Causal Digital Twins for Cyber-Physical Security: A Framework for Robust Anomaly Detection in Industrial Control Systems

Mohammadhossein Homaei, Mehran Tarif, Pablo Garcia Rodriguez, Andres Caro, Mar Avila

TL;DR

The paper addresses the problem that correlation-based anomaly detection in water-ICS often yields false alarms and poor root-cause analysis. It presents a Causal Digital Twin (CDT) framework that integrates automated causal graph discovery, Structural Causal Models, interventional DT construction, and counterfactual reasoning to enable association, intervention, and counterfactual queries. Key contributions include automated causal structure discovery with $90.8\%$ physical-constraint compliance, F1-scores of $0.944$ (SWaT), $0.902$ (WADI), and $0.923$ (HAI), a 74% reduction in false positives, 78.4% Top-1 root-cause accuracy, and counterfactual defenses reducing attack success by $73.2\%$, all with $3.2$ ms real-time latency. The results demonstrate a scalable, interpretable, causality-aware security framework for medium-scale water systems and support cross-dataset transfer, enabling proactive defense planning.

Abstract

Industrial Control Systems (ICS) in water distribution and treatment face cyber-physical attacks exploiting network and physical vulnerabilities. Current water system anomaly detection methods rely on correlations, yielding high false alarms and poor root cause analysis. We propose a Causal Digital Twin (CDT) framework for water infrastructures, combining causal inference with digital twin modeling. CDT supports association for pattern detection, intervention for system response, and counterfactual analysis for water attack prevention. Evaluated on water-related datasets SWaT, WADI, and HAI, CDT shows 90.8% compliance with physical constraints and structural Hamming distance $0.133 \pm 0.02$. F1-scores are $0.944 \pm 0.014$ (SWaT), $0.902 \pm 0.021$ (WADI), $0.923 \pm 0.018$ (HAI, $p<0.0024$). CDT reduces false positives by 74%, achieves 78.4% root cause accuracy, and enables counterfactual defenses reducing attack success by 73.2%. Real-time performance at 3.2 ms latency ensures safe and interpretable operation for medium-scale water systems.

Paper Structure

This paper contains 28 sections, 24 equations, 6 figures, 14 tables, 1 algorithm.

Figures (6)

  • Figure 1: Simpson’s Paradox in Water Treatment Systems
  • Figure 2: Three Levels of Causal Analysis (Pearl's Hierarchy): (a) Association, (b) Intervention, and (c) Counterfactuals, illustrating the necessary complexity for robust cyber-physical security.
  • Figure 3: Causal versus Statistical Anomaly Detection in SWaT Attack Scenario. (Top) Statistical anomaly detection using moving Z-score cannot detect the gradual attack until t=160. (Middle) Detection based on causal mechanism violation finds the attack at t=110, giving earlier warning. (Bottom) Sensor readings during stealthy LIT101 manipulation attack, showing causal detection advantage of 50 time steps.
  • Figure 4: Detection Performance Comparison: F1-scores across seven baseline methods on the SWaT dataset. Our CDT framework achieves an F1-score of $0.944 \pm 0.014$, representing a statistically significant improvement ($^{***}p < 0.001$) over existing approaches. Error bars show 95% confidence intervals.
  • Figure 5: Computational performance breakdown: offline tasks (Causal Discovery, SDM Estimation) run at initialization, while online tasks (Anomaly Detection, Root Cause Analysis, Counterfactual Analysis) operate in real time. Times for discovery/estimation are in minutes; others in milliseconds.
  • ...and 1 more figures
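
The contrast described in the Figure 3 caption can be illustrated on a constructed single-tank trace (an added example, not the paper's code or data): a slow ramp bias on the level reading is checked with a moving Z-score on the raw value and with a CUSUM on the mass-balance residual. The tank model, noise, thresholds and all function names are assumptions for illustration, and CUSUM is used here as a simple residual test, not as the paper's detector.

```python
import math
from statistics import mean, pstdev

# Constructed single-tank trace (not SWaT data): the reported level should obey
# the mass balance  level[t] = level[t-1] + K * (q_in[t-1] - q_out[t-1]).
K, T, ATTACK_START, SLOPE = 1.0, 400, 200, 0.5

def simulate(slope=SLOPE):
    """Return (reported_level, q_in, q_out) with a ramp bias on the level sensor."""
    level, reported, q_in, q_out = 500.0, [], [], []
    for t in range(T):
        noise = 0.3 * math.sin(1.7 * t)                   # bounded sensor noise (constructed)
        bias = slope * (t - ATTACK_START + 1) if t >= ATTACK_START else 0.0
        reported.append(level + noise + bias)
        q_in.append(10.0 if (t // 40) % 2 == 0 else 0.0)  # inlet pump on a fixed 40-step schedule
        q_out.append(5.0)
        level += K * (q_in[t] - q_out[t])
    return reported, q_in, q_out

def zscore_alarm(x, window=80, limit=3.0):
    """First t where the moving Z-score of the raw reading exceeds limit, else None."""
    for t in range(window, len(x)):
        ref = x[t - window:t]
        if abs(x[t] - mean(ref)) > limit * pstdev(ref):
            return t
    return None

def mechanism_alarm(x, q_in, q_out, drift=0.25, limit=3.0):
    """Two-sided CUSUM on the mass-balance residual; first alarm time, else None."""
    hi = lo = 0.0
    for t in range(1, len(x)):
        # Residual = reported level minus what the flows say it should be.
        r = x[t] - (x[t - 1] + K * (q_in[t - 1] - q_out[t - 1]))
        hi, lo = max(0.0, hi + r - drift), max(0.0, lo - r - drift)
        if hi > limit or lo > limit:
            return t
    return None

def compare(slope=SLOPE):
    """Return (mechanism alarm time, Z-score alarm time) for one simulated trace."""
    x, q_in, q_out = simulate(slope)
    return mechanism_alarm(x, q_in, q_out), zscore_alarm(x)

if __name__ == "__main__":
    causal_t, z_t = compare()
    print(f"attack starts t={ATTACK_START}, mechanism alarm t={causal_t}, z-score alarm t={z_t}")
```

The normal fill/drain cycle dominates the window statistics of the raw reading, so the Z-score alarms later than the residual test, if at all, while the residual only sees the part of the change that the measured flows cannot explain.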