Cyber–Physical Resilience: Evolution of Concept, Indicators, and Legal Frameworks

Abstract

The protection of critical infrastructures (CIs) from cyber–physical threats and natural hazards has become increasingly vital in modern society, which relies heavily on the essential services provided by these infrastructures. The European Union has emphasized the importance of this issue by deploying a comprehensive policy package in 2022, including the NIS2 and CER Directives. This paper explores the concept of resilience in critical entities and essential services from a cyber–physical perspective. It addresses the inherent complexity of CIs and discusses challenges, limitations, and future research directions for enhancing their protection in line with EU policies. Furthermore, it introduces a conceptual model of resilience, outlining its analytical dimensions, and reviews current resilience indicators and corresponding assessment frameworks.

1. Introduction

Modern societies widely depend on cyber–physical critical infrastructures (CIs), which are a combination of physical resources and network and information systems. The disruption or destruction of CIs would seriously influence countries’ ability to provide services that are essential to the economy, health, and security activities that affect their population and society [1]. That includes, for example, energy [2,3] or communication systems [4], water distribution [5], and healthcare services [6]. Any disruption in these infrastructures may have severe consequences. For instance, a power failure could trigger a water crisis, disrupt communication networks, and ultimately affect critical medical services, leading to significant economic losses and potential loss of life.

Critical infrastructures face various threats, traditionally categorized into physical and cyber. Physical and cyber threats have been extensively studied as stand-alone; given the fact that these threats, in the current context, reveal themselves and lead to multiple impacts in different dimensions [7], this article will focus on the cyber–physical resilience of complex CIs and entities. Cyber–physical threats can originate from multiple sources and encompass various factors, such as natural disasters, industrial accidents, or malicious activities, such as cyber or terrorist attacks that can interrupt the business and operations of CIs. Given the complementarity of these dimensions, cyber–physical resilience refers to the technical and organizational measures aimed to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from an incident stemming from physical and/or cyber threats.

Due to their complicated and interrelated nature, the resilience of critical entities is a crucial task. The need recently became eminent for a much more holistic approach that relates to the design of how infrastructure should be operated and designed for resilience, despite obvious requirements following catastrophic events and disruptions (such as 9/11 [8], the 2006 European blackout [9], the 2011 Tohoku earthquake in Japan [10], and the recent COVID-19 pandemic [11]).

Since 2004, the Council of Europe and the European Commission have been actively involved in developing strategies and policy packages [12] aimed at enhancing the protection of critical infrastructures in the European Union. In 2013, after almost a decade of work and acquaintance around protection was achieved [13,14], the same institutions promoted new policies and strategies aimed at embracing the concept of prevention, preparedness, and response [15]; therefore, critical infrastructures located in the EU could prepare to deal with even the most devastating event or disaster [16]. The mentioned issues underscore an urgent need for enhancing resilience through identifying innovative ways to manage the concerned vital systems, along with policy formulation activities in the domain of CI protections. This was the main motive to conduct the current state-of-the-art review. In this light, the following research questions are designed to conduct the research:

RQ1:

How has the concept of resilience evolved in the context of cyber–physical complexities, and what is the current consensus?

RQ2:

What are the existing state-of-the-art indicators and methods available to assess and enhance resilience?

RQ3:

What are the most significant and emerging cyber–physical threats to critical infrastructures?

RQ4:

What is the impact of current European policies and initiatives on the security and resilience of critical infrastructures?

Addressing the research questions, this article offers the following contributions:

• Conceptual Evolution of Resilience: Provides a comprehensive synthesis of how the concept of resilience has evolved within cyber–physical systems, highlighting the shift from static robustness models to dynamic, adaptive, and systemic resilience frameworks.
• Assessment Methodologies: Reviews and classifies existing resilience indicators and assessment methods, emphasizing the need for standardized, real-time, and probabilistic models suitable for cyber–physical contexts.
• Threat Landscape Mapping: Identifies and categorizes emerging cyber–physical threats to critical infrastructures, including AI-driven attacks, supply chain vulnerabilities, and systemic risks arising from interdependencies across sectors.
• Policy and Governance Analysis: Evaluates the impact of key European policies such as the NIS-2 and CER Directives on critical infrastructure resilience, revealing gaps in harmonization, enforcement, and liability frameworks.
• Cross-Cutting Insight—Human–Machine Resilience: Proposes a novel research direction focusing on the integration of human oversight within automated resilience systems, bridging technical resilience with operational decision-making.
• Future-Oriented Contribution: Recommends the development of large-scale digital twin environments for resilience testing, enabling realistic simulation of cyber–physical threats and cross-sector cascading effects.

The remainder of this paper is structured as follows: Section 2: Material and Methods—This section outlines the methodology used to perform a state-of-the-art review, including literature selection criteria and the structure of the analysis of resilience measures. Section 3.2: Definitions and Terminology—This section elaborates on the relevant key terms and concepts related to critical infrastructure protection, resilience, and cyber–physical systems. Section 3: Results and Discussion—This section presents the results of the literature review and in-depth study, discusses the current measures of resilience. Section 4: Conclusions and Potential Future Studies—This section concludes by highlighting key insights, implications for policy and practice, and suggesting directions for future research.

2. Methodology

To conduct a comprehensive state-of-the-art review on resilience studies in the domain of cyber–physical systems, we implemented the approach in Figure 1 for data collection.

Identification of Relevant Papers: We performed a search in the two major academic databases, Scopus (Available online: https://www.elsevier.com/solutions/scopus, accessed on 13 August 2024) for the scientific and research documents and Google Scholar to include relevant EU Directives that are not indexed. It was chosen for its quality, reliability, and comprehensive coverage, which includes the majority of documents published in other databases like WOS and IEEE. Additionally, it provides advanced search capabilities that allow for precise searches based on various criteria, which are crucial for identifying specific studies relevant to a field of interest [17]. Finally, its support for interdisciplinary research by covering multiple fields makes it particularly valuable for comprehensive reviews that address various aspects of a topic [18]. Therefore, it is an essential tool for conducting thorough and effective state-of-the-art reviews.

Search queries: The search queries ($Q_i$, i = 1 to 4) were designed as follows:

Q1

TITLE-ABS-KEY (resilience AND (“Cyber*Physical” OR Complex System*)) Over 10,000 documents were initially identified; however, more than 2000 articles were not even cited one time (some after 10 years). On the other hand, many articles mentioned “resilience” superficially—often only in the abstract due to its trendiness—but this study focused on a more impactful subset. Specifically, only articles cited over 100 times were selected for review, resulting in a refined corpus of 273 publications.

Q2

TITLE-ABS-KEY ((resilience AND Protection) AND “Critical Infrastructure”) A total of 593 documents were identified; however, the majority exhibited a recurring issue—while the term “resilience” appeared in the abstract, it was not meaningfully discussed or even mentioned within the main body of the text.

Q3

TITLE-ABS-KEY ((Protection) AND “Critical Infrastructure”) Over 3000 documents were initially identified; articles cited over 100 times were selected for review, resulting in a refined corpus of 64 publications.

Q4

TITLE-ABS-KEY (resilience AND (“Critical Infrastructure” OR “critical entity”) AND (“Cyber*Physical” OR complex AND system*) AND (directive OR regulation OR policy))

Refined by:

• Document Types: (Article or Review or Book)
• Languages: (English)
• Subject Areas: (LIMIT-TO (SUBJAREA, “ENGI”) OR LIMIT-TO (SUBJAREA, “COMP”) OR LIMIT-TO (SUBJAREA, “SOCI”) OR LIMIT-TO (SUBJAREA, “ENVI”) OR LIMIT-TO (SUBJAREA, “DECI”) OR LIMIT-TO (SUBJAREA, “ENER”) OR LIMIT-TO (SUBJAREA, “BUSI”) OR LIMIT-TO (SUBJAREA, “MATE”) OR LIMIT-TO (SUBJAREA, “ECON”) OR LIMIT-TO (SUBJAREA, “MEDI”) OR LIMIT-TO (SUBJAREA, “AGRI”) OR LIMIT-TO (SUBJAREA, “MULT”))
• Timespan: All years (Until the search was conducted in June 2024 for the current article)

360 documents found.

The initial three search queries (Q1–Q3) were employed to establish the theoretical foundation of resilience by identifying relevant literature on resilience, infrastructure, and related state-of-the-art methods and measures. The results of these queries offered a thorough understanding of the existing knowledge and theoretical frameworks related to resilience. Subsequently, the fourth search query (Q4) was employed to collect articles for the state-of-the-art review, in addition to documents relevant to European Union directives on critical infrastructure resilience, protection, and cybersecurity [19,20,21,22,23,24]. This approach ensured that the review incorporated not only the academic and theoretical perspectives but also practical and regulatory insights from the EU’s regulatory framework.

3. Results and Discussion

3.1. Bibliometric Analysis of Cyber–Physical Resilience Research

A total of 360 documents were identified from the fourth query and reviewed for information extraction and synthesis. The collected data are used in the subsequent sections to extract academic and practical insights. Figure 2 illustrates the primary subject areas of these articles, with engineering and social sciences comprising the largest proportions.

Figure 3 illustrates that the initial article on this topic was published in 2004, highlighting that the subject is relatively recent. The sharp increase in the number of articles published over time indicates a growing trend and heightened interest in this field. This significant upward trend underscores the increasing relevance and importance of the topic in current research and practice.

Figure 4 displays the geographical distribution of research on cyber–physical critical infrastructure resilience based on the fourth search query. The data indicates that the topic is of significant importance in the United States and the United Kingdom, followed by Italy and Germany, with China also contributing notably. However, when analyzing the results from the second search query, Figure 5, which focuses on critical infrastructure protection without accounting for the cyber–physical aspects, a different trend emerges. Despite the USA leading in the overall number of studies, Italy and Germany have individually published more articles, suggesting a potential gap in addressing the cyber–physical nature of emerging threats to critical infrastructures. Furthermore, when considering the entire European Union as a single entity, the ranking shifts, revealing that the EU has the highest volume of research in this domain, followed by the USA and the UK.

The bar chart in Figure 6 shows the top funding organizations contributing to the documents analyzed, with the European Commission and the National Science Foundation being the most significant contributors, each supporting over 20 documents.

The dataset. including 360 articles, was exported to a CSV file for Bibliometric Analysis. The dataset. including 360 articles, was exported to a CSV file for Bibliometric Analysis (The data are stored in a private repository and can be made available upon request by contacting A.A.A.). The file contains information about various publications, including authors, titles, years, cited by counts, and references. To perform a co-citation analysis, we will focus on the “References” and “Cited by” data to identify connections between works. The top 10 most cited papers from dataset are shown in Table 1.

Cosine similarity is used to create clusters based on how often documents were co-cited. Then, a co-citation network was built. The clusters were identified using connected components, grouping documents that were strongly linked, resulting in 10 distinct clusters. For naming the clusters, we applied the TF-IDF algorithm [25,26] to the document titles and keywords within each cluster, extracting the top three keywords to summarize the main themes. These keywords were used to generate descriptive names that reflected the content of the documents in each cluster. The constructed co-citation clusters in Figure 7 represent groups of works that are conceptually related, as they are often cited together by subsequent research.

Table 1. Most cited works in resilience and critical infrastructure studies.

Title	Authors-Reference	Year	Cited by
Challenges in the vulnerability and risk analysis of critical infrastructures	Zio E. [27]	2016	322
Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: Games-in-games principle for optimal cross-layer resilient control systems	Zhu Q.; BaŞar T. [28]	2015	315
Understanding Compound, Interconnected, Interacting, and Cascading Risks: A Holistic Framework	Pescaroli G.; Alexander D. [29]	2018	213
Resilient control systems: Next generation design research	Rieger C.G.; Gertman D.I.; McQueen M.A. [30]	2009	194
Probabilistic framework to evaluate the resilience of engineering systems using Bayesian and dynamic Bayesian networks	Kammouh O.; Gardoni P.; Cimellaro G.P. [31]	2020	178
Resilience in railway transport systems: a literature review and research agenda	Bešinović N. [32]	2020	177
Review of major approaches to analyze vulnerability in power system	Abedi A.; Gaudard L.; Romerio F. [33]	2019	162
Complex approach to assessing resilience of critical infrastructure elements	Rehak D.; Senovsky P.; Hromada M.; Lovecek T. [34]	2019	153
Assessing and mapping urban resilience to floods with respect to cascading effects through critical infrastructure networks	Serre D.; Heinzlef C. [35]	2018	134
Performance and reliability of electrical power grids under cascading failures	Chang L.; Wu Z. [36]	2011	109

Table 1. Most cited works in resilience and critical infrastructure studies.

Title	Authors-Reference	Year	Cited by
Challenges in the vulnerability and risk analysis of critical infrastructures	Zio E. [27]	2016	322
Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: Games-in-games principle for optimal cross-layer resilient control systems	Zhu Q.; BaŞar T. [28]	2015	315
Understanding Compound, Interconnected, Interacting, and Cascading Risks: A Holistic Framework	Pescaroli G.; Alexander D. [29]	2018	213
Resilient control systems: Next generation design research	Rieger C.G.; Gertman D.I.; McQueen M.A. [30]	2009	194
Probabilistic framework to evaluate the resilience of engineering systems using Bayesian and dynamic Bayesian networks	Kammouh O.; Gardoni P.; Cimellaro G.P. [31]	2020	178
Resilience in railway transport systems: a literature review and research agenda	Bešinović N. [32]	2020	177
Review of major approaches to analyze vulnerability in power system	Abedi A.; Gaudard L.; Romerio F. [33]	2019	162
Complex approach to assessing resilience of critical infrastructure elements	Rehak D.; Senovsky P.; Hromada M.; Lovecek T. [34]	2019	153
Assessing and mapping urban resilience to floods with respect to cascading effects through critical infrastructure networks	Serre D.; Heinzlef C. [35]	2018	134
Performance and reliability of electrical power grids under cascading failures	Chang L.; Wu Z. [36]	2011	109

The size of the clusters suggests how frequently certain documents are co-cited, helping to identify different research subfields or related areas. Larger clusters, shown with orange nodes in Figure 7, indicate the highest commonality between the papers in terms of citation patterns. The articles in this cluster are shown in Table 2.

The list of clusters with their corresponding document numbers based on the analysis is shown in Table 3.

Table 2. Documents in the largest co-citation cluster with authors and publication years.

Doc	Title	Authors	Year
1	Building Resilience and Recoverability of Electric Grid Communications	Popik T.S.; Winks D. [37]	2020
2	Contextualizing resilience indicators–comparable across organizations yet specific to context	Sanne J.M.; Matschke Ekholm H.; Rahmberg M. [38]	2021
3	Systemic seismic vulnerability and risk assessment of urban infrastructure and utility systems	Poudel A.; Argyroudis S.; Pitilakis D.; Pitilakis K. [39]	2022
4	Input-output impact risk propagation in critical infrastructure interdependency	Owusu A.; Mohamed S.; Anissimov Y. [40]	2019
5	Indication of critical infrastructure resilience failure	Rehak D.; Hromada M.; Ristvej J. [41]	2017
6	City resiliency and underground space use	Sterling R.; Nelson P. [42]	2013
7	A middleware improved technology (MIT) to mitigate interdependencies between critical infrastructures	Balducelli C.; Di Pietro A.; Lavalle L.; Vicoli G. [43]	2008
8	An innovative approach for improving infrastructure resilience	Montgomery M.; Broyd T.; Cornell S.; Pearce O. [44]	2012

Table 2. Documents in the largest co-citation cluster with authors and publication years.

Doc	Title	Authors	Year
1	Building Resilience and Recoverability of Electric Grid Communications	Popik T.S.; Winks D. [37]	2020
2	Contextualizing resilience indicators–comparable across organizations yet specific to context	Sanne J.M.; Matschke Ekholm H.; Rahmberg M. [38]	2021
3	Systemic seismic vulnerability and risk assessment of urban infrastructure and utility systems	Poudel A.; Argyroudis S.; Pitilakis D.; Pitilakis K. [39]	2022
4	Input-output impact risk propagation in critical infrastructure interdependency	Owusu A.; Mohamed S.; Anissimov Y. [40]	2019
5	Indication of critical infrastructure resilience failure	Rehak D.; Hromada M.; Ristvej J. [41]	2017
6	City resiliency and underground space use	Sterling R.; Nelson P. [42]	2013
7	A middleware improved technology (MIT) to mitigate interdependencies between critical infrastructures	Balducelli C.; Di Pietro A.; Lavalle L.; Vicoli G. [43]	2008
8	An innovative approach for improving infrastructure resilience	Montgomery M.; Broyd T.; Cornell S.; Pearce O. [44]	2012

Table 3. Clustered documents with description of each cluster.

No.	Cluster	Included Docs	Description
1	Systems Engineering	Doc 9, Doc 37, Doc 97	Focuses on algorithms and system surveys in CPS research
2	Vulnerability and Seismic Risks	Doc 34, Doc 69	Deals with network analysis and seismic risk in infrastructure
3	Comprehensive Studies	Doc 187, Doc 39	Estimation methods and comprehensive studies on infrastructure
4	Businesses, Community, and Inter-dependencies	Doc 57, Doc 219	Impact of resilience in business and community settings
5	Sustainable Secure Systems	Doc 116, Doc 100	Studies on sustainable systems and their resilience post-COVID
6	Critical Infrastructure	Doc 129, Doc 166, Doc 235, Doc 302, Doc 336, Doc 241, Doc 312, Doc 186	Focuses on resilience in critical infrastructure systems
7	Resilience Network	Doc 138, Doc 140	Network resilience and analysis of vulnerabilities
8	Advances and Shortages and Multi-level Planning	Doc 192, Doc 170	Advances in resilience methodologies and addressing shortages
9	Regional Resilience	Doc 261, Doc 213	Resilience studies focusing on regional infrastructures
10	Resilience Engineering and Risk Management	Doc 218, Doc 254	Engineering solutions for critical infrastructure resilience

Table 3. Clustered documents with description of each cluster.

No.	Cluster	Included Docs	Description
1	Systems Engineering	Doc 9, Doc 37, Doc 97	Focuses on algorithms and system surveys in CPS research
2	Vulnerability and Seismic Risks	Doc 34, Doc 69	Deals with network analysis and seismic risk in infrastructure
3	Comprehensive Studies	Doc 187, Doc 39	Estimation methods and comprehensive studies on infrastructure
4	Businesses, Community, and Inter-dependencies	Doc 57, Doc 219	Impact of resilience in business and community settings
5	Sustainable Secure Systems	Doc 116, Doc 100	Studies on sustainable systems and their resilience post-COVID
6	Critical Infrastructure	Doc 129, Doc 166, Doc 235, Doc 302, Doc 336, Doc 241, Doc 312, Doc 186	Focuses on resilience in critical infrastructure systems
7	Resilience Network	Doc 138, Doc 140	Network resilience and analysis of vulnerabilities
8	Advances and Shortages and Multi-level Planning	Doc 192, Doc 170	Advances in resilience methodologies and addressing shortages
9	Regional Resilience	Doc 261, Doc 213	Resilience studies focusing on regional infrastructures
10	Resilience Engineering and Risk Management	Doc 218, Doc 254	Engineering solutions for critical infrastructure resilience

Conceptually, these clusters are linked by their common goal of enhancing the resilience and reliability of critical systems, though they approach this from different angles (e.g., control systems, game theory, urban resilience, and probabilistic models). The connections between clusters represent an interdisciplinary blending of theory, applied research, and systems engineering to address emerging risks in critical infrastructure and cyber–physical systems.

3.2. Definitions and Terminology

While the risk assessment domain of complex systems is quite mature, with standard terminology and established methods for clear communication and effective mitigation implementation in scientific and professional communities, the corresponding body of knowledge (BOK) on resilience is comparatively underdeveloped. This gap highlights the urgent need for concerted efforts to develop common terminology, definitions, and procedures in the context of critical entities. A shared conceptual framework on resilience would help to advance better practices, mutual and consistent understanding, and application of measures across diverse disciplines and sectors.

Table 4. Definitions of resilience in critical infrastructures. The CP column indicates whether or not the definition encompasses and considers cyber–physical complexity. The last column includes the publication date of each article.

No.	Definition	CP	Date
[45]	A measure of the persistence of systems and of their ability to absorb change and disturbance and still maintain the same relationships between populations or state variables.		1973
[46]	Resilience is clearly related to other configurations of environment–society relationships such as vulnerability and criticality, some of which have an explicit spatial dimension to these social processes.		2000
[47]	The ability of the system to reduce the chances of shock, to absorb a shock if it occurs, and to recover quickly after a shock (re-establish normal performance)		2003
[48]	Resiliency is defined as the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must.		2005
[49]	Resilience as the inherent ability and adaptive response that enables firms and regions to avoid maximum potential losses.		2005
[50]	Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.	✓	2009
[51]	Resilience is generally defined as the holistic ability or capacity of a system to sustain external and internal disruptions without discontinuity of the original functionality or, if discontinued, to recover fully and rapidly.		2009
[52]	The capacity of a system, community, or society potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning and structure. This is determined by the degree to which the social system is capable of organizing itself to increase its capacity for learning from past disasters for better future protection and to improve risk reduction measures.	✓	2009
[53]	The capacity to reconfigure, that is adapt, its structure (firms, industries, technologies, institutions) so as to maintain an acceptable growth path in output, employment, and wealth over time.		2011
[54]	The capacity of a civil infrastructure system to minimize performance loss due to disruption, and to recover a specified performance level within acceptable predefined time and cost limits		2013
[55]	Resilience is the capacity of a social–ecological system to absorb or withstand perturbations and other stressors such that the system remains within the same regime, essentially maintaining its structure and functions. It describes the degree to which the system is capable of self-organization, learning, and adaptation.	✓	2014
[56]	The ability to deliver a certain service level even after the occurrence of a disruptive event, such as an earthquake, and to recover the desired functionality as quickly as possible.		2014
[57]	Resilience is determined by three system capacities: the resistant capacity as the ability to prevent any possible hazards and reduce the initial damage level if a hazard occurs, the absorptive capacity as the degree to which the systems absorb the impacts of initial damage and minimize associated consequences, such as cascading failures, and the restorative capacity as the ability to be repaired quickly and effectively.		2014
[58]	Ability of an infrastructure asset to maintain its performance to serve the required functions before, during, and after the occurrence of a natural hazard.		2017
[59]	Resilience is the ability of a system, community, or society exposed to hazards to resist, absorb, accommodate to, and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions.	✓	2018
[60]	To plan and prepare for the adverse events (planification), to reduce the impact of events (absorption or resistance), to minimize the time to recovery (recovery), and to evolve through the development of specific processes (adaptability).	✓	2018
[61]	Resilience is the ability of a CIS exposed to hazards to resist, absorb, accommodate to, and recover from the effects of a hazard in a timely and efficient manner, for the preservation and restoration of essential services.	✓	2020
[62]	Resilience is the ability to limit the extent, severity, and duration of system degradation following an extreme event.	✓	2020
[63]	Resilience of an energy system is the capacity of an energy system to tolerate disturbance and to continue to deliver affordable energy services to consumers. A resilient energy system can speedily recover from shocks and can provide alternative means of satisfying energy service needs in the event of changed external circumstances.	✓	2020
[64]	Resilience is characterized by reliability, redundancy, and recoverability.		2022
[65]	Resilience is the ability of a system to deal with the impacts of unspecific and possibly unforeseen disruptive events, and that this ability comprises three pillar capacities whose quality can be extracted from performance curves.	✓	2023

lists the collected definitions of “Resilience” in the critical infrastructure domain from articles and systematic literature reviews (identified with the first and second query string in Section 2).

3.2.1. Resilience Concept Evolution

The evolution of resilience definitions in critical infrastructures over time (see Table 4) reflects a growing complexity in both the understanding of resilience and the cyber–physical systems.

Early Definitions (1970s–2000)

1973 (Holling): Resilience was initially defined as persistence and stability, focusing on the system’s ability to absorb changes and disturbances while maintaining the same relationships within the system. This early definition, developed within ecological systems, highlights a static view of resilience, emphasizing a system’s ability to stay within a stable state.

Adger [46]: The focus expanded to consider the social aspects of resilience, connecting environmental systems with societal relationships like vulnerability and criticality. The addition of spatial dimensions reflects a broader perspective, acknowledging that resilience is not just a system property but also involves human interactions.

2003–2004 (Bruneau, UNISDR): Resilience was then viewed in terms of shock absorption and recovery (Bruneau et al. [47]), emphasizing not only the ability to withstand disturbances but also to recover quickly. In 2004, UNISDR further expanded this by considering how systems, communities, or societies adapt to hazards, underscoring the learning and adaptation aspects of resilience. Organizational capacity to respond to disasters began to be emphasized as a key component of resilience.

Mid-Period (2005–2014)

2005–2011 (Allenby, Rose, Martin): These definitions introduced more complex concepts like graceful degradation (Allenby and Fink [48]), where systems can maintain functionality in the face of change but might lose some functionality gradually rather than suddenly. The focus on adaptive responses (Rose and Liao [49]) and reconfiguration (Martin [53]) indicates a shift towards understanding resilience as an active process, where systems not only resist or recover but also evolve. These definitions suggest a move away from viewing resilience as simply returning to a prior state and towards flexibility and transformation in response to disruptions.

2009–2014 (ResilienceAlliance, National Academies, Bocchini): The definitions during this period reflect a more holistic view of resilience, particularly in social–ecological systems and civil infrastructure. Resilience was seen as the ability to absorb disruptions but also to self-organize, learn, and adapt (The Resilience Alliance [55]). The National Academies’ definition (2012) places emphasis on preparation and adaptation, suggesting that resilient systems must not only withstand shocks but also prepare and evolve in anticipation of future challenges. Civil infrastructure definitions (Bocchini et al. [56]) focused on specific metrics like service delivery and functional recovery after disruptions.

Recent Definitions (2015–2023)

2018–2023 (Pursiainen, IMPROVER, Lim, Mentges): The latest definitions incorporate cyber–physical systems and the complexity of interconnected infrastructures. This includes cyber resilience, reflecting the integration of both physical and digital domains in defining what it means to be resilient. Resilience is seen as not just about recovering quickly but also about having systems that are redundant, reliable, and recoverable (Lim et al. [64]). The IMPROVER and Mentges (2023) definitions also highlight the ability to evolve and deal with unspecific and unforeseen disruptive events, representing a shift towards recognizing the importance of flexibility and innovation in resilience planning. The concept of resilience pillars (Mentges et al. [65]), which can be assessed using performance curves, shows that resilience is now considered a measurable quality that can be systematically evaluated and improved.

3.2.2. Inferences on the Evolution

From Static to Adaptive: Early definitions focused on stability and recovery to a previous state. Over time, resilience evolved to encompass not just recovery but also adaptation, learning, and self-organization. This reflects a recognition that systems cannot always return to their original state after a disruption; instead, they must adapt to new conditions.

Inclusion of Complexity: As resilience theory evolved, there has been a growing recognition of the interconnectedness of systems, particularly the integration of cyber–physical systems in recent years. This shift reflects the increasing importance of digital infrastructure and the unique vulnerabilities posed by the convergence of physical and cyber threats.

Focus on Proactivity: Modern definitions emphasize preparation, anticipation, and planning. Resilience is no longer just reactive but also proactive, focusing on building systems that can anticipate and adapt to unknown future challenges. The emphasis on redundancy, reliability, and recoverability in recent years reflects the importance of designing systems with built-in flexibility to cope with disruptions.

Broadening of Scope: Early definitions were often system-specific, but later definitions take a holistic, multi-dimensional view, encompassing social, ecological, and technical systems. The recognition that resilience operates across different domains, including human and machine networks, is a significant evolution. The introduction of quantitative metrics in recent definitions also shows a shift towards operationalizing resilience as something that can be measured, evaluated, and improved.

In sum, the definitions of resilience have evolved from a focus on stability and recovery to a more nuanced understanding of adaptation, flexibility, and proactivity. Modern resilience thinking now incorporates complex, interconnected systems, especially in the context of cyber–physical systems, and emphasizes the importance of preparedness, learning, and evolution in response to both known and unforeseen challenges. This evolution mirrors the increasing complexity of critical infrastructure and the growing awareness of the need for systems that can adapt and thrive in a rapidly changing, uncertain world.

Cyber threats that have physical impacts, referred to as cyber–physical threats, occur when a digital attack influence a system’s cyber components and causes disruptions to its physical operations. These types of attacks are particularly dangerous in critical infrastructure, where the digital and physical worlds are highly integrated.

For example, the Stuxnet attack [66] on Iran’s nuclear facilities in 2010 is a notable case. The Stuxnet worm targeted industrial control systems, specifically programmable logic controllers (PLCs), which are responsible for automating processes in physical infrastructure. The malware infiltrated the system, manipulating the physical centrifuges used for uranium enrichment, causing them to spin out of control and eventually break down—all while providing normal operational readings to the system operators. This cyber attack had a direct and devastating impact on the physical operations of the facility, demonstrating the potential catastrophic consequences of cyber–physical threats. For this reason, the next section is dedicated to reviewing cyber resilience and examines cyber threats that have had a cyber–physical impact.

Other notable examples in the energy sector include the Ukraine Power Grid Attacks (2015 & 2016), which resulted in widespread power outages affecting hundreds of thousands of homes. These sophisticated attacks exploited malware—primarily BlackEnergy and Industroyer—to compromise SCADA systems and disrupt electricity distribution networks [67,68].

Another significant case is the 2023 cyberattack on Denmark’s energy sector, which highlighted the growing vulnerability of critical infrastructure [69]. In particular, supply chain attacks have emerged as a prominent threat vector. Hackers often target third-party suppliers that have legitimate and privileged access to their clients’ IT environments, using them as entry points into otherwise secure systems. A well-known example is the 2021 ransomware attack on Kaseya, a U.S. IT management firm, which led to the compromise of hundreds of downstream clients through a single software update mechanism.

3.3. Resilience of Cyber–Physical Critical Infrastructures

The analysis of definitions of resilience in critical infrastructures reveals a broad range of perspectives, with a notable subset specifically addressing the cyber–physical (CP) complexity of these systems. Out of the definitions reviewed, 9 out of 18 (50%) explicitly consider the cyber–physical (CP) aspects of resilience. Common characteristics in definitions considering cyber–physical complexity in the definitions are synthesized, and the results are as follows:

• Adaptability and Flexibility: Definitions that encompass CP often emphasize the system’s ability to adapt to changes, absorb disturbances, and recover from disruptions. For instance, definitions by [50,55,60] highlight the system’s capacity for self-organization, learning, and adaptation, which are critical in cyber–physical systems where dynamic changes are frequent.
• Recovery and Restoration: Many definitions focusing on CP stress the importance of recovery and restoration of functionality post-disruption. Refs. [56,59] mention the need for the timely restoration of essential services, reflecting the critical nature of maintaining operational continuity in the face of cyber–physical threats.
• Absorption of Disruptions: The ability to absorb and manage disturbances is a recurrent theme. Definitions by [52,57,60] emphasize the need to handle disruptions effectively, which is crucial for systems with both physical and cyber components.

On the other hand, the repeated elements in definitions are synthesized below:

• Absorption and Adaptation: Many definitions incorporate the concept of absorbing shocks and adapting to changes as core elements of resilience. This includes the system’s capacity to manage and recover from disturbances, as noted in definitions by [50,55].
• Recovery and Restoration: The importance of recovering to a predefined performance level or restoring essential functions is frequently mentioned. Definitions by [56,59] specifically address the recovery aspect, which is essential for ensuring the continuity of critical services.
• Adaptation to Disruptions: The ability to anticipate, absorb, and adapt to disruptions is a common theme, highlighted in definitions by [60,70]. This reflects the need for resilience strategies that account for both immediate and long-term impacts of disruptions.

Definitions referring to cyber–physical complexity concentrate on adaptability, recovery, and absorption. These three features are also those that fit most closely with the intrinsic complexity of critical infrastructures, which are large, interrelated systems that couple physical with informational dimensions. The recurrence of absorbability, adaptation, and recoverability bears witness for the importance of these elements when envisaging the resilience strategies of critical infrastructures.

Despite the differences among these definitions, resilience across various disciplines can generally be defined as a scenario-based concept. Wied et al. [71] proposed a conceptual framework for analyzing the concept of resilience by addressing the following question: Resilience of what, to what, and how? Figure 8 illustrates their conceptual model.

To identify the characteristics of a resilient system, it is valuable to structure the analysis around understanding what core functions or objectives the system is meant to safeguard. This approach clarifies what aspects need to be prioritized in designing or evaluating resilience. Wied et al. [71] analyzed the resilience literature from three angles: Resilience of what, to what, and how? 

Table 5. Core questions for conceptualizing resilience.

Question	Focus
Resilience of what?	The specific system or component being analyzed
Resilience to what?	The types of disturbances or threats considered
Resilience how?	The mechanisms or strategies employed for resilience

summarizes these key aspects.

Among the various models of system resilience, the multi-phase resilience trapezoid proposed by Panteli and Mancarella [72] for power systems can be readily adapted to other types of infrastructure. This model is used widely [73,74,75,76,77,78,79,80] and illustrates how a system’s resilience changes over time in response to a critical event.

Figure 9 shows the phases and state transitions a critical infrastructure may undergo during a critical event. The three-phase model illustrates how a fully operational system is impacted when a disturbance occurs at time $t_e$. As the disruption continues, the system’s performance drops during $t_e-t_{pe}$ (Phase I), marked by a sharp decline in operational capacity. Key phases are described in

Table 6. Comparison of phases and time frames.

Phases	Time Frames	Significance	Description
Phase I	$t_e-t_{pe}$	Initial Disruption	Rapid reduction in resilience and service availability.
Phase II	$t_{pe}-t_r$	Post-Event Degraded State	Stabilization at a lower operational level.
Phase III	$t_r-t_{pr}$	Restoration	Gradual recovery of resilience and operational capacity.

.

As Panteli and Mancarella [72] describe, the performance–time curve (PTC) demonstrates the key resilience features a power system needs to handle evolving conditions during an event. Initially, the system requires robustness to withstand the event. During the post-event degraded state, features like resourcefulness, redundancy, and adaptive self-organization help minimize the impact. Finally, the post-restoration state determines whether or not the system’s resilience returns to pre-event levels, depending on the event’s severity and the resilience exhibited before, during, and after the disturbance.

The behavior of system resilience after a disturbance can exhibit non-linear patterns, reflecting the complex and unpredictable nature of recovery processes, inter-dependency with other components, cascading effects, etc. In this case, instead of a smooth, linear progression, the system’s ability to regain its original state often involves fluctuations, periods of stagnation, and even temporary setbacks. The sample curve illustrating this non-linear behavior is shown in Figure 10.

3.3.1. Cyber Resilience and Prominent Cyber–Physical Threats to Critical Infrastructure

Cyber warfare, cybercrime, cyber resilience, and cyber deterrence have already established themselves as commonly used terms within research projects [81,82,83]. It draws attention to the role of geography in state affairs and implies a new focus on the aggressive pursuit of interests worldwide [84]. The two concepts have combined to produce a subject area concerning the “geopolitics of cyberspace” [85].

The “cyber world” is embracing all the networks, computers, and software, along with the people connected to them. With these fast-moving and sometimes chaotically developing technologies and digitization, critical infrastructures are subject to transformation into cyber–physical systems [86]. Therefore, the role of computerized aspects has been characterized as more critical today than ever before, since cyber threats have come to the forefront of significant risks [87,88,89].

Given this context, the European Union considers its responsibility to be at the forefront of global digital regulation [8]. More than most countries, the EU has recently been quite active through many multilateral forums; it tries to make sure that it gets its voice heard, particularly through the United Nations and the Organization for Security and Cooperation in Europe. To this end, it aims to create a rules-based order in cyberspace by building cyber-resilient societies that respect privacy and the freedom of the internet [90].

The European Council Directive 114/08 was established to ask EU Member States to carry out an assessment to identify and designate what are known as European critical infrastructures (ECIs) [8]. One of the core principles of EU cyber diplomacy, in parallel with European critical infrastructure protection, is “collective action”, which stipulates that a unified response to a cyber attack threatens the cyber–physical critical infrastructures (CPCIs). For instance, cyber attacks targeting sensors and actuators within a critical infrastructure system constitute a cyber–physical threat [91,92].

Both prevention and incident management were enshrined in the strategy, while the so-called “cyber diplomacy toolbox” remained its major achievement [93]. The toolbox provides for a coordinated and targeted response in the event of cybersecurity threats or malicious actions against the EU or its member states [94].

Actors of Cyberspace

Since the service continuity of critical public and corporate infrastructures (CPCIs) is crucial, it is important to identify the threat actors that pose risks to these infrastructures. Figure 11 graphically illustrates the various threat actors. Threat actors can be categorized as follows [95]:

• Nation-State Actors: Government-affiliated groups that engage in cyber activities for espionage, sabotage, or disruption to further national interests.
• Cybercriminals: Individuals or groups motivated by financial gain that engage in activities such as ransomware, phishing, and data theft.
• Hacktivists: Actors promoting political, social, or ideological causes through cyber attacks.
• Insiders: Disgruntled employees or contractors with access to sensitive information who may act out of malice or personal gain.
• Terrorist Groups: Groups using cyber attacks as part of their broader strategy to instill fear or further ideological goals.
• Script Kiddies: Less skilled individuals using pre-existing tools to carry out attacks, often for notoriety or thrill.

Cyberthreats

The types of cyber attacks, often referred to as cyber threats, are as varied as the malicious actors that perpetrate them in cyberspace. These threats can range widely in their methods and impacts, targeting critical public and corporate infrastructures (CPCIs) with potentially devastating consequences [96,97]. In the following subsections, we will explore some of the most prevalent and dangerous cyber threats facing CPCIs today.

Phishing and spear phishing: Phishing is one of the most well-known cyber threats, commonly recognized even by those outside the cybersecurity profession. It is a form of social engineering where attackers attempt to deceive users into ignoring standard cybersecurity protocols and divulging sensitive information such as usernames, passwords, bank account details, or other personal data [98]. Typically, attackers send phishing emails that appear to come from trusted sources, such as government agencies, financial institutions, or even colleagues and friends. These emails often contain links that lead to fraudulent websites designed to capture the user’s personal information or install malware on their devices [99]. When the attack targets a specific individual or organization, it is referred to as “spear phishing” [100].

Distributed Denial of Service (DDoS): Distributed denial of service (DDoS) attacks against CPCIs are widely recognized [101,102]. Typically, the targets of these attacks are companies, government offices, or political entities [103]. In such incidents, cyber attackers attempt to flood the target’s server with a massive volume of requests, leading to the temporary shutdown of the organization’s website (see Figure 12). To generate such a large volume of incoming traffic, attackers utilize a vast network of previously compromised computers, also known as a botnet [104,105].

These hijacked devices, often numbering in the hundreds or thousands, are manipulated to continuously send requests to the target’s website, overwhelming the server with traffic from multiple IP addresses [103]. Nevertheless, while various methods have been developed to detect DDoS attacks against CPCIs (such as using cognitive learning [106], Game-based simulation [107], and differential e-epidemic model [108]), there remains significant scope for future research, particularly in enhancing detection capabilities through AI-based approaches.

Person-in-the-middle: Person-in-the-middle is also a relatively frequent type or malicious activity in the cyberspace. In this case, cyber actors place themselves in the middle of a two-party communication (see Figure 13). Once the attacker intercepts the communication, they filter and steal sensitive information and return different responses to the user. The victim continues to believe that he is communicating, via secure connection, with a website. Sometimes the perpetrators set up fake wi-fi networks or install malware on users’ computers or networks. Also called eavesdropping attacks [109], the ultimate goal of PITM attacks is to gain access to personal data (business, financial, or other) [110].

Masquerading Attacks: Masquerading is a deceptive cyber tactic where an attacker impersonates a legitimate user, device, or system to gain unauthorized access. This method is particularly concerning in critical infrastructure systems as it allows adversaries to exploit trust-based authentication mechanisms and bypass security controls undetected. In industrial SCADA networks, masquerading can be used to forge credentials or manipulate access privileges, granting attackers control over sensitive operational processes. Similarly, in cloud-based cyber–physical systems, attackers may spoof trusted credentials, infiltrating restricted environments without triggering immediate alarms. Another common strategy involves social engineering, where cybercriminals manipulate system operators into executing malicious commands, believing they originate from an authorized entity. By leveraging these deceptive techniques, masquerading attacks pose a significant threat to the integrity and security of critical infrastructure operations.

Other Malicious Activities: This is also constantly changing through the digitalization of practically all levels of society, which speeds up the creation of new forms of cyber threats [111]. In this respect, the threat environment is very dynamic and fast-moving, as is proven by all challenges to cybersecurity. Perhaps, among all types of malicious activities, malware represents the most pervasive and destructive type of cyber threats.

The concept of “malware” is quite broad [112,113] and covers trojans [114], backdoors [115,116], several types of viruses [117], and spyware and worms [118]. Among others, one very dangerous and harmful type of malware is ransomware [119,120], which seems to be extremely prevalent in the current digital world, and consequently it represents a serious cyber threat [121].

Ransomware attacks continue to surge after a worrying jump at the beginning of 2021. This rise has been especially fueled by the global coronavirus pandemic, through which there have been rapid increases in ransomware incidents [122], consequently leading to a rise in the average ransoms demanded from those targeted. It locks the target out of their system and files by encrypting data. In most cases, victims need to pay some kind of ransom, often in cryptocurrency such as Bitcoin, to regain access.

Intrusion Detection: Cyber defense, particularly in the context of conflicts in cyberspace, presents a range of new challenges due to the unique nature of digital technologies, which do not align with traditional conflict management principles developed during the Cold War [123].

One of the primary difficulties is intrusion detection [124] and early warning [125]. In cyberspace, adversaries, whether state-sponsored or ordinary criminals, often operate covertly, making it challenging to detect their activities. While some attacks, such as ransomware, necessitate detection to prompt a response, many intrusions are difficult to identify. Historically, cybersecurity focused on defending the system’s perimeter [126]. However, many attacks now occur internally, highlighting the limitations of perimeter-based defenses. Recent significant cyber incidents, such as the SolarWinds breach, demonstrate that sophisticated attackers can bypass external defenses and remain undetected within the system [121].

External perimeter protection tools like firewalls, secure web gateways, and antivirus solutions are no longer sufficient on their own, as noted by U.S. government agencies investigating the SolarWinds attack. There is no perfect protection; hence, intrusion detection systems (IDSs) are crucial. These systems continuously monitor the entire network, analyzing user behavior and comparing it against known attack signatures to identify potential threats.

Attribution

In the realm of cyberspace conflicts, attribution stands out as one of the most formidable challenges [127]. This process, which aims to answer the seemingly simple question of “who committed the cyberattack”, involves a thorough investigation and analysis by cybersecurity professionals. They gather evidence, establish timelines, and painstakingly reconstruct the attack’s history and profile. This forensic activity seeks to demonstrably identify the perpetrator of a cyber event or determine the individual responsible for the offensive action.

While many experts agree that attribution is indeed challenging, they contend that it is not impossible. There are often numerous clues left behind that, with meticulous effort, can help build a profile of the attacker. However, this notion is challenged by the fact that even major powers with extensive resources and knowledge rarely provide conclusive evidence when attributing attacks. Most attributions involve a degree of speculation, and the strength of the evidence is often debated, leaving it far from legally definitive or corroborative [100].

Despite these challenges, tracing the perpetrator remains a critical task for cybersecurity professionals following any cyber incident, regardless of how long the process may take—whether months or even years. Analysts focus not only on successful attacks that cause tangible damage but also on unsuccessful or aborted attempts, as these can provide valuable insights.

Forensic investigations generally proceed through several “attribution layers” [128]. The initial layer involves understanding the technical aspects of the attack, known as the tactical layer. The next layer focuses on the attack’s architecture and the profile of the attacker, referred to as the operational layer. The final layer aims to identify the responsible party and communicate the results of the investigation.

The difficulty in identifying perpetrators primarily stems from their efforts to erase all traces of their activities. One common tactic is the use of “false-flag” operations, where attackers use third parties to conceal their operations. In such cases, attackers might use the methods or software of hackers from other countries to disguise their own identity. For example, in late 2019, Russian hackers were known to have impersonated an Iranian cyber group to infiltrate networks of various government and economic targets across multiple countries. Similarly, according to U.S. experts and information leaked by Snowden and WikiLeaks, the NSA has also employed such deceptive tactics to obscure its actions.

Deterrence

During the Cold War, deterrence relied on the principle that nuclear powers would avoid attacks because of the threat of devastating retaliation. This clear and simple approach effectively maintained security.

In contrast, this deterrence model does not apply well to cyberspace. In the digital realm, attacks can go undetected or be easily denied, making it difficult to identify and retaliate against the perpetrators. Thus, traditional deterrence, which depends on clear attribution, struggles in the cyber domain.

Key issues arise from this challenge, particularly in establishing attribution and applying deterrence strategies. Effective deterrence requires identifying attackers, signaling a willingness to retaliate, and having the capability to follow through [121]. However, in cyberspace, pinpointing attackers and crafting credible threats are complex and risky, as specific threats might reveal too much about one’s own defenses [126].

Historically, Cold War deterrence included the principle of reciprocity: both sides understood that any attack would be met with retaliation, helping to maintain a tense but stable peace.

3.4. The Role of AI and ML in Cyber–Physical Resilience

Artificial intelligence (AI) and machine learning (ML) are rapidly transforming the cybersecurity landscape, offering both opportunities and challenges for the resilience of cyber–physical systems. While AI can enhance security by detecting, preventing, and responding to threats, it also introduces new attack vectors that adversaries can exploit. The dual role of AI in cyber–physical resilience necessitates a comprehensive understanding of its applications in both offensive and defensive security strategies, leading to an initial need to perform assessment aimed at carefully considering their roles and contributions.

Despite the emerging risks associated with the adoption and integration of new technologies, AI plays a crucial role in enhancing resilience against cyber–physical threats. AI-driven threat detection systems leverage machine-learning algorithms to identify anomalies in network traffic, user behavior, and system logs. These systems continuously learn from historical attack patterns, improving their ability to detect attacks and sophisticated cyber threats [129].

One of the most effective AI applications is predictive maintenance, which enhances the resilience of industrial control systems, smart grids, and transportation networks. By analyzing sensor data, AI can predict potential failures before they occur, allowing for proactive interventions that prevent costly downtimes and disruptions. AI is also transforming incident response automation, where machine-learning models enable rapid threat containment, forensics analysis, and system recovery.

For instance, in transportation infrastructures, Alqahtani et al. introduced a roadmap for enhancing the security and reliability of future transportation systems—specifically for AI-based intrusion detection systems in autonomous vehicles—providing better evaluation tools for detecting and responding to cyber threats [130]. In maritime contexts, Nasr et al. proposed the concept of a maritime security operations center (M-SOC) to enhance real-time cybersecurity for autonomous vessels and AI-based navigation systems [131]. Likewise, Hiziroglu highlighted how AI can enhance healthcare supply chains by improving efficiency, predicting demand, and automating workflows, thereby strengthening the system’s resilience during crises [132].

AI also plays a critical role in environmental resilience and disaster risk management. Rezvani et al. employed geospatial AI and open data sources to create flood risk maps for road networks in Portuguese municipalities, improving emergency planning and infrastructure protection [133]. Khairnar et al. applied Modified CANet, incorporating U-Net and LinkNet elements, for the role of deep learning in improving semantic segmentation using datasets like the Indian Driving Dataset (IDD), which presents unique challenges in chaotic road conditions [134].

Finally, in the transportation field, several works explore how digital and AI technologies contribute to sustainable development by increasing system adaptability. For instance, Eleimat et al. reviewed the role of AI in addressing evolving threats, contributing to the resilience of critical infrastructure [135].

In energy infrastructure, AI is increasingly being adopted to stabilize power grids by dynamically adjusting load distribution and mitigating cyber–physical anomalies in smart meters, substations, and renewable energy networks [136]. The integration of AI with distributed energy resources (DERs) enhances cyber-resiliency, providing improved fault tolerance and adaptive security mechanisms in modern smart grids [137].

While AI strengthens resilience, it also raises a number of ethical and operational challenges. The reliance on AI introduces concerns about algorithmic bias, lack of transparency, data poisoning [138], and over-reliance on automated systems [139].

To mitigate these risks, critical infrastructure operators must adopt a hybrid AI approach, combining machine intelligence with human oversight. Algorithm validation, and robust data governance are essential to ensure AI models remain effective against evolving cyber threats.

3.5. Conceptualizing Resilience: Frameworks, Indicators, and Assessment Methods

The state-of-the-art review identified five core dimensions of resilience: robustness, rapidity, redundancy, resourcefulness, and protectiveness [47,60,65,80,140,141,142]. These dimensions characterize a system’s ability to withstand, recover from, and adapt to disruptions.

Curt and Tacnet [60] further elaborate on resilience by introducing management phases (planning/preparation, absorption, recovery/adaptation), components (anticipation, monitoring/detection, control, feedback), and domains (technical, organizational, human, economic) as essential elements. Incorporating emerging concepts like resilience and sustainability into strategy-making is crucial for developing resilient critical infrastructure [143].

Curt and Tacnet [60] emphasize resilience by introducing key management phases (planning/preparation, absorption, recovery/adaptation) along with essential components, such as anticipation, monitoring/detection, control, and feedback, across various domains, including technical, organizational, human, and economic.

Figure 14 details the management phases introduced by Curt and Tacnet [60] to show the first dimension. It outlines the process from the initial disruption to when the system fully recovers its operational capacity and resilience. This phase involves developing a specific strategy to manage or prevent the critical event.

To assess critical infrastructure resilience, Guo et al. [144] proposed a framework encompassing technical, organizational, social, and economic dimensions. The technical dimension focuses on system performance under stress, including robustness, maintenance, safety, data management, redundancy, and recoverability. Organizational resilience involves adaptability, government preparedness, crisis regulation, first responder readiness, change readiness, and leadership. Social resilience centers on community response and awareness, while economic resilience pertains to financial resources for crisis management.

An overview of key factors related to the technical and organizational dimensions of resilience in critical infrastructure systems is presented in

Table 7. Indicators related to the technical dimension.

Indicator	Description
Robustness	The capacity of the system to withstand shock and critical events without compromising performance or functionality.
Maintenance	Includes preventive maintenance (preparing the system to withstand a disruptive event) and corrective maintenance (repairing damaged components after an event).
Safety Design and Construction	System design characteristics that ensure a high level of resilience.
Data Acquisition and Monitoring	Data acquisition systems collect data necessary for the functioning of critical parts. Monitoring equipment checks data values, triggering alarms if they deviate from the expected range.
Redundancy	Availability of alternative resources (backups, replicate systems, etc.) to replace damaged parts, allowing continued operations.
Recoverability	The ability to restore original functioning and performance, determined by financial, material, and human resources, as well as the recovery process characteristics.

, which outlines the technical dimensions, highlighting factors such as robustness, maintenance, safety design, data acquisition and monitoring, redundancy, and recoverability.

These indicators emphasize the physical and operational attributes that contribute to a system’s resilience during and after disruptive events.

Table 8. Indicators related to the organizational dimension.

Indicator	Description
Adaptability	The capacity of the critical infrastructure organization to dynamically adapt to undesirable circumstances and/or uncertain environments by undergoing necessary changes.
Government Preparation	A government’s preparedness to anticipate events that may lead to crises and its capacity to act swiftly when such events occur.
Crisis Regulation and Legislation	The level of maturity and compliance with laws and regulations, including the degree of crisis awareness and the recentness of these regulations.
First Responder Preparation	The level of preparation, training, commitment, and crisis awareness of first responders (e.g., firefighters, military, police, and emergency forces).
Change Readiness	The organization’s capacity to adapt to environmental changes and perturbations, including the ability to predict and identify risks, and develop alternative strategies accordingly.
Leadership and Culture	The organization’s ability to foster a resilient culture, promoting values like agility, flexibility, innovation, and a transparent commitment to resilience.

focuses on the organizational dimension, addressing adaptability, government preparation, crisis regulation and legislation, first responder preparation, change readiness, and leadership and culture. These indicators capture the strategic, regulatory, and cultural aspects that enable an organization to respond effectively to crises and ensure long-term resilience.

Together, these dimensions illustrate the multifaceted nature of resilience, emphasizing both the technical capabilities and organizational strategies essential for sustaining critical operations in adverse conditions.

3.6. Quantitative Resilience Assessment Frameworks for Cyber–Physical Systems

Traditional resilience assessment approaches rely on qualitative indicators or heuristic-based methods to evaluate the robustness of critical infrastructures. While these methods offer valuable insights, they often lack rigor, making it difficult to assess resilience across different infrastructures and threat scenarios. To address this limitation, quantitative methods such as probabilistic modeling and Bayesian networks have been widely proposed to evaluate resilience in cyber–physical systems. Probabilistic approaches play a crucial role in resilience assessment by modeling system behavior under uncertainty. Markov chains [145] track transitions between operational states—normal, degraded, failure, and recovery—allowing for the estimation of mean time to failure (MTTF) and mean time to recovery (MTTR). These metrics help anticipate disruptions and optimize mitigation strategies.

For more dynamic scenarios, Monte Carlo [146] simulations generate multiple failure and recovery pathways by introducing randomness into system parameters. By analyzing these variations, decision-makers can assess expected downtime and service availability, enabling proactive risk management.

In complex, interconnected infrastructures, Stochastic Petri Nets provide a refined approach by modeling concurrent system failures and dependencies. This method is particularly useful in networked environments, such as power grids and industrial control systems, where disruptions propagate through multiple layers. By integrating probabilistic transitions, these models help design redundancy strategies and failover mechanisms to enhance system resilience.

Together, these techniques offer a structured, quantitative framework for resilience planning, allowing critical infrastructure operators to move beyond qualitative assessments and adopt data-driven risk management.

By integrating these quantitative approaches with existing resilience indicators, cyber–physical system operators can move beyond qualitative assessments and adopt data-driven, predictive resilience frameworks that enhance decision-making in infrastructure protection. The use of probabilistic modeling and Bayesian inference contributes to a more structured and scalable approach to resilience analysis, in alignment with modern risk-based regulatory frameworks such as NIS2, CER, and ENTSOG network codes.

3.7. Legal Frameworks In-Depth Synthesis

Critical infrastructures are increasingly recognized as essential systems requiring robust governance to ensure their resilience against various threats, including cyber–physical and hybrid risks. Legal frameworks play a pivotal role in defining responsibilities, setting standards, and fostering coordination among stakeholders. This paragraph provides a systematic review of key literature focusing on policies, regulations, and governance models that address critical infrastructure resilience. By analyzing contributions from diverse domains, the paragraph highlights best practices, identifies gaps, and offers insights into enhancing the alignment of legal frameworks with resilience goals. Out of the research launched on Scopus according to the approach explained in the previous chapters, the documents in

Table 9. Publications considered by the review.

Title	Ref.	Year
Impact of Distributed Decision-Making on Energy and Social Systems’ Resilience: A Case Study of Solar Photovoltaic in Switzerland	[147]	2021
Strengthening Urban Resilience: Understanding the Interdependencies of Outer Space and Strategic Planning for Sustainable Smart Environments	[148]	2023
Vulnerability and resilience of power systems infrastructure to natural hazards and climate change	[149]	2021
Centralized security governance for air navigation services: Innovative strategies to confront emerging threats against Civil Aviation	[150]	2014
Objective Resilience: Objective Processes	[151]	2022
A review of critical infrastructure protection approaches: Improving security through responsiveness to the dynamic modelling landscape	[152]	2019
Contributions of green infrastructure to enhancing urban resilience	[153]	2018
Simulation Gaming Can Strengthen Experiential Education in Complex Infrastructure Systems	[154]	2018
Cybersecurity policy and the legislative context of the water and wastewater sector in South Africa	[155]	2021
The role of protocol layers and macro-cognitive functions in engineered system resilience	[156]	2019

have been considered for this review.

The above references have been extracted based on relevance and impact for the review in Section 3.5 Legal frameworks often emphasize governance structures to streamline responses to critical infrastructure risks. For instance, Di Maio [150] underscores centralized security governance for air navigation services, emphasizing the integration of IT, physical, and procedural security under a unified system. The study highlights compliance with international standards like the ICAO Annex 17 while adapting them to national contexts. Similarly, Lonergan and Sansavini [147] discuss distributed decision-making in energy systems, calling for policies that foster cross-sectoral coordination to address emerging challenges. The notion of resilience as a policy cornerstone has gained traction in recent years. Schweikert and Deinert [149] explore frameworks for energy infrastructure resilience, differentiating between asset hardening and functional resilience. Their work calls for legal provisions that account for interdependencies among infrastructure sectors. Additionally, Botezatu et al. [148] propose governance models addressing vertical integration, linking urban resilience with outer space infrastructure regulations. Sector-specific regulations often dictate the focus and scope of resilience efforts. Di Maio [150] offers insights into aviation security laws, emphasizing their role in ensuring safety while fostering operational continuity. In the water sector, studies like Malatji et al. [155] highlight cybersecurity governance frameworks tailored to protecting critical services. Such frameworks illustrate the necessity of context-specific legal adaptations, balancing technical advancements with regulatory oversight. Legal frameworks often face barriers, jurisdictional overlaps, and the rapid pace of technological change. Ettouney [151] discusses the complexities of adapting legal provisions to address both current risks and future uncertainties. These challenges are compounded by varying levels of institutional maturity, necessitating collaborative approaches to enhance policy effectiveness.

The

Table 10. Progression of legal frameworks.

Year	Reference	Title	Key contribution
2014	Di Maio [150]	Centralized security governance for air navigation	Integrated approach to security governance, focusing on compliance with international aviation standards.
2021	Schweikert and Deinert [149]	Energy infrastructure resilience policies	Differentiation between asset hardening and functional resilience to address interdependencies.
2021	Lonergan and Sansavini [147]	Distributed decision-making in energy systems	Policies promoting decentralized energy production and resilience in social and technical systems.
2022	Ettouney [151]	Objective resilience processes	Addressing legal and organizational complexities to adapt resilience strategies for future uncertainties.
2023	Botezatu et al. [148]	Urban and outer space resilience	Integration of urban resilience planning with critical space infrastructure governance.
2021	Malatji et al. [155]	Water sector cybersecurity governance	Development of sector-specific cybersecurity frameworks aligned with national policies.

highlights the progression of legal frameworks addressing critical infrastructure resilience, showcasing a shift from sector-specific governance to more integrated and systemic approaches.

Early contributions, such as Di Maio [150], emphasize centralized governance models tailored to specific industries, like air navigation, reflecting a focus on compliance and operational security. Over time, frameworks evolved to address broader challenges, including interdependencies and functional resilience, as seen in the works of Schweikert & Deinert [149] and Lonergan & Sansavini [147]. Recent studies, such as Botezatu et al. [148], demonstrate the increasing complexity of resilience governance, integrating urban and outer space infrastructure considerations. Meanwhile, sector-specific efforts, like those for water cybersecurity (Malatji et al. [155]), highlight the importance of aligning national policies with sectoral needs. Collectively, these contributions underline the dynamic nature of resilience governance, balancing specificity with adaptability to address emerging challenges and technological advancements.

The reviewed literature reveals significant variation in the scope and implementation of legal frameworks across regions and sectors. At the international level, European initiatives like the NIS Directive provide a harmonized approach to cybersecurity, fostering resilience across critical sectors. National adaptations, such as South Africa’s cybersecurity policies for water infrastructure (Malatji et al. [155]), showcase the importance of aligning global standards with local realities. Cross-sector analyses reveal commonalities in resilience governance, including the emphasis on public–private partnerships, risk assessment methodologies, and regulatory enforcement. A deeper examination of the evolution of legal frameworks suggests that progress has been mixed. While certain sectors have seen significant advancements—such as aviation security (Di Maio [150]) and energy resilience (Schweikert & Deinert [149]), others remain fragmented, with outdated or reactive policies struggling to keep pace with technological advancements. The integration of cybersecurity policies into critical infrastructure governance, as demonstrated in Malatji et al. [155], reflects a growing awareness of digital threats, even if enforcement and cross-border cooperation remain challenging. On the positive side, there is a clear trend toward resilience-oriented frameworks that recognize interdependencies across sectors. Studies such as Lonergan & Sansavini [147] highlight the increasing role of distributed decision-making and flexibility in energy infrastructure, reflecting a shift away from rigid, centralized models. Additionally, the integration of urban and outer space resilience (Botezatu et al. [148]) indicates a forward-thinking approach that acknowledges emerging risks. However, progress has not been uniform, and many legal frameworks still lack adaptability and proactive mechanisms. Some regulatory systems continue to focus on compliance rather than resilience, creating rigid structures that fail to address the dynamic and evolving nature of threats. The absence of a global resilience governance framework, as highlighted by Ettouney [151], also indicates insufficient international coordination in managing cross-border risks.

3.8. Current Consensus on Legal Frameworks

The analysis of legal frameworks for critical infrastructure resilience reveals both convergences and divergences in research and policy implementation. While a general consensus exists on the need for regulatory frameworks, gaps remain in terms of practical enforcement, alignment with technological advancements, and cross-sectoral integration. Across the reviewed literature, several key principles in legal frameworks appear widely accepted. Research increasingly emphasizes the shift from compliance-based frameworks to resilience-based governance, aligning with EU strategies such as the NIS2 Directive and the Critical Entities Resilience (CER) Directive. The need to integrate cybersecurity with physical security is well-established, as highlighted in studies on energy resilience [149] and water sector cybersecurity governance [155]. Modern threats—ranging from cyberattacks to climate-induced disruptions—necessitate adaptive legal frameworks rather than rigid, static regulations. These elements align with the EU’s regulatory trajectory, particularly the updated NIS2 Directive, which expands cybersecurity obligations beyond traditional sectors.

However, there are significant gaps between research findings and actual legal frameworks in practice. One of the main discrepancies lies in the integration of cyber–physical security. While research advocates for a unified approach, EU directives continue to treat them separately, with the NIS2 Directive addressing cybersecurity while the CER Directive focuses on physical resilience. This division does not reflect the interconnected nature of modern infrastructures, leaving vulnerabilities unaddressed and opening up to gray areas in their respective interpretation and boundaries.

Moreover, legal frameworks often struggle to keep pace with emerging threats. Research highlights the necessity of forward-looking regulatory models, particularly in domains such as AI-driven cybersecurity and smart grids [151]. Another challenge lies in the uneven implementation of EU directives across member states. The CER Directive, for instance, allows national governments considerable flexibility, resulting in disparities in how resilience measures are applied. This could be justified by the fact that the CER Directive constitutes a leap from the previous one from 2008 [19], and this flexibility in its implementation is given to allow them to reach the common goals by allowing them to adapt their national framework at their respective pace and according to their maturity.

Beyond these structural issues, legal frameworks have yet to fully address new and emerging domains such as AI-driven automation or smart city governance. While research has expanded to cover these areas, EU resilience directives remain largely centered on traditional infrastructure sectors, leaving a regulatory gap that could prove critical in the future.

Bridging these gaps requires several key policy shifts. The integration of cyber and physical security must be strengthened by moving toward a single, comprehensive legal framework. Additionally, regulatory processes need to become more agile, allowing faster adaptation to technological advancements. Cross-sector coordination should also be improved by mandating stronger information-sharing mechanisms, ensuring that resilience strategies are implemented consistently across different industries and jurisdictions. Finally, legal frameworks must evolve to encompass new critical infrastructure sectors, particularly those involving AI, smart grids, and space technology.

3.8.1. Case Studies and Practical Applications

Among the reviewed literature, some interesting and pertinent case studies can be extracted in the following areas:

• Air Navigation Systems

Di Maio [150] presents a case study on centralized security governance in air navigation services. The study demonstrates how integrated defense centers enhance resilience by leveraging real-time threat intelligence and compliance with international aviation security laws.

• Urban Resilience

Botezatu et al. [148] highlight the interplay between urban and outer space infrastructures, advocating for legal frameworks that address interdependencies. Their findings emphasize the role of strategic urban planning in mitigating risks from space debris and ensuring service continuity.

• Energy Resilience

Lonergan and Sansavini [147] explore policies fostering energy system flexibility, particularly in the context of renewable energy adoption. Their research underscores the need for legal instruments that incentivize decentralized energy production while safeguarding grid stability.

3.8.2. Emerging Trends and Future Directions

At the same time, the review has allowed the identification of the following future trends and directions:

• Integration with Cybersecurity

Legal frameworks are increasingly incorporating cybersecurity considerations, as highlighted in studies on water sector resilience (Malatji et al. [155]). This integration ensures comprehensive protection against hybrid threats, combining physical and digital safeguards.

• Technological Innovations

Emerging technologies, such as IoT and AI, present both opportunities and challenges for legal frameworks. Ettouney [151] emphasizes the need for adaptive regulations that accommodate these advancements without stifling innovation.

• Global Resilience Governance

Harmonized international standards, such as those proposed by Schweikert and Deinert [149], are critical for addressing transboundary risks. The development of such standards requires collaborative efforts among nations, industries, and academia.

3.9. Identified Gaps in Cyber–Physical Resilience Research

Despite significant advancements in cyber–physical resilience, several gaps remain unaddressed, limiting the ability of critical infrastructures to withstand and recover from evolving cyber–physical threats.

One of the major gaps is the lack of dynamic, real-time resilience assessment models that can adapt to continuously changing threat landscapes. Existing resilience frameworks often rely on static indicators that do not fully capture the dynamic nature of cyber–physical attacks and their cascading effects across interconnected systems.

Additionally, while artificial intelligence (AI) and machine learning (ML) have been increasingly integrated into cybersecurity, there is limited research on adversarial resilience, the ability of AI-based security mechanisms to resist adversarial attacks or evasion tactics by threat actors.

Another critical gap is the limited availability of large-scale resilience testing environments that replicate real-world cyber–physical scenarios. Most studies rely on simulated or small-scale experimental settings, which do not fully capture the complex interdependencies and cross-border nature of real critical infrastructure systems, such as power grids, transportation networks, and water distribution systems.

Finally, policy and regulatory fragmentation poses a major challenge. While the EU’s NIS-2 and CER Directives aim to improve critical infrastructure security, differences in national implementations and gaps in enforcement create inconsistencies in resilience measures across jurisdictions.

3.10. Future Research Directions in Cyber–Physical Resilience

Given the existing gaps, future research should focus on developing more adaptive, automated, and scalable resilience strategies that align with emerging cyber–physical threats.

1.

AI-Driven Resilience Models

Future research should explore AI-powered frameworks capable of predicting, detecting, and mitigating cyber–physical threats in real time. AI-based autonomous response systems could dynamically adjust cybersecurity postures based on evolving threats, reducing the reliance on static resilience indicators.

2.

Quantification of Cyber–Physical Resilience

A key research priority is the development of standardized resilience quantification metrics. Current approaches often rely on qualitative assessments, making it difficult to benchmark resilience levels across sectors. Research should focus on probabilistic models, Bayesian networks, and Monte Carlo simulations to create more data-driven resilience assessments.

3.

Cross-Sector Resilience Modeling

Research should expand resilience frameworks beyond sector-specific models, focusing on multi-sector dependencies and how disruptions in one sector impact others. Cyber–physical resilience models should integrate supply chain vulnerabilities and systemic risk assessments.

4.

Resilience Testing in Large-Scale Digital Twins

The creation of realistic cyber–physical testing environments, such as digital twins, will be essential for advancing resilience research. These virtual environments should replicate large-scale infrastructure interdependencies, enabling the stress-testing of resilience measures against simulated cyber–physical attacks.

5.

Human–Machine Collaboration in Resilience

Research should explore the optimal balance between automated and human decision-making in resilience management. The growing use of AI-based cyber defenses raises concerns about over-reliance on automation, making it critical to study human oversight models for cyber–physical security.

3.11. Future Policy Directions for Cyber–Physical Resilience

The evolving cyber–physical threat landscape necessitates policy interventions that enhance resilience governance at national and international levels. Future policy directions should focus on the following:

1.

Harmonization of Resilience Standards

A major policy challenge is the fragmentation of resilience regulations across different sectors and jurisdictions. Future policies should align resilience assessment frameworks globally, ensuring consistent cybersecurity and resilience standards across critical infrastructure sectors.

2.

Public–Private Collaboration on Resilience Frameworks

Governments should strengthen collaborative resilience frameworks by incentivizing private-sector investment in cyber–physical security. This includes tax incentives for resilience-enhancing technologies, joint cybersecurity drills, and mandatory reporting of cyber–physical incidents.

3.

Legislative Adaptation to Emerging Cyber–Physical Risks

Existing legal frameworks, including NIS-2 and CER Directives, must evolve to address new risks such as AI-powered cyber threats, quantum computing vulnerabilities, and advanced supply chain attacks. Future policies should introduce mandatory resilience audits and dynamic regulatory adjustments based on emerging threats.

4.

Cyber-Resilience Liability Frameworks

Future policies should establish liability frameworks for cyber–physical incidents, clarifying the responsibilities of critical infrastructure operators, software providers, and cloud service providers. Regulatory bodies should enforce compliance with resilience standards, imposing penalties for negligence in cybersecurity measures. A rigorous compliance assessment process is essential to reinforcing the resilience of critical infrastructure, ensuring that security measures align with evolving threats and regulatory requirements.

5.

Development of Cyber-Resilience Insurance Markets

As cyber–physical threats continue to evolve, cyber-resilience insurance will play a crucial role in mitigating financial risks for critical infrastructure operators. Policymakers should establish clear guidelines for cyber-insurance coverage, ensuring that resilience risk assessments are incorporated into insurance underwriting processes.

4. Conclusions and Potential Future Studies

In conclusion, this study synthesizes existing research on risk assessment methodologies, standards, and frameworks supporting resilience enhancement in cyber–physical–social systems (CPSSs). The analysis reveals key trends, including the role of IoT in risk management and the evolving integration of resilience attributes across both cyber and physical domains. Additionally, bibliometric insights highlight prominent themes and sectoral focuses, which underscore the areas receiving the most academic and industry attention.

Addressing the research questions, the article provides in-depth analysis across four core RQs. In response to RQ1, it offers a comprehensive synthesis of the evolution of resilience in cyber–physical systems, tracing the transition from traditional, static robustness paradigms to more dynamic, adaptive, and systemic resilience frameworks. For RQ2, the article reviews and categorizes the current state-of-the-art resilience indicators and assessment methodologies, underscoring the growing demand for standardized, real-time, and probabilistic models tailored to complex cyber–physical environments. Addressing RQ3, it maps the contemporary threat landscape by identifying significant and emerging cyber–physical risks, including AI-driven attacks, supply chain vulnerabilities, and cascading failures across interconnected infrastructures. Finally, in response to RQ4, the article evaluates the influence of current European policy instruments—specifically the NIS-2 and CER Directives—on the resilience of critical infrastructure, highlighting ongoing challenges related to regulatory fragmentation, enforcement gaps, and the need for cohesive governance frameworks.

By examining governance models, resilience-oriented policies, and sector-specific regulations, the paper underscores the need for adaptable and forward-looking legal instruments. While significant progress has been made, challenges such as jurisdictional conflicts and technological disruptions persist. Addressing these requires a concerted effort to bridge policy gaps, enhance stakeholder collaboration, and align legal frameworks with the evolving risk landscape. Future research should focus on creating dynamic legal structures that balance resilience with innovation, ensuring critical infrastructures’ continued safety and functionality.

Despite these advances, our review identifies notable gaps, particularly the limited exploration of the social and human-centered dimension in resilience assessment. In the social dimension, the critical functionality of the system is highlighted, i.e., how a failure within the system translates to a more extensive social system’s failure with tangible effects on public safety, health, and economic stability. Therefore, the most promising future study would be investigating the cyber–physical–social resilience (CPSRS) of complex systems, particularly critical infrastructures.