Information-Theoretic Digital Twins for Stealthy Attack Detection in Industrial Control Systems: A Closed-Form KL Divergence Approach
Inda Kreso, Mehran Tarif, Fatemeh Moradi, Iman Khazrak, Mostafa M Rezaee, Mohammadhossein Homaei

TL;DR
This paper introduces an information-theoretic digital twin framework using closed-form KL divergence for real-time detection of stealthy cyber-attacks in industrial control systems, offering high accuracy and efficiency.
Contribution
It presents a novel closed-form KL divergence-based digital twin method combining N4SID and Kalman filtering for effective anomaly detection in ICS.
Findings
Achieved F1-scores of 0.832 on SWaT and 0.615 on WADI datasets.
Outperformed deep learning baselines like TranAD in precision.
Provided a 600x inference speedup over transformer-based methods.
Abstract
Digital twins (DTs) are increasingly used to monitor and secure Industrial Control Systems (ICS), yet detecting stealthy False Data Injection Attacks (FDIAs) that manipulate system states within normal physical bounds remains challenging. Deep learning anomaly detectors often over-generalize such subtle manipulations, while classical fault detection methods do not scale well in highly correlated multivariate systems. We propose a closed-loop Information-Theoretic Digital Twin (IT-DT) framework for real-time anomaly detection. N4SID identification is combined with steady-state Kalman filtering to quantify residual distribution shifts via closed-form KL divergence, capturing both mean deviations and malicious cross-covariance shifts. Evaluations on the SWaT and WADI datasets show that IT-DT achieves F1-scores of 0.832 and 0.615, respectively, with better precision than deep learning…
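The detection principle described in the abstract can be made concrete with a small worked example. The following Python is an added illustration written for this page, not the authors' code: it takes an identified linear state-space model as given (the paper obtains one with N4SID; here a constructed second-order plant with assumed matrices A, C, Q, R stands in for it), builds the steady-state Kalman predictor, collects the innovation (residual) sequence, and scores each window with the closed-form KL divergence between the window's empirical Gaussian and the nominal innovation distribution N(0, S). The divergence direction KL(empirical || nominal), the window length, and the two attack shapes (a constant sensor bias that never crosses a per-sample bound, and a zero-mean injection that only changes the cross-covariance of the sensors) are assumptions of this example. The point it shows is the one the abstract makes: the KL term reacts both to a mean shift and to a covariance shift, whereas a per-sample threshold on either sensor would see nothing.

```python
import numpy as np

# Assumed second-order plant (constructed for this example; the paper identifies
# its model with N4SID from nominal data, here the matrices are simply given).
A = np.array([[0.9, 0.1], [0.0, 0.8]])   # stable state transition with coupling
C = np.eye(2)                            # both states measured directly
Q = 0.01 * np.eye(2)                     # process noise covariance
R = 0.05 * np.eye(2)                     # sensor noise covariance


def kl_gauss(mu0, S0, mu1, S1):
    """Closed-form KL( N(mu0,S0) || N(mu1,S1) ) for k-dimensional Gaussians."""
    mu0, mu1 = np.asarray(mu0, float), np.asarray(mu1, float)
    S0, S1 = np.asarray(S0, float), np.asarray(S1, float)
    k = mu0.size
    S1_inv = np.linalg.inv(S1)
    d = mu1 - mu0
    ld0, ld1 = np.linalg.slogdet(S0)[1], np.linalg.slogdet(S1)[1]
    return 0.5 * (np.trace(S1_inv @ S0) + d @ S1_inv @ d - k + ld1 - ld0)


def steady_state_predictor(A, C, Q, R, iters=1000):
    """Iterate the predictive Riccati recursion to convergence.
    Returns the predictor gain Kp and the nominal innovation covariance S."""
    P = Q.copy()
    for _ in range(iters):
        S = C @ P @ C.T + R
        Kp = A @ P @ C.T @ np.linalg.inv(S)
        P = A @ P @ A.T + Q - Kp @ S @ Kp.T
    S = C @ P @ C.T + R
    return A @ P @ C.T @ np.linalg.inv(S), S


def innovations(Kp, Y):
    """Innovation sequence e_k = y_k - C x_hat_{k|k-1} from the steady-state predictor."""
    xhat, E = np.zeros(A.shape[0]), np.empty_like(Y)
    for k, y in enumerate(Y):
        E[k] = y - C @ xhat
        xhat = A @ xhat + Kp @ E[k]
    return E


def window_kl(E, S, win):
    """KL between each window's empirical innovation Gaussian and the nominal N(0, S)."""
    scores = []
    for start in range(0, len(E) - win + 1, win):
        W = E[start:start + win]
        scores.append(kl_gauss(W.mean(axis=0), np.cov(W, rowvar=False), np.zeros(W.shape[1]), S))
    return np.array(scores)


def simulate(T, rng, attack=None, attack_from=None):
    """Run the plant; attack(rng) returns an additive sensor perturbation applied from attack_from on."""
    Lq, Lr = np.linalg.cholesky(Q), np.linalg.cholesky(R)
    x, Y = np.zeros(2), np.empty((T, 2))
    for k in range(T):
        y = C @ x + Lr @ rng.standard_normal(2)
        if attack is not None and k >= attack_from:
            y = y + attack(rng)          # false data injected into the sensor channel
        Y[k] = y
        x = A @ x + Lq @ rng.standard_normal(2)
    return Y


def bias_attack(rng):
    # Constant 0.4 offset on sensor 2: about 1.4 sigma of that sensor's normal reading,
    # so a 3-sigma per-sample check never fires.
    return np.array([0.0, 0.4])


def correlated_attack(rng):
    # Zero-mean jitter pushed identically onto both sensors: the means stay put, but the
    # variance inflates and a cross-covariance appears that the nominal model lacks.
    return 0.25 * rng.standard_normal() * np.array([1.0, 1.0])


def run_demo(seed=0, T=2000, win=250, attack_from=1000):
    """Return {attack name: (nominal window scores, attacked window scores)}."""
    rng = np.random.default_rng(seed)
    Kp, S = steady_state_predictor(A, C, Q, R)
    out = {}
    for name, atk in (("bias", bias_attack), ("correlated", correlated_attack)):
        Y = simulate(T, rng, atk, attack_from)
        scores = window_kl(innovations(Kp, Y), S, win)
        n_nom = attack_from // win
        out[name] = (scores[:n_nom], scores[n_nom:])
    return out


if __name__ == "__main__":
    for name, (nom, att) in run_demo().items():
        print(f"{name:10s} nominal KL max={nom.max():.3f}  attacked KL min={att.min():.3f}")
```

Two design points carry over to a real deployment. First, the empirical covariance of a short window is a noisy estimate, so the nominal score floor is not zero but roughly (k + k(k+1)/2)/(2N) for k channels and N samples; the alarm threshold has to sit above that floor, which is one reason window length matters. Second, a constant bias is partly absorbed by the predictor (the state estimate drifts toward the biased reading), so the innovation mean shift is smaller than the injected offset; a detector that only looked at the raw sensor value against physical bounds would see even less, which is exactly the stealthy case the paper targets.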
Taxonomy
Topics: Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications · Fault Detection and Control Systems
