To address insufficient robustness in anomaly detection for critical infrastructure (e.g., water treatment networks) under distributional shift and severe class imbalance, this paper proposes Causal Graph-guided Anomaly Detection (CGAD). CGAD constructs separate causal graphs—representing normal and attack states—using dynamic Bayesian networks; anomalies are quantified via topological divergence between these graphs, enabling high-accuracy detection of delayed and structural attacks. Its key innovation lies in the first application of causally invariant graph structures to dual-state modeling, enhanced by a structure-deviation metric that improves both interpretability and dynamic adaptability. Evaluated on four industrial datasets, CGAD consistently outperforms state-of-the-art methods, achieving average improvements of 12.3% in F1-score and 9.7% in ROC-AUC. These results validate CGAD’s effectiveness and robustness in non-stationary, highly imbalanced operational environments.

With the growing complexity of cyberattacks targeting critical infrastructures such as water treatment networks, there is a pressing need for robust anomaly detection strategies that account for both system vulnerabilities and evolving attack patterns. Traditional methods -- statistical, density-based, and graph-based models struggle with distribution shifts and class imbalance in multivariate time series, often leading to high false positive rates. To address these challenges, we propose CGAD, a Causal Graph-based Anomaly Detection framework designed for reliable cyberattack detection in public infrastructure systems. CGAD follows a two-phase supervised framework -- causal profiling and anomaly scoring. First, it learns causal invariant graph structures representing the system's behavior under "Normal" and "Attack" states using Dynamic Bayesian Networks. Second, it employs structural divergence to detect anomalies via causal graph comparison by evaluating topological deviations in causal graphs over time. By leveraging causal structures, CGAD achieves superior adaptability and accuracy in non-stationary and imbalanced time series environments compared to conventional machine learning approaches. By uncovering causal structures beneath volatile sensor data, our framework not only detects cyberattacks with markedly higher precision but also redefines robustness in anomaly detection, proving resilience where traditional models falter under imbalance and drift. Our framework achieves substantial gains in F1 and ROC-AUC scores over best-performing baselines across four industrial datasets, demonstrating robust detection of delayed and structurally complex anomalies.