This work addresses the challenge of detecting stealthy false data injection attacks (FDIAs) in industrial control systems, which manipulate system states within physically plausible bounds and thus evade conventional detection. To overcome the limitations of deep learning methods—prone to overfitting—and traditional approaches—lacking scalability in high-dimensional settings—the authors propose a closed-loop information-theoretic digital twin framework. By integrating N4SID subspace identification with steady-state Kalman filtering, the framework introduces a closed-form KL divergence metric to quantify residual distribution shifts in real time, simultaneously capturing perturbations in both mean and covariance without requiring model training. Evaluated on the SWaT and WADI datasets, the method achieves F1 scores of 0.832 and 0.615, respectively, outperforming deep learning baselines such as TranAD while running approximately 600× faster on CPU with minimal memory footprint, making it suitable for GPU-less industrial edge controllers.

Digital twins (DTs) are increasingly used to monitor and secure Industrial Control Systems (ICS), yet detecting stealthy False Data Injection Attacks (FDIAs) that manipulate system states within normal physical bounds remains challenging. Deep learning anomaly detectors often over-generalize such subtle manipulations, while classical fault detection methods do not scale well in highly correlated multivariate systems. We propose a closed-loop Information-Theoretic Digital Twin (IT-DT) framework for real-time anomaly detection. N4SID identification is combined with steady-state Kalman filtering to quantify residual distribution shifts via closed-form KL divergence, capturing both mean deviations and malicious cross-covariance shifts. Evaluations on the SWaT and WADI datasets show that IT-DT achieves F1-scores of 0.832 and 0.615, respectively, with better precision than deep learning baselines such as TranAD. Computational profiling indicates that the analytical approach requires minimal memory and provides approximately a 600x inference speedup over transformer-based methods on CPU hardware. This makes the framework suitable for resource-constrained industrial edge controllers without GPU acceleration.