The proposed architecture consists of three layers:

Collection and Normalization Layer: Port mirroring on technological segment switches, agents in the Demilitarized Zone (DMZ), telemetry streams from programmable logic controllers (PLC), Supervisory Control and Data Acquisition (SCADA) and technological sensors; decoding of industrial protocols [e.g., Modbus Transmission Control Protocol (Modbus/TCP), OPC Unified Architecture(OPC UA)], normalization into a SIEM event scheme (Knowles et al., 2015; Mugarza et al., 2020).

Analytics layer: two pipelines—network (Byte2Image → CNN + LSTM) and Technological (AE + LSTM). The first identifies low-level traffic anomalies; the second predicts physico-technological values (oven temperature, conveyor speed, dough moisture, drive currents), as well as operator activity profiles (HMI commands, shift patterns).

Cognitive correlation layer: SIEM rules and graph dependencies, UEBA profiles, knowledge of the technological process calendar (recipes, batches, shifts), Zero Trust access policy (micro-segmentation, device verification), and external Indicators of Compromise (IoC) sources (Tariq et al., 2019; Zhao et al., 2022; Homaei et al., 2024).

To ensure conceptual consistency and address the complexity of hybrid threats, the proposed system is structured into three distinct hierarchical levels.

First, Level 0 (Base Pipelines) consists of independent deep learning modules: the network pipeline (Byte2Image-CNN + LSTM) and the technological pipeline (AE + LSTM). These models perform primary feature extraction and provide raw anomaly scores from heterogeneous data sources.

Second, Level 1 (Hybrid Fusion) integrates the outputs from Level 0 using a weighted scoring mechanism. This level is designed to correlate network-layer incidents with physical process deviations.

Finally, Level 2 (Full Cognitive Model) represents the highest level of integration. At this stage, the system incorporates Security Information and Event Management (SIEM) correlation rules and User and Entity Behavior Analytics (UEBA). Level 2 filters the fused scores through the lens of industrial context—such as bakery production shifts, specific recipes, and Zero Trust access policies—to refine detection accuracy and minimize false positives. This hierarchical structure is empirically validated in Section 3, where Level 1 performance is compared in Table 1, and the contribution of Level 2 components is verified through an ablation study in Table 2.

Bakery enterprises are classified as critical infrastructure, where the stability of the technological cycle—from dough mixing to finished product packaging—directly affects quality, safety, and economic resilience. Any failures in the operation of ovens, conveyors, dispensers, or proofing systems lead to batch spoilage, line stoppage, and violation of sanitary standards.

From a food safety perspective, the alignment with ISO 22000 and HACCP (Hazard Analysis and Critical Control Points) principles is critical. A cyber-physical attack targeting the operational technology (OT) layer can have direct biological consequences. For instance, an unauthorized modification of a Modbus Holding Register controlling the oven temperature (e.g., reducing the baking zone temperature by 10 °C) may not trigger a standard IT security alert but results in the “Underbaking” critical control point failure. This permits the survival of pathogens (e.g., Salmonella spp. or Bacillus cereus) in the final product. Therefore, the detection system must treat specific PLC register manipulations not merely as network anomalies but as direct violations of food safety limits.

To enhance the reliability and security of such production facilities, a cognitive architecture for early incident detection has been developed. It combines machine learning methods, behavioral analytics for users and equipment, and the principles of the Zero Trust architecture. The system is focused on preventing hybrid cyber threats—a combination of external attacks on PLC/SCADA controllers and internal risks caused by personnel errors, procedure violations, or the introduction of malicious code.

The architecture is built on three interconnected layers—data collection and normalization, analytics, and cognitive correlation. Interaction between them occurs through forward and feedback loops, ensuring a closed loop of adaptive protection capable of learning from its own data and increasing detection accuracy.

Figure 1 presents the general cognitive architecture of the early incident detection system. The Collection and Normalization Layer is responsible for receiving and pre-processing data from the industrial equipment of the bakery plant. This utilizes port mirroring on switches, agents in the DMZ, telemetry streams from PLC and SCADA, as well as signals from technological sensors. At this stage, data from Modbus/TCP and OPC UA protocols are converted into a unified SIEM event format. This creates a single representation of the information space upon which analytics are built.

The Analytics Layer processes incoming data using two parallel pipelines. The Network Pipeline (Byte2Image CNN + LSTM) converts traffic into visual representations and identifies hidden anomalies in network exchange. The Technological Pipeline (AE + LSTM) analyzes production process parameters—oven temperature, dough moisture, drive currents, conveyor speed—and predicts normal operating modes. The joint use of these pipelines allows for real-time fixation of deviations in equipment operation and operator actions.

The Cognitive Correlation Layer unifies the results of the neural network models with the context of the production cycle. Here, SIEM rules and dependencies, UEBA behavioral profiles, and Zero Trust mechanisms—network micro-segmentation, device verification, and access control—are active. This layer utilizes knowledge about recipes, shifts, batches, as well as external Indicators of Compromise (IoC). It evaluates the aggregate risk and, if necessary, automatically adjusts the response thresholds of the analytical models, returning feedback signals to the previous levels.

Orthogonal feedback loops ensure the architecture’s adaptation: the cognitive layer can change analytics parameters and data collection filters, restricting streams from suspicious sources, updating trusted zones, and increasing detection accuracy.

This architecture implements the principle of intelligent self-regulation—from observation to analysis and action. The system is capable of not only detecting incidents but also predicting their emergence, maintaining continuous control over the bakery plant’s technological network.

The video below explains the core concepts of the IEC 62443 standard, which the proposed architecture complies with for industrial cybersecurity.

The implementation of a probabilistic risk-indicator is necessitated by the stochastic nature of cyber-physical threats in food production, where binary detection is often insufficient for nuanced decision-making. This approach allows for the quantification of incident intensity over time, providing a mathematical basis for automated response that accounts for uncertainty. This modeling is grounded in the Neyman–Pearson criterion for optimal statistical decision theory, ensuring a formal balance between detection sensitivity and a fixed false positive rate (Neyman and Pearson, 1933; Basseville and Nikiforov, 1993). Such risk-oriented frameworks are essential for maintaining process continuity in ICS environments under conditions of incomplete data (Inoue et al., 2017; Tuptuk et al., 2021).

Let λ ( t ∣ ℱ t ) —be the incident intensity driven by the observed filtering ℱt (logs, telemetry, behavioral features). The probability of at least one incident occurring over the horizon H is given by Equation (1): ℙ ∃ , incident [ t , t + H ] = 1 − exp ! ( − ! ∫ ! t t + H ! λ ( τ ∣ F t ) , dτ ) (1)

In practical implementation λ ( · ) is approximated by model outputs and the densities of anomaly scores. An incident is escalated when the integral risk across assets exceeds the threshold τ t : R t = ∑ a w a P ( I t a = 1 ∣ F t ) , decision: R t > τ t . The combined anomaly score s t incorporates the autoencoder’s reconstruction error, the probability of the “normal” class from the LSTM, and the entropy dynamics (Equation 2): s t = α , ∣ x t − x ̂ t ∣ 2 2 + ( 1 − α ) , ( 1 − pθ ( y t = 0 ∣ z 1 : t ) ) + β , Δ H t (2)

Where α , β ∈ [ 0 , 1 ] , z 1 : t —the features, H t —is the entropy of the class distribution over the window.

To mitigate the “alarm fatigue” common in industrial monitoring, we formulate the threshold selection as a constrained optimization problem rather than a static value. This is critical for bakery plants where technological cycles (e.g., cooling or fermentation) create natural drifts in baseline data. By minimizing detection latency while respecting strict FPR and computational resource constraints, the system remains viable for deployment on edge gateways with limited processing power (Anthi et al., 2021; Kantharaju et al., 2024). This optimization follows the dual-multiplier approach for stochastic resource allocation in real-time OT networks (Tuptuk et al., 2021; Inoue et al., 2017). The problem of choosing the threshold τ t is formulated as the optimization of the detection latency D ( τ ) subject to constraints on the False Positive Rate (FPR) and the computational budget on edge nodes (Equation 3): min τ t ; E [ D ( τ ) ] ∏ pu FPR ( τ t ) ≤ ε , C ( τ t ) ≤ C max (3)

The resource constraint C__max is defined based on the specifications of typical industrial edge gateways (e.g., NVIDIA Jetson Nano or Raspberry Pi 4-class devices). Specifically, the inference time per sample must not exceed 100 ms, and the peak RAM usage for the model must remain below 2 GB to allow coexistence with other SCADA processes. The optimization objective is to minimize detection latency τ while maintaining FPR ( τ _t) ≤ 0.5% within these hardware boundaries.

The solution is approximated by a stochastic gradient method with dual multipliers for the constraints (online readjustment every ΔT minutes) (Anthi et al., 2021; Kantharaju et al., 2024).

The Byte2Image transformation is selected to overcome the limitations of traditional deep packet inspection (DPI), which struggles with encrypted or proprietary industrial protocols used in modern PLCs. By visualizing raw traffic as 2D structural patterns, the model leverages the spatial feature extraction capabilities of CNNs to identify malformed frames and reconnaissance activity (Lin et al., 2022). The integration of an LSTM layer is further justified by the need to capture temporal dependencies in multi-stage attack scenarios, where malicious intent is revealed through sequences of packets rather than isolated events (Anthi et al., 2021; Abhishek and Singh, 2023). The Network Pipeline is designed to process heterogeneous traffic by transforming raw packet data into a format suitable for computer vision. To handle network traffic variability, raw PCAP packet payloads are truncated or padded to a fixed length of L = 1,024 bytes. These bytes are then reshaped into a square matrix of size N × N, where N = 32. The mapping logic is defined as (Equation 4):

P ( i , j ) = B k , where k = i × N + j (4)

Here, P(i, j) represents the pixel intensity at coordinates (i, j), and B_k is the decimal value of the k-th byte (ranging from 0 to 255). This results in a 32 × 32 grayscale image that preserves the spatial correlations and structural patterns of protocol headers (e.g., Modbus function codes or TCP flags) and payloads.

These images are fed into a hybrid CNN-LSTM architecture. The CNN layers perform spatial feature extraction, while the LSTM layer captures temporal dependencies between consecutive packets in a session. To ensure reproducibility, the detailed hyperparameters for both the CNN-LSTM and AE-LSTM models (used in the technological pipeline) are provided in Table 1. To address the class imbalance identified in the dataset (see Section 3.1), we employed the Focal Loss function instead of standard cross-entropy, which forces the model to focus on hard-to-classify attack samples.

Byte sequences of packets/sessions are translated into fixed-dimension images N × N (grayscale or pseudocolor with channel splitting: header/payload/metadata). For the k -th fragment b k , 1 : N 2 ∈ 0 , ⋯ , 255 N 2 :

N × N (grayscale or pseudo-color when splitting channels: header/payload/metadata). For the (k)-th fragment b k , 1 : N 2 ∈ 0 , ⋯ , 255 N 2 (Equation 5): I k = reshape ( b k , 1 : N 2 , N , N ) , h t = LSTM ! ( g ϕ ! ( I t ) ) , y ̂ t = σ ( Wh t + b ) (5)

Where gϕ ( · ) —is the convolutional feature extractor, and σ—is the logistic function. This approach is robust to traffic polymorphism and adapted to weak labels (weak labels) (Lin et al., 2022).

In the technological layer, the scarcity of labeled attack signatures for specific bakery equipment necessitates an unsupervised learning paradigm. The Autoencoder (AE) is employed to learn the latent representation of “normal” physical processes, using reconstruction error as the primary anomaly metric (Gauthama Raman et al., 2021). To account for the inherent time-series nature of sensor telemetry (e.g., temperature and dough viscosity), the AE is combined with an LSTM network. This hybrid architecture ensures the detection of both point anomalies and subtle long-term drifts in physical parameters, which is a key requirement for reliable digital twin-based monitoring (Holdbrook et al., 2024; Homaei et al., 2024). The autoencoder AE ψ reconstructs the observed vector x t (telemetry, commands), the LSTM predicts the next point/distribution, and the joint loss function sets a compromise between reconstruction, regularization, and the metric objective (Equation 6): L ( θ , ψ ) = ∑ t = 1 T ( ∣ x t − x ˜ t ∣ 2 2 + λ 1 , KL ( qψ ( z t ∣ x t ) , ∣ , N ( 0 , I ) ) + λ 2 , CE ( y ̂ t , y t ) ) (6)

Where cross-entropy loss (CE) is used in the objective. The anomaly signal is the reconstruction error and/or large predictive residuals on the recorded operating modes of furnaces, conveyors, and dispensers (Gauthama Raman et al., 2021; Holdbrook et al., 2024).

The bakery network often features outdated SSL/TLS implementations (e.g., forced protocol downgrades for backward compatibility) and insecure SNMP v1/v2c configurations (community strings, lack of encryption). These factors are exploited in attacks on equipment firmware update channels, inter-plant VPNs, and monitoring: injection of fake firmware, interception of configurations, and telemetry spoofing (Xie et al., 2021; Li et al., 2024; Ahmad et al., 2023). In our architecture, this is accounted for in asset risk profiles, SIEM rules, and training scenario sets (see “Results” section).

SIEM accumulates events from network sensors, operating system (OS)/database (DB) logs, SCADA/HMI, VPNs, and authentication infrastructure. UEBA builds trusted profiles of operators and service accounts (shift activity, commands, and deviations from technology maps). Zero Trust ensures microsegmentation, continuous device verification, and the principle of least privilege (at the PLC/SCADA and engineering workstation level) (Tariq et al., 2019; Mugarza et al., 2020; Zhao et al., 2022; Homaei et al., 2024). The resulting solution mitigates the risk of covert movements and enhances observability.

To transition from raw anomaly detection to a cognitive security framework, the system implements a decision-making layer based on three functional mechanisms:

Cross-domain correlation (SIEM-ready logic): Unlike standalone detectors, this layer synchronizes events from the network (Level 0) and technological (Level 0) pipelines. A high-priority incident is flagged only when anomalies in both domains occur within a 60-s temporal window, significantly reducing false positives caused by isolated sensor noise or transient network jitter.

To ensure robust conclusions and address statistical validity, each model was trained and evaluated in repeated runs with different random seeds (N = 10). The train/validation/test split was kept fixed across models; only training stochasticity (initialization and minibatch order) was varied. We report mean ± standard deviation for F1 and AUC across runs.

For uncertainty quantification, we computed 95% confidence intervals (CI) for F1 and AUC using stratified bootstrap resampling of the test sessions (10,000 resamples). This provides sample-level uncertainty estimates beyond single-point metrics.

To compare models statistically, we applied a paired non-parametric Wilcoxon signed-rank test on per-run metric values (F1 and AUC) between the fusion model and each baseline/ablation variant, using α = 0.05. For multiple pairwise comparisons, Holm–Bonferroni correction was applied. This procedure evaluates whether improvements are consistent across runs rather than driven by a single favorable training instance.

The experimental validation was conducted using a high-fidelity Digital Twin of the bakery line, implemented in the Factory I/O simulation environment coupled with Siemens S7-PLCSIM to emulate the logic of S7-1200 controllers. The physical logic—including oven thermodynamics (heat transfer coefficients), conveyor friction, and dough viscosity—was modeled using MATLAB/Simulink blocks linked via OPC UA. This setup allows for the generation of realistic sensor noise and the simulation of mechanical inertia, which is often absent in purely dataset-based studies.

The telemetry data collection focused on specific Modbus and OPC UA tags critical for the technological process. Data collection was performed from mirrored switch ports, DMZ agents, and PLC/SCADA telemetry (OPC UA, Modbus/TCP, HTTPS, and SNMP). To increase the variability of attack traffic, real network data were augmented with replayed fragments from open datasets such as UNSW-NB15, CIC-IDS2017, and ToN_IoT. A summary of the dataset used for model training and evaluation is provided in Table 3.

Normal operations represent uninterrupted production shifts without violations of process workflows. The data were collected from the actual production line and include network exchanges (OPC UA, Modbus/TCP, HTTPS, and SNMP) and telemetry (oven temperature, dough humidity, drive currents, conveyor speeds). The “sessions” field indicates the number of aggregated network sessions and synchronized technological observation windows.

Technological transitions and pauses include real telemetry captured during start-up/shutdown sequences, recipe changeovers, and sanitation breaks. These segments were not labeled as incidents, as the deviations were caused by standard operating modes. Such data are used to train the model to distinguish normal process variability from actual attack behavior.

Non-threatening anomalies comprise real episodes of sensor degradation (noise, brief dropouts, calibration drift), confirmed by maintenance logs. These cases were not labeled as incidents because no signs of malicious interference were observed. Including such data improves the model’s robustness to false alarms in the presence of “noisy” sensor signals.

Attack scenarios consist of a set of both real injected events (scanning, credential brute-forcing, unauthorized Modbus writes, SNMP manipulation, SSL/TLS downgrade, fake firmware injection, lateral movement, Domain Name System (DNS) exfiltration) and replayed fragments from open-source datasets (UNSW-NB15, CIC-IDS2017, ToN_IoT), adapted to the testbed’s format. Each episode was assigned an “incident” label, which explains the equal number of sessions and labels in the corresponding dataset row. The analysis of “pre-attack,” “during-attack,” and “post-attack” phases refers to the synchronization of telemetry and network data windows within the digital twin environment. For each scenario, time-series data and network sessions were aggregated into observation windows relative to the exact moment of incident injection. This phase-based approach ensures that the dynamic shifts in physical parameters (e.g., pressure or temperature) are correctly correlated with network anomalies. The contribution of this temporal segmentation is empirically reflected in the final detection metrics and response latency (Table 1), as well as in the ablation study (Table 2), which compares configurations with and without cognitive context correlation.

In addition to standard datasets, we injected three domain-specific attack scenarios into the Digital Twin to validate the cognitive capabilities:

Oven thermal runaway: a gradual (“low-and-slow”) increase in the oven temperature setpoint by 0.5 °C per minute, aiming to burn the product without triggering sudden threshold alarms.

The percentage column in Table 3 indicates the relative share of each category within the total dataset. The overall volume and category distribution reflect the actual data collected on the testbed and the aggregation rules used for session grouping. Network protocols and topology (IEC 62443 zones, DMZ, VLANs) were configured as described above.

Note on application: These data were used to train two analytical pipelines—the network Byte2Image CNN + LSTM and the technological AE + LSTM—as well as for subsequent cognitive event correlation within the SIEM/UEBA system, incorporating production cycle context and Zero Trust policies.

To ensure conceptual consistency, the proposed system is evaluated across three hierarchical levels. The Base Pipelines (Level 0) provide raw anomaly scores from network and technological data. The Hybrid Fusion Model (Level 1) integrates these scores to improve overall detection breadth. Finally, the Full Cognitive Model (Level 2) incorporates high-level correlation rules (SIEM) and behavioral profiles (UEBA). As shown in Table 2 (Ablation Analysis), the transition from Level 1 to Level 2 results in a measurable improvement: the F1-score increases from 0.94 to 0.95, and the False Positive Rate (FPR) decreases from 0.58% to 0.49%. This empirical evidence confirms that cognitive components (UEBA and correlation rules) are not merely conceptual but serve as a functional mechanism for reducing false alarms and enhancing detection stability. All metrics in Table 1 are reported as mean ± std. over N = 10 runs. In addition, 95% bootstrap confidence intervals for the Fusion Model are provided in Appendix A to quantify uncertainty on the held-out test setEvaluation metrics and OT interpretation. Precision measures the proportion of raised alerts that correspond to true incidents [TP/(TP + FP)]. In OT deployments, high Precision is essential to avoid excessive operator interventions and production disruptions caused by false alarms. Recall [TP/(TP + FN)] measures the proportion of real incidents that are detected; in critical infrastructure, low Recall is unacceptable because missed attacks can propagate into physical/process damage. F1-score is the harmonic mean of Precision and Recall and summarizes the operational trade-off between false alarms (FP) and missed detections (FN). AUC (Area under the ROC Curve) summarizes discrimination across all thresholds and enables fair comparison when the operating threshold may change under different risk levels or edge resource constraints.

Models compared. We evaluated the following models:

Gradient Boosting baseline on engineered features (flow rates, port distributions, error counters).

Threshold values for incident detection were adapted according to the optimization criterion, which minimizes the average detection delay while adhering to constraints on the False Positive Rate (FPR) and the computational resource limitations of edge nodes (Equation 7): min τ E [ D ( τ ) ] ∏ pu FPR ( τ ) ≤ ε , C ( τ ) ≤ C max (7)

Where ε = 0 , 5 % —is the permissible false alarm rate, and C max —is the computational cost limit per edge network node. For each pipeline, an online readjustment of the threshold τ t was performed every ΔT = 10 minutes, taking into account the current dynamics of the event stream. Standard accuracy metrics were used for quality assessment (Equations 8–10): Precision = TP TP + FP (8) Recall = TP TP + FN (9) F 1 = 2 · Precision · Recall Precision + Recall (10)

Where TP , FP , FN —are the number of true positive, false positive, and false negative detections, respectively; F1 denotes the F1-score (harmonic mean of Precision and Recall) Standard accuracy metrics (7)–(9) were used for quality assessment. For an Industrial Control System (ICS) environment, the selected metrics provide a comprehensive evaluation of operational stability. Precision is interpreted as a measure of “operational suitability,” as high precision minimizes false alarms that lead to costly and unnecessary production halts. Recall reflects “detection completeness,” which is critical for the safety of the technological cycle. The F1-score provides a balanced assessment in conditions of class imbalance, where both missed detections and false alarms carry high economic risks. Finally, AUC is used as a threshold-independent measure of class separability, confirming that the improvement in results is a robust property of the architecture rather than an artifact of a specific detection threshold τ . Together, the simultaneous growth in these metrics alongside reduced response latency (Table 1) validates the superiority of the proposed fusion architecture for real-time OT applications. As seen in Table 1, the hybrid cognitive model provides the best values for Precision >0.94, Recall >0.91, and an average response time of less than 1.2 s, confirming the effectiveness of integrating network and technological analyses.

Evaluation metrics and OT interpretation. Precision measures the proportion of detected incidents that are true incidents (i.e., how many raised alerts are correct). In OT environments, high Precision is critical to reduce false alarms and “alarm fatigue,” because unnecessary operator interventions may disrupt production and increase downtime.

Recall (True Positive Rate) measures the proportion of real incidents that are successfully detected. For critical infrastructure and OT processes, missing an attack or hazardous manipulation is unacceptable; therefore, Recall must remain high even when the system is tuned to minimize false alarms.

F1-score is the harmonic mean of Precision and Recall, providing a balanced single-number summary when both false alarms (FP) and missed detections (FN) are costly. We report F1 to reflect the trade-off between operational feasibility (Precision/FPR) and safety-critical coverage (Recall).

AUC (Area under the ROC Curve) summarizes model discrimination across all possible decision thresholds and is therefore threshold-independent. This is important for OT deployments because the operating threshold may change under different resource constraints or risk levels, and AUC enables fair comparison of models under varying thresholds.

The improvement is explained by the synergy of network and technological pipelines, which reduces the probability of missed attacks and decreases response latency. To evaluate the contribution of each component of the hybrid model, an ablation analysis was conducted (see Table 2). The threshold improvement in the F1 metric when adding the cognitive correlation layer was calculated as (Equation 11): Δ Q i = Q fusion − Q − i (11)

Where Q fusion —is the quality of the full model, and Q − i is the quality after excluding the i-th component. The average improvement in the F1 metric when adding the cognitive correlation layer was Δ Q i ≈ + 0 , 03 , indicating the significance of integrating SIEM events and the production cycle context.

Thus, in Table 2, the integration of the cognitive correlation layer, contextual profiles, and operator behavioral characteristics allowed for a reduction in false positives by almost 25% compared to purely neural network approaches and increased the model’s resistance to data drift in production conditions. In addition, for a practical assessment of the system’s effectiveness, an integral accuracy index I eff was applied (Equation 12): I eff = Precision + Recall + AUC 3 − k · t avg t max (12)

Where t avg —is the average response time t max = 3 s—is the normative threshold value, and k = 0 , 2 —is the delay penalty coefficient, and the Area Under the Receiver Operating Characteristic (ROC) curve (AUC) is used as a threshold-independent performance metric. For the fusion model, I eff = 0 , 93 , which corresponds to a high level of efficiency according to IEC 62443 requirements and the national standards of the Republic of Kazakhstan.

The obtained results confirm that the proposed cognitive architecture provides the necessary accuracy and speed of incident detection at an optimal level of computational costs and can be recommended for implementation in bakery industry enterprises.

The results obtained have formed an empirical basis for further discussion of the identified patterns and for determining directions for optimizing cognitive cybersecurity tools in an industrial environment. The conducted experiments confirmed the effectiveness of the proposed model for early incident detection. The hybrid fusion architecture, which combines features from behavioral, technological, and network levels, demonstrated the best results: average values of Precision = 0.96, Recall = 0.93, F1 = 0.95, and AUC = 0.98, with an average response time of less than 1.2 s. This indicates the system’s high capability to distinguish between normal and anomalous states even under conditions of noisy or incomplete data (Mugarza et al., 2020; Qureshi et al., 2024).

A comparison of the models revealed a pattern: the higher the degree of contextual integration of data from different domains (network traffic, technological parameters, and command logs), the more robust the system is to drift and false positives (Tariq et al., 2019; Dietz and Pernul, 2020). This opens up prospects for the further development of multi-agent cognitive systems that combine User and Entity Behavior Analytics (UEBA) with digital twins of technological processes (Holdbrook et al., 2024; Kantharaju et al., 2024).

The results obtained demonstrate not only the possibility of achieving high detection accuracy in real production conditions but also create scientific prerequisites for developing a universal industrial cyber defense architecture based on intelligent agents (Knowles et al., 2015; Bhamare et al., 2020; Cherdantseva et al., 2016; Anthi et al., 2021; Tuptuk et al., 2021; Inoue et al., 2017).

Transitioning to the “Discussion” section will allow for the interpretation of the identified patterns in the context of regulatory requirements, practical implementation limitations, risk assessment, and the economic efficiency of integrating cognitive mechanisms into industrial digital twins (Zhang et al., 2023; Homaei et al., 2024).

Figure 2 illustrates the system’s performance during the ‘Oven Thermal Runaway’ scenario described in Section 3.1. The Digital Twin (AE + LSTM pipeline) accurately predicted the expected temperature trajectory (Blue Line). The divergence between the observed telemetry (Red Line) and the prediction allowed the system to detect the anomaly at t = 45 s, during the latent attack phase, well before the critical safety threshold was breached. This confirms the model’s ability to operate effectively across pre-attack, attack, and mitigation phases.

To move beyond conceptual claims and verify the impact of the high-level cognitive layers, an ablation study was conducted. We compared the performance of the baseline integrated pipelines (Level 1) against the full architecture including the cognitive engine (Level 2).

As shown in the results (Table 2), the baseline combination of pipelines (Network + Tech) achieved an F1-score of 0.94. However, the introduction of UEBA and Correlation Rules (Level 2) provided a significant reduction in the False Positive Rate (FPR) from 0.58% to 0.49%. This improvement is attributed to the system’s ability to filter out non-malicious operational drifts, such as recipe changes or scheduled maintenance, which base detectors often misinterpret as anomalies.

Furthermore, the Zero Trust Policy engine improved the response time by an average of 0.1 s (from 1.3 to 1.2 s). By pre-defining “trusted zones” and “least privilege” communication paths, the system can prioritize alerts from critical assets and bypass heavy computation for clearly unauthorized access attempts, leading to faster mitigation and reduced “alarm fatigue” for the operator.

The most significant result of the experiments is the confirmation of the hypothesis regarding the synergistic effect achieved by combining the network and technological data processing pipelines. The integration of these approaches made it possible to reach an F₁ score of 0.95 with an average response time under 1.2 s, significantly outperforming traditional gradient boosting algorithms and classical machine learning models (Abhishek and Singh, 2023).

The Byte2Image CNN + LSTM architecture demonstrated a strong ability to detect low-level anomalies in network traffic, including polymorphic attacks and data manipulation in PLC/SCADA channels (Kravchik and Shabtai, 2018; Lin et al., 2022). Meanwhile, the AE + LSTM pipeline, focused on analyzing technological time series, showed high accuracy in forecasting normal operational modes and detecting hidden deviations in equipment performance (Gauthama Raman et al., 2021; Holdbrook et al., 2024). Thus, the multidomain approach has proven effective in providing comprehensive observability of industrial environments.

An important aspect confirming the novelty of the study is the analysis of the impact of the cognitive correlation layer. This layer, which implements the intelligent integration of the technological cycle context, user behavior profiles (UEBA), and SIEM rules, enabled a reduction of false positives by nearly 25% compared to purely neural network-based models.

Reducing false alarms is critical in industrial environments, where such events can lead to production line shutdowns and financial losses (Knowles et al., 2015; Zhao et al., 2022; Dietz and Pernul, 2020). This result shows that cognitive correlation not only enhances system accuracy but also creates an adaptive feedback mechanism capable of dynamically adjusting response thresholds according to the current state of the production network (Kantharaju et al., 2024). It ensures resilience to network drift and sensor degradation.

From a theoretical standpoint, the results confirm the validity of applying a multidomain approach and a probabilistic risk model (Anthi et al., 2021; Tuptuk et al., 2021; Inoue et al., 2017). Using a model that links event intensity, priority, and asset state enables a shift from reactive detection to predictive risk management.

The developed architecture fully complies with international standards such as IEC 62443 and ISO/IEC 27019, as well as harmonized Kazakh national standards (ST RK ISO/IEC 27001-2022 and ST RK GOST R 56939-2016) (Nisar et al., 2022; Zhang et al., 2023; Qureshi et al., 2024). This ensures its applicability to critical infrastructure. The incorporation of Zero Trust principles (Tariq et al., 2019; Homaei et al., 2024) enables proactive response aligned with modern cybersecurity requirements.

The practical significance of the system lies in its modularity and readiness for integration into existing Security Operations Centers (SOC). The pseudocode and modular structure (Config, IngestAndNormalize, RiskModel, AdaptiveThreshold) facilitate deployment on edge nodes (Edge Computing), ensuring scalability and minimal latency (Gauthama Raman et al., 2021; Kravchik and Shabtai, 2018).

The results also emphasize the potential of digital twins for enhancing security. Using a bakery plant digital twin not only for verification but also as a tool for model training and testing allowed the identification of rare attack scenarios not present in standard datasets (Zhang et al., 2023).

Future research directions include expanding the system’s cognitive layer, particularly through the integration of graph neural networks to analyze complex interdependencies between assets (Kantharaju et al., 2024), and employing cyber threat ontologies for automatic event interpretation and adaptive reconfiguration of defense scenarios.

We acknowledge that the reliance on older datasets (UNSW-NB15, CIC-IDS2017) combined with simulated OT data may not fully capture the complexity of zero-day exploits in 2026. Furthermore, “data drift” (e.g., sensor aging or recipe changes) remains a challenge. Future work will focus on implementing online learning mechanisms to update the AE + LSTM model parameters dynamically without stopping the production line, ensuring the system adapts to long-term operational shifts.