infrastructure-scada-legacy-ai-detection
Tier 1, 2026-02-12

AI-Based Intrusion Detection Cannot Deploy on Legacy SCADA/PLC Systems

infrastructure, digital

Problem Statement

Modern AI-based intrusion detection systems (IDS) for industrial control systems reach high accuracy in laboratory benchmarks, but they cannot be deployed on the legacy programmable logic controllers (PLCs) and SCADA systems that actually operate critical infrastructure. Most PLCs execute deterministic control logic under a fixed scan cycle on hardware with little spare computational capacity, so there is no room for real-time machine learning inference alongside the control loop. Meanwhile, the attack surface is expanding rapidly: internet-exposed ICS devices increased 40% between 2024 and 2025, and supply chain compromises targeting ICS vendors rose 430% from 2020 to 2024. The result is a widening gap between the sophistication of available AI defenses and the ability of operational infrastructure to use them.

Why This Matters

SCADA systems control water treatment, power grids, oil and gas pipelines, and manufacturing processes. A successful cyberattack on these systems can cause physical damage, environmental harm, and loss of life: the 2015 and 2016 attacks on the Ukrainian power grid caused real outages, and the 2021 Oldsmar water treatment incident, in which a sodium hydroxide dosing setpoint was raised through remote-access software and reverted by an operator before the water supply was affected, showed how close a single valid-looking command can come to causing harm. The global shortage of 2.8–4.8 million cybersecurity professionals compounds the problem: even where AI tools exist, there are too few trained operators to deploy and manage them. Critical infrastructure in the water, energy, and transportation sectors relies on equipment with 20–40 year lifecycles, so the legacy hardware problem will persist for decades unless a deployment strategy works within existing constraints.

What’s Been Tried

Traditional signature-based IDS (Snort or Suricata rules, for example) can run on lightweight hardware but only detect known attack patterns and miss novel threats. Statistical anomaly detection has lower computational requirements but produces false positive rates that overwhelm operators. Deep learning approaches (CNNs, LSTMs, Transformers, autoencoders) achieve 90%+ accuracy on benchmark datasets (HAI, SWaT, BATADAL) but require GPU-class hardware for real-time inference, which is unavailable in most ICS environments. Network-based approaches that monitor traffic at a separate appliance avoid the PLC hardware constraint, but without a model of the process state they cannot tell a malicious setpoint write from a legitimate one: the frame is syntactically valid, comes from an authorized host, and uses a permitted function code, and only its effect on the physical process is wrong. Adding message authentication and encryption to SCADA protocols (DNP3 Secure Authentication, which authenticates but does not encrypt, and the IEC 62351 TLS and authentication profiles) introduces real-time response delays that are unacceptable for process control. A comprehensive review of 250 articles found that few studies propose frameworks that merge fault detection, predictive maintenance, and cybersecurity into architectures compatible with legacy automation systems.

What Would Unlock Progress

A hybrid architecture that places lightweight anomaly detection on or near the PLC (using federated inference or edge computing) while offloading computationally intensive deep analysis to a centralized system could bridge the gap, provided the edge stage never sits in the control loop's critical path. Model compression techniques (quantization, pruning, knowledge distillation) that reduce AI model size by 10–100x while maintaining detection accuracy would enable deployment on constrained hardware. Physics-informed models that encode knowledge of the industrial process (valid setpoint ranges, slew rates, mass and energy balances) could detect anomalies with far fewer parameters than general-purpose neural networks, and would catch the legitimate-looking commands that purely network-level detection misses. Standardized, anonymized datasets drawn from production industrial environments, which are largely unavailable today because the data is proprietary and sensitive (the public HAI, SWaT, and BATADAL sets come from testbeds or simulations), would let the research community develop and benchmark models against real-world ICS conditions.

Entry Points for Student Teams

A student team could prototype a lightweight anomaly detection model (e.g., autoencoder or isolation forest) that runs on resource-constrained hardware (Raspberry Pi or Arduino-class) monitoring simulated SCADA network traffic, benchmarking detection accuracy against per-frame inference latency and memory footprint. This is a well-scoped embedded systems and security project. Alternatively, a team could design a hybrid edge-cloud IDS architecture for a specific ICS protocol (Modbus, DNP3, or IEC 61850), demonstrating how computationally expensive deep learning analysis can be performed asynchronously without disrupting real-time control operations.
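A minimal version of such a prototype, written here as an added example and not taken from the survey or from any project it cites. It ties together three points made above: a network monitor that parses Modbus/TCP write requests, physics-style constraints (a valid range and a maximum slew rate, assumed here for a hypothetical dosing setpoint register) that catch the legitimate-looking write a pure protocol check would pass, and an edge stage that stays cheap and hands flagged frames to an asynchronous queue for deeper analysis instead of blocking the control path. The register address, unit id, bounds and the "attack" values are all constructed for illustration, and the traffic is built in-process rather than captured.

```python
"""Edge anomaly detector for Modbus/TCP register writes (added example).

Not code from the cited survey. Hypothetical assumptions: holding register
0x0010 on unit 1 is a chemical dosing setpoint in ppm, physically bounded to
[0, 150] and never moved more than 20 ppm per write by the real process.
Frames are raw Modbus/TCP (MBAP header + PDU) as they would appear on a SPAN port.
"""
import struct
import time
from collections import defaultdict, deque

FC_WRITE_SINGLE_REGISTER = 0x06


def build_write_single(tid, unit, reg, value):
    """Build a Modbus/TCP Write Single Register request (used to construct samples)."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, reg, value)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_write_single(frame):
    """Return (tid, unit, reg, value) for a well-formed FC 0x06 request, else None."""
    if len(frame) < 7:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0 or length != len(pdu) + 1:
        return None
    if len(pdu) != 5 or pdu[0] != FC_WRITE_SINGLE_REGISTER:
        return None
    reg, value = struct.unpack(">HH", pdu[1:])
    return tid, unit, reg, value


class EdgeDetector:
    """Three cheap checks per write, in the order a PLC-adjacent box can afford them:
    physical range and slew rate (process constraints), then a z-score against the
    recent accepted history. Anything flagged is queued for asynchronous deep
    analysis rather than blocking the control path."""

    def __init__(self, limits, window=32, z_thresh=4.0):
        self.limits = limits            # (unit, reg) -> (lo, hi, max_step); constructed
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.z_thresh = z_thresh
        self.deep_queue = deque()       # handed to the central analyser off the hot path

    def score(self, unit, reg, value):
        reasons = []
        lo, hi, max_step = self.limits.get((unit, reg), (0, 0xFFFF, 0xFFFF))
        if not lo <= value <= hi:
            reasons.append("out_of_physical_range")
        hist = self.history[(unit, reg)]
        if hist and abs(value - hist[-1]) > max_step:
            reasons.append("slew_rate")
        if len(hist) >= 8:              # need a minimal baseline before trusting statistics
            mean = sum(hist) / len(hist)
            std = (sum((x - mean) ** 2 for x in hist) / len(hist)) ** 0.5 or 1.0
            if abs(value - mean) / std > self.z_thresh:
                reasons.append("statistical_outlier")
        return reasons

    def observe(self, frame):
        t0 = time.perf_counter()
        parsed = parse_write_single(frame)
        if parsed is None:
            return None                 # other function codes are passed through untouched here
        tid, unit, reg, value = parsed
        reasons = self.score(unit, reg, value)
        if reasons:
            self.deep_queue.append((parsed, tuple(reasons)))
        else:
            # Only accepted writes update the baseline, so a flagged value cannot
            # drag the statistics toward itself; slow drift is still bounded by lo/hi.
            self.history[(unit, reg)].append(value)
        return {"tid": tid, "reg": reg, "value": value, "reasons": reasons,
                "latency_us": (time.perf_counter() - t0) * 1e6}


def demo():
    """Replay constructed traffic: ten benign setpoint writes, then three attacks."""
    det = EdgeDetector(limits={(1, 0x0010): (0, 150, 20)})
    benign = [100, 101, 99, 102, 98, 100, 101, 99, 100, 102]
    results = [det.observe(build_write_single(i, 1, 0x0010, v)) for i, v in enumerate(benign)]
    # Constructed attacks: grossly out of range; in range but an impossible step;
    # in range and within the slew limit, yet far outside the learned distribution.
    for tid, v in ((100, 11100), (101, 130), (102, 115)):
        results.append(det.observe(build_write_single(tid, 1, 0x0010, v)))
    return results, det


if __name__ == "__main__":
    for r in demo()[0]:
        label = "ALERT " + ",".join(r["reasons"]) if r["reasons"] else "ok"
        print(f"tid={r['tid']:3d} value={r['value']:5d} {label:45s} {r['latency_us']:.1f} us")
```

Run directly to see per-frame verdicts and microsecond latencies. The third attack value passes every protocol-level and physics check and is caught only because it falls far outside the recent accepted history, which is the gap between network-only monitoring and process-aware detection described above. The per-frame cost is a few microseconds in CPython, which is the argument for putting this stage next to the PLC and reserving heavier models for the asynchronous queue; on a Raspberry Pi class device the same loop would consume frames from a SPAN port through a capture library, which this example does not include.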

Genome Tags

Constraint
technical, infrastructure
Domain
infrastructure, digital
Scale
national
Failure
lab-to-field-gap, ignored-context
Breakthrough
algorithm, hardware-integration, cost-reduction
Stakeholders
multi-institution
Temporal
worsening
Tractability
proof-of-concept

Source Notes

This brief connects to the existing infrastructure-water-ot-security-gap brief, which documents adoption barriers for OT security tools in small water utilities. Both share the structural pattern of security solutions that don't fit the operational constraints of legacy infrastructure. The data scarcity problem parallels the failure:unrepresentative-data pattern seen across ocean monitoring and energy modeling briefs — industrial datasets are proprietary, small, and unrepresentative of real attack conditions. The workforce shortage dimension (2.8–4.8M cybersecurity professional shortfall) connects to the cross-batch workforce retirement pattern flagged in the analyst report observations. Related areas: embedded AI for industrial edge computing, model compression for IoT, physics-informed neural networks for process monitoring.

Source

"Artificial Intelligence for Secure and Sustainable Industrial Control Systems — A Survey of Challenges and Solutions," Artificial Intelligence Review, Springer (2025). DOI: 10.1007/s10462-025-11320-9. Access date: 2026-02-12.