1. Introduction

Cybersecurity concerns have developed for SCADA systems, which underpin industrial automation, electricity grids, water treatment facilities, and other important infrastructure [1]. Advanced persistent threats (APT) ransomware, distributed denial-of-service (DDoS) attacks, and zero-day weaknesses are highly dangerous to SCADA networks [2]. SCADA networks have antiquated, vulnerable designs. The confluence of operational technology (OT) and information technology (IT) has expanded the attack surface and the possibility of hostile infiltration [3]. Rule-based access limitations and signature-based intrusion detection systems (IDSs) are inadequate against rising cyber threats since they employ pre-defined attack signatures and static heuristics [4]. Due to constant changes in cyber threats, these measures cannot adapt. Modern cybersecurity frameworks must leverage adaptive, real-time threat detection methods like artificial intelligence (AI), deep learning (DL), and behavioral anomaly detection to withstand dynamic cyber assaults, and this will reduce these hazards’ risks [5].

Intrusion detection is the foundation of SCADA cybersecurity. Traditional intrusion detection systems (IDSs) cannot protect against new threats and zero-day attacks because they use pre-defined signatures and rule-based techniques [6]. These systems also have large false-positive rates, which require unnecessary system interventions and lower detection mechanism confidence [7]. Machine learning algorithms generally lack the feature extraction abilities and flexibility to address SCADA security issues [8]. Although artificial intelligence, machine learning, and anomaly-based detection are potential alternatives [9], this limitation highlights the need for more sophisticated SCADA-specific intrusion detection frameworks that are cognizant of their surroundings.

A recent study provided a novel cybersecurity paradigm. Multi-modal machine learning improves SCADA intrusion detection in this model. This approach resolves key restrictions of prior methods [10]. The system improves threat identification and reduces false positives using CNNs for deep feature extraction, hybrid LSTM networks for temporal pattern analysis, and autoencoders for unsupervised anomaly detection [11]. This ensemble strategy beats earlier solutions, providing a more adaptive and resilient security solution for SCADA-deployed critical infrastructure, and this strategy seems to be better than others [12].

DDoS, ransomware, and sophisticated, persistent threats may disrupt operations and cause significant financial harm [13]. Mission-critical SCADA systems are vulnerable to these assaults because they operate in real time. By using adaptive, behavior-based threat analysis, DL approaches were altered [14]. Traditional security systems are reactive and use signature-based detection, making it hard to detect sophisticated threats. CNNs generate discriminative spatial features from raw network data, and stacked autoencoders learn regular working patterns to detect tiny irregularities [15] accurately. The suggested architecture protects against network attacks using multi-layered defenses. By examining temporal correlations in network data, LSTM networks may discover complex, multi-stage assault sequences [16]. Due to this integrated DL design, SCADA systems have a robust, real-time security mechanism to identify and prevent known and emerging cyber threats.

This research empirically evaluates the HAE–HRL framework’s SCADA system protection. The report shows significant intrusion detection improvements via comprehensive experimental investigation. The study uses benchmark datasets and real-time SCADA network traffic to test the framework [17]. The research found that the framework had greater detection accuracy and lower false-positive rates than previous methods. The findings suggest hybrid deep learning architectures may reduce cybersecurity vulnerabilities in industrial control systems by integrating hierarchical feature extraction with reinforcement learning. The framework’s ability to understand complex temporal patterns and adapt to changing threats suggests a paradigm shift toward more intelligent and autonomous critical infrastructure security solutions. This skill is significant. These results justify using advanced machine learning in industrial cybersecurity. These methods guard against known attack vectors and react to emerging threats quickly.

Motivation: Despite being vital to the nation’s infrastructure, SCADA systems are susceptible to intrusions due to their legacy architecture and interconnectedness. Cyber risks are rising, requiring powerful security systems to identify and stop complex assaults. This study builds a hybrid intrusion detection system (IDS) using deep learning to improve detection accuracy and decrease false positives. Anomaly asymmetry gives defenders a strategic edge by utilizing artificial intelligence to examine massive datasets and find complex patterns that may escape human discovery or regular security processes.

Problem statement: SCADA systems’ intrusion detection systems (IDSs) must overcome high false-positive rates, poor threat response, and poor feature extraction. Due to these shortcomings, SCADA systems are susceptible to hackers who may interrupt critical operations. This study addresses issues by increasing threat detection and SCADA system security. CNNs, autoencoders, and ResNet–LSTM networks are used in the hybrid deep learning HAE–HRL model.

Contribution of this paper

The article’s structure is prearranged as follows: Section 2 provides related work in the field of SCADA systems, examining existing research and developments. Section 3 details the proposed methodology of HAE–HRL, outlining its framework and implementation. Section 4 evaluates the efficiency of HAE–HRL, presenting a thorough analysis of its performance and effectiveness. Finally, Section 5 concludes the study, summarizing key results and recommending potential directions for future study.

2. Related Works

The techniques combine hybrid machine learning models, optimization methodologies, and feature selection tactics to enhance SCADA intrusion detection systems (IDSs). These models reduce false positives, improve detection accuracy, and address critical infrastructure security issues, including insider threats and cyber-physical hazards. They use ensemble learning, deep learning, and optimization [18]. The hybrid ensemble learning model (HELM) uses network sensors to identify SCADA system breaches. It uses UNSW-NB15 and MSU water system data to find breaches using an IDS. Both are water systems. Data preparation involves extracting features using a normalized PCA. The grey wolf optimiser (GWO) uses majority voting to improve classifiers, including bagging, stacking, AdaBoost, naive Bayes, and SVM. Others choose an extreme learning machine (ELM) using the bijective soft-set technique. Traditional intrusion detection systems (IDSs) struggle to meet SCADA concerns. These include outdated protocols, real-time operational restrictions, and high interpretability. Thus, researchers are using protocol-based intrusion detection. These methods examine SCADA communication protocols. These protocols include Modbus [19], DNP3 [20], and IEC 60870-5-104 [21]. These methods have proven that they can locate anomalies by detecting departures from protocol predictions.

The use of cooperative game theory-based Shapley analysis to increase the interpretability of machine learning-based intrusion detection systems is a major advance in this area. Shapley values provide a mathematical framework for quantifying each feature’s impact on model predictions. This paradigm explains why certain network actions are hazardous. SCADA operators must understand and trust intrusion detection system conclusions. Serpil Ustebay and colleagues pioneered protocol-based intrusion detection systems using Shapley analysis [22]. This method efficiently found crucial intrusion detection factors while maintaining high accuracy. Their work shows that Shapley’s analysis may bridge the gap between complex machine-learning models and operator-friendly security solutions. Despite these advances, many challenges remain. Shapley value calculation may be too difficult for real-time applications. Large SCADA networks with significant traffic volumes are particularly affected. Researchers are investigating approximation methodologies as a solution, but further optimization is needed to ensure scalability. Compatibility and performance trade-offs must be considered when combining Shapley-enhanced intrusion detection systems with earlier SCADA systems. In particular, enhanced analytics must not disrupt SCADA systems’ real-time operations.

2.1. Hybrid ML-Based IDS

To identify insider risks in SCADA systems, the study advises using ML techniques, especially ensemble and hybrid approaches [23]. By spotting intricate insider assaults and tackling issues such as data privacy and security, as well as locating pertinent threat data for training, these approaches improve intrusion detection. One practical approach for enhancing detection resilience is observed to be hybrid models. A dual-hybrid IDS capable of identifying false data injection attacks (FDIAs) in smart grids [24] is suggested here. It uses a hybrid DL classifier to combine LSTM networks with CNN. It combines GWO and particle swarm optimization (PSO) for hybrid feature selection. This approach increases computing efficiency, lowers false positives and negatives, and raises the detection accuracy.

2.2. Optimization-Based IDS with DS-LSTM

To provide a unique IDS framework for SCADA systems, the suggested method integrates clustering, optimization, and classification techniques [25]. Deep sequential LSTM (DS-LSTM) for intrusion detection, the multifaceted data clustering models (MDCMs) for pre-processing, and the hybrid gradient descent spider monkey optimizations (GDSMOs) for parameter selection form the framework. Simultaneously, it will reduce the processing time and operations of computations without compromising the higher accuracy in the classification process. The proposed mechanism identifies cyber-attack occurrence in wireless sensor networks through the intelligent hybrid model, which involves a DL hybrid model and the combination of various ML techniques. In such a mechanism, principal component analysis (PCA) and singular value decompositions (SVDs) are incorporated in a feature reduction model, which enables an accelerated detection model and decreases complexity in the developed model [26]. According to the study, the high precision rate of the message queuing telemetry transports (MQTTs) and wireless sensor network (WSN) datasets is 91.98%, and efficiency while taking a detection time of about 23 s.

2.3. Cyber–Physical Risk Assessment Model for SCADA

The proposed approach includes a cyber–physical model for SCADA systems, indicating network breaches and their risk degrees concerning industrial operations. It defines the SCADA network and devices in terms of identifying communication patterns and device state connectivity [27]. Any deviation from this paradigm is considered anomalous, prompting a risk analysis to assess potential threats and their impact. This method thus enhances the effectiveness of understanding cyberattacks by improving detection and analyses. The Genetically Seeded Flora with transformer neural network (GSFTNN) finds vulnerabilities in the SCADA system. It thus detects an operational change that would prove to be evidence of a penetration attempt using its TNN model and GSF feature optimization strategy [28]. The method is more efficient and economical than traditional signature-based systems, among approaches like ResNet, recurrent neural network (RNN), and LSTM. The following results were evaluated regarding the WUSTL-IIOT-2018 ICS SCADA cyber security data.

2.4. PCA–RBN with Emperor Penguin Optimization

The proposed technique improves intrusion detection in SCADA systems by lowering dimensionality using PCA and a radial basis network (RBN) for classification [29]. The Emperor Penguin optimization technique is meant to improve training and stop problems with fading gradients. This method preserves important information while reducing the feature count from 35 to 17, producing good performance measures: 91.22% accuracy, 92.31% precision, 94.09% recall, and 89.20% F1 score. Table 1 shows the comparison of existing methods.

Many hybrid IDS methods, including ELM, DL models, and optimization techniques like GWO, PSO, and PCA, might improve intrusiveness detection in SCADA systems. These methods progress computing efficiency, false positive/negative rates, and detection accuracy. Regarding finding vulnerabilities and cyber-attacks, dual-hybrid IDS, PCA–RBN with Emperor Penguin optimization, and GSFTNN are first picks.

3. Proposed Method

Changing cybersecurity threats requires more a sophisticated IDS. This paper investigates a hybrid DL model, CNN–LSTM, to enhance the IDS’s real-time threat detection accuracy. Multi-threaded packet processing, deep packet inspection, and anomaly detection using NSL-KDD and WSN-DS datasets improve cybersecurity. The paper also presents HAE–HRL for SCADA network security, enhancing defensive systems. To improve the identification of known and undiscovered cyber threats, the proposed HAE–HRL model employs a multi-stage hybrid DL architecture. It is especially useful for critical infrastructures like SCADA systems. To make use of each component’s capabilities in extracting features, reducing dimensionality, and analyzing temporal behavior, the model incorporates three essential components: hybrid autoencoder, ResNet, and LSTM.

3.1. Novel Hybrid Framework for Intrusion Detection

This paper presents an HAE–HRL framework combining autoencoders, CNN-based feature extraction, and a hybrid ResNet–LSTM model to increase the accuracy of cyber threat detection in SCADA systems. From the SCADA dataset, 35 important features were chosen for further analysis because they bore on attack signature patterns and network traffic behavior. Information such as IP addresses used for sending and receiving data, the size of packets, protocols used, connection timestamps, flow rates, error rates, TCP window sizes, and payload entropy are all part of this. The features were selected using correlation and mutual information analysis to improve learning efficiency and decrease redundancy. Standard ML classifiers (SVM, random forest, and KNN), CNN–LSTM, and standalone autoencoder were used as baseline models to assess the performance of the proposed HAE–HRL model. Accuracy, precision, recall, F1 score, AUC–ROC, detection rate, and false alarm rate were measured for assessment. This paper presents HAE–HRL, a novel hybrid cybersecurity framework integrating different machine-learning approaches to improve intrusion detection in SCADA systems. Our framework uses CNNs for deep feature extraction, hybrid LSTM networks for sequential pattern recognition, and autoencoders for anomaly detection, going against the grain of standard intrusion detection systems that depend on single-model techniques. This method is one of a kind since it can learn from its mistakes and identify new types of attacks with few false positives. Improved detection accuracy and enhanced resilience for SCADA security are two additional benefits of the suggested architecture over traditional approaches, which cannot adapt to changing cyber threats.

Figure 1 illustrates a general conceptual overview of how a traditional IDS operates within a network environment. In a network, a collection of computers is connected, and the IDS is crucial in identifying negative behavior. The IDS informs security personnel and logs the incident into a database for further investigation when it discovers a threat. Managing data traffic between the internal network and the World Wide Web, the firewall acts as the next barrier of defense, filtering unauthorized access before it arrives at the router. Captivatingly, the design features a surprise gift that results in a mobile device, maybe hinting at unexpected online assaults like phishing or malware.

(1)$V_{s}w\left[\ll o-sa{n}^{″}\gg \right]:\to Bs\left[o-ap{w}^{″}\right]+Ns{w}^{″}$

Equation (1) shows the relationship between the hybrid anomaly detection method $Ns{w}^{″}$ and signal fluctuations ($V_{s}w$) in SCADA network traffic. While adding newly discovered deviations ($\left[\ll o-sa{n}^{″}\gg \right]$) for adaptive threat detection, it maps baseline safety criteria ($Bs\left[o-ap{w}^{″}\right]$).

(2)$F_{q}s\left[p-ab{n}^{″}\right]:\to Ba\left[w-u{q}^{″}\right]\ast K\left[s-o{w}^{″}\right]$

Using a correction factor ($F_{q}s$) and mapping atypical patterns ($\left[p-ab{n}^{″}\right]$) to weighted standard attributes ($Ba\left[w-u{q}^{″}\right]$), the equation shows the quantification of feature variations ($K\left[s-o{w}^{″}\right]$) in SCADA detection of anomalies. By lowering the number of false positives and increasing the accuracy of cybersecurity, the equation guarantees adaptive feature scaling.

(3)${lp}_{w}s\left[a-q{n}^{″}\right]:\to Bs\left[w-u{i}^{″}\right]+Va\left[p-b{x}^{″}\right]$

Associating aberration quantification (${lp}_{w}s$), weighted baseline parameters for security $\left[a-q{n}^{″}\right]$, and predictive adjustment $Bs\left[w-u{i}^{″}\right]$, the equation simulates the learned forecast weight ($Va\left[p-b{x}^{″}\right]$) for SCADA security. A robust anomaly classification system with few false positives is made possible by Equation (3) optimization of prediction accuracy.

The suggested HAE–HRL model’s autoencoder has a symmetrical design with a network of encoders and decoders. The three layers that make up the encoder are as follows: a dense input layer with 128 neurons, a convolutional layer with 64 filters of size 3 × 3, a ReLU activation, and finally, a max-pooling layer to reduce dimensionality. After that, a bottleneck layer of 32 neurons represents the compressed latent space. Following the same structure as the encoder, the decoder begins with an up-sampling layer and then moves on to a deconvolutional (transposed convolution) layer with 64 filters. Finally, it involves a dense output layer that uses a linear activation function to restore the initial input features.

Figure 2 illustrates a sequential hybrid architecture that integrates CNN and LSTM networks for an IDS. In this design, the CNN first extracts spatial features from the input data, which are then processed by LSTM networks to capture temporal dependencies within those features. This paper introduces a hybrid DL architecture combining CNN and LSTM, applied to the NSL-KDD and WSN-DS datasets. The process begins with data pre-processing, encompassing data cleaning, feature extraction, normalization, and CNN-based feature selection to emphasize significant attributes. A pre-defined threshold is established, enabling the selection of a refined feature subset for further analysis. Subsequently, LSTM networks take precedence, effectively handling the sequential nature of the data. The model is trained, verified, and tested to obtain optimal performance. Two approaches are finally used in classification: Binary categorization lets one distinguish between normal and abnormal activities. Type 1, Type 2, and Type N attacks constitute multiclassification. This architecture increases intrusion detection accuracy, enabling real-time cybersecurity threat identification and reducing unnecessary action.

(4)$f_{2}W:\to Ls\left[s-u{e}^{″}\right]+Va\left[lp-s{n}^{″}\right]\ast Va{w}^{″}\left[l-s{i}^{″}\right]$

The function $f_{2}W$ that controls SCADA anomaly detection is represented by the equation. It connects learned risk states ($Ls\left[s-u{e}^{″}\right]$), predictive variations ($Va\left[lp-s{n}^{″}\right]$), and adaptive adjustments to weights ($Va{w}^{″}\left[l-s{i}^{″}\right]$). By improving the precision of detection and the efficiency of real-time intrusion categorization, Equation (4) strengthens cybersecurity.

(5)$P_{s}w\left[ji-s{n}^{″}\right]:\to Bs\left[w-a{n}^{″}\right]+Ja\left[w-u{e}^{″}\right]$

Equation (5) represents the SCADA system’s predictive security state $P_{s}w$, finding the correlation between signal deviations ($\left[ji-s{n}^{″}\right]$), adaptive baseline safeguards ($Bs\left[w-a{n}^{″}\right]$), and just-in-time abnormal adjustments ($Ja\left[w-u{e}^{″}\right]$. To improve detection accuracy while decreasing false positives, the equation guarantees dynamic threat adaptation.

(6)$P_{f}r\left[u-snw\prime \right]:\to Va\left[w-u{q}^{″}\right]\ast Ms\left[o-sb{e}^{″}\right]$

An equation that links real-time system fluctuations $P_{f}r\left[u-snw\prime \right]$, adaptive variances adjustments ($Va\left[w-u{q}^{″}\right]$), and multi-scale privacy enhancement ($Ms\left[o-sb{e}^{″}\right]$) is the prognostic function for SCADA security. By optimizing predictive adaptability, Equation (6) guarantees strong cybersecurity with few false positives.

3.2. Enhanced Anomaly Detection with Reduced False Positives

While maintaining excellent detection accuracy, using ResNet–LSTM for sequential pattern learning and autoencoders for anomaly detection helps significantly reduce false positives. Figure 3 presents a multi-threaded packet processing technique for controlling network traffic. Thread 1, starting the operation, gathers incoming packets from lines of packet acquisition. Pulling relevant data, Thread 2 packet decoding prepares data for future usage. Refining the data flow and stream processing Thread 3 ensures ordered packet treatment. Thread 4 through Thread n distributes packet processing among many packet detection threads under the load-balancing (LB) scheme. These threads enable efficient identification and analysis of network packets employing data transmission. This method ensures scalability and parallelism for real-time network monitoring, optimizing performance. Shared data applied across detection threads enhance fast threat identification and accuracy.

Deep packet inspection (DPI) and intrusion detection systems(IDSs), which provide great cybersecurity and perfect data flow, fit this paradigm as high-speed network security solutions.

(7)$g_{r}e\left[x-a{n}^{″}\right]:\to Ls\left[ew-u{s}^{″}\right]+Va\left[s-w{n}^{″}\right]$

The generalized response $Va\left[s-w{n}^{″}\right]$ to extracted anomalies is represented by Equation (7) $g_{r}e$, which maps learned secured states ($\left[x-a{n}^{″}\right]$) with reactive variances adjustments $Ls\left[ew-u{s}^{″}\right]$.

(8)$P_{d}er\left[x-ab{n}^{″}\right]:\to Js\left[ew-u{w}^{″}\right]\ast Js\left[w-u{q}^{″}\right]$

Equation (8) shows the correlation between just-in-time security updates ($P_{d}er$) and adaptive quantification adjustments ($\left[x-ab{n}^{″}\right]$), as well as the predictive detection ($Js\left[ew-u{w}^{″}\right]$) of retrieved anomalies ($Js\left[w-u{q}^{″}\right]$).

(9)$v_{F}s\left[\forall -y{w}^{″}\right]:\to Ja\left[w-u{e}^{″}\right]+Va\left[s-u{q}^{″}\right]$

Equation (9) shows the variation function ($v_{F}s$) that is applied to all identified anomalies ($\left[\forall -y{w}^{″}\right]$), connecting adaptive variety adjustments ($Ja\left[w-u{e}^{″}\right]$) with just-in-time updates for safety ($Va\left[s-u{q}^{″}\right]$). By lowering detection errors and boosting intrusion prevention, assuring continual adaptation to emerging cyber threats, and improving SCADA security, the equation is a powerful tool. The suggested HAE–HRL model’s autoencoder has a symmetrical design with a network of encoders and decoders. The three layers that make up the encoder are as follows: a dense input layer with 128 neurons, a convolutional layer with 64 filters of size 3 × 3, a ReLU activation, and finally, a max-pooling layer to reduce dimensionality. After that, a bottleneck layer of 32 neurons represents the compressed latent space.

Traditional SCADA cryptography techniques are in grave danger with the advent of quantum computing. SCADA authentication and communication protocols, such as RSA, ECC, and Diffie–Hellman (DH), depend on computationally complex algorithms, such as integer factorization and discrete logarithms. Since quantum algorithms can solve these issues in polynomial time, many cryptographic methods are susceptible to fast decryption and key recovery, especially by Shor’s algorithm. This makes SCADA data and control commands less secure and more susceptible to interception and manipulation by malicious actors. Given the importance of SCADA systems to vital infrastructure, there is a need to move towards post-quantum cryptographic algorithms that can endure these new challenges and maintain secure communication in future operating settings, especially in light of the advent of quantum computing.

Incorporating quantum-resistant algorithms is becoming essential for safeguarding key infrastructures, including power grids, water systems, transportation networks, and industrial control systems. With the advancement in quantum computing, traditional encryption techniques such as RSA, ECC, and DH face potential threats from quantum algorithms like Shor’s algorithm. To alleviate these risks, quantum-resistant (or post-quantum) cryptographic algorithms such as lattice-based cryptography, hash-based signatures, code-based encryption, multivariate polynomial cryptography, and isogeny-based cryptography are being formulated to ensure robust security in a post-quantum era. These algorithms are designed to withstand conventional and quantum assaults, making them exceptionally appropriate for protecting data transfer, authentication methods, and control signals in critical infrastructure.

The increasing importance of quantum computing in cybersecurity makes this omission significant. Quantum algorithms, such as quantum support vector machines (QSVM) and quantum k-nearest neighbors (QKNN), can improve anomaly detection by using quantum parallelism to analyze high-dimensional data more effectively than conventional methods. Furthermore, quantum optimization methods may decrease training duration, enhance detection precision, and minimize false positives. Using the NSL-KDD dataset, Figure 4 presents a systematic strategy for cyberattack identification and classification. It assigns 20% for testing and 80% for training, starting with dataset separation. The cyber-attack training phase consists of pre-processing (numeralization and feature scaling using UV-Scaler), data organization (null feature removal and protocol-based grouping), and feature extraction. The testing phase follows a like-minded path employing pre-processing, feature extraction, and null feature elimination [30]. Non-attacked data are handled for cyber security and data security (PXORP-ECC); attacked data are recorded for further investigation.

This all-encompassing procedure aggregates security measures with ML techniques to enhance cybersecurity defensive mechanisms.

(10)$P_{w}s\left[a-u{w}^{″}\right]:\to Ls\left[u-s{q}^{″}\right]\ast Ba\left[w-u{e}^{″}\right]$

The weighting of anomaly signals ($P_{w}s$) in the predictive model $Ba\left[w-u{e}^{″}\right]$ is given by Equation (10), which also correlates the learned level states ($\left[a-u{w}^{″}\right]$) with baseline adapting updates ($Ls\left[u-s{q}^{″}\right]$). The equation improves SCADA security by enhancing anomaly detection accuracy and decreasing the number of false alarms caused by adaptive security upgrades.

(11)$F_{e}s\left[p-a{n}^{″}\right]:\to Ba\left[so-s{n}^{″}\right]+Va\left[w-an{q}^{″}\right]$

Equation (11) symbolizes the function for extracting features ($\left[p-a{n}^{″}\right]$) that is applied to predictive anomalies $F_{e}s$, connecting the optimization of baseline security ($Ba\left[so-s{n}^{″}\right]$) with adaptive variance adjustments ($Va\left[w-an{q}^{″}\right]$). Accurate feature selection, reduced false positives, and improved intrusion detection performance are ways the equation improves SCADA security. A systematic strategy for cyberattack identification and classification in SCADA networks is illustrated in Figure 4.

(12)$M_{w}a\left[b-s{n}^{″}\right]:\to Na\left[w-u{o}^{″}\right]+Va\left[o-a{p}^{″}\right]$

Linking networking adaptation ($M_{w}a$) with variance-based optimizer ($\left[b-s{n}^{″}\right]$), the equation represents a model loading function $Na\left[w-u{o}^{″}\right]$ utilized on anomaly-based signals ($Va\left[o-a{p}^{″}\right]$). The equation improves SCADA security by making models more flexible, decreasing detection errors, and making SCADA systems more resistant to cyber threats. The LSTM component of the HAE–HRL model may capture sequential and temporal relationships within SCADA system traffic data. To facilitate hierarchical temporal feature extraction, it comprises two stacked LSTM layers, with 128 memory units in the top layer and 64 units in the bottom layer. A dropout layer is added after each LSTM layer with a dropout rate of 0.3 to prevent overfitting. An activation function called ReLU and a fully linked dense layer consisting of 32 neurons are used to process the final temporal information. Whether multi- or binary-class classification is being performed determines the activation function the output layer uses. Using categorical cross-entropy loss training and the Adam optimizer, the LSTM module can learn time-dependent patterns that signify intrusion signs or unusual system behaviors.

3.3. Improved SCADA System Security

The framework provides exceptional cybersecurity for critical infrastructure, particularly SCADA systems, by quickly detecting network anomalies and malicious activity and addressing unique vulnerabilities. Originally designed to guard SCADA systems against cyberattacks, the innovative IDS known as the HAE–HRL framework (Figure 5), DL mixed with anomaly detection, improves security monitoring. The process begins with data preparation assured of consistent and clean input. After the prominent network characteristics are extracted, a CNN detects deviations via autoencoder reconstruction of normal patterns. Then, a hybrid ResNet–LSTM model enables the system to be flexible enough to meet changing threats by capturing temporal attack patterns. “Adaptive learning for new attack patterns” refers to the continuous model enhancement process, where the system incrementally retrains or fine-tunes the CNN–LSTM model using recently captured anomalies or zero-day attack features. This ensures that the detection model evolves and maintains its efficacy against emerging threats.

This mechanism helps the IDS move beyond static learning into a dynamic detection paradigm, where the system can proactively adapt to sophisticated, evolving threats. The HAE–HRL approach incorporates adaptive learning for novel attack patterns to improve the system’s awareness of changing or new cyber threats in SCADA settings. To keep up with evolving assault tactics, adaptive learning constantly updates model parameters and decision limits thanks to fresh data flowing in. It accomplishes its goals by including incremental updates into training cycles, which allow for fine-tuning the autoencoder and LSTM weights using fresh labeled or unlabeled input samples instead of retraining the complete model. Implemented feature drift detection techniques to track changes in input data distributions and initiate localized model updates when deviations surpass specified thresholds. Due to this feature, the system can identify new abnormalities and adjust its categorization limits appropriately, ensuring it can maintain high detection accuracy even when faced with advanced or unpredictable attacks.

(13)$P_{s}D\left[w-u{w}^{″}\right]:\to Ks\left[w-u{a}^{″}\right]\ast Js\left[w-u{q}^{″}\right]$

Equation (13) shows the predictability of security decisions $P_{s}D\left[w-u{w}^{″}\right]$ using identified anomalies ($Ks\left[w-u{a}^{″}\right]$), connecting knowledge-based security improvements ($Js\left[w-u{q}^{″}\right]$) with immediate delivery adjustments.

(14)$P_{s}e\left[s-w{n}^{″}\right]:\to Ks\left[w-u{q}^{″}\right]+Ba\left[s-u{w}^{″}\right]$

Equation (14) shows the predictive security improvement ($P_{s}e$) that is applied to observed anomalies ($\left[s-w{n}^{″}\right]$) by combining baseline adaptive measures ($Ks\left[w-u{q}^{″}\right]$) with knowledge-based security updates ($Ba\left[s-u{w}^{″}\right]$).

(15)$P_{d}e\left[a-s{n}^{″}\right]:\to Ls\left[3ps-va{q}^{″}\right]+Va\left[s-y{w}^{″}\right]$

Equation (15) ($P_{d}e$) shows the improved predictive detection for anomaly signals ($\left[a-s{n}^{″}\right]$) by integrating learned security patterns ($Ls\left[3ps-va{q}^{″}\right]$) and adaptive variance adjustments ($Va\left[s-y{w}^{″}\right]$). Equation (15) guarantees dynamic adaptability to new cyber dangers, enhances anomaly categorization, and lowers false positives, all of which increase the security of SCADA systems. Anomaly detection and intrusion detection and classification are two important outcomes of the suggested HAE–HRL model. The first is based on the autoencoder stage’s reconstruction error, and the second is the result of the ResNet–LSTM layers’ assignment of each input to a specific class, such as normal, DoS, MITM, probe, or zero-day attack. The autoencoder stage performs an early anomaly filter, and a refined classification is carried out by the ResNet–LSTM block using deep spatial and temporal information. Figure 5 shows the entire technique, which combines all the main parts of the approach, such as the SCADA input data, learning modules for feature extraction, an adaptive learning mechanism, and dual-output generation. Step 4 (autoencoder) is employed for unsupervised anomaly detection. It learns the normal traffic distribution during training and flags deviations (high reconstruction error) as potential anomalies. This step does not classify threats into specific categories. It simply distinguishes “normal” from “abnormal” behavior. Step 5 (SoftMax classifier) then takes either the flagged anomalies or the latent features (from earlier layers) and performs supervised classification and labeling detected anomalies into defined cyber threat categories (e.g., DoS, MITM, spoofing).

Providing details about the CNN and LSTM designs used for comparison is crucial to ensure that all remain accessible and reproducible. Detailing the models’ structure and training concerning the number of layers, activation functions, and optimization strategies could be evaluated objectively compared to the suggested HAE–HRL framework. The convolutional and pooling layers of CNNs make them effective in feature extraction, while the sequential data architecture of LSTMs makes them great at capturing the temporal connections observed in cyberattack patterns. The resulting performance gains in context help explain whether these designs were selected as baseline models or intrusion detection optimizations. Algorithm 1 shows the HAE–HRL intrusion detection in the SCADA system. In the HAE–HRL framework, these integrations of anomaly detection and classification of two components operate in a sequential pipeline rather than in parallel. Specifically, the autoencoder-based anomaly detection functions as a preliminary filtering stage that identifies deviations from normal traffic by evaluating reconstruction error. Only those data instances flagged as anomalous are then forwarded to the classification stage, where the SoftMax classifier assigns them to specific cyber threat categories. This approach ensures that the system first isolates suspicious traffic through unsupervised learning before applying supervised classification, thereby improving detection accuracy and computational efficiency.

This paper presents a CNN–LSTM hybrid model for IDSs, improving intrusion detection by employing classification techniques and feature selection. Using NSL-KDD datasets guarantees real-time cybersecurity monitoring. Multi-threaded packet processing enhances network traffic management, while HAE–HRL enriches SCADA systems via anomaly detection and DL. The proposed systems minimize false positives, improve detection accuracy, and strengthen cybersecurity resilience. The autoencoder identifies unknown or previously unseen threats by detecting anomalies based on reconstruction error. It operates unsupervised, flagging traffic that deviates significantly from the learned normal patterns. Once an anomaly is detected, the latent representation or features extracted from that data point are passed to the classifier, which attempts to label the threat if it matches a known category. In this way, the autoencoder and the classifier are linked sequentially; the autoencoder detects novel or abnormal behavior, while the classifier interprets and labels threats that resemble known attack signatures.

In industrial settings with limited processing resources, deploying CNNs and LSTMs might provide substantial scaling issues. These DL models are inherently resource-intensive, necessitating a significant amount of memory, processing power, and energy usage. This is particularly true when they are employed for real-time intrusion detection in SCADA or other industrial control systems. Regarding DL inference tasks, industrial settings sometimes depend on outdated hardware or embedded systems that do not possess the computing capability necessary to carry them out effectively. As a consequence of this, the implementation of such models may result in latency problems, decreased throughput, or bottlenecks in the system, which would undermine the responsiveness and dependability of essential processes. In addition, the use of computer resources is further strained by the need for periodic retraining and adaptive learning, both of which are required to preserve detection accuracy in the face of ever-changing threat patterns.

A combination of hash-based cryptography and lattice-based encryption has been used to reduce the likelihood of quantum assaults, especially those that use Shor’s technique. The new cryptographic architecture incorporates a hybrid strategy to improve security in the long run by combining conventional and quantum-resistant encryption. Anomaly detection efficiency can be improved with the help of quantum-enhanced ML techniques, which have also been investigated for intrusion detection with Grover’s search algorithm. The CNN component extracts rich spatial features from SCADA traffic, capturing local dependencies. The LSTM then models the temporal sequences in the traffic data, which is especially important for time-series patterns common in cyber-attacks. The autoencoder serves as an anomaly detector, enabling the identification of previously unseen or subtle threat patterns in an unsupervised manner. Finally, the SoftMax classifier provides a supervised categorization of identified threats. Though the structure appears linear, each module performs a distinct role, and their integration is designed to create a layered defense mechanism, first detecting deviations and then classifying them.

4. Result and Discussion

Although essential for industrial activities, SCADA systems run major cybersecurity risks. Conventional intrusion detection techniques suffer in flexibility and false positives. This paper presents an HAE–HRL framework combining CNNs, autoencoders, and ResNet–LSTM to improve detection accuracy, anomaly detection, and adaptability. The method gives SCADA systems better cybersecurity, offering strong resistance against changing cyberattacks. Virtual environments with benchmark datasets and SCADA traffic scenario emulation were the only ones to evaluate the suggested methodology. This study conducted real-world industrial implementation and assessment. Therefore, the findings reflect the controlled test settings, exempt from the real-world unpredictability, hardware limits, and unexpected traffic behavior often encountered in operational SCADA setups. Performance parameters of the model, like detection latency and false-positive rate, are affected by this constraint, which makes them less generalizable.

Figure 6 highlights the false-positive rates of models. HAE–HRL has the lowest (5%), ensuring fewer incorrect alerts. The hybrid model was trained on the NSL-KDD dataset using an NVIDIA RTX 3090 GPU (Santa Clara, CA, USA), was sourced locally in Saudi Arabia, with 20 GB VRAM, 64 GB RAM, and an Intel i9-12900K processor. The total training time for 50 epochs was 3 h and 45 min, with an average epoch duration of 4.5 min. To optimize this, we utilized multi-threaded packet processing, which reduced pre-processing time by 35% compared to single-threaded baselines. Our primary experiments were conducted on the aforementioned high-performance setup. However, recognizing the resource constraints in industrial SCADA environments, we tested the model on an NVIDIA Jetson TX2. Future work will focus on reducing computational overhead and benchmarking real-time performance in industrial environments.

4.1. Dataset Description

SCADA systems must be linked to heterogeneous networks to save money, making security their biggest problem. A small-scale cyber-attack on a computer network will greatly affect SCADA systems since remote terminal units (RTUs) have limited resources. SCADA systems implementing the IEC 60870-5-104 protocol are frequently utilized in power plants [31]. A physical testbed simulates electrical distribution, providing a controlled environment for analysis and testing. Distributed SCADA systems are particularly vulnerable due to their direct integration within community infrastructure, exposing them to a wider range of potential attack vectors. This research seeks SCADA datasets. This work simulates human–machine interface (HMI)–RTU communication and then attacks to interrupt it. Attacks include port scans, brute force, and DoS. DoS attacks include internet control message protocol (ICMP), synchronize (Syn), and International Electrotechnical Commission (IEC) 104 floods. The IEC 104 flood attack overwhelms the remote terminal unit (RTU) with an unknown application service data unit (ASDU) type, disrupting normal operations. Kali Linux serves as the attack platform, while all network traffic is captured in pcap format, and IDSs such as Snort [32] and Suricata [33] analyze the dataset to detect malicious traffic patterns. The simulation environment utilized in this study is shown in Table 2.

The fundamental cryptographic procedures used to safeguard communication, authentication, and data integrity are jeopardized by quantum computing, which poses a significant challenge to the security architecture of SCADA systems. Securing control messages and establishing secure channels between field devices, RTUs, and control centers is accomplished by the majority of SCADA settings using public-key cryptography techniques like RSA and ECC. These cryptosystems, however, may be broken efficiently by quantum algorithms such as Shor’s algorithm. These algorithms solve fundamental mathematical problems, which include integer factorization and elliptic curve discrete logarithms, in a polynomial time. This would allow attackers to decrypt sensitive data, fake command authentication, and breach secure sessions, which might lead to unauthorized access to critical infrastructure. By increasing brute-force key searches, Grover’s approach may degrade symmetric encryption, reducing the effective security strength of the encryption. This is because SCADA systems are often built to have lengthy operating lifespans; thus, introducing adversaries capable of quantum computing might result in serious vulnerabilities if quantum-resistant cryptographic protocols are not proactively implemented.

Consistent trends in SCADA networks rely on anomaly detection (Figure 7). The HAE–HRL framework can separate dangerous activities from normal processes with 93.38% anomaly detection accuracy. Using autoencoders to detect deep abnormalities, the model gains unambiguous identification of deviations from expected behavior. With early identification of cyberattacks guaranteed by this high detection rate, potential ones are prevented. CNN-based feature extraction combined with ResNet–LSTM enhances anomaly detection, enhancing the system’s resilience to changing risks.

(16)$P_{s}w\left[a-qn{w}^{″}\right]:\to Ls\left[io-sn{e}^{″}\right]+Va\left[3d-s{n}^{″}\right]$

By combining adaptive variance adjustments ($P_{s}w$) with learned security insights ($\left[a-qn{w}^{″}\right]$), Equation (16) depicts the predictive secure weighting ($Ls\left[io-sn{e}^{″}\right]$) that will be used for anomaly-based queries ($Va\left[3d-s{n}^{″}\right]$). By boosting intrusion detection accuracy, decreasing false positives, and enhancing adaptive threat categorization, the equation improves SCADA system security for anomaly detection analysis.

Figure 8 shows the accuracy of different models in detecting anomalies. HAE–HRL achieves the highest accuracy (95%), outperforming CNN, LSTM, and a traditional IDS.

4.2. Analysis of Detection Accuracy

Detection accuracy (Figure 9) is a significant metric displaying the general effectiveness of the HAE–HRL system in identifying cyber threats. With an accuracy of 95.22%, the model properly classifies most situations, assuring a consistent cybersecurity solution for SCADA systems. This remarkable accuracy reveals the extent to which deep feature extraction and sequential pattern learning aid in reducing misclassification. As it greatly exceeds traditional methods, the proposed hybrid approach is a great choice for enhancing SCADA intrusion and network anomaly detection.

(17)${Ps}_w\left[i-s{b}^{″}\right]:\to La\left[w-y{q}^{″}\right]+Va\left[so-sn{e}^{″}\right]$

Equation (17) shows the predictive weighting of security ${Ps}_w$ for detected security breaches ($\left[i-s{b}^{″}\right]$), which combines adaptive variance scaling ($La\left[w-y{q}^{″}\right]$) with latent abnormal learning ($Va\left[so-sn{e}^{″}\right]$). The equation improves SCADA system security by minimizing false positives, strengthening cyber resilience, and modifying threat detection thresholds to analyze detection accuracy.

4.3. Analysis of False Positive

The false-positive rate (FPR) counts the percentage of allowed network activity misclassified as risks. With an FPR of 15.25%, the HAE–HRL model suggests that further optimization is needed to reduce the unwanted warnings shown in Figure 10. Reduced FPR is the foundation of SCADA security, as frequent false positives could overwhelm security personnel and induce response weariness. Although the autoencoder has remarkable accuracy, boosting its anomaly detection characteristics might increase performance and aid in lowering false alarms, thus improving intrusion detection dependability.

(18)$D_{s}qw:\to Na\left[\partial \propto -s{t}^{″}\right]+Ba\left[wo-s{n}^{″}\right]$

Integrating networks anomaly adjustments ($D_{s}qw:$) with baseline integrity reinforcement ($Na\left[\partial \propto -s{t}^{″}\right]$, Equation (18) reflects the decision support for querying weighting ($Ba\left[wo-s{n}^{″}\right]$). The equation enhances SCADA on false-positive analysis by providing an adaptive anomaly response.

Figure 11 illustrates the trade-off between true- and false-positive rates. HAE–HRL shows the best curve, indicating superior detection capability with minimal errors compared to CNN and LSTM.

4.4. Analysis of Adaptability

Finding new and changing cyber hazards in SCADA systems requires adaptability. With 92.96% adaptability, the HAE–HRL framework can fit new assault patterns (Figure 12). The model improves detection using sequential pattern recognition and DL-based feature extraction. Unlike conventional approaches that face new challenges, this hybrid technique guarantees real-time learning and adaptability. The great versatility makes the framework a future-proof cybersecurity solution for protecting vital infrastructure.

(19)$T_{s}e\left[o-a{n}^{″}\right]:\to Ls\left[w-u{w}^{″}\right]+Va\left[s-u{e}^{″}\right]$

The equation incorporates learned security patterns ($T_{s}e$) with adaptive variance adjustments ($Ls\left[w-u{w}^{″}\right]$) to represent threat indicate evaluation ($\left[o-a{n}^{″}\right]:\to$) for observed anomalies ($Va\left[s-u{e}^{″}\right]$). Equation (19) improves the security of SCADA systems by making anomaly detection more precise and making dynamic adjustments to account for new cyber threats for adaptability analysis.

4.5. Analysis of Intrusion Detection

A key component of cybersecurity, intrusion detection guarantees quick identification of illegal access and harmful actions. With a 92.96% intrusion detection accuracy, the HAE–HRL system becomes useful in spotting cyberattacks (Figure 13). Integration of CNN-based feature extraction, autoencoders, and ResNet–LSTM guarantees strong threat detection with great accuracy and recall. This result emphasizes how capable the framework is of improving SCADA system security, therefore providing strong protection against advanced cyberattacks.

(20)$P_{s}w\left[u-a{n}^{″}\right]:\to Bs\left[w-ua{q}^{″}\right]+Va\left[s-uw{e}^{″}\right]$

Equation (20) incorporates baseline safety measures $P_{s}w$ and adaptive variable adjustments ($Bs\left[w-ua{q}^{″}\right]$) to provide predictive health weighting ($\left[u-a{n}^{″}\right]$) for unsolved anomalies ($Va\left[s-uw{e}^{″}\right]$). The equation guarantees dynamic adaptation to new cyber dangers and improves the security of SCADA systems in analyzing intrusion detection. Table 3 shows the comparison of the existing method and the proposed method.

Combining DL models under the HAE–HRL architecture enhances the security of SCADA systems. Although it increases adaptability (92.96%), its 93.38% anomaly detection accuracy and 95.22% detection accuracy considerably decrease false positives (15.25%). The proposed system ensures real-time protection against new attacks, provides a powerful, reliable cybersecurity solution for industrial systems, and detects and classifies cyber threats better than present alternatives. Further, the proposed hybrid security combines asymmetric (e.g., anomaly detection, AI) methods to create a multi-layered defense. This reduces the asymmetry in attacker–defender dynamics by addressing known and unknown threats. The proposed method identifies deviations from normal behavior, which is inherently asymmetric because attackers often exploit unknown vulnerabilities or use novel techniques. Anomaly-based detection helps defenders detect zero-day attacks and other asymmetric threats. The proposed hybrid IDS combines signature-based and anomaly-based detection to create a more balanced defense. This ensures that known and unknown threats are addressed, reducing the asymmetry in attacker–defender dynamics.

The HAE–HRL model’s adaptability was tested by adding additional attack patterns that were not in the training dataset. This method simulates SCADA system hazards. The model uses adaptive learning by retraining the autoencoder, ResNet, and LSTM hybrid layers on updated datasets with known and newly uncovered intrusion signs. This is performed inside the model. The model uses temporal relationships detected by the LSTM layer and residual reconstruction errors for feedback-driven threshold setting and anomaly score recalibration. During the adaptability study, time-series data splitting was used to include modified DoS patterns and IEC 104 flood exploitation kinds. Before and after the adaptation cycles, detection accuracy and false-positive rate were measured to assess the model’s adaptability. The hybrid cybersecurity strategy for SCADA systems shows the potential to prevent asymmetric assaults but has limitations. These restrictions show the challenges of implementing sophisticated cybersecurity solutions for susceptible infrastructure and opportunities for improvement. Pre-trained machine learning algorithms may struggle to discover new attack vectors, which is one of the model’s biggest drawbacks. Asymmetric threats are dynamic, and attacker techniques are continually evolving. The model uses adaptive learning but still takes time to recognize and respond to new danger patterns. This delay necessitates continuous upgrades and retraining. Despite being designed to scale with SCADA network complexity, the model performs poorly in large-scale installations. As the network grows, real-time threat detection and response processing resources expand fast. This may delay operations and reduce efficiency. When resources are limited, this limitation is most obvious. The effectiveness of the ML components in the model heavily depends on the availability of high-quality, labeled training data. In practice, obtaining such data for SCADA systems can be challenging due to the sensitive nature of operational data and the lack of standardized datasets. Additionally, any biases or inaccuracies in the training data can compromise the model’s performance. Despite its advanced features, the model is not immune to adversarial attacks targeting ML algorithms. Attackers could exploit vulnerabilities in the model’s decision-making processes, leading to false positives or negatives. Addressing this limitation requires ongoing research into robust and resilient machine learning techniques.

5. Conclusions

Cybersecurity still poses a big challenge, as SCADA systems are prone to network anomalies and cyber-attacks. Often, classic IDSs fail without the flexibility to react to new dangers and high false positive rates. This paper introduced CNNs for feature extraction, autoencoders to detect anomalies by utilizing the HAE–HRL framework, and a hybrid ResNet–LSTM model for sequential analysis to solve these problems. The experimental results of reducing false positives reveal that the proposed approach significantly improves detection accuracy with a 95.22% detection benchmark, 93.38% anomaly detection, and 92.96% intrusion detection. On the other hand, real-time threat detection and improved security are guaranteed by competently identifying cyber hazards in SCADA systems with the HAE–HRL design. The proposed approach enhances our ability to differentiate between legitimate and malicious behaviors while more effectively identifying complex attack patterns than traditional methods. Although the structure is robust, further refinements could reduce the false positive rate (15.25%) and address key challenges associated with intrusion detection systems (IDSs). The proposed hybrid DL method offers a promising approach to safeguard the SCADA systems from evolving risks. This framework increases cybersecurity resilience and more dependable SCADA system protection by increasing anomaly detection and classification accuracy. In the future, the enhancement of HAE–HRL architecture will be explored for real-time deployment in big-scale SCADA systems and reducing the false-positive rate, which will be the main objectives of upcoming research. Furthermore, explainable AI (XAI) techniques facilitate a deeper understanding of threat detection mechanisms, enhancing transparency and trust in cybersecurity systems. Advancing research in transfer learning and adaptive learning methodologies will improve model generalization, ensuring resilience against zero-day attacks and evolving cyber threats. This study fully intends to explore the risks of quantum technology more deeply in future research, including potential mitigation strategies such as quantum-resistant encryption and post-quantum cryptography integration within hybrid intrusion detection frameworks.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Figure 1 Conceptual overview of traditional intrusion detection system (IDS) operation in a network environment.

Enlarge this image.

Figure 2 A sequential hybrid architecture combining a CNN for spatial feature extraction with LSTM networks to model temporal dependencies in the extracted features.

Enlarge this image.

Figure 3 Illustration of multi-threaded packet processing for efficient network traffic control.

Enlarge this image.

Figure 4 Illustrated systematic strategy for cyberattack identification and classification in SCADA networks.

Enlarge this image.

Figure 5 HAE–HRL: AI-driven cybersecurity framework or SCADA systems with DL-enhanced anomaly detection.

Enlarge this image.

Figure 6 Comparative analysis of false-positive rates (FPR) across different models.

Enlarge this image.

Figure 7 Anomaly detection analysis: assessing model effectiveness and precision.

Enlarge this image.

Figure 8 Illustration of comparative analysis of model accuracy in anomaly detection.

Enlarge this image.

Figure 9 Detection accuracy–evaluating the effectiveness of the HAE–HRL system in identifying cyber threats.

Enlarge this image.

Figure 10 Analysis of false positives: assessing the impact on detection reliability.

Enlarge this image.

Figure 11 ROC curve comparison: visualizing the trade-off between true- and false-positive rates.

Enlarge this image.

Figure 12 Analysis of adaptability: evaluating system flexibility and responsiveness.

Enlarge this image.

Figure 13 Analysis of intrusion detection: evaluating the effectiveness and efficiency of detection systems.

Enlarge this image.