To address high false-positive rates and challenges in root-cause localization for cyber-physical attack detection in water-system industrial control systems (ICS), this paper proposes a causal digital twin framework that integrates causal discovery, structural equation modeling, and real-time digital twin technology to enable intervention analysis and counterfactual reasoning. Departing from conventional correlation-based modeling, the framework achieves F1 scores of 0.923–0.944 on SWaT, WADI, and HAI datasets, attains 90.8% compliance with physical constraints, reduces false positives by 74%, and maintains an ultra-low response latency of 3.2 ms. Root-cause localization accuracy improves to 78.4%, while attack success rate drops by 73.2%. The core innovation lies in the first deep integration of causal inference into digital twin architectures for water-system security—yielding high-accuracy, interpretable, and intervention-capable protection.

Industrial Control Systems (ICS) in water distribution and treatment face cyber-physical attacks exploiting network and physical vulnerabilities. Current water system anomaly detection methods rely on correlations, yielding high false alarms and poor root cause analysis. We propose a Causal Digital Twin (CDT) framework for water infrastructures, combining causal inference with digital twin modeling. CDT supports association for pattern detection, intervention for system response, and counterfactual analysis for water attack prevention. Evaluated on water-related datasets SWaT, WADI, and HAI, CDT shows 90.8% compliance with physical constraints and structural Hamming distance 0.133 $pm$ 0.02. F1-scores are $0.944 pm 0.014$ (SWaT), $0.902 pm 0.021$ (WADI), $0.923 pm 0.018$ (HAI, $p<0.0024$). CDT reduces false positives by 74%, achieves 78.4% root cause accuracy, and enables counterfactual defenses reducing attack success by 73.2%. Real-time performance at 3.2 ms latency ensures safe and interpretable operation for medium-scale water systems.