The CUSUM algorithm is a sequential analysis technique that detects shifts in the statistical mean of a process. It works by accumulating the deviations of each data point from a reference or target value. When the cumulative sum of these deviations exceeds a predefined control limit or threshold, the algorithm signals that a statistically significant change has occurred, making it highly effective for identifying subtle, persistent drifts rather than abrupt spikes.
Glossary
CUSUM Algorithm

What is the CUSUM Algorithm?
The Cumulative Sum (CUSUM) algorithm is a sequential analysis technique used in changepoint detection that accumulates deviations from a target mean, triggering an alert when the cumulative sum exceeds a defined threshold.
In SCADA anomaly detection, CUSUM monitors operational parameters like voltage, pressure, or command frequencies to identify malicious deviations from a behavioral baseline. Its memory-based accumulation makes it sensitive to slow, low-and-slow attacks that signature-based systems miss, while its computational simplicity allows deployment directly on resource-constrained intelligent electronic devices.
Key Characteristics of CUSUM
The Cumulative Sum algorithm is a cornerstone of statistical process control, designed to detect subtle but sustained shifts in a process mean that individual point tests like Shewhart charts might miss.
Sequential Accumulation of Error
CUSUM operates by accumulating deviations from a target value over time. Unlike threshold-based methods that look at single data points, CUSUM integrates the difference between each observation and a reference mean. This sequential summation makes it exceptionally sensitive to small, persistent shifts in the process mean, as the cumulative statistic steadily drifts away from zero when a change occurs.
The Decision Interval (H) Threshold
An alarm is triggered when the cumulative sum exceeds a predefined decision interval (H). This threshold is not arbitrary; it is typically selected based on the desired Average Run Length (ARL). A larger H value reduces false alarms but increases the time to detect a real shift. The standard CUSUM is often implemented as a two-sided test, using separate upper (C+) and lower (C-) cumulative sums to detect both increases and decreases in the mean.
Reference Value (K) and Drift Sensitivity
The reference value (K), often set to half the magnitude of the shift considered critical, acts as a slack parameter. By subtracting K from each deviation before accumulation, the algorithm filters out random noise and prevents the sum from drifting due to normal variance. This parameter directly tunes the algorithm's sensitivity to a specific magnitude of change, making it optimal for detecting a pre-specified shift size.
Non-Parametric Variants
While the standard CUSUM assumes normally distributed data, non-parametric CUSUM variants exist for scenarios where the underlying data distribution is unknown or heavy-tailed. These methods operate on ranks or signs of the data rather than raw values, providing robust changepoint detection without distributional assumptions. This is critical in OT environments where sensor noise profiles may not follow a Gaussian distribution.
Application in SCADA Anomaly Detection
In industrial control systems, CUSUM is deployed to detect stealthy command injection attacks that subtly modify process parameters over time. Instead of triggering on a single malicious Modbus write, a CUSUM-based detector monitors the cumulative deviation of a sensor reading from its predicted baseline. A slow, deliberate manipulation—such as gradually opening a pressure valve—will eventually cause the cumulative sum to breach the decision interval, alerting operators to a low-and-slow cyber-physical attack.
CUSUM vs. Shewhart Charts
Shewhart control charts (e.g., X-bar charts) are effective for detecting large, sudden shifts but are statistically weak against small, sustained drifts. CUSUM complements Shewhart charts by integrating historical data. A common hybrid approach uses a Shewhart chart for gross error detection and a CUSUM chart for subtle drift detection. This dual strategy provides comprehensive monitoring coverage for both abrupt faults and gradual degradation in industrial processes.
Frequently Asked Questions
Explore the mechanics, applications, and tuning parameters of the Cumulative Sum algorithm, a foundational sequential analysis technique for real-time changepoint detection in industrial control systems.
The Cumulative Sum (CUSUM) algorithm is a sequential analysis technique that detects shifts in the statistical mean of a process by accumulating deviations from a target value over time. Unlike simple thresholding on raw data points, CUSUM maintains a running sum of the differences between observed values and a reference mean. The algorithm operates in two phases: first, it calculates an upper cumulative sum (S_H) and a lower cumulative sum (S_L) for each new observation. When the process is in control, these sums hover near zero. When a sustained shift occurs, the relevant sum begins to drift upward. A changepoint is declared when either (S_H) exceeds a predefined decision interval (H) or (S_L) falls below (-H). This mechanism makes CUSUM exceptionally sensitive to small, persistent shifts—often detecting a 1-sigma change in half the time required by a standard Shewhart control chart. The algorithm is memory-efficient, requiring only the previous cumulative sum and the current observation to update, making it ideal for streaming SCADA telemetry where computational overhead must be minimized.
CUSUM vs. Other Anomaly Detection Methods
Comparative analysis of sequential changepoint detection algorithms for identifying malicious commands in industrial control system traffic.
| Feature | CUSUM | Isolation Forest | Autoencoder | LSTM Sequence Model |
|---|---|---|---|---|
Detection Paradigm | Sequential changepoint accumulation | Random partitioning isolation | Reconstruction error thresholding | Prediction error on sequence |
Training Data Requirement | Target mean only | Full dataset required | Full dataset required | Labeled sequence data required |
Real-Time Streaming Support | ||||
Memory Footprint | O(1) constant | O(n) tree ensemble | High (neural weights) | High (recurrent weights) |
Sensitivity to Concept Drift | High (manual threshold reset) | Moderate (retraining needed) | High (retraining needed) | Moderate (online fine-tuning) |
Interpretability | High (cumulative sum trace) | Moderate (path length) | Low (black-box latent space) | Low (black-box hidden state) |
False Positive Rate on Noisy SCADA | 0.3% | 0.5% | 0.8% | 0.1% |
Detection Latency | < 1 ms | 5-10 ms | 15-30 ms | 10-20 ms |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The CUSUM algorithm belongs to a broader family of sequential analysis and changepoint detection techniques. Understanding these related concepts is essential for selecting the right method for SCADA anomaly detection.
Sequential Probability Ratio Test (SPRT)
A foundational sequential hypothesis testing method developed by Abraham Wald that predates and informs CUSUM. SPRT evaluates incoming observations one at a time and makes a decision—accept, reject, or continue sampling—as soon as sufficient evidence accumulates. Unlike fixed-sample tests, SPRT minimizes the expected number of observations required to reach a decision at a given error threshold. In SCADA anomaly detection, SPRT is often used for rapid intrusion detection where minimizing detection delay is critical.
Shewhart Control Chart
The simplest statistical process control method, which flags an anomaly when a single observation exceeds a threshold—typically three standard deviations from the mean. Unlike CUSUM, Shewhart charts have no memory of past observations, making them insensitive to small, sustained shifts. In ICS environments, Shewhart charts are useful for detecting sudden, catastrophic deviations like a voltage collapse but fail to identify slow, stealthy attacks that gradually drift a process variable out of specification.
Exponentially Weighted Moving Average (EWMA)
A control chart technique that applies geometrically decreasing weights to past observations, giving more influence to recent data. EWMA bridges the gap between Shewhart charts and CUSUM by providing a tunable smoothing parameter λ. A smaller λ gives more weight to historical data, improving detection of small shifts. In operational technology monitoring, EWMA is frequently used for real-time sensor validation, detecting subtle calibration drifts in pressure transmitters and flow meters before they trigger false alarms.
Bayesian Changepoint Detection
A probabilistic framework that computes the posterior distribution over possible changepoint locations given observed data. Unlike CUSUM's frequentist approach, Bayesian methods quantify uncertainty about whether and when a change occurred. The technique models the run length—the time since the last changepoint—and updates beliefs recursively. In SCADA security, Bayesian changepoint detection excels at identifying multiple change points in complex, non-stationary ICS traffic patterns where prior knowledge about attack signatures is available.
Generalized Likelihood Ratio (GLR) Test
A changepoint detection method that compares the maximum likelihood under the null hypothesis of no change against the maximum likelihood under the alternative hypothesis that a change occurred at an unknown time. GLR extends CUSUM by handling cases where post-change parameters are unknown. In industrial control system anomaly detection, GLR is valuable when the exact nature of an attack—such as the specific manipulated register value or command frequency—cannot be specified in advance.
Page's Cumulative Sum Test
The original formulation by E.S. Page in 1954 that introduced the CUSUM decision interval scheme. Page's test accumulates the log-likelihood ratio of each observation and resets the cumulative sum to zero whenever it becomes negative, then signals when it exceeds a threshold h. This one-sided formulation is the direct ancestor of modern CUSUM implementations used in DNP3 and Modbus traffic monitoring, where the direction of deviation—such as an unexpected increase in write commands—is known a priori.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us