Cyber-Physical Fusion for GNN-Based Attack Detection in Smart Power Grids

Recent research has shown promise in using machine learning for cyberattack detection in power systems. However, current studies face limitations: a) dependence on either physical or cyber features, overlooking multi-modal cyber-physical (CP) correlations; b) unrealistic full observability assumptions; c) focus on detecting basic attacks instead of advanced threats such as ransomware (RW); and d) use of deep learning (DL) models built for 2D data, despite the graph-structured nature of power systems. To address these gaps, we develop a CP testbed using OPAL-RT and a cyber range to simulate both physical and cyber layers under full and partial observability. The testbed produces a realistic multi-modal dataset covering normal operations and various cyberattacks, including RW, brute force, false data injection, reverse shell, and backdoor. Using this dataset, we design graph neural network (GNN)-based multi-modal intrusion detection systems (IDSs) that fuse CP features and capture spatio-temporal dependencies. Results show that CP fusion improves detection rates (DRs) by up to 16% compared to single-modal inputs. The proposed GNN-based IDSs outperform benchmarks by up to 26% in DR, remain effective under partial observability, and demonstrate up to 6% improvement in scalability when applied to larger system topologies.