Systematic Review

Cybersecurity of Cyber-Physical Systems in the Quantum Era: A Systematic Literature Review-Based Approach

1 GTI Research Group, Departamento de Sistemas, Facultad de Ingeniería Electrónica y Telecomunicaciones, Universidad del Cauca, Popayán 190003, Colombia
2 Lab-STICC, UMR CNRS 6285, UFR des Sciences de l’Information et de l’Informatique, Ecole Nationale Supérieure de Techniques Avancées (ENSTA), 2 rue François Verny, CEDEX 9, 29806 Brest, France
* Authors to whom correspondence should be addressed.
Future Internet 2026, 18(3), 125; https://doi.org/10.3390/fi18030125
Submission received: 21 January 2026 / Revised: 17 February 2026 / Accepted: 21 February 2026 / Published: 28 February 2026
(This article belongs to the Section Cybersecurity)

Abstract

The convergence of cyber-physical systems (CPSs), operational technologies (OTs), industrial control systems (ICSs), and quantum computing poses unprecedented challenges for the security and resilience of critical infrastructures (CIs). As quantum capabilities progress, classical cryptographic mechanisms such as RSA and ECC face increasing risks from quantum algorithms (Shor and Grover), while CPS and OT remain constrained by long life cycles, heterogeneity, and limited upgrade capabilities. This study conducts a systematic literature review (SLR) following a GQM-PICO-PRISMA methodological framework to examine 66 primary studies, selected from 1.522 records identified in seven scientific databases and published between 2005 and 2025. The review identifies dominant research domains, ranging from IoT/IIoT security to machine learning-based intrusion detection in CPS/OT environments, and synthesizes key challenges. Findings reveal significant fragmentation in CPS taxonomies, limited integration of post-quantum cryptography (PQC) into OT/ICS protocols, a scarcity of real-world datasets, and insufficient quantum threat modeling (QTM). This work consolidates and structures prior evidence into a literature-derived classification of quantum-era CPS/OT cybersecurity topics and distills a prioritized research agenda for advancing quantum-resilient architectures.

1. Introduction

Cyber-physical systems (CPSs), operational technologies (OTs), and industrial control systems (ICSs/SCADA) form the backbone of modern critical infrastructures (CIs), enabling the automation and supervision of physical processes at a national scale. Their integration with IoT devices, distributed energy resources (DERs), and satellite links has increased operational efficiency but has also significantly expanded the attack surface. Numerous studies demonstrate that current CPS architectures exhibit structural vulnerabilities arising from legacy protocols, weak authentication, deterministic timing dependencies, and the difficulty of patching devices with long operational lifecycles [1,2,3].
The emergence of quantum computing amplifies these challenges dramatically. Algorithms such as Shor’s, capable of factoring integers and solving discrete logarithms in polynomial time, and Grover’s, which quadratically accelerates brute-force searches, pose existential risks to the classical cryptographic mechanisms (RSA, ECC, and AES) on which OT depends. Leading cryptographers emphasize that these primitives will not withstand adversaries equipped with scalable quantum devices [4,5]. Moreover, recent threat modeling highlights unique risks for CI due to “harvest-now–decrypt-later” (HNDL) strategies, where adversaries store encrypted telemetry today for future decryption [6,7]. Consequently, mechanisms such as post-quantum cryptography (PQC) [8] and Quantum Key Distribution (QKD) [9] must be investigated not merely as cryptographic abstractions, but as deployable solutions within the strict timing and bandwidth constraints of industrial networks.
Despite these risks, the intersection of CPS security and quantum threats remains fragmented. Preliminary analyses indicate that sectors such as smart grids and healthcare are highly sensitive to latency, making brute-force migrations to heavier PQC algorithms problematic without robust benchmarking [10,11]. Furthermore, governance frameworks, such as NIST SP 800-207 [12] and IEC 62443-1-1 [13], have yet to fully assimilate quantum readiness, leaving a gap in standardized guidance for operators [14].

1.1. Contribution and Scope

To address these challenges, this study conducts a systematic literature review (SLR) grounded in established guidelines (PICO and PRISMA). We examined 66 primary studies published between 2005 and 2025, selected from 1.522 records across seven scientific databases. Detailed protocol artifacts (search strings, selection logs, and extraction sheets) are provided as supplementary open materials in our Zenodo repositories.
Beyond aggregating prior work, our contribution is to convert fragmented evidence into a decision-oriented synthesis: (i) an eight-topic classification grounded in the primary studies, (ii) cross-topic gaps that are expressed as measurable needs (e.g., PQC-in-OT benchmarking, quantum-readiness metrics, and dataset/benchmark availability), and (iii) a prioritized research agenda that can inform both technical migration planning and governance discussions in critical infrastructures.
  • Synthesizing evidence on how quantum computing disrupts CPS/OT ecosystems, with emphasis on structural vulnerabilities in long-lived operational assets.
  • Deriving an eight-topic classification that organizes the fragmented literature (e.g., PQC in OT protocols, QKD links, quantum-aware IDS, and governance readiness).
  • Mapping recurring gaps (e.g., limited PQC validation under OT constraints, scarcity of real-world datasets, and missing quantum-readiness metrics) into a targeted research agenda.

1.2. Paper Structure

The remainder of this paper is structured as follows. Section 2 details a comparative analysis between related works and primary studies. Section 3 presents the 4 stages of the protocol applied to the SLR. Section 4 describes the main contributions of this study to the fields of research and innovation through the analysis of the results. Section 5 presents the discussion, while Section 6 reports the conclusions. Finally, the reference list compiles the bibliographic sources that support and substantiate this systematic review.

2. Related Work

Research on the cybersecurity of cyber-physical devices (CPDs) and critical infrastructures in the quantum era has evolved along several converging lines, reflecting both technological disruption and methodological refinement. In alignment with Search Goal 1 (SG1), as detailed in Table 1 (each Search Goal has its own keyword, domain question, and respective research questions), the systematic review conducted, covering 66 definitive primary studies, reveals clear patterns regarding current research trends, existing gaps, and the urgent need to transition toward quantum-resilient mechanisms.

2.1. Foundational Trends and Emerging Threats (SG1)

Studies responding to SG1, as shown in Table 1 and Stage 1 of Amador et al. [15] (p. 2), consistently identify that quantum computing threatens the long-term viability of classical cryptographic mechanisms. This is particularly acute in CPD and OT environments, where device life cycles often exceed 20 years, making cryptographic agility non-trivial [16,17,18,19,20,21,22,23,24,25,26,27]. This concern mirrors broader discussions in the cryptographic community, where canonical works by Mosca [4] and Bernstein et al. [5] stress the strategic risks associated with delayed post-quantum cryptography (PQC) migration. Unlike general IT environments, the primary studies highlight that CPD operates in complex, interconnected sectors—such as smart grids and satellite communications—where cascading failures are plausible [22,28,29,30,31,32,33,34,35,36]. This extends earlier surveys by Giraldo et al. [3] and Mo et al. [10] by explicitly incorporating quantum-era threat models.

2.2. Operational Security and Resilience Management (SG2)

Research aligned with Search Goal 2 (SG2), as shown in Table 1 and Stage 1 of Amador et al. [15] (p. 2), documents a wide array of management approaches, ranging from secure-by-design principles to risk management and anomaly detection [19,34,37,38,39,40,41,42,43,44,45,46,47,48,49,50]. These contributions resonate with foundational work on industrial incident analysis [1,2]. However, while earlier literature focused on classical threats, the current body of knowledge broadens the scope to include quantum-capable adversaries, supporting a long-term shift toward cryptographic agility and updated governance mechanisms.

2.3. Methodological Contributions and Experimental Validation (SG3)

This section addresses Search Goal 3 (SG3) as shown in Table 1 and Stage 1 of Amador et al. [15] (p. 2), which aims to identify the methodological approaches and experimental validation techniques employed in the field. A key finding of this review is the shift from theory to practice. Many primary studies propose advanced testbeds, simulation platforms, and evaluation frameworks [20,25,29,31,32,35,36,38,39,41,44,45,46,49,50,51,52,53,54,55,56]. This focus on reproducibility complements theoretical advances in Quantum Key Distribution (QKD) and quantum networks [9,57]. Furthermore, empirical evaluations of PQC on embedded devices [36,43,44,50,56,58] reinforce benchmarking studies by Chung et al. [11], identifying performance trade-offs in resource-constrained OT environments.

2.4. Strategic Justification (SG4)

Finally, regarding Search Goal 4 (SG4) as detailed in Table 1 and Stage 1 of Amador et al. [15] (p. 2), the selected studies argue that the convergence of quantum computing and hyper-connected infrastructures disrupts fundamental assumptions about confidentiality and availability [19,25,30,31,32,35,36,47,49]. In this context, contemporary quantum threat modeling frameworks [6] provide the necessary conceptual basis for evaluating these risks.

2.5. Comparative Analysis

To contextualize the contributions of this review within the broader scientific landscape, Table 2 contrasts the selected primary studies with publications of related works [1,2,3,4,5,6,7,9,10,11,12,14,57,59]. This comparison highlights that while canonical references often adopt theoretical or standardization-driven approaches, the studies analyzed in this SLR predominantly emphasize applied solutions for CPS and OT ecosystems. Compared to foundational CPS/ICS security surveys and strategic quantum risk papers, the definitive studies in this SLR place stronger emphasis on applied validation in OT/CPS environments (e.g., smart grids, satellites, and industrial protocols). This comparative view clarifies where prior works remain conceptual (standardization and threat framing) versus where empirical constraints (latency, patchability, device lifecycles, and governance) dominate in the primary evidence, motivating the need for crypto-agility and sector-aware migration paths.

3. Materials and Methods

For transparency and replicability, the protocol follows four staged activities (Section 3.1, Section 3.2, Section 3.3 and Section 3.4) and is documented through open artifacts. All artifacts and supplementary materials are available in Zenodo (CERN, Geneva, Switzerland), including the final search strings, selection logs, and extraction sheets. Across seven scientific databases, we executed the searches over the 2005–2025 window, removed duplicates, screened titles/abstracts, and applied explicit inclusion/exclusion criteria and a structured quality assessment before evidence synthesis.
This systematic literature review (SLR) was conducted following the guidelines for software engineering reviews by Kitchenham & Charters [71] and adheres to the PRISMA 2020 statement (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) [72], as illustrated in Figure 1. To ensure transparency, reproducibility, and rigorous data management, the methodological pipeline was divided into four documented stages, with full datasets and protocols available in the associated open repositories in https://zenodo.org [15,70,73,74].

3.1. Stage 1: Apply Goal-Question-Metric (GQM) Approach

The research scope was defined using the Goal-Question-Metric (GQM) approach [75]. As detailed in our Stage 1 protocol [15], we established four high-level Search Goals (SG), as detailed in Table 1, to guide the review:
  • SG1 (Knowledge): Identify emerging threats and the impact of quantum computing on CPS/OT.
  • SG2 (Scope): Analyze management practices and resilience strategies.
  • SG3 (Management): Examine testbeds, simulation frameworks, and experimental validation.
  • SG4 (Use): Justify the research domain and identify gaps.
Based on these goals, specific research questions (RQs) were formulated, as detailed in Table 1, and validated using a set of twelve quality criteria (clarity, relevance, specificity, focalization, consistency, feasibility, importance in the scientific community, originality, ease of testing, previous literature review, feedback, and settings), as documented in our Quality Criteria Report in [76] (pp. 1–2). Stage 1 is presented in detail in a repository on Zenodo through the following link accessed on 20 February 2026: https://doi.org/10.5281/zenodo.17613862.

3.2. Stage 2: Search and Selection Strategy (PICO & PRISMA)

The search and selection process, detailed in Stage 2 in [73], employed a structured string construction based on the PICO criteria as shown in Table 3.
Search strings combined CPS/OT and industrial protocol terminology with quantum and security terms (e.g., (“cyber-physical system” OR CPS OR OT OR SCADA) AND (quantum OR post-quantum OR PQC OR QKD) AND (security OR cybersecurity OR intrusion detection)). Database-specific syntax variations and the full set of strings are provided in the Stage 2 materials, which are presented in detail in a repository on Zenodo through the following link (accessed on 20 February 2026): https://doi.org/10.5281/zenodo.17429827.
During the selection process, a total of 1.522 records were initially identified. Following the PRISMA flow, as depicted in Figure 2, duplicates were removed, and titles and abstracts were screened. The remaining articles underwent a full-text review based on inclusion criteria (IC), as shown in Table 4, focusing on peer-reviewed studies published between 2005 and 2025, and exclusion criteria (EC), as detailed in Table 5, filtering out non-English papers or purely theoretical physics papers without CPS application. The studies excluded during the selection phase, as shown in Figure 2, were based on the following three criteria: Criterion 1: 107 studies removed based on an evaluation of thematic relevance, methodological rigor, results, and conclusions to select the most important ones; Criterion 2: 20 studies removed based on an evaluation of the criteria of clarity, credibility, relevance, and rigor; and, finally, Criterion 3: 5 studies removed based on an evaluation of the answers to the final research questions.
To ensure the scientific rigor and relevance of the evidence synthesized, specific inclusion criteria (IC) were established as part of the selection protocol. These criteria, detailed in Table 4, prioritize high-quality peer-reviewed contributions that directly address the intersection of cyber-physical systems and quantum threats, ensuring that the analysis captures the evolution of the field over the last two decades.
Conversely, to minimize bias and guarantee the methodological consistency of the review, a set of exclusion criteria (EC) was applied during the screening phase. As outlined in Table 5, these criteria served to filter out duplicate records, grey literature lacking formal peer review (such as theses or unverified reports), and studies that failed to provide sufficient technical depth or accessibility to answer the research questions.

3.3. Stage 3: Data Review, Synthesis, and Quality Assessment

When applying criterion 1, 107 studies were eliminated based on an assessment of thematic relevance, methodological rigor, results, and conclusions to select the most important ones, leaving 91 studies. After applying criterion 2, the extracted studies underwent a rigorous quality assessment using the CCRR framework (clarity, credibility, relevance, and rigor), evaluating each study on a scale of 0 to 4 points. The criteria for clarity, credibility, and relevance were scored with values of 0 (No), 0.5 (Partially), or 1 (Yes), while rigor was evaluated on a binary basis (0 or 1). Quality categories were established: Moderate (≤50%), Medium (51–79%), and High (≥80%). To ensure scientific robustness, only studies surpassing the 50% threshold were selected; 20 studies were excluded, resulting initially in 71 primary studies. Subsequently, criterion 3 was applied based on the ability to answer the research questions (RQ), discarding 5 additional studies and consolidating a total of 66 definitive primary studies for the final synthesis [70].

3.4. Stage 4: Reporting and Evidence Synthesis

To ensure interpretative rigor and mitigate subjectivity in the categorization of findings, the data synthesis process followed the Thematic Analysis framework proposed by Braun & Clarke [77]. This inductive approach allowed for the themes to emerge directly from the evidence extracted from the 66 primary studies [70], rather than being pre-imposed. The process followed a systematic six-phase workflow:
  • Familiarization with the data: This involved deep reading of the selected articles and reviewing technical extraction notes to identify recurring patterns.
  • Generating initial codes: Using a structured extraction matrix (developed in Microsoft Excel), key technical concepts, performance metrics, and research gaps were systematically coded from each study.
  • Searching for themes: The initial codes were grouped into preliminary categories based on commonalities in vulnerabilities, mitigation technologies, and application contexts (e.g., smart grids and PQC latency).
  • Reviewing potential themes: The categories were validated against the entire dataset to ensure they accurately represented the evidence and that no critical findings were overlooked.
  • Defining and naming themes: This phase resulted in the consolidation of the 8 final themes that structure the results of this study (as presented in Table 6).
  • Report production: The themes were finally mapped onto the Technology-Organization-Environment (TOE) framework to provide the high-level strategic synthesis discussed in Section 5.

4. Results: Synthesis and Characterization of Findings

This section presents the results of the systematic literature review (SLR) conducted on the 66 definitive primary studies. The findings move beyond a descriptive summary, providing a structured analysis of the quantum-era CPS cybersecurity landscape through quality metrics, evidence mapping, and thematic characterization.

4.1. Study Quality Assessment (CCRR)

The 66 definitive primary studies were evaluated using the clarity, credibility, relevance, and rigor (CCRR) criteria to ensure the scientific reliability of the synthesized data. According to the quality assessment matrix, 92% of the selected studies [70] achieved a “High Rigor” rating (scores ≥ 88%), while 8% were classified as “Medium” (scores ≥ 75%). Studies such as [35,44,63,78] reached the maximum score (100%), demonstrating exceptional methodological rigor and relevance to critical infrastructure protection. This high-quality threshold ensures that the strategic insights derived in this study are based on peer-reviewed, architecturally sound research.

4.2. Evidence Mapping by Research Question

To analyze the distribution of research efforts, the primary studies were mapped against the eight research questions (RQ) defined in the protocol. This mapping reveals the thematic density and identifies which aspects of the quantum-era CPS have received the most academic attention.
As shown in Table 7, the highest concentration of research is found in RQ6 (62 studies) and RQ7 (61 studies). This indicates a robust consensus on the need to define the technical characteristics and management frameworks required for the quantum transition.

4.3. Synthesis of Findings

The inductive thematic analysis led to the identification of eight core topics. Table 6 provides a self-contained synthesis that maps these themes to the evidence and identifies the critical gaps addressed in the strategic agenda.

4.4. Temporal and Sectoral Trends

The temporal analysis reveals an accelerated interest in quantum-resilient CPS, with over 75% of the selected studies published between 2023 and 2025. This trend correlates with the final stages of the NIST PQC standardization process and the increasing real-world feasibility of quantum computing. Sectorally, the evidence is highly concentrated in smart grids and Energy Systems, where the protection of time-critical protocols such as GOOSE (Generic Object-Oriented Substation Event) and SVs (Sampled Values) represents the most significant technical challenge for the implementation of post-quantum cryptography.

5. Discussion

To provide a holistic interpretation of the findings, this study adopts the Technology-Organization-Environment (TOE) framework, originally proposed by Tornatzky and Fleischer [85]. The TOE framework is particularly suited for analyzing the adoption and impact of complex technological shifts, such as the transition of cyber-physical systems (CPS) to quantum-resistant architectures. By categorizing the 66 primary studies [70] into these three dimensions, we move beyond a descriptive summary toward a multi-dimensional analysis of the challenges and opportunities in the quantum era.
While Section 4.1, Section 4.2 and Section 4.3 provide descriptive and statistical summaries of the evidence base, this discussion reconnects those results to the review’s objectives (Section 1.1) and to the SG/RQ structure (Table 1). Specifically, we interpret what the eight-topic classification implies for (i) quantum-readiness of OT/ICS assets, (ii) practical migration constraints (latency, patchability, and certification), and (iii) governance decisions under HNDL risk.
We also distill the findings into actionable implications for three stakeholder groups: CI operators (what to inventory and prioritize), standards bodies (what metrics and guidance remain missing), and researchers (what to benchmark and publish to improve comparability).
This systematic review confirms that the convergence of quantum computing and critical infrastructures (CI) creates a “Resilience Paradox”: while theoretical quantum attacks (Shor’s algorithm) are well-understood in the cryptographic community [4,5], the operational mechanisms to protect cyber-physical systems (CPS) are still in an initial stage. This section interprets these findings, contrasting the “ideal” academic scenarios with the “real-world” constraints identified in the primary studies.

5.1. The Technological Dimension: Balancing Quantum Security and Real-Time Constraints

The technological dimension of the analyzed studies reveals a critical tension between the high computational demands of quantum-resistant solutions and the operational limitations of CPS. While NIST has successfully standardized post-quantum cryptography (PQC) algorithms such as ML-KEM [59], identifying them as the most scalable approach for legacy systems, our analysis reveals a critical disconnect in their practical application to operational technology (OT). Theoretical works often assume modern computing power [5]; however, primary studies such as [44,56] demonstrate that implementing lattice-based PQC on legacy SCADA devices—such as Remote Terminal Units (RTUs) with limited processing power—introduces unacceptable latency for real-time control loops, which typically require response times of less than 10 ms. This highlights a significant gap in real-world performance benchmarks, as most studies focus on algorithmic efficiency in IT-centric scenarios while overlooking these strict industrial control systems (ICSs) requirements.
This “technological debt” is further exacerbated by the lack of cryptographic agility within the sector. Although the literature emphasizes the necessity of agility [62], evidence from studies like [54,82] indicates that most industrial controllers rely on hard-coded cryptographic primitives and hardware roots of trust that cannot be patched remotely. This confirms that the migration path for critical infrastructure (CI) is significantly slower and more expensive than for the IT sector, as CPS devices with limited memory struggle to support both advanced PQC signatures and real-time AI-based monitoring. Furthermore, while the integration of Quantum Key Distribution (QKD) offers information-theoretic security, it remains constrained by hardware costs and distance limitations, making it a niche solution for backbone infrastructures rather than edge devices. Consequently, the role of machine learning (ML) and Intrusion Detection Systems (IDSs) emerges as a vital compensatory layer. Ultimately, ‘quantum-readiness’ at the device level is currently hindered by a profound hardware-software mismatch that requires further optimization of lightweight cryptographic primitives.
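The tension between PQC signature size and control-loop deadlines can be made concrete with a lower-bound calculation. The following is an added example, not code from the reviewed studies: signature sizes are the published FIPS 204 (ML-DSA) values and raw ECDSA P-256, while the link profiles, the 200-byte payload and the `cpu_ms` figure are constructed assumptions. Frame headers and inter-frame gaps are ignored, so real latency is higher.

```python
from dataclasses import dataclass

# Signature sizes in bytes. ML-DSA values are from FIPS 204;
# ECDSA P-256 is the raw (r, s) encoding.
SIGNATURE_BYTES = {
    "ECDSA-P256": 64,
    "ML-DSA-44": 2420,
    "ML-DSA-65": 3309,
    "ML-DSA-87": 4627,
}


@dataclass(frozen=True)
class Link:
    name: str
    bits_per_second: int
    bits_per_byte: int   # 8 on Ethernet, 10 on 8N1 serial (start + stop bit)
    max_payload: int     # bytes one frame can carry


# Constructed link profiles (assumptions, not measurements).
ETHERNET_100M = Link("100 Mbit/s station bus", 100_000_000, 8, 1500)
SERIAL_19200 = Link("19200 baud RTU line", 19_200, 10, 255)


def wire_time_ms(n_bytes: int, link: Link) -> float:
    """Serialization time for n_bytes on the link, in milliseconds."""
    return n_bytes * link.bits_per_byte * 1000 / link.bits_per_second


def frames_needed(n_bytes: int, link: Link) -> int:
    """Number of frames required to carry n_bytes (ceiling division)."""
    return -(-n_bytes // link.max_payload)


def assess(scheme: str, link: Link, payload_bytes: int,
           budget_ms: float, cpu_ms: float = 0.0) -> dict:
    """Lower bound on per-message latency for a signed message.

    cpu_ms is the sign + verify time measured on the target devices;
    it defaults to 0 so the result shows the cost of the bytes alone.
    """
    total = payload_bytes + SIGNATURE_BYTES[scheme]
    latency = wire_time_ms(total, link) + cpu_ms
    return {
        "scheme": scheme,
        "link": link.name,
        "frames": frames_needed(total, link),
        "latency_ms": latency,
        "within_budget": latency <= budget_ms,
    }


def budget_table(links, payload_bytes: int, budget_ms: float) -> list:
    """Assess every known scheme on every link against one deadline."""
    return [assess(s, l, payload_bytes, budget_ms)
            for l in links for s in SIGNATURE_BYTES]


if __name__ == "__main__":
    # 200-byte application payload and the 10 ms deadline quoted above.
    for row in budget_table([ETHERNET_100M, SERIAL_19200], 200, 10.0):
        verdict = "ok" if row["within_budget"] else "MISSES DEADLINE"
        print(f'{row["link"]:24} {row["scheme"]:11} '
              f'{row["frames"]:3d} frame(s) {row["latency_ms"]:10.3f} ms  {verdict}')
```

On the constructed serial profile every scheme misses the 10 ms deadline from transmission time alone, and on Ethernet an ML-DSA signature no longer fits in a single 1500-byte frame, which matters for protocols that expect one frame per message.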

5.2. The Organizational Dimension: The Roadmap to Quantum Readiness

From an organizational perspective, the transition to quantum-safe architectures is currently hindered by a lack of structured migration roadmaps and a “decision-making vacuum.” Our synthesis indicates that while governance and risk management frameworks are beginning to acknowledge quantum threats, they often remain at a theoretical level [78]. Organizations operating critical infrastructures face a significant challenge: balancing the risk of “harvest now, decrypt later” attacks against the inherent costs of premature hardware overhauls.
As suggested in [48], the “Quantum Readiness” of an organization is not merely a technical update but a strategic capability. However, a primary gap identified in this dimension is the scarcity of crypto-agility as a formal organizational policy. Most entities continue to view cybersecurity as a static implementation rather than a dynamic process [49,62]. Furthermore, the “human factor” emerges as a critical bottleneck; the evidence from studies such as [54] points to a severe shortage of personnel capable of bridging the gap between quantum cryptography and industrial operations. This creates an organizational risk that transcends technical vulnerabilities, suggesting that effective readiness requires a fundamental shift in how long-lived asset lifecycles are managed within the corporate structure.
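One way to turn the HNDL-versus-overhaul trade-off into an inventory triage is sketched below. It is an added example, not a method from the reviewed studies, and it applies Mosca's inequality (data shelf life plus migration time compared with the time until a cryptographically relevant quantum computer, CRQC). The asset list, the 12-year CRQC horizon and the 112-bit floor are constructed assumptions.

```python
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "ECC", "DH"}   # factoring / discrete-log based
SYMMETRIC = {"AES"}                  # Grover gives a quadratic speed-up only


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str           # family name, e.g. "RSA", "ECC", "AES", "ML-KEM"
    classical_bits: int      # security level against a classical attacker
    purpose: str             # "confidentiality" or "authentication"
    shelf_life_years: float  # how long captured traffic must stay secret
    migration_years: float   # time needed to deploy a replacement
    field_updatable: bool    # False: hard-coded primitive or fixed root of trust


def post_quantum_bits(algorithm: str, classical_bits: int) -> int:
    """Textbook security level against a quantum-capable adversary."""
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return 0                     # Shor: polynomial-time break
    if alg in SYMMETRIC:
        return classical_bits // 2   # Grover: worst-case halving
    return classical_bits            # assumed quantum-resistant (e.g. ML-KEM)


def exposure_margin(asset: Asset, years_to_crqc: float) -> float:
    """Years of slack under Mosca's inequality; negative means exposed.

    Confidentiality is exposed to harvest-now-decrypt-later, so the data
    shelf life counts. Authentication only has to be replaced before a
    CRQC exists, so only the migration time counts.
    """
    if asset.purpose == "confidentiality":
        needed = asset.shelf_life_years + asset.migration_years
    else:
        needed = asset.migration_years
    return years_to_crqc - needed


def triage(assets, years_to_crqc: float, min_bits: int = 112) -> list:
    """Return (name, post-quantum bits, margin, action), most urgent first."""
    order = {"replace-hardware": 0, "migrate-now": 1,
             "plan-migration": 2, "keep": 3}
    rows = []
    for a in assets:
        pq = post_quantum_bits(a.algorithm, a.classical_bits)
        margin = exposure_margin(a, years_to_crqc)
        if pq >= min_bits:
            action = "keep"
        elif margin >= 0:
            action = "plan-migration"
        elif a.field_updatable:
            action = "migrate-now"
        else:
            action = "replace-hardware"   # cannot be patched in the field
        rows.append((a.name, pq, margin, action))
    rows.sort(key=lambda r: (order[r[3]], r[2]))
    return rows


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("historian-vpn", "ECC", 128, "confidentiality", 10, 3, True),
    Asset("backup-archive", "AES", 256, "confidentiality", 25, 1, True),
    Asset("rtu-telemetry-tunnel", "RSA", 112, "confidentiality", 15, 8, False),
    Asset("relay-firmware-signing", "ECC", 128, "authentication", 0, 6, False),
    Asset("pilot-pqc-gateway", "ML-KEM", 192, "confidentiality", 15, 0, True),
]
YEARS_TO_CRQC = 12  # planning assumption, not a forecast

if __name__ == "__main__":
    for name, pq, margin, action in triage(INVENTORY, YEARS_TO_CRQC):
        print(f"{name:24} pq_bits={pq:3d} margin={margin:+5.1f}y  {action}")
```

The non-updatable RTU tunnel sorts first because neither a firmware update nor waiting resolves its exposure, which mirrors the hardware-replacement point made for legacy devices.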

5.3. The Environmental Dimension: Regulatory Pressure and Sectoral Specificity

The environmental dimension is characterized by a top-down pressure from international standard-setting bodies, primarily led by the NIST post-quantum cryptography (PQC) standardization process [5,59]. Our findings show that regulatory environments in sectors like smart grids and healthcare are the primary drivers for quantum adoption [86,87,88]. However, a “sectoral misalignment” is clearly observed: standards are often developed with a “one-size-fits-all” approach that does not account for the heterogeneous and legacy-heavy nature of industrial IoT (IIoT) [89].
In the energy sector, for instance, the long lifecycle of infrastructure—often exceeding 20 years—creates a context where current regulations and environmental pressures lag the rapid pace of quantum development [56,66,90,91,92]. The analysis suggests that the environmental push for quantum security is currently fragmented; while some jurisdictions are moving toward mandatory quantum-resistant standards for critical infrastructure, others lack the legislative framework to enforce such updates. This creates a global landscape of uneven security levels, where interconnected CPS networks remain as vulnerable as their least-regulated node. Therefore, the “environmental” dimension highlights the urgent need for harmonized international policies that translate IT-centric quantum standards into actionable OT-specific requirements.

5.4. Threats to Validity

The validity of this study was ensured by following a rigorous protocol; however, as with any secondary study, there are potential threats that must be acknowledged. We have categorized these threats according to the phase of the review in which they may occur: biases in research questions, search strings, study selection, and data extraction [15,17,18,19,20,23,24,25,26,27].
  • Biases in research questions: The formulation of research questions (RQs) can inherently limit the scope of the review if they are too narrow or biased toward a specific technology or outcome. To mitigate this, the RQs were defined iteratively and reviewed to ensure they were broad enough to cover the SLR landscape but specific enough to provide actionable insights. We aligned the questions with the PICO criteria to ensure neutrality and completeness.
  • Biases in the search string: A poorly constructed search string is a major threat to internal validity, potentially leading to the exclusion of relevant studies (low recall) or an unmanageable amount of noise (low precision). This risk was minimized by:
    • Conducting pilot searches to refine the keywords and synonyms.
    • Including terms related to both “cyber-physical” and “cyber physical system” to account for terminological differences between communities.
    • Adapting the logical operators (AND/OR) specifically for the syntax of each data source (IEEE Xplore, Scopus, Web of Science, ScienceDirect, SpringerLink, ACM Digital Library, and Google Scholar) to avoid syntax errors that could omit results.
  • Biases in study selection: Selection bias occurs when the decision to include or exclude a study is influenced by the researcher’s subjectivity. To mitigate this, we defined strict and explicit inclusion and exclusion criteria prior to the search. After applying the inclusion and exclusion criteria, the selection process was carried out using three criteria (Criterion 1: studies were eliminated based on an assessment of thematic relevance, methodological rigor, results, and conclusions to select the most important ones. Criterion 2: studies were eliminated based on an assessment of clarity, credibility, relevance, and rigor; and finally, Criterion 3: studies were eliminated based on an assessment of the answers to the final research questions).
  • Biases in data extraction: There is a risk of inaccuracy or subjectivity when extracting complex information from the primary studies, specifically when classifying qualitative data. To mitigate this, a standardized data extraction form was designed in Excel to guide the process. During the extraction phase, ambiguous cases were discussed among the authors until a consensus was reached. This ensured that the classification of studies was consistent throughout the review.
  • Publication Bias: The search was limited to English-language studies, potentially overlooking relevant developments in national-level CI research (from non-English-speaking nations active in quantum research).

5.5. Explaining Persistent Gaps Through a TOE Lens

Beyond listing gaps, we interpret why they persist using the Technology-Organization-Environment (TOE) lens, which connects technical barriers with operational and regulatory realities in CPS/OT.
Technology factors: OT constraints (tight latency budgets, limited CPU/memory, and hardware roots of trust) slow adoption of PQC and make crypto-agility difficult to retrofit; this explains why many studies remain at the simulation/testbed level and why protocol-compatible deployments are concentrated in a few sectors (e.g., smart grids).
Organization factors: long asset lifecycles, safety certification processes, and maintenance windows create high switching costs; consequently, operators favor incremental overlay architectures, while security governance often prioritizes compliance over forward-looking quantum-readiness metrics.
Environmental factors: regulation and standards lag the threat timeline (HNDL), and data-sharing constraints (confidentiality of infrastructure telemetry, vendor NDAs) inhibit the creation of representative open datasets. These factors jointly explain the observed scarcity of real-world benchmarks and the limited translation of PQC/QKD proposals into operational guidance.
This TOE-based interpretation directly informs the research agenda in Section 6.1 by prioritizing benchmarks, migration patterns, and measurable readiness criteria that are feasible under CPS/OT constraints.

6. Conclusions and Future Research Agenda

The transition toward a quantum-resilient ecosystem for cyber-physical systems (CPS) is no longer a theoretical debate but a strategic necessity for critical infrastructure protection. This systematic review of 66 primary studies has characterized the landscape of threats, solutions, and management frameworks, leading to the following conclusions.

6.1. Conclusions

Firstly, the “Harvest Now, Decrypt Later” (HNDL) strategy poses an immediate risk to sectors with long-life-cycle assets, such as energy and maritime transport. The evidence indicates that current cryptographic standards in OT are insufficient for the post-quantum era. Secondly, a critical tension exists between security and operational availability; post-quantum algorithms (PQC) introduce computational overheads that challenge the strict real-time requirements (3 ms–10 ms) of industrial protocols like GOOSE and Sampled Values (SVs). Finally, the prevalence of hard-coded cryptographic primitives in legacy hardware remains the most significant physical barrier to achieving true cryptographic agility, necessitating a shift from simple firmware updates to comprehensive hardware replacement strategies.

6.2. Future Research Agenda

Based on the critical gaps identified in this study (see Table 6), we propose four priority lines for future research:
  • Hardware-Efficient PQC for Edge Devices: Research must focus on optimizing lattice-based or isogeny-based algorithms specifically for low-power microcontrollers and industrial IoT devices, minimizing the “computational debt” without compromising security.
  • Quantum-Safe Real-Time Frameworks: There is an urgent need to develop hybrid security architectures that can authenticate time-critical substation communications (IEC 61850) within sub-10 ms windows, possibly through hardware acceleration or pre-computation of signatures.
  • Cross-Sectoral Migration Playbooks: Future work should transition from theoretical models to practical “Migration Playbooks.” These should include step-by-step risk estimation methodologies (following Yesina et al. [8]) tailored to specific critical infrastructure sectors.
  • AI-Driven Cryptographic Agility: Integrating machine learning to automate the detection of vulnerable classical primitives and facilitate the modular replacement of algorithms in software-defined industrial networks.
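
The HNDL and hard-coded-primitive conclusions above can be turned into a first-pass inventory triage using Mosca's inequality (exposure when x + y > z). The sketch below is an added example, not code from the article or its Zenodo datasets; the asset names, lifetimes, the 12-year quantum horizon and the 128-bit symmetric floor are constructed assumptions.

```python
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}  # factoring / discrete-log based
PQC_FAMILIES = {"ML-KEM"}                             # standardized in FIPS 203
CRQC_HORIZON_YEARS = 12      # ASSUMPTION (z): years until a cryptographically relevant quantum computer
MIN_POST_QUANTUM_BITS = 128  # ASSUMPTION: policy floor for symmetric strength after Grover


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str        # label such as "RSA-2048", "AES-128", "ML-KEM-768"
    purpose: str          # "confidentiality" or "authentication"
    shelf_life: int       # x: years the protected data must stay secret
    migration_years: int  # y: years needed to replace the primitive
    hardcoded: bool       # True if the primitive is fixed in hardware


def classify(algorithm: str) -> str:
    """Map an algorithm label to its quantum exposure class."""
    family, _, param = algorithm.upper().rpartition("-")
    if family in SHOR_BROKEN:
        return "shor-broken"
    if family in PQC_FAMILIES:
        return "pqc"
    if family == "AES" and param.isdigit():
        # Grover's quadratic speed-up leaves roughly half the key bits.
        return "ok" if int(param) // 2 >= MIN_POST_QUANTUM_BITS else "grover-weakened"
    return "unknown"  # unparsed or proprietary labels are never assumed safe


def triage(asset: Asset, horizon: int = CRQC_HORIZON_YEARS) -> dict:
    """Apply Mosca's inequality (x + y > z) to one asset."""
    status = classify(asset.algorithm)
    # Harvested ciphertext stays valuable for x years, so x counts only for
    # confidentiality. Forging a signature needs a working quantum computer,
    # so for authentication only the migration time y is compared with z.
    x = asset.shelf_life if asset.purpose == "confidentiality" else 0
    margin = x + asset.migration_years - horizon
    exposed = status == "shor-broken" and margin > 0
    if status == "unknown":
        action = "manual review"
    elif status == "grover-weakened":
        action = "raise symmetric key size"
    elif status != "shor-broken":
        action = "none"
    elif asset.hardcoded:
        action = "replace hardware"  # firmware cannot swap a fixed primitive
    else:
        action = "deploy PQC or hybrid update"
    return {
        "name": asset.name,
        "status": status,
        "margin": margin,
        "exposed": exposed,
        "hndl": exposed and asset.purpose == "confidentiality",
        "action": action,
    }


def rank(inventory, horizon: int = CRQC_HORIZON_YEARS) -> list:
    """Most urgent first: exposed assets, then unknowns, then the rest."""
    tier = {"unknown": 1, "shor-broken": 2, "grover-weakened": 3, "ok": 4, "pqc": 4}
    rows = [triage(a, horizon) for a in inventory]
    return sorted(rows, key=lambda r: (0 if r["exposed"] else tier[r["status"]], -r["margin"]))


# Constructed sample inventory, not taken from the reviewed studies.
INVENTORY = [
    Asset("substation-gateway-vpn", "RSA-2048", "confidentiality", 15, 3, False),
    Asset("protection-relay-goose-auth", "ECDSA-P256", "authentication", 0, 14, True),
    Asset("hmi-tls-session", "ECDH-P256", "confidentiality", 2, 2, False),
    Asset("historian-at-rest", "AES-128", "confidentiality", 20, 1, False),
    Asset("vessel-telemetry-link", "ML-KEM-768", "confidentiality", 10, 0, False),
    Asset("legacy-rtu-serial", "VENDOR-PROPRIETARY", "authentication", 0, 8, True),
]

if __name__ == "__main__":
    for row in rank(INVENTORY):
        print(f'{row["name"]:30} {row["status"]:16} margin={row["margin"]:+3d} '
              f'hndl={row["hndl"]!s:5} -> {row["action"]}')
```

Changing `horizon` shows how sensitive the ranking is to the assumed quantum timeline, which is the parameter an operator can least control.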

Author Contributions

Conceptualization, S.A., C.P., and R.M.; methodology, C.P.; software, S.A.; validation, S.A.; formal analysis, S.A.; investigation, S.A.; resources, S.A.; data curation, S.A.; writing—original draft preparation, S.A.; writing—review and editing, C.P. and R.M.; visualization, S.A.; supervision, C.P.; project administration, C.P.; funding acquisition, S.A. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the foundation for the future of Colombia—COLFUTURO, using the financial resource granted by No. 909 of 2021 of the additional bank of financiable—Cohort No. 2. Resolution 0608-2022.

Data Availability Statement

The data presented in this study are available on request from the corresponding author. The datasets supporting this study (SLR protocol artifacts, Stage 1–4: GQM definition, search strings, selection logs, extraction sheets, and the review report) are openly available in Zenodo (CERN, Geneva, Switzerland) at: https://doi.org/10.5281/zenodo.17613862 (reference number 17613862); https://doi.org/10.5281/zenodo.17429827 (reference number 17429827); https://doi.org/10.5281/zenodo.17675874 (reference number 17675874); https://doi.org/10.5281/zenodo.17725590 (reference number 17725590); https://doi.org/10.5281/zenodo.17350724 (reference number 17350724) (accessed on 20 February 2026). Additional materials not included in these datasets are available from the corresponding author upon reasonable request.

Acknowledgments

The authors, S.A. and C.P., extend their gratitude to the research group GTI from the Universidad del Cauca. Similarly, R.M. acknowledges the support of the research group Lab-STICC from the Ecole Nationale Supérieure de Techniques Avancées (ENSTA). Likewise, during the preparation of this study, the authors used GenAI models, such as Gemini version 3, to synthesize the project’s original information, providing summarized information with a coherent narrative. The authors have reviewed and edited the output and assume full responsibility for the content of this publication.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
AES: Advanced Encryption Standard
AI/ML: Artificial Intelligence/Machine Learning
C2M2: Cybersecurity Capability Maturity Model
CI: Critical Infrastructure
CPDs: Cyber-Physical Devices
CPSs: Cyber-Physical Systems
CRYSTALS: CRYptographic SuiTe for Algebraic LatticeS
CV-QKD: Continuous-Variable Quantum Key Distribution
DERs: Distributed Energy Resources
DV-QKD: Discrete-Variable Quantum Key Distribution
DNP3: Distributed Network Protocol version 3
EC: Exclusion Criteria
ECC: Elliptic Curve Cryptography
GOOSE: Generic Object-Oriented Substation Event
GQM: Goal Question Metric
HNDL: Harvest Now, Decrypt Later
IC: Inclusion Criteria
ICSs: Industrial Control Systems
IDS: Intrusion Detection System
IEC: International Electrotechnical Commission
IIoTs: Industrial Internet of Things
IoMTs: Internet of Medical Things
IoTs: Internet of Things
ML-KEM: Module-Lattice-based Key-Encapsulation Mechanism
NIST CSF: National Institute of Standards and Technology Cybersecurity Framework
OT: Operational Technology
PICO: Population, Intervention, Comparison and Outcome
PLC: Programmable Logic Controller
PQC: Post-Quantum Cryptography
PRISMA: Preferred Reporting Items for Systematic Reviews and Meta-Analyses
QKD: Quantum Key Distribution
QTM: Quantum Threat Modeling
RQ: Research Question
RSA: Rivest, Shamir & Adleman Encryption Algorithm
RTU: Remote Terminal Unit
SCADA: Supervisory Control And Data Acquisition
SG: Search Goal
SLR: Systematic Literature Review
SVs: Sampled Values
ZTAs: Zero Trust Architectures

References

  1. Karnouskos, S. Stuxnet Worm Impact on Industrial Cyber-Physical System Security. In Proceedings of the IECON 2011—37th Annual Conference of the IEEE Industrial Electronics Society, Melbourne, VIC, Australia, 7–10 November 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 4490–4494.
  2. Mitchell, R.; Chen, I.-R. A Survey of Intrusion Detection Techniques for Cyber-Physical Systems. ACM Comput. Surv. 2014, 46, 1–29.
  3. Giraldo, J.; Urbina, D.; Cárdenas, A.; Valente, J.; Faisal, M.; Ruths, J.; Tippenhauer, N.O.; Sandberg, H.; Candell, R. A Survey of Physics-Based Attack Detection in Cyber-Physical Systems. ACM Comput. Surv. 2018, 51, 1–36.
  4. Mosca, M. Cybersecurity in an Era with Quantum Computers: Will We Be Ready? IEEE Secur. Priv. 2018, 16, 38–41.
  5. Bernstein, D.J.; Lange, T.; Schwabe, P. Post-Quantum Cryptography: State of the Art. IEEE Secur. Priv. 2015, 13, 22–27.
  6. Taylor, M.G. An Introduction to Quantum Threat Modeling. Commun. ACM 2023, 66, 38–46.
  7. Pirandola, S.; Andersen, U.L.; Banchi, L.; Berta, M.; Bunandar, D.; Colbeck, R.; Englund, D.; Gehring, T.; Lupo, C.; Ottaviani, C.; et al. Advances in quantum cryptography. Adv. Opt. Photonics 2020, 12, 1012.
  8. Yesina, M.V.; Ostrianska, Y.V.; Gorbenko, I.D. Status report on the third round of the NIST post-quantum cryptography standardization process. Radiotekhnika 2022, 3, 75–86.
  9. Lo, H.-K.; Curty, M.; Tamaki, K. Secure Quantum Key Distribution. Nat. Photonics 2014, 8, 595–604.
  10. Mo, Y.; Kim, T.H.J.; Brancik, K.; Dickinson, D.; Lee, H.; Perrig, A.; Sinopoli, B. Cyber–Physical Security of a Smart Grid Infrastructure. Proc. IEEE 2012, 100, 195–209.
  11. Chung, C.-C.; Pai, C.-C.; Ching, F.-S.; Wang, C.; Chen, L.-J. When Post-Quantum Cryptography Meets the Internet of Things: An Empirical Study. In Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and Services (MobiSys ’22); Association for Computing Machinery: New York, NY, USA, 2022; pp. 525–526.
  12. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; NIST: Gaithersburg, MD, USA, 2020.
  13. IEC 62443-1-1:2018; Security for Industrial Automation and Control Systems—Part 1-1: Terminology, Concepts and Models. International Electrotechnical Commission: Geneva, Switzerland, 2018.
  14. Jiang, Y.; Jeusfeld, M.A.; Mosaad, M.; Oo, N. Enterprise architecture modeling for cybersecurity analysis in critical infrastructures—A systematic literature review. Int. J. Crit. Infrastruct. Prot. 2024, 46, 100700.
  15. Donado, S.A.; Calvache, C.J.P.; Mazo, R. Stage 1. Apply Goal Question Metric Approach to Target Questions; Zenodo: Geneva, Switzerland, 2025.
  16. Cook, A.; Nicholson, A.; Janicke, H.; Maglaras, L.; Smith, R. Attribution of Cyber Attacks on Industrial Control Systems. EAI Endorsed Trans. Ind. Netw. Intell. Syst. 2016, 3, 151158.
  17. Homay, A.; Chrysoulas, C.; El Boudani, B.; de Sousa, M.; Wollschlaeger, M. A security and authentication layer for SCADA/DCS applications. Microprocess. Microsyst. 2021, 87, 103479.
  18. Mohammad, A. Development of the concept of electronic government construction in the conditions of synergetic threats. Technol. Audit. Prod. Reserves 2020, 3, 42–46.
  19. Alshowkan, M.; Evans, P.G.; Starke, M.; Earl, D.; Peters, N.A. Authentication of smart grid communications using quantum key distribution. Sci. Rep. 2022, 12, 12731.
  20. Poustourli, A. Research in Security Standardisation [Έρευνα στην Τυποποίηση και τα Πρότυπα Aσφάλειας]. In Proceedings of SafeEvros 2016: New Technologies at the Service of Civil Protection, Alexandroupolis, Greece, 22–25 June 2016; Democritus University of Thrace: Komotini, Greece, 2017; pp. 30–32. ISBN 978-960-89345-7-3.
  21. Shahzad, A.; Musa, S.; Aborujilah, A.; Irfan, M. The security survey and anaylsis on supervisory control and data acquisition communication. J. Comput. Sci. 2014, 10, 2006–2019.
  22. Sundararajan, A.; Chavan, A.; Saleem, D.; Sarwat, A. A Survey of Protocol-Level Challenges and Solutions for Distributed Energy Resource Cyber-Physical Security. Energies 2018, 11, 2360.
  23. Tomlinson, A.; Parkin, S.; Shaikh, S.A. Drivers and barriers for secure hardware adoption across ecosystem stakeholders. J. Cybersecur. 2022, 8, tyac009.
  24. Yang, W.; Peisong, Y.; Qianchuan, Z. Industry Trusted Network Communication Based on Quantum Encryption. In Proceedings of the 2019 Chinese Control Conference (CCC), Guangzhou, China, 27–30 July 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 7016–7022.
  25. Saha, S.S.; Rahman, S.; Ahmed, M.U.; Aditya, S.K. Ensuring Cybersecure Telemetry and Telecommand in Small Satellites: Recent Trends and Empirical Propositions. IEEE Aerosp. Electron. Syst. Mag. 2019, 34, 34–49.
  26. Mamun, A.A.; Abrar, A.; Rahman, M.; Salek, M.S.; Chowdhury, M. Enhancing Transportation Cyber-Physical Systems Security: A Shift to Post-Quantum Cryptography. arXiv 2024, arXiv:2411.13023.
  27. Khan, M.A.; Javaid, S.; Mohsan, S.A.H.; Tanveer, M.; Ullah, I. Future-proofing security for UAVs with post-quantum cryptography: A review. IEEE Open J. Commun. Soc. 2024, 5, 6849–6871.
  28. Pöyhönen, J. Cyber Security of an Electric Power System in Critical Infrastructure. In Cyber Security. Computational Methods in Applied Sciences; Springer: Cham, Switzerland, 2022; pp. 217–239.
  29. Kumar, P.; Lin, Y.; Bai, G.; Paverd, A.; Dong, J.S.; Martin, A. Smart Grid Metering Networks: A Survey on Security, Privacy and Open Research Issues. IEEE Commun. Surv. Tutor. 2019, 21, 2886–2927.
  30. Hussain, S.; Meraj, M.; Abughalwa, M.; Shikfa, A. Smart Grid Cybersecurity: Standards and Technical Countermeasures. In Proceedings of the 2018 International Conference on Computer and Applications (ICCA), Beirut, Lebanon, 25–26 August 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 136–140.
  31. Alguliyev, R.; Imamverdiyev, Y.; Sukhostat, L. Cyber-physical systems and their security issues. Comput. Ind. 2018, 100, 212–223.
  32. Yaacoub, J.-P.A.; Salman, O.; Noura, H.N.; Kaaniche, N.; Chehab, A.; Malli, M. Cyber-physical systems security: Limitations, issues and future trends. Microprocess. Microsyst. 2020, 77, 103201.
  33. Jasiūnas, J.; Lund, P.D.; Mikkola, J. Energy system resilience—A review. Renew. Sustain. Energy Rev. 2021, 150, 111476.
  34. Khoei, T.T.; Slimane, H.O.; Kaabouch, N. A Comprehensive Survey on the Cyber-Security of Smart Grids: Cyber-Attacks, Detection, Countermeasure Techniques, and Future Directions. arXiv 2022, arXiv:2207.07738.
  35. Tedeschi, P.; Sciancalepore, S.; Di Pietro, R. Satellite-based communications security: A survey of threats, solutions, and research challenges. Comput. Netw. 2022, 216, 109246.
  36. Thomasian, N.M.; Adashi, E.Y. Cybersecurity in the Internet of Medical Things. Health Policy Technol. 2021, 10, 100549.
  37. Choi, M.K.; Yeun, C.Y.; Seong, P.H. A Novel Monitoring System for the Data Integrity of Reactor Protection System Using Blockchain Technology. IEEE Access 2020, 8, 118732–118740.
  38. Alimi, O.A.; Ouahada, K.; Abu-Mahfouz, A.M.; Rimer, S.; Alimi, K.O.A. A Review of Research Works on Supervised Learning Algorithms for SCADA Intrusion Detection and Classification. Sustainability 2021, 13, 9597.
  39. Kong, P.-Y. A Review of Quantum Key Distribution Protocols in the Perspective of Smart Grid Communication Security. IEEE Syst. J. 2022, 16, 41–54.
  40. Syafrizal, M.; Selamat, S.R.; Zakaria, N.A. Analysis of Cybersecurity Standard and Framework Components. Int. J. Commun. Netw. Inf. Secur. 2022, 12, 417–432.
  41. Maynard, P.; McLaughlin, K. Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks. In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications, Paris, France, 8–10 July 2020; SCITEPRESS-Science and Technology Publications: Setúbal, Portugal, 2020; pp. 287–294.
  42. Rajeh, W. An Integrated Authentication Scheme for Supervisory Control and Data Acquisition System Based on Quantum Key Distribution. In Proceedings of the 2022 2nd International Conference on Computing and Information Technology (ICCIT), Tabuk, Saudi Arabia, 25–27 January 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 374–378.
  43. Wang, W.; Harrou, F.; Bouyeddou, B.; Senouci, S.-M.; Sun, Y. Cyber-attacks detection in industrial systems using artificial intelligence-driven methods. Int. J. Crit. Infrastruct. Prot. 2022, 38, 100542.
  44. Xu, W.; Tao, Y.; Yang, C.; Chen, H. MSICST: Multiple-Scenario Industrial Control System Testbed for Security Research. Comput. Mater. Contin. 2019, 60, 691–705.
  45. Tao, Y.; Xu, W.; Li, H.; Ji, S. Experience and Lessons in Building an ICS Security Testbed. In Proceedings of the 2019 1st International Conference on Industrial Artificial Intelligence (IAI), Shenyang, China, 23–27 July 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1–6.
  46. Lee, C.C.; Tan, T.G.; Sharma, V.; Zhou, J. Quantum Computing Threat Modelling on a Generic CPS Setup. In Applied Cryptography and Network Security Workshops; 12809 LNCS; Zhou, J., Ahmed, C.M., Batina, L., Chattopadhyay, S., Eds.; Springer Nature: Cham, Switzerland, 2021; pp. 171–190.
  47. Saeed, S.; Gull, H.; Aldossary, M.M.; Altamimi, A.F.; Alshahrani, M.S.; Saqib, M.; Iqbal, S.Z.; Almuhaideb, A.M. Digital Transformation in Energy Sector: Cybersecurity Challenges and Implications. Information 2024, 15, 764.
  48. Yigit, Y.; Ferrag, M.A.; Ghanem, M.C.; Sarker, I.H.; Maglaras, L.A.; Chrysoulas, C.; Moradpoor, N.; Tihanyi, N.; Janicke, H. Generative ai and llms for critical infrastructure protection: Evaluation benchmarks, agentic ai, challenges, and opportunities. Sensors 2025, 25, 1666.
  49. AlEnezi, A. Risk Assessment in OT Environments: Safeguarding Kuwait’s Critical Infrastructure. researchgate.net. Available online: https://www.researchgate.net/profile/Ali-Alenezi-4/publication/383870626_Risk_Assessment_in_OT_Environments_Safeguarding_Kuwait’s_Critical_Infrastructure/links/66debdfef84dd1716cde0a95/Risk-Assessment-in-OT-Environments-Safeguarding-Kuwaits-Critical-Infra (accessed on 17 January 2026).
  50. Singh, N.; Buyya, R.; Kim, H. Securing cloud-based internet of things: Challenges and mitigations. Sensors 2024, 25, 79.
  51. Chen, D.; Peng, Y.; Wang, H. Development of a Testbed for Process Control System Cybersecurity Research. In Proceedings of the 3rd International Conference on Electric and Electronics, Hong Kong, China, 24–25 December 2013; pp. 158–161.
  52. Hussain; Mohamed, A.; Razali, S. A Review on Cybersecurity: Challenges & Emerging Threats. In Proceedings of the 3rd International Conference on Networking, Information Systems & Security, Marrakech, Morocco, 31 March–2 April 2020; ACM: New York, NY, USA, 2020.
  53. Negi, R.; Shukla, S.K. Building India’s First Cyber-Security Test-Bed for CI. In Cyber Security in India: Education, Research and Training; Shukla, S.K., Agrawal, M., Eds.; Chapter 1; Springer: Singapore, 2020; pp. 1–15.
  54. Mukhopadhyay, D. Hardware Security in India: The Journey so Far. In Cyber Security in India: Education, Research and Training; Shukla, S.K., Agrawal, M., Eds.; Chapter 8; Springer: Singapore, 2020; pp. 71–96.
  55. Sahin, M.E.; Tawalbeh, L.; Muheidat, F. The Security Concerns On Cyber-Physical Systems And Potential Risks Analysis Using Machine Learning. Procedia Comput. Sci. 2022, 201, 527–534.
  56. Yang, M.; Qu, Y.; Ranbaduge, T.; Thapa, C.; Sultan, N.H.; Ding, M.; Suzuki, H.; Ni, W.; Abuadbba, S.; Smith, D.; et al. From 5g to 6g: A survey on security, privacy, and standardization pathways. ACM Comput. Surv. 2026, 58, 1–38.
  57. Wehner, S.; Elkouss, D.; Hanson, R. Quantum Internet: A Vision for the Road Ahead. Science 2018, 362, eaam9288.
  58. Sikiru, A.; Kora, A.D.; Ezin, E.C.; Imoize, A.L.; Li, C.T. Hybridization of Learning Techniques and Quantum Mechanism for IIoT Security: Applications, Challenges, and Prospects. Electronics 2024, 13, 4153.
  59. NIST. Module-Lattice-Based Key-Encapsulation Mechanism Standard; NIST: Gaithersburg, MD, USA, 2024.
  60. Gonzalez-Granadillo, G.; Dubus, S.; Motzek, A.; Garcia-Alfaro, J.; Alvarez, E.; Merialdo, M.; Papillon, S.; Debar, H. Dynamic risk management response system to handle cyber threats. Future Gener. Comput. Syst. 2018, 83, 535–552.
  61. Evans, P.G.; Alshowkan, M.; Earl, D.; Mulkey, D.D.; Newell, R.; Peterson, G.; Safi, C.; Tripp, J.L.; Peters, N.A. Trusted Node QKD at an Electrical Utility. IEEE Access 2021, 9, 105220–105229.
  62. Paul, S.; Niethammer, M. On the importance of cryptographic agility for industrial automation. at-Automatisierungstechnik 2019, 67, 402–416.
  63. Tan, T.G.; Szalachowski, P.; Zhou, J. Challenges of post-quantum digital signing in real-world applications: A survey. Int. J. Inf. Secur. 2022, 21, 937–952.
  64. Tuinema, B.W.; Torres, J.L.R.; Stefanov, A.I.; Gonzalez-Longatt, F.M.; van der Meijden, M.A.M.M. Cyber-physical system modeling for assessment and enhancement of power grid cyber security, resilience, and reliability. In Probabilistic Reliability Analysis of Power Systems; Springer: Cham, Switzerland, 2020.
  65. Sharkov, G. Assessing the Maturity of National Cybersecurity and Resilience. Connect. Q. J. 2020, 19, 5–24.
  66. Gholami, M.M.; Kassaee, M.; Arabsorkhi, A. A Novel Maturity Model for MSSP Assessment. Int. J. Inf. Commun. Technol. Res. 2019, 11, 57–70.
  67. Khou, S.; Mailloux, L.O.; Pecarina, J.M.; Mcevilley, M. A Customizable Framework for Prioritizing Systems Security Engineering Processes, Activities, and Tasks. IEEE Access 2017, 5, 12878–12894.
  68. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero Trust Architecture (ZTA): A Comprehensive Survey. IEEE Access 2022, 10, 57143–57179.
  69. Ahmadi, N. A Comprehensive Cybersecurity Framework For Afghanistan’s Cyberspace. Int. J. Eng. Appl. Sci. Technol. 2021, 6, 213–230.
  70. Donado, S.A.; Calvache, C.J.P.; Mazo, R. Stage 3. Perform Data Review and Synthesis; Zenodo: Geneva, Switzerland, 2025.
  71. Kitchenham, B.; Charters, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering; Keele University: Keele, UK; Durham University: Durham, UK, 2007.
  72. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
  73. Donado, S.A.; Calvache, C.J.P.; Mazo, R. Stage 2. Define Search and Selection Strategies; Zenodo: Geneva, Switzerland, 2025.
  74. Donado, S.A.; Calvache, C.J.P.; Mazo, R. Stage 4. Perform Review Report; Zenodo: Geneva, Switzerland, 2025.
  75. Basili, V.; Trendowicz, A.; Kowalczyk, M.; Heidrich, J.; Seaman, C.; Münch, J.; Rombach, D. Aligning Organizations Through Measurement. In The Fraunhofer IESE Series on Software and Systems Engineering; Springer International Publishing: Cham, Switzerland, 2014.
  76. Donado, S.A.; Calvache, C.J.P.; Mazo, R. Quality Criteria for Evaluating Research Questions in Systematic Literature Reviews; Zenodo: Geneva, Switzerland, 2025.
  77. Braun, V.; Clarke, V. Using thematic analysis in psychology. Qual. Res. Psychol. 2006, 3, 77–101.
  78. Yigit, Y.; Ferrag, M.A.; Sarker, I.H.; Maglaras, L.A.; Chrysoulas, C.; Moradpoor, N.; Janicke, H. Critical infrastructure protection: Generative AI, challenges, and opportunities. arXiv 2024, arXiv:2405.04874.
  79. Wang, J.; Feng, T. OTS-Based SCADA Control Command Sequential Logic Authentication Scheme; Faversham House Group Ltd.: East Grinstead, UK, 2021; Available online: http://www.converter-magazine.info/index.php/converter/article/view/584 (accessed on 17 January 2026).
  80. Sun, N.; Li, C.-T.; Chan, H.; Le, B.D.; Islam, Z.; Zhang, L.Y.; Islam, R.; Armstrong, W. Defining Security Requirements With the Common Criteria: Applications, Adoptions, and Challenges. IEEE Access 2022, 10, 44756–44777.
  81. Haney, M. Leveraging Cyber-Physical System Honeypots to Enhance Threat Intelligence. In IFIP Advances in Information and Communication Technology (570 IFIP); Springer International Publishing: Cham, Switzerland, 2019; pp. 209–233.
  82. Shmatko, O.; Balakireva, S.; Vlasov, A.; Zagorodna, N.; Korol, O.; Milov, O.; Petrov, O.; Pohasii, S.; Rzayev, K.; Khvostenko, V. Development of methodological foundations for designing a classifier of threats to cyberphysical systems. East.-Eur. J. Enterp. Technol. 2020, 3, 6–19.
  83. Simonov, M.; Bertone, F.; Goga, K.; Terzo, O. Cyber Kill Chain Defender for Smart Meters. Complex Intell. Softw. Intensive Syst. 2019, 993, 386–397.
  84. Zhou, I.; Makhdoom, I.; Shariati, N.; Raza, M.A.; Keshavarz, R.; Lipman, J.; Abolhasan, M.; Jamalipour, A. Internet of Things 2.0: Concepts, Applications, and Future Directions. IEEE Access 2021, 9, 70961–71012.
  85. Tornatzky, L.G.; Fleischer, M. The Processes of Technological Innovation; Lexington Books: Lexington, MA, USA, 1990.
  86. Islam, S.N.; Baig, Z.; Zeadally, S. Physical Layer Security for the Smart Grid: Vulnerabilities, Threats, and Countermeasures. IEEE Trans. Industr. Inform. 2019, 15, 6522–6530.
  87. Hemminghaus, C.; Bauer, J.; Wolsing, K. SIGMAR: Ensuring Integrity and Authenticity of Maritime Systems using Digital Signatures. In Proceedings of the 2021 International Symposium on Networks, Computers and Communications (ISNCC), Dubai, United Arab Emirates, 31 October–2 November 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6.
  88. Sandeepa, C.; Siniarski, B.; Kourtellis, N.; Wang, S.; Liyanage, M. A Survey on Privacy for B5G/6G: New Privacy Goals, Challenges, and Research Directions. arXiv 2022, arXiv:2203.04264.
  89. Vaidyan, V.M.; Tyagi, A. Towards Quantum Artificial Intelligence Electromagnetic Prediction Models for Ladder Logic Bombs and Faults in Programmable Logic Controllers. In Proceedings of the 2022 International Conference on Electronic Systems and Intelligent Computing, ICESIC 2022, Chennai, India, 22–23 April 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 1–6.
  90. Pipyros, K.; Mitrou, L.; Gritzalis, D. Evaluating the Effects of Cyber-Attacks on Critical Infrastructures in the Context of Tallinn Manual; Information Security & Critical Infrastructure Protection (INFOSEC): Athens, Greece, 2017; p. 5. Available online: https://www.infosec.aueb.gr/Publications/NATO-NMIOTC-2017-Cyber_attacks_Tallinn_manual.pdf (accessed on 17 January 2026).
  91. Parvin, S.; Hussain, F.K.; Hussain, O.K.; Thein, T.; Park, J.S. Multi-cyber framework for availability enhancement of cyber physical systems. Computing 2013, 95, 927–948.
  92. Sharma, M.; Elmiligi, H.; Gebali, F. Network Security and Privacy Evaluation Scheme for Cyber Physical Systems (CPS). In Handbook of Big Data Privacy; Springer International Publishing: Cham, Switzerland, 2020; pp. 191–217.
Figure 1. SLR protocol. Overview of activities carried out by each of the 4 stages. Summary of the systematic review workflow integrating GQM-based planning (orange), definition of search and selection strategies (blue), PRISMA-based study selection and synthesis (green), and review reporting (purple). The arrows indicate the direction of the process and the flow of data between steps. The vertical arrows in the upper boxes indicate which domains/guidance criteria (e.g., PICOC/PICO, CI/EC, CCRR) apply to the corresponding step. The return arrows represent iterative refinement/feedback between stages.
Figure 2. PRISMA 2020 flowchart.
Table 1. Search goals (4) and respective research questions (8).
| Search Goals | Keywords | Domain Question | Research Question (RQ) |
|---|---|---|---|
| SG1 (Foundational trends and emerging threads) | Knowledge | What knowledge has been expressed in the field of research? | RQ1: What cybersecurity techniques will be compromised with the advent of the quantum era in CPD? |
| | | | RQ2: What kind of CPD will be compromised by cybersecurity threats in the quantum era? |
| | | | RQ3: How vulnerable will CPD cybersecurity be in the quantum era? |
| SG2 (Operational Security and Resilience Management) | Scope | What is the scope of research expressed? | RQ4: Under what conditions are the threats of the quantum era real risks for CPD? |
| | | | RQ5: What are the most effective strategies for protecting CPD against network attacks in the quantum era? |
| | | | RQ6: What characteristics should be considered when developing cybersecurity solutions for CPD in the quantum era? |
| SG3 (Methodological Contributions and Experimental Validation) | Management | How to characterize cybersecurity management in the research domain? | RQ7: How to manage the cybersecurity of CPD used in critical infrastructure in the quantum era? |
| SG4 (Strategic Justification) | Use | Why use the research domain? | RQ8: Why is critical infrastructure seeing compromised CPD cybersecurity in the quantum era? |

SG = Search Goal, RQ = Research Question, CPD = Cyber-Physical Device.
Table 2. Comparative analysis of primary studies vs. related work.
| Reference | Methodology | Scope/Focus | Sector/Domain | Quantum/Related Technique | Key Differences & Alignment with This SLR |
|---|---|---|---|---|---|
| Karnouskos (2011) [1] | Case analysis | Stuxnet/ICS security | ICS/OT | None | Historical context. Complementary to: [16,41,45,60,61] |
| Mitchell & Chen (2014) [2] | Survey | IDS in CPS | CPS | None | Classical IDS. Extended by: [22,29,31,33,34,38,43,44,55] |
| Giraldo et al. (2018) [3] | Deep survey | Physics-based detection | Industrial CPS | None (pre-quantum) | Classical baseline. Extended by: [22,31,41,44,51] |
| Mosca (2018) [4] | Strategic analysis | Global quantum risk | General | PQC (strategic) | Macro-level view. Aligned with: [16,17,18,19,24,26,27,46] |
| Bernstein et al. (2015) [5] | Technical review | PQC State of the Art | Cryptography | PQC algorithms | Theoretical focus. Aligned with: [19,26,27,39,42,62,63] |
| Taylor (2023) [6] | Framework | Threat modeling | Quantum security | QTM | Theoretical model. Applied in: [27,46,48] |
| Pirandola et al. (2020) [7] | Extensive review | Advanced quantum crypto | Quantum security | CV/DV-QKD | Theoretical focus. Applied in: [19,24,25,39,46,61] |
| Lo et al. (2014) [9] | Review | QKD protocols | Telecom | QKD | Theoretical QKD. Applied in: [19,24,25,27,39,42,61] |
| Mo et al. (2017) [10] | Survey | Smart grid security | Energy | None | Lacks quantum aspect. Extended by: [22,28,29,30,33,34,35,64] |
| Chung et al. (2022) [11] | Benchmarking | PQC on IoT | IoT/Embedded | PQC performance | Performance baseline. Validated by: [36,43,44,50,56,58] |
| NIST SP 800-207 (2020) [12] | Framework | Zero trust architecture. | General | None | Governance model. Adapted in: [40,49,54,65,66,67,68] |
| Jiang (2024) [14] | Systematic review | CI * cybersecurity | CI * | None | High-level CI review. Extended by: All Primary Studies [69,70] |
| Wehner et al. (2018) [57] | Scientific perspective | Quantum Internet vision | Quantum networks | Entanglement, repeaters | Macro-level vision. Applied in: [19,24,25,27,39,61] |
| NIST FIPS 203 (2024) [59] | Standard | Lattice-based KEM | General | PQC (ML-KEM) | Standardization. Adoption in: [19,26,27,39,42,62,63] |

* Critical Infrastructure.
Table 3. PICO model application.
| Population | Intervention | Comparison | Outcome |
|---|---|---|---|
| (CPS/OT) * | Cyber-attacks | Not applicable | Effectiveness of cybersecurity measures. |
| | | | Resilience. |
| | Quantum computing | | Quantum applications to enhance or threaten cybersecurity. |
* Cyber-physical systems/operational technology.
Table 4. Inclusion criteria (IC).
| Criteria | Description |
|---|---|
| IC1 | Studies that have been peer-reviewed and published in journals, congresses, and proceedings addressing the main topic of cybersecurity of cyber-physical devices in critical infrastructures in the advent of the quantum era. |
| IC2 | Studies within the period 2005–2025. |
Table 5. Exclusion criteria (EC).
| Criteria | Description |
|---|---|
| EC1 | Duplicate studies (considering only the most complete and recent that can be evidenced). |
| EC2 | Studies that do not address the cybersecurity of cyber-physical devices in critical infrastructures in the advent of the quantum era or do so in a superficial manner. |
| EC3 | Studies that are reports, theses, books, or book chapters. |
| EC4 | Studies in languages other than English. |
| EC5 | Studies whose content is not accessible. |
Table 6. Synthesis of findings: mapping themes, evidence, and research gaps.
| Theme ID | Research Theme | Key Evidence & Findings | Representative Studies | Critical Gap Detected |
|---|---|---|---|---|
| T1 | Quantum Information Security | Quantum algorithms (Shor/Grover) render current RSA/ECC obsolete. Risk of “Harvest Now, Decrypt Later” for long-term CI data. | [16,17,19,23,24,25,39,42] | Lack of specific “Quantum Risk Assessment” tools for operational technology (OT) environments. |
| T2 | Cyber-Physical Systems & OT | CPS/OT are vulnerable due to long lifecycles (20+ years) and limited hardware resources (CPU/RAM) for heavy PQC signatures. | [16,17,28,29,30,31,32,35,45,51] | Most PQC studies ignore jitter requirements in industrial control loops. |
| T3 | Critical Infrastructure (CI) | Focus on high-availability sectors: energy, water, and maritime. Ransomware combined with quantum threats is a growing concern. | [17,22,33,34,41,42,49,60,78,79,80] | Absence of unified intersectoral resilience frameworks for the quantum transition at a national level. |
| T4 | ML & Intrusion Detection | AI/ML acts as a compensatory security layer. Generative AI and LLMs are being explored for automated vulnerability patching. | [29,38,43,48,51,55,58,78,81,82] | “Computational debt”: Edge devices cannot run ML models and PQC primitives simultaneously. |
| T5 | Smart Grids & Energy | Protection of GOOSE and SV protocols. PQC integration in smart meters and DER is a priority for grid stability. | [22,29,30,34,35,47,64,83] | PQC packet overhead exceeds the 3 ms–10 ms window required to prevent cascading failures. |
| T6 | IIoT & Edge Security | Migration toward “Quantum-ready” edge computing. High interest in secure quantum tunnels for industrial 5G/6G networks. | [25,35,36,50,56,58,83,84] | Non-existence of official certification systems for quantum-secure IIoT devices. |
| T7 | Governance & Models | The NIST process is the primary reference [8]. Emergence of “Quantum Readiness” maturity models for organizations. | [18,20,40,49,54,65,66,67,68,78] | Frameworks remain theoretical; there is a lack of practical “Migration Playbooks” for legacy technology environments. |
| T8 | PQC & Crypto-Agility | Preference for lattice-based algorithms (ML-KEM/Kyber). Emphasis on modular architectures to enable rapid algorithm changes. | [18,26,27,62,63] | Industrial controllers have “hard-coded” primitives, making “Agility” impossible without hardware replacement. |
Table 7. Evidence mapping by research question.
| Research Question (RQ) | Core Focus (Description from Protocol) | Supporting Studies (Count) |
|---|---|---|
| RQ1: Compromised Techniques | Identify cybersecurity techniques compromised by the advent of the quantum era in CPD. | 49 |
| RQ2: Compromised CPD | Identify the types of Cyber-Physical Devices (CPD) compromised by quantum threats. | 48 |
| RQ3: Vulnerability Level | Assess the degree of vulnerability in CPD cybersecurity during the quantum era. | 51 |
| RQ4: Risk Conditions | Determine the conditions under which quantum threats become real risks for CPD. | 51 |
| RQ5: Protection Strategies | Identify the most effective strategies for protecting CPD against network attacks. | 58 |
| RQ6: Solution Characteristics | Define essential characteristics for developing quantum-resilient cybersecurity solutions. | 62 |
| RQ7: Cybersecurity Management | Establish how to manage the cybersecurity of CPD used in critical infrastructure. | 61 |
| RQ8: Strategic Justification | Analyze why critical infrastructure faces compromised cybersecurity in the quantum era. | 58 |
Amador, S.; Pardo, C.; Mazo, R. Cybersecurity of Cyber-Physical Systems in the Quantum Era: A Systematic Literature Review-Based Approach. Future Internet 2026, 18, 125. https://doi.org/10.3390/fi18030125