Explainable AI in SCADA Security Creates Exploitable Attack Surfaces

AI-based intrusion detection for SCADA systems faces a fundamental tension between explainability and security. Operators need to understand why an AI system flagged an event as malicious (explainable AI / XAI) to trust and act on its recommendations. But the same explainability mechanisms that build operator trust simultaneously expose model decision boundaries to adversaries, who can reverse-engineer the detection logic to craft attacks that evade it. This is not a theoretical concern: adversarial machine learning techniques can cause well-trained models to misclassify malicious SCADA traffic as benign with small, carefully crafted perturbations. No current SCADA IDS has been validated against adversarial attacks, and no standardized industrial cybersecurity datasets exist for benchmarking adversarial robustness.

As AI-based security becomes the primary defense layer for critical infrastructure, adversarial robustness becomes a national security concern. AI significantly lowers the barrier for less sophisticated adversaries to conduct more comprehensive cyber-attacks — state-sponsored groups and criminal organizations are already using AI to automate reconnaissance and adapt attack strategies faster than human defenders can respond. The 430% increase in supply chain compromises targeting ICS vendors (2020–2024) indicates that attackers are specifically targeting the systems AI is meant to protect. If defenders deploy AI security tools that are vulnerable to adversarial manipulation, they create a false sense of security that may be worse than having no AI defense at all.

Hybrid deep learning architectures (autoencoder-ResNet-LSTM combinations) achieve high detection accuracy (90%+) on benchmark datasets like HAI and SWaT, but these benchmarks do not include adversarial attack scenarios. GAN-based IDS approaches reduce inference time to 20ms but have not been evaluated for adversarial robustness. Transformer-based models achieve the highest accuracy (92% on HAI) but their attention mechanisms are known to be susceptible to adversarial perturbation in other domains. Adversarial training — deliberately exposing models to adversarial examples during training — is the standard defense in image classification, but it has not been systematically applied to SCADA network traffic, where the constraints differ (real-time processing, protocol-specific features, physical process semantics). The fundamental limitation is the absence of standardized datasets that include realistic adversarial attacks against industrial protocols, making it impossible to benchmark or compare defenses.

A standardized adversarial robustness benchmark for SCADA IDS — analogous to RobustBench for image classification — would enable systematic comparison of defenses. Physics-informed adversarial training that constrains adversarial examples to physically plausible SCADA commands (rather than arbitrary perturbations) would produce more realistic robustness evaluations. Selective explainability approaches that provide operators with actionable information without exposing the full decision boundary to potential adversaries could resolve the XAI paradox. Federated learning frameworks that allow utilities to collaboratively train models on distributed operational data without sharing sensitive infrastructure details could address the data scarcity problem.

A student team could evaluate the adversarial robustness of existing SCADA IDS models (published architectures trained on publicly available datasets like SWaT or HAI) by applying standard adversarial perturbation techniques (FGSM, PGD, C&W) and measuring detection degradation. This is a well-scoped ML security research project. A more design-oriented team could prototype a selective XAI interface that provides operators with different levels of explanation detail depending on their role and security clearance, testing whether this reduces the information available to an adversary while maintaining operator trust.