🤖 AI Summary
This work addresses the limitations of existing industrial control system (ICS) intrusion detection approaches, which are often confined to a single dimension—such as network traffic timing—and thus struggle to effectively detect coordinated cyber-physical attacks that span both network and physical domains. To overcome this, the paper proposes a unified intrusion detection framework that comprehensively covers all ICS dimensions by integrating multi-source data, including network traffic, control commands, and physical process states. Through multidimensional feature fusion, cross-domain anomaly detection, and ICS-specific behavioral modeling, the framework enables holistic awareness and real-time alerting of cyber-physical attacks. The study also systematically identifies and articulates the core challenges in building such an all-encompassing ICS detection system, advocating a paradigm shift from isolated detection mechanisms toward integrated, system-wide monitoring, thereby establishing a foundational problem framework and research direction for future efforts.
📝 Abstract
Past attacks against industrial control systems (ICS) show that adversaries often target both the ICS network and the physical process to achieve potentially catastrophic impact. To secure ICS, intrusion detection systems promise timely uncovering of such adversaries. However, as these detection mechanisms typically focus on isolated characteristics of ICS (e.g., packet timings), multiple detection systems have to be deployed in parallel, complicating their operation in practice. In this work, to spur discussion and further research, we present challenges encountered during our research towards a holistic intrusion detection system aiming to cover all dimensions of an ICS.