
arxiv: 2604.21626 · v1 · submitted 2026-04-23 · 💻 cs.CR

On the Challenges of Holistic Intrusion Detection in ICS

Pith reviewed 2026-05-09 21:42 UTC · model grok-4.3

classification 💻 cs.CR
keywords intrusion detection · industrial control systems · ICS security · holistic detection · cyber-physical systems · network security · process monitoring

The pith

Multiple specialized detection systems must run in parallel to cover all dimensions of industrial control systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper argues that intrusion detection mechanisms for industrial control systems typically examine only narrow characteristics, such as packet timings or physical process values. Because real attacks often combine network and physical targets, these isolated tools leave coverage gaps, so several systems have to operate together. Running them in parallel creates practical difficulties in coordination, maintenance, and response. The authors recount specific obstacles they met while working toward one unified system that spans every dimension, with the goal of directing research toward those obstacles.

Core claim

Current intrusion detection for ICS remains fragmented across isolated characteristics, so adversaries who target both the network and the physical process can only be reliably uncovered by deploying multiple systems in parallel. That setup complicates day-to-day operation. The authors therefore catalog the concrete challenges that arose during their own attempt to construct a single holistic system addressing all dimensions at once.

What carries the argument

The holistic intrusion detection system: a single mechanism intended to integrate detection across the network, the physical process, and the other dimensions of an ICS, rather than relying on separate specialized tools.

If this is right

  • Attacks that simultaneously target the ICS network and the physical process will continue to evade any single-dimension detector.
  • Operators must manage the added complexity of coordinating outputs, alerts, and updates across several independent detection systems.
  • Any advance that reduces the number of required parallel systems would lower both the cost and the coordination burden of ICS monitoring.
  • Research that resolves the reported challenges would directly enable more complete protection of critical industrial infrastructure.
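To make the coverage gap concrete, here is an added toy illustration (not code from the paper or its authors) of two single-dimension detectors beside one combined view. All samples are constructed inline: the polling inter-arrival time stands in for the network dimension and a hypothetical tank-level tag for the physical process. Each isolated detector alerts on a 3-sigma deviation in its own dimension; the combined rule, an assumption made for this example and not the authors' method, alerts when both dimensions drift past 1.5 sigma at the same time.

```python
"""Added illustration: two single-dimension ICS detectors versus a combined view.
All data below is constructed for this example; the tank-level tag is hypothetical."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int                # sample index (one polling round per second)
    inter_arrival: float  # seconds since the previous polling request (network dimension)
    level: float          # tank level in cm carried in the reply (process dimension)


def benign(i: int) -> Sample:
    # Regular 1 s polling with 10 ms jitter; level oscillating between 49.5 and 50.5 cm.
    return Sample(i, 0.99 if i % 2 else 1.01, 49.5 if i % 2 else 50.5)


TRAIN = [benign(i) for i in range(20)]

# Test window: t=10..12 is a coordinated, low-amplitude manipulation (polling
# delayed by 22 ms while the reported level is forged upward by 1.1 cm);
# t=16 is a blatant timing-only anomaly (50 ms delay, level untouched).
TEST = [
    Sample(i, 1.022, 51.1) if 10 <= i <= 12
    else Sample(i, 1.05, benign(i).level) if i == 16
    else benign(i)
    for i in range(20)
]


def fit(train):
    """Per-dimension baseline (mean, population std-dev) from benign samples."""
    ia = [s.inter_arrival for s in train]
    lv = [s.level for s in train]
    return {"net": (mean(ia), pstdev(ia)), "proc": (mean(lv), pstdev(lv))}


def z(x, stat):
    mu, sd = stat
    return abs(x - mu) / sd


def network_alerts(samples, model, k=3.0):
    """Timing-only detector: alerts when inter-arrival deviates by more than k sigma."""
    return [s.t for s in samples if z(s.inter_arrival, model["net"]) > k]


def process_alerts(samples, model, k=3.0):
    """Process-only detector: alerts when the level deviates by more than k sigma."""
    return [s.t for s in samples if z(s.level, model["proc"]) > k]


def joint_alerts(samples, model, k_each=1.5):
    """Combined rule (assumed for this example): both dimensions deviate at once
    by more than k_each sigma. Each deviation alone stays under the 3 sigma
    single-detector threshold, but their coincidence is not baseline behaviour."""
    return [s.t for s in samples
            if z(s.inter_arrival, model["net"]) > k_each
            and z(s.level, model["proc"]) > k_each]


def holistic_alerts(samples, model):
    """Union of the isolated detectors and the combined rule."""
    return sorted(set(network_alerts(samples, model))
                  | set(process_alerts(samples, model))
                  | set(joint_alerts(samples, model)))


if __name__ == "__main__":
    m = fit(TRAIN)
    print("network only :", network_alerts(TEST, m))   # [16]
    print("process only :", process_alerts(TEST, m))   # []
    print("joint rule   :", joint_alerts(TEST, m))     # [10, 11, 12]
    print("holistic     :", holistic_alerts(TEST, m))  # [10, 11, 12, 16]
```

The coordinated manipulation at t=10..12 keeps each dimension near 2.2 sigma, so the network and process detectors stay silent while the combined rule fires; the blatant timing anomaly at t=16 is caught only by the network detector. The toy assumes both observations arrive in the same sample; aligning a packet timeline with a process timeline is left out here and is one of the integration costs that running separate detectors in parallel pushes onto the operator.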

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • The same tension between narrow detectors and broad coverage may appear in other cyber-physical domains such as smart grids or autonomous vehicles.
  • Standardized testbeds that combine network and physical measurements could be used to quantify how much each listed challenge actually increases operational load.
  • Once detection challenges are addressed, the next practical step would be to link the unified detector to automated response actions that act across both cyber and physical layers.

Load-bearing premise

The challenges the authors met while building toward a holistic system are representative enough of the general problem that the community should treat them as priorities.

What would settle it

A working prototype of one unified intrusion detection system for a realistic ICS testbed that covers network traffic, physical process variables, and other dimensions without requiring parallel deployments or introducing the listed operational complications would show the challenges are not fundamental.

Figures

Figures reproduced from arXiv: 2604.21626 by Benedikt Holzbach, Deniz Köller, Julia Raab, Martin Henze, Sotiris Michaelides, Stefan Lenz.

Figure 1. Holistic industrial intrusion detection systems (IIDS) aim to monitor both network behavior and physical process state, while traditional IIDS focus on one.
(Adjacent text from the paper lists its three challenges: process state discretization (§2), IIDS parameterization (§3), and collecting sufficiently good training data (§4).)
Figure 2. Alerts (black) of LLM detection on SWaT (red) are sensitive to process data variance. Monitoring subprocesses reduces processing overhead.
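The text beside Figure 1 names process-state discretization as the first challenge of a single-model IIDS. The following added example (not the paper's code; every trace is constructed inline) shows why the bin width is a hard parameter to choose: a continuous tank-level trace is discretized into states, the set of state transitions seen during benign operation becomes the model, and the same benign and attack traces are then checked at three bin widths. The tank-level values, the fill/hold/drain cycle and the forged overfill to 63 cm are assumptions made for this illustration.

```python
"""Added illustration of the discretization challenge: the bin width used to turn
continuous process values into states decides what a transition model can see.
All traces are constructed here; the tank level and its operating cycle are assumed."""
import math


def discretize(values, width):
    """Fixed-width binning: state id = floor(value / width)."""
    return [math.floor(v / width) for v in values]


def learn_transitions(values, width):
    """Benign training: the set of consecutive state pairs ever observed."""
    states = discretize(values, width)
    return set(zip(states, states[1:]))


def unseen_transitions(model, values, width):
    """Indices (1-based into `values`) whose transition never occurred in training."""
    states = discretize(values, width)
    return [i for i, pair in enumerate(zip(states, states[1:]), start=1)
            if pair not in model]


def cycle(noise):
    """One fill / hold / drain cycle of a hypothetical tank level (cm), one sample
    per step, with alternating-sign sensor noise of amplitude `noise`."""
    up = [40 + i + (noise if i % 2 else -noise) for i in range(21)]   # 40 -> 60
    hold = [60 + noise, 60 + 2 * noise, 60 + noise]                    # held at the top
    return up + hold + up[::-1]                                        # 60 -> 40


def attack_trace(noise=0.3):
    """Same cycle, but the top hold is replaced by a forged overfill to 63 cm:
    a process-only manipulation that stays close to the normal operating band."""
    up = cycle(noise)[:21]
    return up + [60 + noise, 61.0, 62.0, 63.0] + up[::-1]


TRAIN = cycle(0.2) * 2   # two benign cycles, noise amplitude 0.2 cm
BENIGN = cycle(0.3)      # a benign cycle whose noise amplitude differs slightly


def evaluate(width):
    """False positives on the benign trace and alerts on the attack trace."""
    model = learn_transitions(TRAIN, width)
    return {
        "false_positives": len(unseen_transitions(model, BENIGN, width)),
        "attack_alerts": len(unseen_transitions(model, attack_trace(), width)),
    }


if __name__ == "__main__":
    for width in (10, 2, 0.25):
        print(f"bin width {width:>5}: {evaluate(width)}")
```

Width 10 produces no false positives but lets the forged overfill pass, because 60 cm and 63 cm fall into the same state; width 2 catches it (three unseen transitions) with zero false positives on this trace; width 0.25 catches it too but also flags benign readings whose noise amplitude differs slightly from the training data. The workable width depends on the sensor's noise and on how far an attacker must push the process to cause harm, which is why one fixed choice is hard to justify across all variables of a plant.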
Original abstract

Past attacks against industrial control systems (ICS) show that adversaries often target both the ICS network and the physical process to achieve potential catastrophic impact. To secure ICS, intrusion detection systems promise timely uncovering of such adversaries. However, as these detection mechanisms typically focus on isolated characteristics of ICS (e.g., packet timings), multiple detection systems have to be deployed in parallel, complicating their operation in practice. In this work, to spur discussion and further research, we present challenges encountered during our research towards a holistic intrusion detection system aiming to cover all dimensions of an ICS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript is a position paper that argues current ICS intrusion detection systems focus on isolated characteristics (such as packet timings), requiring multiple parallel deployments that complicate operations in practice. It presents challenges encountered during the authors' research toward a holistic IDS covering all dimensions of an ICS, with the explicit goal of spurring discussion and further research rather than proposing or evaluating a new system.

Significance. If the enumerated challenges prove representative of the broader ICS security landscape, the paper could usefully focus community attention on integration and operational issues that isolated detectors create. As a challenges/position piece without new measurements, derivations, or reproducible artifacts, its significance is primarily in framing open problems rather than resolving them.

major comments (2)
  1. [Abstract and §1 (Introduction)] The central motivation—that isolated detectors (e.g., timing-based) necessitate parallel deployment and thereby complicate operations—is stated in the abstract and introduction but is not supported by any concrete case study, deployment data, or quantitative illustration from the authors' research. This weakens the load-bearing premise that a holistic system is required.
  2. [§3 (Challenges)] The challenges themselves are presented as a list without explicit linkage to specific ICS dimensions, threat models, or prior literature citations that would allow readers to verify representativeness or novelty. This makes it difficult to assess whether the listed obstacles are general or idiosyncratic to the authors' attempted implementation.
minor comments (2)
  1. [Abstract and §1] The abstract and introduction repeat the same motivation sentence almost verbatim; condensing this would improve readability.
  2. [Main body] No section or subsection headings are provided in the supplied text for the challenges list, making navigation and citation difficult.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our position paper. We address each major comment below, indicating planned revisions where appropriate.

Point-by-point responses
  1. Referee: [Abstract and §1 (Introduction)] The central motivation—that isolated detectors (e.g., timing-based) necessitate parallel deployment and thereby complicate operations—is stated in the abstract and introduction but is not supported by any concrete case study, deployment data, or quantitative illustration from the authors' research. This weakens the load-bearing premise that a holistic system is required.

    Authors: We acknowledge that the paper is a position piece without new empirical measurements or deployment data. The motivation is grounded in challenges encountered during our research toward a holistic IDS and in the broader ICS security literature. To strengthen the premise, we will revise the abstract and introduction to incorporate specific citations to prior work documenting the operational complexities of parallel IDS deployments in ICS settings. (revision: partial)

  2. Referee: [§3 (Challenges)] The challenges themselves are presented as a list without explicit linkage to specific ICS dimensions, threat models, or prior literature citations that would allow readers to verify representativeness or novelty. This makes it difficult to assess whether the listed obstacles are general or idiosyncratic to the authors' attempted implementation.

    Authors: We agree that greater explicitness would improve the section. In the revision we will expand §3 to map each challenge directly to the relevant ICS dimensions (network, timing, physical process), associated threat models drawn from documented attacks, and additional citations that establish representativeness and novelty relative to existing literature. (revision: yes)

Circularity Check

0 steps flagged

No significant circularity; the position paper reports research obstacles without derivations or fitted claims.

Full rationale

The paper is a challenges/position piece whose purpose is to describe obstacles met while pursuing a holistic ICS IDS and to invite further work. Its central motivation—that isolated detectors must be run in parallel and thereby complicate operations—is presented as background rather than as a formally demonstrated result. No equations, proofs, datasets, or quantitative claims appear whose correctness hinges on an unstated assumption or self-referential fit. The representativeness of the authors’ specific challenges is left as an open question for the community; that is a matter of scope and priority, not an internal inconsistency. No load-bearing steps reduce by construction to inputs, self-citations, or ansatzes, satisfying the criteria for a self-contained non-derivational contribution.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper introduces no mathematical model, no fitted parameters, and no new entities. It rests on the domain assumption that holistic detection is desirable and that the authors' experience generalizes.

axioms (1)
  • domain assumption Holistic intrusion detection covering network and physical process is both feasible and necessary for ICS security.
    Stated in the abstract as the goal of the research whose challenges are being reported.


