Review of Cyberattack Implementation, Detection, and Mitigation Methods in Cyber-Physical Systems

Abstract

With the rapid proliferation of cyber-physical systems (CPSs) in various sectors, including critical infrastructure, transportation, healthcare, and the energy industry, there is a pressing need for robust cybersecurity mechanisms to protect these systems from cyberattacks. A cyber-physical system is a combination of physical and cyber components, and a security breach in either component can lead to catastrophic consequences. Cyberattack detection and mitigation methods in CPSs involve the use of various techniques such as intrusion detection systems (IDSs), firewalls, access control mechanisms, and encryption. Overall, effective cyberattack detection and mitigation methods in CPSs require a comprehensive security strategy that considers the unique characteristics of a CPS, such as the interconnectedness of physical and cyber components, the need for real-time response, and the potential consequences of a security breach. By implementing these methods, CPSs can be better protected against cyberattacks, thus ensuring the safety and reliability of critical infrastructure and other vital systems. This paper reviews the various kinds of cyber-attacks that have been launched or implemented in CPSs. It reports on the state-of-the-art detection and mitigation methods that have been used or proposed to secure the safe operation of various CPSs. A summary of the requirements that CPSs need to satisfy their operation is highlighted, and an analysis of the benefits and drawbacks of model-based and data-driven techniques is carried out. The roles of machine learning in cyber assault are reviewed. In order to direct future study and motivate additional investigation of this increasingly important subject, some challenges that have been unaddressed, such as the prerequisites for CPSs, an in-depth analysis of CPS characteristics and requirements, and the creation of a holistic review of the different kinds of attacks on different CPSs, together with detection and mitigation algorithms, are discussed in this review.

1. Introduction

Since the beginning of the millennium, there has been an exponential increase in the use of the modern computer for different forms of computation at any given time and place. Currently, many different fields of computation are focusing on cyber-physical systems (CPSs) to increase reliability, resilience, and the safety of physical processes [1,2,3]. A CPS involves the combination of several areas of science and engineering to achieve a unified task [4]. One of the widely used definitions of a CPS is the “integration of calculation and physical process, which involves embedded computers, network monitoring and controlling the physical process”. The physical processes are usually engineering processes in systems such as bio-medical systems, defense systems, electrical power systems, process control in chemical and mechanical engineering systems, and transportation systems [5,6,7,8,9]. A cyber system often involves 3C technology (communication, computation, and control) with a feedback loop to the physical system. With a feedback loop, real-time communication, usually two-way, is achieved to monitor and control the physical system in a safe and reliable way. Generally, a CPS has actuators, sensors, and other communication links/protocols that interface with the physical system. They are mostly supervised by a supervisory control and data acquisition (SCADA) system or other dedicated control centers [10,11]. A SCADA system oversees the high-level management and control of the CPS. In early SCADA systems, communication was usually between a few devices via telemetry, which allowed for regulated access to information between linked devices in a CPS [12]. These SCADA systems were known as “monolithic” SCADA systems because of the closed communication network that was usually adopted [13,14]. As the use of the internet has increased in recent years, “networked” SCADA systems were developed. A networked SCADA system can be hosted on local area networks (LANs) or wide area networks (WANs) to exploit information technology (IT) for dedicated communication [15]. For example, in smart grids, for a typical CPS, measurements such as voltage, current, and frequency are collected from physical plants by the sensors and transmitted via remote terminal units (RTUs) to the SCADA system that hosts various control architectures; signals are sent back to different actuators in the physical plant for efficient and safe operation [16]. A CPS involves a heterogeneous integration of subsystems with physical and network characteristics. The open communication structure of a CPS allows for tampering, falsification, delay, invasion, and other kinds of attack on the data transmission that may affect the physical operation of the system [17,18,19]. These cyber-attacks are a major concern in terms of the safety, reliability, resilience, and security of a CPS. The impacts of an attack on a CPS can range from service disruption and theft, to equipment damage and information theft, as well as, in more severe cases, the loss of lives.

Over the years, several kinds of attacks have been successfully launched on various CPSs. The passport control system at the Istanbul Ataturk airport was attacked by hackers, which led to the delay and cancellation of flights [20]. The David–Besse nuclear plant in Ohio was attacked by the Slammer worm from a contractor’s system. The worm initiated a denial of service attack on the control system. The impact of the worm led to the deactivation of the safety and protection devices for about 6 h [21]. In 2007, the code-named “Aurora” attack was launched on a generator control system. This led to the continuous tripping of the protection devices, which caused a loss of synchronization between the generator and grid. It was reported the Aurora attack caused an explosion at the generator that was valued at $1 million [22]. Another successful cyber-attack with significant impact is the Ukraine attack that caused a major blackout affecting over 220,000 customers for several hours [23]. In 2009, two industrial control systems—Pacific Energy Resources, California, and Energy Future Holdings, Texas—were attacked by two ex-staff members. They attacked the leak detection system of the marine oil plant and energy forecast system of the nuclear plant, respectively [24]. In 2012, Aramco, Saudi Arabia, and RasGas, Qatar, were attacked by malware that caused significant disruptions in the generation of energy and affected business processes. An attack on a SCADA-based water CPS that caused usual behaviour in the system is reported in [25]. The attack affected the pump and caused a denial of service of the central control system. Even after the control software was reinstalled, the pumps continued to change their configurations erratically until an engineer discovered that it was a cyber-attack carried out about three months after the initial attack was launched by the attacker [24]. For health-based CPSs, attacks can be programmed on devices such as pacemakers, neurostimulators, and other embedded computers that can be programmed wirelessly [26]. It was demonstrated that implantable defibrillators can be reconfigured without permission. In 2009, an employee of the Carrell Clinic, Texas installed malware that granted remote access to the control of the heating, ventilation, and air conditioning (HVAC) system of the clinic [26]. Several other attacks have been reported in the transportation and defense sectors [27].

These cyber-attack incidents have alerted governments to the severe impacts of these attacks. Thus, various ways to ensure the security of CPSs have been enacted. For example, the National Institute of Standards and Technology (NIST) provides regulation for the security of cyber systems [28,29]. Additionally, the International Society of Automation (ISA) provides the regulation for cyber-based industrial process control systems [30]. Researchers continue to investigate the various loopholes in modern CPSs that make them vulnerable to cyber-attacks. This begins with the identification of attacks, then moves forward to impact assessments of the identified attacks, and concludes with mitigation strategies for these attacks. While several reviews have been conducted in the areas of cyber-attacks and CPSs, they do not provide a holistic review of the different kinds of attacks on different CPSs, together with detection and mitigation algorithms. To fill this gap, this review article presents a survey of cyber-attacks on various CPSs, the implementation of these attacks from a hacker’s perspective, and defense (detection and mitigation) strategies from the defender’s perspective.

A comprehensive literature search method was adopted in this review. The keywords “Cyberattack” and “ Cyber-physical systems” were used to carry out the initial search on Google Scholar to obtain articles that were not necessarily reviewed, which including journal and conference papers. Other journal and conference databases, such as IEEE-Xplore, Science Direct, Web of science and Researchgate, were searched for peer-reviewed journal and conference papers and other specialized publications. The initial search returned 3200 articles; the articles that were returned were screened using titles not related to the subject and articles not written in English, thereby excluding 258 articles. Some web pages and duplicates were further eliminated, thereby excluding 278 articles. Further elimination based on dates was carried out; the year range of choice was 2013–2023, and the total number of relevant articles for review was 169.

The remainder of this paper is organized as follows: Section 2 discusses the basic features and requirements of a typical CPS; in Section 3, cyberattack detection, mitigation, and strategies are presented; Section 4 provides attack implementation and mitigation from an industrial perspective; Section 5 discusses the current challenges and future directions in CPS security; and Section 6 provides the conclusion.

2. Cyber-Physical Systems: Characteristics and Requirements

As previously mentioned, CPSs are an integration of physical systems with a cyber system to create a heterogeneous system. The cyber components of the CPS guarantee the intelligent, secure, resilient, and safe operation of the physical system. Nowadays, most CPSs are internet enabled and use an open-access communication network [31]. This open communication network characteristic make them highly vulnerable to cyberattacks and other malicious activities. The actuators and sensors in the physical system receive and send signals or measurement data from the SCADA system, control centers, and distributed controllers for real-time monitoring and control [32]. In this section, the essential characteristics or requirements of CPSs are discussed, because they are the targets for attackers.

2.1. Safety

Safety is essential, and it is one of the most important features of a CPS. The safe failure fraction (SFF) is defined by IEC 61508 as a confirmation of safety-related system fail-safes. This decides the safety integrity level (SIL) for safe operating functions using a risk-based approach [33]. IEC 61508 is regarded as a basic safety standard for the industry. Other standards were developed using risk acceptance, risk analysis, and hazard criteria (such as ISA 84/IEC 61511) and are in operation [34]. The intra-relationships within the CPS, the inter-relationships between the CPS and the environment, and the inter-relationships between the CPS and the users, are the root causes of safety issues [35]. Safety in a CPS is assessed by identifying assets, analyzing vulnerabilities, and measuring and evaluating probable damage [33].

2.2. Availability

The availability requirements ensure that only authorized users and systems have access to certain CPS features at all times. For a CPS, the availability of measurement data and signals from the control systems, the actuators in the physical plant, and the operator’s room, including the communication devices, is important. Availability may be controlled more strictly compared to IT systems, where delays may have minor consequences. In CPSs, a delay in the availability of data may be as a result of a successful attack on the system [30].

2.3. Integrity

Integrity refers to the authenticity of the data and information that are being routed to the CPS. The transmitted data or message should be trustworthy and without compromise from unauthorized or malicious systems or users. The violation of data integrity in a CPS poses a threat to the safety of the the physical system or its environment [36,37]. The risk of data manipulation in a CPS is high; thus, some CPSs, such as those using smart grids, use a bad data detection scheme to ascertain the integrity of measurements, such as voltage and frequency, received from the power system.

2.4. Security

The security requirement of CPSs is very important, because the cyber system in a CPS structure represents the vulnerability of the entire system to malicious activities. CPS cybersecurity has been identified as a critical issue that must be continually addressed to ensure a secure and safe system. The NIST [38], ISA [39], National Infrastructure Protection Plan (NIPP), and IEEE 1402 [40,41], are amongst the several organizations working on the continuous development of the security requirements of CPSs.

2.5. Timeliness

Based on the real-time operation of CPSs, it is important that the data and information are generated and transmitted in real-time for the system to function properly [42]. Delay in the transmission and processing of data in a CPS can have varying degrees of consequence in a CPS.

2.6. Confidentiality

The confidentiality requirement in a CPS refers to the protected access of information only to authorized systems or users [36]. In IT systems, confidentiality in achieved by encrypting or protecting the information with passwords or security keys by the sender, and only authorized or dedicated systems can successfully decrypt the information. However, in a CPS, since the timeliness of data is a crucial requirement, the encryption and decryption processes do not take precedence over data availability. Therefore, methods to protect the transmitted data from external parties without compromising timeliness in the CPS are active areas of research.

2.7. Authentication and Authorization

The authorization requirement refers to prohibiting access to intruders or unauthorized persons to the system. In a CPS, authorization differentiates legal and illegal access to other CPS requirements such as data integrity, confidentiality, and availability. However, authentication refers to the process to ascertain the legitimate identity of the different communication agents within the CPS [43].

3. Cyber-Attack Detection and Mitigation Methods

Various techniques for detecting and mitigating cyber-attacks have been reported. Existing detection techniques may be categorized broadly as model-based detection or data-driven detection schemes, as illustrated in Figure 1. On the basis where state estimation is used in the detection process, model-based detection techniques may be divided into estimation-based and estimation-free approaches. In this section, the various model-based detection approaches are reviewed.

3.1. Model-Based Methods

A system is often described using a state–space form when using model-based methodologies. Methods that are based on estimation are used in order to monitor the status of the system and provide analytical redundancy for the purpose of attack detection [44]. The most recent advancements in the following methods are surveyed and include the following: (1) the Kalman Filter (KF) [45,46]; (2) the Sliding Mode Observer (SMO) [47,48]; and (3) the Unknown Input Observer (UIO) [49,50].

3.1.1. Kalman Filter (KF)-Based Methods

The Kalman filter (KF) is an iterative mathematical process that executes an optimal predictor–corrector-type estimator by minimizing the estimated error covariance when certain presumptive requirements are satisfied. There are numerous attack detection algorithms that are derived from the standard KF; these include, but are not limited to, the following: an extended Kalman filter (EKF); an unscented Kalman filter (UKF); an adaptive Kalman filter (AKF); and a constrained Kalman filter (CKF). The literature indicates that hybrid implementations of these methods have been successful. To detect a false data injection attack (FDIA) in a power system CPS, a novel attack detection approach was reported in [51]. This used integrated model-based and data-driven methods. The proposed model implemented the AKF and convolutional neural networks (CNN). As a consequence of the capability of attackers to execute an FDI attack at any location in the system, a study [52] analysed the performance of a system under the risk of potential FDIAs on sensors, actuators, and physical systems, both individually and in their combined locations. The study considered the following seven attacks:

• Compromised actuator;
• Compromised physical system;
• Compromised sensor;
• Compromised actuator and physical system;
• Compromised actuator and sensor;
• Compromised physical system and sensor;
• Compromised actuator, physical system, and sensor.

The impact on the security of the system under the above-mentioned attacks was analyzed. The system was modelled as a discrete linear time-invariant system with white Gaussian noise. The system incorporated both an attack detector in the form of a chi-square detector and a KF as a state estimator. A chi-square detector can reliably identify DoS attacks and other random attacks. The process measurements are sent to the system estimator equipped with a chi-square ($x^2-detector$), and the output of the estimator provides input to the physical system. Simulation results have indicated the attacker’s ability to generate errors that are bounded in certain scenarios, while in other cases, the errors can be unbounded. The effectiveness of the model was demonstrated by comparing the results with those of previous studies [53,54,55,56].

The process state and measurement of the KF-based system can be described as follows:

$$\left\{\begin{array}{c}{x}_{k+1}=A_k{x}_k+B_k{u}_k+w_k\hfill \\ y_k=C_k{x}_k+v_k.\hfill \end{array}\right.$$

(1)

The process state vector is $x_k$, where $k\in \mathbb{N}$ is the time step. $x_k\in {\mathbb{R}}^n$, $u_k\in {\mathbb{R}}^p$, and $y_k\in {\mathbb{R}}^m$ are the state, control variable, and measurement vectors, respectively. $w_k$ is the process noise, and $v_k$ is the measurement noise, which is white Gaussian noise with covariances Q and R that satisfy the requirements $E[w_k{w}_j^T]={\delta }_{kj}{Q}_k$, $E[v_k{w}_j^T]={\delta }_{kj}{R}_k$, $E[w_k{v}_j^T]=0$ and ${\forall }_k$, $j\in \mathbb{N}$. The time update using the KF is given by the following:

$$\left\{\begin{array}{c}{\widehat{x}}_{k|k-1}^{{}^{\prime }}=A_k{\widehat{x}}_{k|k-1}^{{}^{\prime }}+B_k{\widehat{u}}_{k|k-1}^{{}^{\prime }}\hfill \\ P_{k|k-1}=A_k{P}_{k-1}{A}_k^T+Q_k.\hfill \end{array}\right.$$

(2)

The state estimation is updated using the following:

$$\left\{\begin{array}{c}{K}_k=P_{k|k-1}{C}_k^T{\left(C_k{P}_{k|k-1}{C}_k^T+R_k\right)}^{-1}\hfill \\ {\widehat{x}}_k^{{}^{\prime }}={\widehat{x}}_{k|k-1}^{{}^{\prime }}+K_k\left(y_k-C_k{\widehat{x}}_{k|k-1}^{{}^{\prime }}\right)P_k=(I-K_k)P_{k|k-1},\hfill \end{array}\right.$$

(3)

where ${\widehat{x}}_{k|k-1}^{{}^{\prime }}$ is the prior estimate of the system at the time step k with the error covariance $P_{k|k-1}$. $K_k$ is the KF gain, ${\widehat{x}}_k^{{}^{\prime }}$ is the posterior estimate, and $P_k$ is the error covariance. The residue signal ${\widehat{z}}_k^{{}^{\prime }}$ and the state estimation error $e_k^{{}^{\prime }}$ are defined by the following:

$${\widehat{z}}_k^{{}^{\prime }}\triangleq y_k^{{}^{\prime }}-C_k{\widehat{x}}_{k|k-1}^{{}^{\prime }}$$

(4)

$$e_k^{{}^{\prime }}\triangleq x_k^{{}^{\prime }}-{\widehat{x}}_k^{{}^{\prime }}.$$

(5)

Considering a steady-state KF where $P_{k|k-1}$ and $K_k$ are constants, the error covariance matrix and KF gain are computed as follows:

$$P_k\triangleq \underset{k\to \infty }{lim}{P}_{k|k-1}$$

(6)

$$K_k\triangleq P_k{C}_k^T{\left(C_k{P}_k{C}_k^T+R_k\right)}^{-1}.$$

(7)

In the steady state, the value of $P_k$ is obtained by solving the discrete-time Riccati equation [52,57]. Consequently, the estimated state equation can be rearranged to yield the following:

$${\widehat{x}}_{k+1}^{{}^{\prime }}=A_k{\widehat{x}}_k^{{}^{\prime }}+B_k{\widehat{u}}_k^{{}^{\prime }}+K_k\left(y_{k+1}^{{}^{\prime }}-C_k\left(A_k{\widehat{x}}_k^{{}^{\prime }}+B{\widehat{u}}_k^{{}^{\prime }}\right)\right)$$

(8)

$${\widehat{x}}_{k+1}^{{}^{\prime }}=A_k{\widehat{x}}_k^{{}^{\prime }}+B_k{\widehat{u}}_k^{{}^{\prime }}+K_k{z}_{k+1}^{{}^{\prime }}.$$

(9)

The estimated state is sent to the controller to optimize the cost function, which is determined by the following equation:

$$J=min\underset{T\to \infty }{lim}\frac{1}{T}E\left[\sum _{k=0}^{T-1}\left(x_k^{{}^{\prime }T}G\right)x_k^{{}^{\prime }}+u_k^{{}^{\prime }T}H{u}_k^{{}^{\prime }}\right],$$

(10)

where G and H are positive weight matrices [58], and $u_k^{{}^{\prime }}$ is the controller output. The controller gain can be calculated from the following:

$$L=-{\left(B_k^{T}F{B}_k^T+H\right)}^{-1}{B}_k^{T}F{A}_k^T,$$

(11)

where F is the solution of the Riccati equation, which is defined as follows:

$$F=G+A_k^{T}F{A}_k-A_k^{T}F{B}_k\left(H+B_k^{T}F{A}_k^T\right).$$

(12)

Finally, the $x^2$ detector is used for FDIA detection. In the absence of an attack, the system residue has a zero-mean and covariance defined as $(C_k{P}_k{C}_k^T+R)$. A threshold value of $n>m$ is given as input to the detector, where its computation yields the degree of freedom, and $E[z_k^{{}^{\prime }T}{\sum }_z^{-1}{z}_k^{{}^{\prime }}=m]$. In the absence of an attack, the value of $x^2$ is greater than n; otherwise, the value of $x^2$ is less than n. With the proposed model, seven different FDIA were detected, which demonstrated the effectiveness of the proposed model. The KF and the $x^2$ detector were used in [59] to investigate the performance deterioration of CPSs confronted by stealthy FDIAs.

There is no doubt that the hybrid detection method of the KF and detector is an effective technique of attack detection; however, in [60], the KF was adopted for state estimation, and the Euclidean detector was emploted for the FDIA of a smart grid. A Euclidean detector was proposed to overcome the limitations of the detector outline [61]. From the results, it was evident that the Euclidean detector could effectively detect sophisticated injection attacks.

3.1.2. Sliding Mode Observer Methods

A conventional state estimate controller has the capability to confine the system to a bounded domain; however, the system cannot converge to its original state. The variable structure control system, such as a sliding mode control, can be implemented in a CPS to mitigate the discrepancy between the actual plant and the mathematical model, which may result from disturbances. The sliding mode strategy forces the state of a system towards a manifold, from which state dynamics and estimation errors slide toward the origin of the state space [62,63]. This regulates the system’s state when controlling the system and forces the state estimates toward their actual value, all within a finite amount of time and in the presence of uncertainties and disturbances. In the presence of a fault or disturbance, the SMO-based observer generates a sliding motion on the error to provide state estimates that approximate the actual output [64]. Therefore, the system dynamic behavior may be modified by the selection of the switching function. Subsequently, the closed-loop response becomes entirely insensitive to uncertainties in the system; hence, we have the robustness of the SMO [65,66].

The authors of [67] conducted a study that examined the reliability of an ASMO on a smart grid under an FDIA. The cyberattacks targeted the CPS through the actuators. The SMO error detection model was established, followed by the model for estimating the actual attack signal, which formed part of the attack reconstruction model. The reconstructed signal and the state signal were implemented in the proposed ASMO to eliminate the adverse effects of the FDIA. The proposed control strategy was evaluated in a power system with three generator buses and six load buses. The simulation results demonstrated that the proposed control technique was superior to existing results in securing the system against malicious attacks. Subsequently, in [68], the sliding mode observer was implemented in an improved approach to detect cyber attacks on power systems. The study explored the challenge of automatically detecting cyber attacks in CPSs, especially when an attacker has corrupted some state variables. Timeliness and accuracy are two characteristics that the proposed adaptive sliding mode observer ASMO-based detector must satisfy in order to perform detection and response operations that are both efficient and effective. The ASMO-based detector was equipped with parameter adjustment using a differential evolutionary algorithm. In contrast to existing techniques, the proposed methodology detected unknown attack vectors and modified the parameters to detect attacks quickly and accurately. On an IEEE-39 bus system under state attack, a conventional SMO-based detector and the ASMO-based detector were implemented for a comparative study. Based on the simulation results, the SMO-based detector did not yield accurate detection for the random attack vector. However, the ASMO-based detector showed $100\%$ accuracy. Based on the vulnerability of conventional distributed secondary control, a DC microgrid in [47] incorporated a distributed sliding mode observer (DSMO) in its secondary control scheme. Several cyber-attacks on a communication-based hierarchical control system were presented in [69]. The simulations of the proposed model were carried out on a 48 V DC microgrid with four distributed energy resources (DERs) controlled by the DSMO-based secondary control system. The DSMO detected and compensated for the false signals with the control variables of the secondary control to eliminate the adverse impact under various types of attacks. The effectiveness of the controller was demonstrated by the experiments carried out on a 48 V DC microgrid with two DERs.

Based on a second-order SMO and a hybrid logic dynamic model, a technique for detecting open-circuit faults of a sensorless inverter was presented in [70]. However, the chattering issue of the SMO was quite severe. This encouraged a study, as reported in [71], which proposed a method of diagnosing inverter anomalies under DoS attack. The proposed control strategy incorporated the internal estimation and SMO to improve the convergence speed of the SMO and reduce chattering, thus increasing the robustness of the fault diagnosis system. The linear system is similar to (1) but can be written as follows:

$$\left\{\begin{array}{c}\widehat{x}\left(t\right)=Ax\left(t\right)+\theta Bu\left(t\right)+Dv\left(t\right)\hfill \\ y\left(t\right)=Cx\left(t\right),\hfill \end{array}\right.$$

(13)

where $A\in {\mu }_{n\times n}$, $B\in {\mu }_{n\times 1}$, $C\in {\mu }_{1\times n}$, and $D\in {\mu }_{n\times q}$ are matrix constants. $x\in {\mathbb{R}}^n(x\left(t_0\right)=x_0)$, $x\in \mathbb{R}$, and $y\in \mathbb{R}$ are the state variable, input variable, and output variable, respectively. $v\in {\mathbb{R}}^q$ is the upper and lower bounds of both known and unknown disturbances, and $\theta$ is an uncertain parameter, and its upper and lower bounds are known as $\theta \in [{\theta }_{-},{\theta }_{+}]$. The state output of the initial system can be estimated more accurately through the convex weighted sum upper and lower bound SMO estimator. The sliding mode gain $K_s$ is given by the following:

$$K_s>\frac{{\left|\right|D\left|\right|}_{v_{min}}+{\left|\right|D\left|\right|}_{v_{max}}}{\left|\right|C\left|\right|}.$$

(14)

Considering the upper and lower bound SMO expressed in

$$\left\{\begin{array}{c}{\widehat{x}}^{{}^{\prime }+}\left(t\right)=A{\widehat{x}}^{+}\left(t\right)+{\theta }^{+}Bu\left(t\right)+E(y-C{\widehat{x}}^{+}\left(t\right))+K_s(sgn(y-C{\widehat{x}}^{+}\left(t\right))+D{v}_{max}\hfill \\ {\widehat{x}}^{{}^{\prime }-}\left(t\right)=A{\widehat{x}}^{-}\left(t\right)+{\theta }^{-}Bu\left(t\right)+E(y-C{\widehat{x}}^{-}\left(t\right))+K_s(sgn(y-C{\widehat{x}}^{-}\left(t\right))+D{v}_{min},\hfill \end{array}\right.$$

(15)

the weighted estimator of the state $x\left(t\right)$ is defined as follows:

$$\widehat{x}\left(t\right)=\alpha {\widehat{x}}^{-}\left(t\right)+(1-\alpha ){\widehat{x}}^{+}\left(t\right),$$

(16)

where $\alpha$ is the weighting factor:

$$\alpha =\frac{y-C{\widehat{x}}^{+}}{C({\widehat{x}}^{-}-{\widehat{x}}^{+})}.$$

(17)

When $\alpha$ = 0, the estimated value of the interval SMO is equivalent to the estimated value of the upper bound SMO. Subsequently, when $\alpha$=1, the estimated value of the interval SMO is equal to the estimated value of the lower bound SMO. Thus, the hybrid logic model of the inverter developed in [71] can be given as follows:

$$\left\{\begin{array}{c}i=Ai+\theta Bu+Dv\hfill \\ y\left(t\right)=Ci.\hfill \end{array}\right.$$

(18)

The upper and lower bound SMO of (18) can be described by the following:

$$\left\{\begin{array}{c}{\widehat{i}}^{{}^{\prime }+}=A{\widehat{i}}^{+}+{\theta }^{+}Bu+E(y-C{\widehat{i}}^{+})+K_s(sgn(y-C{\widehat{i}}^{+})+D{v}_{max}\hfill \\ {\widehat{i}}^{{}^{\prime }-}=A{\widehat{i}}^{-}+{\theta }^{-}Bu+E(y-C{\widehat{i}}^{-})+K_s(sgn(y-C{\widehat{i}}^{-})+D{v}_{min}.\hfill \end{array}\right.$$

(19)

Hence, the real-time estimate of the system can be obtained from the following equation:

$$\widehat{i}=\alpha {\widehat{i}}^{-}+(1-\alpha ){\widehat{i}}^{+}.$$

(20)

The observations from the simulation demonstrate that the technique is highly effective for the detection of inverter DoS attacks.

3.1.3. Unknown Input Observer Methods

A variety of factors necessitate many plants to be modeled with disturbances. Conventional observers have a Luenberger structure that requires the utilization of all input signals to get an estimate of the state vector. This makes the implementation of such observers more challenging. Hence, this constraint makes them inefficient for a wide variety of applications. In contrast, unknown input observers (UIOs) treat uncertainty and disturbance as unknown inputs, thereby allowing them to be approximated and exploited in closed-loop control and to operate in real-time [18,72]. Thus, their use in attack detection applications becomes more feasible.

A fault detection problem was addressed in [73] for non-linear continuous-time multi-agent systems with external disturbances and random time-varying delay. External perturbations and errors caused by other agents were designated as unknown inputs and separated into two components to overcome the UIO’s rigorous rank requirements. Based on the established numerical model and simulation results, system faults were efficiently detected, and the residual signal was resilient against disturbances.

An innovative UIO-based sensor detection technique for an MG with various types of energy sources was presented in [72]. The load fluctuations and output power variations were modeled as unknown inputs. The simulation results provided a measure of the model’s degree of accuracy. The results illustrated the sensor’s ability to detect various types of sensor faults and the robustness of the isolation scheme.

Three novel methods for estimating unknown inputs were developed in [74]; the success of each technique was contingent on the configuration of the system’s unknown inputs. A UIO was developed in [75] as a mechanism for state estimates of the load frequency control (LFC) loop of a power system that considered renewable energy sources as unknown inputs. A new UIO that is able to yield the asymptotic system state estimate and unknown input reconstruction concurrently through an interval observer was developed in [76].

In [19], the authors presented a secondary frequency control, which is a hybrid-based control strategy. The UIO was implemented in a standalone MG for state estimation, cyberattack detection, and reconstruction. In order to reduce the degree of frequency variation that the cyberattack may have driven, a type-2 fuzzy logic system was implemented. The stand-alone MG model can be represented in a state–space form and is similar to (1) and (13):

$$\left\{\begin{array}{c}{X}^{{}^{\prime }}\left(t\right)=AX\left(t\right)+BU\left(t\right)+Ed\left(t\right)\hfill \\ Y\left(t\right)=CX\left(t\right),\hfill \end{array}\right.$$

(21)

where A, B, C, and E are the state, input, output, and disturbance matrices, respectively. X, U, and d are the state, known input, and unknown input or disturbance vectors, respectively. The proposed UI model was defined with the following variables: $Z\left(t\right)$ is the state vector of the UIO, and $\widehat{X}\left(t\right)$ is the estimated state of the MG. The parameters N, G, Q, and H are matrices that describe the estimation characteristics of the UIO. The state estimation error must satisfy the following condition in the presence of unknown inputs:

$$\underset{t\to \infty }{lim}e\left(t\right)=X\left(t\right)-\widehat{X}\left(t\right)=0.$$

(22)

Consider the first derivative of (22), which is given by the following:

$$\dot{e}\left(t\right)=\dot{X}\left(t\right)-\dot{\widehat{X}}\left(t\right)=0.$$

(23)

Expanding $\dot{e}\left(t\right)$ yields the following:

$$\begin{array}{cc}\hfill \dot{e}\left(t\right)=& \left(A-HCA-QC\right)e\left(t\right)+\left(N-(A-H{C}_1{A}_1-QC)\right)Z\left(t\right)\hfill \\ \hfill & +\left(Q_2-(A-HCA-Q_{1}C)\right)Y\left(t\right)+\left(T-(I-HC)\right)BU\left(t\right)\hfill \\ \hfill & +\left(HC-I\right)Ed\left(t\right),\hfill \end{array}$$

(24)

which must satisfy the following:

$$\begin{array}{cc}\hfill & H={\left(CE\right)}^{-1}E,T=I-HC,N=A-HCA-Q_{1}C,\hfill \\ \hfill & Q_2=NH,Q=Q_1+Q_2.\hfill \end{array}$$

(25)

If all the eigenvalues of N are stable, then $e\left(t\right)$ will approach zero asymptotically. Thus, (24) can be reduced and expressed as the following:

$$\begin{array}{c}\hfill \dot{e}\left(t\right)=Ne\left(t\right).\end{array}$$

(26)

The necessary and sufficient conditions to be satisfied for the UIO are the following:

• $rank\left(CE\right)=rank\left(E\right)$;
• ($C,P$) is a detectable pair, where $P=A-E{\left({\left(CE\right)}^{T}CE\right)}^{-1}{\left(CE\right)}^{T}CA$.

3.1.4. Model-Based Machine Learning Methods

The basic principle of model-based machine learning methods is to develop a typical custom model that is specifically designed for particular applications. Examples of model-based machine learning methods are given in [77,78,79]. Machine learning methods are discussed further in Section 3.2.2.

3.1.5. Advantages and Disadvantages of Model-Based Methods

Memory is an essential resource for data-driven detection algorithms, since the process of monitoring a large number of training samples demands the use of extensive amounts of the resource. The key advantage that model-based detection algorithms provide over data-driven detection algorithms is their independence from the historical dataset, which is a necessary requirement for data-driven detection algorithms. The substantial amount of computing complexity required for each measurement sample obtained is a major hindrance. When an iterative process that has potential divergence concerns is involved, the severity of this issue is amplified significantly. As a direct consequence, the algorithm scalability is adversely affected. The most significant disadvantage of using model-based algorithms is the requirement for both the system parameters and a model. The performance of this detection method might be compromised by any slight inaccuracies in these parameters.

Table 1. A summary of model-based methods and their detection accuracies.

Reference	Method	System	Attack Type/Mode	Attacked Element	Detection Accuracy/Rate	Measures
[80]	EKF	Automotive Systems	DoS FDIA	Path Tracking: control of autonomous vehicles	High	Detection and isolation
[81]	KF	Industrial Control Systems (ICS)	Zero-Alarm	Sensor	90 %	Detection
[82]	Sliding Mode Observer	Power Systems	FDIA	Load Frequency Control System	High	Detection and isolation
[83]	Optimal Sliding mode observer	Magneti-Tape-Drive Servo System	FDIA	Actuators	High	Detection
[84]	UI Interval Observer-Based	Smart Grid	FDIA	Smart Sensor	-	Detection and isolation
[49]	UI Observer-Based	DC Micro-Grid	FDIA	Phasor Measurement Unit (PMU)	-	Detection and isolation
[85]	Distribution System State Estimation (DSSE)	Power System	Generic	-	High ≈ 100%	Detection
[86]	Sliding Mode Observer	Generic Sub-System	FDIA	Sensor	-	Detection and mitigation
[87]	Weighted Least Square (WLS)	Smart Grid	FDIA	-	High	Detection
[88]	Watermarking	Control System	DoS	Sensor Attack	High	Detection

briefly summarizes the different model-based techniques discussed in the reviewed literature. The next section will review data-driven methods, which have the advantage of being model-free.

3.2. Data-Driven Methods

Data-driven methods are model-free, i.e., the detection process of an FDIA involves neither models nor system parameters, unlike the model-based methods. Data-driven methods can be divided into three main groups based on the data used to detect the FDIA in a smart grid. These are the following [87]:

• Data mining methods.
• Machine learning methods.
• Other methods outside of 1 and 2.

3.2.1. Data Mining Methods

These methods are applied to large datasets to discover patterns. Data measurement variables received from a particular system can be processed to draw inferences about data patterns or hidden features using data mining methods. The data mining method is an interdisciplinary field, because it is interconnected with machine learning methods and statistics. The authors of [89] explored the data mining methods in Twitter’s Smart Living Environments to address security issues using nearly one million tweets collected under the user-generated data (UGD) framework. These were subjected to a random forest classifier, logistic regression, a multinomial naïve Bayes classifier, and a support vector classifier under the sentiment analysis.

Tomasevic et al. [90] explored data mining methods to investigate the performance of students during exams. This was done to discover high-risk students who were on the verge of dropping out from a particular course to forecast their final exam scores. It was discovered that demographic data did not give sufficient forecasting accuracy, but past performance data and student engagement data gave high precision when fed into artificial neural networks.

Salo et al. [91] conducted a review to detect intrusion systems using data mining methods. The research gap that established the efficiency of the classifiers in identifying network traffic intrusions when aging datasets are used for training was observed. Mughal [92] reviewed the tools and algorithms used in web data mining techniques. Different web data mining types, which help to find informative data from increasingly large and difficult web domains, were described.

Data mining techniques were used in educational environments as described in [93]. These techniques help better understand student results, interests, and behavior. The work reviewed more than 100 documents, analyzed 7 domains, and discussed 12 data mining techniques used to solve, understand, and analyze problems in an educational environment.

Data mining techniques were applied in the study reported in [94] to identify significant features in forecasting heart disease. The study developed prediction models for heart disease using a combination of seven classification techniques: logistic regression, naive Bayes, support vector machine, vote (a hybrid method involving logistic regression and naive Bayes), neural network, decision tree, and k-NN. The forecasting of the survival of heart failure patients was improved when using data mining methods and synthetic minority oversampling techniques [95]. For effective prediction, the study used nine classification models: support vector machine, extra tree classifier, random forest, logistic regression, decision tree, gaussian naive Bayes classifier, gradient boosting classifier, stochastic gradient classifier, and adaptive boosting classifier.

The study reported in [96] integrated data mining algorithms into the PostgreSQL management system. The induction rule and decision tree data mining algorithms were analyzed in the process. This resulted in higher results and response time. Decision making for predicting student performance in the university admission systems was investigated using data mining methods in [97]. The applicants’ early academic performance outcomes were predicted with high precision based on some pre-admission criteria such as general aptitude test scores, scholastic achievement admission test scores, and high school grade averages.

3.2.2. Data-Based Machine Learning Methods

In data-based machine learning (ML) methods, machines can be trained to do complex tasks; ML algorithms are data-driven and, therefore, depend largely on the data input from the system to enhance the learning of the machine. Based on the learning procedures of the machine, ML can further be classified as unsupervised learning, supervised learning, and reinforcement learning methods. These methods are reviewed below.

Unsupervised Learning Method

This machine learning method clusters and analyzes unlabeled data to find hidden patterns and classifications without the necessity of human intervention. The machine classifies the data points according to their hidden structures, thereby discovering false data injection algorithms (FDIA), because their data classes should be different from that of normal data in smart grids. Examples of unsupervised learning methods are the hidden Markov model (HMM), probabilistic neural network (PNN), deep belief network (DBN), isolation forest (IF), hierarchical clustering (HC), principal component analysis (PCA), fuzzy clustering (FC), and k-means clustering (KMC). The KMC methods is popular in classification problems, where it works by separating into k clusters and the s observed variables. The cluster prototype, which is the nearest mean, dictates which observation s belongs to a particular cluster k. For n samples s of mean ${\phi }_i$ in k sets y, the minimization problem, is defined as follows [87]:

$$\underset{y}{arg\; min}\sum _{i=1}^k\sum _{s\in y_i}\left|\right|s-{\phi }_i{\left|\right|}^2,$$

(27)

where $y_i$ is the set with mean ${\phi }_i$. Although this method is very sensitive to sample noise, its advantage is embedded in its simplicity. In FC, a sample could be a subset of many clusters with diverse grades, thereby leading to a more elaborate clustering process and giving rise to overlapped clusters with well-defined boundaries. HMM is a unique time series model used in FDIA detection for predicting sample models [98]. PNN is a form of feedforward neural network (FNN), which is much faster than multilayer perceptron networks. It is mostly used in classification problems and pattern recognition [99]. In DBN, the time for training the network can be reduced by setting the initial weights as the learned weights and later turning it into a generatively pre-trained deep neural network (DNN) by backpropagation [100]. IF, which is a collection of different isolation trees, is acknowledged as an outlier detection method. With more dimensional datasets, there is a higher possibility of more isolation trees in IF. Because anomalies, such as false data, are usually different from other data, the IF method can isolate them, since there are few of them [101]. In summary, each of these methods is unique despite giving similar results.

Supervised Learning Methods

This machine learning method clusters and analyzes labeled data to find hidden patterns and classifications. This is done with human aid. Thus, each output has a link to a particular input. Examples of supervised learning methods are linear regression (LR), random forests (RF), decision tree (DT), extended nearest neighbor (ENN), k-nearest neighbor (KNN), the extreme learning machine (ELM), autoencoder (AE), artificial neural networks (ANN), and the support vector machine (SVM). LR models, which are known to be simple and straightforward to implement, highlight a connection between independent variable x and dependent scalar variable $f\left(x\right)$ so that the following is obtained [102]:

$$f\left(x\right)=wx+b,$$

(28)

and minimizing, using the least square method, gives the following:

$$\underset{w,b}{min}\sum _i{\left(f\left(x_i\right)-(w{x}_i+b)\right)}^2,$$

(29)

where b and w represent the bias and weight vectors, respectively.

DT models predict their outputs by mapping samples to their targets. The DT learns by creating subsets from input variables. The DT is easy to construct but has the problem of overfitting [103]. RF models have been developed to overcome the problems of overfitting in neural networks by using ensemble learning. Several DTs can be combined to form an RF. The mean and mode values of individual tree classifications lead to the classification of the RF [104].

In the KNN method, a sample is assigned to the class of the nearest possible k-neighbor by the classifier. The assigned class is determined by the Euclidean distance between the prelabeled sample $s_j$ and the unlabeled sample $s_i$:

$$d_{i,j}=\left|\right|s_i-s_j{\left|\right|}_2.$$

(30)

The classification of the new sample is determined by the lowest distance between the prelabeled samples and the unlabeled sample. The disadvantages of this technique are the prelabeled sample density and distribution [105]. The ENN method was designed to overcome these disadvantages by considering local neighbors of the class and the global distribution to predict the class of the new sample [106].

An AE is a neural network providing nonlinear solutions by decoding and encoding sample variables. When the error between the network input and the decoded sample exceeds a threshold level, an alarm is triggered, which results in the detection scheme. The limitation of this technique is the extensive training time required [107]. Meanwhile, the ELM method was designed to overcome this disadvantage such that the biases of the hidden layers and input weights of ELM are randomly chosen [108].

The ANN was inspired by the working principles of the biological brain [109]. It is used to approximate, estimate, and classify functions [110]. An ANN can have one or multiple hidden layers [111,112]. The output produced by an ANN depends on the activation function, bias, and input weighted sum to the neuron [113].

A convolutional neural network (CNN) does not adopt the matrix multiplication that is generally used, but instead uses the convolution at the layers. It has found wide application in image processing and pattern recognition because of its ability to obtain different characteristics from samples [114].

The deep neural network (DNN) is another neural network method with a high level of precision due to its multiple hidden layers [115].

An SVM is a binary-based non-probabilistic linear method that is based on two parallel hyper-plane boundaries that yield the following:

$$w^T\left(\varphi \right)s_i+b=+1,\mathrm{if}{y}_i=+1$$

(31)

$$w^T\left(\varphi \right)s_i+b=-1,\mathrm{if}{y}_i=-1,$$

(32)

where samples $s_i$ are mapped by function $\varphi (.)$ to a linearly separable space, b is the offset constant, and w is the hyperplane orthogonal normal vector. The limitations of an SVM are the requirement for extensive training time and the choice of the kernel function, while its simplicity of implementation is its major advantage [66].

Semi-Supervised Learning Method

Semi-Supervised learning predicts the output using labelled data; it also learns the larger data distribution shape using unlabelled data. Semi-Supervised learning also has applications in cybersecurity, as shown in [116,117,118].

Reinforcement Learning Methods

In this method, the previous experiences of the machine help it to chart a new course that leads to optimal action. This is achieved through the trial-and-error method, which leads to a series of fruitful choices in the reinforced process by solving the problem in an appropriate manner [119].

3.2.3. Advantages and Disadvantages of Data-Driven Methods

Advantages

The advantages of data-driven methods as compared to their model-based counterparts include the following [120,121,122,123]:

• It has a more powerful ability to select informative samples.
• Although its training is slower, its prediction is faster.
• Its dependence on prior assumptions and human experiences is low.
• It is more efficient to run computationally and simple to implement.
• It depends on the I/O data and does not depend on the prior knowledge of the system in question.
• Updating the model with changing conditions over time is straightforward.

Disadvantages

Its comparative disadvantages include the following [120,121]:

• Designing a good data-driven network architecture is a huge task.
• Its statistical and physical meaning may not be very clear.
• It usually requires considerable amounts of sample data for training.
• The availability of sufficiently large empirical and historical data determines the confidence level of its predictions.
• In some instances, such as the case of a new component or system, obtaining historical data may be difficult. Some cases may require a long time and expensive tests to generate the required data.

Table 2. A summary of data-based methods and their detection accuracies.

Reference	Method	System	Attack Type/Mode	Attack Parameter	Detection Accuracy/Rate	Measures
[124]	Dynamic-Estimator- Based Cyber-Attack Tolerant Control (CTC)	Power Systems	Generic (malware attacks, password attacks, phishing attacks, and SQL injection attacks)	-	Estimation error $\approx {10}^{-17}$; norm order $\approx {10}^{-34}$, which is $\approx 0$.	Detection and isolation
[125]	Federated Learning, (Gated Recurrent Units and Random Forest)	Vehicular Sensor Networks (VSN)	Intrusion	Car Hacking: Attack and Defense Challenge 2020 dataset.	99.52% and 99.77%	Detection
[126]	Short Circuit Analysis	Industrial Power Plants	Short-Circuiting	Equipment (transformer, breaker, generator, etc.) security breach	High	Detection
[127]	Parallelized Database Approach	Healthcare Systems	Malicious transactions, damage	Damage assessment	High	Detection and isolation.
[128]	Retrospective Impact Analysis	National Health Service (NHS)	WannaCry attack, ransomware attack.	Missed appointments, deaths, and fiscal costs attributable to the ransomware	High	Detection
[129]	A Hybrid Deep Random Neural Network	Industrial Internet of Things (IIoT)	Generic	Two IIoT security-related datasets	98% and 99%	Detection
[130]	Survey	Unmanned Aerial Vehicles (UAV)	Channel jamming, message interception, deletion, injection, spoofing, etc.	Cyberattack counter-measures	-	Prevention, detection, and mitigation
[131]	Unified Architectural Approach	Industrial Control Systems (ICSs)	Generic	Cyberattack resilience	High	-
[132]	Controller Switching	Process Control System (PCS)	Multiplying the data communicated over the link by a factor	Control system and attack-sensitive parameters	High	Detection
[133]	AI Engine, Two-Fold Feature Selection, and Hyper-Parameter Optimization	Network Traffic System	Intrusion	Binary attack, synthesized atypical attack flows	90%	Detection

briefly summarizes the different model-based techniques discussed in the reviewed literature.

3.3. The Role of Machine Learning Methods in Cyber Assaults

ML methods are now widely used to salvage many cyber assaults; such roles are categorized into five classes: the analysis of raw data; the management of alerts; the detection of assaults; the assessment of risk exposure; and threat intelligence.

3.3.1. Analysis of Raw Data

The cybersecurity domain deals with heterogenous systems that generate different types of raw data, such as alerts, reports, and logs. ML leverages its ability on such raw data to maximize the opportunities to provide solutions to cybersecurity problems. The more the availability of such data, the more promising the use of ML in cyber security. The benefits of such data came to the fore after several high-profile cyber-assaults. In [134], large-scale log analysis was carried out using ML, in which, out of the 800 incidents detected, 65% were discovered to be true cybersecurity incidents, whereas the non-ML methods used were only able to detect 8 incidents correctly. Likewise, in [135], DeepLog was trained on only 1% of the available data, but achieved a cybersecurity detection rate of almost 100%.

3.3.2. Management of Alerts

It is known that, with or without ML, a perfect detection system cannot be developed. Hence, ML has been used to prevent the automatic execution of actions due to incorrect predictions. Detection system outputs come in the form of alerts, and thousands of such alerts are generated in modern environments every hour [136,137]. To overcome this challenge, ML could be deployed to filter, prioritize, and aggregate the alerts into a more generalized event [138]. Significant quantities of alerts are not malicious but amount to false alarms. Such alerts could be filtered using ML; for instance, in [139], ML was able to reduce false alarms by about 75% as against about a 30% reduction of false alarms using a non-ML method. In situations where many alerts are encountered by security administrators, ML has been used to identify and prioritize the most critical alerts, as ML ranks alerts in order of sensitivity [140]. Also, large amounts of data are well managed by aggregating similar alerts, finding correlations between them, and identifying causal relationships responsible for security problems [141].

3.3.3. Detection of Assaults

Before ML methods were developed, existing cybersecurity detection methods were error-prone, time-consuming, and unable to cope with modern environments that are characterized by increasing growth. But with ML, there are fewer manual efforts, and greater accuracy is achieved [142]. This improved performance is due to ML’s intrinsic capability to learn weak signals or make up for missing data and outliers. ML analyzes large data by learning patterns, thereby identifying abnormal or irregular activities from normal or regular ones [143].

3.3.4. Assessment of Risk Exposure

ML strengthens a system by concentrating on its weak point and predicting its most likely threat. In [144], ML crafted attacks using reinforcement learning against a network intrusion detection system (NIDS), which achieved a 90% speedup as against a random attack process. In [145], the weaknesses of databases were assessed against SQL injection attacks using ML were investigated. In the study reported in [146], fake user accounts on social media were identified by correlating different sources using ML, thereby reducing such accounts by 30%.

3.3.5. Threat Intelligence

Threat intelligence acts by collecting and analyzing data for anticipated novel attacks. This is a proactive method for keeping defenses up-to-date, as reported in [147], where threat intelligence using the ML method was configured in such a way that the protection of the business with the most-critical infrastructure was prioritized. Examples where ML was used in threat intelligence can be found in [148,149,150,151].

4. Industrial Review

There have been several published studies on industrial cyber-attacks, but there is a need for publication of more up-to-date and relevant research. Ref. [152] presented the results of attack simulations published between 1999 and 2019 and highlighted the steps taken that resulted in successful attacks. The results garnered eleven key contributions and different implementation methods for attack simulations. However, the methodology for constructing a fully unified view of attack simulation remains unclear.

In [153], the IoT-based cyber-attack paths to critical industrial services and infrastructure were assessed in a risk-like manner to determine their current threat and to explore mitigation methods for different application domains.

An exploration of machine learning techniques regarding the stability and security of power systems was carried out in [154]. A comprehensive review of the studies using machine learning methods for the stability and security of the power systems was carried out. In particular, dynamic security assessment, power quality disturbance, and cyber-attack detections were focused on. The limitations, contributions, and methodologies of the test systems, datasets, and classifier designs were highlighted.

Setola itet al [155] presented the behavior of process-engineering-based cyber-attacks. Some relevant approaches, which are useful for protection against industrial control systems, were considered.

In [156], a cyber-attack detection model for industrial control systems was developed using an ensemble deep learning method. This constructed a balanced representation for the problem of the imbalanced nature of industrial control system datasets. The model helps improve the security of the network in preventing critical failures in the industrial control system against cyber-attacks.

The authors in [157] reviewed and defined industrial cyber-physical systems from a cyber-security viewpoint. Real-life industrial cyber-physical system incidents were evaluated using multi-dimensional adaptive attack taxonomy. In [158], the manufacturing sector was the focus of the review of cyber-security problems in critical infrastructures in the industries. The study helped in developing strategies for modeling cyber-security objectives for the mitigation of the effects of cyber-attacks on industrial control system infrastructures.

In [159], the authors proposed a key component kit in an industrial control system as a robust cyber-attack detection method using false data injection techniques in nuclear power plant settings. In the study reported in [160], cyber-security standards were reviewed, and roadmaps were provided to implement, converge, map, align, and identify the right strategies and standards for securing Industrial Internet of Things machine-to-machine communications.

Currently, in most governmental and non-governmental institutions, social, cultural, commercial, and industrial operations are executed in cyber-space. Many of these establishments are currently facing cyber-attacks. Without electronic technology, it is a big challenge to protect this data from cyber-attacks. Cyber-Attacks target industries and other establishments to cause financial, political, or military havoc [161]. The havoc could take the form of data distribution services (DDSs), knowledge breaks, and PC viruses. As a result, establishments use different solutions to protect their systems against cyber-attacks. This section is reviewed to re-emphasize the need for the awareness of industrial cyber-attacks and to showcase some recent advances in industrial prevention and mitigation methods. Researchers globally have proposed different methods, which are either in the study phase or operation phase.

5. Current Challenges and Future Directions

The integration of a CPS into critical infrastructure systems has greatly improved efficiency, accuracy, and safety. However, the dependence on a CPS has made these systems vulnerable to cyber-attacks. In this section, the current challenges and future directions of cybersecurity for a CPS are discussed.

5.1. Complexity of CPS Models

As previously mentioned, CPSs are complex systems that involve multiple components such as sensors, actuators, controllers, and software. This complexity makes it difficult to identify vulnerabilities and potential attack vectors. Additionally, the inter-connectivity of a CPS with other systems and networks further complicates the security landscape. The complexity also makes it difficult to accurately model a modern CPS for cyber-security studies. Thus, advanced modeling methods that can accurately capture the behaviour of emerging CPSs are required to guarantee the security of all components of the CPS.

5.2. Advanced Measurement and Data Collection Techniques

Typically, in prior research, the outcomes regarding detecting attacks, secure estimation, and secure control, particularly when faced with different kinds of attacks, were developed utilizing data from a single measurement device. However, this approach can lead to significant system degradation. In reality, physical systems such as robots and vehicles have redundant measurement devices that may remain available for feedback, even if some of them are compromised. For instance, mobile robots often have numerous measurement devices that provide information about the robot such as local and relative positions, angular velocity, and speed. These devices have different methods of implementation and function on multiple time scales. Consequently, it is hard for an adversary to attack all of these devices and jam all of the communication channels [60,162]. An investigation into applying multiple measurement devices and data collection techniques is worthy of future consideration [163,164,165,166,167,168]. Nevertheless, collecting and fusing data from various sensors is a complicated task, since most measurement devices operate non-simultaneously, which introduces new challenges due to the presence of different time scales.

5.3. Detection of Advanced and Stealthy Attacks

With the development of new technologies, cyber-attacks are advancing quickly. Advanced attacks have been launched successfully. Stealth FDIAs can be launched randomly and avoid detection by current detection techniques. Thus, preventing sophisticated attacks on a CPS is a difficult but necessary topic that requires further attention. In addition, the area of confidentiality attack detection has not been studied robustly compared to availability and integrity attacks detection. Given the need for privacy protection in a modern CPS, it is important to investigate the impacts on confidentiality attacks.

5.4. Standardization of Security Measures for a CPS

Inadequate security testing is another major challenge in cyber-security for a CPS. Many CPSs are tested for functionality but not for security. As a result, vulnerabilities may go undetected until an actual attack occurs. The standardization of security measures for CPSs will help reduce the complexity of developing security strategies. Standards should be developed for security controls, access controls, and incident response.

5.5. Testing of Detection and Mitigation Methods

In model-based detection and mitigation methods, key parameters such as detection thresholds and other control parameters play a very crucial role. However, the choice of these parameters largely affects the accuracy of the detection and mitigation methods. While some methods attempt to identify a trade-off between these parameters, since they have varying efficiencies, other methods may forgo one efficiency to optimize another. Hence, it is important to investigate the testing of current and future cyber-attack detection methods to analyze the performance and efficiency of the different detection and mitigation parameters. Additionally, CPSs have different characteristics that make the detection and mitigation methods only suitable to a specific CPS and undesirable for other types of CPSs. Thus, providing the appropriate performance analysis of existing and future CPSs is an area that is worthy of consideration.

6. Conclusions

Demands for improved security, operational efficiency, and environmental protection have hastened the adoption of CPSs, which are now standard features of modern businesses. Given the essential nature of the services provided by CPSs, any disruption to them might have dire effects. This highlights the difficulty inherent in designing a system that can withstand attacks. This paper presents a summary of the requirements that CPSs need to satisfy, in addition to the characteristics that they are expected to exhibit. A concise categorization of the various types of detection and mitigation strategies is provided. Furthermore, recent research on the detection and mitigation techniques of cyber-attacks in CPSs has been discussed, and models have been described. Subsequently, an analysis of the benefits and drawbacks of model-based and data-driven techniques was carried out. This paper presents a survey of the relevant industrial research. In conclusion, the limitations and opportunities for future research focuses were discussed. These are based on recent advancements.