Attacks on cyber-physical systems, such as nuclear and water treatment plants, have physical consequences that impact the lives of thousands of citizens. In such systems, it is mandatory to monitor the field network and detect potential threats before a problem occurs. This work proposes a hybrid approach that orchestrates unsupervised and incremental learning methods to detect threats that impact the control loops in a plant. We use online data processing to identify new attack vectors. We train the online incremental learning method as new attacks arrive. We also apply a one-class support vector machine to each monitored sensor or actuator to retrieve abnormal behaviors of their closed control loop. The proposed solution orchestrates the outputs from the two machine learning methods and alerts the system operators when it detects a threat. We evaluate the proposal on the Secure Water Treatment testbed dataset, and the results reveal that our proposal detects threats at more than 90% precision and with accuracy higher than 95%.