Byte-Level Anomaly Detection in ICS Serial Communication Channels
MOMESSO, JACOPO
2025/2026
Abstract
Anomaly detection plays a critical role in securing Industrial Control Systems (ICS). Yet most existing approaches focus on Ethernet-based protocols and overlook the still-prevalent legacy serial channels. Designed with reliability rather than security in mind, these unencrypted low-level protocols are particularly susceptible to stealthy manipulation. Moreover, many current detection methods depend on Deep Packet Inspection (DPI) and protocol-specific feature engineering, which restricts their applicability to heterogeneous or undocumented proprietary industrial networks. This paper introduces Byte-Level Anomaly Detection for Serial ICS (BLAD-SICS), a method that models serial traffic as a continuous stream of raw bytes and thereby avoids both DPI and handcrafted, protocol-dependent features. Built on the ByT5 byte-level language model, the system learns both the structural syntax and the temporal semantics of benign Modbus over Serial Line communication. To support protocol-agnostic detection, a Dual-Model Ensemble combines single-packet syntactic inspection with sequence-level contextual analysis. The approach is evaluated on a highly randomized SCADA dataset containing 35 cyber-attack categories. Trained exclusively on benign traffic, a setup that reflects realistic zero-day conditions, the one-class classifier achieves 0.9166 accuracy and an attack-class F1-score of 0.8195. These results demonstrate that raw byte-level modeling can secure industrial bus communications without predefined signatures or parsed protocol features.

| File | Size | Format |
|---|---|---|
| Momesso_Jacopo.pdf (restricted access) | 537.88 kB | Adobe PDF |
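The abstract describes three ideas a practitioner may want to see concretely: treating Modbus RTU frames as raw bytes with no protocol parsing, a one-class model fitted on benign traffic only, and an ensemble that pairs per-frame syntactic scoring with a sequence-level context check. The following is an added illustration, not code from the thesis: the ByT5 language model is replaced by an add-one smoothed byte-bigram model, the sequence-level model by a set of observed frame-type transitions, and the benign polling traffic, the injected write request, the replayed response and the corrupted frame are all constructed inline. The CRC-16/MODBUS routine is the standard one; the decision threshold is simply the highest score seen on benign data, with no false-positive budget, which is a simplification for the demo.

```python
"""Byte-level one-class anomaly scoring over Modbus RTU frames (added example)."""
import math
from collections import Counter

START = 256  # virtual frame-start symbol, outside the 0..255 byte alphabet


def modbus_crc16(data: bytes) -> bytes:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, low byte sent first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def rtu_frame(address: int, pdu: bytes) -> bytes:
    """Modbus RTU frame = address byte + PDU + 2-byte CRC trailer."""
    body = bytes([address]) + pdu
    return body + modbus_crc16(body)


def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 4 and modbus_crc16(frame[:-2]) == frame[-2:]


class ByteBigramModel:
    """Add-one smoothed byte-transition model fitted on benign frames only.
    Stand-in for a byte-level language model; it never parses the protocol."""

    def __init__(self):
        self.pair, self.prev = Counter(), Counter()

    def fit(self, frames):
        for frame in frames:
            prev = START
            for b in frame:
                self.pair[(prev, b)] += 1
                self.prev[prev] += 1
                prev = b
        return self

    def score(self, frame: bytes) -> float:
        """Mean surprisal in nats per byte; higher means less like benign traffic."""
        nll, prev = 0.0, START
        for b in frame:
            nll -= math.log((self.pair[(prev, b)] + 1) / (self.prev[prev] + 256))
            prev = b
        return nll / max(len(frame), 1)


class FrameSequenceModel:
    """Sequence-level context: which coarse frame type was seen following which."""

    @staticmethod
    def key(frame: bytes):
        return frame[0], frame[1], len(frame)  # address, function code, length

    def __init__(self):
        self.seen = set()

    def fit(self, frames):
        for a, b in zip(frames, frames[1:]):
            self.seen.add((self.key(a), self.key(b)))
        return self

    def transition_ok(self, prev: bytes, cur: bytes) -> bool:
        return (self.key(prev), self.key(cur)) in self.seen


def benign_poll_cycle(values):
    """Constructed benign traffic: master reads 2 holding registers, slave 1 replies."""
    frames = []
    for v in values:
        frames.append(rtu_frame(0x01, bytes([0x03, 0x00, 0x00, 0x00, 0x02])))
        frames.append(rtu_frame(0x01, bytes([0x03, 0x04, 0x00, v, 0x00, v ^ 0x0F])))
    return frames


def build_detector(benign):
    """One-class ensemble: CRC check, then per-frame byte model, then sequence model."""
    byte_model = ByteBigramModel().fit(benign)
    seq_model = FrameSequenceModel().fit(benign)
    threshold = max(byte_model.score(f) for f in benign)  # toy threshold, no FP budget

    def classify(prev, cur):
        if not crc_ok(cur):
            return "malformed"
        if byte_model.score(cur) > threshold:
            return "byte-anomaly"
        if prev is not None and not seq_model.transition_ok(prev, cur):
            return "sequence-anomaly"
        return "benign"

    return classify


def demo():
    benign = benign_poll_cycle(list(range(8)) * 4)  # 32 poll cycles, 64 frames
    classify = build_detector(benign)
    request, response = benign[-2], benign[-1]
    write_attack = rtu_frame(0x01, bytes([0x06, 0x00, 0x00, 0x12, 0x34]))  # FC 06 never seen
    corrupted = request[:-1] + bytes([request[-1] ^ 0xFF])  # valid bytes, broken CRC
    return {
        "benign_request": classify(response, request),
        "injected_write": classify(response, write_attack),
        "replayed_response": classify(response, response),
        "bad_crc": classify(response, corrupted),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Two points the toy makes visible. First, the CRC trailer behaves like noise to a byte model, so benign frames with rarely seen register values score higher than the repetitive request; with a real validation split the threshold would be set against a false-positive budget rather than the benign maximum. Second, a replayed response is byte-for-byte benign and passes the per-frame model; only the sequence-level check catches it, which is the reason for combining the two views.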
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.
https://hdl.handle.net/20.500.12608/108084