Project: #IITM-250601-171
LLM-Augmented Behavioural and Physical-Layer Reasoning for Detecting Stealthy and Supply Chain Attacks in Cyber-Physical Systems
Cyber-Physical Systems (CPS) are a backbone of critical infrastructures across sectors such as water treatment, energy, and manufacturing. Increasing use of digital technology has led to the interconnection of computation and physical processes, and the advent of the Internet of Things (IoT) has increased the complexity of interconnected CPS. Anomalies in CPS might emerge due to cyber-attacks, malfunctions or faults. Furthermore, these systems are increasingly being targeted by sophisticated attacks, including supply chain compromises where adversaries implant malicious logic or firmware updates during the development lifecycle. Due to the critical nature of these systems and the services they provide, timely and accurate detection of these anomalies is crucial for the integrity, reliability and availability of CPS.

Existing anomaly detection solutions use model-driven or data-driven approaches to identify anomalies. Among the data-driven approaches, research works have integrated both IT data (e.g., system logs, user activity) and OT data (e.g., sensor readings, actuator states) to improve detection of anomalies. However, these methods typically rely on statistical correlations, machine learning classifiers, or rule-based systems that lack the semantic understanding needed to detect stealthy, novel threats, especially those that exhibit subtle behavioural deviations without overt indicators of compromise. In particular, cyber-attacks that target the software supply chain to tamper with the firmware or CPS software bypass security checks and cause significant damage to these systems. It has also been proposed that human experts need to be involved in the loop to identify anomalies that existing methods might miss.

This research proposes a novel framework that leverages the semantic reasoning capabilities of Large Language Models (LLMs) to detect cyber-physical anomalies by aligning software behaviour with physical-layer outcomes, in order to detect such complex supply chain attacks. Unlike prior IT/OT fusion approaches, which correlate disjointed events across domains, the proposed method aims to combine the LLM knowledge base with the temporal, causal, and functional relationships between system commands, sensor feedback, and actuator states to detect anomalous system behaviour. The main aim of this work is to detect stealthy threats that might show normal physical behaviour while subverting underlying control logic.

The main objectives are: (1) to construct time-aligned and state-aware cyber-physical behaviour traces from publicly available CPS datasets; (2) to develop a multi-modal input generation pipeline to obtain LLM responses; (3) to develop few-shot and fine-tuned LLM workflows that detect inconsistencies between intended commands and observed physical effects; and (4) to generate human-understandable explanations of suspected anomalies, including hypotheses about compromise origin (e.g., supply chain or insider threat).

Existing methods, such as the use of LLMs for automated physical invariant extraction and ensemble learning in ICS anomaly detection, demonstrate the increasing viability of advanced AI in this space. However, these methods often remain narrowly scoped, do not model causality, or focus solely on offline learning. In contrast, the proposed framework offers a unified model for behaviour-aware threat detection that can adapt to unseen anomalies and explain them in natural language. By bridging cyber and physical layers through LLM-based reasoning, this research advances the field toward trustworthy, transparent, and adaptive CPS security.