Search Results (529)

Industrial control systems (ICSs) are cyber–physical environments in which physical process data and network communication data are generated simultaneously. Existing studies have mainly focused on either sensor-based or network-based anomaly detection, making it difficult to capture diverse attack indicators and motivating the use of multimodal methods that can leverage complementary information from both modalities. In this paper, we propose an unsupervised multimodal anomaly detection framework for ICSs that jointly uses sensor and network modalities. For each modality, autoencoder-based single-modality models are trained in an unsupervised manner, and their anomaly scores and latent feature vectors are extracted. These outputs are temporally aligned to construct a time-aligned multimodal table, which is then used to implement and compare two fusion strategies: anomaly score fusion and latent feature fusion. In latent feature fusion, aligned modality-specific latent features are combined with canonical correlation analysis (CCA)-derived cross-modal correlation features. The experimental results showed that latent feature fusion achieved stable performance across multiple sensor–network encoder combinations. In particular, the gated recurrent unit–convolutional neural network (GRU–CNN) combination achieved the best F1-score of 0.9166 and ROC-AUC of 0.9795. In addition, the complementarity analysis showed that latent feature fusion recovered some missed detections by integrating complementary sensor and network evidence. These results demonstrate that latent feature fusion is an effective multimodal strategy for ICS anomaly detection. Full article

The increasing deployment of IoT-enabled electric-vehicle charging networks has created a rapidly evolving cyber–physical environment in which security mechanisms must operate amid ever-changing data patterns and resource constraints. In these environments, static Machine Learning (ML) pipelines are often insufficient because they struggle to adapt to concept drift issues, emerging attacks, and real-time operational requirements. We analyzed cybersecurity vulnerabilities, challenges of conventional ML approaches, and the possibilities of AI-powered, adaptive security measures. This paper examines Online AutoML and its advantages, including automated adaptation to streaming data, reduced human intervention, and privacy-preserving, resource-aware learning. Furthermore, this paper discusses adversarial attacks and defences in Online AutoML systems, highlighting the need for frameworks that jointly address concept drift, scalability, privacy, and adversarial threats. Finally, this study emphasizes the importance of establishing comprehensive public benchmarks for Online AutoML research. Full article

Cyber-physical systems (CPSs) based on the Internet of Things (IoT) form the backbone of modern smart infrastructures, including smart cities, healthcare monitoring, industrial automation, and intelligent transportation. However, connecting many resource-limited IoT devices makes them more vulnerable to cyber threats, particularly quantum attacks. This review comprehensively examines quantum-secure communication (QSC) frameworks for IoT-enabled CPS, focusing on Quantum Key Distribution (QKD), post-quantum cryptographic (PQC) algorithms, and hybrid quantum–classical security models suitable for constrained devices. A PRISMA-guided search of the Scopus and Google Scholar database was conducted in January 2026 using three keyword groups related to hybrid security, artificial intelligence, and cyber-physical systems. Based on the evaluation, 6008 publications have been identified between 2001 and 2026. The first-round screening was performed for 4948 articles, after excluding duplicates. During the screening stage, 348 articles were selected for abstract scrutiny, 115 records were excluded due to no direct focus on CPS/IoT applications, 52 studies were excluded because these papers relied on traditional security models, 25 studies were excluded due to insufficient relevance to the review objectives, and 15 additional non-English studies were removed. Following the screening stage, 141 studies were selected for full-text eligibility. Out of those, 86 studies were removed due to a lack of specific evaluation metrics or not being published in a peer-reviewed venue. Furthermore, the publications are classified as QKD-based secure CPS and QSC for industrial IoT, AI-Assisted Secure Communication for CPS Networks, and hybrid PQC-QKD models for CPS/IoT devices. This article investigates recent advancements in secure data transmission, verified protocols, and AI-driven anomaly detection customized to CPS/IoT environments. In addition, operational hurdles, interaction with open innovations, real-time deployment, and secure edge-cloud integration are highlighted. By analyzing recent developments and identifying research gaps, this review provides a structured roadmap for designing secure, scalable, and quantum-safe IoT-based CPS frameworks capable of withstanding next-generation cyber threats. This systematic review was performed and reported according to the PRISMA 2020 guidelines. Full article

Cyber–Physical Systems (CPSs) are increasingly vulnerable to Distributed Denial-of-Service (DDoS) attacks, which can disrupt critical operations and compromise system safety. Although deep learning (DL) techniques are widely adopted for cyberattack detection, conventional DL-based classifiers often struggle to handle the uncertainty and ambiguity inherent in network traffic data. To address this limitation, this paper proposes an AI-driven hybrid framework, termed LSTM–Fuzzy–CPS, for adaptive DDoS detection in CPS environments. Unlike prior LSTM–Fuzzy approaches that are primarily restricted to SDN settings, the proposed framework is adapted for CPS environments and introduces continuous risk scoring, reduced false positives for safety-critical operation, and proportional mitigation mechanisms. The framework consists of a detection module and a conceptual mitigation module. The detection module, named LSTM–Fuzzy–Detector, integrates an LSTM network with a Mamdani-type fuzzy inference system that maps LSTM outputs into a continuous risk score using triangular membership functions (Low, Medium, High) and centroid defuzzification. The mitigation module is designed as a rule-based conceptual framework that translates risk levels into adaptive response actions; however, its experimental implementation is left for future work. The proposed detector is evaluated on the CICIoT2023 dataset and achieves an accuracy of 99.83% with a false-positive rate of 0.12%, demonstrating strong robustness against complex and evolving attack patterns. These results indicate that the proposed framework provides an effective, interpretable, and scalable solution for intelligent threat detection in CPS environments. Full article

Cyber-physical systems (CPSs) integrate physical processes and information components through communication networks and are therefore vulnerable to cyber attacks. Opacity is a security property that prevents an adversary from inferring sensitive information from observations, and it has been studied mainly for discrete-event systems. In this paper, we extend this concept to discrete-time piecewise affine (DT-PWA) systems, which constitute an important class of hybrid systems used to model CPSs. In conventional opacity analysis, the result is typically binary, i.e., a system is either opaque or not. For systems with continuous dynamics, however, such a binary characterization may be insufficient, and it is desirable to evaluate the degree of security. To address this issue, we introduce a notion of opacity that incorporates security levels. We first formulate opacity for DT-PWA systems and then derive a necessary and sufficient condition for opacity. Based on this condition, we present a verification method using polytope computations and discuss the interpretation of the proposed notion. Finally, a numerical example is provided to illustrate the effectiveness of the proposed method. Full article

This paper investigates the tracking control problem for a class of networked nonlinear systems in a non-ideal communication environment, where both internal communication constraints (delays and packet dropouts) and external random deception attacks are taken into account. From a symmetry perspective, the backward and forward channels constitute a paired sensing–actuation structure, and channel-dependent imperfections may destroy their functional coordination. To compensate for the resulting sensing–actuation mismatch, a data-driven sliding-mode predictive tracking control scheme is developed without relying on an explicit system model. First, an equivalent dynamic linearization is adopted to represent the input–output behavior using a data-dependent incremental model. Then, using delayed measurements together with historical input–output data, an online estimator is constructed to update the pseudo partial derivative (PPD). Based on the estimated PPD, a multi-step predictor is further designed to generate the predicted outputs, and a data-driven sliding-mode predictive tracking controller is proposed by imposing a discrete reaching law on the predicted outputs. Rigorous analysis is provided to ensure the stability of the closed-loop system and to guarantee that the tracking error remains bounded, together with an explicit bound that reveals the influence of the delay horizon, estimation mismatch, and attack amplitudes. Finally, numerical simulations under square-wave and sinusoidal references validate the effectiveness and robustness of the proposed approach. Full article

Critical infrastructure cybersecurity increasingly needs frameworks that move beyond recovery toward bounded improvement under disruption, but empirically grounded theories for operational technology remain limited. This paper develops a Theory of Antifragility (AFT) for critical infrastructure (CI) cybersecurity, anchored in a five-state Resilient System Model and a bounded mathematical definition built around Jensen gain and post-disruption gain. A two-layer empirical design pairs a CI-relevant subset of the CISSM Cyber Events Database with the HAI hardware-in-the-loop industrial control dataset and tests three confirmatory hypotheses and one exploratory proposition. OT-adjacent sectors show significantly higher shares of disruptive or mixed events than comparison sectors (65.3% versus 46.8%, p < 0.001) and a heavier concentration of physical-attack and data-attack subtypes. In HAI, attack-labeled observations were 7.43 times more likely than normal observations to exceed the 95th percentile of baseline deviation (p < 0.001). Across successive attack windows, mean process-state deviation declined significantly (Spearman ρ = −0.688, p = 0.007), providing evidence of measurable response variation rather than proof of adaptive gain. Together, the findings establish the following two prerequisites for future antifragility testing: differentiated fragility burden and process-level perturbation observability. Full article

Critical infrastructures (CI) are essential to modern society, providing vital services such as energy, water, and transportation. However, these systems are increasingly targeted by sophisticated cyberattacks, exploiting vulnerabilities in both IT (Information Technology) and OT (Operational Technology) environments, posing significant risks to safety, economic stability, and national security. Despite advancements, current anomaly detection models for CI often cannot effectively integrate diverse data sources or provide detailed attack classifications. To address these challenges, we propose a novel Graph Convolutional Network (GCN) model integrated with Long Short-Term Memory (LSTM) layers for effective anomaly detection and attack classification in CI. The model leverages Cyber Threat Intelligence (CTI) and MITRE ATT&CK techniques, integrating network traffic and physical device data to enhance detection of sophisticated threats. Unlike approaches using binary classification, our model performs multiclass classification to recognize specific attack types, bridging the gap in understanding complex attack patterns within CI. By incorporating Indicators of Compromise (IoCs) from MISP (Malware Information Sharing Platform) with the SWAT (Secure Water Treatment) dataset, we developed a graph-based data structure where nodes represent entities like SCADA tags and IP addresses. The model processes this dynamic graph using convolutional layers for spatial feature extraction and LSTM layers for temporal dependencies. Results indicate a significant improvement over existing solutions, achieving a test accuracy of 99.04% and a macro F1-score of 0.9151. The integration of multiple data sources enhances the model’s capacity to handle evolving cyber threats, making it well-suited for protecting CI. Full article

In this work, we explore resilient cooperative localisation for electric vehicles subject to the hybrid attack of gradual global navigation satellite system (GNSS) drag-off spoofing along with received signal strength indicator (RSSI) jamming. In order to mitigate such attacks, a deep learning-based physical-layer security approach is presented. The presented approach includes a long short-term memory (LSTM) detector for attack detection, a regression-based RSSI signal purifier, and a cooperative fusion scheme, which decreases the dependence on the GNSS branch in case of attack detection. The proposed approach is validated via the Berlin Vehicle-to-Everything (V2X) dataset with respect to six scenarios, including benign GNSS-only and cooperative localisation, attacked localisation without defence, and attacked localisation with physical-layer security support. According to the experimental evaluation results, the considered hybrid attack significantly impacts the localisation accuracy, leading to an increase in the GNSS-only localisation error to root mean square error (RMSE) = 149.93 m, mean absolute error (MAE) = 129.81 m, and maximum error = 259.62 m. At the same time, the proposed cooperative localisation with physical-layer security decreases the attacked cooperative localisation error to RMSE = 4.00 m, MAE = 3.51 m, and maximum error = 12.01 m. Full article

Modern vehicles rely on in-vehicle network protocols such as Controller Area Network (CAN) protocol, but these protocols were designed without encryption or authentication. Therefore, the vehicles are exposed to cyber attacks. Motion-based Intrusion Detection Systems (MIDSs) exploit correlation between physically related signals to detect attacks. However, we show that MIDSs are vulnerable, because correlation coefficient is invariant to positive linear scaling. Hence, an adversary may manipulate a signal while keeping its correlation high. In this paper, we propose a Correlation Scaling Attack (CSA) that forges wheel speed signals by scaling their original value while keeping the temporal trend consistent with the other signal. We analyze that correlation coefficient remains unchanged when the signal is forged. Consequently, the CSA evades conventional MIDSs. To mitigate this limitation of MIDS, we exploit covariance between two signals as a complementary indicator, since covariance provides magnitude information. We evaluate the proposed attack and defense mechanism using CAN log data collected from a real vehicle. Experimental results verify the effectiveness of CSA, and we demonstrate that CSA can be detected by observing covariance between two signals. Our research not only indicates that the CSA is a significant threat to cars, but provides a feasible mitigation exploiting the covariance. Full article

IEC 61850 digital substations depend on communication services whose compromise can affect protection, supervision, and control. Existing work has advanced substation threat modeling, cyber-physical testbeds, and intrusion detection, but the relation between structured threat priority and operational observability remains under-characterized. This article examines that relation in a smart grid simulator (SGSim)-based IEC 61850 digital-substation environment. DFD-guided STRIDE analysis, CVSS v3.1 scoring, likelihood–impact prioritization, and ATT&CK for ICS mapping produce a 47-threat inventory. Three high-priority scenarios are then validated using packet-capture evidence and SCADA/HMI observations: a volumetric denial-of-service (DoS) attack against the IEC 60870-5-104 supervisory path, a TCP SYN flood targeting the same service endpoint, and a GOOSE false data injection (FDI) attack targeting event communication. The analysis distinguishes risk priority, operational observability, and operational consequence, and evaluates each attack across network, service, and operator planes. The results show that, in the studied environment, the validated high-priority attacks do not disclose their severity through a common visibility pattern. The volumetric DoS case is strongly visible and primarily compromises communication availability; the SYN flood weakens control recoverability while remaining weakly visible at the operator plane; and the GOOSE FDI case preserves communication continuity while falsifying the represented operational state. These findings indicate that visible disruption alone is insufficient for interpreting cyber-physical severity in the studied SGSim-based digital substation. Full article

Ensuring resilient controllability and observability in SCADA-based smart grids under coordinated cyberattacks remains a critical and unresolved challenge in modern cyber-physical power systems. This paper investigates the impact of coordinated cyberattacks on the stability and monitoring capabilities of SCADA-based smart-grid systems within a controlled cyber-physical environment. An active cyber-physical testbed representing a multi-bus power system was created to analyze how attacks targeting communication channels affect controllability and observability. Several attack scenarios were implemented, including remote access attacks via Secure Shell (SSH), Modbus/TCP flooding, and ICMP-based attacks, to monitor their impact on control actions, communication reliability, and system responsiveness. To address these vulnerabilities, a SCADA-based cybersecurity monitoring system was implemented within the controlled testbed environment. The system analyzes SCADA operational logs from smart grid devices while packet-level network traffic is captured and examined using monitoring tools such as Wireshark. A central monitoring layer coordinates system-wide attack detection and response. System resilience was evaluated using controllability and observability matrix rank analysis, together with dynamic stability metrics during attack conditions. Experimental and simulation results show that coordinated cyberattacks significantly degrade system performance, with the average delay rising from 12 ms to 210 ms, the packet loss rate increasing to 15.5%, and the command execution error rate reaching 40%. Furthermore, the ranks of the controllability and observability matrices dropped from 4 to 2, indicating a critical partial loss of the system’s control and monitoring capabilities. In this work, the federated-learning-based component is explored as a distributed, privacy-preserving cybersecurity monitoring framework for anomaly detection and observability enhancement using SCADA-derived datasets, rather than as a fully integrated real-time SCADA operational control mechanism. At the same time, the attack’s impact on electrical properties remained limited to less than 2%. Full article

Addressing the challenge of effectively detecting data tampering attacks in cyber-physical systems, this paper proposes an attack detection method based on prior information for the identification of a class of Hammerstein nonlinear systems measured by binary sensors. This method leverages the periodic structure of the system inputs and the statistical properties of the binary observation data to characterize the asymptotic properties of the parameter estimators; furthermore, by incorporating prior information regarding the system parameters, it constructs a detection criterion that enables the effective identification of attack behaviors. To enhance the computational efficiency of the algorithm in practical applications, a Multilayer Perceptron (MLP) is employed to approximate the implicit nonlinear inverse mapping, thereby circumventing the numerical difficulties associated with directly solving systems of nonlinear equations. On a theoretical level, the asymptotic distributions of the detection algorithm’s false alarm rate and missed detection rate are derived, and a systematic analysis is conducted on how detection performance is affected by factors such as system input period, prior information scope, and data length. Numerical simulations validate the efficacy of the proposed method; the results demonstrate that as the data length increases, both the false alarm rate and the missed detection rate of the algorithm decrease. Moreover, a broader scope of prior information leads to a lower false alarm rate but a higher missed detection rate, thereby illustrating the “double-edged sword” effect of prior information in the context of attack detection. This study provides a theoretical foundation and technical support for attack detection in nonlinear systems operating under conditions of data constraints and security threats. Full article

Smart grids increasingly rely on digital communication, expanding the attack surface beyond the reach of conventional network intrusion-detection systems. Physics-based monitoring can detect anomalies that bypass traffic inspection, but most prior methods only provide binary detection and do not identify attackers or describe associated network behaviour. This paper presents a two-stage cyber–physical detection and attribution pipeline for the IEEE 14-bus smart grid. In Stage 1, a four-layer GATv2 model analyses sliding windows of PLC sensor data and operates as a binary anomaly detector (Benign vs. Attack), achieving $96.39\pm 1.26\%$ accuracy, macro-F1 $0.949\pm 0.019$, recall $0.992\pm 0.007$, and ROC-AUC $0.994\pm 0.005$ (mean ± std, 5 seeds, tuned configuration). GATv2 achieves the highest recall among all tested binary classifiers (Random Forest: $0.970$; SVM: $0.860$; KNN: $0.988$ at low AUC $0.759$), the primary metric in safety-critical intrusion detection where a missed attack is more dangerous than a false alarm. A Welch t-test across five independent seeds confirms that GATv2 and RF are statistically equivalent in accuracy ($t=-2.030$, $p=0.096$). A six-class ablation study reveals that Backdoor is physically near-invisible (F1 $=0.238$, lowest among all classes), motivating the network attribution stage. In Stage 2, triggered only after anomaly detection, a LightGBM model trained on 27 network-traffic features attributes the attack campaign, reaching $83.05\pm 0.00\%$ accuracy and macro-F1 $0.819\pm 0.002$ across all six cyber classes. A final enrichment stage correlates anomaly windows with network events to extract attacker IP and MAC information, suspicious ports, Modbus manipulation signals, and connection-rate anomalies, producing a structured forensic report. Ablations and visual analyses show that graph-based physical sensing and statistical network attribution are complementary. To the best of our knowledge, this is the first work to combine topology-aware GNN physical detection, multi-class cyber attribution, and automated forensic enrichment in a single pipeline evaluated on this dataset. Full article

Cyberworthiness extends the concept of cybersecurity by evaluating whether systems and networks can perform their intended functions securely while maintaining protection against cyber threats. In corporate environments, cyberworthiness aims to ensure security, operational resilience, and trustworthiness across interconnected business processes and digital infrastructures. Modern organisations increasingly rely on complex cyber–physical and information systems, where vulnerabilities in software, networks, and devices can introduce significant operational and security risks. Cyberworthiness, therefore, encompasses security controls, risk management practices, and compliance with recognised cybersecurity standards and governance frameworks. It supports the assessment of information technology components and their exposure to both known and emerging cyber attacks, enabling organisations to evaluate system robustness and operational continuity. While cyberworthiness has historical foundations in system assurance and dependability, it also provides a conceptual basis for contemporary cyber resilience strategies. This paper discusses the concept of cyberworthiness in corporate organisations and identifies potential pathways for its practical implementation. It analyses existing cybersecurity standards and governance frameworks to support structured cyberworthiness assessment. This study presents a structured comparative review of fifteen cyberworthiness-relevant standards, supported by a Source Quality Appraisal Framework, a Framework Selection Guide specifying when each standard should be preferred and where conflicts arise, and a five-dimensional Cyberworthiness Assessment Readiness Model (CARM), a directional self-assessment instrument. The Efficient Automatic Safety and Security Assurance (EASSA) concept is proposed as a direction for future research, not a validated deployed system. Ensuring cyberworthiness remains challenging due to automation limitations in all reviewed standards, evolving threat landscapes, and governance complexity, requiring organisations to adopt integrated and measurable approaches to safeguard their digital assets and operational systems. Full article