Teaching factories to fight back

A single cyberattack on a power grid can leave millions in the dark. A compromised water treatment plant could poison a city. As our factories and infrastructure grow smarter, they also grow more vulnerable. But what if industrial networks could learn to protect themselves—sensing danger the way your body senses infection?

As factories, energy systems, and water plants become increasingly connected, their exposure to cyberattacks grows.

Alireza Dehlaghi Ghadim's research builds what can be described as a digital immune system for industrial networks—teaching them to sense and identify malicious activity, and making it possible to respond to it, much like the human body detects and fights infections.

By combining machine learning with deep knowledge of industrial processes, the research produced open-source frameworks and datasets that allow companies to safely "train the immune system" of their networks—testing, learning, and improving cyber-resilience without risking real operations.

These innovations are already being adopted by researchers and industry partners worldwide, strengthening the digital health and trustworthiness of the systems that keep modern society running.

The Problem

Industrial Control Systems (ICS) run the processes that keep societies functioning—from energy to manufacturing. Their growing connectivity exposes them to cyberattacks capable of halting production or endangering lives. Traditional firewalls and rule-based intrusion detection cannot keep pace with new or previously unknown attacks. Yet applying machine learning in such time-critical and resource-limited systems has proved difficult due to a lack of realistic data, costly testbeds, and high false-alarm rates.

The Research

Between 2020 and 2025, Dehlaghi Ghadim explored how to make machine learning–based intrusion detection systems usable in real industrial settings rather than just in theory. The work resulted in:

  • ICSSIM – a flexible, low-cost test environment that makes it possible to safely simulate realistic cyber-attacks on industrial systems.
  • ICSFlowGenerator and ICS-Flow – freely available tools and datasets that allow researchers to extract features from network traffic and train/test algorithms for detecting abnormal behaviour.
  • Federated and semi-supervised learning – adapted for attack detection in ICS, helping systems learn from distributed data and limited attack examples.
  • A decision-support layer – reduces false alarms and helps operators focus on genuine threats.

From Lab to Industry

Working with ABB, Arctos Lab, RISE, Scania, TietoEvry and Westermo within EU projects INSECTT, DAIS and INTERSTICE, the tools were validated in industrial testbeds mirroring real factory networks. Their open release through GitHub and publications has enabled global reuse by researchers and security engineers. Industry partners now apply these resources to benchmark new security solutions without risking live operations.

Results

  • Reduced cost and time for cybersecurity experimentation in industry
  • Over 50 organizations worldwide using the ICS-Flow dataset
  • Enhanced Swedish and European industrial resilience through validated AI-based defense approaches
  • Strengthened MDU's position as a hub for trusted smart-system security

What's Next

Bridging AI and industrial cybersecurity requires both technical and organizational innovation—sharing data, building trust, and embedding AI safely in operations. Future work will extend the framework to real-time decision support and integration with models of industrial systems that mirror their physical counterparts.

Why This Matters for MDU

This research embodies MDU's vision of Trusted Smart Systems—combining AI, dependability and industry co-production to safeguard society's critical infrastructure. By showing how academic innovation at MDU translates into tangible benefits for industry and public security, the work also reinforces the bridge between research and education.

The results form the core of Alireza Dehlaghi Ghadim's PhD thesis and support MDU's educational offering in Cybersecurity, including the Cybersecurity Master's Programme, doctoral training, and online courses for professionals. Through this integration, the research helps build critical cybersecurity competence among future engineers while upskilling today's workforce.

Aligned with MDU's Vision

This research exemplifies Mälardalen University's vision of educating for global citizenship by combining collaboration, curiosity, and impact.

  • Developed in close co-production with industry partners, it strengthens MDU's role as an international knowledge node in industrial cybersecurity.
  • By openly sharing datasets and tools now used worldwide, it contributes to a collaborative and curiosity-driven learning culture.
  • Ultimately, it helps prepare future-ready, responsible engineers who safeguard the systems that underpin a sustainable society.

Read more in the publication from the proceedings of the International Conference on Emerging Technologies and Factory Automation (ETFA) -> IEEE