based approaches achieve low false-positive rates but cannot detect zero-day attacks, while anomaly-based methods detect novel threats but generate ambiguous alerts that burden operators and erode trust. Recent empirical studies reveal persistent practical gaps in deployment, including the difficulty of obtaining labeled attack data for supervised methods, severe hyperparameter tuning challenges for one-class classifiers, and limited integration of protocol-aware features despite the prevalence of process-aware detection. Explainability techniques remain underimplemented in industrial intrusion detection despite their potential for improving operator understanding and security workflow integration. This article presents a systematic review and research agenda for explainable hybrid intrusion detection in SCADA/ICS environments; it synthesizes evidence on detection architectures, explainability mechanisms, and deployment challenges, but does not report original experimental results. A systematic literature review was conducted across major databases for the period 2014–2025, yielding 40 studies for synthesis after screening. The review distills five practical gaps: limited zero-day coverage, false-positive control, process awareness versus protocol blindness, explainability for operators, and deployment complexity including concept drift. A conceptual reference architecture is proposed that fuses protocol-aware signatures with temporal anomaly detection and feature-attribution-based explanations. An evaluation checklist and research agenda guide future prototype development and pilot deployments under latency and safety constraints. 
Reported performance ranges (90–99% accuracy, 0.8–2.1% false-positive rates) and latency benchmarks represent summaries of prior work, not new experimental findings from this study.
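As an added illustration (not code from the paper or its authors), the sketch below puts the abstract's three components together: a protocol-aware signature stage, a temporal anomaly stage scored against a sliding baseline, and a feature-attribution explanation attached to every anomaly alert. The Modbus hosts, write policy, thresholds and traffic records are constructed for the example.

```python
from collections import deque, namedtuple
import math

# src = source host, func = Modbus function code (3 = read regs, 6 = write reg), features = process values
Record = namedtuple("Record", "src func features")
WRITE_FUNCS = {5, 6, 15, 16}       # Modbus write function codes
AUTHORIZED_WRITERS = {"10.0.0.5"}  # assumed policy: only the HMI host may issue writes

def signature_stage(rec):
    """Protocol-aware rule: flag write requests from unauthorized hosts."""
    if rec.func in WRITE_FUNCS and rec.src not in AUTHORIZED_WRITERS:
        return f"unauthorized write (func {rec.func}) from {rec.src}"

class TemporalAnomaly:
    """Per-feature z-score against a sliding baseline; score = sum of squared z."""
    def __init__(self, window=20, warmup=5, threshold=9.0):
        self.hist, self.window, self.warmup, self.threshold = {}, window, warmup, threshold
    def score(self, rec):
        contrib = {}
        for k, v in rec.features.items():
            h = self.hist.setdefault(k, deque(maxlen=self.window))
            if len(h) >= self.warmup:
                mu = sum(h) / len(h)
                sd = math.sqrt(sum((x - mu) ** 2 for x in h) / len(h)) or 1e-6
                contrib[k] = ((v - mu) / sd) ** 2
        total = sum(contrib.values())
        if total < self.threshold:  # only benign records extend the baseline
            for k, v in rec.features.items():
                self.hist[k].append(v)
        return total, contrib
def explain(contrib):
    """Feature attribution: each feature's share of the score, largest first."""
    total = sum(contrib.values()) or 1.0
    return sorted(((k, c / total) for k, c in contrib.items()), key=lambda kv: -kv[1])
def detect(records, model=None):
    model, alerts = model or TemporalAnomaly(), []
    for i, rec in enumerate(records):
        if why := signature_stage(rec):
            alerts.append({"idx": i, "stage": "signature", "why": why})
        total, contrib = model.score(rec)
        if total >= model.threshold:
            top, share = explain(contrib)[0]
            alerts.append({"idx": i, "stage": "anomaly",
                           "why": f"{top} carries {share:.0%} of the anomaly score"})
    return alerts
def sample_records():  # constructed traffic: 12 steady reads, one process excursion, one rogue write
    steady = [Record("10.0.0.5", 3, {"level": 50 + d, "flow": 10 + d / 2.5}) for d in [0.0, 0.5, -0.5] * 4]
    return steady + [Record("10.0.0.5", 3, {"level": 50.2, "flow": 30.0}),
                     Record("10.0.0.99", 6, {"level": 50.0, "flow": 10.0})]
```

Records that raise an alert are kept out of the baseline so that an excursion cannot mask itself, which also means a genuine process change must be re-learned explicitly; that is the concept-drift problem the review lists among its deployment gaps.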
Keywords: concept drift, explainability, hybrid detection, industrial control systems, intrusion detection, SCADA security
Received: 13 Oct 2025; Accepted: 09 Feb 2026.
Copyright: © 2026 Skrodelis and Romanovs. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) or licensor are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
* Correspondence: Heinrihs Kristians Skrodelis
Disclaimer: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.