## **1. Introduction**

Water is becoming scarcer. According to the United Nations World Water Development Report published in 2018 [1], nearly half the world's population, around 3.6 billion people, face water scarcity for at least one month per year, and it is expected that over 5 billion people will suffer some water shortage by 2050. The World Bank estimates that around 45 million cubic meters of water are lost each day in developing countries, costing over US\$3 billion per year [2]. This loss is mainly due to inefficient infrastructure, ageing infrastructure that leaks, and non-revenue water due to lack of billing or inaccuracies in costing such as metering issues [2]. It affects both developed and developing countries. In England and Wales, 2954 million litres of water are leaked each day from distribution networks and supply pipes [3].

Climate change, water pollution, increasing urbanisation and population growth, ageing and inefficient infrastructure, and compliance with tighter regulation and water quality standards are some of the challenges faced by the water sector in seeking to maintain its services. To resolve these challenges, water and wastewater providers are moving towards smart water systems [4–6] that are reliable, efficient and that support real-time decision-making. This is particularly true in the UK, where the UK government has established strategic priorities for the period from 2020 to 2025 aimed at securing long-term resilience in the water industry; these are supported by major investments by water companies and providers [7,8].

Water systems are a type of cyber–physical system (CPS) that integrate computational and physical capabilities to control and monitor physical processes. In the past, water system security was achieved largely through isolation, limiting access to control components. However, with the emergence of IoT, water systems, as with other critical infrastructure services, are increasingly using a smart systems philosophy. This promotes the incorporation of IoT and analytics into industrial control systems (ICS) to improve the sensing and control capacity and ensure better integration with business processes. Collectively, this is known as the Industrial Internet of Things (IIoT), often labelled Industry 4.0, in which IoT is applied to industrial applications. It relies on connecting multiple layers of cyber–physical systems to facilitate autonomous decentralised decision-making and to improve the use of real-time data and predictive analytics to promote reliability, efficiency and productivity. With these technological advances, water systems that collect, treat, transport and distribute water to customers are undergoing a similar transformation, becoming highly connected and facing new technological challenges in the drive to provide safe water reliably.

ICS deployment often follows a hierarchical architectural approach that is sometimes characterised using the Purdue reference model [9], as shown in Figure 1. This spans multiple layers, encompassing the variety of equipment and communication protocols and the range of goals and complexity that are likely to be found in these environments [9].

Level 5, the enterprise network, is the level at which business decisions are made, and in which the regular corporate systems (enterprise desktops and servers) operate. At Level 4, the site business planning and logistics applications and systems are found. At Level 3, the operations network, operations management systems such as domain controllers, data collection servers (historians) and application servers are found. Level 2, supervisory control, consists of devices that monitor and control the process at the lower levels. Typically, these consist of supervisory interfaces for the operators, engineering workstations, and distributed control servers that monitor and control various parts of production. At Level 1, controllers monitor and control a set of devices autonomously and/or based on decisions that come from the supervisory system. They receive inputs from instrumentation equipment (e.g., field devices) such as sensors, and send output signals to other devices (actuators). Level 0 is where the actual process takes place, containing the sensors and actuators connected via a fieldbus network.

**Figure 1.** Purdue reference model with SWAN layers.

According to the Smart Water Networks Forum (SWAN) [10], a global non-profit hub consisting of international water companies, academics, regulators, and other water experts, smart water networks are the "entire system of data technologies connected to or serving the water distribution network [and] it is informative to separate its components into layers." These layers [10] are similar to those found in the Purdue reference model, as indicated in Figure 1:


The adoption of network communication, the increasing use of commercial-off-the-shelf (COTS) components and the deployment of wireless systems in the Purdue and SWAN architecture layers bring new security challenges, as they have the potential to expose water systems to a wide variety of adversaries. The number of reported attacks targeting cyber–physical systems that are critical for national infrastructure services has been on the increase and, as the evidence from successful attacks such as Stuxnet [11], DuQu [12], BlackEnergy [13] and Havex [14] shows, such attacks can have catastrophic consequences. The criticality of water to human life and the ecosystem means that water systems are an obvious target for political, military and terrorist actors [15,16].

Table 1 reports some of the incidents against water infrastructure services that have been made public. These indicate the potential for successful attacks to exploit a wide variety of vulnerabilities and so cause both direct disruption of services and damage to control equipment and communication networks that, in turn, may affect essential services. The broader impacts of such attacks lie in the health of both the public and the ecosystem, as well as in financial and reputational losses for the companies affected. Hassanzadeh et al. [17] report a review of 15 water incidents, including some of the attacks summarised in Table 1. A widely referenced source for cyber-security incidents in the water sector is the work carried out by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the United States. This tells us that, in 2015, the US Department of Homeland Security (DHS) recorded 25 cyber-security incidents from the water sector [18].


**Table 1.** Past attacks on water systems.

Cyber-attacks against infrastructure services are often not made public and attribution of these incidents can be a complex and uncertain process, requiring well-developed skills and capabilities [30] to identify the actors. Nevertheless, publicly reported incidents show that the sources of cyber-attacks against water systems appear to include a wide variety of actors. These include hacktivists who perform cyber-attacks often based on a political ideology; disgruntled former employees seeking revenge; cybercriminal networks motivated by monetary gain; and hacker hobbyists who attack for fun, curiosity, or the desire for recognition [31]. Other potential adversaries include nation-state-sponsored attacks for political gain and industrial espionage; rival organisations or companies seeking business advantage; terrorist groups attacking national security; and insiders motivated by problems at work, political or monetary gain, fear/coercion or just for the thrill or fun.

The current history of incidents suggests that the design and performance of advanced targeted attacks against operational processes (OP) require actors with more than just IT skills [32]. Until recently, most of the cyber-attacks against cyber–physical processes were carried out by insiders, with most of the remainder conducted by nation states. In other words, most attacks have been conducted by those with the knowledge, skills and resources needed to cause a real physical impact. More recently, however, there has been an increasing incidence of cyber-criminals targeting industrial processes, with the aim of installing ransomware [33].

In this paper, we present a systematic literature review and evaluate the current state of cyber-security of cyber–physical systems within the water sector, focusing on process control layers, as the corporate IT layers are primarily affected by security problems covered by traditional information security. Our aim is to identify what is being done, by whom, where, how and what aspects of cyber-security are being covered.

The remainder of this paper is structured as follows. Section 2 provides a brief overview of cyber–physical system security. Section 3 describes the research questions and methodology used for carrying out the systematic review. Key research findings are reported and discussed in Section 4. Section 5 highlights the limitations of existing studies and discusses some directions for future research. Finally, Section 6 concludes the paper.

## **2. Cyber–Physical Systems**

The term "cyber–physical system" (CPS) was first coined by Helen Gill at the National Science Foundation (NSF) in 2006 to describe "physical, biological and engineered systems whose operations are integrated, monitored, and/or controlled by a computational core" [34]. Since then, CPS have attracted significant research effort, including initiatives in Industry 4.0, the Internet of Things and the Industrial Internet of Things. As computer scientist Edward A. Lee points out [35], terms such as the Internet of Things (IoT), Industry 4.0, the Industrial Internet (II), Machine to Machine (M2M), the Industrial Internet of Things (IIoT) and other similar terms have been strongly connected with CPS, and sometimes used interchangeably and sometimes for specific sectors (e.g., Industry 4.0 for manufacturing). However, these terms cover "implementation approaches (e.g., the "Internet" in IoT) or particular applications (e.g., Industry 4.0)" [35]. CPS are found in a broad range of sectors including health care and medicine, materials, manufacturing, automotive, aerospace, utilities, chemical, civil infrastructure and transportation [34]. Despite the differences in interpretation, many industry sectors share common technologies and, by extension, share similar concerns relating to their security. A common concern for all these sectors in adopting new enabling technologies for CPS is to ensure security in the face of cyber-attacks.
