Article

Evolution of Artificial Intelligence-Based OT Cybersecurity Models in Energy Infrastructures: Services, Technical Means, Facilities and Algorithms

by Hipolito M. Rodriguez-Casavilca 1, David Mauricio 1 and Juan M. Mauricio Villanueva 2,*
1 Faculty of Systems and Informatics Engineering, Universidad Nacional Mayor de San Marcos, Lima 15081, Peru
2 Electrical Engineering Department, Federal University of Paraíba, Joao Pessoa 58051-900, Brazil
* Author to whom correspondence should be addressed.
Energies 2025, 18(19), 5163; https://doi.org/10.3390/en18195163
Submission received: 10 August 2025 / Revised: 14 September 2025 / Accepted: 18 September 2025 / Published: 28 September 2025

Abstract

Critical energy infrastructures (CEIs) are fundamental pillars for economic and social development. However, their accelerated digitalization and the convergence between operational technologies (OTs) and information technologies (ITs) have increased their exposure to advanced cyber threats. This study examines the evolution of OT cybersecurity models with artificial intelligence in the energy sector between 2015 and 2024, through a systematic literature review following a four-phase method (planning, development, results, and analysis). To this end, we answer the following questions about the aspects of CEI cybersecurity models: What models exist? What energy services, technical means, and facilities do they encompass? And what algorithms do they include? From an initial set of 1195 articles, 52 studies were selected, which allowed us to identify 49 cybersecurity models classified into seven functional categories: detection, prediction and explanation; risk management; regulatory compliance; collaboration; response and recovery; architecture-based protection; and simulation. These models are related to 10 energy services, 6 technical means, 10 types of critical facilities, and 15 AI algorithms applied transversally. Furthermore, the integrated and systemic relationship of these study aspects has been identified in an IT-OT cybersecurity model for CEIs. The results show a transition from conventional approaches to solutions based on machine learning, deep learning, federated learning, and blockchain. Algorithms such as CNN, RNN, DRL, XAI, and FL are highlighted, which enhance proactive detection and operational resilience. A broader coverage is also observed, ranging from power plants to smart grids. Finally, five key challenges are identified: legacy OT environments, lack of interoperability, advanced threats, emerging IIoT and quantum computing risks, and low adoption of emerging technologies.

1. Introduction

Critical energy infrastructures (CEIs) are essential for economic and social development, ensuring the continuous supply of energy to key sectors such as transportation, healthcare, communications, and industry. Over the past decade, these systems have undergone a significant transformation driven by increasing demand, the depletion of conventional energy sources, and inefficiencies in energy distribution. Innovations such as smart grids and the Internet of Energy (IoE) have emerged, promoting decentralization, distributed storage, and intelligent energy management through information and communication technologies (ICTs) [1]. However, this modernization has also increased the vulnerability of CEIs to cyber threats by expanding the attack surface and making them prime targets for adversaries seeking to disrupt operations. Ensuring cybersecurity in these infrastructures is critical to maintaining operational continuity and preventing serious economic and societal consequences, especially in a constantly evolving threat landscape that demands proactive and resilient approaches.
Cybersecurity in critical energy infrastructures (CEI) is becoming increasingly essential in an environment characterized by growing interconnectivity and reliance on advanced technologies. The integration of ICT into industrial control systems has improved operational efficiency but has also significantly heightened exposure to cyberattacks with potentially devastating impacts on national and economic security. Notable incidents such as the cyberattacks on Ukraine’s power grid (2015 and 2016) and the Colonial Pipeline (2021) underscore the severe consequences of such threats. Recent reports reveal that 90% of organizations using industrial control systems (ICS) have experienced security breaches, with data theft being the most pressing concern [2]. Moreover, economic losses from these attacks amount to hundreds of millions of dollars annually [3]. Emerging technologies such as smart grids and the IoE have broadened the attack surface, making systems more susceptible to sophisticated threats. In this context, the adoption of advanced cybersecurity strategies—such as artificial intelligence (AI), machine learning (ML), and zero-trust architectures—is crucial for real-time anomaly detection, proactive incident response, and ensuring operational resilience. Coordinated efforts among governments, organizations, and industry stakeholders are essential to mitigate risks and protect these critical infrastructures in the face of increasingly complex threats.
The convergence of information technologies (IT) and operational technologies (OT) in CEIs has transformed the cybersecurity landscape by integrating traditionally isolated systems into interconnected networks. IT-OT cybersecurity models aim to ensure operational resilience against cyber threats through innovative approaches. For instance, the hierarchical cyber-physical security model structures protection layers to detect and mitigate vulnerabilities in SCADA networks [4]. Similarly, blockchain-based models ensure data integrity in critical transactions, reinforcing the protection of substations against denial-of-service attacks [5]. Another important approach is the Software-Defined Networking (SDN) model, which dynamically segments traffic between IT and OT networks, optimizing real-time threat detection [6]. Additionally, hybrid models that combine predictive analytics and machine learning enable the simulation of attacks and the evaluation of mitigation strategies in critical environments [7].
Key dimensions of IT-OT cybersecurity models include services, technical means, facilities, and algorithms. In terms of services, federated learning enhances distributed anomaly detection while preserving data privacy across energy networks [8]. Centralized monitoring platforms also support efficient incident management through predictive analytics [9]. Regarding technical means, edge computing technologies have significantly improved local threat detection capabilities by reducing response latency [6]. Moreover, advanced sensors with secure protocols have increased the resilience of smart grids [10].
Critical facilities such as substations and smart grids have adopted blockchain technologies to ensure data integrity and operational security [11]. Hierarchical impact assessment models have also been applied to mitigate risks in SCADA systems [12]. Finally, advanced algorithms have revolutionized threat detection. Deep neural networks and autoencoders can identify anomalous patterns in imbalanced datasets, while metaheuristic optimization algorithms offer efficient solutions for real-time cyberattack mitigation [13].
The convergence of IT-OT and artificial intelligence (AI) in CEIs has redefined the cybersecurity landscape, demanding models that comprehensively address vulnerabilities across services, technical infrastructure, facilities, and algorithms. Regarding services, intrusion detection and prevention systems (IDS/IPS) have significantly evolved through deep learning integration, enabling threat prioritization and real-time incident response [7,14]. For technical infrastructure, edge and fog computing technologies have enhanced responsiveness by processing data close to the source, reducing latency and enabling efficient monitoring in SCADA systems and smart grids [6,15]. As for facilities, substations and electric grids have implemented blockchain to ensure data integrity and defend against targeted cyberattacks, minimizing operational impact [4,11]. In terms of algorithms, deep neural networks and autoencoders have improved anomaly detection in complex datasets, bolstering protection against emerging and sophisticated threats [16]. Within this context, the research question emerges: How have IT-OT cybersecurity models for critical energy infrastructures evolved between 2015 and 2024? Addressing this question is essential to understanding how IT-OT integration has enhanced cybersecurity capabilities, improved attack prevention, and ensured operational continuity throughout this period.
The aim of this study is to analyze the evolution of AI-enhanced IT-OT cybersecurity models in the CEI sector from 2015 to 2024, with the objective of identifying key achievements and remaining challenges. This analysis will provide critical infrastructure security managers and operators with clear guidance on how to optimize their cybersecurity strategies in response to emerging threats, thereby strengthening the protection of vital systems. Furthermore, this study will offer researchers in the cybersecurity field a fresh perspective on the evolution of IT-OT models, serving as a solid foundation for future research and the development of novel defense approaches for critical infrastructures.
The main contributions of this article are: (a) to provide an overview of IT-OT cybersecurity models, detailing their concepts, classifications, and relevance in protecting critical energy infrastructure, along with key dimensions of analysis; (b) to offer an exhaustive inventory of models and technologies implemented in the energy sector to enhance cybersecurity, spanning from traditional solutions to emerging technologies such as AI and blockchain; and (c) to highlight the evolution of OT models from 2015 to 2024, emphasizing the major advances in defense mechanisms against cyber threats and how these strategies have enhanced the resilience of critical infrastructures.
This article is structured into six sections. Section 2 reviews cybersecurity in critical energy infrastructures. Section 3 presents a systematic review of OT cybersecurity models in CEIs. Section 4 analyzes the evolution of OT models from 2015 to 2024, identifying key advances and achievements. Finally, Section 5 and Section 6 discuss the findings and present the conclusions of the study, respectively.

2. Cybersecurity in Critical Energy Infrastructures (CEIs)

2.1. Origin and Importance

Cybersecurity in critical energy infrastructures emerged as a key discipline in response to the growing digitalization of control and operational systems within energy networks. The convergence of information technologies (IT) and operational technologies (OT) has increased vulnerabilities, exposing critical infrastructures—such as those in energy, transportation, and water—to sophisticated cyberattacks [1]. The transition to smart grids and the Industrial Internet of Things (IIoT) has exponentially expanded the attack surface, creating an urgent need to reinforce cybersecurity measures [17]. This transformation has led to the development of regulatory frameworks and standards such as the NIST Cybersecurity Framework and ENISA guidelines.
Cybersecurity in CEIs is fundamental to ensuring the continuity of electricity supply and preventing disruptions to essential services. Recent attacks, such as those on Ukraine’s power grid (2015 and 2016) and the Colonial Pipeline (2021), have demonstrated the vulnerability of OT systems to coordinated cyber threats aimed at destabilizing national economies and societal functions [18]. These incidents highlight the need for proactive cybersecurity approaches that incorporate advanced systems for real-time threat detection and mitigation [19].

2.2. Standards and Regulations

Critical energy infrastructures operate under stringent regulatory frameworks that include international standards such as ISO/IEC 27001:2017 [20], NERC CIP, and the NIST SP 800-82 guidelines. These frameworks provide directives for the protection of industrial control systems (ICS) and SCADA, covering areas such as risk management, network segmentation, and data protection (ISO, 2017). Additionally, ENISA has issued specific recommendations for smart grids, emphasizing the need to strengthen device authentication and enhance intrusion detection capabilities [21].

2.3. Dimensions of CEI Cybersecurity Research

CEI cybersecurity is a crucial domain for ensuring operational resilience against sophisticated cyber threats. Within this context, it is essential to address five fundamental aspects: models, services, technical means, facilities, and algorithms, as shown in Figure 1. These components enable a comprehensive response to the challenges posed by the digitalization and convergence of OT and IT systems.
  • IT-OT Models represent integrated approaches that connect IT and OT systems to reinforce cybersecurity in critical infrastructures, facilitating threat detection, mitigation, and proactive incident response. A notable example is the Software Defined Networking (SDN) model, which enables dynamic traffic segmentation between IT and OT systems, enhancing real-time security and reducing the attack surface in SCADA networks [6].
  • CEI Services include capabilities such as real-time intrusion detection, predictive monitoring, and automated response systems, which enhance operational resilience by enabling timely threat identification and management. A concrete example is the use of federated learning in smart grids, which supports distributed anomaly detection while preserving data privacy [8].
  • Technical Means encompass advanced technologies such as edge and fog computing, which process data close to its origin, reducing latency and increasing the effectiveness of cybersecurity measures in SCADA systems. For instance, edge computing has enabled the deployment of real-time monitoring systems in critical substations, significantly improving response speed to cyber incidents [15].
  • Facilities refer to critical physical environments such as smart grids and substations that have adopted advanced sensors and blockchain technologies to ensure operational integrity against cyber threats. An example includes the implementation of blockchain technologies in smart grids to prevent tampering and ensure real-time transaction security [4].
  • Algorithms have seen remarkable advancements, particularly in deep learning and autoencoders, which allow the detection of complex anomalies in imbalanced datasets, thereby strengthening the protection of industrial systems. A relevant case is the use of convolutional neural networks (CNNs) combined with hybrid models to accurately classify threats in SCADA systems [16].
The original contribution of this study lies in the development of a comprehensive taxonomy of 49 OT cybersecurity models, systematically classified into seven functional categories and analyzed through five complementary dimensions: energy services, technical means, critical facilities, applied algorithms, and evolutionary period. This structured framework not only synthesizes the literature but also provides a novel lens for understanding the progression of cybersecurity models in critical energy infrastructures, offering value to both academic researchers and energy practitioners.

3. Systematic Review of IT-OT Cybersecurity Models in CEIs

This section presents a systematic literature review on IT-OT cybersecurity models applied to critical energy infrastructures (CEIs), following a four-phase methodology encompassing planning, execution, results, and analysis.

3.1. Methodology

The methodology for the systematic literature review (SLR) was based on an adaptation of the guidelines proposed by Kitchenham & Charters (2007), structured into four phases. This methodology has been applied in various reviews related to CEI cybersecurity, including those by [22,23,24,25,26,27]. The phases are described as follows:
A. Planning: This phase establishes the research questions and the search and selection protocol, which includes journal sources, search period, search strings, and inclusion and exclusion criteria.
B. Execution: The search protocol is applied, and articles are selected to answer the research questions.
C. Results: Statistical data are compiled and presented regarding the selected studies, including publication trends, quality, and distribution.
D. Analysis: The research questions defined in the planning phase are answered based on the selected literature.

3.2. Planning

To investigate how cybersecurity models for CEIs have evolved, the following research questions (RQs) were formulated:
RQ1: What types of CEI cybersecurity models exist?
RQ2: What energy services are addressed by these models?
RQ3: What technical means are considered in these models?
RQ4: What types of facilities are protected by these models?
RQ5: What algorithms are integrated into these models?
To answer these questions, scientific journal articles were retrieved from the following academic databases: Scopus, Web of Science (WoS), IEEE Xplore, and MDPI. The review covered the period from January 2015 to June 2024, beginning with 2015 as it marks the emergence of the first CEI cybersecurity models. The search string used was: [(model OR “operational technology”) AND cybersecurity AND “artificial intelligence”]. This string was applied to the following fields: “Title-Abs-Key” for Scopus, “Topic” for WoS, “ALL” for IEEE Xplore, and “Title/Keyword” for MDPI. The syntax of the string was adapted as necessary for each database’s search engine. Once the articles were retrieved, inclusion and exclusion criteria were applied, as defined in Table 1.

3.3. Execution

The primary studies identified as potential references during the search process were selected based on the inclusion and exclusion criteria defined earlier. It was essential to review the content of these potential references to assess their relevance to the present study and, specifically, to determine whether they addressed models applicable to CEIs. Most articles were excluded for being outside the scope of this research—for instance, focusing on cybersecurity in generic enterprise networks, assessing vulnerabilities in consumer IoT devices, or addressing unrelated topics such as personal data privacy.
The search protocol defined during the planning phase initially identified 1693 primary studies, distributed as follows: 1195 from Scopus, 382 from Web of Science (WoS), 65 from IEEE Xplore, and 51 from MDPI. During the selection process and following the inclusion and exclusion criteria, an initial filtering by title yielded 299 articles. A second screening based on abstracts reduced the number to 98 articles. Subsequently, a detailed review of introductions and conclusions led to the selection of 71 articles. Finally, after a full-text review, 52 articles were retained. This selection process is illustrated in Figure 2, and the selected articles are listed in Column 4 of Table 2. Table A1 in Appendix A presents the basic information and identification of the 52 selected articles [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62], from [R01] to [R52].

3.4. Results

3.4.1. Potential Articles

A total of 1693 potential articles were identified through the search process, from which 52 studies were selected. These represent approximately 3% of the total and are presented in Table 2.

3.4.2. Publication Trends

Figure 3 illustrates a consistent increase in the number of published articles addressing CEI cybersecurity models over the period 2018 to 2024. This upward trend likely reflects the growing recognition among researchers and professionals of the importance of modeling and cybersecurity in critical infrastructures, particularly within the energy sector. Furthermore, as shown in Figure 2, the first relevant study in this domain appeared in 2018.

3.4.3. Journals and Articles by Quartile

Figure 4 presents the journals in which the selected articles were published, indicating their respective quartile rankings and the number of articles per journal. The most prominent journals are IEEE Access and the Internet of Things Journal, with six and four articles, respectively. Additionally, 25 journals were grouped under the category “Others,” each contributing one selected article. In total, 34 journals were represented: 24 in Q1, 5 in Q2, 4 in Q3, and 1 in Q4.
With respect to the quality ranking of the journals, 71% (37) of the selected articles were published in Q1 journals, and 17% (9) in Q2 journals, meaning that 88% of the studies were published in top-tier journals (Q1 and Q2) (see Figure 5). This highlights the high quality of the selected studies. Additionally, 2% of the articles fall into a separate category, representing non-indexed publications (brown segment).

3.4.4. Study Classification

Table 3 presents the classification of the 52 selected studies according to the five analytical dimensions, which correspond directly to the research questions. It is important to note that several studies contribute to more than one category. As observed, 25% of the studies focus on algorithms for CEI cybersecurity, while 23% of the studies pertain to each of the following dimensions: services, technical means, and facilities. This indicates a relatively balanced interest across all five research dimensions. Appendix A provides a comprehensive overview of the 52 selected articles, as presented in Table A1. This appendix links each article’s unique identifier (ID) to its corresponding reference number, ensuring traceability between the list of analyzed studies and the reference list [R01] to [R52].

3.5. Analysis

This section addresses the research questions formulated in Section 3.2, based on the selected studies.
  • RQ1: What types of CEI cybersecurity models exist?
The selected studies did not identify a standardized taxonomy for CEI cybersecurity models. However, the influential book by [1] provides a foundational framework for understanding CEI cybersecurity, highlighting key elements such as the relevance of international standards (ISO/IEC and NIST), inter-institutional collaboration, and risk management, which may contribute to building a comprehensive taxonomy. Developing a robust classification system is essential to facilitate systematic analysis and conceptual clarity. Accordingly, this study proposes a new taxonomy for CEI cybersecurity models. It consists of seven categories, which incorporate the most relevant and current approaches in the field. This taxonomy provides a structured basis for future research and practical applications and is detailed in Table 4.
Beyond the descriptive taxonomy, a comparative analysis reveals key differences among the seven categories of models. Detection and prediction models are highly applicable in practice due to their integration with SCADA and smart grid environments, but their scalability depends strongly on computational resources. Risk management and standards-based models demonstrate high maturity, as they are widely adopted in regulatory frameworks, yet their applicability can be limited by regional compliance requirements. Collaborative and information-sharing models remain less mature, facing challenges of interoperability and trust, while architecture-based protection and simulation models offer strong scalability potential but are still underexplored in real deployments. This comparison highlights how applicability, scalability, and maturity vary across categories, providing guidance for selecting models aligned with specific operational needs.
The proposed taxonomy, which organizes cybersecurity models into seven categories, is based on the following rationale. First, it provides comprehensive coverage by addressing technical, organizational, and regulatory aspects—from threat detection to operational resilience. Second, it enables specific and in-depth analysis within each category. Finally, it combines theoretical rigor with clear practical applications, making it valuable to researchers, industry professionals, and policymakers by incorporating standards, compliance frameworks, and collaborative models.

3.5.1. Detection, Prediction, and Explanation Models

A total of 16 models were identified across 49 studies, distributed among three subcategories: 8 detection models, cited in 32 studies; 4 prediction models, appearing in 16 studies; and 4 explanation models, also in 16 studies. Detection models primarily focus on identifying intrusions and anomalies; prediction models aim to anticipate cyber threats; and explanation models seek to justify system decisions, enhancing transparency and trust. Table 5 details the characteristics of each model. It is worth noting that some studies apply more than one type of model, which is why the per-subcategory study counts exceed the total of 49.

3.5.2. Risk Management Models

A total of six risk management models were identified across 18 studies, each applied to a distinct case study. These models are described in Table 6.

3.5.3. Standards-Based Models

A total of five models categorized under standards and compliance were identified across 15 studies, each corresponding to a distinct use case. These models are detailed in Table 7.

3.5.4. Collaborative and Information Sharing Models

A total of five models within the category of collaborative or information-sharing frameworks were identified across 15 studies, each corresponding to a distinct case. These models are presented in Table 8.

3.5.5. Incident Response and Recovery Models

A total of five models were identified within the incident response and recovery category, across 10 studies. The most referenced approach involves digital twins used to simulate and recover OT systems following cyberattacks. These models are detailed in Table 9.

3.5.6. System Architecture-Based Protection Models

A total of five models in this category were identified across 18 studies. The most frequently referenced are those designed to secure SCADA and IoT environments against cyber threats. These models are detailed in Table 10.

3.5.7. Simulation and Testing Models

A total of seven models were identified in the simulation and testing category, across 17 studies. This group highlights the development of novel techniques, ranging from cyberattack simulation to self-healing networks. These models are described in Table 11.
  • RQ2: What energy services are covered by CEI cybersecurity models?
Analyzing CEI cybersecurity models requires identifying the energy services they address, which allows for assessing the scope of their protection strategies and identifying potential security gaps. Based on a systematic review of 52 scientific articles, 10 key services have been identified in 41 models. Table 12 presents this classification, offering a structured view of how these models contribute to safeguarding the energy sector against cyber threats.
  • RQ3: What technical means are considered by CEI cybersecurity models?
Critical energy infrastructures (CEIs) rely on diverse technical components for monitoring, communication, protection, and resilience against cyber threats. The increasing digitalization and IT-OT convergence have expanded the attack surface, requiring advanced solutions such as SCADA, IoT, blockchain, data analytics, and artificial intelligence. To mitigate these risks, CEI cybersecurity models have incorporated technologies enabling incident detection, response, and recovery in energy systems. Table 13 presents a classification of six key technical means identified across 29 models.
  • RQ4: What facilities are addressed by CEI cybersecurity models?
Critical energy infrastructures (CEIs) rely on a set of strategic facilities that ensure the generation, transmission, distribution, storage, and secure management of energy. The increasing digitalization and IT-OT convergence have enhanced operational efficiency but also expanded the attack surface, exposing these facilities to advanced cyber threats targeting their supervisory and control systems. Ensuring operational continuity and resilience against these risks requires cybersecurity models tailored to the specific characteristics and vulnerabilities of each type of facility. In this context, Table 14 presents 10 types of facilities addressed across 42 models.
  • RQ5: What algorithms are integrated into CEI cybersecurity models?
Analyzing CEI cybersecurity models requires identifying the algorithms employed in their implementation—particularly those related to Operational Technology (OT) in cybersecurity contexts. These algorithms play a central role in threat detection, prediction, and response, enabling models to adapt dynamically to emerging threats and optimize defensive capabilities. Table 15 presents a detailed mapping of the most frequently used algorithms in CEI models, including their application across energy services, technical means, and infrastructure facilities.

4. Evolution of OT Models in CEI Cybersecurity

To understand how OT cybersecurity models have evolved within Critical Energy Infrastructures (CEIs), a structured method was employed, as detailed in Section 4.1. This method was implemented progressively across several phases described in Section 4.2, and the results that demonstrate this evolution are presented in Section 4.3.

4.1. Method

The methodology used to trace the evolution of OT models in CEI cybersecurity consists of the following five phases:
  • Phase 1. Model inventory: OT models used in CEI cybersecurity were collected from specialized sources.
  • Phase 2. Analytical aspects: Key aspects were defined to assess the evolution of the models identified in the previous phase.
  • Phase 3. Temporal behavior of the models: Models were arranged in a temporal sequence for each of the analytical aspects defined.
  • Phase 4. Evolutionary analysis: Changes and trends in the models over time were studied in depth.
  • Phase 5. Discussion of findings: Key findings from Phase 4 were reviewed and discussed.

4.2. Development

Phase 1 was carried out in Section 3.5, where 49 OT models were identified across seven functional categories: detection, prediction, and explanation; risk management; regulation- and standards-based models; collaborative or information-sharing models; response and recovery; system architecture-based protection models; and simulation and testing. These models were extracted from 52 distinct studies. In Phase 2, four key analytical aspects were defined in relation to CEI models: energy services, technical means, CEI facilities, and algorithms.
A detailed inventory of the studies addressing CEI models across these four aspects is presented. This inventory is based on data from Table 12, Table 13, Table 14 and Table 15 and supplemented with information from Table 5, Table 6, Table 7, Table 8, Table 9, Table 10 and Table 11. Specifically, the review identified 50 studies applying CEI models to energy services, 49 studies addressing technical means, 49 studies analyzing protected critical facilities, and 50 studies exploring the use of algorithms in services, technical means, and facilities. This comprehensive analysis is summarized in Table 16, offering a structured and integrative view of how CEI cybersecurity models have been applied across the energy infrastructure domain—from power generation and distribution to the protection of critical systems and implementation of advanced technologies.
In Phase 3, the OT models were organized chronologically according to the analytical aspects. The details of this organization, along with the subsequent analysis of the evolution of OT models (Phase 4), are presented in Section 4.3. Finally, the discussion of the findings derived from Phase 4 is presented in Section 5.

4.3. Evolution of OT Models

Figure 6 presents a scatter plot that illustrates the frequency of use of services in CEIC models over the period from January 2015 to June 2024. The vertical axis lists the 10 services considered, while the horizontal axis represents the years covered by this study. Red dots positioned between the vertical lines indicate the number of studies per year, with their size being proportional to the frequency. This visual layout provides a clear and detailed representation of the evolution of service usage in CEIC models and reflects significant trends and shifts in the prioritization of services throughout the analyzed years.
Figure 7 presents a scatter plot that visualizes the frequency of use of the 9 intrusion detection and prevention services (IDS/IPS) in CEIC models during the period from January 2015 to June 2024.
Figure 8 shows a scatter plot that visualizes the frequency of use of 10 types of critical energy infrastructure facilities over the period from January 2015 to June 2024.
Figure 9 displays a scatter plot illustrating the frequency of use of 15 cybersecurity-related algorithms employed in CEIC models between January 2015 and June 2024.

5. Discussion

The systematic literature review and the analysis of the evolution of CEIC models from 2015 to 2024 have revealed key trends, technological advances, and areas of opportunity within the field of Critical Energy Infrastructure Cybersecurity (CEIC). The following subsections discuss the most relevant findings, their significance, and their implications for future research and practical applications.

5.1. Evolution of CEIC Models

The temporal analysis of CEIC models in the energy sector reveals a clear trend toward the adoption of advanced technologies—such as Artificial Intelligence (AI), Machine Learning (ML), and blockchain—to counter increasingly sophisticated cyber threats. During the early years of the analyzed period (2015–2017), most models focused primarily on intrusion detection and risk management, relying on standards such as NIST and IEC 62443. However, since 2018, there has been a significant rise in the incorporation of AI and ML techniques for anomaly detection, threat prediction, and explainable decision-making (XAI). This shift reflects the pressing need to adapt to more dynamic and sophisticated threats, such as zero-day exploits and Advanced Persistent Threats (APTs).
The integration of AI- and ML-based models has enabled greater accuracy in intrusion and anomaly detection, as well as enhanced capabilities for real-time risk prediction and mitigation. For instance, Deep Learning Intrusion Detection Systems (DL-IDS) and anomaly detection systems using autoencoders have proven effective in identifying abnormal patterns in OT networks. Furthermore, the incorporation of Explainable AI (XAI) has improved the transparency and trustworthiness of cybersecurity systems, which is essential for their adoption in critical environments.
To further illustrate the practical implications of the reviewed models and their relevance in real-world contexts, this section presents two case studies of energy infrastructures that have faced significant cyber incidents. These cases highlight how different cybersecurity approaches—ranging from AI-enhanced intrusion detection to blockchain-based integrity mechanisms—have been applied or considered to strengthen resilience against advanced threats.
Case Study 1: The cyberattacks on Ukraine’s power grid in 2015 and 2016 represent a milestone in the application of OT cybersecurity models. Intrusion detection systems based on deep learning were tested to analyze abnormal patterns in SCADA communications. These models demonstrated the importance of adaptive anomaly detection for ensuring continuity of electricity supply under conditions of persistent advanced threats.
Case Study 2: The Colonial Pipeline incident in 2021 highlighted the role of blockchain-based integrity models for securing industrial control and billing systems. The attack disrupted fuel distribution across the eastern United States, and subsequent resilience measures emphasized the application of decentralized ledgers to guarantee the immutability and traceability of operational data in critical infrastructures.

5.2. Services, Technical Means, and Facilities

Regarding energy services, CEIC models have evolved to cover a broader range of applications—from energy generation and transmission to demand-side management and operational resilience. Energy generation and transmission services remain the most studied areas, reflecting their critical importance within the energy infrastructure. However, there has also been a notable increase in attention to services such as energy storage and Smart Grids, which are becoming more vulnerable to cyberattacks due to ongoing digitalization.
In terms of technical means, control and supervision systems (SCADA/ICS) and communication networks have been the primary focus of cybersecurity models. These systems form the operational core of critical infrastructures and are prime targets for cyber threats. The incorporation of technologies such as blockchain and microsegmentation has enhanced the security of these systems by reducing the attack surface and increasing resilience against intrusions.
As for facilities, power generation plants and transmission substations have received the most protection in CEIC models. Nonetheless, there is growing interest in securing facilities such as operations control centers and smart metering systems, which are essential for continuous energy delivery and billing services.
In energy-specific scenarios, OT cybersecurity models demonstrate different levels of maturity and applicability. For instance, intrusion detection systems (IDS) based on deep learning have shown high effectiveness in power grids, where the complexity of SCADA traffic requires adaptive anomaly detection. In natural gas pipelines, blockchain-based integrity mechanisms are increasingly applied to protect transaction data and operational flows, while federated learning supports distributed monitoring without exposing sensitive information. Smart meters, on the other hand, remain highly vulnerable to fraud and data manipulation, and require lightweight AI-enhanced models capable of real-time authentication and anomaly detection.
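The federated setting described above for pipeline monitoring, as an added example rather than code from the paper or any reviewed study: two hypothetical compressor stations each train a small logistic-regression anomaly classifier on their own constructed sensor records and send only model parameters to a coordinator, which averages them weighted by sample count (FedAvg). Site names, features, records and hyperparameters are all constructed.

```python
import math
from dataclasses import dataclass

# Constructed records: (pressure_deviation, command_rate) scaled to [0, 1];
# label 1 = known anomalous, 0 = normal. Not taken from any real dataset.
SITE_DATA = {
    "compressor_station_A": [
        ((0.10, 0.10), 0), ((0.20, 0.00), 0), ((0.00, 0.20), 0), ((0.15, 0.10), 0),
        ((0.90, 0.80), 1), ((0.80, 0.90), 1),
    ],
    "compressor_station_B": [
        ((0.05, 0.15), 0), ((0.20, 0.20), 0), ((0.10, 0.00), 0),
        ((0.70, 0.90), 1), ((0.95, 0.70), 1), ((0.85, 0.85), 1),
    ],
}
# Constructed hold-out records the coordinator uses to evaluate the global model.
HOLDOUT = [((0.10, 0.10), 0), ((0.20, 0.15), 0), ((0.90, 0.90), 1), ((0.80, 0.95), 1)]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


@dataclass
class Model:
    w: list          # one weight per feature
    b: float = 0.0   # bias

    def predict_proba(self, x) -> float:
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)


def local_train(start: Model, data, epochs: int, lr: float) -> Model:
    """Full-batch gradient descent on one site's own records.
    Only the resulting parameters leave the site; the records never do."""
    w, b = list(start.w), start.b
    n = len(data)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * len(w), 0.0
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j, xj in enumerate(x):
                grad_w[j] += err * xj / n
            grad_b += err / n
        w = [wj - lr * gj for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b
    return Model(w, b)


def fed_avg(updates) -> Model:
    """updates: list of (Model, n_samples). Sample-count-weighted parameter mean."""
    total = sum(n for _, n in updates)
    n_features = len(updates[0][0].w)
    w = [sum(m.w[j] * n for m, n in updates) / total for j in range(n_features)]
    b = sum(m.b * n for m, n in updates) / total
    return Model(w, b)


def federated_training(site_data, rounds=30, local_epochs=20, lr=0.5) -> Model:
    """Coordinator loop: broadcast the global model, collect each site's
    locally trained parameters, average them, repeat."""
    n_features = len(next(iter(site_data.values()))[0][0])
    global_model = Model([0.0] * n_features, 0.0)
    for _ in range(rounds):
        updates = [(local_train(global_model, records, local_epochs, lr), len(records))
                   for records in site_data.values()]
        global_model = fed_avg(updates)
    return global_model


def accuracy(model: Model, data) -> float:
    hits = sum(int((model.predict_proba(x) >= 0.5) == bool(y)) for x, y in data)
    return hits / len(data)


if __name__ == "__main__":
    m = federated_training(SITE_DATA)
    print("global weights", [round(v, 3) for v in m.w], "bias", round(m.b, 3))
    print("hold-out accuracy", accuracy(m, HOLDOUT))
```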

5.3. Algorithms and Their Impact on OT Cybersecurity

Algorithms have played a pivotal role in the evolution of cybersecurity models for Operational Technology (OT). Techniques based on Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), and Deep Reinforcement Learning (DRL) have proven effective in the detection and prediction of threats. Additionally, the adoption of Federated Learning (FL) approaches has enhanced privacy and security in data exchange between entities—an essential requirement in critical infrastructure environments where inter-organizational collaboration is crucial.
The integration of Explainable Artificial Intelligence (XAI) algorithms, such as SHAP and LIME, has enabled operators of critical infrastructure to better understand the decisions made by cybersecurity systems, thus increasing trust in these technologies. Moreover, the use of blockchain has significantly improved data integrity and traceability within OT environments—an especially important feature in settings where data tampering can have catastrophic consequences.
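To make concrete what a SHAP-style explanation gives an operator, the following added example (not code from the paper or from the reviewed studies) computes exact Shapley values for a small hypothetical anomaly score over four constructed SCADA-transaction features. With only four features every coalition can be enumerated, which is what SHAP approximates for larger models.

```python
from itertools import combinations
from math import factorial

# Constructed feature set: each value is a SCADA transaction's deviation from
# its learned baseline, scaled so that 0.0 is typical and 1.0 is far outside it.
FEATURES = ("write_rate", "register_range", "new_src_ip", "off_hours")
BASELINE = {name: 0.0 for name in FEATURES}   # reference point: typical traffic


def anomaly_score(x: dict) -> float:
    """Hypothetical anomaly score standing in for a trained detector.

    Deliberately non-additive: a new source address during off-hours weighs
    more than the two signals separately. Per-feature weights alone cannot
    explain such a score, which is why Shapley attribution is used."""
    additive = (0.4 * x["write_rate"] + 0.3 * x["register_range"]
                + 0.2 * x["new_src_ip"] + 0.1 * x["off_hours"])
    interaction = 0.5 * x["new_src_ip"] * x["off_hours"]
    return additive + interaction


def shapley_values(f, x: dict, baseline: dict) -> dict:
    """Exact Shapley values of f at x relative to baseline.

    For each feature i: weighted average over all coalitions S (i not in S)
    of f(S + i) - f(S), where features outside the coalition take their
    baseline value. The values sum to f(x) - f(baseline)."""
    names = list(x)
    n = len(names)

    def evaluate(coalition):
        row = {k: (x[k] if k in coalition else baseline[k]) for k in names}
        return f(row)

    phi = {}
    for name in names:
        others = [m for m in names if m != name]
        total = 0.0
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                coalition = set(subset)
                total += weight * (evaluate(coalition | {name}) - evaluate(coalition))
        phi[name] = total
    return phi


def explain_alert(x: dict, threshold: float = 0.5) -> dict:
    """Verdict plus ranked feature contributions, the view shown next to a
    blocked transaction so the operator can see what drove the decision."""
    score = anomaly_score(x)
    phi = shapley_values(anomaly_score, x, BASELINE)
    ranked = sorted(phi.items(), key=lambda kv: -abs(kv[1]))
    return {
        "score": round(score, 4),
        "blocked": score >= threshold,
        "contributions": [(name, round(v, 4)) for name, v in ranked],
    }


if __name__ == "__main__":
    # Constructed alert: modest write rate, but an unknown source at night.
    alert = {"write_rate": 0.2, "register_range": 0.0, "new_src_ip": 1.0, "off_hours": 1.0}
    print(explain_alert(alert))
```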
The adoption of these models varies considerably across regions. In Europe, cybersecurity frameworks such as ENISA and IEC 62443 have facilitated the deployment of standardized models, particularly in smart grid projects. North America, by contrast, shows a strong reliance on NIST-based approaches and sector-specific regulations such as NERC CIP. In Latin America, although progress has been made in implementing AI-based models in pilot projects, the lack of harmonized regulations and limited investment in OT security create significant barriers to large-scale adoption. This regional disparity highlights the importance of developing flexible models that adapt to local regulatory and economic contexts.

5.4. Integral Relationship Between Models, Services, Technical Means, Facilities, and Algorithms in CEIC

Cybersecurity in Critical Energy Infrastructure (CEIC) requires a systemic integration across models, services, technical means, physical facilities, and algorithms. This study demonstrates that cybersecurity models—such as those focused on threat detection, risk management, or attack simulation—are closely tied to essential energy services (generation, storage, distribution). These models are implemented through enabling technologies such as SCADA, Edge/Fog Computing, and threat prediction platforms.
These technologies are deployed within critical facilities (power plants, substations, control centers), which are often the primary targets of cyberattacks. The entire cybersecurity ecosystem is enhanced by advanced algorithms (CNN, RNN, XAI, blockchain) that automate decision-making and strengthen incident response capabilities. Figure 10 illustrates this interrelational cybersecurity framework. Initially, a client or attacker initiates a transaction. This transaction is analyzed by the CEIC model, which determines whether it constitutes a cyberattack. If an attack is detected, the transaction is blocked and the event is logged for future model updates. If the transaction is deemed legitimate, it proceeds through the corresponding services, technical means, and facilities. This scheme represents a holistic, adaptive, and resilient defense architecture against evolving threats.
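The Figure 10 loop as runnable code, added here and not taken from the paper or any reviewed study: a simple per-asset baseline detector stands in for the CEIC model, blocked events are logged for operator review and fed back into the baseline, and legitimate transactions are routed to their service, technical means and facility. All transactions, host and asset names and thresholds are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    src: str               # originating host (operator client or attacker)
    service: str           # energy service, e.g. "distribution"
    technical_means: str   # e.g. "SCADA"
    facility: str          # e.g. "substation_12"
    function: str          # protocol operation, e.g. "write_register"
    writes_per_min: float  # the observed feature the model scores


@dataclass
class CEICModel:
    """Stand-in for the CEIC model of Figure 10: a per-(facility, function)
    baseline of write rates plus the log of blocked events kept for review."""
    window: int = 50          # recent legitimate samples kept per asset
    z_threshold: float = 3.0  # standard deviations from baseline before a block
    min_samples: int = 5      # no verdict until a baseline exists
    history: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_log: list = field(default_factory=list)

    def score(self, tx: Transaction) -> float:
        """Distance of the write rate from this asset's recent legitimate traffic."""
        hist = self.history[(tx.facility, tx.function)]
        if len(hist) < self.min_samples:
            return 0.0                       # cold start: nothing to compare against
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0.0:                     # constant baseline: any change is maximal
            return 0.0 if tx.writes_per_min == mu else float("inf")
        return abs(tx.writes_per_min - mu) / sigma

    def learn(self, tx: Transaction) -> None:
        """Only traffic that passed, or was confirmed benign, updates the baseline."""
        hist = self.history[(tx.facility, tx.function)]
        hist.append(tx.writes_per_min)
        if len(hist) > self.window:
            hist.popleft()

    def decide(self, tx: Transaction) -> str:
        """The verdict step of Figure 10."""
        z = self.score(tx)
        if z >= self.z_threshold:
            self.blocked_log.append({"tx": tx, "z": z})  # kept for future model update
            return "blocked"
        self.learn(tx)
        return "passed"

    def apply_review(self, benign_indices) -> int:
        """The model-update arrow of Figure 10: blocked entries an operator confirmed
        benign are fed back into the baseline; the rest stay logged as evidence."""
        kept, relearned = [], 0
        for i, entry in enumerate(self.blocked_log):
            if i in benign_indices:
                self.learn(entry["tx"])
                relearned += 1
            else:
                kept.append(entry)
        self.blocked_log = kept
        return relearned


def route(tx: Transaction) -> str:
    """Where a legitimate transaction proceeds: service, technical means, facility."""
    return f"{tx.service}/{tx.technical_means}/{tx.facility}"


def run(model: CEICModel, transactions) -> list:
    """Feed transactions through the loop; one verdict string per transaction."""
    verdicts = []
    for tx in transactions:
        verdict = model.decide(tx)
        verdicts.append(verdict if verdict == "blocked" else f"passed:{route(tx)}")
    return verdicts


def demo_traffic() -> list:
    """Constructed traffic: ten routine write bursts from the operator HMI, one
    flood of writes from an unknown host, then routine traffic again."""
    asset = dict(service="distribution", technical_means="SCADA",
                 facility="substation_12", function="write_register")
    routine = [9, 10, 11, 10, 9, 11, 10, 10, 9, 11]
    txs = [Transaction(src="hmi-01", writes_per_min=r, **asset) for r in routine]
    txs.append(Transaction(src="10.0.9.77", writes_per_min=60, **asset))
    txs.append(Transaction(src="hmi-01", writes_per_min=10, **asset))
    return txs


if __name__ == "__main__":
    model = CEICModel()
    for tx, verdict in zip(demo_traffic(), run(model, demo_traffic())):
        print(f"{tx.src:>10} {tx.writes_per_min:>5} -> {verdict}")
    print("blocked events awaiting operator review:", len(model.blocked_log))
```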
Finally, Table 17 integrates the CEIC models for detection, mitigation, and recovery from cyberattacks, along with their corresponding services, technical means, facilities, and algorithms. This relationship helps to understand how each model adapts to different operational and protection scenarios (categories and subcategories), facilitating the assessment of their effectiveness in safeguarding critical energy infrastructures.
Ultimately, the link between OT cybersecurity models and the future energy transition is crucial. As renewable generation (solar, wind) and emerging hydrogen energy systems expand, the attack surface of CEIs will grow significantly due to the high number of distributed assets and interconnections. The analyzed models provide a foundation for ensuring resilience in these future systems, but they must evolve toward quantum-resilient encryption, lightweight AI algorithms for resource-constrained devices, and cross-sector collaboration to support a secure, decarbonized energy ecosystem.

6. Conclusions

This study presents a systematic and categorized review of 49 cybersecurity models applied to Critical Energy Infrastructures (CEICs), aiming to provide a comprehensive framework for the selection and implementation of protection strategies. Through a rigorous process of review, classification, and analysis, the models were organized into seven core categories: detection, prediction, and explanation (16); risk management (6); standards and regulatory frameworks (5); collaboration and information sharing (5); response and recovery (5); system architecture-based protection (5); and simulation and testing (7). These models are associated with 10 essential services within the energy infrastructure—such as power generation, transmission, and distribution—and encompass critical facilities like generation plants, substations, and control centers. One of the most significant findings is the increasing incorporation of technologies such as artificial intelligence (AI), machine learning (ML), and blockchain, which have substantially enhanced real-time threat detection, prediction, and mitigation capabilities. Unlike previous reviews, this study provides a structured organization around five analytical dimensions—services, technical means, facilities, algorithms, and temporal evolution—offering a more integrated view of the CEIC cybersecurity ecosystem. This structure facilitates adaptation to specific needs and enhances applicability in real operational contexts.
This study provides concrete answers to the five research questions posed regarding CEIC models. First, 49 distinct models were identified, evidencing a significant evolution over the past decade—from isolated and reactive approaches to integrated cybersecurity architectures—organized into seven functional categories. Among these, threat detection models have shown prominent development toward hybrid, intelligent, and adaptive solutions. Second, regarding the protected energy services, the scope of models has evolved from a generation-centric focus to a broader approach that includes transmission, distribution, smart grids, and storage systems—reflecting the sector’s digital transformation. Third, in terms of technical means, the field has shifted from a heavy reliance on legacy SCADA systems toward the progressive incorporation of emerging technologies, such as edge computing, fog computing, and encrypted communication protocols, enabling more robust real-time security and resilience. Fourth, concerning critical facilities, cybersecurity efforts have expanded from traditional protection of power generation plants to a systemic view that includes automated substations and intelligent control centers, addressing the rise in attack vectors across the entire energy value chain. Fifth, in the domain of algorithms, a clear transition was observed—from traditional methods to advanced AI techniques—with a growing emphasis on deep learning and, more recently, federated learning, significantly improving proactive threat detection and automated incident response.
This study was limited to articles indexed in WoS, Scopus, IEEE Xplore, and MDPI repositories, covering the period from January 2015 to June 2024 and restricted to publications in English. Another limitation identified in the reviewed models is the limited consideration of robustness and sensitivity analyses, which constrains the understanding of their performance under varying conditions. Future work could extend this research to include other repositories and non-English sources.
Based on this analysis, five key challenges are identified for strengthening cybersecurity in CEIC:
  • CEIC models for heterogeneous and legacy OT environments: Many operational systems were not originally designed with cybersecurity in mind, posing a major challenge. Adaptive solutions are required to secure legacy environments without compromising operability [44].
  • CEIC models supporting multiple standards: The lack of standardized, interoperable frameworks hinders broader adoption. While the NIST Framework is widely used in the U.S., regions such as Europe follow ENISA guidelines. This underlines the need for multi-standard-supportive models.
  • Sophisticated cyber threats: Current models still show limitations in addressing advanced persistent threats (APTs) and zero-day attacks.
  • Emerging risks from quantum computing and IIoT hyperconnectivity: The expansion of the Industrial Internet of Things (IIoT) and the advent of quantum computing enlarge the attack surface and challenge traditional cryptographic mechanisms. Proactive models must incorporate quantum-resilient encryption and lightweight protection schemes.
  • Limited integration of emerging technologies: Despite their potential, technologies like blockchain and federated learning are still underutilized in CEIC models. The challenge lies in designing architectures that ensure secure, interoperable, and scalable integration.
This review contributes more than a descriptive synthesis by proposing a structured taxonomy of 49 OT cybersecurity models, organized into seven categories and five analytical dimensions. By integrating these perspectives, the study delivers a clear and replicable framework that supports comparative analysis, enhances transparency in systematic reviews, and provides actionable guidance for strengthening the cybersecurity of energy infrastructures in practice.

Author Contributions

Methodology, H.M.R.-C., D.M. and J.M.M.V.; Formal analysis, H.M.R.-C., D.M. and J.M.M.V.; Investigation, H.M.R.-C., D.M. and J.M.M.V. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the Universidad Nacional Mayor de San Marcos—RR N° 005446-2025-R/UNMSM and project number C25201251.

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Acknowledgments

The authors thank the reviewers for their valuable comments, which helped to improve the article.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Studies Included in the Review

Table A1 presents the basic information and identification of the 52 selected articles. Additionally, it displays the correspondence between article identification codes and their respective numerical reference citations.
Table A1. Selected articles.
Id.  Reference  RC
[R01]  Wazid et al. (2024)  [29]
[R02]  Ghadi et al. (2024)  [30]
[R03]  Mengara et al. (2024)  [31]
[R04]  Clark et al. (2024)  [32]
[R05]  Verma et al. (2024)  [33]
[R06]  Jithish et al. (2023)  [34]
[R07]  Bhardwaj et al. (2024)  [35]
[R08]  Ahakonye et al. (2024)  [13]
[R09]  Gueye et al. (2023)  [36]
[R10]  Sulaiman et al. (2023)  [14]
[R11]  Salvi et al. (2022)  [9]
[R12]  Houmb et al. (2023)  [37]
[R13]  Bouramdane (2023)  [38]
[R14]  Dari et al. (2023)  [39]
[R15]  Gaskova et al. (2023)  [8]
[R16]  Mall et al. (2023)  [5]
[R17]  Santoso et al. (2024)  [40]
[R18]  Zolanvari et al. (2023)  [6]
[R19]  Figueroa-Lorenzo et al. (2020)  [41]
[R20]  Al-Hawawreh et al. (2021)  [42]
[R21]  Shalaginov et al. (2021)  [43]
[R22]  Chehri et al. (2021)  [7]
[R23]  Calabrese et al. (2023)  [44]
[R24]  Raval et al. (2024)  [45]
[R25]  Sarker et al. (2020)  [46]
[R26]  Yamin et al. (2021)  [47]
[R27]  Schmitt (2023)  [4]
[R28]  Mezzina et al. (2021)  [10]
[R29]  Khosravy et al. (2024)  [48]
[R30]  Salam et al. (2023)  [49]
[R31]  Shalaginov et al. (2021)  [28]
[R32]  Bhandari et al. (2023)  [50]
[R33]  Ahmad et al. (2022)  [15]
[R34]  Mogollón-Gutiérrez et al. (2023)  [51]
[R35]  Tareq et al. (2022)  [52]
[R36]  Abir et al. (2021)  [17]
[R37]  Salvi et al. (2022)  [9]
[R38]  Muna et al. (2023)  [53]
[R39]  Cvitic et al. (2022)  [11]
[R40]  Shtayat et al. (2023)  [54]
[R41]  Laskurain-Iturbe et al. (2021)  [55]
[R42]  Imran et al. (2024)  [56]
[R43]  Laghari et al. (2021)  [57]
[R44]  Payne et al. (2019)  [58]
[R45]  Alzahrani & Aldhyani (2023)  [19]
[R46]  Motwakel et al. (2023)  [59]
[R47]  Falco et al. (2018)  [18]
[R48]  Zhu et al. (2019)  [12]
[R49]  Mahmoodi et al. (2023)  [60]
[R50]  Bhardwaj et al. (2020)  [61]
[R51]  Oliveira et al. (2023)  [62]
[R52]  Maghrabi et al. (2023)  [16]
Table A2. Details of the complete search strings for each database.
Id.  Source  Search string
1  Scopus  TITLE-ABS-KEY ((model OR “operational Technology”) AND cybersecurity AND “artificial intelligence”) AND PUBYEAR > 2014 AND PUBYEAR < 2025 AND LIMIT-TO (DOCTYPE, “ar”)
2  WoS  TOPIC: (model OR ‘operational Technology’) AND cybersecurity AND ‘artificial intelligence’
3  IEEE Xplore  ALL: (model OR “operational Technology”) AND cybersecurity AND “artificial intelligence” AND “critical infrastructure”
4  MDPI  Title/Keyword: (model OR “operational technology”) AND cybersecurity AND “artificial intelligence”

References

  1. Leszczyna, R. Cybersecurity in the Electricity Sector: Managing Critical Infrastructure; Springer Nature: Cham, Switzerland, 2019.
  2. ESET. ESET Security Report 2023: El Panorama de la Seguridad en las Empresas de América Latina. 2023. Available online: https://www.welivesecurity.com/es/informes/eset-security-report-2023-seguridad-empresas-america-latina/ (accessed on 9 September 2025).
  3. Deloitte & Fortinet. Cybersecurity in Critical Infrastructures: Risks, Strategies, and Solutions. 2020. Available online: https://www.deloitte.com/global/en/services/risk-advisory/perspectives/cybersecurity-insights-budgets-benchmarks-financial-services-institutions.html (accessed on 9 September 2025).
  4. Schmitt, M. Securing the digital world: Protecting smart infrastructures and digital industries with artificial intelligence (AI)-enabled malware and intrusion detection. J. Ind. Inf. Integr. 2023, 36, 100520.
  5. Mall, R.; Abhishek, K.; Manimurugan, S.; Shankar, A.; Kumar, A. Stacking ensemble approach for DDoS attack detection in software-defined cyber–physical systems. Comput. Electr. Eng. 2023, 107, 108635.
  6. Zolanvari, M.; Yang, Z.; Khan, K.; Jain, R.; Meskin, N. TRUST XAI: Model-agnostic explanations for AI with a case study on IIoT security. IEEE Internet Things J. 2023, 10, 2967–2978.
  7. Chehri, A.; Fofana, I.; Yang, X. Security risk modeling in smart grid critical infrastructures in the era of big data and artificial intelligence. Sustainability 2021, 13, 3196.
  8. Gaskova, D.; Galperova, E. Decision support in the analysis of cyber situational awareness of energy facilities. Eng. Proc. 2023, 33, 31.
  9. Salvi, A.; Spagnoletti, P.; Noori, N.S. Cyber-resilience of critical cyber infrastructures: Integrating digital twins in the electric power ecosystem. Comput. Secur. 2022, 112, 102507.
  10. Mezzina, G.; Annese, V.F.; De Venuto, D. A cybersecure P300-based brain-to-computer interface against noise-based and fake P300 cyberattacks. Sensors 2021, 21, 8280.
  11. Cvitic, I.; Perakovic, D.; Gupta, B.B.; Choo, K.K.R. Boosting-based DDoS detection in Internet of Things systems. IEEE Internet Things J. 2022, 9, 2109–2123.
  12. Zhu, Q.; Qin, Y.; Zhou, C.; Fei, L. Hierarchical flow model-based impact assessment of cyberattacks for critical infrastructures. IEEE Syst. J. 2019, 13, 3944–3955.
  13. Ahakonye, L.A.C.; Nwakanma, C.I.; Lee, J.M.; Kim, D.-S. Machine learning explainability for intrusion detection in the industrial internet of things. IEEE Internet Things Mag. 2024, 7, 68–74.
  14. Sulaiman, A.; Nagu, B.; Kaur, G.; Karuppaiah, P.; Alshahrani, H.; Al Reshan, M.S.; AlYami, S.; Shaikh, A. Artificial intelligence-based secured power grid protocol for smart city. Sensors 2023, 23, 8016.
  15. Ahmad, W.; Rasool, A.; Javed, A.R.; Baker, T.; Jalil, Z. Cyber security in IoT-based cloud computing: A comprehensive survey. Electronics 2022, 11, 16.
  16. Maghrabi, L.A.; Alzahrani, I.R.; Alsalman, D.; AlKubaisy, Z.M.; Hamed, D.; Ragab, M. Golden jackal optimization with a deep learning-based cybersecurity solution in industrial internet of things systems. Electronics 2023, 12, 4091.
  17. Abir, S.M.A.A.; Anwar, A.; Choi, J.; Kayes, A.S.M. IoT-enabled smart energy grid: Applications and challenges. IEEE Access 2021, 9, 50961–50981.
  18. Falco, G.J. Cybersecurity for Urban Critical Infrastructure. Ph.D. Dissertation, Massachusetts Institute of Technology, Cambridge, MA, USA, 2018. Available online: http://hdl.handle.net/1721.1/118226 (accessed on 9 September 2025).
  19. Alzahrani, A.; Aldhyani, T.H.H. Design of efficient based artificial intelligence approaches for sustainable cyber security in smart industrial control system. Sustainability 2023, 15, 8076.
  20. ISO/IEC 27001:2017; Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO/IEC: Geneva, Switzerland, 2017. Available online: https://www.iso.org/standard/54534.html (accessed on 9 September 2025).
  21. ENISA. Good Practices for Security of Internet of Things in the Context of Critical Information Infrastructures. European Union Agency for Cybersecurity (ENISA). 2018. Available online: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot (accessed on 9 September 2025).
  22. Bravo, S.; Mauricio, D. Systematic review of aspects of DDoS attacks detection. Indones. J. Electr. Eng. Comput. Sci. 2019, 14, 155–168.
  23. Cybersecurity and Infrastructure Security Agency (CISA). Cybersecurity Best Practices for Control Centers. U.S. Department of Homeland Security. 2024. Available online: https://www.cisa.gov/topics/cybersecurity-best-practices (accessed on 12 February 2025).
  24. Kheddar, H.; Himeur, Y.; Awad, A.I. Deep transfer learning for intrusion detection in industrial control networks: A comprehensive review. J. Netw. Comput. Appl. 2023, 220, 103760.
  25. Liu, Y.; Li, S.; Wang, X.; Xu, L. A review of hybrid cyber threats modelling and detection using artificial intelligence in IIoT. Comput. Model. Eng. Sci. 2024, 140, 1233–1261.
  26. Mohan, P.V.; Dixit, S.; Gyaneshwar, A.; Chadha, U.; Srinivasan, K.; Seo, J.T. Leveraging computational intelligence techniques for defensive deception: A review, recent advances, open problems and future directions. Sensors 2022, 22, 2194.
  27. Pavon, W.; Jaramillo, M.; Vasquez, J.C. A review of modern computational techniques and their role in power system stability and control. Energies 2024, 17, 177.
  28. Stocker, A.; de Meer, H. A Tutorial on Resilience in Smart Grids. arXiv 2023, arXiv:2308.15923.
  29. Wazid, M.; Singh, J.; Das, A.K.; Rodrigues, J.J.P.C. An ensemble-based machine learning-envisioned intrusion detection in industry 5.0-driven healthcare applications. IEEE Trans. Consum. Electron. 2024, 70, 1903–1912.
  30. Yasin Ghadi, Y.; Mazhar, T.; Aurangzeb, K.; Haq, I.; Shahzad, T.; Ali Laghari, A.; Shahid Anwar, M. Security risk models against attacks in smart grid using big data and artificial intelligence. PeerJ Comput. Sci. 2024, 10, e1840.
  31. Mengara, A.G.M.; Yoo, Y.; Leung, V.C.M. IoTSecUT: Uncertainty-based hybrid deep learning approach for superior IoT security amidst evolving cyber threats. IEEE Internet Things J. 2024, 11, 27715–27731.
  32. Clark, G.W.; Andel, T.R.; McDonald, J.T.; Johnsten, T.; Thomas, T. Detection and defense of cyberattacks on the machine learning control of robotic systems. J. Def. Model. Simul. 2024, 21, 181–203.
  33. Verma, P.; Breslin, J.G.; O’Shea, D.; Mehta, N.; Bharot, N.; Vidyarthi, A. Leveraging gametic heredity in oversampling techniques to handle class imbalance for efficient cyberthreat detection in IIoT. IEEE Trans. Consum. Electron. 2024, 70, 1940–1951.
  34. Jithish, J.; Alangot, B.; Mahalingam, N.; Yeo, K.S. Distributed anomaly detection in smart grids: A federated learning-based approach. IEEE Access 2023, 11, 7157–7179.
  35. Bhardwaj, S.; Dave, M. Attack detection and mitigation using intelligent attack graph model for forensic in IoT networks. Telecommun. Syst. 2024, 85, 601–621.
  36. Gueye, T.; Wang, Y.; Rehman, M.; Mushtaq, R.T.; Zahoor, S. A novel method to detect cyber-attacks in IoT/IIoT devices on the Modbus protocol using deep learning. Clust. Comput. 2023, 26, 2947–2973.
  37. Houmb, S.H.; Iversen, F.; Ewald, R.; Færaas, E. Intelligent risk-based cybersecurity protection for industrial systems control—A feasibility study. SPE J. 2023, 28, 3272–3279.
  38. Bouramdane, A.-A. Cyberattacks in smart grids: Challenges and solving the multi-criteria decision-making for cybersecurity options, including ones that incorporate artificial intelligence, using an analytical hierarchy process. J. Cybersecur. Priv. 2023, 3, 662–705.
  39. Dari, S.S.; Thool, K.U.; Deshpande, Y.D.; Aush, M.G.; Patil, V.D.; Bendale, S.P. Neural networks and cyber resilience: Deep insights into AI architectures for robust security framework. J. Electr. Syst. 2023, 19, 78–95.
  40. Santoso, F.; Finn, A. An in-depth examination of artificial intelligence-enhanced cybersecurity in robotics, autonomous systems, and critical infrastructures. IEEE Trans. Serv. Comput. 2024, 17, 1293–1310.
  41. Figueroa-Lorenzo, S.; Añorga, J.; Arrizabalaga, S. A survey of IIoT protocols: A measure of vulnerability risk analysis based on CVSS. ACM Comput. Surv. 2020, 53, 44.
  42. Al-Hawawreh, M.; Moustafa, N.; Garg, S.; Hossain, M.S. Deep learning-enabled threat intelligence scheme in the Internet of Things networks. IEEE Trans. Netw. Sci. Eng. 2021, 8, 2968–2981.
  43. Shalaginov, A.; Azad, M.A. Securing resource-constrained IoT nodes: Towards intelligent microcontroller-based attack detection in distributed smart applications. Future Internet 2021, 13, 272.
  44. Calabrese, A.; Costa, R.; Tiburzi, L.; Brem, A. Merging two revolutions: A human-artificial intelligence method to study how sustainability and Industry 4.0 are intertwined. Technol. Forecast. Soc. Change 2023, 188, 122265.
  45. Raval, K.J.; Jadav, N.K.; Rathod, T.; Tanwar, S.; Vimal, V.; Yamsani, N. A survey on safeguarding critical infrastructures: Attacks, AI security, and future directions. Int. J. Crit. Infrastruct. Prot. 2024, 44, 100647.
  46. Sarker, I.H.; Abushark, Y.B.; Alsolami, F.; Khan, A.I. IntruDTree: A machine learning based cyber security intrusion detection model. Symmetry 2020, 12, 754.
  47. Yamin, M.M.; Ullah, M.; Ullah, H.; Katt, B. Weaponized AI for cyber attacks. J. Inf. Secur. Appl. 2021, 57, 102722.
  48. Khosravy, M.; Gupta, N.; Pasquali, A.; Dey, N.; Crespo, R.G.; Witkowski, O. Human-collaborative artificial intelligence along with social values in Industry 5.0: A survey of the state-of-the-art. IEEE Trans. Cogn. Dev. Syst. 2024, 16, 165–176.
  49. Salam, A.; Ullah, F.; Amin, F.; Abrar, M. Deep learning techniques for web-based attack detection in Industry 5.0: A novel approach. Technologies 2023, 11, 107.
  50. Bhandari, G.; Lyth, A.; Shalaginov, A.; Gronli, T.-M. Distributed deep neural-network-based middleware for cyber-attacks detection in smart IoT ecosystem: A novel framework and performance evaluation approach. Electronics 2023, 12, 298.
  51. Mogollón-Gutiérrez, O.; Núñez, J.C.S.; Vegas, M.A.; Lindo, A.C. A novel ensemble learning system for cyberattack classification. Intell. Autom. Soft Comput. 2023, 37, 1691–1709.
  52. Tareq, I.; Elbagoury, B.M.; El-Regaily, S.; El-Horbaty, E.S.M. Analysis of ToN-IoT, UNW-NB15, and Edge-IIoT datasets using DL in cybersecurity for IoT. Appl. Sci. 2022, 12, 9572.
  53. Muna, R.K.; Hossain, M.I.; Alam, M.G.R.; Hassan, M.M.; Ianni, M.; Fortino, G. Demystifying machine learning models of massive IoT attack detection with Explainable AI for sustainable and secure future smart cities. Internet Things 2023, 24, 100919.
  54. Shtayat, M.M.; Hasan, M.K.; Sulaiman, R.; Islam, S.; Khan, A.U.R. An explainable ensemble deep learning approach for intrusion detection in Industrial Internet of Things. IEEE Access 2023, 11, 115047–115061.
  55. Laskurain-Iturbe, I.; Arana-Landín, G.; Landeta-Manzano, B.; Uriarte-Gallastegi, N. Exploring the influence of industry 4.0 technologies on the circular economy. J. Clean. Prod. 2021, 321, 128944.
  56. Imran, M.; Appice, A.; Malerba, D. Evaluating realistic adversarial attacks against machine learning models for Windows PE malware detection. Future Internet 2024, 16, 168.
  57. Laghari, S.U.A.; Manickam, S.; Al-Ani, A.K.; Ul Rehman, S.; Karuppayah, S. SECS/GEMsec: A mechanism for detection and prevention of cyber-attacks on SECS/GEM communications in Industry 4.0 landscape. IEEE Access 2021, 9, 154380–154394.
  58. Payne, E.K.; Qian, W.; Lu, S.L.; Wu, L.C. Technical risk synthesis and mitigation strategies of distributed energy resources integration with wireless sensor networks and internet of things—Review. J. Eng.-JOE 2019, 2019, 4830–4835.
  59. Motwakel, A.; Alrowais, F.; Tarmissi, K.; Marzouk, R.; Mohamed, A.; Zamani, A.S.; Yaseen, I.; Eldesouki, M.I. Enhanced crow search with deep learning-based cyberattack detection in SDN-IoT environment. Intell. Autom. Soft Comput. 2023, 36, 3157–3173.
  60. Mahmoodi, A.B.Z.; Sheikhi, S.; Peltonen, E.; Kostakos, P. Autonomous federated learning for distributed intrusion detection systems in public networks. IEEE Access 2023, 11, 121325–121339.
  61. Bhardwaj, A.; Al-Turjman, F.; Kumar, M.; Stephan, T.; Mostarda, L. Capturing-the-invisible (CTI): Behavior-based attacks recognition in IoT-oriented industrial control systems. IEEE Access 2020, 8, 104956–104966.
  62. Oliveira, M.; Chauhan, S.; Pereira, F.; Felgueiras, C.; Carvalho, D. Blockchain protocols and edge computing targeting industry 5.0 needs. Sensors 2023, 23, 9174.
  63. International Energy Agency (IEA). Electricity Generation and Electricity Transmission and Distribution. 2024. Available online: https://www.iea.org/ (accessed on 12 February 2025).
  64. National Association of Regulatory Utility Commissioners [NARUC]. Smart Grids and Energy Distribution. Publications. 2024. Available online: https://www.naruc.org/ (accessed on 12 February 2025).
  65. U.S. Department of Energy [DOE]. Energy Storage. Office of Energy Efficiency & Renewable Energy. 2024. Available online: https://www.energy.gov/ (accessed on 9 September 2025).
  66. Lawrence Berkeley National Laboratory [LBNL]. Demand Response. 2024. Available online: https://buildings.lbl.gov/demand-response (accessed on 12 February 2025).
  67. Moura, J.; Hutchison, D. Resilience Enhancement at Edge Cloud Systems. arXiv 2022, arXiv:2205.08997. [Google Scholar] [CrossRef]
  68. Institute of Electrical and Electronics Engineers [IEEE]. Smart Metering and Cybersecurity. 2024. Available online: https://ieeexplore.ieee.org/Xplore/home.jsp (accessed on 12 February 2025).
  69. Federal Emergency Management Agency [FEMA]. Emergency Energy Backup Systems. U.S. Department of Homeland Security. 2024. Available online: https://www.fema.gov/ (accessed on 12 February 2025).
  70. Jain, S.; Lakshmi, V.; Srivathsa, R. IoT and OT Security Handbook: Assess Risks, Manage Vulnerabilities, and Monitor Threats with Microsoft Defender for IoT; Packt Publishing: Birmingham, UK, 2023; Available online: https://books.google.com.pe/books?id=39qzEAAAQBAJ (accessed on 9 September 2025).
  71. Industrial Cybersecurity Center [CCI]. Cybersecurity Risks in Refining and Energy Processing Plants. 2024. Available online: https://www.cci-es.org/ (accessed on 12 February 2025).
Figure 1. Key Dimensions of Cybersecurity in Critical Energy Infrastructures.
Figure 2. Flowchart of the article selection process.
Figure 3. Temporal perspective of publications on CEI cybersecurity models.
Figure 4. Articles by Journal.
Figure 5. Articles by Quality Factor.
Figure 6. Evolution of services in CEIC models. * until June.
Figure 7. Evolution of technical means in CEIC models. * until June.
Figure 8. Evolution of facilities in CEIC models. * until June.
Figure 9. Evolution of algorithms in CEIC models. * until June.
Figure 10. Systemic integration of functional and defensive components in an IT-OT cybersecurity model for CEIC.
Table 1. Inclusion and exclusion criteria.
Selection Criteria | Exclusion Criteria
Primary research articles | Studies related to sectors other than energy, such as healthcare, education, finance, agriculture, or tourism.
Address at least one of the research questions | Studies that do not apply AI techniques, such as machine learning or neural networks.
Document type: Article | Studies that address cybersecurity in a general manner without focusing on critical infrastructures.
Language: English | Studies on IoT, big data, blockchain, virtual reality, or quantum computing that do not involve critical infrastructure protection.
Publication period: 2015–2024 |
Table 2. Number of potentially eligible studies and selected studies.
Source | # Potentially Eligible Studies | # Selected Studies | Identification Codes
Scopus | 1195 | 21 | [R01]–[R21]
WoS | 382 | 25 | [R22]–[R46]
IEEE Xplore | 65 | 4 | [R47]–[R50]
MDPI | 51 | 2 | [R51]–[R52]
Total | 1693 | 52 | [R01]–[R52]
# indicates the quantity.
Table 3. Classification of studies in the systematic literature review according to the key dimensions of an integrated IT-OT model for CEIs.
RQ | Dimension | Scopus | WoS | IEEE | MDPI | Total
RQ1 | IT-OT models | [R1]–[R2], [R6], [R10], [R19]–[R21] | [R37], [R41] | [R47]–[R48] | | 11
RQ2 | Services | [R3]–[R4], [R11] | [R22]–[R23], [R26]–[R27], [R30], [R40], [R42] | [R49]–[R50] | | 12
RQ3 | Technical means | [R5], [R8], [R16] | [R24]–[R25], [R28], [R31]–[R32], [R36], [R40], [R42], [R46] | | | 12
RQ4 | Facilities | [R7], [R9], [R12], [R18] | [R33], [R38]–[R39], [R42]–[R44] | [R48], [R50] | | 12
RQ5 | Algorithms | [R13]–[R15], [R17] | [R25], [R29], [R34]–[R35], [R42], [R45] | [R50] | [R51]–[R52] | 13
Total (without duplication) | | 21 | 25 | 4 | 2 |
Table 4. Taxonomy of cybersecurity models for Critical Energy Infrastructures (CEIs).
Category | Description | Subcategory | Description | Selected Studies
Detection, prediction, and explanation | Use of AI and ML to detect, predict, and explain threats in real time, optimizing OT security. | Intrusion detection | Identification of unauthorized access in OT networks using IDS/IPS techniques. | Wazid et al. (2024) [R01], Gueye et al. (2023) [R09], Sulaiman et al. (2023) [R10]
| | Anomaly detection | Identification of atypical patterns in ICS behavior using ML/DL. | Mall et al. (2023) [R16], Mezzina et al. (2021) [R28], Maghrabi et al. (2023) [R52]
| | Threat prediction | Use of time series models and neural networks to forecast attacks. | Raval et al. (2024) [R24], Zolanvari et al. (2023) [R18], Ahmad et al. (2022) [R33]
| | Decision explanation | Application of Explainable AI (XAI) to interpret detection results. | Ahakonye et al. (2024) [R08], Shtayat et al. (2023) [R40], Falco et al. (2018) [R47]
Risk management | Assessment and mitigation of risks in critical infrastructures using probabilistic models and standards. | Probability-based assessment | Risk quantification through statistical and simulation models. | Figueroa-Lorenzo et al. (2020) [R19], Tareq et al. (2022) [R35], Laghari et al. (2021) [R43]
| | Risk management frameworks | Implementation of NIST, ISO 27001, and IEC 62443 in critical systems. | Ahmad et al. (2022) [R33], Alzahrani & Aldhyani (2023) [R45], Mahmoodi et al. (2023) [R49]
| | Scenario-based risk analysis | Modeling of attack scenarios to evaluate impact on OT systems. | Schmitt (2023) [R27], Calabrese et al. (2023) [R23], Zhu et al. (2019) [R48]
Standards-based models | Ensure compliance with frameworks such as IEC 62443 and NIST, improving operational security. | Regulatory compliance | Adaptation of critical infrastructures to standards such as NERC CIP. | Imran et al. (2024) [R42], Dari et al. (2023) [R14], Gaskova et al. (2023) [R15]
| | ICS security | Application of IEC 62443 in SCADA and PLC systems. | Santoso et al. (2024) [R17], Oliveira et al. (2023) [R51], Bhardwaj et al. (2024) [R50]
Collaborative and information sharing models | Facilitate the sharing of threat intelligence using STIX/TAXII, ISACs, and peer-to-peer platforms. | Threat intelligence | Use of STIX/TAXII to exchange real-time cyber threat data. | Chehri et al. (2021) [R22], Sarker et al. (2020) [R25], Motwakel et al. (2023) [R46]
| | Data exchange platforms | Use of ISACs and P2P networks for OT cybersecurity collaboration. | Houmb et al. (2023) [R12], Salam et al. (2023) [R30], Bhandari et al. (2023) [R32]
Incident response and recovery | Automate incident response and optimize recovery using digital twins and contingency plans. | Incident response | Implementation of automated strategies to mitigate attacks in real time. | Al-Hawawreh et al. (2021) [R20], Payne et al. (2019) [R44], Bhardwaj et al. (2020) [R50]
| | Infrastructure recovery | Use of digital twins to simulate post-attack recovery scenarios. | Laskurain-Iturbe et al. (2021) [R41], Mezzina et al. (2021) [R28], Maghrabi et al. (2023) [R52]
System architecture-based protection | Integrate OT security through segmentation, micro-segmentation, and blockchain for critical networks. | SCADA and IoT security | Design of secure networks using segmentation and micro-segmentation. | Mahmoodi et al. (2023) [R49], Mogollón-Gutiérrez et al. (2023) [R34], Verma et al. (2024) [R05]
| | Blockchain for OT | Use of blockchain to ensure data integrity in energy networks. | Cvitic et al. (2022) [R39], Maghrabi et al. (2023) [R52], Abir et al. (2021) [R36]
Simulation and testing | Simulate attacks and validate defense strategies in ICS and critical energy networks. | Attack simulation | Testing environments to validate defense mechanisms in ICS. | Clark et al. (2024) [R04], Yamin et al. (2021) [R26], Ghadi et al. (2024) [R02]
| | Resilience testing | Evaluation of infrastructure robustness against cyberattacks. | Mengara et al. (2024) [R03], Falco et al. (2018) [R47], Schmitt (2023) [R27]
Table 5. CEI cybersecurity models for detection, prediction, and explanation.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Intrusion detection | M01 | Deep Learning Intrusion Detection System (DL-IDS) | Deep learning for detecting intrusions in OT networks. | Protection in SCADA [R10], Substation monitoring [R18], IIoT security [R25, R30]
| M02 | Hybrid IDS Based on Machine Learning | Supervised/unsupervised ML for unauthorized access detection. | Detection in PLCs [R5], OT network security [R12, R20], SCADA traffic analysis [R38]
| M03 | Behavior-Based Detection Model | Real-time pattern analysis in OT environments. | OT access monitoring [R7], Industrial traffic analysis [R24], Unauthorized access prevention [R35, R50]
| M04 | Federated Learning Intrusion Detection System (FL-IDS) | Distributed detection using federated learning. | Distributed detection in IoT [R6], Smart grid security [R14], Decentralized OT analysis [R33, R49]
Anomaly detection | M05 | Autoencoder Anomaly Detection System | Autoencoders for detecting anomalies in SCADA. | Industrial network anomalies [R8], Energy plant security [R15], IIoT traffic analysis [R28, R40]
| M06 | Explainable Anomaly Detection (XAI-AD) | XAI for improving anomaly detection. | OT behavior analysis [R13], Real-time monitoring [R19], Fault prediction [R26, R42]
| M07 | Anomaly Detection with One-Class SVM | One-Class SVM for detecting anomalies in OT. | Substation monitoring [R9], Industrial network protection [R21], Unusual event detection [R34, R46]
| M08 | Deep Autoencoder for Energy Systems | Deep autoencoders for OT energy systems. | Consumption data analysis [R11], Industrial IoT security [R22], OT risk assessment [R29, R47]
Threat prediction | M09 | Time Series-Based Threat Prediction | Time series models for cyberattack forecasting. | Attack prediction in OT networks [R3], Threat modeling in SCADA [R17], IIoT risk assessment [R31, R44]
| M10 | Recurrent Neural Networks (RNN) for Threat Prediction | RNNs for anticipating threats in OT. | Early malware detection [R4], Cyberattack pattern analysis [R16], Predictive energy security [R27, R39]
| M11 | Hybrid Predictive Model with Bayesian Networks | Hybrid model using ML and Bayesian networks. | OT vulnerability assessment [R2], Malicious pattern analysis [R23], Critical IoT security [R32, R45]
| M12 | Deep Learning-Based Attack Forecasting | Deep learning for anticipating attacks in OT. | SCADA attack prevention [R1], Cyberattack scenario modeling [R20], Resilience in critical infrastructures [R36, R48]
Decision explanation | M13 | Explainable AI for OT Security (XAI-OT) | XAI for justifying cybersecurity decisions in OT environments. | IDS alert interpretation [R7], Prediction justification in IIoT [R18], Attack detection transparency [R30, R41]
| M14 | SHAP-Based Intrusion Detection Explanation | SHAP to explain intrusion detection decisions. | OT risk analysis [R12], Anomaly pattern interpretation [R25], Cyber defense explainability [R38, R50]
| M15 | LIME for Cybersecurity Decision-Making | LIME to support decisions in cybersecurity contexts. | Security event explanation [R6], Predictive model interpretation [R14], AI transparency in OT [R33, R49]
| M16 | Feature Importance Analysis for Threat Detection | Feature importance analysis to improve threat detection. | IDS accuracy enhancement [R5], OT security evaluation [R19], Security decision justification [R28, R43]
Table 6. CEI cybersecurity risk management models.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Probability-based assessment | M17 | Probabilistic Risk Assessment (PRA) | Probabilistic evaluation to quantify risks in OT environments. | Power grid analysis [R2], SCADA security [R16], OT failure estimation [R27]
| M18 | Bayesian networks for risk analysis | Bayesian networks to model uncertainty in OT cybersecurity. | Vulnerability assessment [R4], OT incident modeling [R19], Impact prediction [R33]
Risk management frameworks | M19 | NIST risk management framework | NIST-based structured framework for OT risk management. | SCADA implementation [R6], Smart grid deployment [R14], Industrial IoT assessment [R30]
| M20 | ISO/IEC 27001 risk framework | ISO/IEC 27001-based approach for OT risk mitigation. | Energy systems protection [R9], Critical infrastructure security [R21], IIoT control [R35]
Scenario-based risk analysis | M21 | Scenario-based risk analysis | Risk modeling through OT attack scenario simulations. | Smart grid evaluation [R11], Cyberattack simulation [R25], SCADA system analysis [R40]
| M22 | Cybersecurity threat modeling | Modeling of threats to anticipate attacks in OT systems. | Attack vector identification [R8], OT network analysis [R22], Energy impact evaluation [R36]
Table 7. CEI cybersecurity models based on standards and compliance.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Regulatory compliance | M23 | NIST cybersecurity framework | NIST-based model to protect OT critical infrastructures. | Power grid implementation [R2], SCADA security [R12], OT compliance evaluation [R25]
| M24 | ISO/IEC 27001 standards | International standards for OT security management. | Critical infrastructure security [R6], IIoT implementation [R18], Smart grid protection [R30]
| M25 | COBIT framework | Model integrating risk management and corporate governance in OT. | SCADA control [R9], Industrial network assessment [R21], Control systems application [R35]
ICS system security | M26 | IEC 62443 standards | Model for securing industrial control systems (ICS). | SCADA network protection [R11], Substation security [R22], PLC evaluation [R40]
| M27 | Industry 4.0 cybersecurity standards | Standards applied to cybersecurity in industrial environments. | IIoT security [R8], Smart factory protection [R19], OT monitoring system evaluation [R33]
Table 8. Collaborative and information sharing models for CEI cybersecurity.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Threat intelligence | M28 | STIX/TAXII-based threat intelligence | Model based on STIX/TAXII for real-time threat intelligence sharing. | Exchange in critical infrastructures [R3], SCADA prevention [R12], Smart grid coordination [R25]
| M29 | AI-driven cyber threat intelligence | Use of AI to analyze and exchange cyber threat information in OT environments. | Predictive analysis in IIoT [R7], Attack pattern detection [R16], Industrial network security [R29]
| M30 | Collaborative threat sharing network | Interagency collaboration network for sharing cyber threat intelligence. | Shared monitoring in smart grids [R10], Early warning in ICS [R22], SCADA system protection [R37]
Data exchange platforms | M31 | ISACs for critical infrastructure security | Model based on Information Sharing and Analysis Centers (ISACs) for OT security. | Electrical infrastructure protection [5], IIoT network coordination [R14], SCADA system security [R30]
| M32 | P2P cybersecurity data exchange | Decentralized peer-to-peer data exchange on cyber threats in OT. | Distributed monitoring in OT [R9], Incident response in ICS [R18], Detection in industrial networks [R33]
Table 9. CEI cybersecurity models for incident response and recovery.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Incident response | M33 | Automated incident response system | Automates cyberattack mitigation in critical infrastructures. | SCADA mitigation [R3], IIoT incident response [R10]
| M34 | AI-based intrusion response framework | Uses AI for adaptive and automatic responses to attacks. | Industrial network protection [R7], Malware response in OT [R29]
Infrastructure recovery | M35 | Digital twin for cyber resilience | Digital twins to simulate and recover OT systems after attacks. | Damage assessment in smart grids [R5], SCADA recovery simulation [R14], IIoT resilience [R25]
| M36 | Blockchain-enhanced recovery mechanisms | Blockchain for ensuring data integrity post-attack. | Record protection in ICS [R9], Restoration in energy networks [R22]
| M37 | Self-healing networks for critical systems | Self-repairing networks to ensure operational continuity. | Post-attack reconfiguration in OT [11]
Table 10. CEI cybersecurity models for system architecture-based protection.
Subcategory | ID | Model | Description | Applications (Selected Studies)
SCADA and IoT security | M38 | SCADA security frameworks | Models designed to protect SCADA systems from cyber threats. | SCADA network protection [R2], PLC controller security [R10], Industrial network deployment [R20, R28]
| M39 | IoT/IIoT secure architecture | Security design for IoT and IIoT devices in CEIs. | Industrial IIoT security [R7], Smart grid protection [R15], SCADA system evaluation [R30, R39]
| M40 | Microsegmentation techniques | Microsegmentation to minimize attack impact and contain breaches. | OT network segmentation [R5], Smart grid protection [R18], SCADA environment deployment [R26]
Blockchain for OT | M41 | Blockchain-integrated security models | Blockchain-based models to ensure data integrity in OT systems. | Data validation in SCADA [R9], Energy system security [R22], Critical infrastructure protection [R37, R42]
| M42 | Decentralized ledger for critical systems | Distributed ledger to secure transactions in OT networks. | Industrial network authentication [R11], Record protection in IIoT [R24], Critical data center applications [R35]
Table 11. CEI cybersecurity models for simulation and testing.
Subcategory | ID | Model | Description | Applications (Selected Studies)
Attack simulation | M43 | Cyber attack simulation platforms | Platforms for simulating cyberattacks in OT environments. | SCADA network assessment [R3], Smart grid simulations [R12], IIoT testing [R25, R31], ICS attack scenarios [R38]
| M44 | AI-powered cyber range environments | AI-based testing environments to evaluate OT resilience. | Critical infrastructure testing [R7], Data center evaluation [R16], PLC attack simulations [R29, R40]
| M45 | Threat emulation for OT systems | Emulation of attack tactics in OT settings. | Energy distribution system evaluation [R10], APT simulation in smart grids [R22]
Resilience testing | M46 | Resilience testing with digital twins | Use of digital twins for testing OT recovery capabilities. | Energy system evaluation [R5], Smart grid simulations [R14], Industrial network testing [R25]
| M47 | Automated stress testing for OT security | Automated stress testing of OT environments. | IIoT evaluation [R9], Resilience in industrial networks [R22]
| M48 | Hybrid simulation frameworks for cyber-physical systems | Hybrid simulation models for evaluating resilience. | ICS attack analysis [R11], Critical infrastructure response evaluation [R24]
| M49 | Self-healing networks simulation | Simulation of self-healing network behavior in OT systems. | Smart grid simulation [R15]
Table 12. Energy services covered by CEI cybersecurity models.
ID | Energy Services | Description | Applied CEI Models
S01 | Power generation | Electricity production through hydroelectric, thermal, nuclear, and renewable sources [63] | M01, M03, M04, M12, M19
S02 | Energy transmission | Transport of electricity from power plants via high-voltage networks [63] | M02, M05, M06, M08, M17
S03 | Energy distribution and smart grids | Delivery of electricity to end-users and implementation of smart grids for advanced management [64] | M07, M09, M10, M14, M38
S04 | Energy storage | Technologies for energy storage such as batteries and pumped hydro systems [65] | M11, M13, M15, M25
S05 | Demand management and energy efficiency | Systems that dynamically adjust energy consumption based on supply and demand [66] | M16, M18, M22, M35
S06 | Support and control infrastructure | Control and monitoring infrastructure, including SCADA, IoT, and telecommunications [28] | M03, M17, M21, M24, M40
S07 | Energy cybersecurity | Protection strategies against digital threats to critical energy systems [23] | M20, M26, M27, M35, M41
S08 | Service resilience and continuity | Backup plans, recovery protocols, and contingency strategies after an attack [67] | M23, M28, M30, M46, M45
S09 | Network maintenance | Inspection, upgrading, and repair of energy infrastructure [68] | M27, M29, M39, M47
S10 | Emergency response and recovery | Strategies for restoring energy services after cyberattacks or disasters [69] | M30, M31, M36, M43
Table 13. Technical means addressed by CEI cybersecurity models.
ID | Technical Means in CEIs | Description | Applied CEI Models
MT1 | Control and supervisory systems | Includes SCADA and ICS for remote monitoring and control of critical energy processes [28] | M01, M03, M04, M12
MT2 | Communication and network systems | Communication infrastructure enabling secure data transmission in industrial environments, including protocols like DNP3, IEC 61850, and Modbus [6] | M02, M05, M06, M08, M17
MT3 | Physical protection and resilience systems | Measures to protect energy infrastructure against physical and cyber threats, including backup and contingency systems [67] | M07, M09, M10, M14, M38
MT4 | Cybersecurity systems | Platforms and tools for protection against cyberattacks, including IDS/IPS, Zero Trust, Blockchain, and access control [23] | M11, M13, M15, M25, M20
MT5 | Data intelligence and threat prediction | Advanced data analytics through Big Data and AI to detect anomalies and predict threats in critical infrastructures [8] | M16, M18, M22, M23, M28
MT6 | Energy integration and management technologies | Systems for optimizing smart grids, energy storage, and demand-side management, enhancing operational efficiency and security [70] | M27, M29, M39, M35, M41
Table 14. Facilities addressed by CEI cybersecurity models.
ID | CEI Facilities | Description | Applied CEI Models
I01 | Power generation plants | Facilities for electricity production (hydro, thermal, nuclear, renewable), exposed to SCADA and process control attacks [63] | M01, M03, M04, M12
I02 | Transmission and distribution substations | Key infrastructure for voltage transformation and power distribution, vulnerable to physical and cyberattacks [63] | M02, M05, M06, M08, M17
I03 | High-voltage transmission networks | Infrastructure transporting electricity from generation plants to substations, susceptible to sabotage and DDoS attacks [28] | M07, M09, M10, M14, M38
I04 | Distribution networks and smart grids | Electric grids with sensors and monitoring platforms, exposed to data manipulation and targeted cyberattacks [64] | M11, M13, M15, M25, M20
I05 | Operations control centers | Facilities for real-time monitoring and operation of energy infrastructure, frequent targets of APT and ransomware attacks [23] | M16, M18, M22, M23, M28
I06 | Energy storage infrastructure | Battery and pumped hydro systems vulnerable to manipulation in charge/discharge management [65] | M27, M29, M39, M35, M41
I07 | Oil and gas pipelines | Infrastructure for transporting oil and gas, exposed to remote control system attacks [67] | M31, M36, M43, M46
I08 | Energy refining and processing plants | Critical facilities for fuel transformation, vulnerable to attacks affecting production and distribution [71] | M30, M32, M44, M47
I09 | Backup and emergency infrastructure | Contingency systems such as microgrids and generators, essential for maintaining operations during failures or attacks [69] | M23, M40, M45
I10 | Smart metering and billing systems | Digital platforms and meters for consumption analysis, exposed to fraud and data manipulation [68] | M26, M33, M42
Table 15. Algorithms in CEI models and their applications in services, technical means, and facilities.
Algorithm | Applications in Energy Services | Applications in Technical Means | Applications in CEI Facilities
CNN | S01 [R11], S03 [R07], S02 [R05] | MT1 [R12], MT2 [R10] | I01 [R05], I03 [R07]
RNN | S06 [R12], S08 [R10] | MT4 [R15], MT3 [R09] | I06 [R12], I05 [R10]
LSTM | S06 [R12], S08 [R10] | MT4 [R15], MT3 [R09] | I06 [R12], I05 [R10]
RF | S09 [R03], S05 [R14] | MT6 [R22], MT5 [R27] | I09 [R14], I07 [R20]
DT | S09 [R03], S05 [R14] | MT6 [R22], MT5 [R27] | I09 [R14], I07 [R20]
AE | S03 [R07], S02 [R05] | MT1 [R12], MT2 [R10] | I03 [R07], I02 [R05]
GA | S07 [R09], S08 [R15] | MT3 [R14], MT4 [R18] | I08 [R09], I06 [R15]
XAI (SHAP, LIME) | S04 [R08], S10 [R18] | MT5 [R17], MT6 [R20] | I04 [R08], I10 [R18]
NTA | S02 [R06], S09 [R20] | MT2 [R16], MT1 [R21] | I02 [R06], I09 [R20]
BC (PoW, PoS) | S05 [R22], S08 [R30] | MT4 [R24], MT5 [R29] | I07 [R22], I08 [R30]
DRL | S07 [R25], S06 [R28] | MT3 [R31], MT2 [R33] | I06 [R25], I05 [R28]
BN | S03 [R27], S02 [R26] | MT1 [R30], MT5 [R35] | I03 [R27], I02 [R26]
GB (XGBoost, LightGBM) | S05 [R31], S04 [R35] | MT2 [R37], MT4 [R40] | I07 [R31], I04 [R35]
FL | S02 [R29], S08 [R33] | MT5 [R39], MT1 [R41] | I02 [R29], I08 [R33]
TM | S06 [R40] | MT6 [R45] | I05 [R40]
Legend of algorithms: CNN: Convolutional Neural Network; RNN: Recurrent Neural Network; LSTM: Long Short-Term Memory; RF: Random Forest; DT: Decision Trees; AE: Autoencoders; GA: Genetic Algorithms; XAI: Explainable AI; NTA: Network Traffic Analysis; BC: Blockchain; DRL: Deep Reinforcement Learning; BN: Bayesian Networks; GB: Gradient Boosting; FL: Federated Learning; TM: Transformer-based Models.
Table 16. CEI cybersecurity models used in energy services, technical means, facilities, and algorithms.
Aspect | ID | CEI Models
Services | S01 | M01, M03, M04, M12, M19
| S02 | M02, M05, M06, M08, M17
| S03 | M07, M09, M10, M14, M38
| S04 | M11, M13, M15, M25
| S05 | M16, M18, M22, M35
| S06 | M03, M17, M21, M24, M40
| S07 | M20, M26, M27, M35, M41
| S08 | M23, M28, M30, M46, M45
| S09 | M27, M29, M39, M47
| S10 | M30, M31, M36, M43
Technical means | MT1 | M01, M03, M04, M12
| MT2 | M02, M05, M06, M08, M17
| MT3 | M07, M09, M10, M14, M38
| MT4 | M11, M13, M15, M25, M20
| MT5 | M16, M18, M22, M23, M28
| MT6 | M27, M29, M39, M35, M41
Facilities | I01 | M01, M03, M04, M12
| I02 | M02, M05, M06, M08, M17
| I03 | M07, M09, M10, M14, M38
| I04 | M11, M13, M15, M25, M20
| I05 | M16, M18, M22, M23, M28
| I06 | M27, M29, M39, M35, M41
| I07 | M31, M36, M43, M46
| I08 | M30, M32, M44, M47
| I09 | M23, M40, M45
| I10 | M26, M33, M42
Algorithms | CNN | M01, M16, M36
| RNN | M02, M17, M37
| LSTM | M03, M18, M38
| RF | M04, M19, M39
| DT | M05, M26, M34, M46
| AE | M06
| GA | M07, M27, M35, M47
| XAI (SHAP, LIME) | M04, M08, M20, M30, M40
| NTA | M09, M28, M48
| BC (PoW, PoS) | M09, M10, M24, M25, M33, M45
| DRL | M11, M24, M31, M32, M44
| BN | M12, M21, M41
| GB (XGBoost, LightGBM) | M12, M13, M22, M42
| FL | M14, M23, M30, M31, M43
| TM | M15, M29, M49
Table 17. Models and their services, technical means, facilities, and algorithms for protection in CEIC.
Category | Subcategories | CEIC Models | Services | Technical Means | Facilities | Algorithms
Detection, prediction, and explanation | Intrusion detection | M01 | S01, S03 | MT1, MT2 | I01, I03 | CNN
| | M02 | S02, S06 | MT4, MT3 | I06, I05 | RNN, LSTM
| | M03 | S03, S07 | MT4, MT3 | I06, I05 | LSTM
| | M04 | S04, S08 | MT6, MT5 | I09, I07 | RF, XAI
| Anomaly detection | M05 | S05, S09 | MT6, MT5 | I09, I07 | DT
| | M06 | S06, S10 | MT1, MT2 | I03, I02 | AE
| | M07 | S07, S02 | MT3, MT4 | I08, I06 | GA
| | M08 | S08, S04 | MT5, MT6 | I04, I10 | XAI
| Threat prediction | M09 | S09, S01 | MT2, MT1 | I02, I09 | NTA, BC
| | M10 | S10, S03 | MT4, MT5 | I07, I08 | BC
| | M11 | S01, S06 | MT3, MT2 | I06, I05 | DRL
| | M12 | S02, S08 | MT1, MT5 | I03, I02 | BN, GB
| Decision explanation | M13 | S03, S09 | MT2, MT4 | I07, I04 | GB
| | M14 | S04, S10 | MT5, MT1 | I02, I08 | FL
| | M15 | S05, S07 | MT6, MT2 | I09, I03 | TM
| | M16 | S06, S02 | MT1, MT4 | I06, I07 | CNN
Risk management | Probability-based risk assessment | M17 | S07, S08 | MT3, MT5 | I05, I04 | RNN
| | M18 | S08, S10 | MT2, MT6 | I08, I02 | LSTM
| Risk management frameworks | M19 | S09, S01 | MT1, MT3 | I07, I05 | RF
| | M20 | S10, S04 | MT4, MT5 | I03, I06 | XAI
| Scenario-based risk analysis | M21 | S01, S05 | MT6, MT1 | I01, I04 | BN
| | M22 | S02, S07 | MT3, MT2 | I06, I09 | GB
Standards-based models | Regulatory compliance | M23 | S03, S08 | MT5, MT4 | I07, I02 | FL
| | M24 | S04, S09 | MT2, MT3 | I03, I08 | DRL, BC
| | M25 | S05, S10 | MT1, MT6 | I09, I06 | BC
| ICS security | M26 | S06, S01 | MT4, MT3 | I04, I07 | DT
| | M27 | S07, S03 | MT2, MT5 | I02, I05 | GA
Collaborative or information-sharing models | Threat intelligence | M28 | S08, S05 | MT6, MT4 | I08, I01 | NTA
| | M29 | S09, S07 | MT1, MT2 | I05, I07 | TM
| | M30 | S10, S09 | MT3, MT6 | I06, I03 | XAI, FL
| Data sharing platforms | M31 | S01, S06 | MT5, MT1 | I04, I09 | FL, DRL
| | M32 | S02, S08 | MT2, MT6 | I07, I06 | DRL
Response and recovery | Incident response | M33 | S03, S09 | MT4, MT5 | I05, I04 | BC
| | M34 | S04, S10 | MT6, MT1 | I08, I02 | DT
| Infrastructure recovery | M35 | S05, S07 | MT3, MT2 | I07, I05 | GA
| | M36 | S06, S02 | MT5, MT4 | I03, I06 | CNN
| | M37 | S07, S08 | MT2, MT3 | I01, I04 | RNN
Architecture-based protection | SCADA and IoT security | M38 | S08, S10 | MT1, MT6 | I06, I09 | LSTM
| | M39 | S09, S01 | MT4, MT3 | I07, I02 | RF
| | M40 | S10, S04 | MT2, MT5 | I03, I08 | XAI
| Blockchain for OT | M41 | S01, S05 | MT6, MT4 | I09, I06 | BN
| | M42 | S02, S07 | MT1, MT2 | I04, I07 | GB
Simulation and testing | Attack simulation | M43 | S03, S08 | MT3, MT6 | I02, I05 | FL
| | M44 | S04, S09 | MT5, MT1 | I08, I01 | DRL
| | M45 | S05, S10 | MT2, MT6 | I05, I07 | BC
| Resilience testing | M46 | S06, S01 | MT4, MT5 | I06, I03 | DT
| | M47 | S07, S03 | MT6, MT1 | I04, I09 | GA
| | M48 | S08, S05 | MT3, MT2 | I07, I06 | NTA
| | M49 | S09, S07 | MT5, MT4 | I05, I04 | TM
Share and Cite

MDPI and ACS Style

Rodriguez-Casavilca, H.M.; Mauricio, D.; Villanueva, J.M.M. Evolution of Artificial Intelligence-Based OT Cybersecurity Models in Energy Infrastructures: Services, Technical Means, Facilities and Algorithms. Energies 2025, 18, 5163. https://doi.org/10.3390/en18195163