Water systems face sophisticated cyberattacks that endanger public health and safety; however, existing model-agnostic attribution methods (e.g., SHAP, LEMNA) fail to capture dynamic interactions between sensors and actuators, leading to inaccurate root-cause localization. To address this, we propose the first Factorization Machine (FM)-based attack attribution framework, which explicitly models both linear and second-order interactive effects among sensors and actuators for fine-grained ranking of attack sources. Evaluated on two real-world water system datasets—SWaT and WADI—the framework achieves an average 20% higher attribution accuracy than SHAP and LEMNA under multi-feature, complex attack scenarios. This advancement significantly strengthens attack provenance capabilities in industrial control systems and establishes a novel, interpretable, and deployable paradigm for cybersecurity management of water infrastructure.

Water systems are vital components of modern infrastructure, yet they are increasingly susceptible to sophisticated cyber attacks with potentially dire consequences on public health and safety. While state-of-the-art machine learning techniques effectively detect anomalies, contemporary model-agnostic attack attribution methods using LIME, SHAP, and LEMNA are deemed impractical for large-scale, interdependent water systems. This is due to the intricate interconnectivity and dynamic interactions that define these complex environments. Such methods primarily emphasize individual feature importance while falling short of addressing the crucial sensor-actuator interactions in water systems, which limits their effectiveness in identifying root cause attacks. To this end, we propose a novel model-agnostic Factorization Machines (FM)-based approach that capitalizes on water system sensor-actuator interactions to provide granular explanations and attributions for cyber attacks. For instance, an anomaly in an actuator pump activity can be attributed to a top root cause attack candidates, a list of water pressure sensors, which is derived from the underlying linear and quadratic effects captured by our approach. We validate our method using two real-world water system specific datasets, SWaT and WADI, demonstrating its superior performance over traditional attribution methods. In multi-feature cyber attack scenarios involving intricate sensor-actuator interactions, our FM-based attack attribution method effectively ranks attack root causes, achieving approximately 20% average improvement over SHAP and LEMNA.