Abstract Photovoltaic (PV) plants increasingly operate as software-defined cyber-physical systems, where firmware updates, remote supervision, and digital control loops expand the attack surface. A key challenge for practical monitoring is the scarcity and diversity of labelled cyberattack traces: PV systems run predominantly under normal conditions, while faults and intrusions are rare and continually evolving. This work presents a topology-aware, graph-attentive one-class framework for physics-based cybersecurity monitoring in PV systems. We represent operating samples as nodes of a multiscale k -nearest-neighbour graph and learn a compact manifold of normal behaviour with a Graph Attention Autoencoder regularised by (i) robust reconstruction, (ii) SVDD-style latent compactness, and (iii) graph smoothness. Anomaly detection uses an ensemble score that combines reconstruction discrepancy and latent-space deviations, yielding a stable decision function across heterogeneous cyber-physical perturbations. We evaluate the approach on Photo-Set, a benchmark dataset for physics-based PV cybersecurity monitoring. Across the available Photo-Set test datasets, the proposed model provides strong ROC and precision–recall characteristics and competitive (often superior) F ₁ and MCC relative to Isolation Forest, One-Class SVM, and Local Outlier Factor. We discuss failure modes on subtle scenarios, ablations that isolate the contribution of graph construction and latent regularisation, and practical guidance for deployment in resource-constrained monitoring pipelines.
Greco et al. (Sat,) studied this question.