Adaptive Cyber Threat Detection for Rail SCADA Systems: A Hybrid Machine Learning and Statistical Approach

Supervisory Control and Data Acquisition (SCADA) systems form the digital backbone of modern railway operations, enabling real-time monitoring of critical track geometry parameters including gage, cross-level, alignment, and warp that are essential for preventing derailments and ensuring passenger safety. While SCADA-driven sensing has advanced continuous condition monitoring, it has also introduced new cyber-physical vulnerabilities, particularly stealthy False Data Injection Attacks (FDIAs) capable of masking real defects or fabricating false positives without detection. Existing rule-based and signature-based detection systems fail to identify subtle or novel attacks in high-dimensional, noisy rail geometry data, and most current models require labeled attack datasets that are rarely available. Although unsupervised methods such as autoencoders and Variational Autoencoders (VAEs) can detect deviations from learned normal behavior, they remain limited by non-stationary data characteristics and static detection thresholds. This research proposes a Hybrid VAE with Median Absolute Deviation (MAD) scoring to enable robust, adaptive anomaly detection based on the statistical significance of reconstruction errors. The study investigates whether this approach enhances detection of both subtle and overt FDIAs compared to Isolation Forest and static-threshold VAE baselines, evaluates the effectiveness of MAD-based adaptive thresholding against fixed percentile methods, and examines trade-offs in interpretability, computational load, and reliability across attack intensities. Using an operational track geometry dataset (18,290 samples, 87 features) from Colorado rail testing, the methodology simulates FDIAs through additive spikes, multiplicative distortion, and high-variance noise injection on safety-critical features. Model performance is evaluated using precision, recall, F1-score, and accuracy, with PCA and t-SNE visualization for validation. 
Findings will provide actionable deployment guidelines for enhancing cyber-physical resilience in railway SCADA systems.

    Language

    • English

    Project

    • Status: Active
    • Funding: $60,000.00
    • Contract Numbers:

      69A3552348323

    • Sponsor Organizations:

      Office of the Assistant Secretary for Research and Technology

      University Transportation Centers Program
      Department of Transportation
      Washington, DC  United States  20590
    • Managing Organizations:

      Howard University

      2400 6th Street, NW
      Washington, DC  United States  20059
    • Project Managers:

      Bruner, Britain

    • Performing Organizations:

      University of Maryland, College Park

      Department of Civil and Environmental Engineering
      College Park, MD  United States  20742
    • Principal Investigators:

      Attoh-Okine, Nii

    • Start Date: 20260102
    • Expected Completion Date: 20260930
    • Actual Completion Date: 0
    • USDOT Program: University Transportation Centers Program

    Filing Info

    • Accession Number: 01976552
    • Record Type: Research project
    • Source Agency: Research and Education for Promoting Safety (REPS) University Transportation Center
    • Contract Numbers: 69A3552348323
    • Files: UTC, RIP
    • Created Date: Jan 19 2026 4:16PM