Article

A Hybrid Machine Learning Approach for Cyberattack Detection and Classification in SCADA Systems: A Hydroelectric Power Plant Application

by Mehmet Akif Özgül 1, Şevki Demirbaş 2 and Seyfettin Vadi 2,*

1 The Electricity Generation Corporation, 06510 Çankaya, Turkey
2 Department of Electrical and Electronics Engineering, Gazi University, 06570 Ankara, Turkey
* Author to whom correspondence should be addressed.
Electronics 2026, 15(1), 10; https://doi.org/10.3390/electronics15010010
Submission received: 15 November 2025 / Revised: 16 December 2025 / Accepted: 17 December 2025 / Published: 19 December 2025

Abstract

SCADA systems, widely used in critical infrastructure, are becoming increasingly vulnerable to complex cyber threats, which can compromise national security. This study presents an artificial intelligence-based approach aimed at the early and reliable detection of cyberattacks against SCADA systems. The study physically scaled the SCADA communication architecture of a hydroelectric power plant and created a suitable test environment. In this environment, in addition to the benign normal state, attack scenarios such as Man-in-the-Middle (MITM), Denial-of-Service (DoS), and Command Injection were implemented while the process created for the system’s operation was running continuously. While the scenarios were being implemented, the SCADA system was monitored, and network data flow was collected and stored for later analysis. Basic machine learning algorithms, including KNN, Naive Bayes, Decision Trees, and Logistic Regression, were applied to the obtained data. Also, different combinations of these methods have been tested. The analysis results showed that the hybrid model, consisting of a Decision Tree and Logistic Regression, achieved the most successful results, with a 98.29% accuracy rate, an Area Under the Curve (AUC) value of 0.998, and a reasonably short detection time. The results demonstrate that the proposed approach can accurately classify various types of attacks on SCADA systems, providing an effective early warning mechanism suitable for field applications.

1. Introduction

With the proliferation and increasing complexity of digital technologies, cybersecurity has become a crucial field, evolving to meet the need to protect the assets of individuals, institutions, and governments. The International Telecommunication Union defines the concept of cybersecurity as an integrated structure of tools, policies, security concepts, measures, actions, risk management strategies, training, methods, and technologies that can be used to protect information and systems [1]. Cybersecurity generally aims to protect information systems and data from illegal access, attacks, and misuse [2]. Critical infrastructures have become increasingly essential targets, especially for attackers seeking to exploit vulnerabilities for their own benefit through various attack methods. Critical infrastructure encompasses the systems that provide essential services such as water, energy, communication, transportation, finance, healthcare, and security, which are necessary for a country or institution to maintain its existence and functioning. SCADA systems in these infrastructures are widely used for monitoring and controlling components in local and remote sites [3].
Physical and cyberattacks on SCADA systems can lead to unauthorized control of the systems, disruption of their operation, or service interruptions [4]. The impact of these attacks is not limited to operational disruptions; it can reach dimensions that threaten economic, social, and national security [5]. Cyberattacks, especially those targeting energy production, transmission, and distribution infrastructure, can create an atmosphere of social chaos by causing service disruptions. In 2010, a nuclear power plant in Iran was attacked through the Stuxnet malware, which was introduced onto the local network via a USB drive. As a result of this attack, the control systems of the uranium enrichment facility were infected [6,7]. In 2015, a false data injection attack targeting the breakers of three different distribution companies in Ukraine resulted in approximately 225,000 customers being without electricity service for several hours [8]. The countries that experienced these disruptions saw clearly how serious the consequences of disrupting critical infrastructure systems are. Ensuring the cybersecurity of critical infrastructure is of crucial importance because SCADA systems enable the automatic control and remote management of essential services (such as water, electricity, and natural gas) [9]. Investigating and addressing the security vulnerabilities of these systems is a necessary prerequisite for ensuring the cybersecurity of critical infrastructure. Additionally, cyberattack detection and prevention are cornerstones of cybersecurity strategies for critical infrastructure. The development of cyberattack detection and prevention systems will enhance the resilience of countries’ critical infrastructure against cyber threats and significantly contribute to the continuity of critical systems.
Machine learning, deep learning, and artificial intelligence-based algorithms can be integrated into SCADA systems to enhance cyberattack detection capabilities. However, since the detection models used by these algorithms are structurally different, the analysis results can also vary from model to model. Due to varying performance across different datasets and models, it is necessary to develop an intrusion detection model that achieves high accuracy, specifically tailored to a particular dataset.
In this study, a physical test environment similar to the SCADA communication architecture of a hydroelectric power plant was established; the network traffic resulting from various cyberattacks (MITM, DoS, Command Injection) performed in this environment was analyzed. The recorded traffic was evaluated using supervised machine learning algorithms, and both attack detection and classification of attack types were performed. The primary objective of this study is to develop machine learning models that can effectively detect cyberattacks on SCADA systems, thereby contributing to advanced research in this field. The contributions of this study can be summarized as follows:
  • A realistic test environment was created using the physical components of SCADA systems used in critical infrastructure. The literature primarily features simulation-based studies, with fewer applications found in cyber-physical environments.
  • Based on the SCADA communication structure of hydroelectric power plants, a system model with a ring-to-ring topology specific to the PROFINET protocol has been developed.
  • Three different attack scenarios, such as MITM, DoS, and Command Injection, were applied to the established test environment; network traffic was analyzed under both normal operating conditions and under attack.
  • Unlike the commonly used ready-made datasets in the literature, a protocol and hardware-based, original, and labeled dataset was created in this study.
  • Not only was the detection of attacks targeted, but also their classification; within this scope, seven different machine learning models (KNN, NB, DT, LR, KNN-NB, DT-LR, KNN-NB-DT) were evaluated. The performances of singular and hybrid modeling approaches have been compared.
As a result of the study, machine learning-based methods that could be effective in distinguishing between different types of attacks on SCADA systems were identified. The study consists of five main sections. In the first section, the importance of cybersecurity within the framework of SCADA systems and critical infrastructures is discussed, and the purpose and scope of the study are explained. In the second section, the structure and vulnerabilities of SCADA systems, the importance of cyber threats against these systems, and current studies on artificial intelligence (AI) and machine learning-based cyberattack detection are highlighted. In the third section, the setup of the physical test environment, scenario-based cyberattacks, the structure of the generated dataset, and the applied classification models are presented in detail. In the fourth section, performance metrics are presented, and experimental data obtained from the applications are evaluated. In the fifth section, general conclusions and recommendations are presented based on this data.

2. Related Works

SCADA systems are used for the safe and efficient management of industrial processes, as well as for increasing operational efficiency. These systems contribute to reducing failure and maintenance costs by enabling real-time monitoring of processes and rapid intervention. However, SCADA systems can be vulnerable to cyberattacks due to their architectural structure. This situation poses serious risks, especially to critical infrastructure, making it imperative to protect these systems against security threats. The main components of SCADA systems, including the communication protocols used in these systems, are among the key elements that need to be considered from a cybersecurity perspective.
SCADA systems comprise three basic components: The Master Terminal Unit (MTU), Remote Terminal Units (RTUs), and the communication network, as illustrated in Figure 1. Additionally, the business information technology (IT) network, which serves as the data processing system, can also be incorporated into this structure. The MTU serves as the primary control point, where all field-end units are monitored, and data is collected and processed. Data communication between devices is provided through this unit, which is considered the most critical component of the system. A cyberattack on the MTU could have consequences that affect the entire network [9]. RTUs are endpoint units that collect, analyze, and transmit data from the field to the MTU, and also relay incoming commands to devices in the field [9]. Programmable Logic Controllers (PLCs) are located within this unit. The communication network, on the other hand, includes communication protocols specifically designed to ensure secure data transmission between SCADA components [10]. Most structures that use SCADA systems are not directly connected to the internet and operate independently of external networks. However, even in critical infrastructures that are not directly connected to the internet or have extremely limited connections to external networks, cyberattacks can be carried out over the local network. Among the most well-known examples of such scenarios are malware like Stuxnet, Duqu, and Flame. These software programs have caused serious damage by infiltrating systems without an external network connection through portable media [11]. Many cyberattacks have been carried out against SCADA systems to date. In the Dragonfly 2.0 attack that occurred in 2017, the attackers targeted the SCADA systems of organizations in the energy sector, attempting to disrupt the production processes of industrial facilities. 
First detected in Hungary in 2011, targeting European-based systems, the Duqu malware is an information theft attack against Microsoft Windows-based control systems. Similarly to Stuxnet, it operated within a local network environment but did not cause physical damage. It performed functions such as keylogging, taking screenshots, and archiving configuration files on the infected systems [12].
Based on the characteristics of the PROFINET protocol, which is widely used in SCADA systems, various cyberattacks, such as network device access, man-in-the-middle attacks, replay attacks, and DoS attacks, can be carried out [13]. The PROFINET protocol provides integration and operational ease by sharing the same physical network infrastructure with devices supporting different protocols, but it also carries security risks in terms of unauthorized access and program-based attacks. Analyses of the cybersecurity of communication protocols have shown that a number of security vulnerabilities exist. Given the wide range of applications for the PROFINET protocol, it is likely that cyberattacks could be carried out by exploiting these security vulnerabilities [14]. Based on the characteristics of the PROFINET protocol, attacks such as accessing devices on the network, man-in-the-middle attacks, replay attacks, and DoS attacks can be carried out [15]. Paul and his colleagues examined attacks that could be carried out against the PROFINET protocol, such as DoS and MITM, in their studies [16]. By exploiting vulnerabilities in the PROFINET protocol, various cyberattacks can be carried out on systems [17]. PROFINET, an Ethernet-based protocol that supports real-time communication, is sensitive to the security risks inherent in Ethernet infrastructure [18]. In a study conducted by Akerberg and Bjorkman, it was demonstrated that a man-in-the-middle attack could be carried out against the PROFINET protocol [19]. The database of the National Institute of Standards and Technology (NIST), which publishes globally recognized standards and security guidelines, contains identified security vulnerabilities related to the PROFINET protocol, including denial-of-service (DoS) attacks, command injection, and other types of attacks [20].
For example, it has been reported that a security vulnerability identified in the PROFINET protocol in 2024 allows attackers to carry out a denial-of-service (DoS) attack that causes the device to become unresponsive, and that this vulnerability has been recorded in the security database with the identifier CVE-2024-48989 [20].
The usage rates of SCADA communication protocols are presented in Figure 2 [21]. Cyber threat actors aware of the security vulnerabilities in commonly used communication protocols in SCADA systems view the sectors where these systems are deployed as favorable and valuable targets for carrying out attacks. Thus, assets in SCADA systems become vulnerable to cyber threats and face various risks of attack.
All of these types of attacks can compromise the efficiency, reliability, and security of industrial systems. Therefore, necessary measures should be taken, and cyberattack detection systems should be developed to enhance the security of these systems. On the other hand, obtaining precise data on the frequency of cyberattacks and the number of individuals economically harmed by these attacks is challenging due to factors such as the concealment of attacks and the difficulty in apprehending the perpetrators [22]. In this context, software development should be prioritized to ensure security and supported by strong legal regulations. Today, the increasing complexity of cyberattacks makes them challenging to detect. Therefore, there has been a significant shift toward artificial intelligence-based methods that can identify anomalies by analyzing large datasets, rather than traditional methods. Artificial intelligence is defined as the ability of computers or digital systems to perform specific tasks by mimicking human-like behaviors [23]. Artificial intelligence algorithms enable the real-time detection of cyberattacks and provide flexibility in identifying various types of attacks, thereby minimizing human error and enhancing security. In this respect, artificial intelligence systems have become a vital tool in detecting and preventing cyberattacks. There are studies in the literature on the detection of cyberattacks using artificial intelligence methods. Kalech proposed two algorithms based on cyberattack detection techniques that rely on temporal pattern recognition, specifically Hidden Markov Models (HMMs) and Artificial Neural Networks (ANNs), to ensure the security of SCADA systems in critical infrastructures. The research was conducted using data obtained from a comprehensive training SCADA laboratory established by CyberGym, as well as from a real SCADA system located at Ben-Gurion University of the Negev. 
According to the findings, it has been stated that temporal pattern recognition methods can detect cyberattacks, including legitimate functions known to be challenging to identify in the literature [24].
Kravchik and Shabtai [25] presented a study using convolutional neural networks to detect cyberattacks against industrial control systems (ICS). The study was conducted on the Secure Water testbed (SWaT) dataset, which represents a scaled-down model of a real-world industrial water treatment plant. The proposed method outperformed previous studies on this dataset, detecting 31 cyberattacks with only three false positives. Researchers focused on the working time and performance of the model they presented, stating that it shows great promise for ICS cyberattack detection. Alhaidari and AL-Dahasi [26] attempted to develop a framework using three different machine learning algorithms to protect SCADA systems against DDoS attacks. They used the J48, NB, and Random Forest (RF) algorithms. These algorithms were trained and evaluated on the KDD Cup '99 dataset. The results obtained showed that the best classification was achieved using RF with an accuracy rate of 99.99%, while the NB algorithm had the lowest accuracy rate at 97.74%.
Teixeira and his colleagues conducted five exploratory attacks specific to the ICS on the testbed, which represents the control system of a water storage tank, a stage in the water treatment and distribution process [27]. During these attacks, they intercepted network traffic containing information about the devices (valves, pumps, sensors). They applied five different traditional machine learning algorithms to the dataset they created from this network traffic to detect cyberattacks: “Random Forest, Decision Tree, Logistic Regression, Naive Bayes, and KNN.” The results they obtained demonstrated the efficiency of machine learning models in detecting attacks in real-time. Hindy and his colleagues developed a new model for anomaly detection in water networks controlled by SCADA systems in their study [28]. The Modbus protocol was used. While creating the model, they used six different machine learning algorithms: LR, Gaussian Naive Bayes (GNB), SVM, KNN, DT, and RF. The model, developed using a pre-existing dataset, is designed to classify various types of anomalies, including sabotage, hardware errors, and cyberattacks. Unlike existing detection systems, the proposed model is designed to inform the operator about the probability of an event occurring and to reduce the effects of attacks. In another study, Benisha and Ratna proposed a new methodology for identifying and classifying cyberattacks in SCADA networks [29]. The dataset they used in the study includes network attacks on the water storage system. In the proposed approach, the researchers used clustering and an STS-based Enhanced Cuckoo Search Optimization algorithm to select the most suitable features. In the classification stage, they opted for a genetic machine learning-based neural network algorithm. With the new methodology, accuracy has been increased in the shortest possible time.
The results of the performance analysis demonstrated that better clustering, optimization, and classification outcomes were achieved compared to traditional algorithms. Perez and his colleagues [30] applied machine learning techniques for intrusion detection in SCADA systems using a real dataset provided by Mississippi State University (MSU) and collected from a gas pipeline system, successfully detecting network attacks. In their studies, they chose to use SVM and RF algorithms. The results obtained demonstrate that RF effectively detects unauthorized entries, and using the F1 score enables an accurate evaluation of performance.
Grammatikis and his colleagues have proposed an intrusion detection and prevention system for SCADA systems using the DNP3 protocol [31]. This system is based on supervised and unsupervised machine learning detection models and can distinguish whether network traffic is associated with a specific DNP3 cyberattack or anomaly. Data obtained from a real substation was used, and the effectiveness of the proposed system was demonstrated. Söğüt and Erdem utilized a dataset from a gas pipeline control system, which is part of the critical infrastructure, in their study. The various attacks targeted the Modbus protocol for the gas pipeline control system, encompassing command injection, reconnaissance, and denial-of-service categories. Data mining methods were applied to the dataset using various algorithms. Using this dataset, attacks on ICS or SCADA systems and non-attacks were evaluated and analyzed based on different characteristics. According to the analysis results, it was observed that the Random Tree algorithm achieved the most accurate classification rate [10]. Rajesh and Satyanarayana [32] employed machine learning algorithms in conjunction with filtering and sampling techniques for detecting attacks in Industrial Process Control Systems (SCADA) networks. In their study, researchers created their own datasets using network traffic containing both normal and attack data, generated from a real-time SCADA testbed. When creating the dataset, they applied the Chi-Square, Analysis of Variance (ANOVA), Least Absolute Shrinkage and Selection Operator (LASSO), and Support Vector Machine Synthetic Minority Over-sampling Technique (SVMSMOTE) techniques. After creating the dataset, they utilized machine learning algorithms, including SVM, KNN, RF, and NB, to detect the attacks.
In this study, MITM, unauthorized command injection, and DoS attacks, which are potential cyberattacks that can be carried out against the SCADA network of a hydroelectric power plant within the energy sector, a critical infrastructure, are discussed. Artificial intelligence-based models are proposed for detecting these attacks. In this direction, an original dataset was created based on the communications carried out in the system, and various machine learning algorithms were applied to this data. In the study, in addition to basic algorithms such as KNN, NB, DT, and LR, hybrid models, including KNN-NB, DT-LR, and KNN-NB-DT, were also evaluated. This method presents different approaches to detecting cyberattacks on SCADA systems, and the resulting attack detection accuracy rates and other performance metrics have been calculated. Thus, the outputs obtained within the scope of the study were compared within a methodological framework to provide a holistic evaluation.

3. Materials and Methods

This section introduces the test environment, discusses the cyberattack scenarios implemented, the dataset and its attributes, and the metrics used in the analysis.

3.1. The Physical Test Environment

A test environment is a simulation that models the industrial control systems of a real facility or factory as closely as possible without exactly replicating them [33]. This section outlines the structural design, architecture, and functional processes of the test environment created. The setup and use of the test environment provide a suitable environment for conducting real cyberattacks and observing the results of the attacks. The test environments created within this scope enable the evaluation of the impact of cyber threats on systems, the identification of vulnerabilities, and the development of solutions to address these vulnerabilities. By simulating real-world attack scenarios in a controlled environment, the effectiveness of attack detection mechanisms can be measured, and new defense strategies can be developed.
In this study, a test environment simulating the SCADA communication architecture of a hydroelectric power plant was created to contribute to research in the field of cybersecurity. The test environment is designed with a two-layer SCADA communication network architecture. In this environment, Profinet communication, which is widely used in industrial systems, is employed, and various operations are performed to represent the plant’s operation. This test environment represents a simplified simulation of the SCADA communication architecture of a real hydroelectric power plant. The operational status of the hydroelectric power plant is controlled and monitored through the SCADA system. The equipment used in the test environment was selected from components commonly preferred in the SCADA systems of a typical hydroelectric power plant. The architectural structure of the test environment is shown in Figure 3. Commands given through the computer communicate with the physical PLC via the Profinet protocol, controlling the system’s hardware components (intake cover motor, warning breaker circuit, cooling water pump, etc.). In this way, real-time data flow and the modeling of the control mechanism are ensured. Thanks to this structure, both command sending and status monitoring operations were performed simultaneously.
In the test environment, scanning operations were performed on the local network using an attacker device, and various cyberattack scenarios were applied to the physical PLC on the industrial network switch. In the study, three different types of cyberattacks were conducted against the physical PLC, which was selected as the target. These attacks are: ARP spoofing, which falls under the MITM category; TCP SYN flood, which is a type of DoS attack; and command injection. Within the scope of these scenarios, the operating status of the physical system and the controlled processes were monitored. For each attack scenario, network traffic was individually monitored, and relevant packets were recorded using Wireshark 1.8 software. Additionally, network traffic from a normal operating state without any attacks was similarly monitored and recorded for comparison purposes. Whether there was any attack activity in the system was checked on the main computer by analyzing network traffic. The attack scenarios were carried out through the attacker environment, which was configured as a virtual machine on the same computer and had the Kali Linux operating system installed. A sample image of the network traffic monitoring process, performed using Wireshark, is shown in Figure 4.
In the analysis of the datasets obtained in this study, the MATLAB-2024a programming environment was chosen for statistical evaluation and machine learning applications. Various preprocessing steps were applied to make the data suitable for the analysis process. After completing the preprocessing steps, different machine learning algorithms were employed for attack detection, and performance analyses were conducted on these models.

3.2. Implementing Cyberattack Scenarios in a Test Environment

This section discusses the normal operating state of the created test environment and the cyberattack scenarios performed against this environment. Common types of attacks that threaten the security of SCADA systems were analyzed and applied to the test environment. In this context, in addition to attacks aimed at disrupting communication between PLCs and HMIs, targeted attacks against specific RTUs have also been carried out.
The impact on the system’s integrity and stability from the carried-out attacks was observed; network traffic before and after the attacks was recorded in detail using Wireshark software. The scenarios implemented are summarized as follows:
  • Normal situation scenario.
  • ARP spoofing attack scenario.
  • SYN flood attack scenario.
  • Unauthorized command injection scenario.
The attacker used both passive and active scanning tools to identify target devices, and custom packets were created for use in attack scenarios. Based on the information obtained, information gathering operations were performed on the target devices, and this data was used in planning the subsequent attack stages. Based on this data, attack operations were carried out, and each attack scenario was implemented for an average of 4 min. The purpose of determining this duration is to enable the observation of the system’s effects and to create a broader dataset of attack traffic. Thus, the necessary data traffic diversity has been provided for machine learning models to be trained more effectively. Following the attacks, system operation in some cases did not recover and was unable to return to its regular working order. In some types of attacks, user interaction through the virtual computer interface was blocked, making it impossible to interact with the system. This situation highlights the sensitivity of SCADA systems and the potential for attacks to have not only temporary but also permanent consequences for the system. Therefore, detailed monitoring and analysis of the effects of such attacks are crucial for identifying vulnerabilities and taking appropriate measures.
As a result of these attack scenarios, network parameters such as system behavior, packet sizes, timing differences, and connection density were analyzed. The obtained data was labeled and made usable in machine learning-based anomaly detection systems.
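The following added example (not code from the paper) shows how per-scenario captures can be turned into labeled rows built from the quantities named above: packet size, timing differences, and connection density, plus one simple indicator each for ARP spoofing and SYN flooding. The packet records, the PLC address, the one-second window and the feature names are all assumptions made for illustration; the paper's own attributes are those listed in its Table 1.

```python
from collections import defaultdict
from statistics import mean

PLC_IP = "192.168.0.10"  # hypothetical PLC address (assumption)


def cyclic(start_ms, count, gap_ms):
    """Constructed stand-in for periodic controller/PLC frames."""
    return [{"t_ms": start_ms + i * gap_ms, "len": 60, "proto": "PN"}
            for i in range(count)]


def arp_reply(t_ms, mac):
    """Constructed ARP reply announcing that PLC_IP is at `mac`."""
    return {"t_ms": t_ms, "len": 42, "proto": "ARP", "ip": PLC_IP, "mac": mac}


# Constructed captures, one per scenario (not data from the paper).
CAPTURES = {
    "normal": cyclic(0, 20, 100) + [arp_reply(50, "aa:aa:aa:00:00:01")],
    "arp_spoofing": cyclic(0, 20, 100) + [
        arp_reply(50, "aa:aa:aa:00:00:01"),
        arp_reply(1250, "bb:bb:bb:00:00:02"),  # same IP, different MAC
    ],
    "syn_flood": cyclic(0, 20, 100) + [
        {"t_ms": 1000 + i * 5, "len": 54, "proto": "TCP", "flags": "S"}
        for i in range(100)
    ],
}


def window_features(packets, window_ms=1000):
    """Aggregate packet records into one feature row per time window."""
    buckets = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["t_ms"]):
        buckets[p["t_ms"] // window_ms].append(p)

    ip_to_macs = defaultdict(set)  # ARP bindings seen so far, across windows
    rows = []
    for idx in sorted(buckets):
        pkts = buckets[idx]
        times = [p["t_ms"] for p in pkts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        syn = sum(1 for p in pkts if p["proto"] == "TCP" and p["flags"] == "S")
        ack = sum(1 for p in pkts if p["proto"] == "TCP" and p["flags"] == "A")
        for p in pkts:
            if p["proto"] == "ARP":
                ip_to_macs[p["ip"]].add(p["mac"])
        rows.append({
            "window": idx,
            "pkt_count": len(pkts),                        # connection density
            "mean_len": mean(p["len"] for p in pkts),      # packet size
            "mean_gap_ms": mean(gaps) if gaps else 0.0,    # timing difference
            # Crude half-open estimate: SYNs not matched by a final ACK.
            "half_open": max(syn - ack, 0),
            "syn_count": syn,
            # 1 once any IP has been announced with more than one MAC.
            "arp_conflict": int(any(len(m) > 1 for m in ip_to_macs.values())),
        })
    return rows


def build_dataset(captures, window_ms=1000):
    """Combine per-scenario captures; each row inherits its capture's label."""
    dataset = []
    for label, packets in captures.items():
        for row in window_features(packets, window_ms):
            dataset.append({**row, "label": label})
    return dataset


if __name__ == "__main__":
    for row in build_dataset(CAPTURES):
        print(row)
```

Labeling by scenario marks every window of an attack capture as an attack, including the windows recorded before the attack traffic starts (window 0 of the `arp_spoofing` capture here); window-accurate labels need the attack start and stop times.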

3.3. Data Set Creation Process

This section provides information on the total dataset created using network traffic data obtained from each scenario performed in the test environment. For each scenario, network traffic was recorded and analyzed separately using the Wireshark tool. The obtained records were combined under a single dataset to create a holistic structure. During the stage of determining the attributes to be used in the dataset, attributes specific to the Profinet protocol, which is widely preferred in the literature and one of the most commonly used industrial communication protocols, were examined [34]. A total of 39 suitable attributes were identified for the dataset created within the scope of this study, and their definitions and explanations are presented in Table 1.
A new and comprehensive dataset was created, consisting of 38 attribute columns and one label column, with a total of 171,786 samples within the scope of this study. During the data set preparation process, different cyberattack scenarios were implemented in a real-time SCADA test environment, and the system’s responses were directly observed. The attacks led to systemic anomalies, which directly contributed to the data set labeling process. This dataset is suitable for both classification problems related to attack detection and for training and testing different machine learning methods. Additionally, the dataset allows us to determine not only whether an attack has occurred, but also the type of attack that was carried out (e.g., ARP spoofing, TCP SYN flood, unauthorized command injection, etc.). In this respect, it contributes to the existing literature on cybersecurity and SCADA systems.

3.4. Machine Learning Performance Metrics Used in Cyberattack Detection

The primary goal of machine learning is to develop models that can generalize from training data. Therefore, it is essential to perform performance comparisons to determine the most suitable model. For these comparisons to be sound, appropriate evaluation methods and metrics must be selected. One of the commonly used methods in performance evaluations is the confusion matrix. This matrix is created by comparing the model’s predictions with the actual labels, allowing for the analysis of not only accuracy but also the types of errors that occur. A sample confusion matrix for binary datasets is shown in Table 2.
Cases where the actual class is positive (Class 1) and the model prediction is also positive (Class 1) are called True Positives (TP). In this case, the model has made a correct prediction. Samples that are incorrectly predicted as positive (Class 1) by the model, while the actual class is negative (Class 2), are defined as False Positives (FP). Cases where the actual class is positive (Class 1) but the model predicts these examples as negative (Class 2) are called False Negatives (FN); the model has missed these examples. Finally, examples where the actual class is negative (Class 2) and the model’s prediction is also negative (Class 2) are referred to as True Negatives (TN). In this case, the model has classified correctly.
Various metrics are used to evaluate the performance of machine learning models. These metrics enable a quantitative analysis of the model’s accuracy, error rates, and generalization capabilities. Among the most commonly used performance metrics in the literature are accuracy, sensitivity/recall, specificity, precision, the F1 score, the Receiver Operating Characteristic (ROC) curve, and the area under the curve (AUC) [35].
Accuracy indicates the proportion of all samples, including both positive and negative classes, that a classification model correctly predicts. This metric is calculated as the ratio of the number of samples the model correctly classified to the total number of samples.
Accuracy = (TP + TN)/(TP + FP + TN + FN)
Sensitivity (or Recall) is a performance metric that measures a classification model’s ability to predict examples belonging to the positive class correctly. It is expressed as the proportion of examples correctly classified as positive by the model among the actual positive examples. In other words, it demonstrates the model’s ability to predict the positive class accurately.
Recall = TP/(TP + FN)
Specificity is a performance metric that measures a classification model’s ability to predict examples belonging to the negative class correctly. It represents the proportion of actual negative examples that the model correctly classifies as negative. In other words, it demonstrates the model’s ability to identify the negative class accurately.
Specificity = TN/(TN + FP)
Precision refers to the proportion of samples that the model classifies as positive that are actually positive. In other words, it demonstrates the model’s accuracy in predicting the positive class.
Precision = TP/(TP + FP)
The F1 score is defined as the harmonic mean of a classification model’s precision and recall metrics. This metric aims to optimize the model’s overall performance by balancing sensitivity and precision metrics.
F1 Score = 2 × (Precision × Recall)/(Precision + Recall)
The ROC curve is an essential graphical tool used to evaluate the performance of classification models. AUC indicates how successfully the model can distinguish between classes. The predictive performance of the model is assessed by considering the value ranges for AUC given below [36].
  • AUC = 0.5 → The model is not capable of distinguishing between classes.
  • 0.5 < AUC < 0.7 → The model’s prediction performance is poor.
  • 0.7 ≤ AUC < 0.8 → The model has acceptable classification success.
  • 0.8 ≤ AUC < 0.9 → The interclass separation of the model is at an excellent level.
  • 0.9 ≤ AUC ≤ 1 → The model has a superior classification ability.
In this study, commonly used performance metrics, including accuracy, precision, recall, specificity, F1 score, and ROC-AUC, were utilized to evaluate the success of classification models. Additionally, the prediction times of the models in cyberattack detection were also analyzed.
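The formulas above are stated for the binary case; the following added example (not code from the study, which was carried out in MATLAB) applies them one-vs-rest to a four-class confusion matrix and computes AUC by pairwise ranking. The matrix, the scores and the class order are constructed for illustration.

```python
LABELS = ["Normal", "MITM", "DoS", "Command Injection"]

# Constructed confusion matrix (not the paper's results): rows are actual
# classes, columns are predicted classes, both in the order of LABELS.
CM = [
    [480,  6,   2,  12],
    [ 14, 80,   1,   5],
    [  3,  0, 895,   2],
    [  9,  4,   0, 487],
]

def ratio(num, den):
    """Division that yields 0.0 when a class was never seen or never predicted."""
    return num / den if den else 0.0

def per_class_metrics(cm, labels):
    """Treat each class in turn as 'positive' and all other classes as 'negative'."""
    total = sum(sum(row) for row in cm)
    report = {}
    for k, name in enumerate(labels):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                    # actual k, predicted something else
        fp = sum(row[k] for row in cm) - tp     # predicted k, actually something else
        tn = total - tp - fn - fp
        precision, recall = ratio(tp, tp + fp), ratio(tp, tp + fn)
        report[name] = {
            "accuracy": ratio(tp + tn, total),
            "recall": recall,
            "specificity": ratio(tn, tn + fp),
            "precision": precision,
            "f1": ratio(2 * precision * recall, precision + recall),
        }
    return report

def overall_accuracy(cm):
    """Share of all samples on the diagonal of the matrix."""
    return ratio(sum(cm[k][k] for k in range(len(cm))), sum(sum(row) for row in cm))

def macro_average(report, metric):
    """Unweighted mean over classes, so a small class counts as much as a large one."""
    return sum(m[metric] for m in report.values()) / len(report)

def roc_auc(scores, is_positive):
    """AUC as the probability that a positive sample outscores a negative one (ties count half)."""
    pos = [s for s, p in zip(scores, is_positive) if p]
    neg = [s for s, p in zip(scores, is_positive) if not p]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return ratio(wins, len(pos) * len(neg))

if __name__ == "__main__":
    report = per_class_metrics(CM, LABELS)
    print("overall accuracy:", round(overall_accuracy(CM), 4))
    for name, m in report.items():
        print(name, {k: round(v, 4) for k, v in m.items()})
    print("macro recall:", round(macro_average(report, "recall"), 4))
    # Constructed classifier scores for one class against the rest.
    print("AUC:", round(roc_auc([0.9, 0.8, 0.4, 0.7, 0.3, 0.2, 0.1],
                                [1, 1, 1, 0, 0, 0, 0]), 4))
```

In this constructed matrix the MITM class has a one-vs-rest accuracy of 0.985 but a recall of only 0.80, which is why recall and F1 are read per class for minority attack types rather than relying on accuracy alone.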

3.5. Machine Learning Models Used for Cyberattack Detection

Cyberattack detection was performed on a dataset generated in a physical SCADA test environment in this study. In this context, different machine learning algorithms were prepared and applied to a dataset divided into three parts (training, validation, and testing). Data preprocessing steps were used, and experimental analyses were conducted to ensure higher success rates for the developed models. Within the scope of the study, a test environment was established to enhance the cybersecurity of the SCADA system, a unique dataset was created, and a novel approach was presented.

3.5.1. Analyze the Appropriate Dataset Configuration

This section discusses the steps involved in creating a data set structure suitable for the analysis process and designing the most appropriate machine learning models for this data set. Figure 5 presents a summary flow of the process described in this section. Various preprocessing techniques were applied to make the dataset suitable for analysis and modeling. The dataset was transformed into a 26-attribute dataset by applying six commonly used basic preprocessing steps from the literature: removing highly missing attributes [37,38,39], removing duplicate records [40,41], filling in missing data [42,43], converting labels to numerical form [44], correlation simplification [45], and Min-Max scaling [46]. During the preprocessing stage, attributes with a high proportion of missing values (e.g., Byte Address (PLC), Profinet DCP ServiceID, StandardGateway, etc.) and attributes with high correlation were removed from the dataset to improve data quality.
During the process of filling in data with a low percentage of missing values, attributes containing missing values but requiring preservation (e.g., Source Port, Destination Port, and Sequence Number) were identified. Due to the presence of extreme values in these attributes, the missing values were filled using the median method, which more accurately reflects the center of the distribution.
Normalization was applied to all attributes in the dataset. The cleaned dataset obtained after the preprocessing steps was divided into three subsets with a 70% training, 15% validation, and 15% testing ratio, in accordance with a widely adopted approach in the literature [47]. Care was taken to ensure a balanced distribution of all attack types and normal traffic samples in each subset, thus preserving class representation and allowing the model to be trained, validated, and finally tested on a dataset of 116,043 lines. This study adopted a packet-based IDS approach and aimed to have the model learn statistical patterns based on packet characteristics.
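The six preprocessing steps and the stratified 70/15/15 split described above, as an added Python example (not the study's MATLAB code) run on constructed packet records. The 50% missing-value threshold, the 0.95 correlation limit, the integer label codes and the columns Length and CapturedLength are assumptions; the paper does not state its thresholds.

```python
import random
from collections import defaultdict
from statistics import median

FEATURES = ["Length", "CapturedLength", "Source Port", "Sequence Number", "StandardGateway"]

def make_rows():
    """Constructed packet records (not the paper's data); None marks a missing value."""
    plan = [("Normal", 40, 120), ("ARP Spoofing", 20, 60),
            ("TCP SYN Flood", 60, 60), ("Command Injection", 40, 200)]
    rows, i = [], 0
    for label, count, base_len in plan:
        for _ in range(count):
            length = base_len + (i * 7) % 31
            rows.append({
                "Length": length,
                "CapturedLength": length,                        # redundant copy of Length
                "Source Port": None if i % 9 == 0 else 49152 + (i * 37) % 1000,
                "Sequence Number": None if i % 7 == 0 else (i * 2654435761) % 2**32,
                "StandardGateway": 1 if i % 10 == 0 else None,   # about 90% missing
                "Label": label,
            })
            i += 1
    return rows + [dict(r) for r in rows[:10]]                   # ten exact duplicates

def drop_sparse(rows, features, max_missing=0.5):
    """Step 1: keep only attributes whose missing fraction is at most max_missing."""
    return [f for f in features
            if sum(r[f] is None for r in rows) / len(rows) <= max_missing]

def deduplicate(rows, features):
    """Step 2: keep the first copy of each identical record."""
    seen, unique = set(), []
    for r in rows:
        key = tuple(r[f] for f in features) + (r["Label"],)
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique

def fill_median(X):
    """Step 3: replace missing values with the column median (robust to extreme values)."""
    for j in range(len(X[0])):
        med = median(r[j] for r in X if r[j] is not None)
        for r in X:
            if r[j] is None:
                r[j] = med

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var = sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)
    return cov / var ** 0.5 if var else 0.0

def prune_correlated(X, names, limit=0.95):
    """Step 5: drop an attribute that is highly correlated with one already kept."""
    kept = []
    for j in range(len(names)):
        col = [r[j] for r in X]
        if all(abs(pearson(col, [r[k] for r in X])) < limit for k in kept):
            kept.append(j)
    return [[r[j] for j in kept] for r in X], [names[j] for j in kept]

def min_max(X):
    """Step 6: scale every attribute to the range [0, 1]."""
    for j in range(len(X[0])):
        lo, hi = min(r[j] for r in X), max(r[j] for r in X)
        for r in X:
            r[j] = (r[j] - lo) / (hi - lo) if hi > lo else 0.0

def preprocess(rows):
    names = drop_sparse(rows, FEATURES)
    rows = deduplicate(rows, names)
    X = [[r[f] for f in names] for r in rows]
    fill_median(X)
    classes = sorted({r["Label"] for r in rows})      # step 4: labels to integer codes
    y = [classes.index(r["Label"]) for r in rows]
    X, names = prune_correlated(X, names)
    min_max(X)
    return X, y, names, classes

def stratified_split(y, seed=0, train=0.70, val=0.15):
    """Split row indices 70/15/15 per class so each subset keeps the class proportions."""
    rng = random.Random(seed)
    by_class = defaultdict(list)
    for i, label in enumerate(y):
        by_class[label].append(i)
    parts = ([], [], [])
    for idx in by_class.values():
        rng.shuffle(idx)
        a = round(len(idx) * train)
        b = a + round(len(idx) * val)
        for part, chunk in zip(parts, (idx[:a], idx[a:b], idx[b:])):
            part.extend(chunk)
    return parts

if __name__ == "__main__":
    X, y, names, classes = preprocess(make_rows())
    tr, va, te = stratified_split(y)
    print(names, len(tr), len(va), len(te))
```

The example follows the order given in the text, where scaling precedes the split. Computing the medians and min-max bounds on the training subset only, and applying them to validation and test, keeps held-out statistics out of training.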

3.5.2. Applied Classification Models

This section discusses machine learning-based classification algorithms and hybrid models that combine these algorithms. Information on the basic architecture and parameters of the models used is also provided.
KNN Model
This model is a supervised and non-parametric learning method used in both classification and regression problems. This algorithm is based on the “k” nearest neighbors in the training dataset to classify or predict a new instance. In classification, neighbors are assigned classes based on majority vote, while in regression, predictions are made based on the average value of the neighbors [48]. Figure 6 shows the basic working principle of the KNN model.
In the model, NumNeighbors (k) was tested from 1 to 21, and the optimal value was used together with the Euclidean distance metric. The KNN model was trained on the training data with these parameters, and class-based accuracy, precision, recall, specificity, and F1-score metrics were calculated on the training, validation, and test datasets. Additionally, the model performance was validated using 10-fold stratified cross-validation.
NB Model
Naive Bayes models are classification algorithms based on a probabilistic approach, rooted in Bayes’ theorem. This method calculates various probabilities by considering the frequencies and value combinations of features in the dataset. The likelihood of observations occurring is evaluated for each class, and the classification process is performed by assuming that the observation belongs to the class with the highest probability [50]. Figure 7 illustrates the data points for each class clustered together, with the curved decision boundaries indicating which class is probabilistically dominant in the relevant region.
The model was implemented as a Gaussian Naive Bayes classifier. The NB model was trained on the training data with this setting, and class-based accuracy, precision, recall, specificity, and F1-score metrics were calculated on the training, validation, and test datasets.
DT Model
A decision tree is a model in the form of a tree structure that branches out from a starting point called the root node and establishes a hierarchical relationship between variables [51]. As seen in Figure 8, a decision tree asks a question and divides the tree into sub-branches based on the answer (“Yes”/“No”).
The model was implemented using the Gini Index criterion. The DT model was trained on the training data using this parameter, and metrics such as class-based accuracy, precision, recall, specificity, and F1-score were calculated on the training, validation, and test datasets.
LR Model
The maximum likelihood method is commonly used for estimation in logistic regression models. This method aims to determine the parameter values that maximize the likelihood of the observed data occurring. For this, the likelihood function is defined, and the parameters are estimated as the values that maximize this function [53]. Figure 9 illustrates the sigmoid (S-curve) function, which describes the classification process of the logistic regression model.
The Logistic Regression model was implemented using the Maximum Likelihood Estimate (MLE) method for parameter estimation, and the One-vs-Rest (OvR) strategy was used for multiclass data. The model was trained using these methods on the training data, and class-based accuracy, precision, recall, specificity, and F1-score metrics were calculated on the training, validation, and test datasets.
KNN-NB Hybrid Model
The hybrid combination of the Naive Bayes and K-Nearest Neighbor algorithms provides a balanced and complementary classification approach by combining the high speed and generalization capabilities of Naive Bayes with the instance-based, strong local classification abilities of the KNN algorithm. NB and KNN algorithms exhibit complementary characteristics due to their respective properties of low and high variance. In the literature, the most commonly preferred methods for the hybrid use of NB and KNN algorithms are voting and stacking-based approaches [54,55]. In this study, a hybrid classification model was designed that combines both algorithms, and the resulting prediction outcomes were integrated using a voting-based ensemble method.
In this study, a Naive Bayes model was implemented with a kernel distribution, and a KNN model was implemented with a hyperparameter of the number of neighbors (NumNeighbors). The predictions of both models were combined using a voting-based hybrid method, and the model was evaluated using class-based accuracy, precision, recall, specificity, and F1-score metrics on training, validation, and test datasets.
DT-LR Hybrid Model
In this hybrid model, the DT and LR algorithms are combined as a stacking-based hybrid model for a dataset with class imbalance and complex patterns. Decision trees strongly separate classes by dividing data according to rules, while logistic regression performs more precise and generalizable classifications on these separated structures. The aim is to increase the recognition rate of minority classes, reduce the risk of overfitting, and improve the model’s generalization performance with this hybrid model.
In the model, DT was used as the base learner, and its predictions were added to the training, validation, and test datasets to produce final predictions on the LR meta learner. The DT model uses the Gini criterion to separate classes and is trained with hyperparameters such as leaf size and maximum number of splits. The LR model is implemented with L2 regularization (ridge) and trained with an appropriate regularization coefficient. The model was trained on the training data using these methods, and metrics such as class-based accuracy, precision, recall, specificity, and F1-score were calculated on the training, validation, and test datasets. Additionally, performance was validated using 10-fold stratified cross-validation.
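The stacking arrangement described above, as an added Python example (not the study's MATLAB implementation): a Gini decision tree is the base learner, and its prediction is appended to each row before a one-vs-rest, L2-regularized logistic regression makes the final decision. The two constructed features, the one-hot encoding of the tree's prediction, the depth limit used in place of a maximum number of splits, and all hyperparameter values are assumptions.

```python
import math
import random
from collections import Counter

def make_packets(n_per_class, seed):
    """Constructed samples, already min-max scaled: [packet length, packet rate]."""
    centers = {"Normal": (0.5, 0.1), "ARP Spoofing": (0.1, 0.1),
               "TCP SYN Flood": (0.1, 0.9), "Command Injection": (0.9, 0.5)}
    rng = random.Random(seed)
    X, y = [], []
    for label, (cx, cy) in centers.items():
        for _ in range(n_per_class):
            X.append([cx + rng.uniform(-0.08, 0.08), cy + rng.uniform(-0.08, 0.08)])
            y.append(label)
    return X, y

def gini(labels):
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())

def build_tree(X, y, depth=0, max_depth=4, min_leaf=5):
    """Base learner: binary tree grown greedily with the Gini criterion."""
    majority = Counter(y).most_common(1)[0][0]
    if depth == max_depth or len(set(y)) == 1:
        return majority
    best = None
    for f in range(len(X[0])):
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2                      # midpoint between neighbouring values
            left = [lab for row, lab in zip(X, y) if row[f] <= t]
            right = [lab for row, lab in zip(X, y) if row[f] > t]
            if min(len(left), len(right)) < min_leaf:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, t)
    if best is None:
        return majority
    _, f, t = best
    halves = []
    for side in (True, False):
        rows = [(r, lab) for r, lab in zip(X, y) if (r[f] <= t) == side]
        halves.append(build_tree([r for r, _ in rows], [lab for _, lab in rows],
                                 depth + 1, max_depth, min_leaf))
    return (f, t, halves[0], halves[1])

def tree_predict(node, row):
    while isinstance(node, tuple):                 # leaves are plain class labels
        f, t, left, right = node
        node = left if row[f] <= t else right
    return node

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

def linear(w, row):
    return w[0] + sum(a * b for a, b in zip(w[1:], row))

def train_lr_ovr(X, y, classes, lam=0.001, rate=0.5, epochs=200):
    """Meta learner: one-vs-rest logistic regression, gradient descent with an L2 penalty."""
    models, n = {}, len(X)
    for c in classes:
        w = [0.0] * (len(X[0]) + 1)                # w[0] is the bias, left unpenalised
        for _ in range(epochs):
            grad = [0.0] * len(w)
            for row, label in zip(X, y):
                err = sigmoid(linear(w, row)) - (label == c)
                grad[0] += err
                for j, v in enumerate(row, start=1):
                    grad[j] += err * v
            w = [w[0] - rate * grad[0] / n] + [
                wj - rate * (g / n + lam * wj) for wj, g in zip(w[1:], grad[1:])]
        models[c] = w
    return models

def lr_predict(models, row):
    return max(models, key=lambda c: linear(models[c], row))

def stack(tree, X, classes):
    """Append the tree's prediction to each row, one-hot encoded (assumed encoding)."""
    return [row + [1.0 if tree_predict(tree, row) == c else 0.0 for c in classes]
            for row in X]

def accuracy(pred, truth):
    return sum(p == t for p, t in zip(pred, truth)) / len(truth)

def run():
    X_train, y_train = make_packets(40, seed=1)
    X_test, y_test = make_packets(15, seed=2)
    classes = sorted(set(y_train))
    tree = build_tree(X_train, y_train)
    meta = train_lr_ovr(stack(tree, X_train, classes), y_train, classes)
    dt_acc = accuracy([tree_predict(tree, r) for r in X_test], y_test)
    stacked = [lr_predict(meta, r) for r in stack(tree, X_test, classes)]
    return dt_acc, accuracy(stacked, y_test)

if __name__ == "__main__":
    print("DT alone, DT-LR stacked:", run())
```

As in the description, the meta learner here sees the tree's predictions on the same rows the tree was trained on; a common variant generates the training-set predictions out of fold so the meta learner does not inherit an optimistic view of the base learner.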
KNN-NB-DT Hybrid Model
The KNN-NB-DT hybrid model used in this study benefits from the complementary features of these algorithms. While DT performs preliminary analysis by categorizing data, NB estimates overall probabilities, and KNN makes sample-based local decisions. Through this combination, the aim is to improve classification performance by capturing both general trends and detailed patterns.
In this hybrid model, Decision Tree (DT), K-Nearest Neighbor (KNN), and Naive Bayes (NB) algorithms are combined, and the predictions of each algorithm are integrated using a majority voting method. The number of neighbors for KNN and the kernel for NB are the basic hyperparameters. The model is trained on training data, and class-based accuracy, precision, recall, specificity, and F1-score metrics are calculated on validation and test datasets.

4. Experimental Results and Analysis

In this section, the analysis results of the proposed machine learning models are examined in detail. The performance of the models was evaluated based on metrics such as accuracy, precision, recall, specificity, F1 score, ROC AUC, and prediction times. The classification successes of the models were analyzed comparatively. Additionally, statistical data on network traffic recorded during the implementation of attack and normal state scenarios are presented in Table 3. These data revealed the representation of sample records in the datasets used for model analysis.

4.1. Experimental Results

Basic statistical information regarding network traffic for attack and normal state scenarios is given in Table 3. The heaviest traffic is attributed to the TCP SYN Flood attack, with a total of 57,472 packets. This is followed by ARP Spoofing, command injection, and normal state scenarios, in that order. In terms of total packet size, the attack scenarios generally generated more data than regular traffic, creating a strain on system resources. Examining average packet sizes reveals that in certain types of attacks, the system is overloaded by shorter and lighter packets. In contrast, in other attacks, larger packets are used for direct intervention. Notably, the command injection attack type is distinguished by its high data generation in terms of both intensity and volume. The TCP SYN Flood scenario has the smallest average packet size at 60.03 bytes. This situation indicates that TCP SYN Flood attacks are carried out with short and intense packets. It has been observed that the volume of network traffic generated by the attacks is remarkably high.
In the study, classification analyses were performed using basic machine learning algorithms, such as KNN, NB, DT, and LR, as well as three different hybrid structures created by combining these models (KNN-NB, DT-LR, and KNN-NB-DT). The performance of each model was evaluated separately, and then the contribution of hybrid structures to attack detection was analyzed. During the analysis, cyberattack tests were performed while the system’s operation process was running in continuous mode. In this way, the success levels of both individual models and integrated structures have been comprehensively examined. The analysis results obtained are presented in Table 4. All model training and testing procedures used in the study were performed in the MATLAB environment on an HP laptop equipped with a Windows 10 operating system, an 11th Generation Intel(R) Core(TM) i7 2.80 GHz processor, 16 GB RAM, and 237 GB HDD hardware.
Table 4 evaluates the basic and hybrid classification models used across different performance metrics, providing a comprehensive comparison based on accuracy, precision, recall, specificity, F1 score, ROC-AUC values, and prediction times. The hybrid model of Decision Tree and Logistic Regression (DT-LR) showed the highest overall success among all models, with an accuracy rate of 98.29%. It also demonstrated stable performance in both imbalanced class structures and multi-class scenarios, achieving an F1 score of 96.41% and an AUC value of 99.8%.
Additionally, the fact that the DT-LR model produces high and balanced values not only in terms of overall accuracy but also in class-specific metrics makes it a reliable method for attack detection in critical infrastructures. In this respect, it has demonstrated both its resilience to imbalanced datasets and its versatility. In addition, the model’s low average prediction time indicates that the DT-LR hybrid structure offers not only high accuracy but also a time-efficient solution. The test metrics for the KNN-NB hybrid model are provided in Table 5. The lower accuracy of the KNN-NB hybrid model in some classes compared to single models can be explained by the combination method used and the imbalance of the data set.
The test results presented in Table 5 show that the accuracy drop observed in the KNN–NB hybrid model is not a general performance problem, but is concentrated in specific classes. Specifically, the model’s classification performance weakens in attack classes with relatively fewer examples, while consistent and high performance is maintained in other attack types and normal traffic classes. This situation reveals that the hybrid model’s overall accuracy value is affected by class-based performance differences.
For additional validation, the two highest-performing models, DT-LR and KNN, were evaluated using stratified 10-fold cross-validation (CV), which preserves class distribution.
Table 6 compares the one-time test accuracies of both models with the results of 10-fold cross-validation. The results show that the DT-LR hybrid model consistently provides higher accuracy compared to KNN. The low standard deviations confirm that the performance variability between folds is minimal and that the observed difference is not due to randomness. The class-based performance metrics of the DT–LR hybrid model, which showed the highest performance in this study, are presented in Table 7.
The relatively lower detection accuracy observed for Class 1 (MITM/ARP Spoofing) is primarily due to the limited number of examples belonging to this class and the class imbalance in the dataset. This makes it relatively difficult for the DT-LR model to distinguish this class from other classes. However, the model was generally able to successfully distinguish different attack types and demonstrated reliable performance with high discriminatory power in multi-class datasets.
The results show that the model achieves high success not only on the majority class but on all attack types, and class imbalance has no significant negative impact on the model’s performance.
The correct and incorrect classification distributions of the DT–LR hybrid model are shown in the confusion matrix given in Figure 10. The matrix reveals that the model correctly classifies all classes to a large extent and that the error rates are quite low. The achievement of high correct classification rates even in minority classes supports the model’s robustness against imbalanced data sets. These results confirm that the hybrid approach can effectively distinguish each attack type.
The DT-LR hybrid structure offers not only high accuracy but also a time-efficient solution. Figure 11 presents a class-based visual analysis of the training and validation metrics for the DT-LR model. When comparing the accuracy, precision, recall, specificity, and F1 score values calculated from the training and validation datasets, it is evident that the metrics for each class are quite close and that the validation performance largely mirrors the training performance. This situation reveals that the DT-LR hybrid model does not exhibit overfitting and has a high generalization ability. Graphical analyses have also supported the model’s effectiveness.

4.2. Discussion and Limitations

4.2.1. Discussion

Cyber threats to SCADA systems are typically categorized into two main types: external attacks and internal attacks. External attacks generally refer to cyberattacks carried out over external networks, typically targeting systems exposed to the internet. The focus of the study is attacks carried out over a local network on SCADA systems used in critical infrastructure. The main reason for this preference is that cyberattacks, especially in critical infrastructures that are not directly connected to the internet or have extremely limited connections to external networks, are primarily carried out through threat actors with physical access to the systems (such as DoS, MITM, and command injection) or through malware spread via portable media (e.g., USB drives). Among the most well-known examples of such scenarios are malware like Stuxnet, Duqu, and Flame. These software programs have caused serious damage by infiltrating systems without an external network connection through portable media [6,7,48]. Detecting internal attacks is more difficult than external attacks because the attacker often disguises themselves as an authorized user or can damage systems with the advantage of physical access. Therefore, the study focused particularly on monitoring local network traffic and detecting anomalous behavior. Early detection of such attacks is critical to preventing physical damage and service disruptions. In this context, one of the study’s contributions is the analysis of critical infrastructures through a realistic threat model, focusing on internal threats that are often overlooked but have a significantly high impact, in addition to external threats.
Although analysis was performed using the PROFINET protocol in this study, the applicability of the proposed approach to different industrial protocols can also be evaluated. The packet structure, security features, and data transmission mechanisms of each protocol differ. Therefore, direct application of the model may not be possible. However, with the availability of appropriate datasets for the relevant protocol, similar analytical approaches can be developed with the necessary protocol adaptations.
Figure 11 presents a class-by-class visual analysis of the training and validation metrics for the DT-LR model. Comparing the accuracy, precision, sensitivity, specificity, and F1-score values calculated from the training and validation datasets reveals that the metrics for each class are quite similar, and validation success largely follows training success. This demonstrates that the DT-LR hybrid model does not exhibit overfitting and has a high generalization ability. Therefore, the use of training and validation sets in Figure 11 was chosen to visually illustrate the model’s learning and generalization performance on a class-by-class basis. The model’s effectiveness was also confirmed through graphical analysis.
Additionally, the ring topology, which is commonly used in critical infrastructure and industrial facilities, was preferred in the study. Since the attacks carried out in this study were applied over the local network, they can be successfully executed in many cases regardless of the topology used. However, network topology can affect factors such as the spread of the attack, the number of nodes it involves, and the time it takes to be detected. Therefore, the impact of the same attacks can vary across different topologies. The analysis results of the proposed model, which achieved the highest success rate in the study, were compared with those of studies in the literature. The results obtained are presented in Table 8.
Accuracy rate is the first and most crucial parameter indicating how effective the proposed hybrid model is. A 98.29% accuracy rate places it among the most successful studies in the literature (97.8% in [59], 98.02% in [60], and 97% in [58]). This rate indicates that the proposed model produces extremely reliable results in critical areas such as cybersecurity or anomaly detection.
The accuracy column in Table 8 represents the model with the highest accuracy value among the models listed in the Algorithm column, i.e., the most successful model. The proposed study offers accuracy comparable to that of Deep Learning models, such as the LSTM in [60]. While LSTM has an accuracy rate of 98.02%, the proposed model surpasses this with 98.29%. Generally, traditional machine learning models like Decision Trees and Logistic Regression (even in hybrid form) require significantly less training time and processing power (CPU/GPU) compared to large-scale and highly complex Deep Learning models (such as LSTM). This indicates that the proposed model is a more practical and efficient solution for real-time applications and resource-constrained environments (IoT devices or small servers).
The proposed DT-LR hybrid approach stands out as one of the most advanced in the literature, achieving an accuracy rate of 98.29%. The fact that it outperforms high-computational-cost deep learning models, such as Long Short-Term Memory (LSTM), by a significant margin (98.02%) and surpasses simple ensemble learning approaches (90%) demonstrates that it offers a balanced and superior solution, combining high accuracy with low resource requirements. This study focuses on the detection of DoS, MITM, and command injection attacks performed in a physical test environment using SCADA systems. Machine learning-based methods were utilized in the study. In previous research, attacks have been studied using both pre-existing datasets and datasets created by researchers. Studies that set up their own test environment and create original datasets for analysis are more limited. Both approaches have been included and evaluated in this review. As shown in Table 8, various algorithms were applied to different datasets for detecting attacks on SCADA systems. Since each dataset contains unique characteristics, evaluations should be made within their own context.
Research in the literature has found that machine learning-based methods have an average success rate of over 90% in detecting attacks in SCADA systems. As a result of the analyses conducted in this study, the DT-LR hybrid model, developed using machine learning techniques, achieved a success rate of 98.29%. After examining existing research, promising models have been developed by establishing a suitable test platform, utilizing relevant technologies, and meticulously preparing dataset features. However, directly comparing the performance of models with the results of studies using different datasets does not provide an accurate assessment of their performance. Therefore, each model should be evaluated within the context of its own dataset and testing environment. It has been determined that the proposed model exhibits either superior or highly similar performance compared to existing models in the literature. Considering the increasing diversity and complexity of attack types, conducting additional analyses in different test environments is of great importance, and this study has achieved this goal. In this regard, the need to regularly update and diversify attack detection studies for SCADA systems has emerged.

4.2.2. Limitations

This study was conducted in accordance with the PROFINET protocol. Direct generalizability is limited for different industrial protocols; separate data collection and analysis processes are required for its applicability in these protocols.
Additionally, the study addresses three types of cyberattacks against SCADA systems (DoS, MITM, and Command Injection). These types of attacks were preferred because they apply to the PROFINET protocol. Other types of attacks are excluded. Therefore, the model’s effectiveness on different types of attacks should be evaluated separately.

5. Conclusions and Suggestions

The safe and uninterrupted operation of critical infrastructure depends heavily on the stable and sustainable functioning of SCADA systems. Cyberattacks on these systems can cause disruptions in control and monitoring functions, leading to serious operational interruptions and economic losses. The various attack scenarios conducted within the scope of the study have revealed the vulnerability of SCADA systems to such threats. Thanks to the proposed detection methods, it is possible to identify attacks at an early stage, aiming to prevent potential systemic disruptions and strengthen infrastructure security.
In this study, various cyberattack scenarios were implemented on a test environment structured similarly to a SCADA system, with network traffic data from both attack moments and normal operating conditions being systematically recorded. The obtained data were made suitable for analysis by undergoing the necessary preprocessing steps. The performance of seven different machine learning algorithms was compared on the generated dataset. Based on the evaluations, the DT-LR hybrid model, created by combining the Decision Tree (DT) and Logistic Regression (LR) algorithms, showed the highest success with an accuracy rate of 98.29%. This result demonstrates that the proposed method offers a practical and reliable approach to detecting cyberattacks against SCADA systems.
The impact of cybersecurity threats on industrial control systems is escalating daily, underscoring the need to develop effective attack detection and prevention methods for SCADA systems. This study, conducted in this direction, serves as a guide for future research. In future studies, it is recommended that the SCADA test environment be made more comprehensive and multi-protocol. Although only the Profinet protocol was used in the current study, the performance of intrusion detection systems against different communication structures can be evaluated by integrating various industrial protocols, such as DNP3 and Modbus TCP, into the environment.
Additionally, by incorporating analog signals into the test environment, studies on attack and anomaly detection based on continuously changing physical quantities, such as temperature, pressure, and level, can be conducted more comprehensively. In future studies, the integration of analog data alongside digital data, along with control elements such as timers and counters, will enhance the comprehensiveness of intrusion detection systems. Increasing the diversity of attacks is another critical area of development. Within the scope of this study, DoS, MITM, and command injection attacks were performed; however, a more comprehensive security assessment will be possible in future studies with the addition of different attack scenarios. Finally, in addition to the machine learning algorithms used in this study, deep learning approaches, artificial neural networks, and the diversification of detection systems with different hybrid model structures can be targeted. Future goals include achieving higher performance than studies in the literature by applying different protocols, attack scenarios, and detection models to a more comprehensive test environment, and making unique contributions to the security of SCADA systems.

Author Contributions

Conceptualization, M.A.Ö.; Research Design and Methodology, M.A.Ö. and S.V.; Data Collection, M.A.Ö.; Model Development and Implementation, M.A.Ö. and S.V.; Experimentation, M.A.Ö., S.V. and Ş.D.; Formal Analysis, M.A.Ö., S.V. and Ş.D.; Writing—Original Draft Preparation, M.A.Ö., S.V. and Ş.D.; Writing—Review and Editing, M.A.Ö., S.V. and Ş.D.; Supervision and Academic Guidance, Ş.D.; Project Administration, Ş.D.; Technical Consultation and Algorithm Improvement, M.A.Ö., S.V. and Ş.D.; Model Validation and Performance Evaluation, M.A.Ö., S.V. and Ş.D.; Literature Review, M.A.Ö. and Ş.D.; Experimental Environment Setup, M.A.Ö.; Data Preprocessing Support, M.A.Ö.; Reproducibility Verification and Technical Validation, M.A.Ö., S.V. and Ş.D. All authors have read and agreed to the published version of the manuscript.

Funding

This publication was made possible by NPRP12C-33905-SP-220 from the Qatar National Research Fund (a member of Qatar Foundation). The statements made herein are solely the responsibility of the authors.

Informed Consent Statement

All authors give consent for the publication of identifiable details, which can include photograph(s) and/or videos and/or case history and/or details within the text to be published in the above journal and article.

Data Availability Statement

The data that support the findings of this study are available from the corresponding author, Prof. Dr. Demirbas, upon reasonable request.

Conflicts of Interest

Author Mehmet Akif Özgül was employed by the company The Electricity Generation Corporation. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:

| Abbreviation | Definition |
|---|---|
| ANN | Artificial Neural Network |
| ARP | Address Resolution Protocol |
| AUC | Area Under the Curve |
| IT | Information Technology |
| CART | Classification and Regression Trees |
| DDoS | Distributed Denial of Service |
| DHCP | Dynamic Host Configuration Protocol |
| DNP3 | Distributed Network Protocol Version 3.0 |
| DNS | Domain Name System |
| DoS | Denial of Service |
| DT | Decision Tree |
| ICS | Industrial Control Systems |
| FNN | Feedforward Neural Network |
| FPR | False Positive Rate |
| GNB | Gaussian Naive Bayes |
| HPP | Hydroelectric Power Plant |
| HMI | Human Machine Interface |
| ICMP | Internet Control Message Protocol |
| ID3 | Iterative Dichotomizer 3 |
| IEEE | Institute of Electrical and Electronics Engineers |
| IP | Internet Protocol |
| KNN | K-Nearest Neighbors |
| LAN | Local Area Network |
| LR | Logistic Regression |
| LSTM | Long Short-Term Memory |
| MAC | Media Access Control |
| MCU | Master Central Unit |
| MITM | Man in the Middle |
| NB | Naive Bayes |
| PI | Profibus International |
| PLC | Programmable Logic Controller |
| PROFINET | Process Field Network |
| RF | Random Forest |
| RILS | Recursively Iterated Least Squares |
| ROC | Receiver Operating Characteristic |
| SCADA | Supervisory Control and Data Acquisition |
| SVM | Support Vector Machine |
| SVMSMOTE | Support Vector Machine Synthetic Minority Over-sampling Technique |
| SWaT | Secure Water Testbed |
| SYN | Synchronize |
| TCP | Transmission Control Protocol |
| TIA | Totally Integrated Automation |
| UDP | User Datagram Protocol |
| RTU | Remote Terminal Unit |
| VPN | Virtual Private Network |
| WPA | Wi-Fi Protected Access |
| WPA2 | Wi-Fi Protected Access 2 |

References

  1. Reid, R.; Van Niekerk, J. From information security to cyber security cultures. In Proceedings of the Information Security for South Africa, Johannesburg, South Africa, 13–14 August 2014; pp. 1–7.
  2. Srinivas, J.; Das, A.K.; Kumar, N. Government regulations in cyber security: Framework, standards and recommendations. Future Gener. Comput. Syst. 2019, 92, 178–188.
  3. Sağıroğlu, Ş. Cybersecurity and Defense Book Series-Cybersecurity Ontology, Threats, and Solutions, 1st ed.; Nobel Academic Publishing: Ankara, Türkiye, 2021.
  4. Irmak, E.; Erkek, İ. Endüstriyel Kontrol Sistemleri ve SCADA Uygulamalarının Siber Güvenliği: Modbus TCP Protokolü Örneği. Gazi Üniversitesi Fen Bilim. Derg. Part C Tasarım Ve Teknol. 2018, 6, 1–16.
  5. Dai, Y.; Lin, C.; Xie, Y.; Qin, G. Design and Implementation of Curriculum Resource Library System Based on Information Technology. In Proceedings of the 3rd International Conference on Artificial Intelligence and Computer Information Technology (AICIT), Yichang, China, 20–22 September 2024; pp. 1–5.
  6. Yohanandhan, R.V.; Elavarasan, R.M.; Manoharan, P.; Mihet-Popa, L. Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis With Cyber Security Applications. IEEE Access 2020, 8, 151019–151064.
  7. Stuxnet Report. Available online: https://www.researchcollection.ethz.ch/bitstream/handle/20.500.11850/200661/Cyber-Reports-2017-04.pdf (accessed on 22 July 2025).
  8. Musleh, A.S.; Chen, G.; Dong, Z.Y. A Survey on the Detection Algorithms for False Data Injection Attacks in Smart Grids. IEEE Trans. Smart Grid 2019, 11, 2218–2234.
  9. Özbilen, A. Security and Solution Proposals in TCP/IP-Based Distributed Industrial Control Systems. Ph.D. Thesis, Gazi University Institute of Science, Ankara, Türkiye, 2012.
  10. Söğüt, E.; Erdem, O.A. Cyber terror attack analysis for industrial control systems (scada). J. Polytech. 2020, 23, 557–566.
  11. Sotirov, A.; Stevens, M.; Appelbaum, J.; Lenstra, A.; Molnar, D.; Osvik, D.A.; de Weger, B. MD5 considered harmful today—Creating a rogue CA certificate. In Proceedings of the 25th Chaos Communications Congress, Berlin, Germany, 30 December 2008; Available online: https://infoscience.epfl.ch/server/api/core/bitstreams/923a78fb-16f4-4f1c-83ba-04143c2df8f9/content (accessed on 16 December 2025).
  12. Yağmur, E. Detection of Distributed Denial-of-Service Attacks in SCADA Systems Using Deep Learning and Machine Learning Methods. Master’s Thesis, Graduate School, Konya Technical University, Konya, Türkiye, 2023.
  13. Niemann, K.-H. IT security extensions for PROFINET. In Proceedings of the IEEE 17th International Conference on Industrial Informatics (INDIN), Helsinki, Finland, 22–25 July 2019; pp. 407–412.
  14. Imanto, T.; Adriansyah, A. Performance analysis of PROFINET network in PLC-based automation system. In Proceedings of the 2nd International Conference on Broadband Communications, Wireless Sensors and Powering (BCWSP), Yogyakarta, Indonesia, 28–30 September 2020; pp. 47–52.
  15. Pfrang, S.; Meier, D. On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO. In Proceedings of the ICISSP, Porto, Portugal, 19–21 February 2017; pp. 683–693.
  16. Walz, A.; Niemann, K.H.; Göppert, J.; Fischer, K.; Merklin, S.; Ziegler, D.; Sikora, A. PROFINET Security: A Look on Selected Concepts for Secure Communication in the Automation Domain. In Proceedings of the 21st International Conference on Industrial Informatics (INDIN), Lemgo, Germany, 17–20 July 2023; pp. 1–6.
  17. Akpınar, K.O. Rule and Machine Learning-Based Attack and Anomaly Detection in an Ethercat-Based SCADA System. Ph.D. Thesis, Sakarya University Institute of Science, Sakarya, Turkey, 2019.
  18. Meshram, A.; Karch, M.; Haas, C.; Beyerer, J. Poet: A self-learning framework for profinet industrial operations behaviour. In Proceedings of the International Conference on Testbeds and Research Infrastructures, Melbourne, Australia, 23–25 November 2022; pp. 3–19.
  19. Akerberg, J.; Bjorkman, M. Exploring security in PROFINET IO. In Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference, Seattle, WA, USA, 20–24 July 2009; pp. 406–412.
  20. Information Technology Laboratory. National Vulnerability Database. Available online: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=profinet&search_type=all&isCpeNameSearch=false (accessed on 22 July 2025).
  21. Paul, A.; Schuster, F.; König, H. Towards the Protection of Industrial Control Systems–Conclusions of a Vulnerability Analysis of Profinet IO. In Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in Computer Science, Berlin, Germany, 18–19 July 2013; Volume 7967, pp. 160–176.
  22. Hatipoğlu, C.; Tunacan, T. Türkiye’de Siber Saldırı ve Tespit Yöntemleri: Bir Literatür Taraması. Bilecik Şeyh Edebali Univ. J. Nat. Sci. 2021, 8, 430–445.
  23. Mijwil, M.M.; Sadıkoğlu, E.; Cengiz, E.; Candan, H. The role and importance of artificial intelligence in cybersecurity: A review. Data Sci. 2022, 5, 97–105.
  24. Kalech, M. Cyber-attack detection in SCADA systems using temporal pattern recognition techniques. Comput. Secur. 2019, 84, 225–238.
  25. Kravchik, M.; Shabtai, A. Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks. In Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and Privacy, Toronto, ON, Canada, 15–19 October 2018; ACM: New York, NY, USA, 2018; pp. 72–83.
  26. Alhaidari, F.A.; AL-Dahasi, E.M. New Approach to Determine DDoS Attack Patterns on SCADA System Using Machine Learning. In Proceedings of the International Conference on Computer and Information Sciences (ICCIS), Sakaka, Saudi Arabia, 3–4 April 2019; pp. 1–6.
  27. Teixeira, M.; Salman, T.; Zolanvari, M.; Jain, R.; Meskin, N.; Samaka, M. SCADA System Testbed for Cybersecurity Research Using Machine Learning Approach. Future Internet 2018, 10, 76–86.
  28. Hindy, H.; Brosset, D.; Bayne, E.; Seeam, A.; Bellekens, X. Improving SIEM for critical SCADA water infrastructures using machine learning. In Proceedings of the 2nd International Workshop on Security and Privacy Requirements Engineering, Barcelona, Spain, 6–7 September 2018; pp. 3–19.
  29. Maglaras, L.A.; Jiang, J. Intrusion detection in SCADA systems using machine learning techniques. In Proceedings of the 2014 Science and Information Conference, London, UK, 27–29 August 2014; pp. 626–631.
  30. Perez, R.L.; Adamsky, F.; Soua, R.; Engel, T. Machine Learning for Reliable Network Attack Detection in SCADA Systems. In Proceedings of the 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), New York, NY, USA, 1–3 August 2018; pp. 633–638.
  31. Grammatikis, P.R.; Sarigiannidis, P.; Efstathopoulos, G.; Karypidis, P.-A.; Sarigiannidis, A. DIDEROT: An intrusion detection and prevention system for DNP3-based SCADA systems. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event Ireland, 25–28 August 2020; ACM: New York, NY, USA, 2020; pp. 1–8.
  32. Beaver, J.M.; Borges-Hink, R.C.; Buckner, M.A. An Evaluation of Machine Learning Methods to Detect Malicious SCADA Communications. In Proceedings of the 2013 12th International Conference on Machine Learning and Applications, Miami, FL, USA, 4–7 December 2013; pp. 54–59.
  33. Candell, R.; Zimmerman, T.A.; Stouffer, K.A. An Industrial Control System Cybersecurity Performance Testbed. Natl. Inst. Stand. Technol. 2015, 8089, 1–55.
  34. Sestito, G.S.; Turcato, A.C.; Dias, A.L.; Rocha, M.S.; da Silva, M.M.M.; Ferrari, P.; Brandao, D. A Method for Anomalies Detection in Real-Time Ethernet Data Traffic Applied to PROFINET. IEEE Trans. Ind. Informatics 2017, 14, 2171–2180.
  35. Marsland, S. Chapman and Hall/CRC Machine Learning & Pattern Recognition Series Machine Learning: An Algorithmic Perspective, 2nd ed.; Taylor & Francis Group, LLC: Boca Raton, FL, USA, 2011.
  36. White, N.; Parsons, R.; Collins, G.; Barnett, A. Evidence of questionable research practices in clinical prediction models. BMC Med. 2023, 21, 339–352.
  37. Barca, E.; Guagliardi, I.; Caloiero, T. A methodological approach for filling the gap in extreme daily temperature data: An application in the Calabria region (Southern Italy). Theor. Appl. Clim. 2024, 155, 7447–7461.
  38. Emmanuel, T.; Maupong, T.; Mpoeleng, D.; Semong, T.; Mphago, B.; Tabona, O. A survey on missing data in machine learning. J. Big Data 2021, 8, 140–152.
  39. Boros, K.; Kmetty, Z. Identifying missing data handling methods with text mining. Int. J. Data Sci. Anal. 2024, 20, 2079–2091.
  40. Selvi, P. An analysis of the removal of duplicate records using different types of data mining techniques: A survey. Int. J. Comput. Sci. Mob. Comput. 2017, 6, 38–42.
  41. Christen, M.; Gordijn, B.; Loi, E.M. The International Library of Ethics, Law and Technology; Springer International Publishing: Cham, Switzerland, 2020; Volume 21, pp. 157–177.
  42. Ağaçdoğrayan, E. Missing Data Imputation Ve Temel Çözümler. 2021. Available online: https://ecemagacdograyan.medium.com/missing-data-imputation-ve-temel-%C3%A7%C3%B6z%C3%BCmler-7822d6b8f653 (accessed on 1 April 2025).
  43. Kwak, S.K.; Kim, J.H. Statistical data preparation: Management of missing values and outliers. Korean J. Anesthesiol. 2017, 70, 407–411.
  44. Bolikulov, F.; Nasimov, R.; Rashidov, A.; Akhmedov, F.; Cho, Y.-I. Effective Methods of Categorical Data Encoding for Artificial Intelligence Algorithms. Mathematics 2024, 12, 2553.
  45. Lyu, Y.; Feng, Y.; Sakurai, K. A Survey on Feature Selection Techniques Based on Filtering Methods for Cyber Attack Detection. Information 2023, 14, 191.
  46. Amorim, L.B.V.; Cavalcanti, G.D.C.; Cruz, R.M.O. The choice of scaling technique matters for classification performance. Appl. Soft Comput. 2022, 133, 12343.
  47. Titiz, F. Prediction and Comparative Analysis of Mechanical Properties of Rubber Compounds Using Artificial Intelligence Techniques. Master’s Thesis, Sakarya University Institute of Science, Sakarya, Turkey, 2023.
  48. Keleş, M.B.; Keleş, A. Predicting flight prices using machine learning methods. Euroasia J. Math. Eng. Nat. Med. Sci. 2020, 7, 72–78.
  49. Zhu, L.; Spachos, P.; Pensini, E.; Plataniotis, K. Deep Learning and Machine Vision for Food Processing: A Survey. Curr. Res. Food Sci. 2021, 4, 233–249.
  50. Tuncel, F.; Mumcu, B.; Tanberk, S. A Chatbot for Preliminary Patient Guidance System. In Proceedings of the 2021 29th Signal Processing and Communications Applications Conference (SIU), Istanbul, Turkey, 9–11 June 2021; pp. 1–4.
  51. Aytekin, Ç. Text Classification Via Decision Trees Algorithm: Customer Comments Case. J. Int. Soc. Res. 2018, 11, 782–792.
  52. Bishop, C.M.; Nasrabadi, N.M. Pattern Recognition and Machine Learning, 1st ed.; Springer: New York, NY, USA, 2006; p. 738.
  53. Ocakoğlu, G. Comparison of Classification Properties of Logistic Regression Analysis and Artificial Neural Networks Techniques and an Application. Master’s Thesis, Bursa Uludağ University Institute of Health Sciences, Bursa, Turkey, 2006.
  54. Ahuja, R.; Sharma, S.C. Stacking and voting ensemble methods fusion to evaluate instructor performance in higher education. Int. J. Inf. Technol. 2021, 13, 1721–1731.
  55. Bencsáth, B.; Pék, G.; Buttyán, L.; Félegyházi, M. The Cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet 2012, 4, 971–1003.
  56. Oyucu, S.; Polat, O.; Türkoğlu, M.; Polat, H.; Aksöz, A.; Ağdaş, M.T. Ensemble Learning Framework for DDoS Detection in SDN-Based SCADA Systems. Sensors 2023, 24, 155.
  57. Panthi, M. Identification of Disturbances in Power System and DDoS Attacks using Machine Learning. IOP Conf. Ser. Mater. Sci. Eng. 2021, 1022, 012096.
  58. Khan, A.Z.; Serpen, G. Intrusion detection and identification system design and performance evaluation for industrial SCADA networks. Inf. Comput. Secur. 2020, 1–24.
  59. Ma, X.; Almutairi, L.; Alwakeel, A.M.; Alhameed, M.H. Cyber Physical System for Distributed Network Using DoS Based Hierarchical Bayesian Network. J. Grid Comput. 2023, 21, 27.
  60. Jaradat, S.; Komol, M.M.; Elhenawy, M.; Dong, N. Cyber attack detection on SWaT Plant industrial control systems using machine learning. Artif. Intell. Auton. Syst. 2024, 1, 0006.
  61. Yalçın, N.; Çakır, S.; Ünaldı, S. Attack Detection Using Artificial Intelligence Methods for SCADA Security. IEEE Internet Things J. 2024, 11, 39550–39559.

Figure 1. Main components of the SCADA system.

Figure 2. Usage rates of SCADA communication protocols.

Figure 3. Architectural structure of the test environment.

Figure 4. A sample image of the network traffic monitoring process.

Figure 5. Data preparation and modeling process.

Figure 6. Basic working principle of the KNN model [49].

Figure 7. Basic working principle of the Naïve Bayes algorithm.

Figure 8. Decision tree learning process [52].

Figure 9. The basic working principle of logistic regression.

Figure 10. DT-LR hybrid model confusion matrix.

Figure 11. Class-based visual analysis of training and validation metrics for the DT-LR model (Class 0: Normal traffic, Class 1: MITM/ARP Spoofing, Class 2: DoS/TCP SYN Flood, Class 3: Command Injection).

Table 1. Features and descriptions are defined for the dataset.

| No | Attribute Name | Description |
|---|---|---|
| 1 | No | Sequence number of the packet |
| 2 | Time | Timestamp of the packet |
| 3 | Source IP | IP address of the source device |
| 4 | Destination IP | IP address of the destination device |
| 5 | Protocol | Protocol used in communication |
| 6 | Length | Length of the packet in bytes |
| 7 | Source Port | Source port number |
| 8 | Destination Port | Destination port number |
| 9 | Source MAC Address | Source MAC address |
| 10 | Destination MAC Address | Destination MAC address |
| 11 | Sequence Number (raw) | Sequence number in the data flow |
| 12 | Acknowledgment number (raw) | Sequence number of the last acknowledged byte |
| 13 | Time since the first frame in this TCP stream | Time elapsed since the start of the TCP flow |
| 14 | Time since the previous frame in this TCP stream | Time interval since the last packet in the TCP connection |
| 15 | Frame length on the wire | Length of the frame transmitted over the physical medium |
| 16 | Time delta from the previous captured frame | Time interval from the last packet |
| 17 | Protocols in frame | Protocol chain in the packet |
| 18 | Profinet Real Time FrameID | Real-time Profinet frame ID |
| 19 | Profinet DCP ServiceID | DCP Profinet device configuration service ID |
| 20 | Profinet DCP ServiceType | DCP Profinet service type (request/response) |
| 21 | Profinet DCP Xid | Variable used for Profinet DCP communication mapping |
| 22 | ResponseDelay | Delay time in communication |
| 23 | Profinet DCPDataLength | Length of the Profinet DCP data field |
| 24 | IG Bit | Communication control bit |
| 25 | DeviceVendorValue | Device manufacturer information |
| 26 | Device Name (Name of Station) | Station name assigned to the device |
| 27 | Device Role Details | Function of the device on the network |
| 28 | Device Instance Low High | Sampling value of the device |
| 29 | Subnet Mask | IP subnet mask |
| 30 | Standard Gateway | IP default gateway |
| 31 | Destination reference | Destination reference in communication |
| 32 | ROSCTR | Protocol operation control code |
| 33 | Protocol Data Unit Reference | Data unit identifier |
| 34 | Community ID | Communication session ID |
| 35 | Item count | Number of transmitted data items |
| 36 | Byte Address (PLC) | Byte address accessed in the PLC memory |
| 37 | Bit Address (PLC) | Bit address in the PLC |
| 38 | Info | General descriptive information about the packet |
| 39 | Attack_Type_Label | Label information representing the attack type or normal state corresponding to each instance in the dataset (4 scenarios) |

Table 2. Confusion Matrix.

| | Actually Positive (1) | Actually Negative (0) |
|---|---|---|
| Predicted Positive (1) | True Positive (TP) | False Positive (FP) |
| Predicted Negative (0) | False Negative (FN) | True Negative (TN) |

Table 3. Network traffic statistical summary and scenario-based comparison.

| Scenario | Total Number of Packets | Average Packet Size (Bytes) | Total Packet Size (Bytes) |
|---|---|---|---|
| Normal condition | 27,804 | 82.0 | 2,278,889 |
| ARP spoofing attack | 36,128 | 93.0 | 3,353,449 |
| TCP SYN Flood attack | 57,472 | 60.0 | 33,449,884 |
| Unauthorized command injection | 30,492 | 101.0 | 3,065,780 |

Table 4. Performance comparison table of classification models.

| Model | Average Accuracy (%) | Precision | Recall | F1 Score | Specificity | AUC | Estimation Time (ms) |
|---|---|---|---|---|---|---|---|
| KNN | 97.53 | 0.97184 | 0.97531 | 0.97356 | 0.99972 | 0.98752 | 2589.44 |
| NB | 92.96 | 0.73932 | 0.92955 | 0.75358 | 0.97774 | 0.97585 | 8.20482 |
| DT | 96.69 | 0.94804 | 0.96687 | 0.957 | 0.99959 | 0.9917 | 8.53197 |
| LR | 94.34 | 0.9197 | 0.94337 | 0.92993 | 0.99164 | 0.9675 | 22.3577 |
| KNN-NB hybrid | 75.22 | 0.74691 | 0.75218 | 0.74761 | 0.99183 | 0.87198 | 101,481.1 |
| DT-LR hybrid | 98.29 | 0.94832 | 0.98289 | 0.96417 | 0.99962 | 0.99823 | 11.6990 |
| KNN-NB-DT hybrid | 95.87 | 0.95541 | 0.95869 | 0.95703 | 0.9995 | 0.9791 | 132,235.1 |

Table 5. Test performance metrics of the KNN–NB hybrid model.

| Scenarios | Accuracy (%) | Precision | Recall | Specificity | F1 Score |
|---|---|---|---|---|---|
| Class 0 (Normal traffic) | 1 | 0.95818 | 1 | 0.98625 | 0.97864 |
| Class 1 (ARP Spoofing attack—MITM) | 0.08065 | 0.04202 | 0.08065 | 0.99343 | 0.05525 |
| Class 2 (TCP SYN Flood—DoS) | 0.99524 | 0.98743 | 0.99524 | 0.98762 | 0.99132 |
| Class 3 (Command injection attack) | 0.93282 | 1 | 0.93282 | 1 | 0.96524 |

Table 6. Comparison of the test accuracy and cross-validation scores of the two most successful models.

| Model | Test Accuracy (Average) | Cross-Validation Accuracy (Average) | Standard Deviation of Cross-Validation Accuracy (Average) |
|---|---|---|---|
| DT-LR hybrid | 98.29 | 98.15 | ±0.01397 |
| KNN | 97.53 | 97.24 | ±0.01136 |

Table 7. Test metrics of the most successful model (DT-LR hybrid model).

| Scenarios | Accuracy (%) | Precision | Recall | F1 Score |
|---|---|---|---|---|
| Class 0 (Normal traffic) | 1 | 1 | 1 | 1 |
| Class 1 (ARP Spoofing attack—MITM) | 0.93548 | 0.79452 | 0.93548 | 0.85926 |
| Class 2 (TCP SYN Flood—DoS) | 1 | 0.99965 | 1 | 0.99983 |
| Class 3 (Command injection attack) | 0.99606 | 0.99912 | 0.99606 | 0.99759 |

Table 8. Comparison of studies in the literature.

| Algorithm | Dataset | Accuracy (%) | Reference |
|---|---|---|---|
| Decision Tree-Based Ensemble Learning | Your Own Datasets | 95.2 | [56] |
| RF + AdaBoost | Industrial Control System (ICS) Cyberattack Datasets | 90 | [57] |
| RF, Support Vector Machine, KNN | Your Own Datasets | 97 | [58] |
| Hierarchical Bayes Network | NSL-KDD Datasets | 97.8 | [59] |
| RF, Support Vector Machine, KNN, Long Short-Term Memory (LSTM) | Dataset from the Singapore University of Technology and Design | 98.02 (LSTM) | [60] |
| KNN, AdaBoost, Quadratic Discriminant Analysis, Gradient Boosting, Extreme Gradient Boosting (XGB) | WUSTL-IIOT-2021 | 96.99 | [61] |
| DT-LR Hybrid | My Own Datasets | 98.29 | Proposed study |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Özgül, M.A.; Demirbaş, Ş.; Vadi, S. A Hybrid Machine Learning Approach for Cyberattack Detection and Classification in SCADA Systems: A Hydroelectric Power Plant Application. Electronics 2026, 15, 10. https://doi.org/10.3390/electronics15010010
