MACHINE LEARNING–BASED CYBERSECURITY MODELS FOR SAFEGUARDING INDUSTRIAL AUTOMATION AND CRITICAL INFRASTRUCTURE SYSTEMS

Authors

  • Arfan Uzzaman, MSc in Management Information Systems, Lamar University, Texas, USA
  • M.A. Rony, Master of Science in Computer Science, Washington University of Virginia, USA

DOI:

https://doi.org/10.63125/2mp2qy62

Keywords:

Machine Learning, Industrial Cybersecurity, Critical Infrastructure, Cyber–Physical Fusion, Intrusion Detection

Abstract

This quantitative study evaluated machine learning–based cybersecurity models for safeguarding industrial automation and critical infrastructure systems through a multi-case comparative experiment. Three benchmark OT/CI cases were examined (water treatment, smart grid, and pipeline/manufacturing), yielding 36,600 control-cycle windows. Normal operation dominated all cases, ranging from 82.0% to 86.0% of windows, while attack windows remained between 14.0% and 18.0%. Cyber-layer attacks formed the largest malicious share in every case (6.4%–9.2%), followed by physical/process-integrity attacks (4.1%–6.1%) and hybrid multi-stage events (2.7%–3.5%). Within-domain correlations were strong, including cyber periodicity with command density (r=0.82) and actuator–sensor synchrony with residual stability (r=0.79). Cross-domain correlations increased sharply during attacks; for example, the correlation of timing deviation with process residual spikes rose from 0.34 in normal windows to 0.77 under DoS, and that of command entropy with trajectory infeasibility increased from 0.29 to 0.74 under stealth drift. Reliability and validity were confirmed, with Cronbach’s alpha spanning 0.83–0.91 and fused blocks reaching 0.91, while fused factors showed the strongest normal-attack mean gap (1.52 SD units). Collinearity adjustment reduced early-fusion predictors from 38 to 30 and lowered Imax from 18.9 to 8.9. Descriptive model outcomes showed that late-fusion hybrid ensembles achieved the best overall performance (Accuracy 0.969±0.011; Precision 0.934±0.022; Recall 0.902±0.029; F1 0.918±0.024; ROC-AUC 0.964±0.012; FPR 0.025±0.006; Latency 2.08±0.30 s), exceeding deep early-fusion models (Recall 0.886; FPR 0.029) and classical supervised cyber-only baselines (Recall 0.781; FPR 0.041).
Factorial ANOVA indicated significant model-family effects on Recall (F=26.84, p<0.001, ηp²=0.32) and F1 (F=21.09, p<0.001, ηp²=0.27), alongside a significant fusion effect on Recall (F=19.57, p<0.001, ηp²=0.17). Attack-type analysis showed the highest detectability for DoS (Recall 0.93) and command injection (0.90), with lower Recall for replay (0.84), false data injection (0.82), and stealth drift (0.78). Overall, fused deep and hybrid architectures provided the most reliable balance of high sensitivity and low nuisance alarms under cyber–physical OT constraints.

Published

2023-12-24

How to Cite

Arfan Uzzaman, & M.A. Rony. (2023). MACHINE LEARNING–BASED CYBERSECURITY MODELS FOR SAFEGUARDING INDUSTRIAL AUTOMATION AND CRITICAL INFRASTRUCTURE SYSTEMS. International Journal of Scientific Interdisciplinary Research, 4(4), 224–264. https://doi.org/10.63125/2mp2qy62
