7 April 2024 | Nicholas Jeffrey, Qing Tan, José R. Villar
This paper introduces a hybrid anomaly detection approach for Cyber–Physical Systems (CPSs) that combines signature-based, threshold-based, and behavior-based anomaly detection methods. The behavior-based stage uses Ensemble Learning (EL), combining several Machine Learning (ML) algorithms to improve predictive performance. The study addresses the high heterogeneity of CPS environments, the scarcity of real-world data, and the particular scarcity of labelled training examples of anomalous activity.
The proposed method follows a divide-and-conquer strategy: signature-based and threshold-based checks handle known threats and the immutable physical characteristics of the monitored process, while behavior-based anomaly detection is performed with EL. The approach is validated on two public datasets, Edge-IoTset2023 and CICIoT2023, where it improves accuracy by 4–7% over conventional ML classifiers. The results underline why accurate anomaly detection matters in CPSs: system interruptions carry high financial and life-safety costs. The paper also discusses the limitations and future directions of the proposed method, in particular further work on deep learning and on threshold tuning to raise accuracy and reduce false positives and false negatives.
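The following is an added illustration of the divide-and-conquer layering the abstract describes; it is not code from the paper, and the paper's actual learners, features, signatures and thresholds are not given here. It assumes a record carries a raw payload plus four telemetry features (`pkt_rate`, `mean_pkt_len`, `temp_c`, `pressure_bar`); the byte-pattern signatures, the physical sensor limits and the training telemetry are all constructed for the example. Known threats short-circuit at the signature stage, physically impossible readings at the threshold stage, and only what passes both reaches a hand-rolled majority-vote ensemble of three simple learners, so that scarce anomaly labels are spent only on the behavioral residue.

```python
# Added example: three-stage hybrid detector (signature -> threshold -> ensemble).
# Everything below (signatures, limits, telemetry) is constructed for illustration.
import math
from collections import Counter

# Stage 1: byte patterns of known malicious payloads (constructed, not real IOCs).
SIGNATURES = {
    "modbus-write-coils-broadcast": b"\x00\x00\x00\x00\x00\x06\x00\x0f",
    "telnet-default-cred": b"admin\r\nadmin\r\n",
}

# Stage 2: immutable physical limits of the sensors (constructed). A reading outside
# these bounds cannot come from the process, so it is anomalous whatever a model says.
PHYSICAL_LIMITS = {"temp_c": (-40.0, 150.0), "pressure_bar": (0.0, 25.0)}
MAX_TEMP_DELTA_C = 10.0  # largest plausible change between consecutive samples

BEHAVIOR_FEATURES = ("pkt_rate", "mean_pkt_len", "temp_c", "pressure_bar")


def signature_check(payload):
    """Return the name of the first matching signature, or None."""
    return next((n for n, p in SIGNATURES.items() if p in payload), None)


def threshold_check(record, previous=None):
    """Return a reason string if a physical limit is violated, else None."""
    for key, (lo, hi) in PHYSICAL_LIMITS.items():
        if not lo <= record[key] <= hi:
            return f"{key}={record[key]} outside physical range [{lo}, {hi}]"
    if previous is not None and abs(record["temp_c"] - previous["temp_c"]) > MAX_TEMP_DELTA_C:
        return "temp_c changed faster than the process allows"
    return None


# Stage 3: a small ensemble. Label 0 = normal, 1 = anomalous behavior.
def _vec(record):
    return [float(record[f]) for f in BEHAVIOR_FEATURES]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:
    def fit(self, X, y):
        self.c = {}
        for label in set(y):
            rows = [x for x, l in zip(X, y) if l == label]
            self.c[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, x):
        return min(self.c, key=lambda l: _dist(x, self.c[l]))


class KNN:
    def __init__(self, k=3):
        self.k = k

    def fit(self, X, y):
        self.X, self.y = X, y
        return self

    def predict(self, x):
        nearest = sorted(zip(self.X, self.y), key=lambda p: _dist(x, p[0]))[: self.k]
        return Counter(l for _, l in nearest).most_common(1)[0][0]


class ZScoreDetector:
    """One-class learner: fits mean/std on normal rows only, flags any |z| > 3."""
    def fit(self, X, y):
        normal = [x for x, l in zip(X, y) if l == 0]
        self.mu = [sum(col) / len(normal) for col in zip(*normal)]
        self.sd = [max(math.sqrt(sum((v - m) ** 2 for v in col) / len(normal)), 1e-9)
                   for col, m in zip(zip(*normal), self.mu)]
        return self

    def predict(self, x):
        return int(any(abs((v - m) / s) > 3.0 for v, m, s in zip(x, self.mu, self.sd)))


class VotingEnsemble:
    def __init__(self, learners):
        self.learners = learners

    def fit(self, X, y):
        for l in self.learners:
            l.fit(X, y)
        return self

    def predict(self, x):
        votes = [l.predict(x) for l in self.learners]
        return int(2 * sum(votes) > len(votes))  # simple majority


def build_training_set():
    """Constructed telemetry: steady-state operation vs. a packet flood."""
    normal = [(50 + i, 95 + i % 5, 79.0 + 0.2 * i, 9.8 + 0.05 * i) for i in range(12)]
    flood = [(400 + 20 * i, 64 + i % 3, 80.0, 10.0) for i in range(6)]
    X = [list(map(float, r)) for r in normal + flood]
    return X, [0] * len(normal) + [1] * len(flood)


def train_model():
    X, y = build_training_set()
    return VotingEnsemble([NearestCentroid(), KNN(3), ZScoreDetector()]).fit(X, y)


def classify(record, model, previous=None):
    """Run the stages in order; return (is_anomaly, stage_that_decided, detail)."""
    sig = signature_check(record["payload"])
    if sig:
        return True, "signature", sig
    reason = threshold_check(record, previous)
    if reason:
        return True, "threshold", reason
    return bool(model.predict(_vec(record))), "behavior", "ensemble majority vote"


if __name__ == "__main__":
    model = train_model()
    base = {"payload": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
            "pkt_rate": 58, "mean_pkt_len": 97, "temp_c": 80.0, "pressure_bar": 10.0}
    for name, rec in [("normal", base), ("flood", dict(base, pkt_rate=520, mean_pkt_len=64)),
                      ("known-sig", dict(base, payload=b"xx admin\r\nadmin\r\n")),
                      ("impossible", dict(base, temp_c=400.0))]:
        print(name, classify(rec, model))
```

The ordering is the point: a record matching a signature never touches the model, and a reading outside the sensor's physical envelope is rejected even if the ensemble, trained only on what has been seen before, would have called it normal. Only the leftover traffic consumes the scarce labelled anomalies.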