Cyber Threats to Industrial IoT: A Survey on Attacks and Countermeasures

In today’s Industrial Internet of Things (IIoT) environment, where different systems interact with the physical world, the state of affairs proposed by the Industry 4.0 standards can lead to escalating vulnerabilities, especially when these systems receive data streams from multiple intermediaries, which calls for multilevel security approaches in addition to link encryption. At the same time, given the heterogeneity of the systems in the IIoT ecosystem and the lack of standardized interoperability in terms of hardware and software, serious questions arise as to how these systems can be secured. In this framework, since the protection of industrial equipment is inextricably linked to technological developments and the use of the IoT, it is important to identify the major vulnerabilities and the associated risks and threats and to suggest the most appropriate countermeasures. In this context, this study describes the attacks against IIoT systems and provides a thorough analysis of the solutions to these attacks proposed in the most recent literature.


Introduction
According to the Industry 4.0 standard [1], cyber-physical systems within partially structured smart factories play a central role in monitoring and supervising physical processes by taking autonomous and decentralized decisions in order to optimize the production process. An important factor in achieving this target is the IIoT operational network, in which the logical systems communicate and collaborate in real time to implement the intelligent production solutions, organizational services, and operational processes required to fulfil the production chain [2].
Specifically, IIoT refers to all interconnected sensors, instruments, and other devices, which in combination with industrial applications, including production and energy management, create a complex network of services, which allows the application of automation at a higher level (see Figure 1) [3].
This connectivity allows data collection, exchange, and analysis, and facilitates performance improvement across the production chain. It also enables the manufacturing sector to make large innovative leaps, become considerably more outward-looking, and develop activities that were previously impossible.
IoT 2021, 2, 164
It should be emphasized that the complete transformation of the supply chain into a truly integrated and fully automated process based on the IIoT presupposes the continuous and uninterrupted exchange of information from every stage of the production scale. For the implementation of this communication, IIoT systems are often combined in a multilevel architecture, in which at the hardware level are considered the physical systems (for instance sensors, actuators, control systems, security mechanisms, etc.), at the network level the physical networking media (wired and wireless), and finally at the upper layers the protocols that collect and transmit information from the communications stack.
The continuous increase in connectivity and the use of standard communication protocols under the Industry 4.0 standard, however, create a strong need to protect critical industrial systems from cyber security threats [4]. The industrial systems that control the production process and the operation of smart factories have constant access to the Internet and to the industrial networks and, in addition, to the information and data of the company to which they belong. Such devices are commonly called industrial control systems (ICS) [5]. The most common ICS are SCADA (supervisory control and data acquisition) systems and the sensors used in control loops to collect measurements and provide process automation [6]. These systems are interconnected within the IIoT network; they are active devices in real-time industrial networks that allow the remote monitoring and control of processes, even when the devices are located in remote areas.
This networking and connectivity improve the operational efficiency of the system, but at the same time they pose significant challenges for securing the infrastructure [7] in terms of confidentiality, integrity, and availability. Another very important factor that further weakens these systems is that both the machines and the devices in modern industrial facilities were originally designed for functionality rather than for a secure environment, which makes them particularly vulnerable to cyber-attacks.
Exploiting the vulnerabilities of the communication protocols widely used in the Industrial IoT, as well as the vulnerabilities related to their operational control and use, may result in the compromise of critical devices and applications, the denial or unavailability of essential services, or even their partial or total destruction, with incalculable consequences [8].
Generally speaking, the most relevant studies conducted so far focus on the security risks of IoT systems. For the particular environment of Industrial IoT systems, however, no extensive survey is available to the best of our knowledge. In addition, the existing studies fail to contribute substantially to the awareness and clear understanding of the risks associated with IIoT systems and of the severity of the attacks against them, which can result in great damage and even loss of human lives.
In this sense, this paper presents an extensive study of the most popular ways of attacking industrial applications, as well as the corresponding literature studies related to them, with the aim to provide a more effective, cyber-security-oriented approach and ultimately lead to a more resilient industrial environment.
The main contribution of this work is to provide researchers, as well as organizations dealing with Industrial IoT technologies in general, with a comprehensive study of the cyber threats to industrial equipment and of the latest countermeasures for protecting the infrastructure in question, within a critical and comparative framework. In this context, the main difference from other IIoT surveys is the provision of a complete, up-to-date, and valid reference framework for the identification and assessment of the risks related to the ever-evolving industrial environment.
The study is organized as follows: Section 2 reviews related work, and Section 3 gives a detailed description of the main risks that can be found in the Industrial IoT environment, the ways they operate, and the associated effective solutions that have been proposed in the most recent literature. Section 4 presents the main results of our study, and finally the last section draws the conclusions and outlines future research directions.

Metasurvey
This section reviews the survey works on the threats associated with industrial IoT systems. The main security risks are discussed, along with the suggested countermeasures. In particular, we discuss the contribution of each survey to the field and raise topics of interest that require further investigation and analysis.
Some of the modern attacks on critical infrastructure networks, such as power grids [9], are related to undermining actuators or sensors located in the physical layer, attacks against connections between different devices in the data-link layer, or more specialized attacks to compromise specific control systems such as SCADA devices [10].
SCADA devices are industrial automation control and telemetry systems consisting of local controllers that communicate over the industrial IoT network. In advanced cyber-attacks [11], actuators or sensors are typically isolated in order to falsify the normal sensor values and alter the mode of operation of the cyber-physical systems in an advanced industrial environment. For example, in a cyber-attack on the SCADA system of a potable water disinfection plant, the automation related to the treatment and production of clean water, the flow, level, conductivity, and pH instruments, as well as the chemical dosing pumps, could be tampered with, with devastating results for public health.
Study [10] in particular merely lists the building blocks of a functional SCADA architecture, and its analysis of attacks at the physical layer is superficial. In addition, the authors report five types of attacks and attack vectors (source code design and implementation, buffer overflow, SQL injection, cross-site scripting (XSS), and inadequate patch management) without describing the attacks against the software and without detailed explanations of specific methodological approaches to mitigation or prevention. Finally, regarding the communication layer of SCADA systems, the study is limited to superficial references to the general ways of attacking communication systems, namely unnecessary ports and services, communication channel vulnerabilities, and vulnerabilities of communication protocols. In summary, the study fails to contribute substantially to the awareness and clear understanding of the risks associated with SCADA systems and of the severity of the attacks against them, which can result in great damage and even loss of human lives.
A more careful approach to the threats related to industrial IoT systems is presented in [8], where the authors provide a detailed list of possible attacks for each of the five functional levels of the industrial IoT, the first three of which belong to operational technology (OT) and the other two to information technology (IT) (see Figure 2). The first functional level includes the systems that perform the physical processes of the IIoT, such as embedded devices, sensors, actuators, transmitters, and motors. Attacks aimed at this level require excellent knowledge of the design of the IIoT system and access to the specifications of the active devices, engineering plans, and detailed information about their installation and operation. The second functional level comprises the specialized equipment that communicates with and controls the devices of the first level, such as distributed control systems (DCS), programmable logic controllers (PLCs), and gateways. Attacks at this level aim at preventing legitimate communication between the two levels and taking control of the flow of communication. The third functional level is the SCADA level and all related industrial automation control and telemetry systems, such as data acquisition devices, master stations, and human-machine interfaces, which communicate over IP. Many of the attacks at the SCADA level rely on crafting IP packets with forged fields such as the source address, in order to disguise the identity of the sender and lead the recipient to believe that the packet came from a legitimate network user. The fourth functional level includes business planning services, such as office applications, intranet, web, and mail services. Attacks targeted at this level exploit known or unknown vulnerabilities of these services and inject malicious code where the application expects legitimate user input, in order to gain access with administrator privileges.
The fifth functional level includes high level services such as analytics, data mining methods handled by the enterprise applications, and cloud computing services. Attacks at this level include a set of malicious actions like interception and deception, but also more advanced types such as adversarial attacks.
It should be noted that the authors of this study, between levels three and four, place a demilitarized zone that includes service servers to which users connect on untrusted networks.
Although this study provides a solid account of how the IIoT works and of the corresponding vulnerabilities, it is incomplete, as it provides neither examples of such attacks nor techniques that could prevent them. It is rather a survey of the known types of attacks, which provides only minimal information that can easily be extracted from the literature.
A holistic approach based on business planning and on the security requirements standardized by the Industrial Internet Consortium and the OpenFog Consortium is presented in [12]. Given the complex nature of the IIoT ecosystem, the paper examines the security requirements of industrial connection and communication protocols on the basis of a three-tier architecture, and whether the protocols used at each tier provide a certain level of security. In particular, it first presents an abstract three-tier IIoT architecture that includes the main components of most IIoT deployments, categorizing them in a very clear way (Figure 3).
The edge tier consists of end-points and edge gateway devices composing a proximity network, which connects sensor devices, actuators, and control systems. The gateway devices provide an aggregation point for the network, allowing communication within the tier as well as layered communication with the second, higher tier, the platform tier, over an access network for data transfer and control between the tiers, implemented over the Internet or a mobile network. The platform tier contains service-based and middleware applications, such as analytics, data transformation, and data integration services. The interface with the third and highest tier, the enterprise tier, is provided by a service network, which is mainly based on the Internet. Finally, the enterprise tier hosts high-level services, such as enterprise applications, cloud computing, domain services, and hosting. At this tier, end users interact with the network through specially designed interfaces. Based on this architecture, T. Gebremichael et al. propose a set of connectivity protocols per tier and the security features required for secure device implementation in IIoT networks. Spreading these implementation technologies also allows the security requirements to be distributed across the different areas of the network and creates barriers that can serve as backup protection in the event of wide-scale breaches.

Finally, the authors of study [13] present a detailed study of SCADA attacks. SCADA systems are the core hardware of the IIoT ecosystem; they consist of various entities organized in a hierarchical structure and are used to monitor industrial processes. They integrate data acquisition systems, data transmission systems, and the human-machine interface (HMI). The HMI is the user interface that connects a person to a device; it is mainly used for data visualization and production-time monitoring, and it also visualizes machine input and output information. The general SCADA architecture includes the master station unit or master terminal unit (MSU/MTU), which is the control center of a SCADA network; the sub-MSU/sub-MTU, acting as a sub-control center; the remote station units or remote terminal units (RSUs/RTUs), acting as intelligent electronic devices (IEDs); and the programmable logic controller (PLC), used to monitor or collect data from sensors and actuators. The study summarizes the most typical attacks against SCADA systems, the ways in which they occur, and the tools commonly used. More specifically, the following modes of attack are presented.

1. Passive or active eavesdropping. By accessing the wired or wireless network [14] between MTUs and sub-MTUs or RTUs, an attacker can install spyware [15] and proceed to exploitation [16].
2. Man-in-the-middle (MitM). The attacker intercepts and monitors the network traffic, injects manipulated data during transmission, and forwards it to the receiver [17,18]. After a successful breach, the attacker takes over the session and maintains the connection from a spoofed IP address to avoid detection [19,20].
3. Masquerade. The attacker uses a fake identity and IP spoofing to pose as a legitimate network user in order to steal information from the system or network [21,22]. Passwords obtained this way or by brute force can then be used to gain unauthorized access to sensitive information [23].
4. Viruses, Trojan horses, and worms. An attacker can deliver malicious code to the MTU after a MitM or masquerade attack [24–26]. The code can either give unauthorized users access to the infected system, which is then used to launch attacks on other infrastructure, or spread through the network and infect the MSU/MTU, often causing unstable behavior or even total system collapse [27,28].
6. Fragmentation. A type of DoS attack in which the attacker exploits weaknesses in the packet reassembly process: data that exceed the maximum transmission unit arrive as fragments, and a crafted fragment set causes the MSU/MTU to fail during reassembly and crash [3,35–37].
7. Cinderella. After gaining access to a system, the malicious user changes its internal clock so that the security software expires prematurely, leaving the network more vulnerable [38,39].
8. Doorknob rattling. The preparatory actions taken before an attack, including legitimate-looking procedures for probing the system, such as a limited number of access attempts with random credentials, in order to evaluate the readiness and responsiveness of the security measures [40,41].
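To make item 6 concrete, here is an added Python example (not code from [13] or from the original page) of a fragment reassembler that enforces the bounds a robust MTU/RTU network stack needs: it rejects datagrams whose fragments extend beyond the 65535-byte IPv4 limit and fragment sets that overlap, leave gaps, or carry several final fragments, instead of trusting sender-supplied offsets. Only the IPv4 fields that matter for reassembly are modelled; the MTU value, identification numbers and payloads are constructed for the example.

```python
"""Fragment reassembly with bounds checks (added illustration for item 6).
Only the IPv4 fields that matter for reassembly are modelled; there is no
real header parsing, and all values below are constructed test data."""
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits wide
MTU = 1500             # assumed link MTU for the sender side
IP_HEADER = 20         # minimal IPv4 header, subtracted from the MTU


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by one datagram's fragments
    offset: int      # byte offset of this payload in the original datagram
    more: bool       # "more fragments" flag; False marks the final fragment
    payload: bytes


class ReassemblyError(ValueError):
    """Raised instead of letting a malformed fragment set reach a buffer."""


def fragment(payload: bytes, ident: int, mtu: int = MTU) -> list:
    """Split a datagram the way a sender would: offsets are multiples of 8."""
    chunk = (mtu - IP_HEADER) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(ident, off, off + chunk < len(payload), piece))
    return frags


def reassemble(frags: list) -> bytes:
    """Rebuild one datagram, validating every offset before copying data.

    Rejected: fragments past 65535 bytes (oversize datagram), overlapping or
    missing ranges (teardrop-style sets), duplicate offsets, and sets with no
    or several terminating fragments."""
    if not frags:
        raise ReassemblyError("no fragments")
    ident = frags[0].ident
    pieces = {}
    total = None
    for f in frags:
        if f.ident != ident:
            raise ReassemblyError("fragments from different datagrams")
        if f.offset % 8:
            raise ReassemblyError("offset not a multiple of 8")
        end = f.offset + len(f.payload)
        if end > MAX_DATAGRAM:
            raise ReassemblyError("fragment extends past %d bytes" % MAX_DATAGRAM)
        if f.offset in pieces:
            raise ReassemblyError("duplicate offset %d" % f.offset)
        if not f.more:
            if total is not None:
                raise ReassemblyError("more than one final fragment")
            total = end
        pieces[f.offset] = f.payload
    if total is None:
        raise ReassemblyError("final fragment missing")
    out = bytearray()
    expected = 0
    for off in sorted(pieces):
        if off != expected:   # off < expected: overlap; off > expected: gap
            raise ReassemblyError("overlap or gap at offset %d" % off)
        out += pieces[off]
        expected += len(pieces[off])
    if expected != total:
        raise ReassemblyError("data beyond the final fragment")
    return bytes(out)


def is_rejected(frags: list) -> bool:
    """True when the set is refused, False when it reassembles cleanly."""
    try:
        reassemble(frags)
        return False
    except ReassemblyError:
        return True


# Constructed cases: a legitimate 2560-byte datagram, an oversize set whose
# last fragment ends past 65535 bytes, and an overlapping (teardrop-style) set.
LEGIT = fragment(bytes(range(256)) * 10, ident=7)
OVERSIZE = [Fragment(9, 0, True, b"A" * 1480), Fragment(9, 65528, False, b"B" * 16)]
OVERLAP = [Fragment(3, 0, True, b"A" * 24), Fragment(3, 8, False, b"B" * 16)]

if __name__ == "__main__":
    print(len(reassemble(LEGIT)), is_rejected(OVERSIZE), is_rejected(OVERLAP))
```

The point of the example is where the checks sit: every offset is validated before a single byte is copied, so a crafted set is dropped at the parser rather than discovered by a crash.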
Given the complexity of the architectures associated with SCADA systems and the related standards, Ghosh and Sampalli [13] also provide a comprehensive review of the current security standards (IEEE 1402, ISO 17799, ISO 15408, the NERC security guidelines, NERC 1200, API 1164), of SCADA attack detection mechanisms (including machine learning algorithms such as Naïve Bayes, random forest, and decision trees), and of attack prevention, which centers on the adoption of key management schemes such as SCADA key establishment (SKE), the SCADA key management architecture (SKMA), and the logical key hierarchy (LKH).
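The logical key hierarchy (LKH) named above is the one of these schemes whose mechanics fit in a short program. The following Python is an added example, not code from [13] or from the page: a key server keeps a binary tree of keys, each RTU or MTU holds only the keys on its leaf-to-root path, and when a unit is decommissioned or compromised every key on its path is replaced with 2*log2(n) - 1 small rekey messages, so the departed unit cannot recover the new group key. The key wrapping is a toy XOR-with-HMAC keystream standing in for a real authenticated cipher; the power-of-two tree size and the departing member are assumptions.

```python
"""Logical key hierarchy (LKH) group rekeying, added illustration.
Keys live in a complete binary tree (heap layout: root = 1, children of i are
2i and 2i+1, member j sits at leaf n + j). The group key is the root key."""
import hashlib
import hmac
import os

KEY_LEN = 32


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrapping: XOR with an HMAC-derived pad. Stands in for a real
    authenticated cipher (AES-GCM or similar); do not deploy as is."""
    pad = hmac.new(kek, b"lkh-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pad, key))


unwrap = wrap  # an XOR pad is its own inverse


class KeyServer:
    """Holds every node key and issues rekey messages on membership change."""

    def __init__(self, n_members: int):
        if n_members < 2 or n_members & (n_members - 1):
            raise ValueError("member count must be a power of two (assumed)")
        self.n = n_members
        self.keys = {node: os.urandom(KEY_LEN) for node in range(1, 2 * n_members)}

    def path(self, member: int):
        """Node ids from the member's leaf up to the root."""
        node = self.n + member
        while node >= 1:
            yield node
            node //= 2

    def member_keys(self, member: int) -> dict:
        """Keys handed to a member at join time: its own path only."""
        return {node: self.keys[node] for node in self.path(member)}

    def group_key(self) -> bytes:
        return self.keys[1]

    def leave(self, member: int) -> list:
        """Replace every key the departing member knew. Each new key is sent
        wrapped under (a) the untouched key of the sibling subtree and (b) the
        already-renewed key of the child on the path. Returns a list of
        (wrapping_node, renewed_node, blob) messages for broadcast."""
        leaf = self.n + member
        self.keys.pop(leaf, None)
        msgs = []
        child, node = leaf, leaf // 2
        while node >= 1:
            new = os.urandom(KEY_LEN)
            sibling = child ^ 1
            if sibling in self.keys:      # absent if that member left earlier
                msgs.append((sibling, node, wrap(self.keys[sibling], new)))
            if child != leaf:             # renewed child: wrap under its new key
                msgs.append((child, node, wrap(self.keys[child], new)))
            self.keys[node] = new
            child, node = node, node // 2
        return msgs


class Member:
    """A unit that only ever sees its own path keys and the broadcast messages."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)

    def apply(self, msgs: list) -> None:
        for wrapping_node, renewed_node, blob in msgs:
            if wrapping_node in self.keys:
                self.keys[renewed_node] = unwrap(self.keys[wrapping_node], blob)

    def group_key(self) -> bytes:
        return self.keys.get(1)


def simulate_leave(n_members: int = 8, leaving: int = 3) -> dict:
    """Run one departure and report who still shares the server's group key."""
    server = KeyServer(n_members)
    members = {i: Member(server.member_keys(i)) for i in range(n_members)}
    msgs = server.leave(leaving)
    for m in members.values():
        m.apply(msgs)
    return {
        "messages": len(msgs),
        "in_sync": sorted(i for i, m in members.items()
                          if m.group_key() == server.group_key()),
        "departed_in_sync": members[leaving].group_key() == server.group_key(),
    }


if __name__ == "__main__":
    print(simulate_leave())
```

The departed member still holds stale copies of its old path keys, so it "decrypts" the messages addressed to those nodes to garbage and ends up with a different root key; every other member needs at most one message per tree level, which is what keeps rekeying cheap on a bandwidth-limited telemetry link.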

Cyber Threats and Their Countermeasures
Automation and remote control are today the most important means by which critical infrastructures [42] improve the productivity and quality of their services. In this light, the efficient management of IIoT systems requires maximum accuracy, reliability, and security. The digital technologies that are part of the IIoT ecosystem undoubtedly improve the efficiency of critical infrastructures, but they also bring significant challenges related to the ongoing threats to the digital security of these infrastructures [43]. In this spirit, the protection of the IIoT is now aligned with the general need to protect a country's critical infrastructure, such as telecommunications, water and energy networks, and government infrastructure, since the systems deployed in these infrastructures are directly tied to the IIoT environment, which is an ideal target for large-scale cyber-attacks.
In the following subsections, we classify the IIoT threats in five generic categories: phishing attacks, ransomwares, protocol, supply chain, and system attacks [44]. This separation enables a clear and comprehensive presentation of the security risks and the associated counter-measures as specialized in the Industrial IoT environment.

Phishing Attacks
Phishing is a very common type of attack used to steal sensitive user data. It occurs when an attacker, pretending to be a trusted entity [45], misleads users into entering personal information into a fake website or downloading an attachment, which results in the installation of malware or the disclosure of sensitive information. Against critical infrastructures, specialized phishers use advanced techniques, referred to as compromised attacks, that combine social engineering with the exploitation of both the lack of specialized active security measures on the systems and the lack of awareness or vigilance of users. The techniques include zero-day malware, link manipulation, filter evasion, obfuscated brand logos, website forgery, covert redirects, etc., aimed first at vendor or remote-access websites and then at the breach of IIoT systems and, in general, the control of the operational systems linked to them. Typically the malicious user enters the IIoT through a front-end system and remains there for a period of reconnaissance and mapping of the wider network until the most appropriate moment to launch the full attack, then pivots (moves from one system to another) to apply the appropriate exploits and compromise the ICS.
In general, several papers focus on malicious website crawling based on specialized techniques. Madhusudhanan et al. [46] propose a technique called PHONEY, which automatically detects and analyzes phishing attacks. The main idea behind this technique is a web browser extension that provides information on the quality of the sites, the security certificates they present, and whether they have been confirmed to contain malicious code or misleading URLs (see Figure 4).
McRae and Vaughn [47] introduced a method to detect sites that contain phishing content using honey tokens. Ajlouni et al. [48] use a methodology based on association rules for the classification and detection of phishing sites. The algorithm first generates correlations between objects and then derives correlation rules, where each rule signals the dependence of one set of objects on another, for the purpose of final ranking and locating content that indicates whether a site is involved in deceptive actions. The authors applied these algorithms to phishing data sets, and the results were very accurate and surpassed more advanced algorithms such as SVM. Finally, Jain and Richariya [49] implemented a prototype web browser used as an agent to process data from phishing attacks. The user opens the email in this browser in a secure environment, and if an attack is detected, they are notified and asked to delete the email.
An advanced machine learning technique is proposed in [50], specifically an intelligent web application firewall (IWAF) for critical infrastructure protection (CIP), an advanced phishing attack detection system. It is an innovative, fully automated active security tool that uses an evolving Izhikevich spiking neuron model for the automated identification of phishing web sites, builds group policy objects (GPOs) from the result, and pushes them into the Windows domain. The system implements a decision rule for the categorization and detection of phishing attacks, and at the same time translates this knowledge into firewall rules that enhance the active response capabilities of the critical infrastructure.
In particular, IWAF initially receives the network traffic between Industrial IoT devices as a PCAP (packet capture) file, from which the features of interest, able to reveal phishing attacks, are extracted. The proposed Izhikevich spiking model algorithm uses the extracted features and performs categorization to detect phishing attacks. When such an attack is detected, a list of indicators of compromise (IoCs) is created. IoCs are forensic data, such as data found in system logs or file logs, that identify potentially malicious activity on a system or network. The IoCs are converted to group policy objects (GPOs). GPOs are a set of settings that determine what a system will look like and how it will behave for a defined group of users in the Windows environment. With a scheduled task, these policies are forwarded to specific organizational units (OUs) of Windows Active Directory and are applied to all users, effectively creating rules to prevent and limit phishing attacks.
A promising technique called URL embedding (UE) was introduced by Yan et al. [51]. This new algorithm is used to investigate the correlations between different domain names, in order to calculate correlation coefficients between different URLs. Obviously, this technique creates serious demands on computing resources, especially when analyzing domains with sparse representations, as URLs can be distributed all over the Internet. In this case, the distributed representation is transformed into a small vector with the help of a neural network, and thus the mapping between the URLs and their distributed representations is stored without much trouble. An obvious disadvantage of the method is its space complexity: storing the domain embedding model takes a lot of space, as many high-dimensional vectors have to be stored. To solve this problem, the authors suggest that malicious websites be treated as words and that intelligent machine learning algorithms then locate the words in question in DNS queries, so that misleading malicious addresses are detected before they are even resolved.
Gu et al. [52] proposed a method for detecting botnets by mapping a sequence model based on extracting URLs from spam mails. Additionally, Ma et al. [53] studied various machine learning methods for classifying sites based on their characteristics and the content they include. Features such as IP addresses, WHOIS records, and lexical features of phishing URLs have been analyzed by McGrath and Gupta in their work [54], with their findings constituting an index of heuristic methods for filtering phishing-related emails, but also more generally for detecting suspicious domain registrations. Xie et al. [55] focus on detecting spamming botnets by developing regular-expression signatures from a set of spam address data. Stalmans [56] proposed a technique for detecting and mitigating botnet infection on a network, using features from DNS queries such as multiple Address (A) and NS records, IP ranges, Time-To-Live (TTL), and alphanumeric characters from domains.
Finally, the work of [50] proposes the creation of an innovative protection system against fast-flux botnets, which use as communication points domain names created with the domain generation algorithm (DGA) technique. Unlike other techniques that have been proposed and focus on DNS traffic analysis, this system proposes the creation of a Smart URL Filter in a zone-based policy firewall for detecting algorithmically generated malicious domain names. It is a biologically inspired artificial intelligence computer security technique, as it uses the evolving spiking neural network (eSNN), the third and most advanced generation of neural networks, which simulates in the most realistic way the functioning of the human brain.
The superiority of the proposed method was demonstrated after a thorough comparison of the prediction accuracy and the ability to generalize to new data, with corresponding evolving and bio-inspired learning methods.

Ransomware Attacks
This type of attack inserts malware into the IIoT system in order to cause denial of service (DoS) or to gain access to personal files, and demands that the users pay a fee in order to regain access. In contrast with conventional ransomware, which is distributed massively, IIoT ransomware is usually targeted, i.e., it focuses on critical system entities in order to cause as much damage as possible. Because of this difference, the research conducted on common ransomware cannot be considered as directly applicable to IIoT ransomware. The authors of [57] offer a detailed and systematic analysis of the various threats posed by IIoT ransomware and recommend some potential countermeasures. Their analysis suggests that the IIoT edge gateways are very vulnerable to ransomware attacks in IIoT systems. In an industrial environment, the IIoT gateways have some common properties, despite their partial differences in functionality and architecture. A typical IIoT edge gateway acts as a bridge between the external world and the critical IIoT infrastructure, that is, programmable logic controllers (PLCs) or input/output (I/O) devices. When an attacker launches a successful ransomware attack against an IIoT gateway, they can take full control of it by replacing the gateway's password with a new one and then updating the existing firmware with a malicious one. Even if the user bypasses the locking, the attacker can still access and encrypt all user and data files, including those collected from the PLCs and I/O devices, and those exchanged between the cloud and the enterprise. Then the attacker can ask for a ransom in order to decrypt the data, or threaten to gradually delete the victim's data if the ransom is not paid.
To analyze the vulnerabilities of IIoT edge systems, M. Al-Hawawreh et al. built an experimental testbed of an IIoT system, which follows the industrial internet reference architecture (IIRA) (see Figure 5) [26]. Their platform consists mainly of three parts: the I/O devices (IoT sensors, controllers, and actuators), the cyber world entities (maintenance operators, mail and cloud servers for processing the collected IoT data, and SCADA web monitoring devices), and the IIoT gateways. Then they conducted proof of concept (PoC) ransomware attacks on this platform using Python scripts resembling the well-known Erebus Linux ransomware attack. This targeted IIoT ransomware attack affected a large number of web services and database and multimedia files of a web hosting company when launched [55].
According to Reference [58], the main steps of this attack include sniffing for data and system files in predefined directories of the IIoT edge gateway, encrypting the data and deleting the original files, sending the stolen data as an attachment in a message to a fake email address via the simple mail transfer protocol (SMTP), and eventually sending notification messages to the user that a ransom is requested. In the compromised IIoT edge gateway, M. Al-Hawawreh et al. collected and processed data related to the system's activities in terms of CPU, memory, and I/O device usage and CPU processing load, and compared them with the corresponding data collected by the system when no ransomware attack is carried out. Their results suggest that the targeted ransomware attack on the IIoT edge gateway caused much higher usage of system resources and processing power in comparison with a similar ransomware attack on a workstation. Based on these observations and measurements, the authors concluded that monitoring kernel-related activity parameters can be a significant indicator of a crypto-ransomware attack launched against IIoT edge gateways. M. Al-Hawawreh et al. then suggested some countermeasures that should be taken to protect the IIoT infrastructure from these attacks more efficiently, including the deployment of next-generation firewalls with improved traffic filtering capabilities, the employment of monitoring tools, such as intrusion detection systems (IDSs), for detecting attacks at an early stage, and the separation of the IIoT edge gateway from the rest of the IIoT infrastructure, by placing the IIoT edge gateway in a specific trusted zone.
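As an added illustration of the resource-monitoring indicator described above (example code written for this survey discussion, not code from Al-Hawawreh et al.), the following Python sketch learns a per-metric baseline from benign gateway telemetry and alerts only when several of the CPU, memory, I/O and load metrics stay elevated over consecutive windows, so a single short spike does not fire. The metric names, the z-score threshold and the sample telemetry are constructed assumptions.

```python
"""Host-telemetry detector for crypto-ransomware activity on an IIoT edge
gateway: a baseline is learnt from windows with no attack, and an alert
fires when most kernel-level resource metrics exceed it for a sustained run.
Metric names, thresholds and all sample data are constructed for illustration."""
from statistics import mean, pstdev

# Assumed telemetry keys: CPU %, memory %, I/O throughput, CPU load average.
METRICS = ("cpu_pct", "mem_pct", "io_kbps", "load")


def learn_baseline(benign_windows):
    """Per-metric (mean, std) from telemetry collected while no attack runs."""
    base = {}
    for m in METRICS:
        vals = [w[m] for w in benign_windows]
        # Guard against a zero std so a constant metric still yields a threshold.
        base[m] = (mean(vals), pstdev(vals) or 1e-9)
    return base


def window_score(window, baseline, k=3.0):
    """Number of metrics above mean + k*std (upper-sided z-score test)."""
    return sum(1 for m in METRICS if window[m] > baseline[m][0] + k * baseline[m][1])


def detect(windows, baseline, min_metrics=3, consecutive=2):
    """Return indices of windows where an alert fires: at least `min_metrics`
    metrics deviate in each of `consecutive` windows in a row. Requiring a run
    suppresses one-off spikes such as a legitimate scheduled job."""
    alerts, run = [], 0
    for i, w in enumerate(windows):
        run = run + 1 if window_score(w, baseline) >= min_metrics else 0
        if run >= consecutive:
            alerts.append(i)
    return alerts


def _w(cpu, mem, io, load):
    return {"cpu_pct": cpu, "mem_pct": mem, "io_kbps": io, "load": load}


# Constructed benign telemetry (one record per monitoring window).
BENIGN = [_w(10, 30, 50, 0.2), _w(12, 31, 60, 0.3), _w(11, 30, 55, 0.25),
          _w(14, 33, 70, 0.4), _w(13, 32, 65, 0.35), _w(12, 31, 58, 0.3)]

# Constructed observation stream: three quiet windows, three windows of
# sustained encryption-like load (CPU, memory, I/O and load all high), then quiet.
OBSERVED = [_w(11, 31, 57, 0.3), _w(13, 32, 62, 0.35), _w(12, 30, 54, 0.28),
            _w(88, 64, 950, 2.6), _w(91, 70, 1200, 2.9), _w(93, 72, 1100, 3.1),
            _w(12, 31, 60, 0.3)]

BASE = learn_baseline(BENIGN)

if __name__ == "__main__":
    print("alert windows:", detect(OBSERVED, BASE))
```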
Apart from the conventional methods for identifying ransomware attacks, many studies have utilized machine and deep learning techniques for ransomware detection. The authors of [59] introduced a detection model using dynamic machine learning techniques, such as conversation-based network traffic features, for consistent detection of Windows ransomware network attacks. Their experiments demonstrated that the database created by these features achieves a high performance in terms of accuracy. The authors of [60] implemented a network-based intrusion detection system, by employing two independent classifiers operating in parallel on two different levels, the packet and the flow level, for detecting the Locky ransomware. Experimental evaluation found the proposed model very efficient in tracking ransomware attacks with high detection accuracy.
Finally, the authors of [24] suggested a hybrid detection model combining classical auto-encoding (CAE) and variational auto-encoding (VAE) deep learning techniques to reduce data dimension and obtain a precise representation of the activities. The extracted features were combined to form a new vector used to train a deep neural network (DNN) classifier. The proposed model was compared with other models including random forest [61], decision trees [59], logistic regression (LR), support vector machine (SVM) [62], and DNN [63] and it was found that it achieves the best performance as measured by the detection rate (DR) and the false negative rate (FNR).

Protocols Attacks
The OSI networks structure consists of five layers for IoT: physical, data-link, network, transport, and application layer (see Figure 6) [64]. In our review, we provide a brief overview of the threats and countermeasures at the first four layers and focus on the fourth (application) layer, which is particularly applicable for the IIoT applications.

Attacks in Physical, Data-Link, Network, and Transport Layers
There are many works devoted to the attacks against these layers that suggest the appropriate countermeasures [64][65][66][67]. Amongst the most common threats in the physical and data-link layers are denial of service (DoS) attacks. In this type of threat, the malicious device degrades the processing ability of the nodes in order to make the system unavailable. Jamming, collision, exhaustion, and unfairness are the three most important methods in DoS attacks [67]. In jamming DoS attacks, the attacker jams the signal by transmitting at the same frequency, whereas in tampering, the attacker takes over control of the sensor node by physical means, for instance by wiring on the electronic board, or by attaching cables to the circuit board. For the detection of jamming DoS attacks, the authors of [65,67,68] propose a cross-layer security detection mechanism and a jammed area mapping model (JAM), which avoids the jammed part of the wireless sensor network (WSN) by re-routing the packets to alternative routes. Tampering threats can be identified and prevented by physical inspection of the WSN by eye or with the use of special equipment.
In collision DoS attacks, the malicious device starts transmitting packets on the victim's frequency, causing collisions and packet retransmissions. If the collision attack continues until the energy resources of the targeted node are exhausted [69], it is also known as an exhaustion attack. The unfairness attack occurs when the exhaustion attack results in degrading the system's ability to the advantage of the malicious users. Efficient defense against jamming and collision attacks involves the employment of the frequency-hopping spread spectrum (FHSS) technique [70,71]. Data transit attacks are very common in the physical and data-link layers of IoT systems involving wireless sensor networks (WSN) and RFID sensor networks (RRSN) and include packet sniffing and Man in the Middle (MitM) attacks. Countermeasures to this type of threat include applying data encryption algorithms, such as the advanced encryption standard (AES) in IEEE 802.15.4 and 6LoWPAN networks [72], wired equivalent privacy (WEP), and Wi-Fi Protected Access II (WPA2) in Wi-Fi and LTE networks [73].
The most popular threats at the network layer of IoT systems include routing and DoS attacks, data transit attacks, and attacks on the neighbor discovery protocol (NDP) [65]. In routing attacks, the malicious device forwards the ongoing messages along the wrong paths, while in DoS, it causes traffic congestion and resource exhaustion by injecting a large amount of data into the network. Effective countermeasures against these types of attack include egress filtering, authorization, and monitoring tools, such as intrusion detection system (IDS) solutions specifically adapted for IoT like SVELTE [74]. Data transit attacks affect data integrity and confidentiality. Countermeasures include the use of compressed transport protocols, for instance datagram transport layer security (DTLS) [72]. The threats against the neighbor discovery protocol (NDP) are presented in [75]. In this work, a detailed description of the operation of NDP and of the most common attacks against it is given. In addition, the protection mechanisms for NDP have been thoroughly analyzed, including tunneling (IPSec) and the secure neighbor discovery (SEND) protocol. The analysis results indicate that SEND is the most efficient protection mechanism against NDP attacks, but it still lacks good support by most operating systems.
The most popular IoT attacks at the transport layer include de-synchronization, SYN-flooding, and message queue telemetry transport (MQTT) exploit attacks [65]. In de-synchronization attacks, the intruder injects packets with fake sequence numbers or control flags that de-synchronize the endpoints. Effective countermeasures include message authentication [76][77][78]. In SYN-flooding attacks, the malicious device sends a large volume of SYN packets to the victim. The victim responds with SYN-ACKs, but the spoofed device does not send acknowledgements (ACKs). As a result, the victim's queue fills up and it cannot receive and process legitimate SYN requests. Defense against SYN-flooding attacks involves interventions and optimizations on the transport protocols themselves, by making the memory and queue management more efficient in handling SYN packets, and by hardening the network security with the employment of packet filtering and proxy techniques [79]. The deficiencies of the message queue telemetry transport (MQTT) protocol are presented by the authors of [80]. MQTT is a simple messaging protocol, which adopts the publish-and-subscribe messaging approach and is specifically designed for the remote control of devices with bandwidth constraints, such as IoT applications. MQTT is, however, very vulnerable to attacks, since it does not provide any data encryption or authentication mechanism by default. Defense against MQTT exploits includes the adoption of scalable and robust security mechanisms, such as the secure MQTT protocol, which enforces the security features of the attribute based encryption (ABE) algorithm. ABE supports broadcast encryption for secure message delivery to multiple intended recipients, which is a desired feature in IoT applications [81]. Table 1 summarizes the most common protocol attacks in IIoT, the threats, and the proposed countermeasures.

Attacks in Application Layer
Among the most popular attacks against the application layer of IIoT systems are those related to the Modbus protocol used by SCADA systems, which are studied by the authors of [82]. In particular, they present a very specialized study, modeling attacks against the sensors used by the control loops for the collection of measurements in SCADA infrastructure, in gas pipeline and water storage tank implementations. Sensors, which are active devices in the infrastructure network, are PLCs that are conveniently interconnected to allow remote monitoring and control of high-speed response processes, even in cases where the devices are distributed between different remote points. Communication (sending and receiving data) is achieved with the widely used SCADA Modbus messaging protocol, which provides client-server communication between devices connected to different types of bus or network, via serial lines.
In the simulation performed in this study, Modbus master devices request information on the transfer of discrete or analog I/O communication and the recording of data by a Modbus slave. A simple request-response scheme is used for all executed transactions, where the master device starts a request and the slave responds. The authors, considering that the implementation of the Modbus protocol contains many vulnerabilities, simulate these vulnerabilities in the context of recording and evaluating the different types of attacks that can take place.
One vulnerability lies in the protocol's inability to recognize a forged slave or master IP address in the SCADA network. An unauthorized, remote intruder performing a Man in the Middle (MitM) attack exploits this vulnerability by sending queries containing invalid addresses, and then collects information about the network MSUs/MTUs from the returned messages.
Another vulnerability is the lack of adequate security checks and control of the physical identity/certification address to validate the communication between the Modbus master and slave devices. This defect allows remote intruders to issue arbitrary commands without authentication towards any slave device, via a Modbus master. The SCADA Modbus protocol is also vulnerable due to the protocol implementation errors when processing request messages and separate input read responses. Thus, an unauthorized, remote intruder can perform a DoS or DDoS attack on a SCADA network, by sending request or response parameters containing malicious values to select a data field on the system that contains a vulnerable Modbus application.
Finally, Modbus TCP is the protocol commonly used in SCADA networks for process control. Modbus limits the PDU size to 253 bytes to allow the packet to be sent over a serial RS-485 interface. Modbus TCP adds a 7-byte header to the Modbus PDU. This sets a limit on the legal packet size. When an attacker creates a specially crafted packet larger than 260 bytes and sends it to a Modbus master or slave, and the devices are not properly configured to reject such packets, the result is a successful buffer overflow attack.
The most common security countermeasure is the use of intrusion detection and prevention systems with deep packet inspection capabilities or industrial firewalls that have the ability to detect and stop highly specialized attacks hidden deep in the communication flow [83]. For example, Liang et al. [84] propose an industrial network intrusion detection algorithm based on a multi-feature data clustering optimization model. The novel features are twofold: to rapidly select a node with a high security coefficient as the cluster center, and to match the multi-feature data around the center into a cluster. The detection accuracy of abnormal data reaches 97.8%, and the false positives of detection are decreased by 8.8%. Additionally, a novel network intrusion prevention system that exploits the benefits of incremental machine learning frameworks, utilizing a self-organizing incremental neural network along with a support vector machine, is proposed by Constantinides et al. [85]. The results show that the proposed framework can achieve on-line, incrementally updated learning in a fast and efficient manner, making it suitable for efficient and scalable industrial applications. Moreover, Deng et al. [86] developed an intrusion detection method based on machine learning for the Modbus TCP protocol. It is a data preprocessing method based on the frequency with which Modbus function codes and coils appear in Modbus TCP traffic, used to detect abnormal Modbus TCP traffic with a support vector machine model. On the other hand, cloud-based intrusion detection and prevention systems for industrial networks are promising solutions to secure these infrastructures. Brugman et al. propose a highly accurate novel cloud-based intrusion detection and prevention architecture to identify and prevent cybersecurity threats in industrial networks, using software defined networking to route traffic to the cloud for inspection using network function virtualization and service function chaining. The proposed method uses Amazon Web Services to create a virtual private cloud for packet inspection that ensures scalability, resilience, and visibility.
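To make the Modbus TCP size limit (253-byte PDU plus 7-byte header, 260 bytes in total) and the function-code frequency idea of Deng et al. concrete, here is an added Python example written for this discussion, not code from either paper: it validates MBAP frames against the header invariants before they would reach a Modbus application, and compares the function-code frequency vector of a traffic window with a benign polling baseline. The frame builder, the Euclidean distance threshold and the sample traffic are constructed assumptions.

```python
"""Defensive Modbus TCP checks: MBAP frame validation and function-code
frequency profiling. All sample traffic below is constructed for illustration."""
import struct
from collections import Counter
from math import sqrt

MAX_PDU = 253                    # Modbus PDU limit (serial RS-485 compatibility)
MBAP_LEN = 7                     # transaction id(2) protocol id(2) length(2) unit id(1)
MAX_FRAME = MBAP_LEN + MAX_PDU   # 260 bytes: anything longer is rejected


def build_frame(fc, data, trans_id=1, unit_id=1):
    """Assemble a well-formed Modbus TCP frame (test helper, not a client)."""
    pdu = bytes([fc]) + data
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


def validate_frame(frame):
    """Return (ok, reason, function_code). Enforces the header invariants an
    industrial firewall or IDS should check before passing the frame on."""
    if len(frame) < MBAP_LEN + 1:
        return False, "short frame", None
    if len(frame) > MAX_FRAME:
        return False, "frame exceeds 260 bytes", None
    _trans_id, proto_id, length, _unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        return False, "protocol id must be 0", None
    # Length field must agree with the bytes actually present after it.
    if length != len(frame) - 6:
        return False, "length field mismatch", None
    return True, "ok", frame[MBAP_LEN]


def fc_profile(frames):
    """Normalised function-code histogram over the frames that pass validation."""
    counts = Counter()
    for frame in frames:
        ok, _reason, fc = validate_frame(frame)
        if ok:
            counts[fc] += 1
    total = sum(counts.values()) or 1
    return {fc: n / total for fc, n in counts.items()}


def profile_distance(baseline, observed):
    """Euclidean distance between two function-code frequency vectors."""
    codes = set(baseline) | set(observed)
    return sqrt(sum((baseline.get(c, 0.0) - observed.get(c, 0.0)) ** 2 for c in codes))


def is_anomalous(baseline, observed, threshold=0.5):
    """Flag a traffic window whose function-code mix drifts far from the
    baseline. The threshold is an assumed tuning parameter."""
    return profile_distance(baseline, observed) > threshold


# Constructed traffic: a polling baseline dominated by reads (FC 3, FC 1) and a
# window dominated by multi-register writes (FC 16), which a pure polling
# segment would not normally show.
READ_REGS = build_frame(3, b"\x00\x00\x00\x0a")
READ_COILS = build_frame(1, b"\x00\x00\x00\x08")
WRITE_REGS = build_frame(16, b"\x00\x00\x00\x01\x02\x00\x01")
BASELINE_FRAMES = [READ_REGS] * 8 + [READ_COILS] * 2
WRITE_HEAVY_FRAMES = [READ_REGS] * 2 + [WRITE_REGS] * 8
OVERSIZED_FRAME = build_frame(16, b"\x00" * 300)   # 308 bytes, over the limit
# Header claims 50 bytes follow, but only 6 do.
MISMATCH_FRAME = struct.pack(">HHHB", 1, 0, 50, 1) + b"\x03\x00\x00\x00\x0a"

if __name__ == "__main__":
    print(validate_frame(OVERSIZED_FRAME))
    base = fc_profile(BASELINE_FRAMES)
    print("write-heavy window anomalous:", is_anomalous(base, fc_profile(WRITE_HEAVY_FRAMES)))
```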

Supply Chain Attacks
Supply chain attacks are particularly dangerous. The major challenge for IIoT integration in the Industry 4.0 supply chain is security. Hardware chips with embedded malicious code are hard to find, since this code can execute for a long period of time without being easily noticed. One of the causes of security vulnerabilities in the IIoT environment is the involvement of many stakeholders. This means that the different components of a device are manufactured by different vendors, everything is assembled by another vendor, and the device is finally distributed by yet another one. This situation, which today is not easy to avoid, usually leads to security issues (installed backdoors) that can put an entire production line at risk (see Figure 7). In general, what is today called the third party is gaining more and more attention in risk management. M. Farooq, in their study [87], presents and highlights the supply chain threats and suggests approaches concerning the risk management procedures. They present and describe the IoT supply chain risk landscape, characterizing it as extremely diverse. This work may describe the IoT, but the situation is similar in the Industrial IoT environment, since they share a number of protocols. A vendor has the ability to embed backdoor channels in their devices, inject viruses, or provide faulty chips. The supply chain risks are hard to observe and hard to control. The risk propagates from one device to the other and gets amplified as the IoT ecosystem becomes more complex. Another issue is to dissect the supply chain links in IoT, meaning that the interactions between devices, between suppliers, and among them are always difficult to determine. Further, they highlight the IoT risk implications and consequences, and finally, as a countermeasure, they propose to view the ecosystem from a supply chain viewpoint and then take appropriate measures to control the risks.
They describe two approaches, the top-down approach, which is more centralized, and the bottom-up approach, which focuses on decentralization. This work gives a general understanding of the supply chain risks, but it does not provide technical countermeasures to deal with these types of attack for an environment that already faces this threat and does not have the ability to change the whole risk management approach.
Petar Radanliev [88], in their study, presents a dynamic and self-adapting supply chain system supported with artificial intelligence (AI), machine learning (ML), and real-time intelligence for predictive cyber risk analytics. This approach is used to develop a transformational roadmap for the Industrial Internet of Things in Industry 4.0 supply chains of small and medium enterprises (SMEs), because these types of companies usually lack the resources needed to effectively mitigate the high risks that cyber threats pose. One interesting point of discussion from the main findings is the weakness of existing cyber risk impact assessment models in calculating the impact on supply chain infrastructure. Additionally, there is an inconsistency in measuring the supply chain cyber risks, caused by the lack of understanding of supply chain operations in Industry 4.0.
Timothy Kieras et al. [89] presented in their study RIoTS (risk analysis of IoT supply chain threats), a risk analysis methodology for threats in networked systems such as the IoT that emanate from the suppliers of individual components. They argue that risk analysis must shift from a vulnerability-centered approach to the modeling of suppliers and components as a system. They propose an adaptation of attack tree techniques in order to include the risk associated with suppliers and supplier groupings. Their intention is to highlight and reveal hidden threats posed to the IoT ecosystem by potential supplier collusion. As we see, most studies focus on risk management approaches for supply chain attacks.

Systems Attacks
One of the most common attacks on industrial infrastructure is related to SCADA systems, which due to their proliferation and usability are found in many industrial infrastructures worldwide. Given the complexity of the devices in question, the heterogeneity of industrial networks, and the criticality of the installations in which these systems are located, such as water and energy networks, the authors of [90] presented a study of how SCADA devices are attacked, while at the same time they studied, applied, and proposed a specialized solution for their timely and valid detection. They deal in particular with the case where the attacker takes advantage of the fieldbus communication in the industrial EtherNet/IP protocol, after performing a Man-In-the-Middle (MitM) attack in an Ethernet ring using the device level ring (DLR) protocol, and finally carries out a stealthy sensor attack. Fieldbus is an industrial network system for distributed real-time control. It operates on a network structure that typically allows daisy-chain, star, ring, branch, and tree network topologies. In fieldbus communication in the industrial EtherNet/IP protocol, devices use I/O settings and messages that do not follow specific formats and sizes, as these are specified by the controller designer. Additionally, the analog sensor control signals are coded using 4-20 mA measurements. This means that the attacker must have, in addition to detailed knowledge of the system design, access to the specifications of the devices and to the engineering and installation drawings in order to fully understand the information exchanged and manipulate the sensors to their advantage.
Wireless communication between sensors and control devices is performed via a multicast EtherNet/IP connection over the user datagram protocol (UDP). While only devices that subscribe to a specific multicast address will receive multicast packets, multicast is IP-level, so all UDP packets arriving at a specific destination address will be accepted. The IP version 4 (IPv4) multicast service uses the Class D address space (224.0.0.0-239.255.255.255). Data transmission in IPv4 multicast is done without ensuring the accurate delivery of data to the receivers, unlike what happens with the other datagrams of the Class A to Class C address spaces. As IPv4 multicast is organized, the data are carried in UDP datagrams. Each address in the Class D address space represents the group of those who wish to receive the data. A host joins the group by sending an Internet Group Management Protocol (IGMP) JOIN message. It can then participate in the group without time restrictions (there is no concept of group ownership). Additionally, in order to send data to a group, it is not necessary to be a member of the group or to monitor the transmitted information, so it is generally very easy to install an intruder as MitM.
After establishing the MitM position, the attacker launches a stealthy sensor attack. This attack manipulates the sensor and actuator values in order to change the operation of specific mechanisms without this being noticed by the monitoring mechanisms of the system. More specifically, the scenario involves a raw-water storage tank equipped with a water level sensor, a valve that opens when the sensor reports a level below 0.5 m and closes when the level exceeds 0.8 m, and a pump whose operation depends on the ultrafiltration (UF) process, in which driving forces such as pressure or concentration gradients cause separation through a semipermeable membrane. If the water level in the tank falls below 0.25 m, the pump is switched off immediately; this is a safety interlock. The attacker's goal is to overflow the tank without being detected by a typical anomaly-based detection mechanism. This is achieved by modifying the sensor and actuator information, constructing appropriate packets adapted to the fieldbus communication so as to change the behaviour of the devices.
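The following is an added example, not code from ref. [90] or from this survey, that simulates the tank scenario just described: a PLC applies the stated valve and pump rules to the level reading it receives, a MitM rewrites that reading, and a typical range-based detector runs on what the PLC sees. It goes one step beyond the text by also running a physics-aware residual check that replays the PLC's own commands through the tank model. The tank height, inflow/outflow rates, tolerance and the constant 0.45 m spoofed value are assumptions made for the example.

```python
"""Constructed simulation of the raw-water tank scenario: a PLC drives a valve and a
pump from a level reading, a MitM rewrites that reading, and two detectors run on
what the PLC sees. Plant constants and detectors are assumptions for the example."""
from dataclasses import dataclass

# Assumed plant constants (not given in the scenario).
TANK_HEIGHT_M = 1.0     # level above which the tank overflows
INFLOW_M = 0.02         # level gained per scan cycle while the valve is open
OUTFLOW_M = 0.01        # level lost per scan cycle while the pump runs
RESIDUAL_TOL_M = 0.05   # tolerated gap between modelled and reported level


@dataclass
class Plc:
    valve_open: bool = False
    pump_on: bool = False

    def control(self, reported_level: float) -> None:
        # Control rules from the scenario: valve opens below 0.5 m and closes above
        # 0.8 m; the pump is forced off below 0.25 m as a safety interlock.
        if reported_level < 0.5:
            self.valve_open = True
        elif reported_level > 0.8:
            self.valve_open = False
        self.pump_on = reported_level >= 0.25


def plant_step(level: float, plc: Plc) -> float:
    """Assumed tank dynamics for one scan cycle, driven by the PLC's commands."""
    inflow = INFLOW_M if plc.valve_open else 0.0
    outflow = OUTFLOW_M if plc.pump_on else 0.0
    return max(0.0, level + inflow - outflow)


def range_check(reported_level: float) -> bool:
    """Typical detector: alert only if the value is outside the sensor's physical range."""
    return not 0.0 <= reported_level <= TANK_HEIGHT_M


def run(steps: int, spoof=None, start_level: float = 0.3) -> dict:
    """Run the control loop; `spoof`, if given, is the MitM's rewrite of the true reading.

    The residual check keeps its own level estimate by replaying the PLC's own
    valve/pump commands through the plant model and compares it with the reading.
    """
    plc = Plc()
    level = start_level
    model = None
    max_level = level
    alerts = {"range": 0, "residual": 0}
    for _ in range(steps):
        reported = spoof(level) if spoof else level
        if range_check(reported):
            alerts["range"] += 1
        if model is None:
            model = reported
        elif abs(model - reported) > RESIDUAL_TOL_M:
            alerts["residual"] += 1
            model = reported          # resynchronise after raising the alert
        plc.control(reported)
        level = plant_step(level, plc)
        model = plant_step(model, plc)
        max_level = max(max_level, level)
    return {"max_level": round(max_level, 3),
            "overflowed": max_level > TANK_HEIGHT_M,
            "alerts": alerts}


def stealthy_reading(true_level: float) -> float:
    """Assumed MitM rewrite: always report 0.45 m, which keeps the valve open (< 0.5 m)
    and the pump running (>= 0.25 m) while staying inside the plausible range."""
    return 0.45


if __name__ == "__main__":
    print("honest :", run(200))
    print("spoofed:", run(200, spoof=stealthy_reading))
```

In the honest run the level settles between the two valve thresholds and neither detector fires. In the spoofed run the range check stays silent, because 0.45 m is a perfectly plausible reading, while the true level climbs past the tank height; only the residual check, which knows what the commanded inflow and outflow should have done to the level, notices that the reported value does not move as the physics says it must.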
F. Mercaldo et al. proceed in a simple and elegant way: using temporal logic, and specifically exploiting high-level features of the SCADA infrastructure, they model the system logs as a network of synchronous (timed) automata and thereby characterise the behaviour of the SCADA system, i.e., whether it is under attack or not. More specifically, the process first extracts the relevant records from the SCADA system logs. The record values correspond to the actual measurements taken by the operating personnel. The extracted values are then discretised into three classes (up, basal, and low). These values are then fed into an automaton (automata are mathematical objects that implement abstract finite state machines; in an automaton, only specific transitions between states are allowed). When the automaton reads an input symbol, it performs a transition to another state according to its transition function. For each discrete quantity an automaton is built, synchronised with a specific clock. For every state change a status table is maintained, in which the system states are recorded over time. To detect overflow or underflow, the automata are checked at random times, and any deviation from the status table is associated with an attack against the system.
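As an added example, not code from Mercaldo et al. or from this survey, the following implements the steps just outlined on a constructed log: records are parsed, each value is mapped to one of the three classes (low, basal, up), the class sequence drives a small automaton clocked by the log time, and the resulting state trace is compared with a status table at chosen check instants. The log format, the tag name LIT101, the class thresholds, the allowed transitions, the check times and the log contents are all assumptions made for the example.

```python
"""Constructed example: discretising SCADA log values into three classes, running
them through a small clocked automaton, and checking the trace against a status
table. Log format, thresholds, transitions and check times are assumptions."""
import re

LOG_LINE = re.compile(r"t=(\d+)\s+tag=(\w+)\s+value=([\d.]+)")

# Assumed bands for the level tag: below 0.5 m is "low", above 0.8 m is "up".
BANDS = {"LIT101": (0.5, 0.8)}

# Allowed transitions of the automaton. A real tank level cannot jump from "low"
# to "up" (or back) within one scan, so those edges are deliberately absent.
TRANSITIONS = {
    "low":   {"low", "basal"},
    "basal": {"low", "basal", "up"},
    "up":    {"basal", "up"},
}


def parse_log(lines):
    """Return (t, tag, value) tuples; lines that do not match the format are skipped."""
    out = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return out


def classify(tag, value):
    """Map a raw measurement to the three-class alphabet of the automaton."""
    lo, hi = BANDS[tag]
    return "low" if value < lo else "up" if value > hi else "basal"


def run_automaton(samples, tag):
    """Feed the class symbols of `tag` to the automaton, clocked by the log time.

    Returns the trace {t: state} and the forbidden transitions (t, from, to)
    that the log tried to make."""
    state, trace, violations = None, {}, []
    for t, tg, value in samples:
        if tg != tag:
            continue
        symbol = classify(tag, value)
        if state is not None and symbol not in TRANSITIONS[state]:
            violations.append((t, state, symbol))
        state = symbol          # the automaton moves to the observed class
        trace[t] = state
    return trace, violations


def check_status_table(trace, status_table, check_times):
    """Compare the observed state with the expected one at the chosen check times."""
    return [(t, trace.get(t), status_table.get(t))
            for t in check_times if trace.get(t) != status_table.get(t)]


# Constructed logs: a normal fill/drain cycle and a manipulated copy of it.
NORMAL_LOG = [f"t={t} tag=LIT101 value={v}" for t, v in
              enumerate([0.30, 0.40, 0.52, 0.60, 0.70, 0.82, 0.85, 0.78, 0.65, 0.55])]
ATTACK_LOG = [f"t={t} tag=LIT101 value={v}" for t, v in
              enumerate([0.30, 0.40, 0.95, 0.95, 0.95, 0.45, 0.45, 0.45, 0.45, 0.45])]
CHECK_TIMES = [2, 5, 8]   # fixed stand-in for the random check instants


def analyse(log_lines):
    """Build the status table from the normal log, then check `log_lines` against it."""
    status_table, _ = run_automaton(parse_log(NORMAL_LOG), "LIT101")
    trace, violations = run_automaton(parse_log(log_lines), "LIT101")
    return violations, check_status_table(trace, status_table, CHECK_TIMES)


if __name__ == "__main__":
    print("normal:", analyse(NORMAL_LOG))
    print("attack:", analyse(ATTACK_LOG))
```

The manipulated log is caught twice over: the jump from low straight to up at t=2 (and back at t=5) is not an edge of the automaton, and at each check instant the observed class differs from the one the status table expects. The status table is derived here from a single normal run; in practice it would be built from a longer attack-free history so that ordinary process variation does not register as a deviation.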
Although various intelligent techniques have been proposed for analysing the network traffic between IIoT devices, with very high reported success [91][92][93], a specialised architecture is proposed in the work on a blockchain security architecture for IIoT [94]. It is based on deep learning smart contracts for the security and functionality of industrial applications and provides a decentralised, reliable, peer-to-peer network for communication between SCADA devices. In essence, this architecture is meant to fill a key gap in the way IIoT operates when heterogeneous infrastructures converge on a blockchain. More specifically, the system takes advantage of the blockchain network by implementing advanced anomaly recognition through the bilateral agreement provided by smart contracts, thereby securing the network communication between the transacting devices. The proposed deep learning smart contract, which incorporates a deep autoencoder in its code, provides an intelligent mechanism that can classify with high precision the malicious irregularities in IIoT transactions, which in most cases correspond to advanced cyber-attacks.
An autoencoder is a neural network composed of two connected networks, an encoder and a decoder. The encoder takes the network traffic between master/slave devices and converts it into a smaller, denser (latent) representation, from which the decoder reconstructs the original input. Essentially, the autoencoder aims to reproduce its input at its output by compressing the input into a latent representation and then rebuilding the output from that representation.
In this way it learns to compress the original data from the input layer into an abstract form, which it then decompresses into something that closely matches the original data. Besides reducing the dimensionality of the problem, this forces the autoencoder to learn to ignore noise; traffic that it cannot reconstruct well deviates from the learned normal behaviour, and this reconstruction error is how it flags anomalies associated with attacks on the SCADA Modbus protocol.
Attacks on industrial control systems (ICS) aim at physically manipulating the controlled process, for example the speed of centrifuges, or at reprogramming the programmable logic controller (PLC) devices in order to speed up or slow down their operations, driving the industrial equipment to destruction or permanent damage. Such an attack scenario is described in [95], where the optimal power flow (OPF) algorithm is maliciously modified. OPF is widely used in power system control centres to find the optimal control strategy for the power system, minimising the overall cost while ensuring the security of the system.
Power system security is usually defined by a set of lower and upper limits on various system parameters, such as power line flows and the minimum/maximum allowable frequency (59.5-61 Hz, with 60 Hz being the rated grid frequency in the US). The control strategy is essentially a set of control commands that the PLC sends to the actuators, e.g., set points for the generators that determine the power each generator should produce, the security margin to be maintained, on/off commands, etc.
Luis et al. apply the OPF control algorithm on the PLC after making three malicious modifications: they remove the constraint that keeps the system within its safe margins, replace the cost minimisation objective with a maximisation so that the hostile impact is maximised, and add predefined hidden conditions to ensure that the malicious actions are not noticed by operators, either on the local display devices or on the SCADA overview web interface.
To address such behavioural deviations, anomaly detection techniques have been proposed in the literature that work even when the nature of the attack is new and therefore unknown, since they compare the current state with a model, or more generally with a set of parameters, that describes the normal operation of the system. To this end, behavioural analysis of basic network or process parameters, such as operating specifications, average power per time window, etc., is widely used. Anomaly detection is additionally combined with other technical or heuristic forms of analysis in order to identify patterns that help detect, identify, and predict attacks without raising false alarms [96,97]. In general, anomalies are patterns that deviate from the expected behaviour and can be categorised as point anomalies, contextual anomalies, collective anomalies, protocol anomalies, etc. [98][99][100].
In cases of highly specialised attacks such as those simulated by Luis et al., a simple anomaly detection system is not enough; more sophisticated and obviously more complex methods are required. In contrast, the method proposed in [101] is an extremely simple and at the same time dynamic methodology, which turns out to be able to detect advanced attacks like the one described with great precision. Specifically, the CUmulative SUM (CUSUM) algorithm is used, which works intuitively by accumulating over time the difference between a monitored variable and its expected value. If this cumulative sum exceeds a certain threshold, a change is declared. More specifically, CUSUM uses Equation (1) to detect a change, where $S_n$ is the cumulative value at sample n, $x_n$ is the monitored value at sample n, and $w_n$ is the expected (normal) mean of the monitored value. A change is detected when $S_n$ rises above a predetermined threshold, which is chosen as a function of the relative magnitude of the change and the noise in x.
$S_0 = 0,\quad S_{n+1} = \max(0,\; S_n + x_n - w_n)$ (1)
This anomaly detection algorithm was used and tested with great success on the anomalies produced by the experiment of Luis et al., where x is the measured execution time of the PLC scan cycle. Essentially, this simple change detection algorithm allows the execution time of the deterministic PLC control program to be monitored in real time and raises alerts on changes, in order to detect early the anomalies that are usually associated with cyber-attacks. It is important to note that, with a very high rate of correct alerts, almost all anomalies were detected within seconds, and within five minutes at most in the worst case, significantly limiting the attackers' ability to damage equipment. Finally, another important advantage of this algorithm is its simplicity, which supports the hypothesis that it can be integrated into resource-constrained PLCs to provide stronger guarantees for the overall security of the IIoT ecosystem.
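The following is an added example, not code from [101] or from this survey, that applies Equation (1) to a constructed series of PLC scan-cycle execution times. The samples are a deterministic jitter pattern around a 1.00 ms cycle, with a +0.05 ms shift from a chosen sample onwards standing in for the extra work of a modified control program; the warm-up window used to estimate $w_n$ and the threshold are assumptions made for the example.

```python
"""Constructed example of the CUSUM change detector of Equation (1) on PLC
scan-cycle execution times. Sample series, warm-up length and threshold are
assumptions for the example."""


def make_samples(n, shift_at=None, shift_ms=0.05):
    """Constructed scan-cycle times in ms: 1.00 plus a repeating jitter pattern
    (-0.02, 0.00, +0.02, -0.01, +0.01) whose mean over a full period is zero,
    optionally shifted by `shift_ms` from index `shift_at` on."""
    out = []
    for i in range(n):
        jitter = 0.01 * (((i * 7) % 5) - 2)
        x = 1.00 + jitter
        if shift_at is not None and i >= shift_at:
            x += shift_ms
        out.append(x)
    return out


def baseline_mean(samples, warmup):
    """w_n of Equation (1): the expected value, taken here as the mean of an
    attack-free warm-up window (assumed to be clean)."""
    return sum(samples[:warmup]) / warmup


def cusum(samples, w, threshold):
    """Equation (1): S_0 = 0, S_{n+1} = max(0, S_n + x_n - w).

    Returns (index at which S first exceeds `threshold`, or None; the S trace)."""
    s, trace, detected = 0.0, [], None
    for n, x in enumerate(samples):
        s = max(0.0, s + x - w)
        trace.append(s)
        if detected is None and s > threshold:
            detected = n
    return detected, trace


def detect(samples, warmup=20, threshold=0.1):
    """Estimate the baseline from the warm-up window, then run CUSUM over the series."""
    w = baseline_mean(samples, warmup)
    detected, trace = cusum(samples, w, threshold)
    return {"baseline": round(w, 3),
            "detected_at": detected,
            "peak_s": round(max(trace), 3)}


if __name__ == "__main__":
    print("normal :", detect(make_samples(120)))
    print("shifted:", detect(make_samples(120, shift_at=60)))
```

On the unshifted series the max(0, ·) reset keeps $S_n$ below 0.02 ms, so no alert is raised; once the cycle time shifts by 0.05 ms the sum grows by roughly that amount per cycle and crosses the 0.1 ms threshold within two or three scans of the change, which is the fast detection the text refers to. The threshold trades detection delay against false alarms: it must sit above the largest excursion the normal jitter can accumulate, and a baseline learned from a period that already contained the attack would mask it.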

Discussion
The universal protection of the infrastructure and the reliability of the solutions presented should not be taken for granted, because the cyber security of the IIoT ecosystem is a multifactorial problem, as described above [102].
In particular, due to the nature of the IIoT and the wide range of vulnerabilities that can arise from the complexity of the systems involved, important features related to complex patterns, systems, or processes are identified and maintained which do not evolve over time and which are potential vulnerabilities of the overall network [103]. More generally, the problem lies in the fact that in this highly complex environment, while standardisation schemes are multivariate, a high degree of heterogeneity exists and persists; this can be attributed to the age of systems that have not been upgraded, to the complex relationships between them, and to the subtle differences that distinguish them [7]. An overview of the discussed cyber threats and countermeasures is presented in Table 2.

Table 2. Overview of the discussed cyber threats and countermeasures.

1. [category not available] [46]
   Countermeasures: Intelligence Web Application Firewall (IWAF) [104]; URL Embedding (UE) [51]; detecting botnets by mapping a sequence model based on extracting URLs from spam mails [56]; smart URL filter in a zone-based policy firewall for detecting algorithmically generated malicious domain names [50].

2. Ransomware attacks. A type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.
   Threats: DoS attacks; data encryption.
   Countermeasures: next-generation firewalls with improved traffic filtering capabilities [57]; machine learning techniques [59]; intrusion detection systems [60]; hybrid detection systems [105].

3. Protocol attacks. Any threat against the IIoT protocol stack.
   Threats and countermeasures:
   - Jamming DoS attacks: rerouting of packets to alternative routes [68].
   - Collision/exhaustion/unfairness attacks: FHSS techniques [70,71].
   - Data transit attacks: data encryption algorithms [72,73].
   - Routing and DoS attacks: ingress filtering and IDS solutions [65,74].
   - Data transit attacks: compressed transport protocols (for instance DTLS) [72].
   - Threats to the neighbour discovery protocol (IPv4/IPv6): use of IPsec and SEND protocols [75].
   - Sending control flags that synchronise endpoints: message authentication [77].
   - System flooding during the SYN handshake phase: transport-layer optimisations and network filtering [79].
   - Data transit attacks, scalable key management: Secure MQTT, ABE algorithm [81].
   - SCADA Modbus attacks: intrusion detection and prevention systems [106,107].

4. Supply chain attacks. A cyber-attack that seeks to damage an industry or organisation by targeting less-secure elements in the supply chain.
   Threats: backdoor installation; very hard to detect.
   Countermeasures: view the ecosystem from a supply chain viewpoint and control the risk [87]; self-adapting supply chain system with artificial intelligence (AI), machine learning (ML), and real-time intelligence for predictive cyber risk analytics [88].

5. System attacks. Unauthorised access to an industrial system in order to cause harm.
   Threats: Man-in-the-Middle attacks; physical manipulation of the controlled process (e.g., centrifuge speed) or reprogramming of the programmable logic controller (PLC) devices in order to speed up or slow down their operations.
   Countermeasures: system log modelling [90]; deep learning smart contracts for the security and functionality of industrial applications, providing a decentralised, reliable, peer-to-peer network for communication between SCADA devices [94]; hybrid network anomaly and intrusion detection approach based on evolving spiking neural network classification [108]; CUmulative SUM (CUSUM) algorithm [101].

Among the threats discussed, supply chain attacks are becoming a serious concern, because factors such as complexity and stealth do not allow easy solutions [109]. To mitigate these attacks, risk management approaches are usually employed. Another major drawback is that older industrial systems, which in most cases were not built with security as a requirement, become the weak points of the overall system and significantly increase the risk of attack, even when access control or encryption techniques are added to them [110,111]. In addition, the standardisation and harmonisation procedures with respect to the existing institutionalised standards raise serious concerns, since most existing IIoT systems depend heavily on their vendor, which creates problems when their mechanisms, such as the functions they include or can support, need to be rearranged or adapted [7].
Furthermore, because the IIoT operates and evolves in real time [88,90,94], handling data that arrive with time offsets, while taking into account correlations and interdependencies with other devices in the data-flow sequence, creates additional requirements for ensuring the accuracy and integrity of information. The encryption [102] and key management techniques that have been proposed and used in the IIoT environment, while providing strict specifications, lag behind in the implementation of mechanisms that run quickly and with little complexity, so that they can be used by low-resource devices.
Finally, another important conclusion drawn from most of the machine learning methods presented in this study is that they use only statistics on device operation or network traffic [96,104]; as a result, the trained parameters do not capture a variety of usage or behaviour parameters of the overall system, and normalisation is ineffective. The problem stems from the erroneous assumption that the original model and all its updated replicas have similar feature distributions, so that the current statistics can be shared across all the inner-loop updates of the learner. This assumption does not hold. A better alternative, applied in the method referred to above, is to store the statistics at each step and read the optimisation parameters step by step for each inner-loop iteration.

Conclusions
Given the growing complexity of threats in the ever-changing environment of the Industrial IoT, and the parallel inability of traditional security systems to detect serious threats of escalating depth and duration, it is necessary to acknowledge the risks that threaten these infrastructures and to ensure the confidentiality of industrial information [110]. At the same time, since cybercriminals may gain access to the production process with serious, perhaps incalculable, consequences, most industrial companies seek security know-how in order to secure their infrastructure. It should be noted that IIoT architectures, and industrial systems in general [5,6,13,90], need a different kind of protection from standard networks, as conventional security solutions, such as virus scanners or conventional firewalls, do not meet industrial standards and requirements.
In this study, a thorough description of attacks against Industrial IoT systems was carried out, taking into account the most important features and vulnerabilities they incorporate, together with a thorough analysis of indicative solutions against these vulnerabilities as proposed in the most recent literature. In this context, it constitutes a validated reference framework and an indicative scientific basis for the identification and assessment of risks related to the ever-evolving industrial environment.
One direction for the future expansion of this research is the investigation of unconventional attack methods, or of advanced methodologies that combine unknown attacks such as zero-day attacks. Additionally, an important development of this study concerns the bibliographic investigation of methods capable of self-improvement and self-adaptation to new, unknown threats in IIoT systems. Finally, the research could be expanded by the search for special protection techniques against