Critical infrastructures, e.g., electricity generation and dispersal networks, chemical processing plants, and gas distribution, are governed and monitored by supervisory control and data acquisition systems (SCADA). Detecting intrusion is a prevalent area of study for numerous years, and several intrusion detection systems have been suggested in the literature for cyber-physical systems and industrial control system (ICS). In recent years, the viruses seismic net, duqu, and flame against ICS attacks have caused tremendous damage to nuclear facilities and critical infrastructure in some countries. These intensified attacks have sounded the alarm for the security of the ICS in many countries. The challenge in constructing an intrusion detection framework is to deal with unbalanced intrusion datasets, i.e. when one class is signified by a lesser amount of instances (minority class). To this end, we outline an approach to deal with this issue and propose an anomaly detection method for the ICS. Our proposed approach uses a hybrid model that takes advantage of the anticipated and consistent nature of communication patterns that occur among ground devices in ICS setups. First, we applied some preprocessing techniques to standardize and scale the data. Second, the dimensionality reduction algorithms are applied to improve the process of anomaly detection. Third, we employed an edited nearest-neighbor rule algorithm to balance the dataset. Fourth, by using the Bloom filter, a signature database is created by noting the system for a specific period lacking the occurrence of abnormalities. Finally, to detect new attacks, we combined our package contents-level detection with another instance-based learner to make a hybrid method for anomaly detection. The experimental results with a real large-scale dataset generated from a gas pipeline SCADA system show that the proposed approach HML-IDS outperforms the benchmark models with an accuracy rate of 97%.