Search Results (559)

The rise of capture-the-flag (CTF) competitions and offensive security training requires the deployment of systems that are, by design, flawed. This creates a unique architectural paradox: how does one host a system intended to be compromised without compromising the host itself? This paper classifies the security principles of “range engineering”—the discipline of engineering the environment. This research study synthesizes evidence across the cyber-range, honeypot, ICS/OT testbed, and cloud-isolation literature to derive a containment-focused classification of threat planes, security invariants, boundary mechanisms and properties, and operational controls for intentionally vulnerable environments used in education, training, and research. Five security invariants are derived under the assumption of expected compromise and mapped to boundary families and measurable operational objectives. The analysis further identifies under-evidenced areas, particularly control-plane isolation, corrective controls for cross-tenant failures, and systematic validation of externalization defenses. Full article

Industrial automation systems are increasingly cyber-physical, interconnected, and software-dependent, which expands both their operational capability and their cybersecurity exposure. This article reports a systematic literature review, conducted following the PRISMA 2020 guidelines, of cybersecurity requirements and certification standards in industrial automation, with emphasis on Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs), and Industry 4.0 contexts. From 3570 records identified across five academic databases, 75 studies were retained after duplicate removal, title and abstract screening, and full-text eligibility assessment. The included studies were analyzed along three dimensions: cybersecurity requirements, standards and certification, and application context. Quantitative synthesis shows that network segmentation, intrusion detection, secure communication, access control, lifecycle security, and safety–security coordination are the six most frequently emphasized requirement categories, and that ISA/IEC 62443, ISO/IEC 27001, NIST SP 800-82, and NERC-CIP are the four dominant certification frameworks. The review identifies four critical gaps between technical cybersecurity requirements and certification practice and proposes an integrated mapping framework linking requirement categories, standards, and application contexts. The findings indicate that effective industrial cybersecurity assurance depends on a layered compliance architecture rather than on dependence on any single framework. Full article

This paper presents a Threat Analysis and Risk Assessment (TARA) of the takeover request (TOR) component in Advanced Driver Assistance Systems (ADAS) for SAE Level 2–3 automation. A TOR prompts the human driver to retake control when the system approaches its Operational Design Domain limits or when risk increases; late, false, or muted requests directly impact safety. The study models the TOR pipeline (perception, driver monitoring, decision logic, in-vehicle networks, and Human–Machine Interface) as assets and data flows, applies STRIDE-based threat identification using Microsoft Threat Modeling Tool and Ansys Medini Analyze, and rates risks under ISO/SAE 21434 with traceability to ISO 26262, ISO 21448, and UNECE R155/R157. The assessment produces 165 threat rows, with an initial risk distribution of 1 Critical, 113 High, 34 Medium, and 17 Low. Results show that tampering, denial of service, and spoofing dominate the TOR threat landscape, with the central processing unit, sensor-to-CPU links, and HMI channels as primary trust anchors. After applying mitigation measures including secure boot, message authentication, intrusion detection, redundancy checks, and encrypted communication, the residual post-mitigation security levels were reduced to 0 Critical, 0 High, 13 Medium, 101 Low, and 51 Negligible. Unlike other ADAS TARA studies, this TOR-focused analysis shows that cybersecurity risk is shaped by the interaction between cyber compromise, driver-readiness estimation, HMI delivery, fallback execution, and the limited handover time budget. The results support a defence-in-depth mitigation strategy for secure TOR operation in SAE Level 2–3 vehicles. Full article

Deep learning is increasingly used in cybersecurity to detect, classify, prioritize, and explain evidence from network traffic, logs, binaries, graphs, text, code, and multimodal telemetry. However, the literature remains fragmented across tasks, datasets, architectures, trustworthiness properties, and deployment settings, making it difficult to judge whether benchmark performance transfers to operational cyber defense workflows. This paper presents a structured narrative review with an evidence-oriented synthesis, not a Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA)-counted systematic review. The synthesis uses a de-duplicated cited-source bibliography of 115 references as an evidence-mapping corpus; this corpus is reported for transparency and is not presented as a PRISMA final-inclusion set. The evidence map is organized through a five-axis framework: security task, data modality, model family, trustworthiness property, and deployment environment. In response to methodological and scope concerns common in broad survey work, the revision narrows the claims to a transparent cited-source synthesis, defines explicit inclusion boundaries, adds a data-charting codebook, reports non-exclusive coded emphasis matrices, and introduces practical tables for dataset selection, split protocols, deployment-reporting targets, and large language model (LLM)-enabled security operations center (SOC) risk controls. Across application areas, the reviewed literature indicates that benchmark accuracy is necessary but insufficient. Deployment readiness also depends on adversarial robustness, privacy protection, explainability, uncertainty calibration, drift handling, reproducibility, resource-aware resilience, and computational feasibility. The review identifies persistent gaps in temporal validation, cross-dataset testing, analyst-centered explanation, secure learning pipelines, agentic-LLM safety, and edge-aware deployment. The resulting research agenda emphasizes accurate, resilient, privacy-aware, explainable, reproducible, and deployable cybersecurity artificial intelligence systems. Full article

Internet of Things (IoT), sensor-network, and cyber-physical system (CPS) software increasingly relies on large language models (LLMs) and autonomous agents for code generation, maintenance, and vulnerability repair. However, LLM-generated edge services, telemetry APIs, configuration handlers, and data-aggregation routines can introduce SQL injection, path traversal, command injection, hard-coded credentials, and unsafe device-control logic, which may compromise sensing data integrity and system safety. Existing approaches largely rely on static post hoc analysis and lack a unified modeling of the generation process, making it difficult to achieve a principled trade-off between functionality and security. To address this challenge, we propose SafeCodeRL, a framework that integrates multi-agent collaboration with constrained reinforcement learning for trustworthy LLM-generated IoT/CPS software. SafeCodeRL models code generation as a security-aware sequential decision process, where Planner, Code, Security, Test, and Critic agents jointly optimize task decomposition, code synthesis, vulnerability auditing, and sandbox-based validation. We design a constraint-aware policy based on Proximal Policy Optimization, augmented with a Lagrangian mechanism and a shielding strategy to explicitly enforce security constraints. Experiments on real-world engineering and security benchmarks, including SWE-bench, SecurityEval, and CyberSecEval, show that SafeCodeRL reduces high-risk vulnerabilities by over 60% while maintaining high functional correctness. A scenario-level IoT/CPS case study further demonstrates that SafeCodeRL substantially improves secure pass rates for sensor telemetry, edge gateway, configuration-management, and data-aggregation tasks, providing a practical path toward trustworthy AI-assisted software development for sensor-driven systems. Full article

The convergence of the Internet of Things (IoT), edge computing, and artificial intelligence (AI) is reshaping cyber defense in distributed cyber–physical environments. IoT-edge systems expose heterogeneous, resource-constrained, and intermittently connected devices to threats that unfold close to sensing and control processes, making purely signature-based or rule-based defenses increasingly insufficient. This article presents a structured review of AI for cybersecurity in IoT-edge systems from a systems-oriented perspective. Rather than surveying AI for IoT security in general, it organizes the literature around four practical lenses: AI methods, datasets and benchmarks, evaluation practice, and deployment constraints. The review reconstructs a workspace-verifiable corpus of 96 references, emphasizes literature published between January 2023 and April 2026 while retaining foundational benchmark papers, and uses a conservative 26-paper empirical subset for paper-level gap coding. Because this subset was purposively sampled and the original retrieval logs were not preserved, coded counts are interpreted as recoverable reporting signals and comparability indicators rather than field-level prevalence estimates. The revised synthesis further stratifies the coded evidence by task, model family, dataset, application scenario, metric type, and deployment signal, and translates deployment feasibility into a minimum reporting checklist and edge-hardware decision matrix. Within this evidence boundary, recent work remains dominated by intrusion and anomaly detection, with continued use of traditional machine learning, deep learning, federated learning, explainable AI, and graph-based approaches. However, experimentation remains concentrated around a small set of public benchmarks, while latency, memory, energy, communication overhead, operational robustness, and reproducibility are reported inconsistently. The field is therefore constrained less by classifier novelty than by benchmark concentration, weak deployment reporting, limited response-and-mitigation analysis, undercoverage of authentication, access-control, and trust-management tasks, and limited reproducible edge-aware evaluation. Full article

Critical infrastructures are increasingly Internet-connected cyber–physical systems whose recovery after cyber incidents must satisfy safety, timing, regulatory, and interdependency constraints. Yet, the use of large language models (LLMs) for generating recovery plans remains fragmented across cybersecurity, industrial control, digital twins, and AI assurance research. This review synthesizes that emerging field through a structured critical survey of studies on LLMs in incident response, OT/ICS resilience, and cyber–physical recovery, with a focused perspective on grounding, trust, and assurance mechanisms relevant to recovery-plan generation. It develops an architecture-centric taxonomy spanning prompt-only assistants, retrieval-augmented copilots, graph-aware planners, multi-agent systems, and hybrid verification/simulation pipelines; maps realistic applications across energy, water, manufacturing, transportation, healthcare, and telecommunications; and organizes limitations into technical, security, governance, and human-factor categories. Based on this synthesis, the paper proposes the Grounded Recovery Planning Stack as a reference architecture and outlines a staged roadmap from human-in-the-loop copilots to bounded orchestration. The main conclusion is that near-term value lies in grounded, auditable, compliance-aware copilots, whereas autonomous recovery execution remains premature without stronger validation, state-aware grounding, sector-specific benchmarks, and formal safeguards. Full article

Modern cybersecurity challenges span multiple layers, from human behavior and identity management to network communication and device security. This paper proposes a unified multi-layered security framework that integrates human-centric, identity-centric, and communication-centric defenses into a coherent architecture. Drawing on insights from diverse domains (industrial control systems, IoT, healthcare, blockchain, and quantum communications), we identify common defense-in-depth principles and interdependencies across layers. The study highlights the persistent gaps in current research, which often focuses on isolated layers or domain-specific models, and addresses these gaps by synthesizing a cross-domain framework. We develop a mixed-method methodology to compare and integrate multi-layer security mechanisms, and we implement a proof-of-concept risk assessment engine to evaluate the framework’s effectiveness. Preliminary results from this implementation demonstrate that combining layers yields significantly improved detection performance and resilience compared to single-layer baselines. The framework’s contributions include a comprehensive literature-driven model, an operational validation in a simulated environment, and guidelines for deploying multi-layer defenses in complex, interconnected infrastructures. Empirical findings confirm that an integrated multi-layer approach can adapt to varied threat scenarios and reduce vulnerabilities, underscoring the value of coordinated controls across technical and human factors. The proposed framework lays a foundation for future work on scalable, cross-layer cybersecurity architectures that better protect contemporary cyber–physical systems. Full article

Modern electrical grids face growing stability risks from customer-owned generators, especially at points of common couplings (PCCs). Disruptive behavior from power-electronic sources can cause protective relays to isolate problematic generators, making measurement integrity critical. This article presents a distributed ledger technology (DLT) approach that uses smart contracts to evaluate PCC voltage measurements and trigger backup breaker operations. The approach is framed as a verifiable, multi-organization attestation and audit layer, not as a real-time control security mechanism. In the proposed architecture, voltage measurements from a hardware protective relay are anchored on a DLT through the Cyber Grid Guard (CGG) system for attestation by both the grid utility and customer-owned generator. A Voltage Service Limits (VSLs) smart contract evaluates the on-chain measurements against allowable phase-voltage limits derived from the ANSI C84.1 standard. The framework is validated in a hardware-relay-in-the-loop test bed under sustained-undervoltage, sustained-overvoltage, and transient line-to-line fault scenarios. The results show that the VSL smart contract can process these measurements and issue backup breaker actions consistent with the defined service-limit criteria, demonstrating the DLT potential as a verifiable audit layer at the PCC that complements primary protection. Full article

Operational Technology (OT) and Industrial Control Systems (ICSs) along the NATO-EU eastern flank face escalating hybrid threats, yet existing cyber-resilience metrics remain IT-centric, lacking OT-specific constraints and geopolitical exposure dimensions. This paper presents a Design Science Research contribution: the development and simulation-based feasibility demonstration of two interconnected artefacts. The first is the AI-enabled Cyber-Resilience Index (ACRI)—a composite 0–100 metric operationalized through 16 indicators across four domains (detection performance, operational continuity, governance maturity, supply-chain risk), aggregated as a three-term convex combination of capability domains with a linear subtractive supply-chain exposure penalty, weighted via AHP-based illustrative sector-reference profiles. The second is the Unified Compliance Framework (UCF), a structured R → C → E → SLO mapping linking 47 atomic regulatory requirements (NIS2, DORA, CER, AI Act, CRA) to standards (IEC 62443, ISO/IEC 27001) and auditable evidence artifacts, with a Continuous Assurance Loop operationalizing continuous control monitoring. Feasibility is demonstrated through digital twin simulation under three OT-representative threat scenarios (energy SCADA APT, railway supply-chain compromise, manufacturing ransomware). Results in simulated environments show ACRI improvement from Moderate-Risk baselines (45–61) to Adequate-Resilience thresholds (65–73); the proposed federated autoencoder–LSTM detector attains a composite $D_{perf}$ of 0.883 versus 0.510 for a static ±3$\sigma$ threshold baseline (a 73% relative improvement at the domain level). Sensitivity analysis confirms classification robustness ($\pm 7.3\%$ weight perturbation; coefficient of variation below 9.1% across 10,000 Monte Carlo iterations). Critical limitations are explicit: simulation-only evidence ($n=12$ scenario instances), illustrative (non-empirical) AHP weights, no operational field validation, and limited inferential statistical power. instances), illustrative (non-empirical) AHP weights, no operational field validation, and limited inferential statistical power. The contribution is positioned as a proof-of-concept design artifact establishing methodological foundations for OT-centric resilience assessment and compliance-to-engineering traceability, not as a field-validated operational system. Full article

Cybersecurity testing laboratories must produce auditable conformity evidence while operating with rapidly changing toolchains, conditional requirements, and qualitative PASS/FAIL/INCONCLUSIVE outcomes. ISO/IEC 17025:2017 is widely used to demonstrate laboratory competence, yet its operationalisation in cybersecurity testing remains under-specified for software- and tool-driven security assessments. This paper separates an architectural contribution from an empirical contribution. The architectural contribution is a digitalized quality-management framework and automation-ready compliance architecture that translate ISO/IEC 17025 clauses into cybersecurity-specific artefacts, decision rules, controlled toolchains, evidence bundles, and review workflows. The empirical contribution is an exploratory single-laboratory case study based on unpublished, anonymised, and confidentiality-constrained laboratory artefacts: an ETSI TS 103 701 workbook with 68 provision-level test groups, including 41 claimed/applicable rows for ambiguity analysis; an IEC 62443 corrective-action plan; and ISO/IEC 17025 governance records. Within this case, structured decision rules and evidence traceability reduced the Conformity Statement Ambiguity Index from 0.976 to 0.049 and converted 37 previously INCONCLUSIVE provisions into PASS determinations. These results are reported as descriptive within-case evidence only; they do not establish predictive validity or cross-laboratory generalisability. The study contributes a clause-to-artefact crosswalk, a concrete evidence-traceability architecture, and candidate cyber-maintenance indicators for future multi-laboratory validation. Full article

Autonomous mobile robots (AMRs) are increasingly used in warehouse intralogistics to improve material flow, flexibility, productivity, and operational continuity. However, selecting an appropriate AMR is no longer limited to mechanical performance or acquisition cost, since modern warehouse robots operate as networked cyber-physical systems that must interact with enterprise software, fleet management platforms, communication infrastructures, and cybersecurity mechanisms. This study proposes an integrated Pythagorean fuzzy multi-criteria decision-making (MCDM) framework for evaluating AMR alternatives in warehouse operations by jointly considering economic, technical, physical, software-related, integration-oriented, and security-related criteria. Expert judgments obtained from eight specialists, including four academics and four private-sector professionals, were modeled using Pythagorean fuzzy numbers to capture uncertainty and hesitation in linguistic assessments. The Pythagorean Fuzzy Indifference Threshold-Based Attribute Ratio Analysis (PF-ITARA) method was employed to determine criterion weights based on threshold-sensitive discrimination among alternatives, while Pythagorean Fuzzy VIšekriterijumsko KOmpromisno Rangiranje (PF-VIKOR) was used to rank four AMR alternatives according to a compromise solution logic. The results show that investment cost, maneuverability, total cost of ownership, integration and validation requirements, and ease of programming and commissioning are the most influential criteria. Cybersecurity-related criteria, particularly data confidentiality, system integrity, monitoring and incident response readiness, authentication control, and role-based access control, also received notable importance levels. Among the evaluated alternatives, MiR250 achieved the best overall performance and emerged as the most suitable compromise solution, followed by OMRON LD-250, HIKROBOT Forklift AGV, and KUKA KMP 600-S diffDrive. The proposed framework provides a transparent and practically applicable decision-support tool for AMR procurement by integrating operational performance, digital interoperability, and cybersecurity readiness into a unified evaluation structure. Full article

Ensuring resilient controllability and observability in SCADA-based smart grids under coordinated cyberattacks remains a critical and unresolved challenge in modern cyber-physical power systems. This paper investigates the impact of coordinated cyberattacks on the stability and monitoring capabilities of SCADA-based smart-grid systems within a controlled cyber-physical environment. An active cyber-physical testbed representing a multi-bus power system was created to analyze how attacks targeting communication channels affect controllability and observability. Several attack scenarios were implemented, including remote access attacks via Secure Shell (SSH), Modbus/TCP flooding, and ICMP-based attacks, to monitor their impact on control actions, communication reliability, and system responsiveness. To address these vulnerabilities, a SCADA-based cybersecurity monitoring system was implemented within the controlled testbed environment. The system analyzes SCADA operational logs from smart grid devices while packet-level network traffic is captured and examined using monitoring tools such as Wireshark. A central monitoring layer coordinates system-wide attack detection and response. System resilience was evaluated using controllability and observability matrix rank analysis, together with dynamic stability metrics during attack conditions. Experimental and simulation results show that coordinated cyberattacks significantly degrade system performance, with the average delay rising from 12 ms to 210 ms, the packet loss rate increasing to 15.5%, and the command execution error rate reaching 40%. Furthermore, the ranks of the controllability and observability matrices dropped from 4 to 2, indicating a critical partial loss of the system’s control and monitoring capabilities. In this work, the federated-learning-based component is explored as a distributed, privacy-preserving cybersecurity monitoring framework for anomaly detection and observability enhancement using SCADA-derived datasets, rather than as a fully integrated real-time SCADA operational control mechanism. At the same time, the attack’s impact on electrical properties remained limited to less than 2%. Full article

Connected and autonomous vehicles (CAVs) increasingly rely on vehicle-to-everything (V2X) communication and distributed sensing infrastructures to support cooperative driving and intelligent transportation services. While these capabilities improve traffic efficiency and safety, they also expand the attack surface of vehicular networks and expose in-vehicle communication systems such as the Controller Area Network (CAN) bus to a wide range of cyber threats. Machine learning-based anomaly detection has emerged as a promising approach for identifying malicious CAN traffic patterns; however, conventional centralized learning requires large-scale data aggregation from vehicles, which raises privacy and scalability concerns. Federated learning (FL) enables collaborative model training across distributed vehicles without requiring the exchange of raw in-vehicle data, making it attractive for privacy-preserving vehicular security applications. Nevertheless, FL systems remain vulnerable to adversarial participants that manipulate local training data or model updates to poison the global model during aggregation. In this work, we present a systematic robustness evaluation of federated anomaly detection in connected vehicular networks under adversarial conditions. The study compares six aggregation strategies, including Federated Averaging (FedAvg), coordinate-wise Median, Trimmed Mean, Krum, Multi-Krum, and Geometric Median (GeoMed), within a non-IID federated CAN bus anomaly detection setting. The evaluation covers label-flipping attacks, gradient-scaling attacks, and a feature-triggered backdoor attack. In addition, the analysis examines malicious client participation, attack-strength variation, learning-rate sensitivity, Trimmed Mean beta sensitivity, multi-seed reliability, and server-side aggregation time. The results show that FedAvg is vulnerable under strong adversarial manipulation, while Trimmed Mean is sensitive to the selected trimming fraction. Median and GeoMed provide strong robustness against gradient-scaling attacks, whereas Multi-Krum achieves the strongest resistance to label-flipping and backdoor attacks. These findings demonstrate that no single aggregation strategy is optimal across all threat models. Instead, robust aggregation for federated CAV anomaly detection should be selected according to the expected attack type, reliability requirement, and computational overhead. Full article

Artificial intelligence is increasingly embedded in cyber–physical systems that coordinate sensing, computation, communication, and control across critical and semi-critical physical environments. Within the European Union, however, its adoption is shaped not only by technological maturity and economic value, but also by an increasingly dense regulatory landscape governing data processing, cybersecurity, product security, accountability, traceability, interoperability, and safety-relevant deployment. A PRISMA ScR-informed scoping review is used to examine how European Union regulation influences artificial intelligence adoption across four representative domains: energy and smart grids, smart buildings, mobility and transport systems, and industrial and manufacturing environments. The analysis draws on primary legal sources, the peer-reviewed literature, and policy and standards-related materials, and is structured around three dimensions: regulatory barriers, technological and architectural challenges, and cross-sector implications for governance, innovation, and competitiveness. The results show that regulation functions simultaneously as a constraint and an enabling condition. It increases compliance burden, raises integration complexity, and slows deployment in higher risk settings, while promoting trustworthy artificial intelligence, stronger cybersecurity, lifecycle governance, clearer accountability, and more interoperable digital infrastructures. The central finding is that regulation is not external to artificial intelligence adoption in cyber–physical systems, but actively shapes the design space within which such systems can be developed, integrated, validated, and scaled. Future progress therefore depends on regulation-aware systems engineering, stronger implementation guidance, and cross-sector reference architectures capable of aligning legal compliance with technical architecture and operational value creation. Full article