Differentiation Between Faults and Cyberattacks through Combined Analysis of Cyberspace Logs and Physical Measurements

📅 2026-01-04
🏛️ arXiv.org
🤖 AI Summary
This work addresses the challenge of distinguishing between physical faults and cyberattacks in distributed energy systems, which often manifest as similar anomalies. To this end, the authors propose a Physical-Variable-Oriented Taint Analysis (PVOTA) approach that integrates network logs with physical measurements to construct a cross-domain dependency graph. A context-aware node pruning strategy is designed to enhance the graph’s interpretability, while a domain knowledge–driven pattern matching mechanism bridges the semantic gap between cyber and physical layers, enabling automated root cause inference. Experimental evaluation across four representative scenarios demonstrates the method’s effectiveness and practicality in accurately differentiating false data injection attacks, memory corruption attacks, and undetected physical faults, thereby supporting automated, cross-domain root cause localization.

📝 Abstract
In recent years, cyberattacks - along with physical faults - have become an increasing factor causing system failures, especially in DER (Distributed Energy Resources) systems. In addition, according to the literature, a number of faults have been reported to remain undetected. Consequently, unlike anomaly detection works that only identify abnormalities, differentiating undetected faults and cyberattacks is a challenging task. Although several works have studied this problem, they crucially fall short of achieving an accurate distinction due to the reliance on physical laws or physical measurements. To resolve this issue, the industry typically conducts an integrated analysis with physical measurements and cyberspace information. Nevertheless, this industry approach consumes a significant amount of time due to the manual efforts required in the analysis. In this work, we focus on addressing these crucial gaps by proposing a non-trivial approach of distinguishing undetected faults and cyberattacks in DER systems. Specifically, first, a special kind of dependency graph is constructed using a novel virtual physical variable-oriented taint analysis (PVOTA) algorithm. Then, the graph is simplified using an innovative node pruning technique, which is based on a set of context-dependent operations. Next, a set of patterns capturing domain-specific knowledge is derived to bridge the semantic gaps between the cyber and physical sides. Finally, these patterns are matched to the relevant events that occurred during failure incidents, and possible root causes are concluded based on the pattern matching results. In the end, the efficacy of our proposed automatic integrated analysis is evaluated through four case studies covering failure incidents caused by the FDI attack, undetected faults, and memory corruption attacks.

Problem

Research questions and friction points this paper is trying to address.

cyberattacks
faults
DER systems
anomaly differentiation
cyber-physical systems

Innovation

Methods, ideas, or system contributions that make the work stand out.

PVOTA
dependency graph
node pruning
cyber-physical integration
pattern matching