SC-GAT: A Stabilized Causal Graph Attention Network for Detecting Attacks in Water Treatment Plant

The convergence of Information Technology (IT) and Operational Technology (OT) in Industrial Control Systems (ICS) has exposed critical infrastructure to sophisticated multi-stage attacks. Traditional Intrusion Detection Systems (IDS) typically operate in a uni-modal fashion, monitoring either network traffc or physical sensor telemetry in isolation.

This separation fails to capture the causal “control loop” dynamics, rendering them blind to stealthy attacks where adversaries spoof sensor data to mask malicious control logic. To bridge this gap, we propose a novel Early Causal Fusion framework. We construct a Physics-Informed Heterogeneous Graph where physical components (actuators) are structurally linked to network entities (controllers) based on the system’s piping and instrumentation topology. To address the granularity mismatch between bursty network logs and continuous sensor telemetry, we introduce a Stabilized Causal Graph Attention Network (SC-GAT) equipped with pre-norm residual blocks. We validate our approach on the Secure Water Treatment (SWaT) dataset. While the model exhibits intermittent detection behavior typical of unsupervised learning—resulting in a Raw F1-Score of 0.28—it successfully identifies the onset of critical attacks with high sensitivity. Under the standard Point Adjustment protocol, the framework achieves an F1- Score of 0.92, demonstrating that explicitly modeling the causal intersection of cyber and physical domains significantly enhances detection capabilities against complex, multi-modal threats.