Cybersecurity in Cyber–Physical Power Systems

Abstract: The current energy transition combined with the modernization of power systems has provided meaningful transformations in the transmission, distribution, operation, planning, monitoring, and control of power systems. These advancements are heavily dependent on the employment of new computing and communications technologies, which, combined with traditional physical systems, lead to the emergence of cyber–physical systems (CPSs). In this sense, besides the traditional challenges of keeping a reliable, affordable, and safe power grid, one must now deal with the new vulnerabilities to cyberattacks that emerge with the advancement of CPSs. Aware of this perspective and the severity of the ongoing challenges faced by the industry due to cyberattacks, this paper aims to provide a comprehensive survey of the literature on cybersecurity in cyber–physical power systems. For this, clear definitions, historical timelines, and classifications of the main types of cyberattacks, including the concepts, architectures, and basic components that make up, as well as the vulnerabilities in managing, controlling, and protecting, a CPS are presented. Furthermore, this paper presents defense strategies and future trends for cybersecurity. To conduct this study, a careful search was made in relevant academic and industrial databases, leading to a detailed reporting of key works focused on mitigating cyberattacks and ensuring the cybersecurity of modern CPSs. Finally, the paper presents some standards and regulations that technical and international institutions on cybersecurity in smart grids have created.


Introduction
The Industrial Revolution, which took place in the middle of the 18th century, changed the daily life of the population and made possible the production of large amounts of energy, products, and goods through the invention of the steam engine and the use of fossil fuels, which were the great driving force of this era. This historical period transitioned from small-scale handmade manufacturing to mass manufacturing with machines [1–3]. Due to society's changing habits and the parallel overuse of these fuels that were rich in coal, hydrocarbons, and later petroleum derivatives, the planet's temperature has gradually changed, as presented in countless measurements and studies carried out over time [4–7]. The global average temperature is a simple parameter used to measure the climatic changes that the planet goes through over time. Global warming is a phenomenon that directly influences this parameter. As the burning of fossil fuels develops, it promotes the increase of CO₂ concentration in the atmosphere and therefore increases the greenhouse effect and global warming [7,8]. The unregulated growth in the global average temperature entails numerous impacts on the planet. Reference [9] addresses a review of the literature about the impacts that climate change generates due to the increase in the planet's average temperature. In addition, this study addresses the effects that climate change brings to planet Earth, human life, and the environment. The increasing occurrence of emergency

• A robust review of the literature that is capable of guiding decision-making on a possible operational scenario in which the cyber-physical power system suffers cyberattacks, indicating a possible solution to this problem.
• A theoretical framework capable of assisting in the planning and developing of cybersecurity systems for cyber-physical systems.
• A tool to prevent and mitigate these types of attacks.
• A review of the layers, basic components, and key vulnerabilities of the devices that comprise the control and management system for cyber-physical systems.
• A robust history and the main types of cyberattacks against industrial systems, as well as the main standards and regulations developed for cybersecurity in microgrids.
The structure of the paper is organized as follows. Section 2 presents key concepts, historical timelines, and definitions of different types of cyberattacks. Section 3 discusses preliminary concepts and the basic layers, components, and the vulnerabilities in managing and controlling a CPS. Section 4 presents applications of cybersecurity in the monitoring and control system and in protection systems in power systems. Furthermore, it presents defense strategies and future trends for cybersecurity. Finally, Section 5 presents some standards and protocols created by scientific institutions on cybersecurity in smart grids. Section 6 makes the final considerations, giving this work's general contributions and suggestions for future works. Figure 1 provides the framework of the paper.

Background
Cyberattacks are virtual actions that aim to infiltrate individuals' or organizations' computer networks, typically seeking to cause harm or disrupt service. These attacks can have different focuses, from compromising data integrity to stealing confidential information [28]. Therefore, developing adequate protection layers for a CPS is necessary to ensure the security and reliable operation of power and energy systems. Still, during recent years, the power industry has been subjected to an increasing number of cyberattack attempts. Beginning in the 1980s, about 800 cyberattacks have been observed in the energy sector [29].

History of Cyberattacks
In recent years, several cyberattacks have hit the control system of the electric power sector around the world [30]. In June 2007, a power outage lasting approximately 46 min in the Tempe area of Arizona affected about 100,000 customers, leading to a loss of 400 MW of load. The outage was caused by the accidental activation of the load reduction program [29,31,32]. Similarly, in February 2008, a system disturbance in South Florida caused by a transmission system failure led to a loss of 2300 MW of load [29,31,32]. These two reported incidents were not considered intentional and malicious attacks; however, they show the cyber vulnerabilities in the power system. In this context, the work in [32] presents a detailed survey and analysis to understand the motivation of the main cyberattacks that occurred between 2001 and 2013. In addition, this survey informs the attack targets and describes the techniques used by the attackers [32]. The identified main targets of cyberattacks were those directed at countries with national security risks; the country's strategic infrastructure, industries, and companies; global espionage; and the encouragement of hacker activity [32]. A historical analysis of the major cyber incidents that have occurred worldwide, with the first event dating back to 1903, is available in [33].
From these lists, it is possible to infer how these attacks occurred, identify possible vulnerabilities, and observe an increasing number of attacks in recent years and the greater complexity and refinement in cyber invasions. In 2010, the control facilities of the nuclear power plant in Iran were attacked by a computer worm called Stuxnet [33–35]. This malware is dangerous because it self-replicates, spreads throughout the system, and exploits unpatched vulnerabilities in the operating system of process computers [33]. Stuxnet is considered one of the main cyberattacks described in the literature, as it has caused changes in countries' cybersecurity strategies and policies [33,35]. A recent example of the devastating effects of cyberattacks occurred in December 2015 in Ukraine, where 225,000 consumers lost their energy supply for a few hours due to a forced blackout [32,34,36–38]. This event became known as the worst power system blackout caused by a cyberattack ever recorded in the literature [32,34,36,37].
During the coronavirus disease (COVID-19) pandemic, the healthcare sector, universities, research centers, hospitals, and laboratories suffered a coordinated set of cyberattacks on their information and communication systems. These attacks aimed to extract unauthorized information from the development of vaccines and drugs that combat COVID-19. In March 2020, a university hospital in the Czech Republic suffered a cyberattack that disrupted its Internet network and caused delays and postponements of surgeries and emergency care [39]. Nine other cyberattacks and breaches in the healthcare sector during the COVID-19 pandemic are presented in more detail in [39]. Table 1 presents a historical perspective of critical cyberattacks on industrial control systems and the power and energy sector.
In addition to cyberattacks, the power grid is also subject to cyber-terrorism actions focusing on spreading fear to the population under service [40,41]. In this new form of terrorism, Pakistan stands out with the largest number of attacks (439), followed by Yemen (170), Colombia (161), and Iraq (146). Figure 2 shows the number of terrorist attacks that the electricity sector of selected countries experienced between 2010 and 2014 [40,41].

Table 1. Cyberattacks in industrial control systems and the power and energy sector [33,34,38,42–45].

| Location | Type | Description |
|---|---|---|
| USSR | Code manipulation | Pipeline destruction in Siberia due to manipulation of control software code causes valves to malfunction [38]. |
| Bellingham, USA | Code manipulation | Code manipulation that led to a slowdown of a pipeline SCADA system [38]. |
| Queensland, Australia | Attack | Cyberattack on Maroochy Water Services. This wireless attack remotely controlled 150 pumping stations and released millions of gallons of untreated sewage [33]. |
| Ohio, USA | Malware | The Ohio nuclear power plant suffers the injection of a malware (Slammer Worm) into its control system [34,38]. |
| Idaho National Laboratory, USA | Attack | A hacker injected false data and controlled a generator breaker. This cyberattack became known as the Aurora Attack [34,38]. |
| Turkey | Attack | Explosion of oil and barrels in Turkish pipelines caused by false data injection attacks that manipulated the control system [34,38]. |
| | Malware | Night Dragon malware: This cyberattack was targeted at large companies in the energy and oil sector [33]. |
| Global | Malware | Duqu/Flame/Gauss malware: This malware was discovered by Hungarian researchers in 2011 and aims to steal information from the control system of companies and their suppliers [33]. |
| Global | Campaign (series of attacks) | In 2012, a set of cyberattacks targeting the oil and natural gas industry was discovered. This series of attacks is called the Gas Pipeline Cyber Invasion Campaign [33]. |
| Saudi Arabia and Qatar | Malware | Power generation and supply has been affected due to this malware attack on the computer system of large energy companies in the Middle East. This attack is known as Shamoon Malware [33,34,38]. |
| USA and Russia | Attack | In 2013, the attackers carried out a cyberattack on a company that provides maintenance services on a store's air-conditioning, heating, and ventilation system. From this attack, the hacker was able to extract financial data from the target stores. This cyber event became known as Target Stores Attacks [33]. |
| USA and Iran | Attack | The Bowman Dam that controls the water level after abnormal storms was accessed by Iranian invaders through a cyberattack, according to the US. This cyber event became known as the New York Dam Attack [33]. |
| USA and Russia | Malware | The Havex malware is a trojan horse that has the ability to remotely access and collect unauthorized information from industrial control systems [33]. |
| Germany | Attack | A steel mill in Germany suffered a cyberattack based on spear-phishing and social engineering. The attackers gained access to the industrial control system and caused several failures in the control, operation, and triggering of equipment [33]. |
| Global | Malware | BlackEnergy malware is a cyberattack that aims to extract information from the various Human-Machine Interface providers [33]. |
| USA, Turkey, Switzerland, and Russia | Campaign (series of attacks) | The energy sector in the USA, Turkey, and Switzerland suffered a campaign of cyberattacks aimed at spying and accessing confidential information from the control process. This cyber incident became known as Dragonfly/Energetic Bear Campaign No. 1 [33]. |
| Ukraine | Attack | In 2015, the blackout in Ukraine was caused by the injection of false data into the power grid. This cyber event affected thousands of users for a few hours and was considered the first successful attack on a country's power system [33,34,38,42]. |
| Syria and USA | Attack | A water treatment company suffered a cyberattack on its control system that modified the dosage of chemicals used in its processing. This cyberattack became known as the Kemuri Water Company Attack [33]. |
| Saudi Arabia and other Middle Eastern countries | Malware | After four years, the Shamoon malware was used again for a cyberattack on the computer system of the civil aviation sector in Saudi Arabia and other Middle Eastern countries. This attack aimed to erase data from the system [33]. |
| | | The Ukrainian power grid once again suffered a cyberattack that led to power outages. This time, this attack was more robust, and a denial-of-service attack hit the telephone system. The new malware used in this attack is known as Crashoverride [33,42]. |
| USA and Ukraine | Malware | CRASHOVERRIDE is malware responsible for generating power interruptions in countries' power systems. The cyberattack in Ukraine in 2019 used this mechanism [33]. |
| Iran, USA, Saudi Arabia, and South Korea | Group (set of malwares) | APT33 is a set of malwares that aims to spy on the aviation, energy, and petrochemical industries. In addition, this cyberattack has the destructive ability to erase process data and share confidential information with attackers [33]. |
| Ukraine, Russia, USA, UK, and Australia | Attack | NotPetya is malware that was initially used against Ukraine and has the ability to target a nation's critical infrastructure. It is a destructive cyberattack of Russian origin [33]. |
| USA | Campaign (series of attacks) | Dragonfly/Energetic Bear No. 2 is a set of cyberattacks that target a country's strategic infrastructure sectors, such as the electric and nuclear power grids and the water supply [33]. |
| Middle Eastern countries | Malware | TRITON/Trisis/HatMan consists of new malware that has the ability to access and modify confidential information and execute algorithms that destabilize the industrial security system [33]. |
| USA | Attack | A cyberattack interfered with power grid operations in the US on 5 March 2019. The type of attack used was denial of service. This was the first cyberattack in the wind and solar energy sector [34]. |
| India | Malware | The Kudankulam nuclear power plant in India suffered a cyberattack in 2019 [34]. |
| Venezuela | Attack | In 2019, the power grid in Venezuela was attacked, causing a power outage for more than five days in several states, including the capital [42,43]. |
| Portugal | Ransomware (malware) | The giant Portuguese energy company, Energies of Portugal, was attacked in 2020 by Ragnar Locker. The attackers reportedly stole 10 TB of confidential data [43]. |
| Brazil | Attack | On 16 June 2020, a Brazilian power generation and distribution company, Light S.A., was attacked by a Sodinokibi malware and had its operation temporarily halted [43]. |
| Venezuela | Attack | In 2020, the power grid in Venezuela was attacked, causing a power outage in several states, except the capital [44]. |
| USA | Ransomware (malware) | A set of hackers used the ransomware attack and broke into Colonial Pipeline's network and digital systems, leading to an outage of the pipeline for several days [45]. |

Classification of Cyberattacks
Smart microgrids are a major target of cyberattacks that can be typically clustered into three distinct types of attack classification [31,46–51]: (i) Availability; (ii) Integrity; (iii) Confidentiality. This section seeks to provide a general overview and description of the main types of cyberattacks currently identified in the literature (Figure 3). The reader interested in a detailed analysis for each cyberattack is kindly referred to the reference works cited in each subsection.

Availability
Real-time data of power grids must be readily available for access and consultation with system operators and automated control systems. Ensuring this data security is necessary because catastrophic consequences such as brownouts and blackouts can occur based on its tampering and/or lack of availability. In this sense, cyberattacks focused on data availability happen when malicious information is sent, causing network or server congestion. Consequently, an interruption or delay of data communications occurs. This event is called a data availability attack [31,46–51]. The next sections describe the main attacks against data availability.

A. DoS/DDoS
Denial-of-service (DoS) attacks aim to overload the network and block system communication to interrupt the user's request for service. One way to carry out these attacks is to intentionally send many messages on the control channel to congest the network and obstruct communication. The attacker can carry out the attacks directly by using one's personal computer or indirectly through bots (the hacked system that is under the control of the attacker), or both [50]. Furthermore, these attacks are dangerous and cause considerable losses [50,52–54].
A variant of DoS attacks is denoted as a distributed denial-of-service (DDoS) attack. A DDoS consists of a distributed attack coordinated by an attacker who acts as the "Attacker-in-Chief" or several bots that attack the target and make the network resources unavailable to the user [50,52–57]. The DDoS attack is considered one of the most destructive network attacks [56]. The attacker follows four steps to begin the attack [57]:
• It studies the system information to find possible vulnerabilities in the network and then sends an attack;

• The attacker creates bots that install malicious programs on the invaded computers so that they can be controlled. The hacked computers are called zombies;
• The attacker encourages the invaded computers to send various attack messages to target the victim;
• The attacker extracts the information of interest and erases the data from memory.
The main consequences of DoS/DDoS attacks are as follows [50,56]:
• Blocking authorized users' access to system resources.
The following describes some types of DoS/DDoS attacks.

A1. ICMP
The Internet Control Message Protocol (ICMP) is the protocol responsible for reporting errors to clients while delivering Internet Protocol (IP) packets. This protocol acts at the network layer of the TCP/IP (transmission control protocol) model. The attacker generates and sends numerous ICMP requests, congests the information traffic, and exploits the bandwidth of the victim's system [50,54,58]. There are two ways for an ICMP attack to occur: the "ping of death attack" and the "smurf attack" [50].

A2. HTTP
The Hypertext Transfer Protocol (HTTP) is the protocol responsible for transferring hyperlinks and is the basis of data communication on the web. This protocol acts at the application layer of the TCP/IP model. The target of these attacks receives numerous GET and POST messages in order to overload, congest, interrupt, and confuse the traffic of truthful information and the communication of web applications that use the HTTP protocol [50,59]. In contrast to the ICMP attack, the HTTP attack does not exploit system bandwidth significantly, since a high number of requests is not required [50,59].

A3. TCP SYN
The TCP SYN attack consumes system memory and makes the user's access to services unavailable. Furthermore, it uses an imperfection in the TCP protocol to perform the invasion. The communication process takes place in a "three-way handshake" format. There are three steps in this process. In the first step, the user sends the "synchronization" (SYN) request to the network server. Then, to authorize the communication, the server sends an acknowledgment (ACK) and returns the SYN request to the user. In the last step, in theory, the client should send an ACK message to confirm and acknowledge the communication. However, this message does not reach the server. In this last step, the attacker is sending numerous fake SYN messages, and by not providing the ACK, it generates a communication failure and network overload [50,54,60].
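The handshake bookkeeping described above can be turned into a detector. The following added example (not from the paper) replays a constructed segment log and flags servers whose half-open backlog grows while few handshakes complete; the `Segment` record, the addresses, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_A = "10.0.0.10:502"   # constructed address, normal traffic only
SERVER_B = "10.0.0.20:502"   # constructed address, receives the flood


@dataclass(frozen=True)
class Segment:
    ts: float    # capture time in seconds
    src: str     # sender "ip:port"
    dst: str     # receiver "ip:port"
    flags: str   # "SYN", "SYN-ACK", "ACK" or "RST"


def handshake_stats(segments, timeout=3.0):
    """Replay segments in time order and track half-open handshakes per server."""
    pending = {}  # (client, server) -> time the SYN was seen
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "peak_half_open": 0})
    for seg in sorted(segments, key=lambda s: s.ts):
        # A server gives up on a half-open entry once its timeout passes.
        for key in [k for k, t0 in pending.items() if seg.ts - t0 > timeout]:
            del pending[key]
        key = (seg.src, seg.dst)
        if seg.flags == "SYN":                      # step 1 of the handshake
            stats[seg.dst]["syn"] += 1
            pending[key] = seg.ts
        elif seg.flags == "ACK" and key in pending:  # step 3: handshake done
            del pending[key]
            stats[seg.dst]["completed"] += 1
        elif seg.flags == "RST":
            pending.pop(key, None)
        # Record how many entries each server is holding right now.
        open_now = defaultdict(int)
        for _, server in pending:
            open_now[server] += 1
        for server, n in open_now.items():
            s = stats[server]
            s["peak_half_open"] = max(s["peak_half_open"], n)
    return {server: dict(s) for server, s in stats.items()}


def flag_syn_flood(stats, max_half_open=8, min_completion=0.5):
    """Servers with a large half-open backlog and a low completion ratio."""
    suspects = []
    for server, s in stats.items():
        ratio = s["completed"] / s["syn"] if s["syn"] else 1.0
        if s["peak_half_open"] >= max_half_open and ratio < min_completion:
            suspects.append(server)
    return sorted(suspects)


def build_sample():
    """Constructed log: 3 normal handshakes to A, 20 unanswered SYNs to B."""
    segs = []
    for i in range(3):
        client, t = f"10.0.1.{i + 1}:4000{i}", i * 1.0
        segs += [Segment(t, client, SERVER_A, "SYN"),
                 Segment(t + 0.05, SERVER_A, client, "SYN-ACK"),
                 Segment(t + 0.1, client, SERVER_A, "ACK")]
    for i in range(20):
        client, t = f"198.51.100.{i + 1}:{50000 + i}", 0.5 + i * 0.05
        segs += [Segment(t, client, SERVER_B, "SYN"),
                 Segment(t + 0.01, SERVER_B, client, "SYN-ACK")]  # never ACKed
    # A legitimate client reaches B later, after the stale entries expired.
    segs += [Segment(10.0, "10.0.1.9:41000", SERVER_B, "SYN"),
             Segment(10.05, SERVER_B, "10.0.1.9:41000", "SYN-ACK"),
             Segment(10.1, "10.0.1.9:41000", SERVER_B, "ACK")]
    return segs


if __name__ == "__main__":
    result = handshake_stats(build_sample())
    for server, s in sorted(result.items()):
        print(server, s)
    print("suspected SYN flood targets:", flag_syn_flood(result))
```

The peak half-open count models the memory the server holds for unfinished handshakes, which is the resource the paragraph says the attack consumes.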

A4. UDP
The user datagram protocol (UDP) is a protocol that acts at the transport layer of the TCP/IP model. In addition, it has the characteristic of being a connectionless protocol. In this type of attack, the attacker creates and sends many packets with fake addresses to increase network traffic. In this way, it floods the system bandwidth. The server cannot check and respond to requests correctly and starts to crash. This attack implies the unavailability of system services for authorized users. The attacker may have a specific target or a totally random port [50,54,57,61,62].

Integrity
For adequate functioning and control of power grids, it is necessary that the data present accuracy, coherence, and veracity. Attacks happen when some command signal or the periodic measurements are altered, damaging the integrity of the data [31,46–48,50,51]. False Data Injection (FDI) is an example of an attack focused on affecting data integrity [48,49]. In the following, key attack strategies focused on compromising data integrity are presented.

A. Cross-Site Scripting
Cross-Site Scripting (XSS) attack is an important type of code injection attack (CIA) and one of the most common. This attack exploits the system's security weaknesses by executing an invalid code. The attacker creates the malicious code and propagates it through the web browser. When the victim accesses the infected site, the attacker can access the system's sensitive information [50,63–65]. Thus, the integrity of the victim's data is in danger since the system has been hacked. The XSS attack can happen persistently, non-persistently, or through a "document object model" (DOM) [65].

B. Data Diddling
Data Diddling Attacks consist of an attack that modifies the information in the database without authorization, which is illegal. In addition, the attack can change the status of files from permanent to temporary or from private to public, among other inappropriate changes that damage the integrity of the information [50,66].

C. Salami
Salami Attacks consist of performing small attacks on the network data system to extract an adequate amount of sensitive information without being noticed by the security system. These attacks provide a larger attack and, consequently, larger damage to the company [50,66].

D. Session Hijacking
A Session Hijacking attack is the misuse of a part of the network, causing the attacker to become a participant with access to the information on that part of the system. The attacker can send false information packets to other users as if the attacker were one of the network administrators. The hijacker seeks to find and exploit the weaknesses and unencrypted protocols of the network [50,67].

E. SQL Injection
The SQL Injection Attack, like the XSS attack, is an important type of code injection attack and one of the most common. The attacker seeks to use weaknesses in SQL statements to access database information. This attack happens when the hacker uses an improper SQL command that provides access to a website's database. With this improper entry, the attacker can access all the victim's information in this database and delete, modify, download, or do any other improper activity [50,63,68]. Tautologies, Arbitrary String Patterns, Group Concatenate String, Stored Procedures, and Alternate Encoding are some types of SQL injection attacks [63].
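The tautology case named above, as an added example that is not from the paper: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, column and function names are hypothetical.

```python
import sqlite3

# Constructed input of the tautology kind: it closes the string literal and
# appends a condition that is always true.
TAUTOLOGY = "x' OR '1'='1"


def make_db():
    """In-memory database with constructed customer meter readings."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE meter_readings (customer TEXT, kwh REAL)")
    db.executemany(
        "INSERT INTO meter_readings VALUES (?, ?)",
        [("alice", 312.5), ("bob", 208.0), ("carol", 455.1)],
    )
    return db


def readings_vulnerable(db, customer):
    """Weak form: the input becomes part of the SQL text itself."""
    query = (
        "SELECT customer, kwh FROM meter_readings "
        "WHERE customer = '" + customer + "'"
    )
    return db.execute(query).fetchall()


def readings_parameterized(db, customer):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    query = "SELECT customer, kwh FROM meter_readings WHERE customer = ?"
    return db.execute(query, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input :", readings_vulnerable(db, "bob"))
    print("concatenated, tautology    :", readings_vulnerable(db, TAUTOLOGY))
    print("parameterized, tautology   :", readings_parameterized(db, TAUTOLOGY))
```

With the concatenated query the WHERE clause becomes `customer = 'x' OR '1'='1'` and every row is returned; with the bound parameter the whole string is compared as a customer name and nothing matches.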

F. Replay
A replay attack (RA) is a form of cyberattack that aims to compromise the integrity of the information of the system components. This attack aims to monitor and record a real sequence of sensor measurements and, during the invasion, replace the real measurements with these previously recorded values. These recorded data are replayed and repeated uninterruptedly until the end of the attack. Therefore, the replay attack takes place in two stages, the monitoring stage and the replaying stage. This fraudulent replay attack does not require deep system knowledge and usually targets and affects the operation of the sensors, actuators, controllers, and estimators of the cyber-physical system [36,69].
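One common defence against the two-stage attack described above is to authenticate every measurement together with a strictly increasing counter, so that a recorded frame is no longer fresh when it is sent again. The following added example (not from the paper) shows such a receiver; the frame layout, the pre-shared key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"        # assumption: key shared by sensor and receiver
BODY_FMT = ">HQd"                    # sensor id, sequence counter, measured value
BODY_LEN = struct.calcsize(BODY_FMT)  # 18 bytes
TAG_LEN = hashlib.sha256().digest_size


def seal(key, sensor_id, seq, value):
    """Sensor side: pack the measurement and append an HMAC-SHA256 tag."""
    body = struct.pack(BODY_FMT, sensor_id, seq, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class MeasurementReceiver:
    """Controller side: accept a frame only if it is authentic and fresh."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # sensor id -> highest counter accepted so far

    def accept(self, frame):
        """Return (value, "ok") or (None, reason)."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"     # altered frame or wrong key
        sensor_id, seq, value = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq.get(sensor_id, -1):
            return None, "replayed"    # authentic, but already seen
        self.last_seq[sensor_id] = seq
        return value, "ok"


def run_scenario():
    """Constructed run: live traffic, then the recorded frames sent again."""
    rx = MeasurementReceiver(KEY)
    live = [seal(KEY, 7, seq, 59.9 + 0.01 * seq) for seq in range(1, 9)]
    recorded = live[:5]                                 # monitoring stage
    outcomes = [rx.accept(frame)[1] for frame in live]
    outcomes += [rx.accept(frame)[1] for frame in recorded]  # replaying stage
    # A recorded frame whose counter was rewritten without the key.
    altered = struct.pack(BODY_FMT, 7, 100, 60.0) + recorded[0][BODY_LEN:]
    outcomes.append(rx.accept(altered)[1])
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The counter state has to survive receiver restarts; otherwise old frames become acceptable again after a reboot.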

Confidentiality
Sensitive system information should only be accessed by authorized individuals to ensure data confidentiality. Thus, when unauthorized individuals access the system planning, the control, operating strategies, and user information are no longer secure. Therefore, it is subject to espionage and misuse by third parties. Thus, attacks on data confidentiality can affect the functioning of the system and also cause financial and physical/technical impacts [31,46–48,50,51].

A. Eavesdropping
The process of secretly listening in on the network to unauthorized conversations is called eavesdropping. The eavesdropper has access to privileged and confidential information among network users. In this way, the eavesdropper can read, insert false information into the network, and delete or do any illicit activity with the system data [50,70]. Therefore, with this attack, the confidentiality of communication is damaged.

B. Keylogger
Keylogger consists of a malicious software program that is installed on the system without the knowledge and authorization of the client. It is intended to monitor and capture the user's activities intentionally. Subsequently, attackers have access to this confidential data and can steal from, harm, or exploit the victims [50,71–73]. Keyloggers can be implemented using hardware or, more usually, software, wireless, and acoustic [72,73]. A credit card machine that records and then makes the password available to others is an example of a keylogger [71]. Therefore, this type of attack compromises the secrecy of information.

C. Password Attacks
The simplest and cheapest way to initially protect the information systems of a user, a company, or the government is through authentication using passwords [74]. However, this method presents some vulnerabilities because the user can create a password considered weak, reuse the same password on several sites, access unreliable sites, type passwords on unreliable computers, and other actions that compromise the confidentiality of passwords and, consequently, facilitate the action of hackers [74,75]. There are numerous ways for the attacker to discover the user's password. In this context, we can highlight the following [50]:
• Attack based on the combination of all characters contained in the dictionary;
• Attack using hacking software that tries numerous possible password combinations;
• Guessing attack, the attacker uses the victim's personal data to discover the password.
The discovery of the password by a third party can lead to leaks and theft of sensitive information, economic losses, invasion of privacy, and other catastrophic consequences for the user.
Changing passwords periodically is a simple way to defend password integrity [76]. Generally, passwords created by the user him/herself and which are memorable are easier to crack by attackers. Thus, some tips for creating a strong and unique password using mnemonic passwords are given below [75,77]:
• Sentence substitution: Choose a sentence and substitute each word or digit with other characters;
• Keyboard change: Choose a basic password and then add characters according to the random movement chosen by the user. You must save this movement;
• Use the formula: Put the password in the format of an equation or function with numbers and characters;
• Special character insertion: Replace conventional characters in the basic password with special characters.

D. Snooping
Snooping is a passive cyberattack in which the attacker seeks to obtain sensitive information from users [50,78]. Snooping can happen in a direct way, where the attacker, unnoticed, watches the victim enter a password or any other confidential information, thereby making a physical attack. Snooping can also be performed online, where the hacker monitors the target via the Internet in order to obtain network data, company confidential information, and passwords from the victim. In addition, this attack can happen by hacking into security cameras, switches, and routers on the network, thus making it a digital attack [50].

E. Social Engineering
Social Engineering consists of a cyberattack that aims to target the individual rather than the network structure of the system [79]. This attack uses persuasion techniques to trick and manipulate victims until they reveal confidential information that benefits the attacker [50,79,80].
Nowadays, due to the use of social networks, individuals share personal information for free, and this fact helps criminals to profile each person and then perform a Social Engineering attack [79]. In this way, phone calls, email exchanges, social networks, and conventional websites are all used as objects for attacks [79,81].

F. Traffic Analysis
The Traffic Analysis attack is a cyberattack where the attacker performs a previous analysis of the communication traffic between the sender and receiver. It aims to extract confidential information to learn about the network's vulnerabilities. Subsequently, it carries out the planning for the execution of the theft. This attack has a passive characteristic and hurts the confidentiality and privacy of the users' information [50,52].

Cyber-Physical System
Technological advances in industries drive the emergence of cyber-physical systems [82,83]. Figure 4 illustrates the CPS in a block diagram. This type of system integrates the physical aspects of a process and digital technology [84,85]. In addition, using computational concepts, the CPS can act on and expand the components on the shop floor, being an important factor in technology development [84]. The CPS plays a leading role in the development of the industrial Internet of Things (IIoT) and Industry 4.0 [86]. This evolution in the industry provides better access to the information provided by sensors and, consequently, leads to the continuous generation of a large volume of data, the so-called big data [87]. In this way, the CPS provides precise and real-time operation [82,86,88]. Currently, the CPS is an object of study in the literature, since it impacts the economy, environment, and people's daily lives. In this context, the work developed in [89] presents a review of the literature on CPS applications in 10 research fields: agriculture, education, energy management, environmental monitoring, medical devices and systems, process control, security, smart city and smart home, smart manufacturing, and transportation systems.

The following sections display the architecture layers and basic components of a CPS.

Cyber-Physical System Layers
The architecture of a CPS is typically divided into three main layers: the perception layer, the transport layer, and the application layer. Figure 5 illustrates the architecture of a CPS from the layers' point of view. In the following, the characteristics of each layer are presented and discussed.



Perception Layer
The first layer of the CPS architecture is called the perception layer. This layer holds all the equipment that interprets the physical phenomena and transforms them into electrical signals and, subsequently, into information. Equipment in this first layer includes aggregators, actuators, sensors, transducers, Global Positioning System (GPS) devices, cameras, "Radio-Frequency Identification" (RFID) tags, lasers, and any other intelligent equipment of the so-called "factory floor" [86,90]. This layer aims to collect real-time process information to perform planning, monitoring, and control of the physical system. Due to these factors, in the literature, this layer is also known as the "sensing layer" and "recognition layer" [56,90].

Transport Layer
The second layer of the CPS architecture is called the transport layer. This is the intermediate layer between the perception layer and the application layer, and it is therefore responsible for the communication of data between the layers. This seamless communication is accomplished through wired or Wi-Fi Internet networks, Bluetooth technology, Infrared (IR), 4G and 5G, Zigbee, and Internet protocols, among other technologies that aid communication. In addition, this layer is responsible for routing and transporting data through routers, switches, hubs, gateways, and clouds. In the literature, the intermediate layer is also known as the transmission layer or network layer [56,90].

Application Layer
The last and most interactive layer of the CPS architecture is called the application layer. The role of this layer is to receive information from the transport layer, analyze it, and send appropriate command signals to the devices located in the perception layer to act on the physical process. The application layer uses intelligent decision-making algorithms to analyze the information received and, consequently, make the most appropriate control decision for the proper functioning of the physical system [91]. In addition, system monitoring is performed in this layer, seeking to map the behavior of the physical system to assist in the decision-making process. Furthermore, the application layer can save previous decisions in order to obtain operational improvements and future feedback [86,90].

Cyber-Physical System Components
The components that make up a CPS are divided into three groups: (i) physical components; (ii) detection components; and (iii) control and communication components.

Physical Components
The physical components of a CPS are sets of equipment that enable the operation of the physical process. The major components of a Cyber-Physical Power System (CPPS) are the power generators, transformers, switchgear, transmission lines, circuit breakers, motors, cylinders, and numerous other loads that describe the power system [92].

Detection Components
The sensing components are devices that are physically connected to the physical system and are responsible for observing and extracting information from the process. This group comprises three types: sensors, aggregators, and actuators.

• Sensors
These devices are in the perception layer and are connected directly to the physical system components. The sensors are responsible for interpreting the physical phenomenon and transforming it into a signal that can be interpreted. In addition, they collect the information from the physical system and send it, through the aggregators, to the transport layer [86,93].

• Aggregators
These are devices that are mostly located in the transport layer and are responsible for processing the data received from the sensors. They work as a "bridge" that transports the data obtained by the sensors from the perception layer to the transport layer. Online data aggregators are found in routers, switches, gateways, and other devices performing this transport function [86,93].

• Actuators
These are devices located in the application layer. Actuators receive a message indicating their operation based on data processing and decision-making from the aggregators. In addition, they are responsible for modifying system parameters so that the process operates properly. Actuators receive messages in the form of electrical signals and hydraulic or pneumatic energy and generate physical actions as responses [86,93]. Motors, valves, and cylinders are examples of actuators.

Control and Communication Components
The control and communication components of a CPS are devices responsible for monitoring and managing the physical system. In addition, they seek to control the process to achieve satisfactory performance, reliability, and security. Therefore, control devices are fundamental for the robustness of the system. In this perspective, Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), and Remote Terminal Units (RTUs) are the elements that stand out for control, while Supervisory Control and Data Acquisition (SCADA) and the Phasor Measurement Unit (PMU) perform the data acquisition in a CPS. The following sections describe these components in detail.

• Programmable Logic Controllers (PLCs)
PLCs are digital computers that, through user programming, can automate and control modern industrial processes. Initially, these devices were developed to replace industrial relay panels and emulate the behavior of electrical diagrams. Besides that, this device offers easy fault diagnosis, good flexibility, resistance to vibrations, immunity to electrical noise, support for algorithms and loops, easy programming, low cost, robustness, and good reliability, among other important aspects [86,94]. The basic building blocks that make up the PLC hardware are a rack, a power supply, a programming unit, input and output (I/O) modules, and the central processing unit (CPU) [95]. Thus, the PLC is used for various industrial control and automation applications, from simple to more complex systems [95].

• Distributed Control Systems (DCSs)
Centralized control for large and complex systems may present a different efficiency, reliability, controllability, flexibility, and robustness as communication failures [96]. From this perspective, physical system processes are divided into subsystems and locally controlled through industrial computers, thus allowing the distribution of control and greater flexibility in operator action [86,96]. In addition, monitoring can be performed through supervisory systems that provide online and remote control. In this way, DCSs have reduced implementation costs while increasing the reliability and robustness of the system [86].

• Remote Terminal Units (RTUs)
RTUs are electronic devices that extract the signal samples, investigate, and identify possible failures and then restore the data in a distribution system [97]. In comparison with the PLC, the RTU does not perform well in algorithms and control loops, and it also presents low immunity to vibrations and noise [86]. Its main application is in geographical telemetry systems, where it is used to extract information from the system, send/receive messages, and perform control actions in a SCADA system [98], while presenting some processing capacity due to its microprocessor unit [86]. In addition, some RTUs can also control numerous systems that are connected to the control room [99].

• Supervisory Control and Data Acquisition (SCADA)
These systems use software to collect, measure, monitor, process, and control the data and equipment in a CPS [100]. The SCADA system extracts and processes the data generated by the PLCs and RTUs [101]. The typical SCADA system architecture features a "Human-Machine Interface" (HMI), hardware, software, RTU, central supervisor, database, measurement devices, and process actuation [100,102]. These systems' communication networks can be based on Internet protocols, providing benefits in monitoring, planning, management, and control of the CPS. However, this can also bring harm, such as a higher number of cyberattacks on the vulnerabilities of the SCADA system [103].

• Phasor Measurement Unit (PMU)
PMU technology is used in power systems to measure a "quantity" called a phasor. The phasor is a graphical representation of the magnitude and phase angle of an alternating current electrical quantity at a specific time. In this way, it aims to improve the precision of the visualization of electrical quantities at all points of the network and, therefore, facilitate the diagnosis of possible failures in the system [104,105]. Using GPS for the time-stamping of samples, PMUs can measure the frequency and the rate of change of the frequency of electrical signals. For this reason, they are also known as synchrophasors [106]. Systems with PMUs have a higher update rate and accuracy of around 1 µs compared to SCADA systems [107,108]. From this perspective, using data acquisition with PMU technology provides real-time measurement, analysis, and control of system dynamics that cannot be achieved using a traditional SCADA system.

Cyber-Physical System Vulnerabilities
The current integration between people and machines controlled remotely in real time over Internet networks, together with data processing and new computer and information technologies, provides benefits regarding the efficiency and performance of the control system in industries and in the automation of processes. On the other hand, this system introduces new problems concerning the cybersecurity of information on physical devices, communication, monitoring, operation, and control of the cyber-physical system.
From this perspective, the cyber-physical system presents new weaknesses in its operation that are known as cyber, physical, and cyber-physical vulnerabilities. The cyber vulnerability relates to the network system, communications, smart devices, remote access, and unintentional failure of employees and vendors [109]. The physical vulnerability is related to physical attacks on the devices that make up the infrastructure of the cyber-physical system, such as the sensors, transducers, actuators, motors, cylinders, pumps, valves, transmission line cables, and distribution and transmission transformer towers, among other physical devices that make up an industrial system [109]. Finally, there is the cyber-physical vulnerability, which represents a new type of vulnerability concerned with the weaknesses and damage presented by the junction of cyber and physical devices and components of the critical infrastructure of an industrial cyber-physical system [109].
Modern industrial monitoring, control, and management are performed by SCADA systems or other industrial control systems that use a set of systems with PLCs as a primary element [110,111]. PLCs, through their inputs, are responsible for receiving and processing the data received from sensors and transducers connected to the industrial process, and through their programmed logic and output signals, they determine how the actuators, motors, frequency inverters, relays, transformers, and other final control elements will work in the industrial process [110]. From this perspective, the integration of PLCs with new Internet technologies makes them a target of cyberattacks on their communication network, such as Stuxnet [111], Triton, and BlackEnergy [112]; consequently, such devices present a cybersecurity vulnerability and are part of the critical infrastructure of the industrial control system of a CPS.
PLCs are connected to and integrated into the Internet of Things; therefore, they are vulnerable to malicious threats in their control logic. This type of attack is called control logic injection, and it aims to cause failures and disruptions in the processes controlled by PLCs. In this perspective, the author of [112] presents recent work on control logic injection attacks and points out the recommendations and current challenges in the security and protection of information in PLC-controlled systems. Besides the control logic injection attack, there is the denial-of-service attack, wherein a large number of malicious packets are sent that exploit the possible security vulnerabilities of a PLC system [113]. Thus, the author of [113] discusses a methodology capable of detecting anomalies based on monitoring the behavior of the CPU of a PLC in a water tank control system.
Cybersecurity in management and control systems with PLCs is important to maintain the availability, integrity, and confidentiality of process data and ensure proper and resilient operation of the industrial system. Thus, the author of [114] presents a study that points out the challenges in information security and discusses the security of communication protocols in Industry 4.0 systems that use PLCs and SCADA. The author of [111] takes a different approach from the conventional one, considering the communication network between engineering stations and PLCs as the object of study and analysis of cybersecurity.

Cybersecurity Applications and Methodology
We followed a methodological approach based on the strategy proposed in the Introduction, and this section presents the state of the art of cybersecurity applications based on multiple scholarly and industrial database resources, including but not limited to Science Direct, IEEE Xplore, Google Scholar, and MDPI databases, among others. The literature search on cybersecurity applications is divided into three main categories: cybersecurity on monitoring systems, cybersecurity in control systems, and cybersecurity in protection systems, as shown in Figure 6. Thus, the subsections below are meant to provide the available references of each topic of interest.

Cybersecurity on Monitoring Systems
The cybersecurity of the monitoring system of a CPS is extremely important because it concerns the security of the information collected by sensors and measurement instruments. Therefore, for this process to achieve satisfactory results, the monitoring system must provide information security and reliability. In this category, 10 key works were selected and are shown in Table 2.
For monitoring industrial systems, industrial cyber-physical systems (ICPSs) are used, consisting of a link between the software and hardware parts of the system. Reference [115] developed a methodology called Multilayer Run-Time Security Monitor (ML-RSM), which is capable of identifying divergences caused by communications and attacks on the application layer, as well as preventing the spread to other control layers. The robustness of this approach is tested in a water distribution monitoring system [115]. To monitor and secure ICPSs, the author of [116] developed a robust tool capable of identifying possible cyberattacks through hierarchically distributed intrusion detection. Furthermore, through the adaptive Kalman filter, the monitoring and detection of possible anomalies in the CPS are performed [116].
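The Kalman-filter-based anomaly detection mentioned above can be illustrated with an added example (not code from this survey or from [116]): a fixed-parameter scalar filter, used here instead of the adaptive filter of [116], flags any sensor sample whose normalized innovation exceeds a gate and, when gated, refuses to absorb it. The 60 Hz frequency trace, the noise bound, the injected offset, and all names are constructed assumptions.

```python
import random

NOMINAL_HZ = 60.0   # assumed nominal value of the monitored quantity
NIS_GATE = 9.0      # alarm when innovation^2 / S exceeds this (3 sigma, scalar case)


def constructed_measurements(n=200, attack_start=120, bias=0.10, seed=7):
    """Constructed sensor trace: nominal value plus noise bounded by +/-0.01 Hz.
    From attack_start onward a constant false offset is added to every sample."""
    rng = random.Random(seed)
    trace = []
    for k in range(n):
        z = NOMINAL_HZ + rng.uniform(-0.01, 0.01)
        if k >= attack_start:
            z += bias
        trace.append(z)
    return trace


class ScalarKalman:
    """Random-walk model: x[k] = x[k-1] + w (variance q), z[k] = x[k] + v (variance r)."""

    def __init__(self, x0, p0=1e-4, q=1e-6, r=1e-4):
        # r = 0.01**2 is a conservative variance for noise bounded by 0.01
        self.x, self.p, self.q, self.r = x0, p0, q, r

    def step(self, z, gate=None):
        """Process one measurement; return (nis, absorbed)."""
        p_pred = self.p + self.q      # predicted estimate variance
        s = p_pred + self.r           # innovation variance
        nu = z - self.x               # innovation: measurement minus prediction
        nis = nu * nu / s             # normalized innovation squared
        if gate is not None and nis > gate:
            self.p = p_pred           # reject the sample, keep the prediction
            return nis, False
        k = p_pred / s                # Kalman gain
        self.x += k * nu
        self.p = (1.0 - k) * p_pred
        return nis, True


def run_detector(trace, gated=True):
    """Return alarm indices and the final state estimate.
    gated=False still raises alarms but lets flagged samples update the state."""
    kf = ScalarKalman(NOMINAL_HZ)
    alarms = []
    for i, z in enumerate(trace):
        nis, _ = kf.step(z, gate=NIS_GATE if gated else None)
        if nis > NIS_GATE:
            alarms.append(i)
    return {"alarms": alarms, "estimate": kf.x}


if __name__ == "__main__":
    trace = constructed_measurements()
    for label, gated in (("gated", True), ("ungated", False)):
        result = run_detector(trace, gated=gated)
        print(label, "alarms:", len(result["alarms"]),
              "first:", result["alarms"][0],
              "final estimate: %.4f" % result["estimate"])
```

Without the gate the estimate converges to the falsified value and the alarm clears by itself, so the gate is what keeps both the state estimate and the alert trustworthy. A gate that rejects indefinitely also rejects a genuine step change in the process, so in practice it is paired with a persistence rule that escalates to an operator.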
To identify the interdependence of physical and cyber failures, Reference [117] proposes an Anomaly Detection System (ADS). In this system, sensors collect data in the physical space, and cyber sensors collect and analyze the network information in real time. The methodology was tested on the IEEE-33 bus model, and three types of unsupervised machine-learning algorithms were used for validation: one-class support vector machines (OCSVMs), Local Outlier Factor (LOF), and autoencoders (AEs) [117]. The critical infrastructures of the CPS are targets of cyberattacks, and in this context, the author of [118] proposes an anomaly detection methodology using machine-learning algorithms that relate physical and cyber-physical aspects to enhance the security of a power plant.
Resilience is an important characteristic for achieving reliability and security in a cyber-physical system. Thus, the author of [119] developed a technique to continuously measure and monitor it. This technique detects elements that undermine resilience and addresses probabilistic concepts, graph analysis, game theory, attack information, and CPS vulnerabilities [119]. The Cyber-Physical Security Assessment Metric (CP-SAM) has been tested and validated on a real microgrid (MG) model.

| Methodology | Attack or problem | Objective | Application | Validation | Reference |
|---|---|---|---|---|---|
| | | | Cyber-power system | The test was performed using a real microgrid model. | [119] |
| | | Accurately monitor data and protect the PLC against cyberattacks. In addition, a system is proposed to ensure the operation of the Reactor Protection System. | Isolated networks of nuclear power plants | The proposed approach is tested through an experiment that injects dummy data into PLCs. | [122] |
| AI algorithms | Real-time detection of anomalies in electrical appliances. | Data acquisition, fault identification, management, and real-time monitoring of energy data based on AI algorithms. | Industrial Internet of Things | Hardware design, server, and database creation in open source and computer simulation. | [123] |
| Adaptive method and multicriteria optimization | Cyberattacks and network traffic anomaly detection. | Creating an adaptive system to manage and monitor information security. | CPS | Experimental study of intelligent home intrusion detection. | [124] |
The monitoring of security risks in the power system is important to investigate the failures and identify the vulnerabilities of the CPS. In this context, Reference [120] proposes an architecture analysis to identify irregularities and a learning algorithm based on time series to predict abnormal network situations in the power system [120]. For estimating the cybersecurity of the power system, Reference [121] used the fuzzy hesitant methodology of the Analytic Hierarchy Process (AHP) and the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS). Furthermore, to verify the quality of the proposed methodology, the author tested six different projects [121].
The isolated networks of nuclear power plants (NPPs), e.g., PLC networks, are not immune to cyberattacks. Thus, the authors of [122] developed blockchain technology responsible for monitoring data accuracy and protecting the PLC from cyberattacks. Furthermore, a system is proposed to ensure the operation of the Reactor Protection System (RPS).
In the industrial sector, the use of Industrial Internet of Things technology has seen continuous growth, encompassing artificial intelligence (AI), computing, and cybersecurity. In this scenario, Reference [123] proposes an approach for data acquisition, fault identification, management, and real-time monitoring of energy data based on AI algorithms.
Information security in the monitoring layer of the CPS is important to maintain data integrity. In this sense, Reference [124] proposes an adaptive method that analyzes and solves a multicriteria optimization problem where the available inputs are mutable, seeking to ensure data integrity.
Table 2 analyzes and details all the works discussed above and the research on cyberattacks on monitoring systems.
Thus, the works discussed in this section present real-time defense strategies for protection against cyberattacks and for the detection of physical, cyber, and cyber-physical anomalies. The strategies are based on adaptive methods, Fuzzy Logic, AI and machine-learning algorithms, blockchain technology, prediction algorithms, and the Kalman filter. Therefore, these are important techniques found in the literature that seek to improve the reliability, resilience, and cybersecurity of the devices that compose the monitoring system of a CPS.

Cybersecurity on Control Systems
The cybersecurity of the Centralized or Distributed Control System of a CPS must be effective against cyberattacks, from the simplest to the most complex form of systems. This is because the control system is responsible for correcting the process variables to achieve satisfactory operating parameters. Thus, for a process to achieve satisfactory results, the control system must be based on secure and reliable information. The current power system is characterized by distributed generation and by devices interfaced with power electronics, generators, motors, and transformers connected in a grid. Thus, the cybersecurity of frequency and voltage control in these devices is a concern to ensure the transient and steady-state stability of the system. In this category, 10 key works were selected and are shown in Table 3.

| Methodology | Attack or problem | Objective | Application | Validation | Reference |
|---|---|---|---|---|---|
| Model Predictive Control | Cyberattacks of denial of service and fake data injection types | Develop a frequency control approach tolerant to cyberattacks. | Frequency control of power systems. | The controller was tested on an IEEE benchmark system. | [125] |
| Adaptive control based on real-time CI (computational intelligence). | Cyberattacks on the power system. | It presents a real-time testing methodology for analyzing and controlling power system stability and cybersecurity. | Power system | The test methodology was designed based on OPAL-RT and the SEL351S protection system. | [126] |
| Robust controller based on Port Controlled Hamiltonian with dissipation (PCHD) | False data injection attacks | A defense approach based on the energy conversion perspective. | Control system for a permanent-magnet synchronous motor. | The proposed approach is tested on an industrial CPS that controls a synchronous machine. | [127] |
| Long Short-Term Memory (LSTM) with Temporal Convolutional Neural Network (TCN) | False data injection attacks | A multivariate approach capable of accurately detecting the injection of false data into the CPS in real time. | Smart grid control system | The performance of the designed framework is verified using an IEEE system and trained with Tensorflow libraries using Keras. | [128] |
| Sliding mode controller (SMC) methodology based on Adaptive Dynamic Programming (ADP) | False data injection attacks | A decentralized control approach to large-scale system security was developed to mitigate the effects of unknown injection attacks. | Decentralized optimal control problem | The test was performed on a two-machine energy system subjected to 3 separate attacks. | [129] |
| Designs a finite time interval sliding mode controller for Markovian hopping systems | Random injection attacks | A control approach that supports probabilistic injection of false data. | Markovian jump cyber-physical systems | The test was performed with a single-link robot arm model. | [ |
| Observer-based controller | DoS attacks | Proposes a control algorithm approach that is not vulnerable to DoS attacks. | A class of two-timescale cyber-physical systems | The effectiveness of the proposed approach was tested in two ways: comparison simulation and the inverted pendulum system controlled by a DC motor. | [131] |
| H∞ controller | DoS attacks | Performs a design study of the H∞ controller to mitigate the effects of the DoS attack. | ICPSs | To demonstrate the effectiveness of the proposed approach, numerical simulations are performed. | [132] |
| | | | ICPSs | For testing and validation of the proposed approach, simulations are performed for the quadruple-tank process. | [133] |
| Offense-defense game model | Malware attacks | Presents an online technique based on the offense-defense game model capable of identifying these malware attacks. | Electrical vehicles | Numerical and dynamic simulation in GAMS and MATLAB software. | [134] |

The power system is considered a critical infrastructure in the control system of a CPS due to the automation of generation, transmission, and distribution operations. In this context, frequency control is a target of these cyberattacks, and Reference [125] sought to tackle this problem by proposing distributed frequency controls based on Model Predictive Control (MPC) to improve the dynamic response of the system and mitigate eventual failures. This controller was tested on an IEEE benchmark system, and through device speed measurement and indirect estimation of the reference value, the controller is able to withstand cyberattacks of the denial-of-service and fake data injection types.
To analyze power system stability control and cybersecurity, Reference [126] presents a real-time test bench for CPS. In this simulator, the user can simulate fault situations and analyze the impacts generated. In addition, it presents an adaptive control for a multi-machine power system.
False data injection attacks aim to compromise the satisfactory operation and control system of a CPS by inserting false information into the measurements of sensors and control signals. To mitigate this type of attack, Reference [127] proposes a controller designed from the perspective of power conversion that changes its parameters dynamically as the system suffers cyberattacks. By adjusting the amount of damping insertion, the controller stabilizes and ensures the dynamic operation of the system [127].
Real-time and accurate identification of the location of the attack is important to ensure the smooth operation of the system. Thus, the authors of [128] developed a multivariate methodology capable of accurately detecting false data injection into the CPS in real-time. The proposal consists of a parallel framework that relates Long Short-Term Memory (LSTM) with Temporal Convolutional Neural Network (TCN) [128].
For large systems, Reference [129] presents a decentralized control approach that uses the sliding mode controller (SMC) methodology based on Adaptive Dynamic Programming (ADP) to mitigate the effects of unknown injection attacks. This control strategy was tested by three distinct attacks for a system with two machines [129]. Furthermore, the insertion of false data into the control signal can happen randomly to cause uncertainty and disturbances in the process. Given this vulnerability, the authors of [130] designed a finite time interval sliding mode controller for Markovian hopping systems that supports probabilistic fake data injection.
The application of network technologies in communication and control makes the CPS vulnerable to DoS attacks. Therefore, to combat this type of two-timescale attack, Reference [131] proposes a control algorithm approach using the observer concept for a category of two-timescale CPSs (TTSCPSs) [131]. For an ICPS with a Hybrid Trigger Mechanism (HTM) subjected to DoS attack, the authors of [132] performed an H∞ controller design study to mitigate the effects of this attack.
There are attacks that target manipulating the process plant conditions to harm the integrity of the system. In this perspective, Reference [133] created a control structure with disorderly signal encoding and decoding devices that can identify stealthy attacks on the CPS. Therefore, it maintains the nominal operating performance without attacks on the system and provides a robust and resilient CPS to attacks.
EVs are also a target for cyberattacks because of their interconnected network of wireless sensors. Reference [134] presents a methodology based on the offense-defense game model capable of identifying these malware attacks and, consequently, preventing them from reaching EVs.
In Table 3, all the discussions mentioned above and research on cyberattacks on control systems are analyzed and detailed.
Thus, the works discussed in this section present defense strategies for protection against cyberattacks such as false data injection, denial of service, random injection, malware, and eavesdropping on control systems. The defense strategies are based on the development of observer and H∞ based controllers; robust, adaptive, predictive, nonlinear control techniques; game theory; and dynamic programming. Therefore, these are important methodologies found in the literature that seek to improve reliability, resilience, and cybersecurity in the control system of industries, electric transportation, smart grids, and the power system in general.

Cybersecurity in Protection Systems
The modern power system has increasingly used situation awareness, electronics, and computer technologies in its operation, planning, control, and protection. Consequently, while meaningfully improving multiple processes, it has also become particularly fragile to cyberattacks. Among these vulnerabilities, it is worth noting that attacks on fault relays and other safety devices that compose the protection system in power systems are critical events that can cause blackouts and other major disruptions to the operation of the system. Thus, due to the possibility of network-connected operation, operation in the islanded mode, or new connections of islanded networks, the protection system becomes one of the main points of interest to ensure cybersecurity in MG. In this category, 10 key works were selected and are shown in Table 4.

 |  |  | LCDRs | The developed methodology is validated using the IEEE-39 bus model and the OPAL simulator. | [135]
A state observer with unknown input | Injection of false data into LCDRs | Detect injection of false data and distinguish it from internal LCDRs operational failures. | LCDRs | The developed methodology is validated using the IEEE-39 bus model. | [136]
The developed method consists of passive oscillator circuits | Injection of false data into LCDRs | Presents a study on the impacts of attacks on time synchronization and false data in microgrids and acts to solve the problem from the physical perspective. | LCDRs | The proposed method is analyzed in simulation and validated through numerical analysis. | [137]
Model-based on intelligent learning with Multilayer Perceptron | Injection of false data into LCDRs | The detection of cyberattacks against LCDRs is performed using a learning-based framework. | LCDRs | The developed methodology is confirmed using the IEEE-39 bus model. | [138]
Energies 2023, 16, 4556
 |  | Ability to detect the best defense plan and mitigate the damage to the protection relays. | Power distribution system | The developed methodology is tested on the IEEE 123-node test feeder. | [140]
Multi-Agent Distributed Deep Learning | Injection of false data to the relays | This technique can detect the injection of false data to the relays before it simulates a false fault. | The protection system of a power grid. | The proposed cyberattack detection method is tested on the electrical networks: IEEE 6-bus, IEEE 14-bus, and IEEE 118-bus. | [141]
Adaptive technique | Injection of false data to the relays | This methodology has the objective of mitigating false attacks on the protection relays and avoiding power interruptions in the grid. | Protection relays | A real-time digital simulator was used to validate the proposed approach. | [142]
Rule-based algorithm and the principle of relay coordination | Malicious attacks on the protection relays | It presents a defense strategy against malicious attacks and unwanted modifications to the protection relays. | Protection relays | The proposed technique is tested and validated on a framework with relays and a real-time digital simulator for cyber-physical systems. | [143]
 | Cyberattacks and protection system anomalies | Intelligent algorithm with the ability to monitor and detect in real time the anomalies of the protection system caused by malicious attacks. | Transmission protection systems | The proposal is validated on the IEEE test system with relays. | [144]

Line current differential relays can detect faults accurately and quickly and have been increasingly used in power system protection. Thus, with the integration of technology with the cyber-physical system, the study of the vulnerabilities of relays to cyberattacks has aroused interest. Thus, Reference [135] investigated the impacts and proposes a methodology based on the differential between measured and calculated voltages for detecting the injection of false data into line current differential relays (LCDRs). The developed methodology was validated using the IEEE-39 bus model and the OPAL simulator. For this problem, the author of [136] proposes a technique based on a state observer with unknown input that can detect the injection of false data and distinguish it from internal operational faults. To make systems using LCDRs more resilient, Reference [137] presents a study on the impacts of attacks on time synchronization and false data in microgrids. The technique proposed in [137] solves the problem from the physical perspective, using a passive oscillator circuit that, under failure, generates as a response a specific damped frequency. In contrast, Reference [138], to solve the problem presented in [137], used artificial intelligence concepts. Thus, the author proposes a model based on intelligent learning with Multilayer Perceptron (MLP) topology [138]. Moreover, for systems that use LCDRs as protection, the author of [139] proposes an anomaly-based framework that employs the Isolation Forest algorithm to detect cyberattacks and differentiate them from false attacks. This methodology was developed using the IEEE-9 bus model.
The power distribution system also presents vulnerabilities to cyberattacks. Therefore, it is important to improve cybersecurity in these systems. In this perspective, Reference [140] presents a methodology based on game theory that is capable of detecting the best defense plan and mitigating the damage caused to the protection relays in the system.
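The distinction drawn above between false data injected into an LCDR and a real internal fault can be illustrated with a small phasor model. The following Python example is added here and is not code from the paper or from References [135]-[139]; the two-source line, its per-unit values, the relay settings, and the local-change supervision rule are all assumptions chosen for illustration.

```python
import cmath
import math
from dataclasses import dataclass

# Constructed per-unit test system (assumed values, not taken from the paper):
# source S - Z_SRC_S - [relay S] == protected line Z_LINE == [relay R] - Z_SRC_R - source R
Z_LINE = complex(0.02, 0.20)
Z_SRC_S = complex(0.0, 0.10)
Z_SRC_R = complex(0.0, 0.15)
E_S = complex(1.0, 0.0)
E_R = cmath.rect(1.0, math.radians(-10.0))  # R lags S, so power flows S -> R


@dataclass(frozen=True)
class Snapshot:
    """Phasors available to the relay at terminal S (currents flow into the line)."""
    v_local: complex   # measured at S, never crosses the communication channel
    i_local: complex   # measured at S
    i_remote: complex  # reported by terminal R over the communication channel


def healthy() -> Snapshot:
    """Pre-event load flow: the same current enters at S and leaves at R."""
    i = (E_S - E_R) / (Z_SRC_S + Z_LINE + Z_SRC_R)
    return Snapshot(E_S - Z_SRC_S * i, i, -i)


def internal_fault(m: float, r_fault: float) -> Snapshot:
    """Fault at fraction m of the line (from S) through resistance r_fault."""
    z_s = Z_SRC_S + m * Z_LINE
    z_r = Z_SRC_R + (1.0 - m) * Z_LINE
    # Nodal equation at the fault point gives the fault-point voltage.
    v_f = (E_S / z_s + E_R / z_r) / (1 / z_s + 1 / z_r + 1 / r_fault)
    i_s = (E_S - v_f) / z_s
    i_r = (E_R - v_f) / z_r
    return Snapshot(E_S - Z_SRC_S * i_s, i_s, i_r)


def with_false_remote(snap: Snapshot, injected: complex) -> Snapshot:
    """Same physical state, but the reported remote current has been altered."""
    return Snapshot(snap.v_local, snap.i_local, snap.i_remote + injected)


def differential_pickup(snap: Snapshot, pickup=0.3, slope=0.3) -> bool:
    """Percentage-differential element: operate current vs. restraint current."""
    operate = abs(snap.i_local + snap.i_remote)
    restraint = (abs(snap.i_local) + abs(snap.i_remote)) / 2
    return operate > pickup and operate > slope * restraint


def classify(pre: Snapshot, now: Snapshot, dv_min=0.05, di_min=0.10) -> str:
    """Supervise the differential element with changes seen only at terminal S.

    A real internal fault shifts the local voltage and current; an altered
    remote value changes nothing that terminal S measures itself.
    """
    if not differential_pickup(now):
        return "normal"
    dv = abs(now.v_local - pre.v_local)
    di = abs(now.i_local - pre.i_local)
    return "fault" if (dv >= dv_min or di >= di_min) else "suspected-fdi"


if __name__ == "__main__":
    pre = healthy()
    cases = {
        "load only": pre,
        "altered remote current": with_false_remote(pre, 1.0 + 0j),
        "fault at 40%, 0.01 pu": internal_fault(0.4, 0.01),
        "fault at 40%, 2.0 pu": internal_fault(0.4, 2.0),
    }
    for name, snap in cases.items():
        print(f"{name:24s} pickup={differential_pickup(snap)!s:5s} -> {classify(pre, snap)}")
```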
The protection system of a power grid uses remote relays as defense devices. However, these components are considered critical and present vulnerabilities to cyberattacks. Thus, Reference [141] proposes a robust neural-network-based methodology called Multi-Agent Distributed Deep Learning (MADDL). This technique can detect the injection of false data to the relays before the data simulate a false fault. Reference [142] proposes an adaptive technique in which relays communicate with each other to check the state of the variables at each point of the protection system of a microgrid. This methodology has the objective of mitigating false attacks on the protection relays and avoiding power interruptions in the grid caused by a false data injection attack. Reference [143] presents a cooperative defense strategy against unwanted modifications of protective relay settings caused by malicious attacks. The proposed algorithm is based on principles that aim to manage relays.
The transmission system is sensitive to cyberattacks due to embedded electronics and computing technologies in the protection system. From this perspective, Reference [144] developed an intelligent algorithm that was validated in the IEEE test system with relays, which can monitor and detect in real-time possible malicious attacks that cause anomalies to the protection system.
In Table 4, all the discussions mentioned above and research on cyberattacks in protection systems are analyzed and detailed.
Thus, the works discussed in this section present strategies to improve and ensure cybersecurity in the protection system and the defense devices of microgrids. The defense strategies presented are based on AI and deep-learning algorithms, adaptive techniques, passive oscillator circuits, game theory methodology, and state observer control. Therefore, these are important techniques found in the literature that seek to mitigate cyberattacks to improve the reliability, resilience, and cybersecurity of an MG protection system.

• Strategies based on protection against cyberattacks are related to meters, sensors, aggregators, actuators, defense devices, and all other components that make up the physical part of a MG and a CPS.

• Identification-based strategies aim to mitigate or eliminate the unwanted effects of cyberattacks. Detection can happen in a static manner, in which it seeks to achieve stationary stability, and in a dynamic manner, in which dynamic information is used in the detection process [47].

The defense strategies used in the works discussed in Sections 4.1-4.3 are based on traditional theories and concepts of modern, robust, adaptive, and predictive control, as well as AI, machine-learning, and deep-learning algorithms. However, to improve cybersecurity in an SG, the authors of [69,145] point out new avenues of research that use digital signal processing techniques; blockchain techniques for SG (Reference [122] used blockchain technology to defend the Reactor Protection System of a nuclear power plant); and use of new techniques for creating cryptography based on quantum computing and, consequently, big data analysis for making more efficient and reliable cybersecurity algorithms. Creating, updating, developing, and discussing new standards, protocols, and regulations are important defense strategies to improve cybersecurity in MG. Section 5 presents cybersecurity standards and regulations in SGs.

Therefore, based on the current scenario in the power sector, it is possible to infer the following future trends of cyberattacks in MG:

• Modernization of the electricity system: The gradual replacement of conventional power generation by clean energy increases the penetration of renewables, modifies the behavior, and adds the characteristic of intermittent generation to the system. Moreover, the use of new IoT technologies and the integration between devices and sectors provide the emergence of smart grids, which, due to the dependence on the Internet for operation and communication, present cyber vulnerabilities. Thus, the MG needs reliable and resilient cybersecurity in order not to harm its communication, state estimation, frequency control, voltage regulation, and the performance of its applications, such as the possibility of operation in the islanded mode and the connection of other islanded grids.

• Transportation and electrification: The process of electrification of transportation is a strategy that encourages the development, production, and use of electrically powered buses, vehicles, trains, and subways, as well as being an important factor in decreasing the emission of polluting gases into the atmosphere. These technological vehicles connected to charging stations modify and are part of the MG. Thus, this new means of transportation becomes a target of cyberattacks, and the security of charging stations is considered a point of vulnerability and of research interest [146]. From this perspective, the author of [147] designed simulation software to evaluate the cyber vulnerability of electric vehicle charging structures and devices. Therefore, cybersecurity in transportation electrification is a current problem that is under research and development.

Regulations and Standards
In recent years, the inclusion of new information technologies in the modern power system infrastructure has led it to approach the characteristics of a cyber-physical system. In this way, it presents the benefits, pitfalls, and vulnerabilities of a CPS. Therefore, governments, companies, and technical and scientific organizations continuously seek to create a comprehensive document containing aspects and specifications that regulate and, consequently, increase the safety, reliability, and operation. These documents are referred to as cybersecurity standards and regulations. In this section, some of the key cybersecurity standards and regulations related to smart grids are described.

i. AMI-SER
The advanced metering infrastructure (AMI) of a smart grid has vulnerabilities in its communication infrastructure and in its supporting information infrastructure and, consequently, compromises the cybersecurity of the electric grid [92]. Seeking to address this perspective, the AMI System Security Requirements (AMI-SER) cybersecurity protocol was created. The security guidelines in this document were developed in 2008 by the UCA International users' group (UCAIug) [47,92,148,149]. This protocol specifically addresses cybersecurity requirements for procurement and has geographic coverage in the US. It outlines technical standards to ensure robust security for the advanced metering infrastructure of a smart grid [92]. Thus, this protocol aims to provide a set of requirements that ensure proper operation, adequate availability of services, and reliability and security of the information in the system. AMI is the main component of a smart grid to which this protocol is applied. In addition, this standard presents safety requirements and objectives that can be used in manufacturers' industrial compliance testing [92,148,149]. More details about the standard can be found in [149].

ii. IEC 62351
The IEC 62351 protocol is an international industry standard developed by the International Electrotechnical Commission (IEC) whose first parts were published in 2007 and are constantly being updated [148]. IEC 62351 consists of cybersecurity standards that aim to improve security in smart power system devices and preserve the confidentiality, authenticity, and integrity of information [150]. This standard specifically addresses the cybersecurity of protocols and can be applied to all components of a smart grid architecture [92,148]. In addition, this standard has a global scope and presents technical solutions, safety requirements, and objectives that can be used in industrial compliance testing. The IEC 62351 standard is separated into 16 chapters (IEC 62351-1 through IEC 62351-13; IEC 62351-90-1, IEC 62351-90-2, and IEC 62351-100-1), and each part addresses a distinct area [47,92].

iii. NERC-CIP
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standard establishes minimum parameters to be followed to ensure bulk power system cybersecurity [92,151]. NERC-CIP presents a set of standards and requirements that aim to build a robust and secure framework that is capable of protecting the critical infrastructure and cyber devices of a smart grid and, consequently, assist in its reliable operation [92,148,152]. This standard was published in 2013 with US coverage and presents more general high-level guidance [92]. The NERC-CIP protocol is a standard capable of protecting an enterprise's critical infrastructure and can be applied to address critical system issues such as security management control; identify network hot spots; provide recovery, reporting, and response patterns; address physical and personal security; and standardize boundary regions that present satisfactory electronic security [92,148,152].

iv. NIST Standard
The development of cybersecurity standards and techniques for US smart grids is the responsibility of the National Institute of Standards and Technology (NIST). Thus, in 2010, the NIST standard was published that addresses cyber and information security and risk management [92]. Although it is a protocol created in the US, it is used worldwide in developing companies and systems [92]. This protocol presents high-level technical solutions and general guidelines [92]. References [92,148] present other variations of the NIST standard.

v. NIST SP 800-82
The National Institute of Standards and Technology Special Publication (SP) 800-82 (NIST SP-800-82) is the main NIST guideline governing industrial control and automation system security in the US and is also used worldwide [148]. This protocol, which was published in 2013, presents technical solutions and special suggestions regarding susceptibility and penetration-checking devices [92,148]. In addition, compliance with the standard ensures that the system security control will operate correctly and obtain satisfactory results [47]. The standard can be used in control and automation systems that use the SCADA system [92,148].

vi. NISTIR 7628
Created in 2014 in the US and with global reach, the National Institute of Standards and Technology Interagency Report 7628 (NISTIR 7628) is a guideline for smart grid cybersecurity [148]. For smart grid systems, this guide disseminates a set of cybersecurity defense techniques and rules [47,148]. Furthermore, this guide contains 10 chapters and 10 Appendices divided into 3 volumes [47,153], and it is applied to all devices that constitute the smart grid. The full standard can be found in [153].

vii. IEEE 2030 Std.2
Published in 2015 and with worldwide reach, the IEEE 2030 Std.2 standard entitled "IEEE Guide for the Interoperability of Energy Storage Systems Integrated with the Electric Power Infrastructure" is a set of standards created by IEEE [153]. This technical guideline presents 10 chapters and 5 appendices and is responsible for the minimum requirements of energy storage systems' interoperability [148]. The guideline presents technical solutions with important guidelines, strategies, and definitions that are associated with the current cybersecurity requirements for industrial applications and projects related to an energy storage system in smart grids [148,153]. The full standard can be found in [154].

viii. IEEE C37.240
The use of new intelligent and information technologies in the communication, control, automation, and protection system of power system substations raises concerns from the point of view of cybersecurity. In this context, in 2014, the IEEE published a standard with global scope entitled "IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems" [155]. The standard presents sound technical solutions and engineering practices and is also responsible for providing minimum requirements for the substation communication system to achieve adequate cybersecurity [148,155]. In this way, the standard aims to seek a balance between technical and economic feasibility with current cybersecurity concepts [148,155].
The interested reader is referred to [92,148] for additional works on the smart grid's cybersecurity standards and regulations.

Conclusions
This paper provides a review of the literature on cybersecurity in cyber-physical systems. The research was motivated by the recent modernization actions and policies in the energy sector, including incentives for the insertion of renewable energy sources, new information technologies, communication, monitoring, and networks allied to IoT concepts, artificial intelligence, machine learning, and modern control techniques. Thus, the current energy system presents the benefits that new technologies have provided, as well as the vulnerabilities and evils associated with modern cyber-physical systems.
The cyber-physical system can be typically described based on a three-layer architecture: perception layer, transport layer, and application layer. In addition, physical components, sensing components, and control and communication components are the three groups of devices that constitute a typical CPS. Power generators, transformers, transmission lines, circuit breakers, switchgear, and power system loads are part of the physical components of a power system. Sensors, actuators, and aggregators are part of the sensing component group. Finally, PLC, DCS, RTU, SCADA, and PMU are part of the control and communication components. To understand and identify vulnerabilities, it is important to understand the interrelationship between the components and layers of a CPS.
Based on the research conducted, it is possible to conclude that cyberattacks are a challenging and critical reality of modern cyber-physical systems. Given the long-term history of attacks and recent major disruptive attacks such as Ukraine's power sector outage in 2015, it is necessary to develop and ensure that adequate protection layers are available and in place at all system levels. Furthermore, it is important to know the classification of the various types of cyberattacks found in the literature to find out and understand how each attack works. Subsequently, planning and creating mechanisms to mitigate and nullify the effects of cyberattacks is necessary. In this context, international technical and scientific institutions such as IEEE, IEC, NIST, and UCAIug, among others, have created a series of standards and regulations to improve cybersecurity in smart grids and the industrial sector. For future works, one must perform a literature survey on the relationship between cyberattacks and cyber terrorism in cyber-physical systems.

Figure 2. Number of terrorist attacks in the electricity sector of selected countries [40,41].

Figure 4. Block diagram of a cyber-physical system.

Figure 6. Literature search on cybersecurity applications.

vii. IEEE 2030 Std.2 Published in 2015 and with worldwide reach, the IEEE 2030 Std.2 standard entitled "IEEE Guide for the Interoperability of Energy Storage Systems Integrated with the Electric Power Infrastructure" is a set of standards created by IEEE [153].

Phishing; Grooming; Pretexting; Profile Cloning; Face-to-Face Interaction; Shoulder Surfing; Quid Pro Quo Attacks; Diversion Theft Attacks; Piggybacking or Tailgating or Trailing and Pretending; File Masquerade; Baiting; Reverse Social Engineering; Scareware or Pop-Up Windows; and Water-Holing are some types of social engineering [81].