SecHOT-GNC: Security-Oriented Hardware- and OT-Aware Graph Neural Clustering for Attack-Chain Community Detection in Industrial Fiber Manufacturing Systems

Abstract

Industrial fiber manufacturing systems increasingly rely on tightly coupled operational technology (OT) networks and heterogeneous hardware controllers, making them vulnerable to multi-stage attack chains that traverse cyber–physical dependencies. Existing graph-based security analytics often ignore hardware constraints and OT process semantics, leading to unstable communities, weak attack-chain consistency, and limited deployability on shop-floor compute. This paper proposes SecHOT-GNC, a security-oriented, hardware- and OT-aware graph neural clustering framework for attack-chain community detection in industrial fiber manufacturing. We model the plant as a multi-layer heterogeneous graph that integrates OT assets (PLCs, HMIs, drives, sensors), communication flows, process topology, and hardware attributes (resource budgets, firmware/OS class, interface types, timing constraints). SecHOT-GNC couples OT-aware message passing with a security-driven clustering objective that aligns communities with plausible attacker paths by jointly optimizing (i) attack-chain consistency, (ii) OT-process coherence, (iii) hardware feasibility under on-device constraints, and (iv) robustness to noisy/partial telemetry. The framework further produces interpretable community rationales via edge/feature attributions and yields community-level risk scores to support prioritization of defense actions. Experiments on industrial fiber manufacturing datasets and attack simulations demonstrate that SecHOT-GNC improves attack-chain community quality and stability over representative baselines, while maintaining practical inference latency and memory footprints suitable for edge/plant deployment.