Search Results (619)

This article presents a generalized observer scheme for dynamic structures designed to estimate the dynamic behavior of various types of attacks, such as Denial of Service (DoS) attacks, False Data Injection (FDIA), and Random Data Injection (RDI). These attacks employ a Markovian distribution logic to alter the behavior of actuators and sensors in a cyber-physical system. A three-tank interconnected system is used to demonstrate the effectiveness in estimating these attacks, modeled under the Takagi–Sugeno representation. This approach allows for precise detection and diagnosis of the attacks, which is essential for the design of controllers that ensure the security and integrity of cyber-physical systems. Moreover, it lays the foundation for developing an attack-tolerant controller based on observers, offering a comprehensive and robust solution to address security challenges. Full article

Intrusion detection in industrial cyber-physical systems is constrained by small labelled-attack corpora and by the subtler signal of physical-process attacks compared with classical IT-network intrusions, motivating renewed interest in foundation-model-based detectors; classical detectors are typically trained per dataset and degrade under the distribution shift that is common in operational technology, where attack repertoires evolve faster than retraining cycles. Two foundation-model families are now plausible candidates: open-source Large Language Models (LLMs) and recent tabular foundation models (TabPFN, TabICL) pre-trained for in-context tabular inference. We compare the two families head-to-head, alongside Random Forest and XGBoost classical anchors, across three established industrial security benchmarks (SWaT, HAI, WUSTL-IIoT-2021) under a controlled multi-seed full-holdout protocol with paired McNemar and cross-seed Mann–Whitney tests. The empirical picture is dataset-dependent rather than universal: tabular foundation models establish a strong, previously unreported baseline that is competitive with or superior to classical anchors on every dataset evaluated, while LLMs are complementary detectors with a specific advantage on schemas that carry process-engineering semantics (such as SWaT’s named sensor channels). A per-class analysis on the WUSTL five-class attack taxonomy shows that the two families have structurally different strengths: tabular methods dominate traffic-rich attacks (Denial-of-Service, Reconnaissance), whereas LLMs are competitive on rare attack types (Backdoor, Command Injection). A confidence-gated cascade that escalates only low-confidence tabular decisions to an LLM exceeds either detector alone at a small query budget, and a leave-one-attack-type-out analysis shows that foundation-model detectors generalise to unseen attack families substantially better than the classical anchors. The appropriate detector choice in industrial cyber-physical security is therefore informed by the dataset’s feature schema, the attack-type mix, and the operational cost envelope, rather than by a specific performance metric. Full article

The Internet of Vehicles (IoV) is reshaping intelligent transportation through pervasive connectivity, real-time data exchange, cooperative perception, and vehicle–edge–cloud services, while also expanding cybersecurity and privacy risks across heterogeneous cyber–physical environments. This paper presents a PRISMA 2020-informed systematic review of IoV security and privacy protection research. A cross-layer and lifecycle-oriented analytical framework is developed by integrating a four-layer IoV architecture—sensing layer, network access layer, coordinative computing layer, and application layer—with a five-stage data lifecycle covering data collection, transmission, storage, usage, and disposal. Based on this framework, the paper examines representative threat surfaces, vehicle-to-everything (V2X) communication security, public key infrastructure (PKI) based authentication, trust management, privacy-preserving data sharing, intrusion detection, active defense, and AI-assisted security analytics. Privacy-preserving mechanisms, including differential privacy, federated learning, blockchain, homomorphic encryption, and secure multi-party computation, are further compared in terms of deployment layer, lifecycle stage, real-time suitability, and representative performance evidence. In addition, the review discusses the engineering relevance of UNECE WP.29 R155/R156, ISO/SAE 21434, and related national standards, with emphasis on compliance evidence, over-the-air (OTA) governance, supply-chain coordination, and lifecycle cybersecurity management. The review shows that no single protection mechanism can simultaneously satisfy the requirements of real-time performance, scalability, privacy preservation, trustworthiness, and regulatory compliance in dynamic IoV environments. Future research should emphasize lightweight and adaptive protection, cross-layer trust coordination, privacy–utility co-optimization, trustworthy AI-assisted security operations, and evidence-based lifecycle governance. This review provides a structured reference for researchers and a practical basis for secure and privacy-aware IoV system design. Full article

Safety-critical Industrial Internet of Things (IIoT) sensor networks deployed in disaster scenarios require intelligent routing mechanisms that prioritize mission-critical packets without relying on centralized coordination. Federated learning on resource-constrained edge nodes presents three primary challenges: the absence of an interpretable supervisory signal, the inability to act conservatively based on per-inference confidence, and vulnerability to partial node availability. The proposed FedCARE framework addresses these issues by employing a Mamdani Fuzzy Inference System to generate traceable criticality labels from multi-modal sensor telemetry, a dropout-aware aggregation protocol that normalizes over only reachable nodes, and a confidence-gated resolver that defers to symbolic fuzzy classification when model confidence is insufficient, otherwise applying an auditable maximization rule to prevent under-prioritization of safety-critical data. Evaluation on 50-, 100-, and 200-node Watts–Strogatz topologies under fault rates up to 50%, using the Edge-IIoTset and WUSTL-IIoT-2021 benchmarks, demonstrates 99.00% critical recall and up to $1.8\times$ higher overall-packet delivery compared to RPL-RP under severe fault conditions. Routing improvements are primarily attributed to fuzzy criticality labeling and multi-path replication. These findings indicate that fuzzy-supervised federated inference offers a practical and interpretable solution for safety-critical IIoT routing, with an observed energy overhead of 7.8% per delivered packet. Full article

The increasing deployment of IoT-enabled electric-vehicle charging networks has created a rapidly evolving cyber–physical environment in which security mechanisms must operate amid ever-changing data patterns and resource constraints. In these environments, static Machine Learning (ML) pipelines are often insufficient because they struggle to adapt to concept drift issues, emerging attacks, and real-time operational requirements. We analyzed cybersecurity vulnerabilities, challenges of conventional ML approaches, and the possibilities of AI-powered, adaptive security measures. This paper examines Online AutoML and its advantages, including automated adaptation to streaming data, reduced human intervention, and privacy-preserving, resource-aware learning. Furthermore, this paper discusses adversarial attacks and defences in Online AutoML systems, highlighting the need for frameworks that jointly address concept drift, scalability, privacy, and adversarial threats. Finally, this study emphasizes the importance of establishing comprehensive public benchmarks for Online AutoML research. Full article

The security of Controller Area Network (CAN) systems is critical for modern automotive safety, as their lack of built-in security mechanisms makes them vulnerable to cyberattacks. In this work, we propose CAN-TEMPO, an unsupervised anomaly detection framework that explicitly models the multi-periodic structure of CAN traffic. The proposed approach leverages a Temporal Multi-Periodic Oscillation (TEMPO) block, which uses frequency-domain analysis to transform one-dimensional CAN sequences into multi-scale two-dimensional representations. This design enables the model to capture both intra-period correlations and inter-period temporal variations. We evaluate CAN-TEMPO on multiple public CAN intrusion detection benchmarks under diverse attack scenarios and generalization settings. Experimental results show that CAN-TEMPO consistently outperforms state-of-the-art methods in terms of AUC-ROC and F1-score, while maintaining lower false positive rates and improved robustness across different vehicles and attack types. These findings demonstrate that explicitly modeling periodic structures enables more reliable and generalizable anomaly detection in automotive networks. Full article

Cyber-physical systems (CPSs) based on the Internet of Things (IoT) form the backbone of modern smart infrastructures, including smart cities, healthcare monitoring, industrial automation, and intelligent transportation. However, connecting many resource-limited IoT devices makes them more vulnerable to cyber threats, particularly quantum attacks. This review comprehensively examines quantum-secure communication (QSC) frameworks for IoT-enabled CPS, focusing on Quantum Key Distribution (QKD), post-quantum cryptographic (PQC) algorithms, and hybrid quantum–classical security models suitable for constrained devices. A PRISMA-guided search of the Scopus and Google Scholar database was conducted in January 2026 using three keyword groups related to hybrid security, artificial intelligence, and cyber-physical systems. Based on the evaluation, 6008 publications have been identified between 2001 and 2026. The first-round screening was performed for 4948 articles, after excluding duplicates. During the screening stage, 348 articles were selected for abstract scrutiny, 115 records were excluded due to no direct focus on CPS/IoT applications, 52 studies were excluded because these papers relied on traditional security models, 25 studies were excluded due to insufficient relevance to the review objectives, and 15 additional non-English studies were removed. Following the screening stage, 141 studies were selected for full-text eligibility. Out of those, 86 studies were removed due to a lack of specific evaluation metrics or not being published in a peer-reviewed venue. Furthermore, the publications are classified as QKD-based secure CPS and QSC for industrial IoT, AI-Assisted Secure Communication for CPS Networks, and hybrid PQC-QKD models for CPS/IoT devices. This article investigates recent advancements in secure data transmission, verified protocols, and AI-driven anomaly detection customized to CPS/IoT environments. In addition, operational hurdles, interaction with open innovations, real-time deployment, and secure edge-cloud integration are highlighted. By analyzing recent developments and identifying research gaps, this review provides a structured roadmap for designing secure, scalable, and quantum-safe IoT-based CPS frameworks capable of withstanding next-generation cyber threats. This systematic review was performed and reported according to the PRISMA 2020 guidelines. Full article

Cyber-physical systems (CPSs) integrate physical processes and information components through communication networks and are therefore vulnerable to cyber attacks. Opacity is a security property that prevents an adversary from inferring sensitive information from observations, and it has been studied mainly for discrete-event systems. In this paper, we extend this concept to discrete-time piecewise affine (DT-PWA) systems, which constitute an important class of hybrid systems used to model CPSs. In conventional opacity analysis, the result is typically binary, i.e., a system is either opaque or not. For systems with continuous dynamics, however, such a binary characterization may be insufficient, and it is desirable to evaluate the degree of security. To address this issue, we introduce a notion of opacity that incorporates security levels. We first formulate opacity for DT-PWA systems and then derive a necessary and sufficient condition for opacity. Based on this condition, we present a verification method using polytope computations and discuss the interpretation of the proposed notion. Finally, a numerical example is provided to illustrate the effectiveness of the proposed method. Full article

The escalating frequency of extreme weather events poses severe threats to power system security, often resulting in catastrophic economic and societal consequences. As modern information and communication technologies (ICTs) integrate deeply with power grids, post-disaster communication failures and electrical faults become increasingly interdependent, complicating the restoration of distribution cyber–physical systems (CPSs). To bridge the gap where conventional Unmanned Aerial Vehicle (UAV)-enabled emergency communication ignores coordination with power system restoration, this paper proposes a coordinated recovery method featuring a two-stage UAV deployment strategy. First, a coupled cyber–physical model is established to characterize the cross-layer interaction mechanisms. On this basis, a bi-level optimization framework is developed: the upper level formulates a dynamic two-stage UAV deployment strategy to minimize the mobilization of resources, while the lower level executes network topology reconfiguration to maximize weighted load restoration, constrained by the recovered communication coverage. Simulation results on a modified IEEE 33-bus system demonstrate that the proposed method significantly enhances restoration efficiency. Compared with conventional schemes, the cumulative load loss rate is reduced by 15.75% and 2.42% across different scenarios; the two-stage UAV deployment method achieves a time reduction of 67.23%, 21.40% and 71.56%, validating the superior performance of the coordinated recovery strategy in disaster-stricken CPS. Full article

Industrial automation systems are increasingly cyber-physical, interconnected, and software-dependent, which expands both their operational capability and their cybersecurity exposure. This article reports a systematic literature review, conducted following the PRISMA 2020 guidelines, of cybersecurity requirements and certification standards in industrial automation, with emphasis on Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs), and Industry 4.0 contexts. From 3570 records identified across five academic databases, 75 studies were retained after duplicate removal, title and abstract screening, and full-text eligibility assessment. The included studies were analyzed along three dimensions: cybersecurity requirements, standards and certification, and application context. Quantitative synthesis shows that network segmentation, intrusion detection, secure communication, access control, lifecycle security, and safety–security coordination are the six most frequently emphasized requirement categories, and that ISA/IEC 62443, ISO/IEC 27001, NIST SP 800-82, and NERC-CIP are the four dominant certification frameworks. The review identifies four critical gaps between technical cybersecurity requirements and certification practice and proposes an integrated mapping framework linking requirement categories, standards, and application contexts. The findings indicate that effective industrial cybersecurity assurance depends on a layered compliance architecture rather than on dependence on any single framework. Full article

Critical infrastructures (CI) are essential to modern society, providing vital services such as energy, water, and transportation. However, these systems are increasingly targeted by sophisticated cyberattacks, exploiting vulnerabilities in both IT (Information Technology) and OT (Operational Technology) environments, posing significant risks to safety, economic stability, and national security. Despite advancements, current anomaly detection models for CI often cannot effectively integrate diverse data sources or provide detailed attack classifications. To address these challenges, we propose a novel Graph Convolutional Network (GCN) model integrated with Long Short-Term Memory (LSTM) layers for effective anomaly detection and attack classification in CI. The model leverages Cyber Threat Intelligence (CTI) and MITRE ATT&CK techniques, integrating network traffic and physical device data to enhance detection of sophisticated threats. Unlike approaches using binary classification, our model performs multiclass classification to recognize specific attack types, bridging the gap in understanding complex attack patterns within CI. By incorporating Indicators of Compromise (IoCs) from MISP (Malware Information Sharing Platform) with the SWAT (Secure Water Treatment) dataset, we developed a graph-based data structure where nodes represent entities like SCADA tags and IP addresses. The model processes this dynamic graph using convolutional layers for spatial feature extraction and LSTM layers for temporal dependencies. Results indicate a significant improvement over existing solutions, achieving a test accuracy of 99.04% and a macro F1-score of 0.9151. The integration of multiple data sources enhances the model’s capacity to handle evolving cyber threats, making it well-suited for protecting CI. Full article

Internet of Things (IoT), sensor-network, and cyber-physical system (CPS) software increasingly relies on large language models (LLMs) and autonomous agents for code generation, maintenance, and vulnerability repair. However, LLM-generated edge services, telemetry APIs, configuration handlers, and data-aggregation routines can introduce SQL injection, path traversal, command injection, hard-coded credentials, and unsafe device-control logic, which may compromise sensing data integrity and system safety. Existing approaches largely rely on static post hoc analysis and lack a unified modeling of the generation process, making it difficult to achieve a principled trade-off between functionality and security. To address this challenge, we propose SafeCodeRL, a framework that integrates multi-agent collaboration with constrained reinforcement learning for trustworthy LLM-generated IoT/CPS software. SafeCodeRL models code generation as a security-aware sequential decision process, where Planner, Code, Security, Test, and Critic agents jointly optimize task decomposition, code synthesis, vulnerability auditing, and sandbox-based validation. We design a constraint-aware policy based on Proximal Policy Optimization, augmented with a Lagrangian mechanism and a shielding strategy to explicitly enforce security constraints. Experiments on real-world engineering and security benchmarks, including SWE-bench, SecurityEval, and CyberSecEval, show that SafeCodeRL reduces high-risk vulnerabilities by over 60% while maintaining high functional correctness. A scenario-level IoT/CPS case study further demonstrates that SafeCodeRL substantially improves secure pass rates for sensor telemetry, edge gateway, configuration-management, and data-aggregation tasks, providing a practical path toward trustworthy AI-assisted software development for sensor-driven systems. Full article

The convergence of the Internet of Things (IoT), edge computing, and artificial intelligence (AI) is reshaping cyber defense in distributed cyber–physical environments. IoT-edge systems expose heterogeneous, resource-constrained, and intermittently connected devices to threats that unfold close to sensing and control processes, making purely signature-based or rule-based defenses increasingly insufficient. This article presents a structured review of AI for cybersecurity in IoT-edge systems from a systems-oriented perspective. Rather than surveying AI for IoT security in general, it organizes the literature around four practical lenses: AI methods, datasets and benchmarks, evaluation practice, and deployment constraints. The review reconstructs a workspace-verifiable corpus of 96 references, emphasizes literature published between January 2023 and April 2026 while retaining foundational benchmark papers, and uses a conservative 26-paper empirical subset for paper-level gap coding. Because this subset was purposively sampled and the original retrieval logs were not preserved, coded counts are interpreted as recoverable reporting signals and comparability indicators rather than field-level prevalence estimates. The revised synthesis further stratifies the coded evidence by task, model family, dataset, application scenario, metric type, and deployment signal, and translates deployment feasibility into a minimum reporting checklist and edge-hardware decision matrix. Within this evidence boundary, recent work remains dominated by intrusion and anomaly detection, with continued use of traditional machine learning, deep learning, federated learning, explainable AI, and graph-based approaches. However, experimentation remains concentrated around a small set of public benchmarks, while latency, memory, energy, communication overhead, operational robustness, and reproducibility are reported inconsistently. The field is therefore constrained less by classifier novelty than by benchmark concentration, weak deployment reporting, limited response-and-mitigation analysis, undercoverage of authentication, access-control, and trust-management tasks, and limited reproducible edge-aware evaluation. Full article

Airport systems rely on tightly connected digital and physical components, so cyber disruptions can affect both service performance and passenger movement. Existing airport simulation studies often focus on either queue-based passenger processing or pedestrian movement but rarely combine both in a framework suited for cyber-resilience analysis. This paper presents a hybrid simulation framework that integrates discrete-event simulation (DES), JuPedSim-based microscopic pedestrian modeling, and structured large language model (LLM) decision support to examine how cyber disruptions propagate through passenger-facing airport operations. The DES layer models service processes such as check-in, information desks, and security screening, while the pedestrian layer models movement, congestion, route choice, and spatial occupancy. Under degraded display or guidance conditions, the LLM generates structured passenger-level post-security decisions, such as going directly to the gate, checking a display, asking staff, waiting, visiting optional activity areas, or first moving to a wrong intermediate area. The framework is evaluated through a 500-passenger terminal case study with one baseline case and four disruption cases. Results show that check-in and security degradation produce the largest throughput loss, queue growth, and completion-time increase, while guidance degradation mainly affects post-security behavior. Spatial heatmaps further show where bottlenecks emerge and how congestion shifts across the terminal. Additional Rotterdam checkpoint validation, Palma benchmark analysis, and LLM ablation results support the framework’s ability to reproduce plausible queue, timing, throughput, and behavior-sensitive disruption patterns. The study provides a practical methodology for exploratory airport cyber-resilience assessment under coupled service, movement, and degraded-guidance conditions. Full article

Critical infrastructures are increasingly Internet-connected cyber–physical systems whose recovery after cyber incidents must satisfy safety, timing, regulatory, and interdependency constraints. Yet, the use of large language models (LLMs) for generating recovery plans remains fragmented across cybersecurity, industrial control, digital twins, and AI assurance research. This review synthesizes that emerging field through a structured critical survey of studies on LLMs in incident response, OT/ICS resilience, and cyber–physical recovery, with a focused perspective on grounding, trust, and assurance mechanisms relevant to recovery-plan generation. It develops an architecture-centric taxonomy spanning prompt-only assistants, retrieval-augmented copilots, graph-aware planners, multi-agent systems, and hybrid verification/simulation pipelines; maps realistic applications across energy, water, manufacturing, transportation, healthcare, and telecommunications; and organizes limitations into technical, security, governance, and human-factor categories. Based on this synthesis, the paper proposes the Grounded Recovery Planning Stack as a reference architecture and outlines a staged roadmap from human-in-the-loop copilots to bounded orchestration. The main conclusion is that near-term value lies in grounded, auditable, compliance-aware copilots, whereas autonomous recovery execution remains premature without stronger validation, state-aware grounding, sector-specific benchmarks, and formal safeguards. Full article