Key points are not available for this paper at this time.
Introduction Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) networks underpin critical infrastructure across energy, water, transportation, and manufacturing sectors. Existing intrusion detection systems face inherent trade-offs: signature-based approaches achieve low false-positive rates but cannot detect zero-day attacks, while anomaly-based methods detect novel threats but generate ambiguous alerts that burden operators and erode trust. Recent empirical studies reveal persistent practical gaps in deployment, including the difficulty of obtaining labeled attack data for supervised methods, severe hyperparameter tuning challenges for one-class classifiers, and limited integration of protocol-aware features despite the prevalence of process-aware detection. Explainability techniques remain underimplemented in industrial intrusion detection despite their potential for improving operator understanding and security workflow integration. This article presents a systematic review and research agenda for explainable hybrid intrusion detection in SCADA/ICS environments; it synthesizes evidence on detection architectures, explainability mechanisms, and deployment challenges, but does not report original experimental results. Methods A systematic literature review was conducted across major databases for the period 2014–2025, yielding 40 studies for synthesis after screening. Results The review distills five practical gaps: limited zero-day coverage, false-positive control, process awareness vs. protocol blindness, explainability for operators, and deployment complexity including concept drift. Reported performance ranges (90%–99% accuracy, 0.8%–2.1% false-positive rates) and latency benchmarks represent summaries of prior work, not new experimental findings from this study. Discussion A conceptual reference architecture is proposed that fuses protocol-aware signatures with temporal anomaly detection and feature-attribution-based explanations. An evaluation checklist and research agenda guide future prototype development and pilot deployments under latency and safety constraints.
Skrodelis et al. (Tue,) studied this question.