The next-generation of Industrial Automation and Control Systems (IACS) and Supervisory Control and Data Acquisition (SCADA) systems pose numerous challenges in terms of cybersecurity monitoring. We have been witnessing the convergence of OT/IT networks, combined with massively distributed metering and control scenarios such as smart grids. Larger and geographically widespread attack surfaces, and inherently more data to analyse, will become the norm.

Despite several advances in recent years, domain-specific security tools have been facing the challenges of trying to catch up with all the existing security flaws from the past, while also accounting for the specific needs of the next-generation of IACS. Moreover, the aggregation of multiple techniques and sources of information into a comprehensive approach has not been explored in depth. Such a holistic perspective is paramount since it enables a global and enhanced analysis enabled by the usage, combination and aggregation of the outputs from multiple sources and techniques.

This paper starts by providing a review of the more recent anomaly detection techniques for SCADA systems, focused on both theoretical machine learning approaches and complete frameworks. Afterwards, it proposes a complete framework for an Intrusion and Anomaly Detection System (IADS) composed of specific detection probes, an event processing layer and a core anomaly detection component, amongst others. Finally, the paper presents an evaluation of the framework within a large-scale hybrid testbed, and a comparison of different anomaly detection scenarios based on various machine learning techniques.

下一代工业自动化和控制系统（IACS）以及监督控制和数据采集（SCADA）系统在网络安全监控方面提出了许多挑战。我们已经见证了OT / IT网络的融合，并结合了诸如智能电网等大规模分布的计量和控制方案。更大且在地理上分布广泛的攻击面以及本质上需要分析的数据将成为常态。

尽管近年来取得了一些进步，但特定于域的安全工具一直面临着尝试赶上过去所有现有安全缺陷的挑战，同时还考虑了下一代IACS的特定需求。此外，尚未深入探讨将多种技术和信息源整合为一种综合方法。这种整体观点至关重要，因为它可以通过使用，组合和聚合来自多个来源和技术的输出来进行全局和增强的分析。

本文首先回顾了SCADA系统的最新异常检测技术，重点是理论上的机器学习方法和完整的框架。此后，它提出了一个用于入侵和异常检测系统（IADS）的完整框架，该框架由特定的检测探针，事件处理层和核心异常检测组件等组成。最后，本文对大型混合测试平台中的框架进行了评估，并基于各种机器学习技术对不同异常检测场景进行了比较。