Hybrid unsupervised machine learning framework for industrial control system intrusion detection
Main authors: | , , , , |
---|---|
Format: | Patent |
Language: | eng |
Summary: | A system for monitoring an industrial system for cyberattacks includes an industrial control system including a plurality of actuators, a plurality of sensors each arranged to measure one of a plurality of operating parameters, and an edge device and a computer including a data storage device having stored thereon a program that includes each of a time-series database including expected operating ranges for each operating parameter, a clustering-based database that includes clusters of operating parameters having similarities, and a correlation database that includes pairs of operating parameters that show a correlation. An alarm system is operable to initiate an alarm in response to current operating data including a measurement from one of the plurality of sensors falling outside of an expected range, a change in the expected clustering of one of the plurality of sensors based on the current operating data from each of the plurality of sensors, and a variation in the current operating data between two of the plurality of sensors that falls outside of an expected correlation of the two of the plurality of sensors. |
---|