A digital twin and deep-learning ensemble for cyber attack detection in industrial control systems at the IoT edge
  • Article
  • Open access
  • Published: 22 May 2026

  • Ali Sayghe (1),
  • Mohammad D. Alahmadi (2) &
  • Abdulrahman A. Gharawi (3), ORCID: orcid.org/0009-0002-0341-5386

Scientific Reports (2026)

We are providing an unedited version of this manuscript to give early access to its findings. Before final publication, the manuscript will undergo further editing. Please note there may be errors present which affect the content, and all legal disclaimers apply.

Subjects

  • Engineering
  • Mathematics and computing

Abstract

Industrial Control Systems (ICS) face escalating cyber threats as adversaries increasingly exploit artificial intelligence (AI) to evade conventional defenses. This paper introduces a Digital Twin-enhanced security framework in which a real-time, physics-consistent virtual replica of the controlled industrial process is synchronized with sensor and actuator telemetry from the physical plant and used to validate, suppress, or confirm anomaly scores produced by a deep-learning ensemble. The physical twin is the closed-loop ICS plant (water treatment, water distribution, or chemical process); the Digital Twin is a state-space process model coupled to an Extended Kalman Filter that predicts the next sensor measurement and emits a residual whenever the observation deviates from the physics-consistent prediction. The detection layer combines this Digital-Twin residual signal with a Long Short-Term Memory (LSTM) autoencoder, an attention-based transformer, and an Isolation Forest, fused through a calibrated weighted score that is gated by the residual, so that purely data-driven anomalies that do not violate physics are downweighted and stealthy attacks that violate physics are escalated. Evaluated on three benchmark datasets (Secure Water Treatment testbed [SWaT], Water Distribution [WADI], and Tennessee Eastman) comprising 56 attack scenarios, the framework achieves 97.6% precision, 96.2% recall, an F1-score of 96.9%, and sub-50 ms inference latency. This corresponds to a 3.2 percentage-point F1-score improvement over the strongest baseline (transformer at 93.7%) and a roughly 50% reduction in residual error. Interpretability is supported through attention visualization and Digital-Twin residual analysis, enabling operators to validate detection outcomes. 
With native Message Queuing Telemetry Transport (MQTT) and Open Platform Communications Unified Architecture (OPC UA) integration, Byzantine fault-tolerant consensus for distributed deployments, and formal verification of safety properties, the framework supports deployment-oriented protection for critical infrastructure aligned with International Electrotechnical Commission (IEC) 62443-4-2 requirements.
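
The residual gating described in the abstract, as an added sketch that is not the authors' code: a scalar Kalman filter stands in for the Extended Kalman Filter (for a linear tank-level model the two coincide), and its normalized residual damps or escalates a weighted ensemble score. The tank model, noise values, fusion weights, gating formula, alert threshold and all sensor data are assumptions constructed for illustration.

```python
WEIGHTS = (0.4, 0.4, 0.2)   # assumed weights: LSTM autoencoder, transformer, Isolation Forest
NIS_99 = 6.63               # chi-square 99% quantile, 1 degree of freedom
ALERT = 0.5                 # assumed alert threshold on the gated score

def twin_nis(z_seq, u_seq, x0, b=0.1, q=1e-4, r=4e-4):
    """Scalar Kalman filter as the twin: normalized innovation squared per step."""
    x, p, out = x0, r, []
    for z, u in zip(z_seq, u_seq):
        x_pred, p_pred = x + b * u, p + q      # physics prediction of the next level
        innov, s = z - x_pred, p_pred + r      # residual and its expected variance
        out.append(innov * innov / s)
        k = p_pred / s                         # Kalman gain
        x, p = x_pred + k * innov, (1 - k) * p_pred
    return out

def gated_score(model_scores, nis, damp=0.5, boost=0.8):
    """Fuse the ensemble scores, then damp or escalate by the twin residual."""
    fused = sum(w * s for w, s in zip(WEIGHTS, model_scores)) / sum(WEIGHTS)
    g = min(1.0, nis / NIS_99)                 # 0 = physics-consistent, 1 = violation
    return fused * (damp + (1 - damp) * g) + (1 - fused) * boost * g

def peak_alert(z_seq, u_seq, model_scores, x0=1.0):
    """Highest gated score over the window and whether it crosses ALERT."""
    peak = max(gated_score(model_scores, n) for n in twin_nis(z_seq, u_seq, x0))
    return peak, peak >= ALERT

def simulate(u_seq, bias_from=None, bias=0.0, x0=1.0, b=0.1, noise=0.005):
    """Constructed level readings; optional false offset from step bias_from on."""
    level, z = x0, []
    for k, u in enumerate(u_seq):
        level += b * u                         # true level follows the actuator input
        n = noise if k % 2 == 0 else -noise    # deterministic stand-in for sensor noise
        offset = bias if bias_from is not None and k >= bias_from else 0.0
        z.append(level + n + offset)
    return z

# Case 1: operator opens the inlet; the ensemble scores the pattern as unusual,
# but the readings follow the physics, so the fused score is damped.
u_benign = [0.0] * 10 + [1.0] * 10
benign = peak_alert(simulate(u_benign), u_benign, (0.9, 0.8, 0.6))

# Case 2: no actuation, yet the reported level jumps; ensemble scores stay low,
# but the residual violates the model, so the score is escalated.
u_idle = [0.0] * 20
falsified = peak_alert(simulate(u_idle, bias_from=10, bias=0.2), u_idle, (0.2, 0.3, 0.1))

if __name__ == "__main__":
    print("benign setpoint change:", benign)
    print("falsified sensor reading:", falsified)
```

Because a Kalman filter re-converges onto a constant offset within a few steps, the residual spikes only around the onset of the false reading, which is why the sketch takes the peak over the window rather than the last value.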

Abbreviations

AI: Artificial Intelligence
C&W: Carlini & Wagner
EKF: Extended Kalman Filter
FDI: False Data Injection
FGSM: Fast Gradient Sign Method
ICS: Industrial Control Systems
IEC: International Electrotechnical Commission
IoT: Internet of Things
LSTM: Long Short-Term Memory
MQTT: Message Queuing Telemetry Transport
NIST: National Institute of Standards and Technology
OPC UA: Open Platform Communications Unified Architecture
OT: Operational Technology
PAC: Probably Approximately Correct
PBFT: Practical Byzantine Fault Tolerance
PGD: Projected Gradient Descent
PLC: Programmable Logic Controller
RNN: Recurrent Neural Network
ROC: Receiver Operating Characteristic
SCADA: Supervisory Control and Data Acquisition
SEDT: Security-Enhancing Digital Twin
SNR: Signal-to-Noise Ratio
SWaT: Secure Water Treatment
TLS: Transport Layer Security
WADI: Water Distribution

Acknowledgements

The authors extend their appreciation to Umm Al-Qura University, Saudi Arabia for funding this research work through grant number: 26UQU4340316GSSR01.

Funding

This research work was funded by Umm Al-Qura University, Saudi Arabia under grant number: 26UQU4340316GSSR01.

Author information

Authors and Affiliations

  1. Department of Electrical Engineering, Yanbu Industrial College, Yanbu, Saudi Arabia

    Ali Sayghe

  2. Department of Software Engineering, College of Computer Science and Engineering, University of Jeddah, Jeddah, Saudi Arabia

    Mohammad D. Alahmadi

  3. Department of Computer Science, University College of Al Jamoum, Umm Al-Qura University, Makkah, Saudi Arabia

    Abdulrahman A. Gharawi

Corresponding author

Correspondence to Ali Sayghe.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article

Sayghe, A., Alahmadi, M.D. & Gharawi, A.A. A digital twin and deep-learning ensemble for cyber attack detection in industrial control systems at the IoT edge. Sci Rep (2026). https://doi.org/10.1038/s41598-026-53863-z

  • Received: 13 October 2025

  • Accepted: 14 May 2026

  • Published: 22 May 2026

  • DOI: https://doi.org/10.1038/s41598-026-53863-z

Keywords

  • Digital twin
  • Industrial control systems
  • Cyber-physical security
  • Anomaly detection
  • Edge computing
  • AI-driven cyber threats
  • Deep learning
  • Industrial IoT
Scientific Reports (Sci Rep)

ISSN 2045-2322 (online)
