System-aware contextual digital twin for ICS anomaly diagnosis

TL;DR

This paper introduces a system-aware, unsupervised digital twin framework with LLM-based interpretability for real-time anomaly diagnosis in ICS, addressing limitations of existing methods.

Contribution

It presents a novel unsupervised, system-aware digital twin approach combined with LLMs to improve interpretability and real-time detection in ICS anomaly diagnosis.

Findings

Achieves real-time detection efficiency on public ICS benchmarks.

Provides consistent and interpretable anomaly diagnoses.

Enables low-latency warnings suitable for complex industrial environments.

Abstract

Industrial Control Systems (ICS) integrate computing, physical processes, and communication to operate critical infrastructures such as power grids, water treatment plants, and oil and gas facilities. As ICS become increasingly targeted by cyberattacks, timely and reliable anomaly diagnosis is essential for protecting operational safety. However, existing ICS anomaly detection approaches face practical limitations: supervised methods require extensive labeled attack data and suffer from class imbalance, while model-based detectors often lack the ability to provide deep insight into the root causes of anomalies, leading to elevated false alarms and making it difficult for operators to initiate a timely response. In this work, we propose a system-aware unsupervised framework for ICS anomaly diagnosis that combines lightweight online detection with contextual explanation. The system identifies deviations from observed normal behaviors without prior knowledge of system topology. To support actionable response, we further concatenate a contextual digital twin augmented with an Large Language Model (LLM) to enhance interpretability, which translates detection evidence into grounded diagnostic hypotheses and verification steps for operators. Experiments on public ICS benchmarks demonstrate that the proposed framework achieves real-time detection efficiency and provides consistent, interpretable anomaly diagnoses, enabling low-latency warning and practical deployment in complex industrial environments.