Home / Research / Quantum Kernels

Quantum kernels for industrial control: can NISQ hardware actually defend a power plant?

A field report on the IEEE Access 2026 paper, what an 8-qubit ZZFeatureMap really buys you when you take it off the simulator and onto IBM's 156-qubit ibm_fez, and why that matters for SCADA defenders today, not in 2035.

Shujaatali Badami · Sole author · IEEE Access · 2026 · · ~9 min read

At a glance

AUC-ROC, SWaT (sim.)0.9912± 0.004
AUC-ROC, HAI (sim.)0.8309± 0.050
Δ over RBF SVM (HAI)+10.8%AUC
Feature mapZZFeatureMap8 qubits
Hardwareibm_fez156 qubits
Transpiled depth7628 CNOTs
Sim → HW gap17-20%fidelity
Robustness5-seed CVstratified

Pipeline · classical → quantum kernel → SVM

ICS sensor stream encoded by ZZFeatureMap, kernel evaluated on NISQ hardware, classified by classical SVM. ICS telemetry x ∈ ℝᵈ SWaT · HAI sensors ZZFeatureMap · 8q H⊗φ Z Z Z K(x,x') |⟨φ|φ'⟩|² Gram Execution noise-free statevector → theoretical ceiling IBM ibm_fez · 156q · transpiled → depth 76 · 28 CNOTs · 17-20% drop Classical SVM · QSVM decision: nominal vs anomalous
Hybrid pipeline. The classical SVM solver is unchanged; only the kernel call goes to the quantum device. Hardware-agnostic: any IBM, IonQ, or Quantinuum backend.

Abstract, IEEE Access, 2026

Modern Industrial Control Systems face sophisticated cyber-physical attacks that exploit nonlinear correlations between process variables, rendering traditional linear classifiers ineffective. This paper presents a hardware-agnostic Quantum Support Vector Machine framework employing an 8-qubit ZZFeatureMap kernel for anomaly detection in critical water-treatment and thermal-power infrastructure. Performance benchmarks were established via noise-free statevector simulation; physical realizability was separately validated on IBM's 156-qubit ibm_fez processor. Through cross-testbed validation on the SWaT and HAI datasets, the simulated approach achieves AUC-ROC of 0.9912 ± 0.004 on SWaT and 0.8309 ± 0.050 on HAI, a +10.8% AUC improvement over classical RBF-kernel SVMs on the harder testbed. Hardware execution on ibm_fez confirms physical realizability with circuit depth 76 and 28 CNOT gates, while revealing an expected fidelity degradation of approximately 17-20% relative to ideal simulation. All experimental artifacts are open-sourced.

Read on IEEE Xplore ↗ PDF (Open Access) ↓ DOI ↗ Code & data ↗

01The problem with linear thinking

A modern water-treatment plant or thermal power station does not get attacked by a single anomalous reading. It gets attacked by a broken correlation. A skilled adversary nudges the chlorine dosage and the flow rate together so that each value, on its own, still looks fine, but the joint behaviour is wrong. The relationship between the two is what's been compromised, not either individual measurement.

This is exactly the regime where classical linear classifiers fall apart. Linear SVMs see only marginal distributions; tree ensembles see only thresholds. RBF-kernel SVMs help, but their similarity function is radial and isotropic, it has no notion that "sensor 14 and sensor 19 are physically coupled" while "sensor 14 and sensor 31 are not." The geometry of the problem isn't reflected in the geometry of the model.

A quantum kernel reaches a feature space whose structure already mirrors the system being defended.

That is the opening this paper takes. The contribution is not "quantum machine learning beats classical machine learning", that claim, in 2026, is unearned and overhyped. The contribution is more disciplined: a hardware-agnostic framework, cross-testbed validation, and execution on a real 156-qubit processor, separating what the math promises from what today's silicon delivers.

02Why ZZFeatureMap, and why eight qubits

The encoding does most of the work in any kernel method. Here, an 8-dimensional sensor vector is mapped onto an 8-qubit register through a Pauli feature map composed of Hadamard layers, single-qubit Z-rotations parameterized by individual features, and entangling ZᵢZⱼ rotations parameterized by feature products. That last term is the whole point: ZᵢZⱼ creates an entanglement structure on the quantum state whose geometry directly encodes pairwise feature correlation.

For ICS data this is structurally appropriate. Coupled process variables, flow and pressure, voltage and current, dosage and pH, are exactly pairwise-correlated quantities. The kernel inherits an inductive bias tuned to the system, not to the dataset. A classical RBF kernel can learn correlations from data given enough samples; a ZZ-feature-mapped kernel has them by construction.

Eight qubits is an engineering choice, not a theoretical one. It's the largest size where (a) statevector simulation still fits inside a 32-bit working memory budget, allowing a clean noise-free comparison; (b) transpiled circuits remain shallow enough to execute on current NISQ hardware before decoherence dominates; (c) the kernel exhibits enough expressive capacity to separate the harder HAI attack classes. Going larger does not, today, monotonically improve outcomes, past a depth of roughly 80, hardware noise erases whatever extra expressive capacity a deeper feature map provides.

03Two testbeds, two difficulty regimes

SWaT, Singapore University of Technology and Design's six-stage water-treatment testbed, is the well-known benchmark. Its attacks are largely local: a malicious actuator command is reflected, eventually, in a downstream sensor. Most modern detectors, classical or quantum, hit AUC > 0.98 on SWaT.

HAI, the Hardware-in-the-Loop Augmented ICS dataset published by the Affiliated Institute of ETRI, is harder. Attacks span multiple stages of a thermal-power loop and combine slow drifts with stealthy short bursts. Classical RBF SVMs typically land in the high-0.7 AUC range here; deep models do better but require attack volumes that operators in the real world never have.

Both testbeds were used to guard against single-dataset overfitting, a recurring weakness in ICS security results. Cross-testbed validation, with identical preprocessing and identical hyperparameter search budgets, lets the comparison say something honest about the method rather than the dataset.

04What the numbers actually say

On SWaT, the simulated quantum kernel scores AUC-ROC = 0.9912 ± 0.004, statistically tied with a tuned RBF SVM. This is a feature, not a flaw: the SWaT attack space is mostly local, the bias-fit is good for both kernels, and there is little headroom left for any model.

On HAI, the simulated quantum kernel scores 0.8309 ± 0.050. The classical RBF baseline lands at roughly 0.75, the headline +10.8% AUC improvement. Variance is higher (± 0.050), as expected when the underlying signal is weaker, but a paired comparison across the five seeds shows the gap is consistent rather than driven by one lucky split.

Hardware execution on IBM's ibm_fez processor, a 156-qubit Heron-class device, was the real test. After transpilation the 8-qubit feature map landed at depth 76 with 28 two-qubit CNOT operations. The job completed; physical realizability is no longer hypothetical. End-to-end fidelity, however, dropped by 17-20% relative to ideal simulation. That gap is the price of running on today's hardware, and it sets the agenda for what comes next.

05Reading the simulation-to-hardware gap

The 17-20% degradation is not noise, it is structure. Two-qubit CNOTs dominate the error budget at roughly 1% per gate; with 28 of them in the transpiled circuit, accumulated error alone explains a large fraction of the gap. T₂ decoherence over a depth-76 schedule explains the rest. Single-qubit gates are essentially free at this scale.

What the gap suggests, concretely, is that error mitigation, Zero-Noise Extrapolation, Probabilistic Error Cancellation, is the next research lever, not deeper circuits. Halving the gap to under 10% is plausible on existing hardware with current mitigation methods. Closing it entirely will need either fault-tolerant qubits or a feature map redesigned to commute through the dominant error channels.

06Why this matters in 2026, not 2035

Most quantum-machine-learning claims hide behind the phrase "once fault-tolerant hardware is available." Kernel methods are different. Training is still classical, the SVM solver runs on a laptop. The quantum device is called only to populate the Gram matrix. Shallow Pauli feature maps fit inside today's coherence budgets. And because the kernel is hardware-agnostic, the same code that runs on ibm_fez compiles, unmodified, onto IonQ's trapped-ion devices and Quantinuum's H-series.

For a SCADA defender, the practical question is not "is this faster than classical" but "does this catch attacks the classical detector misses?" On the harder of the two public ICS benchmarks, the answer is yes, by a margin large enough to matter for incident-response budgets. That is the bar the paper aims at.

07How this fits the broader portfolio

This work is one layer of a defence-in-depth posture for critical infrastructure. Post-quantum cryptographic primitives, Kyber, Dilithium, SPHINCS+, protect the network and key-establishment layer against future quantum cryptanalysis. The companion VLSI energy-efficiency work at IEEE ICAIC 2026 creates the silicon headroom to run those PQC primitives on resource-constrained endpoints. Quantum-kernel anomaly detection, the subject of this paper, then defends the operational telemetry layer above the cryptographic floor, catching adversaries who already have access to the network.

Together these threads form a coherent agenda: a critical-infrastructure stack that is quantum-secure at the wire and quantum-aware in the SOC.

08Reproducibility

Every figure, every number, every transpilation pass is reproducible. The full training, evaluation, and hardware-submission pipeline lives at github.com/Ali-Badami/Quantum-IDS. The simulation tier runs on any laptop with Qiskit; the hardware tier requires an IBM Quantum account but uses the public free-tier devices. Statistical robustness is reported as mean ± standard deviation over five stratified-sampling seeds; nothing in the paper rests on a single lucky split.

09What comes next

  • Error mitigation. Closing the 17-20% simulation-to-hardware gap toward 5-10% with ZNE and PEC.
  • Larger feature maps. 16-24 qubit ZZFeatureMaps on next-generation Heron and IonQ Forte devices, exploring whether the HAI gap widens or saturates.
  • PQC integration. A single ICS gateway that authenticates with Kyber + Dilithium and detects with quantum kernels, ending the handshake-and-monitor split that today forces operators to pick one.
  • Operator-in-the-loop evaluation. Moving beyond AUC to mean-time-to-detect against a live red-team, the metric defenders actually buy budget against.
Questions

Frequently asked.

/faq
Q01What is a quantum kernel and why use one for anomaly detection?
A quantum kernel is a similarity function K(x, x') = |⟨φ(x)|φ(x')⟩|², evaluated by encoding classical data into a quantum state on a parameterized circuit and measuring the overlap between two such states. The kernel is then handed to an ordinary classical SVM solver. For ICS anomaly detection, the ZZFeatureMap encoding produces an entangled feature space whose ZᵢZⱼ structure naturally captures pairwise correlations between coupled sensors, the inductive bias needed for cyber-physical systems where attacks manifest as broken correlations, not as anomalous individual values.
Q02Why ZZFeatureMap specifically, and why exactly eight qubits?
ZZFeatureMap is a Pauli feature map with second-order ZᵢZⱼ entangling rotations and is conjectured to be classically hard to simulate. Its pairwise-interaction structure mirrors how attackers perturb correlations between coupled process variables in ICS. Eight qubits is the largest size that fits inside the 32-bit statevector simulator's working memory while still admitting reliable execution on current 156-qubit NISQ devices after transpilation, deeper or wider circuits dissolve into decoherence on today's hardware.
Q03How does it perform versus classical SVMs?
On SWaT (water treatment) the simulated quantum kernel achieves AUC-ROC = 0.9912 ± 0.004, statistically tied with a tuned classical RBF SVM. On HAI (thermal power), the harder testbed, it reaches 0.8309 ± 0.050, a +10.8% AUC improvement over the RBF baseline. The advantage shows up precisely where classical kernels struggle: long-horizon dependencies and stealthier multi-stage attacks.
Q04Did this run on real quantum hardware or only in simulation?
Both, deliberately separated. Performance benchmarks were established via noise-free statevector simulation to fix the theoretical ceiling. Physical realizability was then validated by executing the transpiled 8-qubit circuits, depth 76, 28 CNOT gates, on IBM's 156-qubit ibm_fez NISQ processor. Hardware fidelity dropped by approximately 17-20% relative to ideal simulation, consistent with current gate-error and decoherence budgets.
Q05What datasets did you use and why those?
SWaT (Secure Water Treatment, six-stage water-purification testbed) and HAI (Hardware-in-the-Loop Augmented ICS, thermal/hydro power generation). Together they cover process-type diversity, attack-style diversity, and difficulty regimes, SWaT is comparatively well-separated; HAI is harder and is where classical methods break. Cross-testbed validation guards against single-dataset overfitting, a recurring weakness in published ICS anomaly-detection results.
Q06Why not just use deep learning?
Critical-infrastructure operators do not have massive labelled attack datasets. Real attacks are rare and often classified, and synthetic ones are notoriously easy for deep models to overfit. Kernel methods generalize from limited samples, they encode the geometry of the problem in the kernel rather than learning it from data. Quantum kernels extend that advantage by reaching feature spaces no classical kernel can efficiently represent.
Q07Is this useful today, before fault-tolerant quantum computers exist?
Yes. Kernel methods are one of the few quantum-machine-learning techniques where today's NISQ hardware can plausibly add value. Training stays classical; only the Gram-matrix entries call the quantum device. Shallow ZZFeatureMap circuits fit inside current coherence budgets. The framework is hardware-agnostic, it transpiles to IBM, IonQ, or Quantinuum backends without code changes.
Q08How does this connect to your post-quantum cryptography work?
Both protect critical infrastructure but at different layers. Post-quantum cryptography (Kyber, Dilithium, SPHINCS+) defends the network and key-establishment layer against future quantum cryptanalysis. Quantum-kernel anomaly detection defends the operational telemetry layer, catching attackers who already bypassed perimeter controls. Together they form defence-in-depth: PQC at the wire, quantum kernels in the SOC.
Q09Are the experiments reproducible?
Yes. All circuits, training scripts, dataset preprocessing, and evaluation harnesses are open-sourced at github.com/Ali-Badami/Quantum-IDS. Statistical robustness uses 5-seed stratified cross-validation; reported numbers are mean ± standard deviation.
Q10What are you working on next?
Three directions: (1) error-mitigated execution to push the simulation-to-hardware gap below 10%; (2) larger feature maps (16-24 qubits) on next-generation processors; (3) integration with post-quantum cryptographic key-exchange so a single ICS gateway can both authenticate quantum-securely and detect quantum-securely.
Adjacent

Related publications.

/related
IEEE ICAIC · 2026

AI-Optimized VLSI Architecture for Energy-Efficient and Sustainable IoT Systems

52% energy-efficiency gain creates the silicon headroom to run PQC primitives on resource-constrained endpoints, the layer below the kernel work above.

DOI ↗
IEEE ICPCT · 2025

Quantum Bootstrap in Microcanonical Ensembles

Microcanonical resampling reduces computational overhead in quantum many-body simulations, methodologically adjacent to the simulation-tier benchmarks here.

DOI ↗
IEEE ICBATS · 2025

Mitigating Tails Switching in Multibranch Proof-of-Stake Systems

Quantum-inspired selection mechanism preventing fork-switching attacks, a different application of quantum-style geometry to a security problem.

DOI ↗
Reference

Cite this work.

/cite
@article{badami2026quantumkernels,
  title   = {Hardware-Agnostic Quantum Kernel Feature Mapping for Anomaly
             Detection in Critical Infrastructure: A Cross-Testbed Validation
             on NISQ Processors},
  author  = {Badami, Shujaatali},
  journal = {IEEE Access},
  year    = {2026},
  doi     = {10.1109/ACCESS.2026.3679234},
  url     = {https://ieeexplore.ieee.org/document/11457916},
  note    = {Open Access. Code: https://github.com/Ali-Badami/Quantum-IDS}
}
S. Badami, "Hardware-Agnostic Quantum Kernel Feature Mapping for Anomaly
Detection in Critical Infrastructure: A Cross-Testbed Validation on NISQ
Processors," IEEE Access, 2026, doi: 10.1109/ACCESS.2026.3679234.
Badami, S. (2026). Hardware-agnostic quantum kernel feature mapping for
anomaly detection in critical infrastructure: A cross-testbed validation
on NISQ processors. IEEE Access. https://doi.org/10.1109/ACCESS.2026.3679234

Badami (2026), in IEEE Access, introduces a hardware-agnostic Quantum Support Vector Machine framework using an 8-qubit ZZFeatureMap kernel for anomaly detection in critical infrastructure. The work cross-validates on the SWaT and HAI ICS testbeds, reporting AUC-ROC of 0.9912 on SWaT and 0.8309 on HAI, a +10.8% improvement over classical RBF-kernel SVMs on the harder testbed, and confirms physical realizability through circuit execution on IBM's 156-qubit ibm_fez NISQ processor.