Digital Twin-Driven Intrusion Detection for Industrial SCADA: A Cyber-Physical Case Study

The convergence of operational technology (OT) and information technology (IT) n industrial environments, such as water treatment plants, has significantly increased the attack surface of Supervisory Control and Data Acquisition (SCADA) systems. Traditional intrusion detection systems (IDS) that focus solely on network traffic are often ineffective against stealthy, process-level attacks. This paper proposes a Digital Twin-driven Intrusion Detection (DT-ID) framework that integrates high-fidelity process simulation, real-time sensor modeling, adversarial attack injection, and hybrid anomaly detection using both physical residuals and machine learning. We evaluate the DT-ID framework using a simulated water treatment plant environment, testing against false data injection (FDI), denial-ofservice (DoS), and command injection attacks. The system achieves a detection F1-score of 96.3%, a false positive rate below 2.5%, and an average detection latency under 500 milliseconds, demonstrating substantial improvement over conventional rule-based and physics-only IDS in identifying stealthy anomalies. Our findings highlight the potential of cyber-physical digital twins to enhance SCADA security in critical infrastructure. In the following sections, we present the motivation and approach underlying this framework.