Evolution of Artificial Intelligence-Based OT Cybersecurity Models in Energy Infrastructures: Services, Technical Means, Facilities and Algorithms

Abstract

Critical energy infrastructures (CEIs) are fundamental pillars for economic and social development. However, their accelerated digitalization and the convergence between operational technologies (OTs) and information technologies (ITs) have increased their exposure to advanced cyber threats. This study examines the evolution of OT cybersecurity models with artificial intelligence in the energy sector between 2015 and 2024, through a systematic literature review following a four-phase method (planning, development, results, and analysis). To this end, we answer the following questions about the aspects of CEI cybersecurity models: What models exist? What energy services, technical means, and facilities do they encompass? And what algorithms do they include? From an initial set of 1195 articles, 52 studies were selected, which allowed us to identify 49 cybersecurity models classified into seven functional categories: detection, prediction and explanation; risk management; regulatory compliance; collaboration; response and recovery; architecture-based protection; and simulation. These models are related to 10 energy services, 6 technical means, 10 types of critical facilities, and 15 AI algorithms applied transversally. Furthermore, the integrated and systemic relationship of these study aspects has been identified in an IT-OT cybersecurity model for CEIs. The results show a transition from conventional approaches to solutions based on machine learning, deep learning, federated learning, and blockchain. Algorithms such as CNN, RNN, DRL, XAI, and FL are highlighted, which enhance proactive detection and operational resilience. A broader coverage is also observed, ranging from power plants to smart grids. Finally, five key challenges are identified: legacy OT environments, lack of interoperability, advanced threats, emerging IIoT and quantum computing risks, and low adoption of emerging technologies.

1. Introduction

Critical energy infrastructures (CEIs) are essential for economic and social development, ensuring the continuous supply of energy to key sectors such as transportation, healthcare, communications, and industry. Over the past decade, these systems have undergone a significant transformation driven by increasing demand, the depletion of conventional energy sources, and inefficiencies in energy distribution. Innovations such as smart grids and the Internet of Energy (IoE) have emerged, promoting decentralization, distributed storage, and intelligent energy management through information and communication technologies (ICTs) [1]. However, this modernization has also increased the vulnerability of CEIs to cyber threats by expanding the attack surface and making them prime targets for adversaries seeking to disrupt operations. Ensuring cybersecurity in these infrastructures is critical to maintaining operational continuity and preventing serious economic and societal consequences, especially in a constantly evolving threat landscape that demands proactive and resilient approaches.

Cybersecurity in critical energy infrastructures (CEI) is becoming increasingly essential in an environment characterized by growing interconnectivity and reliance on advanced technologies. The integration of ICT into industrial control systems has improved operational efficiency but has also significantly heightened exposure to cyberattacks with potentially devastating impacts on national and economic security. Notable incidents such as the cyberattacks on Ukraine’s power grid (2015 and 2016) and the Colonial Pipeline (2021) underscore the severe consequences of such threats. Recent reports reveal that 90% of organizations using industrial control systems (ICS) have experienced security breaches, with data theft being the most pressing concern [2]. Moreover, economic losses from these attacks amount to hundreds of millions of dollars annually [3]. Emerging technologies such as smart grids and the IoE have broadened the attack surface, making systems more susceptible to sophisticated threats. In this context, the adoption of advanced cybersecurity strategies—such as artificial intelligence (AI), machine learning (ML), and zero-trust architectures—is crucial for real-time anomaly detection, proactive incident response, and ensuring operational resilience. Coordinated efforts among governments, organizations, and industry stakeholders are essential to mitigate risks and protect these critical infrastructures in the face of increasingly complex threats.

The convergence of information technologies (IT) and operational technologies (OT) in CEIs has transformed the cybersecurity landscape by integrating traditionally isolated systems into interconnected networks. IT-OT cybersecurity models aim to ensure operational resilience against cyber threats through innovative approaches. For instance, the hierarchical cyber-physical security model structures protection layers to detect and mitigate vulnerabilities in SCADA networks [4]. Similarly, blockchain-based models ensure data integrity in critical transactions, reinforcing the protection of substations against denial-of-service attacks [5]. Another important approach is the Software-Defined Networking (SDN) model, which dynamically segments traffic between IT and OT networks, optimizing real-time threat detection [6]. Additionally, hybrid models that combine predictive analytics and machine learning enable the simulation of attacks and the evaluation of mitigation strategies in critical environments [7].

Key dimensions of IT-OT cybersecurity models include services, technical means, facilities, and algorithms. In terms of services, federated learning enhances distributed anomaly detection while preserving data privacy across energy networks [8]. Centralized monitoring platforms also support efficient incident management through predictive analytics [9]. Regarding technical means, edge computing technologies have significantly improved local threat detection capabilities by reducing response latency [6]. Moreover, advanced sensors with secure protocols have increased the resilience of smart grids [10].

Critical facilities such as substations and smart grids have adopted blockchain technologies to ensure data integrity and operational security [11]. Hierarchical impact assessment models have also been applied to mitigate risks in SCADA systems [12]. Finally, advanced algorithms have revolutionized threat detection. Deep neural networks and autoencoders can identify anomalous patterns in imbalanced dataset, while metaheuristic optimization algorithms offer efficient solutions for real-time cyberattack mitigation [13].

The convergence of IT-OT and artificial intelligence (AI) in CEIs has redefined the cybersecurity landscape, demanding models that comprehensively address vulnerabilities across services, technical infrastructure, facilities, and algorithms. Regarding services, intrusion detection and prevention systems (IDS/IPS) have significantly evolved through deep learning integration, enabling threat prioritization and real-time incident response [7,14]. For technical infrastructure, edge and fog computing technologies have enhanced responsiveness by processing data close to the source, reducing latency and enabling efficient monitoring in SCADA systems and smart grids [6,15]. As for facilities, substations and electric grids have implemented blockchain to ensure data integrity and defend against targeted cyberattacks, minimizing operational impact [4,11]. In terms of algorithms, deep neural networks and autoencoders have improved anomaly detection in complex datasets, bolstering protection against emerging and sophisticated threats [16]. Within this context, the research question emerges: How have IT-OT cybersecurity models for critical energy infrastructures evolved between 2015 and 2024? Addressing this question is essential to understanding how IT-OT integration has enhanced cybersecurity capabilities, improved attack prevention, and ensured operational continuity throughout this period.

The aim of this study is to analyze the evolution of AI-enhanced IT-OT cybersecurity models in the CEI sector from 2015 to 2024, with the objective of identifying key achievements and remaining challenges. This analysis will provide critical infrastructure security managers and operators with clear guidance on how to optimize their cybersecurity strategies in response to emerging threats, thereby strengthening the protection of vital systems. Furthermore, this study will offer researchers in the cybersecurity field a fresh perspective on the evolution of IT-OT models, serving as a solid foundation for future research and the development of novel defense approaches for critical infrastructures.

The main contributions of this article are: (a) to provide an overview of IT-OT cybersecurity models, detailing their concepts, classifications, and relevance in protecting critical energy infrastructure, along with key dimensions of analysis; (b) to offer an exhaustive inventory of models and technologies implemented in the energy sector to enhance cybersecurity, spanning from traditional solutions to emerging technologies such as AI and blockchain; and (c) to highlight the evolution of OT models from 2015 to 2024, emphasizing the major advances in defense mechanisms against cyber threats and how these strategies have enhanced the resilience of critical infrastructures.

This article is structured into six sections. Section 2 reviews cybersecurity in critical energy infrastructures. Section 3 presents a systematic review of OT cybersecurity models in CEIs. Section 4 analyzes the evolution of OT models from 2015 to 2024, identifying key advances and achievements. Finally, Section 5 and Section 6 discuss the findings and present the conclusions of the study, respectively.

2. Cybersecurity in Critical Energy Infrastructures (CEIs)

2.1. Origin and Importance

Cybersecurity in critical energy infrastructures emerged as a key discipline in response to the growing digitalization of control and operational systems within energy networks. The convergence of information technologies (IT) and operational technologies (OT) has increased vulnerabilities, exposing critical infrastructures—such as those in energy, transportation, and water—to sophisticated cyberattacks [1]. The transition to smart grids and the Industrial Internet of Things (IIoT) has exponentially expanded the attack surface, creating an urgent need to reinforce cybersecurity measures [17]. This transformation has led to the development of regulatory frameworks and standards such as the NIST Cybersecurity Framework and ENISA guidelines.

Cybersecurity in CEIs is fundamental to ensuring the continuity of electricity supply and preventing disruptions to essential services. Recent attacks, such as those on Ukraine’s power grid (2015 and 2016) and the Colonial Pipeline (2021), have demonstrated the vulnerability of OT systems to coordinated cyber threats aimed at destabilizing national economies and societal functions [18]. These incidents highlight the need for proactive cybersecurity approaches that incorporate advanced systems for real-time threat detection and mitigation [19].

2.2. Standards and Regulations

Critical energy infrastructures operate under stringent regulatory frameworks that include international standards such as ISO/IEC 27001:2017 [20], NERC CIP, and the NIST SP 800-82 guidelines. These frameworks provide directives for the protection of industrial control systems (ICS) and SCADA, covering areas such as risk management, network segmentation, and data protection (ISO, 2017). Additionally, ENISA has issued specific recommendations for smart grids, emphasizing the need to strengthen device authentication and enhance intrusion detection capabilities [21].

2.3. Dimensions of CEI Cybersecurity Research

CEI cybersecurity is a crucial domain for ensuring operational resilience against sophisticated cyber threats. Within this context, it is essential to address five fundamental aspects: models, services, technical means, facilities, and algorithms, as shown in Figure 1. These components enable a comprehensive response to the challenges posed by the digitalization and convergence of OT and IT systems.

• IT-OT Models represent integrated approaches that connect IT and OT systems to reinforce cybersecurity in critical infrastructures, facilitating threat detection, mitigation, and proactive incident response. A notable example is the Software Defined Networking (SDN) model, which enables dynamic traffic segmentation between IT and OT systems, enhancing real-time security and reducing the attack surface in SCADA networks [6].
• CEI Services include capabilities such as real-time intrusion detection, predictive monitoring, and automated response systems, which enhance operational resilience by enabling timely threat identification and management. A concrete example is the use of federated learning in smart grids, which supports distributed anomaly detection while preserving data privacy [8].
• Technical Means encompass advanced technologies such as edge and fog computing, which process data close to its origin, reducing latency and increasing the effectiveness of cybersecurity measures in SCADA systems. For instance, edge computing has enabled the deployment of real-time monitoring systems in critical substations, significantly improving response speed to cyber incidents [15].
• Facilities refer to critical physical environments such as smart grids and substations that have adopted advanced sensors and blockchain technologies to ensure operational integrity against cyber threats. An example includes the implementation of blockchain technologies in smart grids to prevent tampering and ensure real-time transaction security [4].
• Algorithms have seen remarkable advancements, particularly in deep learning and autoencoders, which allow the detection of complex anomalies in imbalanced datasets, thereby strengthening the protection of industrial systems. A relevant case is the use of convolutional neural networks (CNNs) combined with hybrid models to accurately classify threats in SCADA systems [16].

The original contribution of this study lies in the development of a comprehensive taxonomy of 49 OT cybersecurity models, systematically classified into seven functional categories and analyzed through five complementary dimensions: energy services, technical means, critical facilities, applied algorithms, and evolutionary period. This structured framework not only synthesizes the literature but also provides a novel lens for understanding the progression of cybersecurity models in critical energy infrastructures, offering value to both academic researchers and energy practitioners.

3. Systematic Review of IT-OT Cybersecurity Models in CEIs

This section presents a systematic literature review on IT-OT cybersecurity models applied to critical energy infrastructures (CEIs), following a four-phase methodology encompassing planning, execution, results, and analysis.

3.1. Methodology

The methodology for the systematic literature review (SLR) was based on an adaptation of the guidelines proposed by Kitchenham & Charters (2007), structured into four phases. This methodology has been applied in various reviews related to CEI cybersecurity, including those by [22,23,24,25,26,27]. The phases are described as follows:

A.

Planning: This phase establishes the research questions and the search and selection protocol, which includes journal sources, search period, search strings, and inclusion and exclusion criteria.

B.

Execution: The search protocol is applied, and articles are selected to answer the research questions.

C.

Results: Statistical data are compiled and presented regarding the selected studies, including publication trends, quality, and distribution.

D.

Analysis: The research questions defined in the planning phase are answered based on the selected literature.

3.2. Planning

To investigate how cybersecurity models for CEIs have evolved, the following research questions (RQs) were formulated:

RQ1: What types of CEI cybersecurity models exist?

RQ2: What energy services are addressed by these models?

RQ3: What technical means are considered in these models?

RQ4: What types of facilities are protected by these models?

RQ5: What algorithms are integrated into these models?

To answer these questions, scientific journal articles were retrieved from the following academic databases: Scopus, Web of Science (WoS), IEEE Xplore, and MDPI. The review covered the period from January 2015 to June 2024, beginning with 2015 as it marks the emergence of the first CEI cybersecurity models. The search string used was: [(model OR “operational technology”) AND cybersecurity AND “artificial intelligence”]. This string was applied to the following fields: “Title-Abs-Key” for Scopus, “Topic” for WoS, “ALL” for IEEE Xplore, and “Title/Keyword” for MDPI. The syntax of the string was adapted as necessary for each database’s search engine. Once the articles were retrieved, inclusion and exclusion criteria were applied, as defined in

Table 1. Inclusion and exclusion criteria.

Selection Criteria

Exclusion Criteria

Primary research articles Address at least one of the research questions Document type: Article Language: English Publication period: 2015–2024

Studies related to sectors other than energy, such as healthcare, education, finance, agriculture, or tourism. Studies that do not apply AI techniques, such as machine learning or neural networks. Studies that address cybersecurity in a general manner without focusing on critical infrastructures. Studies on IoT, big data, blockchain, virtual reality, or quantum computing that do not involve critical infrastructure protection.

.

3.3. Execution

The primary studies identified as potential references during the search process were selected based on the inclusion and exclusion criteria defined earlier. It was essential to review the content of these potential references to assess their relevance to the present study and, specifically, to determine whether they addressed models applicable to CEIs. Most articles were excluded for being outside the scope of this research—for instance, focusing on cybersecurity in generic enterprise networks, assessing vulnerabilities in consumer IoT devices, or addressing unrelated topics such as personal data privacy.

The search protocol defined during the planning phase initially identified 1693 primary studies, distributed as follows: 1195 from Scopus, 382 from Web of Science (WoS), 65 from IEEE Xplore, and 51 from MDPI. During the selection process and following the inclusion and exclusion criteria, an initial filtering by title yielded 299 articles. A second screening based on abstracts reduced the number to 98 articles. Subsequently, a detailed review of introductions and conclusions led to the selection of 71 articles. Finally, after a full-text review, 52 articles were retained. This selection process is illustrated in Figure 2, and the selected articles are listed in Column 4 of

Table 2. Number of potentially eligible studies and selected studies.

Source	# Potentially Eligible Studies	# Selected Studies	Identification Codes
Scopus	1195	21	[R01]–[R21]
WoS	382	25	[R22]–[R46]
IEEE Xplore	65	04	[R47]–[R50]
MDPI	51	02	[R51]–[R52]
Total	1693	52	[R01]–[R52]

# indicates the quantity.

.

Table A1. Selected articles.

Id.	Reference	RC	Id.	Reference	RC	Id.	Reference	RC
[R01]	Wazid, et al. (2024)	[29]	[R19]	Figueroa-Lorenzo, et al. (2020)	[41]	[R37]	Salvi, et al. (2022)	[9]
[R02]	Ghadi, et al. (2024)	[30]	[R20]	Al-Hawawreh, et al. (2021)	[42]	[R38]	Muna, et al. (2023)	[53]
[R03]	Mengara, et al. (2024)	[31]	[R21]	Shalaginov, et al. (2021)	[43]	[R39]	Cvitic, et al. (2022)	[11]
[R04]	Clark, et al. (2024)	[32]	[R22]	Chehri, et al. (2021)	[7]	[R40]	Shtayat, et al. (2023)	[54]
[R05]	Verma, et al. (2024)	[33]	[R23]	Calabrese, et al. (2023)	[44]	[R41]	Laskurain-Iturbe, et al. (2021)	[55]
[R06]	Jithish, J et al. (2023)	[34]	[R24]	Raval, et al. (2024)	[45]	[R42]	Imran, et al. (2024)	[56]
[R07]	Bhardwaj, et al. (2024)	[35]	[R25]	Sarker, et al. (2020)	[46]	[R43]	Laghari, et al. (2021)	[57]
[R08]	Ahakonye, et al. (2024)	[13]	[R26]	Yamin, et al. (2021)	[47]	[R44]	Payne, et al. (2019)	[58]
[R09]	Gueye, et al. (2023)	[36]	[R27]	Schmitt, (2023)	[4]	[R45]	Alzahrani & Aldhyani, (2023)	[19]
[R10]	Sulaiman, et al. (2023)	[14]	[R28]	Mezzina, et al. (2021)	[10]	[R46]	Motwakel, et. al. (2023)	[59]
[R11]	Salvi, et al. (2022)	[9]	[R29]	Khosravy, et al. (2024)	[48]	[R47]	Falco, et al. (2018)	[18]
[R12]	Houmb, et al. (2023)	[37]	[R30]	Salam, et al. (2023)	[49]	[R48]	Zhu, et al. (2019)	[12]
[R13]	Bouramdane, (2023)	[38]	[R31]	Shalaginov, et al. (2021)	[28]	[R49]	Mahmoodi, et al. (2023)	[60]
[R14]	Dari, et al. (2023)	[39]	[R32]	Bhandari, et al. (2023)	[50]	[R50]	Bhardwaj, et al. (2020)	[61]
[R15]	Gaskova, et al. (2023)	[8]	[R33]	Ahmad, et al. (2022)	[15]	[R51]	Oliveira, et al. (2023)	[62]
[R16]	Mall, et al. (2023)	[5]	[R34]	Mogollón-Gutiérrez, et al. 2023	[51]	[R52]	Maghrabi, et al. (2023)	[16]
[R17]	Santoso, et al. (2024)	[40]	[R35]	Tareq, et al. (2022)	[52]
[R18]	Zolanvari, et al. (2023)	[6]	[R36]	Abir, et al. (2021)	[17]

in Appendix A presents the basic information and identification of the 52 selected articles [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62], from [R01] to [R52].

3.4. Results

3.4.1. Potential Articles

A total of 1693 potential articles were identified through the search process, from which 52 studies were selected. These represent approximately 3% of the total and are presented in Table 2.

3.4.2. Publication Trends

Figure 3 illustrates a consistent increase in the number of published articles addressing CEI cybersecurity models over the period 2018 to 2024. This upward trend likely reflects the growing recognition among researchers and professionals of the importance of modeling and cybersecurity in critical infrastructures, particularly within the energy sector. Furthermore, as shown in Figure 2, the first relevant study in this domain appeared in 2018.

3.4.3. Journals and Articles by Quartile

Figure 4 presents the journals in which the selected articles were published, indicating their respective quartile rankings and the number of articles per journal. The most prominent journals are IEEE Access and the Internet of Things Journal, with six and four articles, respectively. Additionally, 25 journals were grouped under the category “Others,” each contributing one selected article. In total, 34 journals were represented: 24 in Q1, 5 in Q2, 4 in Q3, and 1 in Q4.

With respect to the quality ranking of the journals, 71% (37) of the selected articles were published in Q1 journals, and 17% (9) in Q2 journals, meaning that 88% of the studies were published in top-tier journals (Q1 and Q2) (see Figure 5). This highlights the high quality of the selected studies. Additionally, 2% of the articles fall into a separate category, representing non-indexed publications (brown segment).

3.4.4. Study Classification

Table 3. Classification of studies in the systematic literature review according to the key dimensions of an integrated IT-OT model for CEIs.

RQ	Dimension	Scopus	WoS	IEEE	MDPI	Total
RQ1	IT-OT models	[R1]–[R2], [R6], [R10], [R19]–[R21]	[R37], [R41]	[R47]–[R48]		11
RQ2	Services	[R3]-[R4], [R11]	[R22]–[R23], [R26]–[R27], [R30], [R40], [R42]	[R49]–[R50]		12
RQ3	Technical means	[R5], [R8], [R16]	[R24]–[R25], [R28], [R31]–[R32], [R36], [R40], [R42], [R46]			12
RQ4	Facilities	[R7], [R9], [R12], [R18]	[R33], [R38]–[R39], [R42]–[R44]	[R48], [R50]		12
RQ5	Algorithms	[R13]–[R15], [R17]	[R25], [R29], [R34]-[R35], [R42], [R45]	[R50]	[R51]–[R52]	13
Total (without duplication)		21	25	4	2

presents the classification of the 52 selected studies according to the five analytical dimensions, which correspond directly to the research questions. It is important to note that several studies contribute to more than one category. As observed, 25% of the studies focus on algorithms for CEI cybersecurity, while 23% of the studies pertain to each of the following dimensions: services, technical means, and facilities. This indicates a relatively balanced interest across all five-research dimensions. Appendix A provides a comprehensive overview of the 52 selected articles, as presented in Table A1. This appendix serves to link each article’s unique identifier (ID) to its corresponding reference number, ensuring traceability between the list of analyzed studies and the reference list [R01] to [R52].

3.5. Analysis

This section addresses the research questions formulated in Section 3.2, based on the selected studies.

• RQ1: What types of CEI cybersecurity models exist?

The selected studies did not identify a standardized taxonomy for CEI cybersecurity models. However, the influential book by [1] provides a foundational framework for understanding CEI cybersecurity, highlighting key elements such as the relevance of international standards (ISO/IEC and NIST), inter-institutional collaboration, and risk management, which may contribute to building a comprehensive taxonomy. Developing a robust classification system is essential to facilitate systematic analysis and conceptual clarity. Accordingly, this study proposes a new taxonomy for CEI cybersecurity models. It consists of seven categories, which incorporate the most relevant and current approaches in the field. This taxonomy provides a structured basis for future research and practical applications and is detailed in

Table 4. Taxonomy of cybersecurity models for Critical Energy Infrastructures (CEIs).

Category	Description	Subcategory	Description	Selected Studies
Detection, prediction, and explanation	Use of AI and ML to detect, predict, and explain threats in real time, optimizing OT security.	Intrusion detection	Identification of unauthorized access in OT networks using IDS/IPS techniques.	Wazid et al. (2024) [R01], Gueye et al. (2023) [R09], Sulaiman et al. (2023) [R10]
		Anomaly detection	Identification of atypical patterns in ICS behavior using ML/DL.	Mall et al. (2023) [R16], Mezzina et al. (2021) [R28], Maghrabi et al. (2023) [R52]
		Threat prediction	Use of time series models and neural networks to forecast attacks.	Raval et al. (2024) [R24], Zolanvari et al. (2023) [R18], Ahmad et al. (2022) [R33]
		Decision explanation	Application of Explainable AI (XAI) to interpret detection results.	Ahakonye et al. (2024) [R08], Shtayat et al. (2023) [R40], Falco et al. (2018) [R47]
Risk management	Assessment and mitigation of risks in critical infrastructures using probabilistic models and standards.	Probability-based assessment	Risk quantification through statistical and simulation models.	Figueroa-Lorenzo et al. (2020) [R19], Tareq et al. (2022) [R35], Laghari et al. (2021) [R43]
		Risk management frameworks	Implementation of NIST, ISO 27001, and IEC 62443 in critical systems.	Ahmad et al. (2022) [R33], Alzahrani & Aldhyani (2023) [R45], Mahmoodi et al. (2023) [R49]
		Scenario-based risk analysis	Modeling of attack scenarios to evaluate impact on OT systems.	Schmitt (2023) [R27], Calabrese et al. (2023) [R23], Zhu et al. (2019) [R48]
Standards-based models	Ensure compliance with frameworks such as IEC 62443 and NIST, improving operational security.	Regulatory compliance	Adaptation of critical infrastructures to standards such as NERC CIP.	Imran et al. (2024) [R42], Dari et al. (2023) [R14], Gaskova et al. (2023) [R15]
		ICS security	Application of IEC 62443 in SCADA and PLC systems.	Santoso et al. (2024) [R17], Oliveira et al. (2023) [R51], Bhardwaj et al. (2024) [R50]
Collaborative and information sharing models	Facilitate the sharing of threat intelligence using STIX/TAXII, ISACs, and peer-to-peer platforms.	Threat intelligence	Use of STIX/TAXII to exchange real-time cyber threat data.	Chehri et al. (2021) [R22], Sarker et al. (2020) [R25], Motwakel et al. (2023) [R46]
		Data exchange platforms	Use of ISACs and P2P networks for OT cybersecurity collaboration.	Houmb et al. (2023) [R12], Salam et al. (2023) [R30], Bhandari et al. (2023) [R32]
Incident response and recovery	Automate incident response and optimize recovery using digital twins and contingency plans.	Incident response	Implementation of automated strategies to mitigate attacks in real time.	Al-Hawawreh et al. (2021) [R20], Payne et al. (2019) [R44], Bhardwaj et al. (2020) [R50]
		Infrastructure recovery	Use of digital twins to simulate post-attack recovery scenarios.	Laskurain-Iturbe et al. (2021) [R41], Mezzina et al. (2021) [R28], Maghrabi et al. (2023) [R52]
System architecture-based protection	Integrate OT security through segmentation, micro-segmentation, and blockchain for critical networks.	SCADA and IoT security	Design of secure networks using segmentation and micro-segmentation.	Mahmoodi et al. (2023) [R49], Mogollón-Gutiérrez et al. (2023) [R34], Verma et al. (2024) [R05]
		Blockchain for OT	Use of blockchain to ensure data integrity in energy networks.	Cvitic et al. (2022) [R39], Maghrabi et al. (2023) [R52], Abir et al. (2021) [R36]
Simulation and testing	Simulate attacks and validate defense strategies in ICS and critical energy networks.	Attack simulation	Testing environments to validate defense mechanisms in ICS.	Clark et al. (2024) [R04], Yamin et al. (2021) [R26], Ghadi et al. (2024) [R02]
		Resilience testing	Evaluation of infrastructure robustness against cyberattacks.	Mengara et al. (2024) [R03], Falco et al. (2018) [R47], Schmitt (2023) [R27]

.

Beyond the descriptive taxonomy, a comparative analysis reveals key differences among the seven categories of models. Detection and prediction models are highly applicable in practice due to their integration with SCADA and smart grid environments, but their scalability depends strongly on computational resources. Risk management and standards-based models demonstrate high maturity, as they are widely adopted in regulatory frameworks, yet their applicability can be limited by regional compliance requirements. Collaborative and information-sharing models remain less mature, facing challenges of interoperability and trust, while architecture-based protection and simulation models offer strong scalability potential but are still underexplored in real deployments. This comparison highlights how applicability, scalability, and maturity vary across categories, providing guidance for selecting models aligned with specific operational needs.

The proposed taxonomy, which organizes cybersecurity models into seven categories, is based on the following rationale. First, it provides comprehensive coverage by addressing technical, organizational, and regulatory aspects—from threat detection to operational resilience. Second, it enables specific and in-depth analysis within each category. Finally, it combines theoretical rigor with clear practical applications, making it valuable to researchers, industry professionals, and policymakers by incorporating standards, compliance frameworks, and collaborative models.

3.5.1. Detection, Prediction, and Explanation Models

A total of 16 models were identified across 49 studies, distributed among three subcategories: 8 detection models, cited in 32 studies, 4 prediction models, appearing in 16 studies, and 4 explanation models, also in 16 studies. Detection models primarily focus on identifying intrusions and anomalies; prediction models aim to anticipate cyber threats; and explanation models seek to justify system decisions, enhancing transparency and trust.

Table 5. CEI cybersecurity models for detection, prediction, and explanation.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Intrusion detection	M01	Deep Learning Intrusion Detection System (DL-IDS)	Deep learning for detecting intrusions in OT networks.	Protection in SCADA [R10], Substation monitoring [R18], IIoT security [R25, R30]
	M02	Hybrid IDS Based on Machine Learning	Supervised/unsupervised ML for unauthorized access detection.	Detection in PLCs [R5], OT network security [R12, R20], SCADA traffic analysis [R38]
	M03	Behavior-Based Detection Model	Real-time pattern analysis in OT environments.	OT access monitoring [R7], Industrial traffic analysis [R24], Unauthorized access prevention [R35, R50]
	M04	Federated Learning Intrusion Detection System (FL-IDS)	Distributed detection using federated learning.	Distributed detection in IoT [R6], Smart grid security [R14], Decentralized OT analysis [R33, R49]
Anomaly detection	M05	Autoencoder Anomaly Detection System	Autoencoders for detecting anomalies in SCADA.	Industrial network anomalies [R8], Energy plant security [R15], IIoT traffic analysis [R28, R40]
	M06	Explainable Anomaly Detection (XAI-AD)	XAI for improving anomaly detection.	OT behavior analysis [R13], Real-time monitoring [R19], Fault prediction [R26, R42]
	M07	Anomaly Detection with One-Class SVM	One-Class SVM for detecting anomalies in OT.	Substation monitoring [R9], Industrial network protection [R21], Unusual event detection [R34, R46]
	M08	Deep Autoencoder for Energy Systems	Deep autoencoders for OT energy systems.	Consumption data analysis [R11], Industrial IoT security [R22], OT risk assessment [R29, R47]
Threat prediction	M09	Time Series-Based Threat Prediction	Time series models for cyberattack forecasting.	Attack prediction in OT networks [R3], Threat modeling in SCADA [R17], IIoT risk assessment [R31, R44]
	M10	Recurrent Neural Networks (RNN) for Threat Prediction	RNNs for anticipating threats in OT.	Early malware detection [R4], Cyberattack pattern analysis [R16], Predictive energy security [R27, R39]
	M11	Hybrid Predictive Model with Bayesian Networks	Hybrid model using ML and Bayesian networks.	OT vulnerability assessment [R2], Malicious pattern analysis [R23], Critical IoT security [R32, R45]
	M12	Deep Learning-Based Attack Forecasting	Deep learning for anticipating attacks in OT.	SCADA attack prevention [R1], Cyberattack scenario modeling [R20], Resilience in critical infrastructures [R36, R48]
Decision explanation	M13	Explainable AI for OT Security (XAI-OT)	XAI for justifying cybersecurity decisions in OT environments.	IDS alert interpretation [R7], Prediction justification in IIoT [R18], Attack detection transparency [R30, R41]
	M14	SHAP-Based Intrusion Detection Explanation	SHAP to explain intrusion detection decisions.	OT risk analysis [R12], Anomaly pattern interpretation [R25], Cyber defense explainability [R38, R50]
	M15	LIME for Cybersecurity Decision-Making	LIME to support decisions in cybersecurity contexts.	Security event explanation [R6], Predictive model interpretation [R14], AI transparency in OT [R33, R49]
	M16	Feature Importance Analysis for Threat Detection	Feature importance analysis to improve threat detection.	IDS accuracy enhancement [R5], OT security evaluation [R19], Security decision justification [R28, R43]

details the characteristics of each model. It is worth noting that some studies apply more than one type of model.

3.5.2. Risk Management Models

A total of six risk management models were identified across 18 studies, each applied to a distinct case study. These models are described in

Table 6. CEI cybersecurity risk management models.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Probability-based assessment	M17	Probabilistic Risk Assessment (PRA)	Probabilistic evaluation to quantify risks in OT environments.	Power grid analysis [R2], SCADA security [R16], OT failure estimation [R27]
	M18	Bayesian networks for risk analysis	Bayesian networks to model uncertainty in OT cybersecurity.	Vulnerability assessment [R4], OT incident modeling [R19], Impact prediction [R33]
Risk management frameworks	M19	NIST risk management framework	NIST-based structured framework for OT risk management.	SCADA implementation [R6], Smart grid deployment [R14], Industrial IoT assessment [R30]
	M20	ISO/IEC 27001 risk framework	ISO/IEC 27001-based approach for OT risk mitigation.	Energy systems protection [R9], Critical infrastructure security [R21], IIoT control [R35]
Scenario-based risk analysis	M21	Scenario-based risk analysis	Risk modeling through OT attack scenario simulations.	Smart grid evaluation [R11], Cyberattack simulation [R25], SCADA system analysis [R40]
	M22	Cybersecurity threat modeling	Modeling of threats to anticipate attacks in OT systems.	Attack vector identification [R8], OT network analysis [R22], Energy impact evaluation [R36]

.

3.5.3. Standards-Based Models

A total of five models categorized under standards and compliance were identified across 15 studies, each corresponding to a distinct use case. These models are detailed in

Table 7. CEI cybersecurity models based on standards and compliance.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Regulatory compliance	M23	NIST cybersecurity framework	NIST-based model to protect OT critical infrastructures.	Power grid implementation [R2], SCADA security [R12], OT compliance evaluation [R25]
	M24	ISO/IEC 27001 standards	International standards for OT security management.	Critical infrastructure security [R6], IIoT implementation [R18], Smart grid protection [R30]
	M25	COBIT framework	Model integrating risk management and corporate governance in OT.	SCADA control [R9], Industrial network assessment [R21], Control systems application [R35]
ICS system security	M26	IEC 62443 standards	Model for securing industrial control systems (ICS).	SCADA network protection [R11], Substation security [R22], PLC evaluation [R40]
	M27	Industry 4.0 cybersecurity standards	Standards applied to cybersecurity in industrial environments.	IIoT security [R8], Smart factory protection [R19], OT monitoring system evaluation [R33]

.

3.5.4. Collaborative and Information Sharing Models

A total of five models within the category of collaborative or information-sharing frameworks were identified across 15 studies, each corresponding to a distinct case. These models are presented in

Table 8. Collaborative and information sharing models for CEI cybersecurity.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Threat intelligence	M28	STIX/TAXII-based threat intelligence	Model based on STIX/TAXII for real-time threat intelligence sharing.	Exchange in critical infrastructures [R3], SCADA prevention [R12], Smart grid coordination [R25]
	M29	AI-driven cyber threat intelligence	Use of AI to analyze and exchange cyber threat information in OT environments.	Predictive analysis in IIoT [R7], Attack pattern detection [R16], Industrial network security [R29]
	M30	Collaborative threat sharing network	Interagency collaboration network for sharing cyber threat intelligence.	Shared monitoring in smart grids [R10], Early warning in ICS [R22], SCADA system protection [R37]
Data exchange platforms	M31	ISACs for critical infrastructure security	Model based on Information Sharing and Analysis Centers (ISACs) for OT security.	Electrical infrastructure protection [5], IIoT network coordination [R14], SCADA system security [R30]
	M32	P2P cybersecurity data exchange	Decentralized peer-to-peer data exchange on cyber threats in OT.	Distributed monitoring in OT [R9], Incident response in ICS [R18], Detection in industrial networks [R33]

.

3.5.5. Incident Response and Recovery Models

A total of five models were identified within the incident response and recovery category, across 10 studies. The most referenced approach involves digital twins used to simulate and recover OT systems following cyberattacks. These models are detailed in

Table 9. CEI cybersecurity models for incident response and recovery.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Incident response	M33	Automated incident response system	Automates cyberattack mitigation in critical infrastructures.	SCADA mitigation [R3], IIoT incident response [R10]
	M34	AI-based intrusion response framework	Uses AI for adaptive and automatic responses to attacks.	Industrial network protection [R7], Malware response in OT [R29]
Infrastructure recovery	M35	Digital twin for cyber resilience	Digital twins to simulate and recover OT systems after attacks.	Damage assessment in smart grids [R5], SCADA recovery simulation [R14], IIoT resilience [R25]
	M36	Blockchain-enhanced recovery mechanisms	Blockchain for ensuring data integrity post-attack.	Record protection in ICS [R9], Restoration in energy networks [R22]
	M37	Self-healing networks for critical systems	Self-repairing networks to ensure operational continuity.	Post-attack reconfiguration in OT [11]

.

3.5.6. System Architecture-Based Protection Models

A total of five models in this category were identified across 18 studies. The most frequently referenced are those designed to secure SCADA and IoT environments against cyber threats. These models are detailed in

Table 10. CEI cybersecurity models for system architecture-based protection.

Subcategory	ID	Model	Description	Applications (Selected Studies)
SCADA and IoT security	M38	SCADA security frameworks	Models designed to protect SCADA systems from cyber threats.	SCADA network protection [R2], PLC controller security [R10], Industrial network deployment [R20, R28]
	M39	IoT/IIoT secure architecture	Security design for IoT and IIoT devices in CEIs.	Industrial IIoT security [R7], Smart grid protection [R15], SCADA system evaluation [R30, R39]
	M40	Microsegmentation techniques	Microsegmentation to minimize attack impact and contain breaches.	OT network segmentation [R5], Smart grid protection [R18], SCADA environment deployment [R26]
Blockchain for OT	M41	Blockchain-integrated security models	Blockchain-based models to ensure data integrity in OT systems.	Data validation in SCADA [R9], Energy system security [R22], Critical infrastructure protection [R37, R42]
	M42	Decentralized ledger for critical systems	Distributed ledger to secure transactions in OT networks.	Industrial network authentication [R11], Record protection in IIoT [R24], Critical data center applications [R35]

.

3.5.7. Simulation and Testing Models

A total of seven models were identified in the simulation and testing category, across 17 studies. This group highlights the development of novel techniques, ranging from cyberattack simulation to self-healing networks. These models are described in

Table 11. CEI cybersecurity models for simulation and testing.

Subcategory	ID	Model	Description	Applications (Selected Studies)
Attack simulation	M43	Cyber attack simulation platforms	Platforms for simulating cyberattacks in OT environments.	SCADA network assessment [R3], Smart grid simulations [R12], IIoT testing [R25, R31], ICS attack scenarios [R38]
	M44	AI-powered cyber range environments	AI-based testing environments to evaluate OT resilience.	Critical infrastructure testing [R7], Data center evaluation [R16], PLC attack simulations [R29, R40]
	M45	Threat emulation for OT systems	Emulation of attack tactics in OT settings.	Energy distribution system evaluation [R10], APT simulation in smart grids [R22]
Resilience testing	M46	Resilience testing with digital twins	Use of digital twins for testing OT recovery capabilities.	Energy system evaluation [R5], Smart grid simulations [R14], Industrial network testing [R25]
	M47	Automated stress testing for OT security	Automated stress testing of OT environments.	IIoT evaluation [R9], Resilience in industrial networks [R22]
	M48	Hybrid simulation frameworks for cyber-physical systems	Hybrid simulation models for evaluating resilience.	ICS attack analysis [R11], Critical infrastructure response evaluation [R24]
	M49	Self-healing networks simulation	Simulation of self-healing network behavior in OT systems.	Smart grid simulation [R15]

.

• RQ2: What energy services are covered by CEI cybersecurity models?

Analyzing CEI cybersecurity models requires identifying the energy services they address, which allows for assessing the scope of their protection strategies and identifying potential security gaps. Based on a systematic review of 52 scientific articles, 10 key services have been identified in 41 models.

Table 12. Energy services covered by CEI cybersecurity models.

ID	Energy Services	Description	Applied CEI Models
S01	Power generation	Electricity production through hydroelectric, thermal, nuclear, and renewable sources [63]	M01, M03, M04, M12, M19
S02	Energy transmission	Transport of electricity from power plants via high-voltage networks [63]	M02, M05, M06, M08, M17
S03	Energy distribution and smart grids	Delivery of electricity to end-users and implementation of smart grids for advanced management [64]	M07, M09, M10, M14, M38
S04	Energy storage	Technologies for energy storage such as batteries and pumped hydro systems [65]	M11, M13, M15, M25
S05	Demand management and energy efficiency	Systems that dynamically adjust energy consumption based on supply and demand [66]	M16, M18, M22, M35
S06	Support and control infrastructure	Control and monitoring infrastructure, including SCADA, IoT, and telecommunications [28]	M03, M17, M21, M24, M40
S07	Energy cybersecurity	Protection strategies against digital threats to critical energy systems [23]	M20, M26, M27, M35, M41
S08	Service resilience and continuity	Backup plans, recovery protocols, and contingency strategies after an attack [67]	M23, M28, M30, M46, M45
S09	Network maintenance	Inspection, upgrading, and repair of energy infrastructure [68]	M27, M29, M39, M47
S10	Emergency response and recovery	Strategies for restoring energy services after cyberattacks or disasters [69]	M30, M31, M36, M43

presents this classification, offering a structured view of how these models contribute to safeguarding the energy sector against cyber threats.

• RQ3: What technical means are considered by CEI cybersecurity models?

Critical energy infrastructures (CEIs) rely on diverse technical components for monitoring, communication, protection, and resilience against cyber threats. The increasing digitalization and IT-OT convergence have expanded the attack surface, requiring advanced solutions such as SCADA, IoT, blockchain, data analytics, and artificial intelligence. To mitigate these risks, CEI cybersecurity models have incorporated technologies enabling incident detection, response, and recovery in energy systems.

Table 13. Technical means addressed by CEI cybersecurity models.

ID	Technical Means in CEIs	Description	Applied CEI Models
MT1	Control and supervisory systems	Includes SCADA and ICS for remote monitoring and control of critical energy processes [28]	M01, M03, M04, M12
MT2	Communication and network systems	Communication infrastructure enabling secure data transmission in industrial environments, including protocols like DNP3, IEC 61850, and Modbus [6]	M02, M05, M06, M08, M17
MT3	Physical protection and resilience systems	Measures to protect energy infrastructure against physical and cyber threats, including backup and contingency systems [67]	M07, M09, M10, M14, M38
MT4	Cybersecurity systems	Platforms and tools for protection against cyberattacks, including IDS/IPS, Zero Trust, Blockchain, and access control [23]	M11, M13, M15, M25, M20
MT5	Data intelligence and threat prediction	Advanced data analytics through Big Data and AI to detect anomalies and predict threats in critical infrastructures [8]	M16, M18, M22, M23, M28
MT6	Energy integration and management technologies	Systems for optimizing smart grids, energy storage, and demand-side management, enhancing operational efficiency and security [70]	M27, M29, M39, M35, M41

presents a classification of six key technical means identified across 29 models.

• RQ4: What facilities are addressed by CEI cybersecurity models?

Critical energy infrastructures (CEIs) rely on a set of strategic facilities that ensure the generation, transmission, distribution, storage, and secure management of energy. The increasing digitalization and IT-OT convergence have enhanced operational efficiency but also expanded the attack surface, exposing these facilities to advanced cyber threats targeting their supervisory and control systems. Ensuring operational continuity and resilience against these risks requires cybersecurity models tailored to the specific characteristics and vulnerabilities of each type of facility. In this context,

Table 14. Facilities addressed by CEI cybersecurity models.

ID	CEI Facilities	Description	Applied CEI Models
I01	Power generation plants	Facilities for electricity production (hydro, thermal, nuclear, renewable), exposed to SCADA and process control attacks [63]	M01, M03, M04, M12
I02	Transmission and distribution substations	Key infrastructure for voltage transformation and power distribution, vulnerable to physical and cyberattacks [63]	M02, M05, M06, M08, M17
I03	High-voltage transmission networks	Infrastructure transporting electricity from generation plants to substations, susceptible to sabotage and DDoS attacks [28]	M07, M09, M10, M14, M38
I04	Distribution networks and smart grids	Electric grids with sensors and monitoring platforms, exposed to data manipulation and targeted cyberattacks [64]	M11, M13, M15, M25, M20
I05	Operations control centers	Facilities for real-time monitoring and operation of energy infrastructure, frequent targets of APT and ransomware attacks [23]	M16, M18, M22, M23, M28
I06	Energy storage infrastructure	Battery and pumped hydro systems vulnerable to manipulation in charge/discharge management [65]	M27, M29, M39, M35, M41
I07	Oil and gas pipelines	Infrastructure for transporting oil and gas, exposed to remote control system attacks [67]	M31, M36, M43, M46
I08	Energy refining and processing plants	Critical facilities for fuel transformation, vulnerable to attacks affecting production and distribution [71]	M30, M32, M44, M47
I09	Backup and emergency infrastructure	Contingency systems such as microgrids and generators, essential for maintaining operations during failures or attacks [69]	M23, M40, M45
I10	Smart metering and billing systems	Digital platforms and meters for consumption analysis, exposed to fraud and data manipulation [68]	M26, M33, M42

presents 10 types of facilities addressed across 42 models.

• RQ5: What algorithms are integrated into CEI cybersecurity models?

Analyzing CEI cybersecurity models requires identifying the algorithms employed in their implementation—particularly those related to Operational Technology (OT) in cybersecurity contexts. These algorithms play a central role in threat detection, prediction, and response, enabling models to adapt dynamically to emerging threats and optimize defensive capabilities.

Table 15. Algorithms in CEI models and their applications in services, technical means, and facilities.

Algorithms in CEI Cybersecurity	Applications in CEI Systems
	Applications in Energy Services	Applications in Technical Means	Applications in CEI Facilities
CNN	S01 [R11], S03 [R07], S02 [R05]	MT1 [R12], MT2 [R10]	I01 [R05], I03 [R07]
RNN	S06 [R12], S08 [R10]	MT4 [R15], MT3 [R09]	I06 [R12], I05 [R10]
LSTM	S06 [R12], S08 [R10]	MT4 [R15], MT3 [R09]	I06 [R12], I05 [R10]
RF	S09 [R03], S05 [R14]	MT6 [R22], MT5 [R27]	I09 [R14], I07 [R20]
DT	S09 [R03], S05 [R14]	MT6 [R22], MT5 [R27]	I09 [R14], I07 [R20]
AE	S03 [R07], S02 [R05]	MT1 [R12], MT2 [R10]	I03 [R07], I02 [R05]
GA	S07 [R09], S08 [R15]	MT3 [R14], MT4 [R18]	I08 [R09], I06 [R15]
XAI (SHAP, LIME)	S04 [R08], S10 [R18]	MT5 [R17], MT6 [R20]	I04 [R08], I10 [R18]
NTA	S02 [R06], S09 [R20]	MT2 [R16], MT1 [R21]	I02 [R06], I09 [R20]
BC (PoW, PoS)	S05 [R22], S08 [R30]	MT4 [R24], MT5 [R29]	I07 [R22], I08 [R30]
DRL	S07 [R25], S06 [R28]	MT3 [R31], MT2 [R33]	I06 [R25], I05 [R28]
BN	S03 [R27], S02 [R26]	MT1 [R30], MT5 [R35]	I03 [R27], I02 [R26]
GB (XGBoost, LightGBM)	S05 [R31], S04 [R35]	MT2 [R37], MT4 [R40]	I07 [R31], I04 [R35]
FL	S02 [R29], S08 [R33]	MT5 [R39], MT1 [R41]	I02 [R29], I08 [R33]
TM	S06 [R40]	MT6 [R45]	I05 [R40]

Legend of algorithms, CNN: Convolutional Neural Network; RNN: Recurrent Neural Network; LSTM: Long Short-Term Memor; RF: Random Forest; DT: Decision Trees; AE: Autoencoders; GA: Genetic Algorithms; XAI: Explainable AI; NTA: Network Traffic Analysis; BC: Blockchain; DRL: Deep Reinforcement Learning; BN: Bayesian Networks; GB: Gradient Boosting; FL: Federated Learning; TM: Transformer-based Models.

presents a detailed mapping of the most frequently used algorithms in CEI models, including their application across energy services, technical means, and infrastructure facilities.

4. Evolution of OT Models in CEI Cybersecurity

To understand how OT cybersecurity models have evolved within Critical Energy Infrastructures (CEIs), a structured method was employed, as detailed in Section 4.1. This method was implemented progressively across several phases described in Section 4.2, and the results that demonstrate this evolution are presented in Section 4.3.

4.1. Method

The methodology used to trace the evolution of OT models in CEI cybersecurity consists of the following five phases:

• Phase 1. Model inventory: OT models used in CEI cybersecurity were collected from specialized sources.
• Phase 2. Analytical aspects: Key aspects were defined to assess the evolution of the models identified in the previous phase.
• Phase 3. Temporal behavior of the models: Models were arranged in a temporal sequence for each of the analytical aspects defined.
• Phase 4. Evolutionary analysis: Changes and trends in the models over time were studied in depth.
• Phase 5. Discussion of findings: Key findings from Phase 4 were reviewed and discussed.

4.2. Development

Phase 1 was carried out in Section 3.5, where 49 OT models were identified across seven functional categories: detection, prediction, and explanation; risk management; regulation- and standards-based models; collaborative or information-sharing models; response and recovery; system architecture-based protection models; and simulation and testing. These models were extracted from 52 distinct studies. In Phase 2, four key analytical aspects were defined in relation to CEI models: energy services, technical means, CEI facilities, and algorithms.

A detailed inventory of the studies addressing CEI models across these four aspects is presented. This inventory is based on data from Table 12, Table 13, Table 14 and Table 15 and supplemented with information from Table 5, Table 6, Table 7, Table 8, Table 9, Table 10 and Table 11. Specifically, the review identified 50 studies applying CEI models to energy services, 49 studies addressing technical means, 49 studies analyzing protected critical facilities, and 50 studies exploring the use of algorithms in services, technical means, and facilities. This comprehensive analysis is summarized in

Table 16. CEI cybersecurity models used in energy services, technical means, facilities, and algorithms.

Aspect		CEI Models	Aspect		CEI Models
Services	S01	M01, M03, M04, M12, M19	Technical means	I01	M01, M03, M04, M12
	S02	M02, M05, M06, M08, M17		I02	M02, M05, M06, M08, M17
	S03	M07, M09, M10, M14, M38		I03	M07, M09, M10, M14, M38
	S04	M11, M13, M15, M25		I04	M11, M13, M15, M25, M20
	S05	M16, M18, M22, M35		I05	M16, M18, M22, M23, M28
	S06	M03, M17, M21, M24, M40		I06	M27, M29, M39, M35, M41
	S07	M20, M26, M27, M35, M41		I07	M31, M36, M43, M46
	S08	M23, M28, M30, M46, M45		I08	M30, M32, M44, M47
	S09	M27, M29, M39, M47		I09	M23, M40, M45
	S10	M30, M31, M36, M43		I10	M26, M33, M42
Facilities	MT1	M01, M03, M04, M12	Algorithms	CNN	M01, M16, M36
	MT2	M02, M05, M06, M08, M17		RNN	M02, M17, M37
	MT3	M07, M09, M10, M14, M38		LSTM	M03, M18, M38
	MT4	M11, M13, M15, M25, M20		RF	M04, M19, M39
	MT5	M16, M18, M22, M23, M28		DT	M05, M26, M34, M46
	MT6	M27, M29, M39, M35, M41		AE	M06
				GA	M07, M27, M35, M47
				XAI (SHAP, LIME)	M04, M08, M20, M30, M40
				NTA	M09, M28, M48
				BC (PoW, PoS)	M09, M10, M24, M25, M33, M45
				DRL	M11, M24, M31, M32, M44
				BN	M12, M21, M41
				GB (XGBoost, LightGBM)	M12, M13, M22, M42
				FL	M14, M23, M30, M31, M43
				TM	M15, M29, M49

, offering a structured and integrative view of how CEI cybersecurity models have been applied across the energy infrastructure domain—from power generation and distribution to the protection of critical systems and implementation of advanced technologies.

In Phase 3, the OT models were organized chronologically according to the analytical aspects. The details of this organization, along with the subsequent analysis of the evolution of OT models (Phase 4), are presented in Section 4.3. Finally, the discussion of the findings derived from Phase 4 is presented in Section 5.

4.3. Evolution of OT Models

Figure 6 presents a scatter plot that illustrates the frequency of use of services in CEIC models over the period from January 2015 to June 2024. The vertical axis lists the 10 services considered, while the horizontal axis represents the years covered by this study. Red dots positioned between the vertical lines indicate the number of studies per year, with their size being proportional to the frequency. This visual layout provides a clear and detailed representation of the evolution of service usage in CEIC models and reflects significant trends and shifts in the prioritization of services throughout the analyzed years.

Figure 7 presents a scatter plot that visualizes the frequency of use of the 9 intrusion detection and prevention services (IDS/IPS) in CEIC models during the period from January 2015 to June 2024.

Figure 8 shows a scatter plot that visualizes the frequency of use of 10 types of critical energy infrastructure facilities over the period from January 2015 to June 2024.

Figure 9 displays a scatter plot illustrating the frequency of use of 15 cybersecurity-related algorithms employed in CEIC models between January 2015 and June 2024.

5. Discussion

The systematic literature review and the analysis of the evolution of CEIC models from 2015 to 2024 have revealed key trends, technological advances, and areas of opportunity within the field of Critical Energy Infrastructure Cybersecurity (CEIC). The following subsections discuss the most relevant findings, their significance, and their implications for future research and practical applications.

5.1. Evolution of CEIC Models

The temporal analysis of CEIC models in the energy sector reveals a clear trend toward the adoption of advanced technologies—such as Artificial Intelligence (AI), Machine Learning (ML), and blockchain—to counter increasingly sophisticated cyber threats. During the early years of the analyzed period (2015–2017), most models focused primarily on intrusion detection and risk management, relying on standards such as NIST and IEC 62443. However, since 2018, there has been a significant rise in the incorporation of AI and ML techniques for anomaly detection, threat prediction, and explainable decision-making (XAI). This shift reflects the pressing need to adapt to more dynamic and sophisticated threats, such as zero-day exploits and Advanced Persistent Threats (APTs).

The integration of AI- and ML-based models has enabled greater accuracy in intrusion and anomaly detection, as well as enhanced capabilities for real-time risk prediction and mitigation. For instance, Deep Learning Intrusion Detection Systems (DL-IDS) and anomaly detection systems using autoencoders have proven effective in identifying abnormal patterns in OT networks. Furthermore, the incorporation of Explainable AI (XAI) has improved the transparency and trustworthiness of cybersecurity systems, which is essential for their adoption in critical environments.

To further illustrate the practical implications of the reviewed models and their relevance in real-world contexts, this section presents two case studies of energy infrastructures that have faced significant cyber incidents. These cases highlight how different cybersecurity approaches—ranging from AI-enhanced intrusion detection to blockchain-based integrity mechanisms—have been applied or considered to strengthen resilience against advanced threats.

Case Study 1: The cyberattacks on Ukraine’s power grid in 2015 and 2016 represent a milestone in the application of OT cybersecurity models. Intrusion detection systems based on deep learning were tested to analyze abnormal patterns in SCADA communications. These models demonstrated the importance of adaptive anomaly detection for ensuring continuity of electricity supply under conditions of persistent advanced threats.

Case Study 2: The Colonial Pipeline incident in 2021 highlighted the role of blockchain-based integrity models for securing industrial control and billing systems. The attack disrupted fuel distribution across the eastern United States, and subsequent resilience measures emphasized the application of decentralized ledgers to guarantee the immutability and traceability of operational data in critical infrastructures.

5.2. Services, Technical Means, and Facilities

Regarding energy services, CEIC models have evolved to cover a broader range of applications—from energy generation and transmission to demand-side management and operational resilience. Energy generation and transmission services remain the most studied areas, reflecting their critical importance within the energy infrastructure. However, there has also been a notable increase in attention to services such as energy storage and Smart Grids, which are becoming more vulnerable to cyberattacks due to ongoing digitalization.

In terms of technical means, control and supervision systems (SCADA/ICS) and communication networks have been the primary focus of cybersecurity models. These systems form the operational core of critical infrastructures and are prime targets for cyber threats. The incorporation of technologies such as blockchain and microsegmentation has enhanced the security of these systems by reducing the attack surface and increasing resilience against intrusions.

As for facilities, power generation plants and transmission substations have received the most protection in CEIC models. Nonetheless, there is growing interest in securing facilities such as operations control centers and smart metering systems, which are essential for continuous energy delivery and billing services.

In energy-specific scenarios, OT cybersecurity models demonstrate different levels of maturity and applicability. For instance, intrusion detection systems (IDS) based on deep learning have shown high effectiveness in power grids, where the complexity of SCADA traffic requires adaptive anomaly detection. In natural gas pipelines, blockchain-based integrity mechanisms are increasingly applied to protect transaction data and operational flows, while federated learning supports distributed monitoring without exposing sensitive information. Smart meters, on the other hand, remain highly vulnerable to fraud and data manipulation, and require lightweight AI-enhanced models capable of real-time authentication and anomaly detection.

5.3. Algorithms and Their Impact on OT Cybersecurity

Algorithms have played a pivotal role in the evolution of cybersecurity models for Operational Technology (OT). Techniques based on Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), and Deep Reinforcement Learning (DRL) have proven effective in the detection and prediction of threats. Additionally, the adoption of Federated Learning (FL) approaches has enhanced privacy and security in data exchange between entities—an essential requirement in critical infrastructure environments where inter-organizational collaboration is crucial.

The integration of Explainable Artificial Intelligence (XAI) algorithms, such as SHAP and LIME, has enabled operators of critical infrastructure to better understand the decisions made by cybersecurity systems, thus increasing trust in these technologies. Moreover, the use of blockchain has significantly improved data integrity and traceability within OT environments—an especially important feature in settings where data tampering can have catastrophic consequences.

The adoption of these models varies considerably across regions. In Europe, cybersecurity frameworks such as ENISA and IEC 62443 have facilitated the deployment of standardized models, particularly in smart grid projects. North America, by contrast, shows a strong reliance on NIST-based approaches and sector-specific regulations such as NERC CIP. In Latin America, although progress has been made in implementing AI-based models in pilot projects, the lack of harmonized regulations and limited investment in OT security create significant barriers to large-scale adoption. This regional disparity highlights the importance of developing flexible models that adapt to local regulatory and economic contexts.

5.4. Integral Relationship Between Models, Services, Technical Means, Facilities, and Algorithms in CEIC

Cybersecurity in Critical Energy Infrastructure (CEIC) requires a systemic integration across models, services, technical means, physical facilities, and algorithms. This study demonstrates that cybersecurity models—such as those focused on threat detection, risk management, or attack simulation—are closely tied to essential energy services (generation, storage, distribution). These models are implemented through enabling technologies such as SCADA, Edge/Fog Computing, and threat prediction platforms.

These technologies are deployed within critical facilities (power plants, substations, control centers), which are often the primary targets of cyberattacks. The entire cybersecurity ecosystem is enhanced by advanced algorithms (CNN, RNN, XAI, blockchain) that automate decision-making and strengthen incident response capabilities. Figure 10 illustrates this interrelational cybersecurity framework. Initially, a client or attacker initiates a transaction. This transaction is analyzed by the CEIC model, which determines whether it constitutes a cyberattack. If an attack is detected, the transaction is blocked and the event is logged for future model updates. If the transaction is deemed legitimate, it proceeds through the corresponding services, technical means, and facilities. This scheme represents a holistic, adaptive, and resilient defense architecture against evolving threats.

Finally,

Table 17. Models and their services, technical means, facilities, and algorithms for protection in CEIC.

Category	Subcategories	CEIC Models	Services	Technical Means	Facilities	Algorithms
Detection, prediction, and explanation	Intrusion detection	M01	S01, S03	MT1, MT2	I01, I03	CNN
		M02	S02, S06	MT4, MT3	I06, I05	RNN, LSTM
		M03	S03, S07	MT4, MT3	I06, I05	LSTM
		M04	S04, S08	MT6, MT5	I09, I07	RF, XAI
	Anomaly detection	M05	S05, S09	MT6, MT5	I09, I07	DT
		M06	S06, S10	MT1, MT2	I03, I02	AE
		M07	S07, S02	MT3, MT4	I08, I06	GA
		M08	S08, S04	MT5, MT6	I04, I10	XAI
	Threat prediction	M09	S09, S01	MT2, MT1	I02, I09	NTA, BC
		M10	S10, S03	MT4, MT5	I07, I08	BC
		M11	S01, S06	MT3, MT2	I06, I05	DRL
		M12	S02, S08	MT1, MT5	I03, I02	BN, GB
	Decision explanation	M13	S03, S09	MT2, MT4	I07, I04	GB
		M14	S04, S10	MT5, MT1	I02, I08	FL
		M15	S05, S07	MT6, MT2	I09, I03	TM
		M16	S06, S02	MT1, MT4	I06, I07	CNN
Risk management	Probability-based risk assessment	M17	S07, S08	MT3, MT5	I05, I04	RNN
		M18	S08, S10	MT2, MT6	I08, I02	LSTM
	Risk management frameworks	M19	S09, S01	MT1, MT3	I07, I05	RF
		M20	S10, S04	MT4, MT5	I03, I06	XAI
	Scenario-based risk analysis	M21	S01, S05	MT6, MT1	I01, I04	BN
		M22	S02, S07	MT3, MT2	I06, I09	GB
Standards-based models	Regulatory compliance	M23	S03, S08	MT5, MT4	I07, I02	FL
		M24	S04, S09	MT2, MT3	I03, I08	DRL, BC
		M25	S05, S10	MT1, MT6	I09, I06	BC
	ICS security	M26	S06, S01	MT4, MT3	I04, I07	DT
		M27	S07, S03	MT2, MT5	I02, I05	GA
Collaborative or information-sharing models	Threat intelligence	M28	S08, S05	MT6, MT4	I08, I01	NTA
		M29	S09, S07	MT1, MT2	I05, I07	TM
		M30	S10, S09	MT3, MT6	I06, I03	XAI, FL
	Data sharing platforms	M31	S01, S06	MT5, MT1	I04, I09	FL, DRL
		M32	S02, S08	MT2, MT6	I07, I06	DRL
Response and recovery	Incident response	M33	S03, S09	MT4, MT5	I05, I04	BC
		M34	S04, S10	MT6, MT1	I08, I02	DT
	Infrastructure recovery	M35	S05, S07	MT3, MT2	I07, I05	GA
		M36	S06, S02	MT5, MT4	I03, I06	CNN
		M37	S07, S08	MT2, MT3	I01, I04	RNN
Architecture-based protection	SCADA and IoT security	M38	S08, S10	MT1, MT6	I06, I09	LSTM
		M39	S09, S01	MT4, MT3	I07, I02	RF
		M40	S10, S04	MT2, MT5	I03, I08	XAI
	Blockchain for OT	M41	S01, S05	MT6, MT4	I09, I06	BN
		M42	S02, S07	MT1, MT2	I04, I07	GB
Simulation and testing	Attack simulation	M43	S03, S08	MT3, MT6	I02, I05	FL
		M44	S04, S09	MT5, MT1	I08, I01	DRL
		M45	S05, S10	MT2, MT6	I05, I07	BC
	Resilience testing	M46	S06, S01	MT4, MT5	I06, I03	DT
		M47	S07, S03	MT6, MT1	I04, I09	GA
		M48	S08, S05	MT3, MT2	I07, I06	NTA
		M49	S09, S07	MT5, MT4	I05, I04	TM

integrates the CEIC models for detection, mitigation, and recovery from cyberattacks, along with their corresponding services, technical means, facilities, and algorithms. This relationship helps to understand how each model adapts to different operational and protection scenarios (categories and subcategories), facilitating the assessment of their effectiveness in safeguarding critical energy infrastructures.

Ultimately, the link between OT cybersecurity models and the future energy transition is crucial. As renewable generation (solar, wind) and emerging hydrogen energy systems expand, the attack surface of CEIs will grow significantly due to the high number of distributed assets and interconnections. The analyzed models provide a foundation for ensuring resilience in these future systems, but they must evolve toward quantum-resilient encryption, lightweight AI algorithms for resource-constrained devices, and cross-sector collaboration to support a secure, decarbonized energy ecosystem.

6. Conclusions

This study presents a systematic and categorized review of 49 cybersecurity models applied to Critical Energy Infrastructures (CEICs), aiming to provide a comprehensive framework for the selection and implementation of protection strategies. Through a rigorous process of review, classification, and analysis, the models were organized into seven core categories: detection, prediction, and explanation (16); risk management (6); standards and regulatory frameworks (5); collaboration and information sharing (5); response and recovery (5); system architecture-based protection (5); and simulation and testing (7). These models are associated with 10 essential services within the energy infrastructure—such as power generation, transmission, and distribution—and encompass critical facilities like generation plants, substations, and control centers. One of the most significant findings is the increasing incorporation of technologies such as artificial intelligence (AI), machine learning (ML), and blockchain, which have substantially enhanced real-time threat detection, prediction, and mitigation capabilities. Unlike previous reviews, this study provides a structured organization around five analytical dimensions—services, technical means, facilities, algorithms, and temporal evolution—offering a more integrated view of the CEIC cybersecurity ecosystem. This structure facilitates adaptation to specific needs and enhances applicability in real operational contexts.

This study provides concrete answers to the five research questions posed regarding CEIC models. First, 49 distinct models were identified, evidencing a significant evolution over the past decade—from isolated and reactive approaches to integrated cybersecurity architectures—organized into seven functional categories. Among these, threat detection models have shown prominent development toward hybrid, intelligent, and adaptive solutions. Second, regarding the protected energy services, the scope of models has evolved from a generation-centric focus to a broader approach that includes transmission, distribution, smart grids, and storage systems—reflecting the sector’s digital transformation. Third, in terms of technical means, the field has shifted from a heavy reliance on legacy SCADA systems toward the progressive incorporation of emerging technologies, such as edge computing, fog computing, and encrypted communication protocols, enabling more robust real-time security and resilience. Fourth, concerning critical facilities, cybersecurity efforts have expanded from traditional protection of power generation plants to a systemic view that includes automated substations and intelligent control centers, addressing the rise in attack vectors across the entire energy value chain. Fifth, in the domain of algorithms, a clear transition was observed—from traditional methods to advanced AI techniques—with a growing emphasis on deep learning and, more recently, federated learning, significantly improving proactive threat detection and automated incident response.

This study was limited to articles indexed in WoS, Scopus, IEEE Xplore, and MDPI repositories, covering the period from January 2015 to June 2024 and restricted to publications in English. Another limitation identified in the reviewed models is the limited consideration of robustness and sensitivity analyses, which constrains the understanding of their performance under varying conditions. Future work could extend this research to include other repositories and non-English sources.

Based on this analysis, five key challenges are identified for strengthening cybersecurity in CEIC:

• CEIC models for heterogeneous and legacy OT environments: Many operational systems were not originally designed with cybersecurity in mind, posing a major challenge. Adaptive solutions are required to secure legacy environments without compromising operability [44].
• CEIC models supporting multiple standards: The lack of standardized, interoperable frameworks hinders broader adoption. While the NIST Framework is widely used in the U.S., regions such as Europe follow ENISA guidelines. This underlines the need for multi-standard-supportive models.
• Sophisticated cyber threats: Current models still show limitations in addressing advanced persistent threats (APTs) and zero-day attacks.
• Emerging risks from quantum computing and IIoT hyperconnectivity: The expansion of the Industrial Internet of Things (IIoT) and the advent of quantum computing enlarge the attack surface and challenge traditional cryptographic mechanisms. Proactive models must incorporate quantum-resilient encryption and lightweight protection schemes.
• Limited integration of emerging technologies: Despite their potential, technologies like blockchain and federated learning are still underutilized in CEIC models. The challenge lies in designing architecture that ensures secure, interoperable, and scalable integration.

This review contributes more than a descriptive synthesis by proposing a structured taxonomy of 49 OT cybersecurity models, organized into seven categories and five analytical dimensions. By integrating these perspectives, the study delivers a clear and replicable framework that supports comparative analysis, enhances transparency in systematic reviews, and provides actionable guidance for strengthening the cybersecurity of energy infrastructures in practice.