Search Results (154)

Large-scale smart city Internet of Things (IoT) infrastructures must simultaneously provide strong cybersecurity protection, real-time anomaly detection, and energy-efficient operation despite the strict resource limitations of sensing devices. The current body of research typically addresses secure data management, edge intelligence, or energy optimization in isolation, leaving a practical gap in unified frameworks that jointly optimize these objectives. This paper proposes a jointly co-designed energy-aware cybersecurity framework that integrates lightweight secure sensing, hybrid edge-based anomaly detection, Practical Byzantine Fault Tolerance (PBFT)-enabled blockchain integrity, and Grey Wolf Optimization (GWO)-driven edge deployment within a single end-to-end architecture. The practical contribution of the proposed framework lies in enabling tamper-evident trusted sensing, real-time detection of both data and energy anomalies, and communication-efficient operation suitable for scalable smart city deployments. The simulation results demonstrate that the proposed method achieves strong operational efficiency, reaching up to 234.6 transactions per second while maintaining end-to-end latency of approximately 140–194 ms and reducing total energy consumption to about 1.68 J under high-load conditions. In addition, the hybrid anomaly detection mechanism achieves an F1-score of 0.985 and ROC-AUC of 0.992, confirming strong detection capability under realistic sensing and attack scenarios. Full article

This article presents the potential for maliciously influencing a control system by interfering with the program code of an industrial controller, using a temperature control system for a heating process based on resistive electric heating as an example. The presented attack scenarios are crucial for the energy efficiency of electric heating systems, which is related to the issue of cybersecurity in the area of energy security. The aim of this research was to demonstrate that a cyberattack involving the malicious manipulation of the setpoint can be carried out in a manner invisible to the heating process operator and be difficult to detect using classical time-domain control quality indicators (time-response specifications). The first involves incorporating proportional elements with mutually inverted gains into the input and output of a closed-loop system. The second method is based on adding an additional transfer function G_m(s) in parallel to the control system. The difference between the correct and manipulated setpoints is introduced into the input, and the output signal is added to the actual (hidden) value of the controlled variable. In the first method, at the moment of starting the control system, there is a difference between the apparent (falsified) value and the ambient temperature. In the second method, the inclusion of an additional G_m(s) ensures that the apparent (falsified) value of the controlled variable matches the temperature at the moment of starting the system. PID control enables achieving satisfactory control quality in heating processes, which are characterized by high inertia and time delays. Compared to classical PID regulation, advanced control methods can, under certain conditions, provide better performance in terms of quality indicators. However, due to their high computational complexity and sensitivity to model uncertainty—particularly in methods relying on accurate system identification—PID controllers continue to be widely used in industrial practice. For this reason, the present study focuses on a control system based on a PID controller as a practical solution. Based on the results, it was found that the most effective manipulation occurred within the range from 0.9 to 1.1 of the actual setpoint value for both the first and second method, using a model with $T_m$ between 5 s and 30 s. In these cases, the quality indicators referenced to the nominal values, determined for the falsified control system responses to a step change in the setpoint, were as follows: overshoot—0.97 and 1.30 (method 1), and 0.90 and 1.10 (method 2 for 5 s), 0.75 and 1.30 (method 2 for 30 s); settling time—1.06 (method 1), and 0.98 and 1.17 (method 2 for 5 s), 0.85 and 1.14 (method 2 for 30 s). The settling times determined for the system’s response to a disturbance were: 1.00 and 1.15 (method 1), and 1.13 and 1.16 (method 2 for 5 s), 1.12 and 1.02 (method 2 for 30 s). Based on the conducted analysis, it was demonstrated that the relatively simple setpoint manipulation methods presented can effectively mask the impact of malicious interference on the temperature value in the control system of a heating process. Full article

Rapid expansion of electric vehicle adoption has led to increased dependence on a charging infrastructure that is tightly integrated with energy distribution systems and digital communication networks. As electric vehicle charging stations evolve into complex cyber–physical systems, cybersecurity risks pose a growing threat to grid reliability and user trust. This paper presents a hybrid decision-support framework for cybersecurity risk assessment in EV charging infrastructure that advances beyond prior multi-criteria decision-making approaches by combining interpretability with data-driven validation. Specifically, the framework integrates the Analytic Hierarchy Process (AHP) for expert-driven weighting of cybersecurity attributes with PROMETHEE for flexible threat prioritization, enabling transparent and auditable risk rankings. The framework categorizes cybersecurity criteria across four infrastructure layers—transmission, distribution, consumer, and electric vehicle charging stations—and assigns relative weights through expert-driven pairwise comparisons. PROMETHEE is then applied to rank potential cyber threats based on these weights, allowing for flexible prioritization of cybersecurity interventions. The methodology is validated using the real-world WUSTL-IIoT-2018 SCADA dataset, which includes simulated reconnaissance (network scanning), device identification, and exploitation attacks. While this dataset does not natively include OCPP 2.0 or ISO 15118 protocols, the experimental results demonstrate strong discrimination power (AUC = 0.99, recall = 95%) and provide a basis for extension to modern EVSE communication standards. The results identify critical metrics such as anomalous source packet behavior and encryption reliability as key vulnerability markers, aligning with documented EV charging attack scenarios. By bridging expert judgment with empirical traffic data, the proposed framework offers both technical robustness and explainability, supporting grid operators, SOC teams, and infrastructure planners in systematically assessing risks, allocating resources, and enhancing the resilience of EV charging ecosystems against evolving cyber threats. Full article

This study presents a practical methodology for executing Man-in-the-Middle (MitM) attacks on industrial control systems that utilize PROFINET I/O—a communication layer that remains largely underexplored in ICS cybersecurity research. A hybrid digital-twin-based testbed is developed by integrating Siemens S7-1500 and S7-1200 PLCs with a process replica implemented in PCSimu, together with a malicious application that modifies specific process data before it is delivered through the PROFINET I/O channel, enabling controlled falsification of process information in real time. The attacker operates through a Modbus TCP control channel while injecting the manipulated values into the 40-byte Real-Time Class 1 (RTC1) cyclic process-data payload while preserving frame integrity and protocol-level validity indicators. Experimental results show that SDU-level modifications on the 2-ms RTC1 cycle produced deterministic and fully reproducible effects on PLC-level behavior, including forced actuator confirmations and falsified process states, demonstrating the feasibility of both DI- and DO-level manipulation scenarios. Network captures and MSSQL-based event logs provide bit-level correlation between the injected SDU modifications and their impact on the automation sequence, confirming the reliability of the proposed manipulation mechanism. The testbed also supports the systematic generation of labeled datasets for training and evaluating machine-learning-based intrusion and anomaly-detection methods, and offers direct applicability to research, education, and operator-training activities in industrial cybersecurity. Overall, the proposed platform offers a secure, reproducible, and practically applicable environment for vulnerability assessment, attack simulation, and the development of detection techniques in industrial PROFINET networks. Full article

LoRaWAN’s role in global maritime logistics has allowed for efficient monitoring of ships and cargo, but it also comes with critical cybersecurity vulnerabilities. Experimental validation of three attack vectors—replay attacks, narrowband jamming and metadata inference—is conducted using a reproducible digital-twin LoRaWAN dataset reflecting Rotterdam port-like operational patterns (N = 20,000 baseline transmissions). Using controlled simulations and Kolmogorov–Smirnov statistical analysis, we show that: (1) replay attacks are feasible under Activation by Personalization (ABP) configurations lacking enforced frame-counter validation and exhibit no univariate separation from legitimate traffic under Kolmogorov–Smirnov analysis (p > 0.46 for all evaluated radio features); (2) narrowband jamming leads to significant SNR degradation (p = 2.36 × 10⁻⁵) on targeted channels without inducing broad distributional anomalies across other radio features; and (3) metadata-only analysis supports elevated metadata-based re-identification susceptibility (median $R_d=0.834$), indicating high predictability under passive observation which can reveal operationally relevant signals even when AES-128 is employed. Our proposed layered mitigation framework consists of mandatory Over-the-Air Activation (OTAA), cryptographic key rotation, channel diversity incorporating Adaptive Data Rate (ADR), gateway hardening, and protocol-level enforcement considerations, customized for maritime LPWAN scenarios. We provide experiment-backed evidence and actionable recommendations to connect academic LPWAN security research to that of industrial maritime practice. Full article

Cybersecurity operations in IoT and edge environments require fast, evidence-grounded decisions under strict resource and trust constraints. While large language models can support triage and incident analysis, their parametric knowledge may be outdated and prone to hallucination. Retrieval-augmented generation (RAG) improves grounding by conditioning responses on retrieved evidence, but also introduces new risks such as knowledge-base poisoning, indirect prompt injection, and embedding leakage. Federated learning enables collaborative adaptation without centralizing sensitive data, motivating federated RAG (FedRAG) architectures for distributed cybersecurity deployments. This study presents a deployment-oriented scoping review of FedRAG for cybersecurity. The review follows PRISMA-ScR reporting guidance and synthesizes 82 studies published between 2020 and 2026, identified through keyword search and citation snowballing over OpenAlex, arXiv, and Crossref. We develop a taxonomy that clarifies the components of federated systems, deployment locations, trust boundaries, and protected assets. We further map the combined RAG+FL attack surface, summarize practical defenses and system patterns, and distill actionable guidance for secure, privacy-preserving, and efficient FedRAG deployment in real-world IoT and edge scenarios. Our synthesis highlights recurring trade-offs among robustness, privacy, latency, communication overhead, and maintainability, and identifies open research priorities in benchmark design, governance mechanisms, and cross-silo evaluation protocols for practical deployment. Full article

Industrial Control Systems (ICSs) are the backbone of modern critical infrastructure, such as electric power, water treatment, oil and gas distribution, and manufacturing operations. While the convergence of IT and OT has greatly increased efficiency and observability, it has also greatly expanded the attack surface of these once-isolated systems. High-profile cyber-physical attacks, including Stuxnet (2010), TRITON (2017), and the Colonial Pipeline ransomware attack (2021), have shown that ICS-targeted cyberattacks can cause physical damage, disrupt economic stability, and put public safety at risk. Despite the growing prevalence and intensity of such threats, ICS-based cybersecurity education remains largely under-resourced and underfunded. Traditional ICS training laboratories require highly specialized hardware, vendor-specific tools, and expensive licensing that significantly raise barriers to entry. Traditional labs typically require on-site participation and pose physical safety concerns when cyber-physical attack scenarios are performed. These barriers leave students unable to get necessary security training for ICSs. Therefore, this paper introduces ${\mathrm{AE}}^3$GIS: Agile Emulated Educational Environment for Guided Industrial Security—a fully virtual, lightweight, open-source platform designed to democratize ICS cybersecurity education. Based on the GNS3 network simulation tool, ${\mathrm{AE}}^3$GIS enables rapid deployment of comprehensive ICS environments containing IT and OT systems, industrial communication protocols, control logic, and diverse security tools. ${\mathrm{AE}}^3$GIS is designed to provide practical training for students using realistic ICS cybersecurity scenarios through a local or remote training platform without the cost, safety, or accessibility limitations of hardware-based labs. Full article

The emergence of quantum computing poses a significant threat to the security of traditional encryption methods employed in satellite communication. To mitigate this vulnerability and enhance cybersecurity in the next generation of communication systems, a novel physical-layer solution is presented. This approach centers on enhancing satellite link security through the analysis of stochastic atmospheric scintillation, facilitated by machine learning (ML). The proposed method safeguards ground stations against Machine-in-the-Middle (MITM) attacks perpetrated from aerial platforms (AP) such as drones or Unmanned Aerial Vehicles (UAVs). The underlying principle leverages the distinct statistical parameters inherent to received signals. These parameters are contingent upon the specific propagation channel, which is influenced by rapid tropospheric scintillation. As signals from legitimate satellites and malicious drones traverse separate spatial paths within the dynamic atmosphere, they exhibit demonstrably divergent scintillation statistics. Wavelet filtering is employed to extract these statistics from the incoming signal. The extracted data is subsequently processed through an ML algorithm, enabling the differentiation between satellite signals and potential spoofing signals emanating from drones. Extensive simulations have been conducted, illustrating the efficacy and robustness of the proposed architecture, consistently achieving an authentication rate exceeding 98% across diverse scenarios. Additionally, experimental results obtained from measurement data collected from Nilesat and Eutelsat satellites at a ground station in Israel provide empirical validation for this innovative approach. Full article

The Internet of Medical Things (IoMT) transforms healthcare through interconnected medical devices but faces significant cybersecurity threats, particularly intrusion and exfiltration attacks. Centralized intrusion detection systems (IDSs) require data aggregation, presenting privacy and scalability risks. This paper proposes FedEnsemble-DP, a privacy-aware Federated Learning (FL) framework for decentralized intrusion detection in IoMT networks. The framework integrates three data balancing scenarios (Raw Imbalanced, Local SMOTE, Centralized SMOTE) with Differential Privacy (DP) and Secure Aggregation mechanisms. Extensive experiments on WUSTL-EHMS-2020 and CIC-IoMT-2024 datasets under non-IID settings (Dirichlet $\alpha$ = 0.3) demonstrate that models with strong privacy guarantees ($\epsilon$ = 3.0) frequently match or exceed non-private baselines. Key findings show Local SMOTE with $\epsilon$ = 3.0 achieved 94.60% accuracy and 0.9598 AUC, while Raw Imbalanced with $\epsilon$ = 3.0 attained 94.50% accuracy and 0.9494 AUC. Even with strict privacy ($\epsilon$ = 3.0), these results surpassed the non-private baseline (93.20% accuracy) in the raw scenario. Centralized SMOTE showed effectiveness but introduced training instability. These results indicate that local data balancing combined with calibrated DP noise can yield high detection performance while preserving privacy, effectively bridging security-performance and data confidentiality requirements in distributed healthcare networks. Full article

Water Distribution Networks (WDNs) are critical infrastructure for delivering clean and safe drinking water. As modern WDNs increasingly integrate cyber technologies, they evolve into complex cyber–physical systems (CPSs). This connectivity, however, introduces new vulnerabilities, including cyberattacks. Cybersecurity protects systems from unauthorized access, attacks, and data breaches. In this systematic review, we adopted the PRISMA 2020 reporting guideline. Predefined keyword strings were designed to extract relevant articles from Scopus and Web of Science during the period of 2014–2025. In total, 32 peer-reviewed studies were included for narrative synthesis following duplication and eligibility screening. The review protocol was not registered. This review provides a unified perspective on how Artificial Intelligence (AI) contributes to WDNs resilience. The literature is evaluated in terms of detection tasks, data modalities, learning paradigms, and model architecture. The results highlight three key findings: (a) data bias, reflected in significant reliance on specific synthetic datasets and limited use of real-world utility network data; (b) performance, with deep learning architecture, such as long-short-term memory models, achieving commendable levels of accuracy in intrusion detection, however, overall comparison with other models remain scenario-dependent; and (c) future directions, synthesized through an AI-centered perspective that emphasizes resilience and identifies research gaps in adaptive online learning, attack prediction, interpretability, federated learning and topology localization. This study concludes with recommendations for the broader integration of AI tools to support resilient WDN operation. Full article

This study presents an edge-based intrusion detection methodology designed to enhance cybersecurity in Internet of Things environments, which remain highly vulnerable to complex attacks. The approach employs an Auxiliary Classifier Generative Adversarial Network capable of classifying network traffic in real-time while simultaneously generating high-fidelity synthetic data within a unified framework. The model is implemented in TensorFlow and deployed on the energy-efficient NVIDIA Jetson Orin Nano, demonstrating the feasibility of executing advanced deep learning models at the edge. Training is conducted on network traffic collected from diverse IoT devices, with preprocessing focused on TCP-based threats. The integration of an auxiliary classifier enables the generation of labeled synthetic samples that mitigate data scarcity and improve supervised learning under imbalanced conditions. Experimental results demonstrate strong detection performance, achieving a precision of 0.89 and a recall of 0.97 using the standard 0.5 decision threshold inherent to the sigmoid-based binary classifier, indicating an effective balance between intrusion detection capability and false-positive reduction, which is critical for reliable operation in IoT scenarios. The generative component enhances data augmentation, robustness, and generalization. These results show that combining generative adversarial learning with edge computing provides a scalable and effective approach for IoT security. Future work will focus on stabilizing training procedures and refining hyperparameters to improve detection performance while maintaining high precision. Full article

This article presents the design and implementation of a Virtual Cyber-Physical Testbed (VCPT) for transportation systems, featuring an automated level-crossing process. The proposed design improves network fidelity while keeping the platform lightweight. Key components include the Programmable Logic Controller (PLC), sensors, actuators, the Supervisory Control and Data Acquisition (SCADA) system, and OPNsense. Guided by NIST SP 800-115, penetration testing revealed several vulnerabilities and weaknesses that can be exploited and mitigated. Six attack scenarios—enumeration, brute force, remote code execution, ARP poisoning, DoS, and command injection—were executed, demonstrating realistic impacts on process safety and availability. Mitigation strategies using custom firewall and Intrusion Detection and Prevention System (IDPS) rules contributed to improving the security posture of VCPT. Educational evaluation with 41 cybersecurity students showed a 24% increase in average scores and a significant rise in top performers, further supported by positive feedback on engagement and realism. These results validate the VCPT as an effective platform for cybersecurity research, training, and experiential learning. Full article

Detecting anomalous events in high-dimensional behavioral data is a fundamental challenge in modern cybersecurity, particularly in scenarios involving stealthy advanced persistent threats (APTs). Traditional anomaly detection techniques rely on heuristic notions of distance or density yet rarely offer a mathematically coherent description of how sparse events can be formally empirically separated from the dominant behavioral structure. This study introduces a density–metric geometric space framework that unifies geometric, topological, and density-based perspectives into a single analytical model. Behavioral events are embedded in a five-dimensional Euclidean geometric space equipped with a neighborhood-based density operator. Anomalies are formally defined as points whose local density falls below a fixed threshold, and we show that such points occupy empirically distinct low-density regions of the induced metric space. The theoretical foundations are supported by experiments conducted on openly available cybersecurity datasets, including ADFA-LD and UNSW-NB15, where we demonstrate that low-density behavioral patterns correspond to structurally rare attack configurations. The proposed framework provides a mathematically grounded framework with empirical validation for why APT-like behaviors naturally emerge as sparse and weakly coherent regions in high-dimensional space. These results offer a principled basis for high-dimensional anomaly detection and open new directions for leveraging geometric learning in cybersecurity. Full article

Software-defined (SD) honeypots, as dynamic cybersecurity technologies, enhance defense efficiency through flexible resource allocation. However, traditional SD honeypots face latency and jitter issues under network fluctuations, while balancing adjustment costs with defense benefits remains challenging. This paper proposes a DPU-accelerated SD honeypot security service deployment method, leveraging DPU hardware acceleration to optimize network traffic processing and protocol parsing, thereby significantly improving honeypot environment construction efficiency and response real-time performance. For dynamic attack–defense scenarios, we design an adaptive adjustment strategy combining Stackelberg game theory with deep reinforcement learning (AASGRL). By calculating the expected defense benefits and adjustment costs of optimal honeypot deployment strategies, the approach dynamically determines the timing and scope of honeypot adjustments. Simulation experiments demonstrate that the mechanism requires no adjustments in 80% of interaction rounds, while achieving enhanced defense benefits in 20% of rounds with controlled adjustment costs. Compared to traditional methods, the AASGRL mechanism maintains stable defense benefits in long-term interactions, verifying its effectiveness in balancing low costs and high benefits against dynamic attacks. This work provides critical technical support for building adaptive proactive network defense systems. Full article

The growing demand for digital content protection has significantly increased the importance of image watermarking, particularly in light of the rising vulnerability of multimedia content to unauthorized modifications. In recent years, research has increasingly focused on leveraging deep learning architectures to enhance watermarking performance, addressing challenges related to transparency, robustness, and payload capacity. Numerous deep learning-based watermarking methods have demonstrated superior effectiveness compared to traditional approaches, particularly those based on Convolutional Neural Networks (CNNs), Generative Adversarial Networks (GANs), Transformers, and diffusion models. This paper presents a comprehensive survey of recent developments in both conventional and deep learning-based image watermarking techniques. While traditional methods remain prevalent, deep learning approaches offer notable improvements in embedding and extraction efficiency, particularly when facing complex attacks, including those generated by advanced AI models. Applications in areas such as deepfake detection, cybersecurity, and Internet of Things (IoT) systems highlight the practical significance of these advancements. Despite substantial progress, challenges remain in achieving an optimal balance between invisibility, robustness, and capacity, particularly in high-resolution and real-time scenarios. This study concludes by outlining future research directions toward develop robust, scalable, and efficient deep learning-based watermarking systems capable of addressing emerging threats in digital media environments. Full article