key: cord-336599-r8xgnz87
authors: Yaacoub, Jean-Paul A.; Salman, Ola; Noura, Hassan N.; Kaaniche, Nesrine; Chehab, Ali; Malli, Mohamad
title: Cyber-Physical Systems Security: Limitations, Issues and Future Trends
date: 2020-07-08
journal: Microprocess Microsyst
DOI: 10.1016/j.micpro.2020.103201
sha: 
doc_id: 336599
cord_uid: r8xgnz87

Typically, Cyber-Physical Systems (CPS) involve various interconnected systems, which can monitor and manipulate real objects and processes. They are closely related to Internet of Things (IoT) systems, except that CPS focuses on the interaction between physical, networking and computation processes. Their integration with IoT led to a new CPS aspect, the Internet of Cyber-Physical Things (IoCPT). The fast and significant evolution of CPS affects various aspects in people’s way of life and enables a wider range of services and applications including e-Health, smart homes, e-Commerce, etc. However, interconnecting the cyber and physical worlds gives rise to new dangerous security challenges. Consequently, CPS security has attracted the attention of both researchers and industries. This paper surveys the main aspects of CPS and the corresponding applications, technologies, and standards. Moreover, CPS security vulnerabilities, threats and attacks are reviewed, while the key issues and challenges are identified. Additionally, the existing security measures are presented and analyzed while identifying their main limitations. Finally, several suggestions and recommendations are proposed benefiting from the lessons learned throughout this comprehensive review.

Cyber Physical Systems (CPS) are designated as essential components of the Industrial Internet of Things (IIoT), and they are supposed to play a key role in Industry v4.0. CPS enables smart applications and services to operate accurately and in real-time. They are based on the integration of cyber and physical systems, which exchange various types of data and sensitive information in a real-time manner [1] . The development of CPS is being carried out by researchers and manufacturers alike [2] . Given that CPS and Industry v4.0 offer a significant economic potential [3] , the German gross value will be boosted by a cumulative of 267 billion Euros by 2025 upon the introduction of CPS into Industry v4.0 [4] .

A CPS is identified as a network of embedded systems that interact with physical input and output. In other words, CPS consists of the combination of various interconnected systems with the ability to monitor and manipulate real IoTrelated objects and processes. CPS includes three main central components: sensors, aggregators and actuators. Moreover, CPS systems can sense the surrounding environment, with the ability to adapt and control the physical world [5] . This is mainly attributed to their flexibility and capability to change the run-time of system(s) process(es) through the use of realtime computing [6] . In fact, CPS systems are being used in multiple domains (see Fig. 1 ), and embedded in different systems such as power transmission systems, communication systems, agricultural/ecological systems, military systems [7] , [8] , and autonomous systems (drones, robotics, autonomous cars, etc.) [9] , [10] . That, in addition to medical care domains to enhance the medical services [11] . Moreover, CPS can be used in supply chain management to enable echo-friendly, transient, cost efficient, and safe manufacturing process.

Despite their numerous advantages, CPS systems are prone to various cyber and/or physical security threats, attacks and challenges. This is due to their heterogeneous nature, their reliance on private and sensitive data, and their large scale deployment. As such, intentional or accidental exposures of these systems can result into catastrophic effects, which makes it critical to put in place robust security measures. However, this could lead to unacceptable network overhead, especially in terms of latency. Also, zero-day vulnerabilities should be minimized with constant software, applications and operating system updates.

Recently, several research works addressed the different security aspects of CPS: the different CPS security goals were listed and discussed in [12] , [13] , [14] , [15] ; maintaining CPS security was presented in [16] ; CPS security challenges and issues were presented in [17] , [18] ; some of the security issues were reviewed, including big data security [19] , [20] , IoT storage issues [21] , and Operating System vulnerabilities [22] ; several security and privacy solutions using cryptographic algorithms and protocols were discussed in [23] , [24] . However, none of the existing works presented a comprehensive view of CPS security in terms of threats, vulnerabilities, and attacks based on the targeted domain (cyber, physical, or hybrid). Hence, this paper presents a detailed overview of the existing cyber, physical and hybrid attacks, and their security solutions including cryptographic and non-cryptographic ones.

• Cyber-Physical Attacks are presented in relation to the targeted cyber and/or physical system/device, and the corresponding vulnerabilities of each such domain.

• Risk Assessment: a qualitative risk assessment method is presented to evaluate the risk and exposure levels for each CPS system, while proposing suitable security countermeasures.

• Security Measures and their limitations are discussed and analyzed, including recent cryptographic and noncryptographic solutions.

• Forensics solutions are also presented and discussed about securely extracting evidence and thus, to improve forensics investigations.

• Lessons: various lessons are learnt throughout this survey including how to protect real-time data/information communication among resource-constrained CPS devices, and how to achieve protection of CPS security goals such as confidentiality, integrity, availability and authentication.

• Suggestions & Recommendations are presented about how to mitigate and overcome various cyber, physical and hybrid threats, vulnerabilities, attacks, challenges and issues for a safe CPS environment.

Aside from the introduction, this paper is divided into six main sections as follows. Section II presents some background about CPS including their layers, components, and models. Section III discusses and details the key CPS threats, attacks and vulnerabilities in addition to listing and describing several real-case CPS attacks, and the main persistent challenges and issues. Section V assesses and evaluates the risks associated with CPS security attacks, especially in a qualitative risk assessment manner. Section V presents and analyzes the main CPS security solutions including cryptographic, noncryptographic, and forensics ones. Section VI highlights the lessons learnt throughout this study. Section VII provides key suggestions and recommendations for a safe and secure CPS environment. Section VIII concludes the presented work.

In this section, we present the CPS architecture, its main layers and components, as well as the main CPS models.

The architecture of CPS systems consists of different layers and components, which rely on different communication protocols and technologies to communicate among each other across the different layers.

1) CPS Layers: The CPS architecture consists of three main layers, the perception layer, transmission layer, and application layer, which are presented and described in Fig. 2 . The analysis of the security issues at the various CPS layers is based on the work in [25] .

• Perception Layer: It is also known as either the recognition or the sensing layer [26] . It includes equipment such as sensors, actuators, aggregators, Radio-Frequency IDentification (RFID) tags, Global Positioning Systems (GPS) along with various other devices. These devices collect real-time data in order to monitor, track and interpret the physical world [27] . Examples of such collected data include electrical consumption, heat, location, chemistry, and biology, in addition to sound and light signals [28] , depending on the sensors' type [29] . These sensors generate real-time data within wide and local network domains, before being aggregated and analyzed by the application layer. Moreover, securing actuators depends on authorized sources to ensure that both feedback and control commands are error-free and protected [30] . Generally, increasing the security level requires an endto-end encryption scheme at each layer [31] . Therefore, heavyweight computations and large memory requirements would be introduced [32] . In this context, there is a need for the design of efficient and lightweight security protocols, which take into consideration the devices capabilities and the security requirements.

• Transmission Layer: It is also known as the transport layer or network layer, and it is the second CPS layer [29] . This layer interchanges and processes data between the perception and application layers. Data transmission and interaction is achieved through the Internet For this purpose, various protocols are used to address the increase in the number of internet-connected devices, such as the Internet Protocol version 6 (IPv6) [33] . This layer also ensures data routing and transmission using cloud computing platforms, routing devices, switching and internet Gateways, firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) [34] , [35] . Before outsourcing data contents, it is essential to secure their transmission to prevent intrusions and malicious attacks including malware, malicious code injection [36] , Denial of Service/Distributed Denial of Service (DoS/DDoS), eavesdropping, and unauthorised access attacks [37] . This introduces a challenge, especially for resource-constrained devices due to the imposed overhead in terms of the required processing and power resources [38] .

• Application Layer: It is the third and most interactive layer. It processes the received information from the data transmission layer and issues commands, which are executed by the physical units including sensors and actuators [39] . This is done by implementing complex decision-making algorithms based on the aggregated data [40] . Moreover, this layer receives and processes information from the perception layer before determining the rightly invoked automated actions [29] . In fact, cloud computing, middleware, and data mining algorithms are used to manage the data at this layer [41] . Protecting and preserving privacy requires protecting private data from being leaked. The most known protective approaches include anonymization, data masking (camouflage) [42] , [43] , privacy-preserving, and secret sharing [31] . Moreover, this layer also requires a strong multi-factor authentication process to prevent unauthorised access and escalation of privilege [44] . Due to the increase in the number of Internet-connected devices, the size of the generated data has become a significant issue [21] . Therefore, securing big data calls for efficient protection techniques to process huge amounts of data in a timely and efficient manner [45] . 2) CPS Components: CPS components are used for sensing information [5] , or for controlling signals (Fig. 3) . In this regard, CPS components are classified into two main categories: Sensing Components (SC) that collect and sense information, and Controlling Components (CC) that monitor and control signals.

• Sensing Components: are primarily located at the perception layer and consist of sensors that collect data/information and forward them to aggregators. Then, this data/information is sent to the actuators for further analysis to ensure accurate decision making. In the following, we list the main CPS sensing components.

-Sensors: collect and record real-world data following a correlation process named "calibration", to assess the correctness of the collected data [46] . Sensing data is essential since the decisions that will be made are based on the analysis of this data. -Aggregators: are primarily located at the transmission layer (i.e routers, switches and gateways) to process the received data/information from sensors, before issuing the corresponding decision(s). In fact, data aggregation is based on the collected information about a specific target, where this information is gathered and summarized following a statistical analysis. Online Analytical Processing (OLAP) is a prime data aggregation type used as an online reporting mechanism for processing information [46] .

-Actuators: are located at the application layer to make the information visible to the surrounding environment based on the decisions made by the aggregators. Since actuators highly depend on other network nodes, then each action performed by the CPS relies on an earlier data aggregation sequence [5] . Also in terms of operations, actuators process electrical signals as input and generate physical actions as output [46] .

• Controlling Components: are used to control Signals and they play a key role in signal control, monitoring and management to achieve higher levels of accuracy and protection against malicious attacks or accidents, mainly signal jamming, noise and interference. As a result, the reliance on Programmable Logic Controllers (PLCs) and Distributed Control System (DCSs) along with their components (i.e Programmable Automation Controller (PAC) [47] , Operational Technology/Information Tech-nology (OT/IT) [48] , Control Loop/Server [49] , and Human-Machine Interface (HMI)/Graphical User Interface (GUI) [50] ) has become highly essential. Next, we list the different types of control systems that are used in CPS systems:

• Programmable Logic Controllers (PLC): were initially developed to replace hard-wired relays, and are considered as industrial digital computers that control the manufacturing processes such as robotic devices performance and/or fault diagnosis processing; hence achieving better flexibility and resiliency.

• Distributed Control Systems (DCS): are computerized control systems that allow the autonomous controllers' distribution throughout the system using a central operator supervisory control. As a result of the remote monitoring and supervision process, the DCS's reliability is increased, whilst its installation cost is reduced. In some cases, DCS can be similar to Supervisory Control and Data Acquisition (SCADA) systems.

• Remote Terminal Units (RTU): or "Remote Telemetry Unit" [51] , are electronic devices controlled by a microprocessor such as the Master Terminal Unit (MTU) [52] . Unlike the PLC, they do not support any control loop nor control algorithm(s). Thus, making them more suitable for wireless communications over wider geographical telemetry areas. RTU's main task is to interface SCADA to the physical object(s) using a supervisory messaging system that controls these objects through the system's transmission of telemetry data.

In fact, both RTUs and PLCs use a small computerized "artificial brain" (Central Processing Unit (CPU)) to process inputs and outputs from sensing devices and pumping equip-ment [53] ; hence using IEDs (Intelligent Electronic Devices) to transmit data flow or trigger an alarm in case of any intrusion. TABLE I presents a comparison of the common points and differences between PLCs and RTUs. Concerning the relation between components and layers, it can be seen that sensing components are mainly deployed at the perception and transmission layers, while the controlling components are deployed at the application layer.

CPS models can be divided into three main types:

• Timed Actor CPS: This model focuses on the functional aspects based on behaviour and correctness, along with the non-functional aspects that are based on performance and timing. A theory was introduced in [54] with a functional and classical refinement that restricts certain behaviour set, improving efficiency while reducing complexity. The main focus is on the refinement based on the "earlier-the-better" principle since it offers the ability to identify deterministic abstractions of non-deterministic systems [55] . In fact, these time-deterministic models are less prone to state explosion problems, with the ability to derive analytical bounds easier [56] .

• Event-Based CPS: In such models, an event must be sensed and detected by the proper CPS components, before the actuation decisions are made. However, individual component timing constraints vary depending on the non-deterministic system delay, which is caused by the different CPS actions including sensing, actuating, communication and computing [57] . In [58] , Hu et al. stated that time constraints can be handled through the use of an event-based approach, which uses CPS events to ensure the system's communication, computation, and control processes. This allows the CPS to be more suitable and more useful for spatio-temporal information.

• Lattice-Based Event Model In [59] , the CPS events are represented according to the event type, along with the internal and external event attributes. If these events are combined, they can be used to define a spatio-temporal property of any given event, while also identifying all the components that were observing the event.

• Hybrid-Based CPS Model Hybrid CPS systems are heterogeneous systems that are made up of two distinct interactive system types, continuous state (physical dynamic systems) and discrete-state (discrete computing systems) [60] , [61] . Both development and evolution depend on the response of discrete transient events represented by finite state machines, and the the dynamic behaviour represented by differential/difference equation(s) [62] . Unlike other CPS models, hybrid CPS is interconnected via a network, which makes it prone to delays. Moreover, hybrid CPS systems do not support any hierarchical modeling, and are not suitable for modeling concurrent systems. Hence, hybrid systems modeling challenges caused by CPS were discussed by Benveniste et al. in [63] . In fact, CPS system network latency issues were addressed and solved by Kumar et al. using a real-time hybrid authentication method [64] , while a configurable real-time hybrid structural testing for CPS was presented by Tidwell et al. in [65] . Finally, an event driven monitoring of CPS based on hybrid automata was presented by Jianhui in [66] .

In a similar manner to most networking systems, security services were not incorporated into CPS systems by design, leaving the door open for various vulnerabilities and threats to be leveraged by attackers to launch security attacks. This is also due to the heterogeneous nature of CPS devices since they operate in different IoT domains and communicate using different technologies and protocols.

CPS security threats can be classified as cyber or physical threats, as explained below, and if combined, these can result into cyber-physical threats.

1) Cyber Threats: The main attention on Industrial IoT security was highly focused on cyber threats rather than physical threats for many reasons, as cited in [18] . This includes the electrical grid evolution into an Advanced Metering Infrastructure (AMI), which resulted into the rise of newly unknown cyber threats aside from SCADA vulnerabilities [67] , [68] , [69] . Electronic attacks are now easier to launch from any device, unlike physical attacks that require physical presence and physical tools. Moreover, the smart meter interfacing and interconnection with other meters in the Near-me Area Network (NAN) and Home Area Network (HAN) increase its exposure to various remote threats. Finally, electronic attacks are difficult to mitigate and overcome in the absence of the right prevention and defensive countermeasures. For further details on cyber threat intelligence, a brief survey of CPS security approaches was presented in [14] . For further information about cyber security threats, more details can be found in [70] , [71] .

Since cyber security is not limited to a single aspect, it can be considered from different perspectives, such as:

• Centring Information: which requires protecting the data flow during the storage phase, transmission phase, and even the processing phase.

• Oriented Function: which requires integrating the cyberphysical components in the overall CPS.

• Oriented Threat: which impacts data confidentiality, integrity, availability, and accountability [70] . The above issues make CPS systems prone to:

• Wireless Exploitation: It requires knowledge of the system's structure and thus, exploiting its wireless capabilities to gain remote access or control over a system or possibly disrupt the system's operations. This causes collision and/or loss of control [72] .

• Jamming: In this case, attackers usually aim at changing the device's state and the expected operations to cause Sold with PLC-like features  Digital computers designed for output arrangements and multiple inputs Electronic device controlled by a microprocessor  Automates electro-mechanical processes  Interfaces SCADA physical objects  Physical media with process, relays, motion control and networking  Uses supervisory system messages to control objects  Does support control loops and algorithms Does not support control loops and algorithms Immune to electrical noise, resistant to vibration Low to null immunity against electrical noise and vibration Suitable for local geographical areas Suitable for wider geographical telemetry areas Mainly IEC Standards Wired/Wireless Communications damage by launching waves of de-authentication or wireless jamming signals, which would result into denial of device and system services [73] .

• Reconnaissance: An example of such a threat is where intelligence agencies continuously perform operations targeting a nation's Computational Intelligence (CI) and Industrial Control System (ICS) mainly through a malware spread [74] . This results in violating data confidentiality due to the limitation of traditional defenses [75] , [76] .

• Remote Access: This is mainly done by trying to gain remote access to the CPS infrastructure, for example, causing disturbances, financial losses, blackouts, as well as industrial data theft and industrial espionage [77] . Moreover, Havex Trojans are among the most dangerous malware against ICSs, as they can be weaponized and used as part of cyber-warfare campaign management against a nation's CPS [78] .

• Disclosure of Information: Hackers can disclose any private/personal information through the interception of communication traffic using wireless hacking tools [16] , violating both privacy and confidentiality [79] .

• Unauthorised Access: Attackers try to gain an unauthorized access through either a logical or physical network breach and to retrieve important data, leading to a privacy breach [80] .

• Interception: Hackers can intercept private conversations through the exploitation of already existing or new vulnerabilities leading to another type of privacy and confidentiality breach [72] .

• GPS Exploitation: Hackers can track a device or even a car by exploiting (GPS) navigation systems, resulting in a location privacy violation [81] , [72] .

• Information Gathering: software manufacturers covertly gather files and audit logs stored on any given device in order to sell this huge amount of personal information for marketing and commercial purposes in an illegal manner.

2) Physical Threats: CPS systems are recently evolving into the industrial domain by introducing an Advanced Metering Infrastructure (AMI), and Neighbourhood Area Networks (NANs), along with data meter management systems to maintain the robustness of CPS in industrial domains [82] . In fact, physical threats might be classified according to the following three factors: are well protected. This is due to the fact that these stations are well-manned and well-guarded based on the implementation of access controls, authorisation and authentication mechanisms such as usernames and passwords, access cards, biometrics and video surveillance. However, the main concern is related to the less protected power-generating sub-stations since transmission lines are vulnerable to sabotage attacks and disruption. In fact, smart meters are also vulnerable to a number of threats as explained in [83] . To address this problem, smart meters must be tamper-resistant by relying on outage detection or even host-based intrusion detection. However, it is almost impossible to prevent physical tampering or theft by adversaries (such as Advanced Persistent Threats (APTs)), except that it is possible to mitigate the risk and reduce its impact.

• Loss: the most worrying scenario is having more than a single substation failure caused by a malicious attacker. In case of a severe damage in the smart grid, a total blackout of major metropolitan areas may occur for several hours [84] . A real-case scenario includes the cascading blackout that managed to hit the U.S. on August 14th, 2003 [85] , caused by the People Liberation Army (PLA), which is a Chinese politically-motivated group [86] .

• Repair: it can be based on a self-healing process [87] , which is based on the ability to either sense faults or disruptions, whilst isolating the problem and sending alerts to the corresponding control system to automatically reconfigure the back-up resources in order to continuously provide the necessary service. The aim is to ensure a fast recovery in as short of a time as possible. However, critical components do suffer from either a lack or a limited backup capability. Therefore, self-healing can respond faster to a severe damage.

Some of the threats associated with CPS systems include:

• Spoofing: it consists of masquerading the identity of a trusted entity by a malicious unknown source. In this case, attackers are capable of spoofing sensors, for example, by sending misleading and/or false measurements to the control center.

• Sabotage: Sabotage consists of intercepting the legal communication traffic and redirecting it to malicious third party or disrupting the communication process. For example, attackers can sabotage physically exposed CPS components across the power grid, to cause a service disruption or even denial of service that leads to either total or partial blackout.

• Service Disruption or Denial: Attackers are capable of physically tampering with any device to disrupt a service or to change the configuration. This has serious effects, especially in the case of medical applications.

• Tracking: Since devices are physically exposed, an attacker can gain access to a given device, and/or even attach a malicious device or track the legal ones. In the following, we present the main CPS vulnerabilities that can be targeted by the above-mentioned threats.

A vulnerability is identified as a security gap that can be exploited for industrial espionage purposes (reconnaissance or active attacks). Hence, a vulnerability assessment includes the identification and analysis of the available CPS weaknesses, while also identifying appropriate corrective and preventive actions to reduce, mitigate or even eliminate any vulnerability [88] .

In fact, CPS vulnerabilities are divided into three main categories:

• Network Vulnerabilities: include weaknesses of the protective security measures, in addition to compromising open wired/wireless communication and connections, including man-in-the-middle, eavesdropping, replay, sniffing, spoofing and communication-stack (network/transport/application layer) [89] , back-doors [90] , DoS/DDoS and packet manipulation attacks [91] .

• Platform Vulnerabilities: include hardware, software, configuration, and database vulnerabilities [36] .

• Management Vulnerabilities: include lack of security guidelines, procedures and policies. Vulnerabilities occur due to many reasons. However, there are three main causes of vulnerabilities:

• Assumption and Isolation: It is based on the "security by obscurity" trend in most CPS designs. Therefore, the focus here is to design a reliable and safe system, taking into consideration the implementation of necessary security services, without assuming that systems are isolated from the outside world. • Heterogeneity: CPS systems include heterogeneous third party components which are integrated to build CPS applications. This has resulted in CPS becoming a multivendor system, where each product is prone to different security problems [93] .

• USB Usage: this is a main cause of CPS vulnerabilities, such as the case of the Stuxnet attack that targeted Iranian power plants, since the malware is inside the USB. Upon plugging it, the malware spread across several devices through exploitation and replication.

• Bad Practice: is primarily related to a bad coding/weak skills that lead to the code to execute infinite loops, or to become too easy to be modified by a given attacker.

• Spying: CPS systems are also prone to spying/surveillance attacks, mainly by using spyware (malware) types that gain a stealthy access and remain undetected for years with the main task to eavesdrop, steal and gather sensitive/confidential data and information.

• Homogeneity: similar cyber-physical system types suffer from the same vulnerabilities, which once exploited, can affect all the devices within their vicinity, a prime example is the Stuxnet worm attack on Iranian nuclear power plants [94] .

• Suspicious Employees: can intentionally or inadvertently damage or harm CPS devices, by sabotaging and modifying the coding language, or granting remote access to hackers through the opening of closed ports or plugging in an infected USB/device. Thus, CPS vulnerabilities can be of three types, including cyber, physical, and when combined, they result into a cyberphysical threat.

1) Cyber Vulnerabilities: Since ICS heavily relies on open standard protocols including Inter-Control Center Communications Protocol (ICCP) [95] and Transmission Control Protocol/Internet Protocol (TCP/IP) [96] , ICS applications are prone to security attacks. In fact, ICCP suffers from a critical buffer overflow vulnerability [89] and also lacks the basic security measures [97] . In fact, the Remote Procedure Call (RPC) protocol [98] and ICSs are prone to various vulnerabilities including the Stuxnet (1 & 2) [99] , [100] , [101] and Duqu malware (1.0, 1.5 & 2.0) attack types [102] , [103] , [104] , Gauss malware [105] , [106] , [102] , and RED October malware [107] , [108] , as well as Shamoon Malware (1, 2 & 3) [109] , [110] , [111] , Mahdi malware [112] , [113] , [114] , and Slammer Worm [115] .

Open/Non-secure wired/wireless communications such as Ethernet are vulnerable to interception, sniffing, eavesdropping, wiretapping and wardialing and wardriving attacks [116] , [117] , [118] and meet-in-the-middle attacks [119] . Short-range wireless communications are also vulnerable, since they can be captured, analysed, damaged, deleted or even manipulated by insiders [120] . Moreover, employees' connected devices to ICS wireless network, if not secure, are prone to botnet, remote access Trojan and rootkit attacks, where their devices will be remotely controlled by an attacker [121] . Long-range wireless communications are vulnerable to eavesdropping, replay attacks, and unauthorized access attacks. Yet, SQL injection remains the most Web-related vulnerability since attackers can access any server database without authorization through the injection of a malicious code that keeps on running endlessly once executed without the user's knowledge [122] .

Since many medical devices heavily rely on wireless communications, they are prone to a large number of wireless attacks including jamming, modification and replay attacks due to the lack of encryption. Moreover, GPS and the device's microphone are now becoming a tracking tool, allowing the identification of the target's location, or intercepting the in-car conversations through eavesdropping [13] . By default, ICS relies on Modbus and DNP3 protocols to monitor and send control commands to sensors and actuators. In [16] , Humayed et al. stated that the Modbus protocol lacks basic security measures such as encryption, authentication and authorization. This has made it prone to eavesdropping, wiretapping, and port-scan [123] , with the risk of the controller being spoofed through false data injection [124] . The DNP3 protocol is also prone to the same vulnerabilities and attacks, with one main difference which is the integration of Cyclic Redundancy Check (CRC) as an integrity measure [125] . Moreover, Windows Server Services were vulnerable to remote code execution [99] , with more attacks being achieved through the exploitation of buffer overflow vulnerabilities in any running Operating System (OS). Moreover, power system infrastructure of smart grids is prone to the same vulnerabilities as ICS, Modbus and DNP3, since they are based on the same protocols. As a result, IEC 61850 protocol was introduced in substations' communications, which lack security properties and are prone to eavesdropping attacks. Therefore, leading to interference attacks [126] , or false information injection attacks [127] . In [128] , Santamarta et al. analysed the available documentation of smart meters, and located a "factory login" account used to perform basic configurations. This gives the user full control over a smart meter and leads to power disruption, wrong decision making and targeting neighbouring smart meters within the same network. In addition, many devices are prone to battery exhausting attacks [73] .

Gollakota et al. [129] and Halperin et al. [130] exploited the Implantable Cardioverter Defibrillator (ICD) wireless vulnerabilities through injection attacks. The authors also showed that Smart cars are vulnerable to various attack types. In [131] , Radcliffe, revealed another vulnerability with Continuous Glucose Monitoring (CGM) devices being vulnerable to replay attacks. The CGM device was spoofed with the injection of incorrect values. This is due to the fact that security considerations were not made when the smart cars were designed [132] . In fact, the Controller Area Network (CAN) protocol suffers from many vulnerabilities, which if exploited could result in attacks against smart cars. This will increase the likelihood of a DoS attack [133] . A Tire-Pressure Monitoring System (TPMS) is also vulnerable to eavesdropping and spoofing due to the lack of encryption [134] . In addition, Adaptive Cruise Control (ACC), which forms a part of the CAN network can be directly exploited [13] . In fact, a well-equipped attacker is able to interrupt ACC sensors' operations by adding noise or spoofing. Thus, controlling the car by either reducing, increasing its speed or even causing collisions.

2) Physical Vulnerabilities: Physical tampering may result into misleading data in cyber-physical components. In fact, physical attacks with cyber impact were studied in [135] . The physical exposure of ICS components is classified as a vulnerability due to the insufficient physical security provided to these components. Thus, making them prone to physical tampering, alteration, modification or even sabotage. CPS field devices (i.e smart grids, power grids, supply chains etc.) are prone to the same ICS vulnerabilities since a large number of physical components is exposed without physical security, making them prone to physical destruction. Therefore, in [136] , Mo et al. stressed on detection and prevention solutions. In [16] , Humayed et al. stated that medical devices are vulnerable to physical access along with the possibility of installing malware into them, or even modifying the device's configurations, risking the patient's health. Moreover, a physical access to any medical device is also a vulnerability since an attacker can retrieve the device's serial number to launch targeted attacks [131] .

As listed above, CPS systems suffer from various vulnerabilities making them prone to different types of attacks, which are discussed next.

In this section, we present the different types of attacks that target the different aspects of CPS systems, including cyber and physical ones:

1) Physical Attacks: Physical attacks were more active in past years, especially against industrial CPS systems [137] , [138] . Many of these attacks were already presented in [139] . Nonetheless, this paper presents a broader range of physical attack types:

• Infected Items: this includes infected CDs, USBs, devices and drives such as the case of the Stuxnet worm [140] , which upon their insertion into a cyberphysical device, a covert malware is installed containing a malicious software.

• Abuse of Privilege: this attack occurs when rogue or unsatisfied employees access the server rooms and installation areas within the CPS domain. This allows them to insert a rogue USB for infection through the installation of malicious malware/code or as keystroke, or to capture confidential data.

• Wire Cuts/Taps/Dialing: since communication lines including telephony and Wi-Fi of many cyber-physical headquarters (HQs) are still physically visible, attackers can cut the wires or wiretap into them to intercept the communicated data [117] .

• Fake Identity: this attack occurs when attackers masquerade themselves as legitimate employees, with enough experience to fool the others. They mainly act as cleaners to gain an easier access and better interaction with other employees. A prime example of that is Australia's Maroochy Water Breach in 2000 [141] .

• Stalkers: these are usually legal employees who act curious (with malicious intents) by being on the shoulder of CPS administrators and engineers to acquire their credentials to blackmail or sell them to other competing CPS organisations.

• CCTV Camera Interception: this includes intercepting the footage of Closed-circuit television cameras that are securing entry and key points within CPS areas. This can be done by distorting the signals of cameras, cutting off the communication wires, deleting the footage, gaining access to the remote control and monitoring area, etc., before performing a physical attack in an undetected manner.

• Key-Card Hijacking: this includes cloning legitimate cards that are stolen from employees, or creating lookalike genuine copies to gain full/partial access and to compromise the CPS domain.

• Physical Breach: this attack requires gaining an illegal physical access to the system, mainly through a physical breach such as the case of the Springfield Pumping Station in 2011 [142] , a backdoor such as the case of US Georgia Water Treatment Plant in 2013 [143] , or an exploited security gap such as the case of the Canadian Telvent Company in 2012 [144] . This allows an attacker to damage and shut-down network-connected manufacturing systems and CPS devices, resulting into loss of availability and productivity.

• Malicious Third Party Software Provider: the main purpose of this attack is to target the company's CPS by compromising the legitimate "Industrial Control Systems" software, such as the case of the Georgia Nuclear Power Plant Shutdown in 2008 [145] . This includes replacing legitimate files in their repositories with a malware that will be installed to offer remote access functionalities to control or compromise a given system.

• Abuse of Privilege: is mainly led by insiders or "whistleblowers" to perform or help perform a (cyber)-attack from within. Such high privilege grants them the ability to conduct these attacks by exposing valuable knowledge on CPS systems' vulnerabilities and weaknesses. This abuse of privilege can take many forms.

-Physical Tampering: including gaining unauthorised or masqueraded authorised access to restricted areas to damage CPS systems, devices, modify their operational mode, inject malicious data/information or steal confidential documents. -Unauthorised Activities: are based on performing suspicious tasks, such as opening/closing pumping stations, increasing/decreasing power voltage, opening closed ports, communicating with an external entity, network traffic redirection or information leakage.

• Social Engineering: can take many deceptive forms [91] such as reverse engineering (impersonating a techysavvy), baiting (selling malicious USBs or software), tailgating (following authorised personnel) or Quid Pro Quo (impersonating technical support teams), and is based on the art of manipulating people (either mentally or emotionally) to reveal confidential information by manipulating their emotions to gain their trust to reveal sensitive information related to a CPS, PLC or ICS system.

Recently, CPS systems became the new target of hackers for espionage, sabotage, warfare, terrorism, and service theft [146] , mainly as part of cyber-warfare [147] , cybercrimes [148] , [149] , (cyber)-terrorism [150] , [151] , [152] , (cyber)-sabotage [153] (such as cyber-attacks against Estonia in 2007 [154] , and Georgia in 2008 [155] ), or (cyber)espionage [156] , [157] . The lack of (cyber)-security revealed a serious issue with possibly drastic effects [12] , especially in countries like Lebanon [158] , [159] .

2) Cyber Attacks: In recent years, there was a rise in the rate of cyber-attacks targeting CPS and IoCPT with very devastating consequences. According to current studies carried out by [160] , [161] , CPS is highly prone to malicious code injection attacks [162] and code-reuse attacks [163] , along with fake data injection attacks [164] , zero-control data attacks [165] , and finally Control-Flow Attestation (C-FLAT) attacks [160] . Such attacks can result into a total blackout targeting CPS industrial devices and systems as presented in TABLE II.

• Eavesdropping: eavesdropping includes the interception of non-secure CPS network traffic to obtain sensitive information (passwords, usernames, or any other CPS information). Eavesdropping can take two main forms:passive by listening to CPS network message transmission, and active by probing, scanning or tampering the message by claiming to be a legitimate source.

• Cross-Site Scripting: or XSS occurs when third-party web resources are used to run malicious scripts in the targeted victim's web browser (mainly a targeted CPS engineer, contractor, workers, etc. ) by injecting malicious Coding Script into a website's database. XSS can achieve session hijacking, and in some cases, can log key strokes along and remotely accesses a victim's machine.

• SQL Injection: or SQLi targets CPS database-driven websites to read and/or modify sensitive data, along possibly executing administrative operations such as database shutdown, especially when CPS systems are still relying on SQL for data management [166] .

• Password Cracking: aim to target the authenticity of CPS users [167] , [168] (mainly engineers and managers) by trying to crack their passwords using bruteforce [169] , dictionary [170] (mitigated by using key exchange [171] ), rainbow table [172] , birthday (mitigated by hashing) [173] or online/offline password guessing attacks [174] to gain access to the password database, or to the incoming/outgoing network traffic. Therefore, it is important to prevent such escalation from taking place [175] , [176] .

• Phishing: has many types such as e-mail phishing, vishing, spear phishing or whaling that target some or all CPS users (such as engineers, specialists, businessmen, Chief Executive Officers (CEOs), Chief Operations Officers (COO), or/and Chief Financial Officers (CFO)), through impersonation of business colleagues or service providers.

• Replay: includes intercepting transmitted/received packets between ICSs, RTUs, and PLCs through impersonation to cause delays that affect CPS's real-time operations and affect their availability. In some cases, these intercepted packets can be modified, which would seriously hinder normal operations.

• DoS/DDoS: DoS attacks target the cyber-physical system resources and are launched from a large number of locally infected devices. DDoS attacks are usually exploited by Botnets, whereby a large number of infected devices simultaneously launch a DDoS attack from different geo-graphical locations. DoS attacks can take many forms (i.e blackhole [177] , teardrop [178] ), while DDoS can take the following forms (i.e ping-of-death [179] , smurf [180] and Black Energy series (BE-1, BE-2 and BE-3 [181] , [182] , [183] ), all targeting CPS systems.

-TCP SYN Flood: exploits the TCP handshake process by constantly sending requests without responding back to the server, causing the server to constantly allocate space awaiting a reply [184] . This leads to a buffer overflow and causes the cyberphysical system to crash.

• Malicious Third Party: includes software that covertly exploit data aggregation network and compromises them, mainly using botnets, Trojans or worms to infiltrate information through a CPS encrypted channel from an internal system (i.e PLC, ICS or RTU) through the reliance on Trusted Third Party in disguise, to a botnet Commandand-Control server. Thus, targeting CPSs [185] and AMIs [186] .

• Watering-hole Attack: The attacker scans for any cyberphysical security weakness. Once a weakness is identified, the chosen CPS website will be manipulated by a "watering hole", where a malware will delivered by exploiting the targeted CPS system mainly through backdoor, rootkits or zero-day exploit [187] .

• Malware: is used to compromise CPS devices in order to steal/leak data, harm devices or bypass access control systems. The malware can take many forms, however, the main forms that target CPS are briefly listed and presented in the following.

-Botnets: this includes exploiting CPS devices vulnerabilities to turn them into bots or zombies, mainly to conduct hardly-traceable DDoS attacks (i.e Ramnit (2015) [188] , Mirai (2016) [189] , Smominru botnet (2017) [188] , Mootbot (2020) [190] , Wild-Pressure and VictoryGate (2020).) -Trojan: is a disguised malware that seems legitimate and tricks users to download it. Upon download, the Trojan infects the device and offers a remote access to steal data credentials and monitor users activities. This also includes Remote Access Trojans which in turn, can be used to turn a device into a bot (i.e Turla (2008) [191] , MiniPanzer/MegaPanzer (2009) [192] , Gh0st RAT (2009) [193] , Shylock (2011) [194] , Coreflood (2011) [195] , DarkCornet (2012) [196] , MEMZ (2016) [197] , TinyBanker (2016) [198] and Banking.BR Android Botnet (2020)). -Virus: it can replicate and spread to other devices through human/non-human intervention. Viruses spread by attaching themselves to other executable codes and programs to harm CPS devices and steal information. -Worms: spread by exploiting operating system vulnerabilities to harm host networks by carrying payloads to steal, modify and delete data, or overload to web-servers (aside Stuxnet, Flame and Duqu, i.e aCode Red/Code Red II (2001) [199] , Nimda (2001) [200] , Triton (2017 [201] )). -Rootkit: is designed to remotely and covertly access or control a computer to execute files, access/steal information or modify system configurations (i.e Moonlight Maze (1999) [202] , and Blackhole exploit kit (2012) [203] ). -Polymorphic Malware: constantly and frequently changes its identifiable to evade being detected to become unrecognizable against any pattern-matching detection technique. -Spyware: is a malicious software covertly installed on a device without the user or authorization knowledge, for spying purposes (e.g surveillance, reconnaissance, or scanning). In fact, they can be used for future cyber-attack purposes (i.e ProjectSauron (2011) [204] , Dark Caracal (2012) [205] , Red October (2013) [107] , WarriorPride (2014) [206] , Fin-Fisher (2014) [207] , and COVID-19 spyware.) -Ransomware: is a malicious software that holds and encrypts CPS data as a ransom by exploiting CPS vulnerabilities, targeting oil refineries, power grids [208] , manufacturing facilities, medical centers and encrypting all data-backups until a ransom has been paid. A prime example of that is the Siskey (2016) (2019) and Ekans (2020) ransomware [211] , [212] , [213] , [214] .

• Side-Channel: is based on the information gained from the implemented CPS system such as timing information, power consumption and electromagnetic leaks that can be exploited.

For this reason, some of the most infamous cyber-attacks deserve being mentioned (TABLE II) . Moreover, for further details, you can refer to [139] . In fact, Do et al. presented a much more detailed attack description as early as 1980s in [142] . However, this paper aims to classify the occurrence of these attacks as early as 2000 and based on, but not limited to, political, religious, and criminal motives.

After reviewing the main CPS attacks, it is essential to assess their associated risks to design the convenient countermeasures. In the next section, the risks associated with the different CPS security attacks are evaluated.

Given the different threats, attacks and vulnerabilities that the CPS domain suffers from, it is important to highlight the main failures than CPs systems suffer from. These failures can either be minor (limited damage) or major (severe damage). In fact, further details can be found in [222] , where Avizienis et al. presented a well-defined and detailed explanation in this regards.

• Content Failure: means that the content of the delivered information is inaccurate, which would result into some functional system failure. Content failure can be ei- ther numerical or non-numerical (i.e alphabets, graphics, sounds or colours).

• Timing Failure: means that the timing of information delivery (transmission/receiving) is delayed or interrupted (received/transmitted too early or too late). This would affect the decision making process and may cause data management issues.

• Sensors Failure: means that the sensors are no longer functioning properly, and would seriously hinder the decision making process due to misinformation, or bringing a CPS system to a sudden halt. A similar case occurred in 2005, at Taum Sauk Hydroelectric Power Station [216] .

• Silent Failure: occurs when there is no message sent or received in a distributed system.

• Babbling Failure: occurs when the information is delivered, causing the system to malfunction and to operate in a babbling manner.

• Budget Failure: occurs when the cost of implementing a cyber-physical system outweighs the budget set, before ever reaching the testing level. This is mainly caused by poor planning.

• Schedule Failure: occurs when the schedule set for planning, testing and evaluating a given CPS is not achieved due to further upgrades, additional testing, or inadequacy for users needs.

• Service Failure: occurs when having an error propagates through the service interface and affects its decision making or/and normal performance ability. This failure can either cause a partial or full CPS system failure either temporarily or permanently.

• Consistent/Inconsistent Failures: a consistent failure occurs when a given service is identically perceived by all CPS users. An inconsistent failure takes place when all CPS users differently perceive an incorrect service (i.e bohrbugs, mandelbugs, heisenbugs and Byzantine failures) [223] .

Evaluating risks is essential to assess the risk's economic impact of an attack on any CPS system, before managing it. Such management is based on assessing and analysing the risk before mitigating it, then deploying the right security measures according to the level of severity and risk impact (see Fig. 4 ).

Risk Management is implemented in order to identify, analyse, rank, evaluate, plan and monitor any possible risk through risk assessment.

• Identifying Risks: identification is based on uncovering and recognising risks that can negatively affect a project/project outcome and describing it [224] .

• Analysing Risks: risks likelihood and consequence must be determined once they are identified, to understand the nature of a risk.

• Ranking Risks: risks rank is evaluated according to the risk magnitude, based on the combination of both risk likelihood and consequence in case it occurred.

• Evaluating Risks: based on their ranks, risks are either deemed as acceptable or require serious treatment and urgent attention.

• Planning Risks Response: highest ranked risks are assessed to treat, modify and mitigate them to once again achieve an acceptable risk level. Therefore, risk mitigation strategies are created, along with the deployment of preventive and contingency plans.

• Monitoring and Reviewing Risks: risks are constantly monitored, tracked and reviewed. In case of any suspicious activity, these risks are mitigated before any serious threat occurs.

Risk Assessment is implemented to minimize the impact of a given attack [225] . In fact, risks are evaluated based on calculating the average loss in each occurring event [226] . Additionally, several risk assessment methods, as well as various techniques to secure CPS were revealed in [25] . In fact, since most studies are focused on securing enterprise systems in order to assess risks, security became an emerging issue that imposes a serious risk on CPS [227] . As a result in [228] , [229] , Lu et al. presented an adequate risk assessment method. The main security focus was based on transferring it from risk assessment, to Computer Risk Assessment (CRA), to Network Risk Assessment (NRA) with a heavy reliance on the internet [230] . Asset Identification: is also important, since it is a resource value that can either be tangible, or intangible that impacts daily transactions and services [231] . In fact, CPS assets can be divided between cyber assets, physical assets, and cyber-physical assets. Finally, since asset quantization is estimated from both direct and indirect economic losses [232] , it is important to determine the Asset Value (AV).

Risk is assessed based on its possible impact on CPS systems. It is divided into three main types:

• High Impact: in case the risk has occurred, this can result in devastating and damaging effects on CPS systems. It is used to evaluate and mitigate persistent advanced threats [233] .

• Medium Impact: in case of its occurrence, the impact is less severe. However, it also imposes a serious threat against CPS. It is used to evaluate and mitigate advanced threats [234] .

• Low Impact: in case this risk has occurred, its impact is not severe, nor has damaging effects. As a result, its impact is very limited and can be easily mitigated. It is used to evaluate and mitigate basic threats [235] .

Risk mitigation requires the adaptation and implementation of a well-built management strategy in addition to cyber and physical security in order to counter-espionage, theft, or/and terrorist attacks. Such a mitigation model also requires, data security and protection, as well as anti-counterfeit and supply chain risk management [236] . These models should also be supported by both forensic and recovery plans. This can help in analyzing cyber-attacks whilst coordinating and cooperating with the responsible agencies to identify external cyber-attack vectors [237] . Therefore, preventive, detective, repressive and corrective logical security measures can be adopted. As a result, a qualitative risk assessment table is presented (see TABLE III 

The cost of security attacks can take many forms, and the main ones are highlighted as follows:

• Delays: CPS systems may be prone to service delays, which may affect their performance and render them inactive (blackout, burnout) until the issue is sorted either through maintenance or back up.

• Affected Performance: system delays due to a malicious (cyber-attack)/non-malicious (accident) event can gradually affect the CPS performance and cause it to operate in an abnormal manner which can seriously affect the decision making process. • Additional Spending: may be required to tackle the advanced persistent threat attempts and zero-day attacks, which require additional spending in terms of security protection in a defense-in-depth manner.

• Loss of Life: can be the result of flooding, radioactivity, fire or electric shock due to hazardous or intentional acts.

• Disclosure of Information: can affect CPS businesses and business trades and put the privacy of users at risk of having their personal information being exposed. Before proceeding any further, it is important to classify CPS components as critical, moderate and non-critical, to identify the risk of an event occurrence (malicious/hazard) along its impact to define the proper security measures (basic, standard or advanced), as seen in Fig. 5 .

While adopting all possible security measures might be costly in all terms (i.e. complexity, financial cost, delay, etc.), risk management is key for selecting the convenient security solutions. In the next section, the different security solutions proposed to defend the security issues are reviewed. While these security solutions aim at preventing, detecting or correcting system damage, the CPS forensics aim at knowing the system issues causes, which help in reducing and preventing future attacks. Thus, the main CPS forensics solutions are also reviewed.

Securing CPS is not a straightforward task. For this reason, various existing solutions are mentioned and discussed in this section. Already existing testing tools are also introduced. All of these schemes are presented to protect CPS domains against attacks that target the confidentiality, integrity, availability, authentication and privacy of both data and systems as seen in Fig. 6 .

According to National Institute of Standards and Technology (NIST) guidelines [243] , [244] , ensuring trust between IoT and CPS, should consist of various multi-factors. This is due to both IoT and CPS systems relying on safety, security, privacy, consistency, dependability, resiliency, reliability, interaction and coordination, all of which are combined to form a well-designed and trustworthy system. If this condition is satisfied, a perfect CPS mechanism is achieved. As a result, several CPS testing tools were used to evaluate the security of Industrial Control devices upon their development (see TABLE IV) . For further details, these tools are explained in [245] . Moreover, several security certifications are also discussed, reviewed, analysed and compared according to their different aspects [245] (see TABLE V) .

In the following, the main CPS security requirements are defined and discussed. • Privacy: In CPS, a huge data collection process is constantly taking place, and this is what most people are not aware of [256] , [257] . Therefore, a person has the right to access his own data, along with being given the right to know what type of data is being collected about them by data collectors, and to whom these data is being given or sold to. However, this also requires preventing the illegal/unauthorised access to the user's personal data and their information disclosure [258] , [259] .

• Dependability: Intelligent Physical World (IPW) ensures that the CPS adaptive behaviour is achieved to bring a higher dependability and ensure the right Quality of Service (QoS) through the adoption of fault-tolerance mechanisms in a timely manner. Dependability includes two other qualities, safety and reliability. Safety is often an objective defined in terms of the organisation's [243] . This is due to the negative impact of cybersecurity risks, where vulnerabilities can be compromised and exploited by a hacker, or due to CPS failure. Hence, safety is of a high concern for IoT, CPS and (Internet of Cyber-Physical Things) IoCPT users alike. While reliability is based on the ability to adapt to changing conditions to overcome and recover from any possible disruption either based on cyber or/and physical attacks led by adversaries, in addition to natural disasters [243] . Physical systems rely on timing and proper functionality. However, in case of any possible mismatch, unreliability and uncertainty can cause problems and disruptions for CPS services. Therefore, maintaining a high reliability requires reducing the uncertainty levels. In fact, it is also recommended to implement error-correction algorithms to sort electronic components imperfect reliability [260] . As a result, Rajamaki et al. in [260] stated that CPS behaviour can be predictable through the implementation and use of artificial intelligence or/and even Machine Learning (ML) schemes. This allows the prediction of the so called "next-time system state".

• Resiliency: CPS must be resilient to overcome accidents and malicious attacks. Therefore, CPS logical and physical systems are prone to cyber security vulnerabilities from a security aspect. This included the demonstration of Carshark software tools that control a car in [133] , along with the successful design of a virus in 2010 which attacked Siemens plant-control systems [261] , along with how hackers broke into the United States Federal Aviation Administration (US FAA) air traffic control system in 2009 [262] . Resiliency is achieved by each CPS component in a Base Architecture (BA) presented in [263] , where each communication and physical connection path between elements is granted access by the BA's connectors. This requires the BA system to know and identify every possible path, while overcoming any connection disruption. Moreover, in case the elements were inconsistent, a multi-view editor will be deployed to make corrections.

• Interaction and Coordination: are essential to maintain an all-time operational CPS security. In [58] , Hu et al. stated that CPS interaction and coordination between cyber and physical system elements are a key aspect. In fact, the main physical world characteristics are based on the constant system change over time. However, the cyber world characteristics are based on sequence series with no temporal semantics. Moreover, two basic approaches are presented to study and analyse this problem. These approaches are based on the "cyberizing" the physical (CtP) aspect through the introduction of cyber-properties and interfaces into physical systems, and "physicalizing" the cyber (PtC) where cyber-software components are to be represented in real-time [264] .

• Operational Security (OpSec): Operational Security (OpSec) was introduced in 1988 to ensure physical security, information security, and personnel security [265] through careful planning, risk assessment and risk management [266] . Its primary task is to ensure operational effectiveness by denying any adversary access to public/private information; hence controlling information and observable actions about a given cyber-physical system, especially in hostile environments/areas [265] . One of its key benefits is providing means to develop cost-effective security measures to overcome a given threat. To achieve this task, OPSEC involves five main steps:

-Critical Information Identification: includes identifying which information, if targeted, can effectively degrade a CPS's operational effectiveness or place its potential organizational success at risk, and develop an initial plan to protect it. -Threat Analysis: includes determining an adversary's potential and capabilities to gather, process, analyze, and use the needed information. -Vulnerability Analysis: includes studying the weaknesses of a given cyber-physical system and the strengths of an adversary. Thus, building a possible view over how a potential adversary might exploit this security gap to perform a security breach. -Risk Assessment: risks are assessed based on the threat and vulnerability levels combined, depending on how high or how low these levels are. Risk assessment levels include evaluating the cost of implementing the right security measures by ensuring a trade-off between the effective cost and benefit balance. -Appropriate Application Countermeasures: once the trade-off is achieved in the earlier phase, the appropriate countermeasures are then developed to offer the best protection of CPS against these ongoing threats in terms of feasibility, cost, and effectiveness.

• System Hardening: System hardening can be used to defend a wider range of threats. Therefore, it is highly recommended to isolate critical applications that lack the proper security measures, from any OS that is not trusted in order to boost the IoCPT and CPT security. In [267] , Shepherd et al. analysed different trustcomputing technologies along with their applications in the CPS domain. According to [268] , such analysis included a Trusted Platform Module (TPM), Trusted Execution Environments (TEE), Secure Elements (SE), and Encrypted Execution Environment (E3), to increase the OS's integrity. Moreover, the authors' work in [269] has successfully achieved a higher security level in the presence of untrustworthy components. This allowed the improvement of CPS by enhancing system's integrity. However, if the Graph-based optimization was combined with parameters, it can provide a reasoning basis to ensure an overall system integrity [270] . Therefore, it is essential to set the right privileges (task-based, role-based, rulebased, etc..) and strong password complexity policies in order to enhance the security level. Moreover, this also includes getting rid of old unused accounts and open yet unused ports to reduce the exposure to remote wireless attacks. As a result, CPS nature must be considered before achieving any design. In [136] , Mo et al. presented a Cyber-Physical security by combining systems-theoretic with Cyber-Physical security controls.

The adoption of security measures has many benefits when it comes to protecting CPS components, layers and domains. However, despite these advantages, CPS systems are impacted by the application of these security measures, which can be summarized as follows:

• Reduced Performance: security measures can partially or fully affect the performance of a given CPS, in the absence of careful consideration for a balanced securityperformance trade-off. This can affect normal operations and requires more human interventions to manually assign services and domains.

• Higher Power Consumption: is a serious issue, especially for resource-constrained and battery-limited CPS end devices. A higher power consumption means a shorter lifespan and a higher cost to maintain their availability.

• Transmission Delays: transmitted/received data is prone to delays due to the additional encryption process that is being added to thwart passive/active eavesdropping and sniffing attacks. Despite the protective advantage that is offers, this is unacceptable in a real-time CPS systems.

• Higher Cost: higher security levels are associated with higher computational costs, which are not limited to the initial capital spending phase, but also include training, update, and operational phases.

• Compatibility Issues: some CPS systems are not compatible with the employed security measures and vice versa. This can be due to the software in-use, firmware, Operating System, etc.

• Operational Security Delays: upon the deployment of any security service, there is a training phase that precedes the full operational security mode, and during which the service is temporarily ineffective or basic and thus, prone to attacks.

Maintaining a secure CPS environment is not an easy task due to the constant increase of challenges, integration issues and limitation of the existing solutions including the lack of security, privacy and accuracy. Nonetheless, this can be mitigated through different means including cryptographic and non-cryptographic solutions as seen in Fig. 7 . • Safety Critical: in such a CPS type, an attack can lead to loss of life or to chronic deadly diseases, with significant damage to the environment such as fire, floods, radioactivity (e.g. Chernobyl in 1986 and Fukushima in 2011) incidents [271] , [272] .

• Mission Critical: for this type of CPS, an attack can result into a fatal/non-fatal, total/partial failure of a CPS to achieve its objectives [273] .

• Business Critical: in such a CPS type, an attack can result into huge financial and economic losses, damaged reputation and loss of CPS contractors and clients.

• Security Critical: for this type of CPS, an attack can result into a security breach of the cyber-physical system (security gap, exploitable vulnerability, rootkits, backdoors, etc.).

Cryptographic measures are mainly employed to secure the communication channel from active/passive attacks, along any unauthorized access and interception, especially in SCADA systems [274] . In fact, traditional cryptography approaches based on utilizing ciphers and hash function are not easily applied to CPS including IoCPT due to power and size constraints. As a result, the main focus should be limited to data security alone, instead it should maintain and ensure the efficiency of the overall system process along. Therefore, various solutions were presented. In [23] Kocabas et al. conducted their own survey which was dedicated to conventional and emerging encryption schemes which could be employed to offer secure data storage and sharing. In [24] , Lai et al. reviewed and discussed prominent cryptographic authentication and encryption methods [275] to secure Distributed Energy Resources (DER) systems, while providing recommendations on applying cryptography to DER systems. In [276] , Ding et al. presented an overview of recent advances on security control and attack detection of industrial CPS, especially against denial-of-service, replay, and deception attacks. In [15] , Sklavos et al. presented a tutorial that discusses the implementation efficiency of communications confidentiality, user authentication, data integrity and services availability, along attacks and modern threats with their countermeasures.

Many solutions were presented to maintain a secure CPS environment by fulfilling its main security goals. In [277] , Adam et. al. presented a novel framework to understand cyber-attacks and CPS risks. Their framework offers a novel approach to ensure a comprehensive study of CPS attack elements, including the attacker and his objectives, cyber exploitation, control-theoretic and physical system properties. In [232] , Stouffer et al. provided a comprehensive ICS security guideline that is related to technical controls including Intrusion Detection Systems (IDS), Access Controls (AC), firewalls, and operational controls including training, awareness and personnel security. In [97] , security experts were able to gain the employees' credentials due to their lack of awareness and training, using phishing and social engineering techniques through a simulated attack. In [34] , Sommestad et al. conducted a keyword mining comparison, and concluded that the main focus was either on operational controls, or technical controls only. In [278] , Sharma et al. presented a novel multi-level Network Security Evaluation Scheme (NSES) that represent five different levels of security. Therefore, providing a holistic view over whether NSES is suitable for Wireless Sensor Networks (WSN) security for IoT/CPS/IoCPT applications. NSES offers recommendation for network administrators on early design phases to achieve the right security needs. As a result, this paper classifies these solutions in terms of them fulfilling one of the following security goals:

• Confidentiality: securing CPS communication lines is essential. As a result, various cryptographic solutions were presented. In [279] , the authors presented a solution based on the use of compression techniques before being encrypted. Their solution reduces the overhead and mitigates the problem. Since, lightweight cryptography became the centre of attention with various lightweight block ciphers being presented by different authors, including an ultra-lightweight block cipher by Bogdanov et al. [280] and a low-latency block cipher for pervasive computing applications [281] . This was due to their lowcost and low-latency with the ability to provide cryptographic blocks for any resource constrained, normal, industrial, or even medical devices. In [282] , Shahzad, et al. suggested the installation of encryption-decryption modules at both ends of non-secure Modbus communication to protect its connection from confidentiality attacks. Thus, requiring an additional overhead to convert plaintexts into ciphertexts and vice versa. In [283] , The American Gas Association (AGA) presented its AGA-12 standard to provide "bump-in-the-wire" encryption services for CPS, but at the expense of large latency overheard [284] . In [ [296] . SSU is complementary to the existing SIEM architectures, and it can transparently intercept its communication control channels along with its physical process Input/Output lines to constantly assess both security and operational status of PLC or RTU. Another approach was also presented in [297] , by Asem et. al to overcome MITM, replay and command modification attacks by providing an encryption level for the transferred packets, along with the use of hardware cipher models. In [298] , Cao et al. presented a layered approach with the aim of protecting sensitive data. Their techniques relied on hash chains that provide a layered protection for both high and low security levels zones along with a lightweight key management mechanism. Thus, preventing attackers from intercepting data from a higher security level zone. Therefore, ICS applications vendors should work on releasing compatible versions of their applications to ensure that the ICS operators will not resort to older versions of vulnerable OS [22] . Their presented approach revealed the ineffectiveness of interception, injection and denial of service attacks, along with the ability of their OpenPLC project to overcome man-in-the-middle attacks through data encryption, without interfering with its own real-time characteristics.

• Authentication: authentication is the first line of defense that should be well-built, designed and maintained [302] , [303] , [259] , [304] . As a result, in [130] , Halperin et al. presented a public key-exchange authentication mechanism to prevent unauthorized parties from gaining access. Their mechanism relies on external radio frequency rather than batteries as an energy source. In fact, out-ofband authentication were deployed in certain wearable devices, where the authentication mechanism uses additional channels including audio and visual channels [73] .

On the other hand, Medical CPS (MCPS) biometrics, including mainly heart rates and blood pressure [305] , can possibly be used to generate a key to encrypt and secure the body sensor network communication [73] . In [ • Privacy Preserving Preserving the privacy of users' big data is not an easy task. As a result, various privacy preserving techniques were presented to solve this issue including differential privacy and homomorphic encryption.

-Differential Privacy: limits the disclosure of private real-time big-data and information during its transmission. in [311] , Keshk et al. studied the feature reduction role along privacy protection levels using Independent Component Analysis (ICA) as a technique on big power CPS data. Results revealed that ICA is more secure without breaching confidential data and offers a better privacy preservation and data utility. In [312] , J. Feng et al. presented a lightweight privacy-preserving high-order Bi-Lanczos scheme in integrated edge-fog-cloud architectural paradigm for big data processing. User's privacy is achieved using an homomorphic cryptosystem, while computation overheads are offloaded using privacy-preserving tensor protocols. In [313] , Ye et al. presented a secure and efficient outsourcing Differential Privacy (DP) scheme to solve data providers issues related to being vulnerable to privacy attacks. In [314] , Zhang et al. presented a practical lightweight identity-based proxy-oriented outsourcing with public auditing scheme in cloudbased MCPS, by using elliptic curve cryptography to achieve storage correctness guarantee and proxyoriented privacy-preserving property. -Homomorphic Encryption: for a better data confidentiality and privacy protection, homomorphic encryption techniques were adopted. In [315] , Zhang et al. presented a Secure Estimation based on Kalman Filtering (SEKF) using a multiplicative homomorphic encryption scheme with a modified decryption algorithm to reduce network overhead and enhance the confidentiality of the communicated data.

In [316] , Kim et al. a fully homomorphic encryption (FHE) as an advanced cryptographic scheme to directly enable arithmetic operations on the encrypted variables without decryption. Moreover, a tree-based computation of sequential matrix multiplication is introduced to slow down the decrease of the lifespan. In [317] , Min et al. presented a parallel fully homomorphic encryption algorithm that supports floatingpoint numbers to achieve an efficient ciphertext operation without decryption. Results revealed that the ability to limited application problems while meeting the efficient homomorphic encryption requirements in cloud computing environment.

Many noncryptographic solutions were also presented to mitigate and eliminate any possible cyber-attack or malicious event. This was done by implementing Intrusion Detection Systems (IDS), firewalls and honeypots. As a result, various solutions presented by various authors are mentioned and discussed.

Various IDS methodology types are available due to the availability of different network configurations [318] . Each IDS methodology is characterised by its own advantages and drawbacks when it comes to detection, configuration, cost, and their placement in the network.

In [268] , Almohri et al. stated that various research activities were implemented to detect attacks against the CPS. These attacks are split into two main models. Physics-Based model, which defines normal CPS operations in CPS through anomaly detection. Cyber-Based model which is used in order to recognize potential attacks as listed in [319] , [320] . In fact, existing approaches were mainly designed to detect specific attacks against specific applications, including Unmanned Aerial Vehicles (UAV) [321] , Industrial Control Processes [322] , and smart grids [323] . In [324] , Zimmer et al. exploited the possibility of a worst case execution time, through obtaining information using a static application analysis in order to detect malicious code injection attacks in CPS. In [325] , Mitchell et al. analysed a behaviour-rule specification-based technique to employ IDS mainly in Medical CPS. The authors also presented the transformation of behaviour rules in a state machine, which can detect any suspicious deviation initiated from any medical device behaviour specification.

-Intrusion Detection System Placement: IDS can be placed at the border router of any given IoT network, in one or many given hosts, or in every physical object to ensure the required detection of attacks. Simultaneously, IDS may be able to generate a communication overhead between the LLN (Low Power Lossy Networks) nodes and the border router due to the IDS ability to frequently query the network state. In fact in [326] , Zarpel at al. described three main IDS placement strategies (see Fig. 8 ): Fig. 8 : IDS Structure * Distributed IDS: D-IDSs are being employed in every physical LLN object, whilst being optimized in each resource-constrained node. Therefore, a lightweight distributed IDS was presented. In [327] , Oh et al. identified a lightweight algorithm matching the attack signatures, and the packet payloads, while suggesting other techniques that require less matching numbers to detect any possible attack. In [328] , Lee et al. suggested their own lightweight method that allows them to monitor a node's energy consumption by assigning nodes to monitor their neighbours in the distributed placement. These nodes are defined as "watchdogs". In [329] , Cervantes et al., presented a solution called "Intrusion detection of Sinkhole attacks on IPv6 over Low -Power Wireless Personal Area Networks (6LoWPAN) for IoT" (INTI), which combines their concepts of trust and reputation with the watchdogs nodes to mainly detect and mitigate sinkhole attacks. This included the node's role possibly changing every time a network is reconfigured or an attack event has occurred. * Centralized IDS: C-IDS is mainly deployed in centralized components. This allows all data to be gathered and transmitted by the LLN to the Internet across the border. Therefore, Centralised IDS can analyse all of the exchanged traffic between the LLN and the Internet. In fact, it is not enough to only detect attacks involving nodes within the LLN, since it is difficult to monitor each node during an occurring attack [330] . In [331] , Cho et al. presented their solution which is based on analysing all the packets that pass through the border router between physical and network domains. However, the main task is based on how to overcome a botnet attack. In [332] , [333] , Kasinathan et al. deployed a centralized placement that allows them to take into consideration the possibility of overcoming DoS attacks, where in case of a DoS attack, the IDS data transmission would not be affected. In [334] , Wallgren et al. employed their centralized approach which is placed in the border router to detect the attacks that target the physical domain. * Hybrid IDS: H-IDS utilizes both concepts of centralized and distributed placements, by combining their advantages and overcoming their drawbacks. The initial approach allows the network to be organised into clusters with the main node of each cluster being able to host an IDS instance before taking the responsibility for monitoring other neighbouring nodes. Therefore, Hybrid IDS placements can be designed in order to consume more resources than a distributed IDS placement. In [335] , Le et al. followed the same approach, through the use of a hybrid placement using a relatively small number of "watchdogs" nodes covering the network. This offered them the ability to sniff the communication of its surrounding neighbours in order to indicate whether a node was compromised or not. Therefore, reducing the communication overhead. In [336] , Le et al. also managed to organize the network into smaller clusters with a cluster head for each, using the same number of nodes. This allowed an IDS instance to be placed in each cluster head, with each cluster member reporting its own related information and other neighbours related information to the cluster head. In the second approach, IDS modules were placed in, both the border router and other network nodes with the presence of a central component. In [337] , Raza et al. presented their own IDS named as SVELTE, where the border router hosts are given the task of processing intensive IDS modules that are responsible for detecting any intrusion attempt by analysing the Routing Protocol Low-power and Lossy device's (RPL) network data. Based on Pongle et al.'s work [338] , network nodes were responsible for any detectable changes in their neighbourhood. Moreover, network nodes were also responsible for sending information about their surrounding neighbours to their centralized module which is deployed in the border router having the main assigned responsibility of storing and analysing data. Thus, making it easier to detect and intrusion while identifying attacks in their early stages.

In [339] , Thanigaivelan et al. presented an IDS, which allocates different responsibilities to the network nodes and also to the router's border. Thus, ensuring a cooperative combined work amongst them, with the IDS module monitoring neighbouring nodes, detecting any intrusion attempt, and sending notifications to the IDS modules.

-Intrusion Detection Methods: The four main IDS methods are signature-based, anomaly-based, behaviour-based and hybrid based. In fact in [326] , these methods were presented, while testing methods and techniques were classified into five main categories, depending on their detection mechanism . * Signature Based: Such a detection technique is very fast and easy to configure. However, it is only effective for detecting known threats. Thus, showing a high weakness against unknown threats mainly polymorphic malwares and crypting services. Despite its limited capability, Signature Based IDS is very accurate, and also very effective at detecting known threats, with an easy way to understand mechanism. However, this approach is ineffective against the detection of both new and variants of known attacks, due to their matching signature remaining unknown, and constantly updating its signature patches [340] , [341] . In [327] , Oh et al.'s aimed to reduce the computational cost by comparing attack signatures and packet payloads. In [342] , Liu et al. presented a signaturebased IDS that employs an "Artificial Immune System" (AIS) mechanism with detectors being modelled as immune cells with an ability to classify any datagram as malicious or non-malicious according to the matching signature. Such approach can evolve into the adaptation ability new conditions in new environments that are being monitored. In [332] , Kasinathan et al. integrated a signature-based IDS into the network framework, with the objective of being able to detect DoS Attacks against 6LoWPAN-based networks. This IDS was implemented through the adaptation of "Suricata4" used for 6LoWPAN networks, with the main objective of reducing the false alarm rate.

In [333] , Kasinathan et al. presented a signaturebased approach as an extension of their presented approach in [332] . * Behaviour Based: Behaviour Based can be classified as a set of rules and thresholds implemented to define the expected behaviour of the network's components including both nodes and protocols. This approach is capable of detecting any intrusion as soon as the network behaviour deviates from its original behaviour. Behaviour-based acts in the same way as the Anomaly-based detection with a slight difference from specification-based systems where a human expert is needed to manually define each specification rule. Thus, providing a lower false-positive rate than the anomaly based detection [343] , [344] . Therefore, there will be no need for any training phase, since they are implemented to operate instantly. However, such an approach is not fit for all scenarios, and may become time consuming and error prone. In [345] , Misra et al. presented their new approach to protect the IoT middleware from DDoS attacks, by triggering an alert whenever the request number exceeds the threshold line. In [335] , Le et al. presented a different specification-based approach, aimed at detecting RPL attacks [346] , by specifying the RPL behaviour through network monitoring operation and malicious action detection.

In [336] , Le et al.'s work was extended. Their experimentation resulted in a high true-positive rate, where false positive rates were low throughout their experimentation, whilst also causing an energy overhead compared to a typical RPL network as stated in [326] . In [347] , Amaral et al. presented a specification-based IDS that grants the network administrator the ability to create and maintain rules in order to detect any potential attack. Whenever the rule is violated, the IDS would right away send an alert to the Event Management System (EMS) that correlates these alerts for different available nodes in a given network. The success of Misra et al. [345] and Amaral et al. [347] approaches highly relied on the expertise of the network administrator, as well as his experience and skills combined. Therefore, in case of any wrong specifications, it will cause an excessively high false-positive rate and/or a high false-negative rate, leading to a possibly serious risk that threatens the network's security. * Anomaly Based: This type compares system's activities instantly with the ability to generate an alert whenever a deviation from normal behaviour is detected. However, such a detection method suffers from a high false positive rate [343] , [348] , [349] . In [331] , Cho et al. presented a botnet detection scheme using the anomaly-based method, by computing an average for each three metrics composing the normal behaviour profile. This was achieved before the system monitors the network's traffic and raises the alert whenever a metric violates the already defined computed averages. In [350] , Gupta et al. presented their own architecture for a wireless IDS, by applying the necessary Computational Intelligence algorithms which are used in order to a construct normal profile behaviour. Moreover, a distinct normal behaviour profile will be implemented for each different IP address being assigned. In [328] , Lee et al. suggested that energy consumption should be classified as parameter in order to be used in analyzing each node's behaviour. Thus, defining a regular energy consumption model for each mesh-under routing scheme and route-over routing scheme, where each node will monitor its own energy consumption. In case the node deviates, the IDS classifies the node as malicious and removes it.

In [351] , Summerville et al. successfully managed to develop a deep-packet anomaly detection approach aimed at reducing the run on resource constrained IoT devices, by using a bit-pattern matching technique which performs a feature selection. In their experimental evaluation, they used internet enabled devices against four main attack types (including SQLi, worms, etc..), and results have shown low false-positive rates. In [339] , Thanigaivelan et al. successfully introduced an IoT distributed internal anomaly detection system, that monitors the node's data rate and packet size. Moreover , in [338] Pongle and Chavan presented an IDS that is designed specifically in order to detect wormhole attacks in IoT devices, in addition to presenting three main algorithms to detect network anomalies. As a result, their experiment revealed that the system has achieved a true positive rate of 94% when tested against wormhole detection, whilst scoring an 87% when it came to detecting both, the attack, and the attacker launching it. In [352] , K. Demertzis et al. presented an advanced Spiking One-Class Anomaly Detection Framework (SOCCADF) based on the evolving Spiking Neural Network algorithm. This algorithm implements a One-class classification methodology in an innovative applicable way, due to it being exclusively trained with data to characterise normal ICS operations. Moreover, this algorithm can detect any divergence in behaviours and abnormalities that are associated with APT attacks. The authors stated that SOCCADF is highly suitable for difficult problems, and applications with a huge amount of data. According to their results, the authors stated that SOCCADF has a better performance at a very fast learning speed, with higher accuracy, reliability, and efficiency, and it outperforms the other approaches. * Radio-Frequency Based: In [353] , Stone et al. presented a Radio-frequency based anomaly detection method for programmable logic controllers in the critical infrastructure [354] . Their experimental results have demonstrated that the use of a single collected waveform response provides sufficient separability to enable the differentiation between anomalous and normal operational conditions. However, in case of using multi-time domain waveform response, their performance significantly degrades. To solve this problem, the authors presented anomaly detection method based on RF fingerprint feature retrieved from the waveform amplitude, phase, and frequency response to ensure a qualitative differentiation between an anomalous and normal operating conditions. In [355] , Stone et al. also presented an RF-based methodology to detect anomalous programmable logic controller behaviours with a superior timedomain RF emissions performance. The Cincinnati Bell Any Distance (CBAD) approach reached a Threat Agent Detection and Response (TADR) detection rate higher than 90% benchmark realised at an Signal Power Ratio (SNR) higher or equal to 0 dB. Despite these results, this approach is prone to RF noise, signal degradation and coding loops. In [356] , Stephen et al. presented a timing-based side channel analysis technique to help control system operators in detecting any firmware and ladder logic programs modification to the programmable logic controllers. This approach allows a field device to be fingerprinted upon deployment to create an supplicate baseline fingerprint. Various fingerprints of the device are taken and compared to the baseline in order to detect and alert operators of both intentional and unintentional modifications in programmable logic controllers. * Hybrid Based: It is based on using a specification-based techniques of signature-based, and anomaly-based detection in order to maximize their advantage whilst minimizing their drawbacks. In [337] , Raza et al. presented a hybrid IDS known as SVELTE which offers the right trade-off between storage cost of signature-based methods, and computational cost of anomalybased methods. In [357] , Krimmling et al. tested their anomaly and signature-based IDS using the IDS evaluation framework that they presented. Their results revealed the failure of each approach in detecting certain attacks alone. As a result, the authors combined these approaches to cover and detect a wider attack range. In [329] 

It is not enough to encrypt, detect and protect against passive and active attacks. In fact, aside from identifying the source of the attack, it is also important to know how the attack was performed despite of the challenges [372] . Hence, there an urgent need for the forensics domain to enhance the forensics tools and techniques to retrieve and analyze logs of events that took place before, during and after the incident. In fact, CPS forensic analysis is still in its early stages of development, due to the ICS specialized nature along with its proprietary and poorly documented protocols [373] . In [374] , Awad et al. surveyed the digital forensics applied to SCADA systems and covered the challenges that surround them. Therefore, presenting the current state-of-the-art device and networkspecific tools. In [375] , Grispos et al. presented a forensicby-design framework that ensure the integration of forensics principles and concepts in MCPS. In [376] , H. Al-Khateeb et al. shed a light on a new approach where a Blockchainbased Chain-of-Custody may be simultaneously established to the generated preidentified data (data of interest) by an IoT device. In [377] , Chan et al. described a novel security block method for detecting memory variable changes that may affect the integrity of programmable logic controllers and efficiently and effectively enhancing security and forensics. This is done by by adding monitoring and logging mechanisms to PLCs. Therefore, ensuring faster anomaly detection with higher accuracy, less overhead and adjustable impact.

In [378] , Ahmadi et al. presented a federated Blockchain (BC) model that achieves forensic-readiness by establishing a digital Chain-of-Custody (CoC) and a CPS collaborative environment to qualify as Digital Witnesses (DW) to support post-incident investigations. In [379] , Parry et al. presented a high speed hardware-software network forensics tool that was specifically designed for capturing and replaying data traffic in SCADA systems. Experimental results guaranteed preserving the original packet ordering with improvement in data capture and replay capabilities. In [380] , Cebe et al. presented a blockchain infrastructure by integrating a Vehicular Public Key Infrastructure (VPKI) to achieve membership establishment and privacy along a fragmented ledger related to detailed vehicular data. Moreover, identities pseudonyms were used to preserve users' privacy. In [381] , P. Taveras presented a high level software application that detects critical situations like abnormal changes of sensor reads and traffic over the communication channel, mainly. Therefore, helping by improving critical infrastructure protection and providing appropriate SCADA forensics tools for incident response and forensics analysis. In [382] , Ahmed et. al. presented a testbed of three IPPs (Industrial Physical Processes) using real-world industrial equipment including PLC. The authors stated that their presented testbed is useful in cyber-security, education (SCADA systems) and forensics research including PLC analysis and programming. Moreover, their testbed includes fully functional physical processes which are deemed very essential for both research and pedagogical efforts.

In [383] , Yau and Chow presented a novel methodology which logs relevant memory address values, that are being used by programmable logic controller programs, in addition to their timestamps. This methodology can be extremely valuable in a forensic investigation in case of an ICS incident. This is realized by applying machine learning techniques to the logged data in order to identify any anomalous programmable logic controller operation. In [384] Saman et. al. combined symbolic execution with model checking to analyse any malicious PLC code bound injection. Their combined approach can also be used for forensic purposes including the identification of the areas where the code injection took place, along with which part of the code caused its execution. In [385] , McMinn et al. presented a firmware verification tool used for the forensics analysis of trials of the altered firmware codes to gain unauthorised access over ICS networks. Such verification is achieved either though the analysis of the PLC's captured data to check whether the PLC's firmware is modified or not. In [386] , Kleinmann et al. presented an accurate IDS that utilizes a deterministic finite automaton that models the network traffic with a 99.26% accuracy, after analysing and observing the highly periodic network traffic of Siemens S7 PLC. In [387] , Saranyan et al. provided a comprehensive forensic analysis of network traffic generated by the PCCC (Programmable Controller Communication Commands) protocol, and also presented prototype tool that extracts updates of the programmable logic and crucial configuration information.

Authors also stated that their proof-of-concept tool, "Cutter", which is capable of parsing the content of PCCC messages, extracts and presents digital artifacts in a human-readable form such as Simple Mail Transfer Protocol (SMTP) configuration. Moreover, the SMTP configuration can be retrieved from the network log and can be parsed, too.

In [377] , Chan et. al. presented a novel security block method that enhances ICS security and forensics by adding monitoring and logging mechanisms to PLCs, and ICS's key components. Their results demonstrated that their approach increased the anomaly detection range, speed and accuracy with a slight performance impact and a reduced network overhead. Thus, ensuring a more enhanced, efficient and effective forensic investigation procedure. In [388] , Yua et al. described the design and implementation of a novel PLC logging system. To overcome the inadequacy of information in forensics investigations, their logging system is used to extract data from Siemens S7 communications protocol traffic. This logging system also helps in recording the evidence based on the exchanged data between the PLC and other network devices. Thus, providing key information about the attack source, actions and timelines. The choice of Simatic S7 PLC is due to their widespread use [389] and successful exploitation by insidious Stuxnet malware. In [390] , Chan et al. focused on the logging mechanism of a Siemens PLC, including the Siemens Total Integrated Automation Portal V13 program (Siemens TIA Portal, known as Siemens Step-7). The author's methodology performs an effective and practical forensics analysis of the PLC. Moreover, it focuses on Siemens PLC along with an installed computer workstation with the Siemens TIA Portal (previously targeted by Stuxnet).

During the evaluation and analysis of the existing presented security solutions, several limitations can be deduced, presented and discussed as follows:

• Asymmetric Cryptography: introduces overhead in terms of latency and resources. The asymmetric nature of certain cryptographic work [285] , [292] leaves CPS's real-time communication prone to network latency and overhead due to delays in the encryption/decryption process.

• Weak Device/User Authentication Scheme: many of the presented authentication techniques [130] , [73] , [306] , [308] are not very suitable for a secure appliance, due to the lack of multi-factor authentication schemes to protect CPS systems from unauthorised users and access.

• CPS Forensics Field: are still prone to many challenges including the lack of tools, skills and responses against any potential anti-forensics activity [372] , [373] .

• Inefficient Honeypot & Deception System: despite of the recently proposed techniques in [366] , [368] , [370] , [371] , there are no appropriate honeypot techniques that can be specifically adopted to protect CPS systems, especially in the wake of Industry v4.0.

• Lack of Firewall Protection: firewall solutions including [358] , [359] are not very applicable and suitable for employment into the CPS domain, nor they offer an effective protection. The best solution requires dynamic firewalls, as well as application and next generation firewall types.

• Inefficient Intrusion Detection Systems: despite the availability of various IDS types such as anomalybased [352] , behaviour-based [345] and signaturebased [333] , these are generally applied within IoT-based domains and not specifically designed to protect CPS systems.

To secure CPS, many lessons were learnt as how to maintain and achieve their required security goals. Among such lessons: 1) Maintaining Security Services: new lightweight cryptographic solutions are required to secure CPS and IoCPT in real-time operations but with minimum computational complexity. These cryptographic solutions can help ensure the following security services:

• Confidentiality: there is a need for a new class of lightweight block or stream cipher algorithms to secure CPS resource-constrained real-time communications. Recently, a new approach was presented, and it is based on the dynamic key-dependent cipher structure and it requires two or one iteration with few operations [391] , [392] , [393] , [394] . A set of these solutions can be applied at the physical layer [395] , [393] , [394] .

• Message/Device Integrity: this includes the protection of CPS data and devices' integrity from any physical/logical alteration(s). This can be done by ensuring that the Operating System, applications, and software are securely designed and without any flaws to prevent tampering, with strong cryptographic hash functions (SHA256, SHA384 and SHA512). In this end, a new lightweight hash function was presented in [396] and it requires a single round compared to the existing ones.

• Device/Data Availability: requires the need for computational resources along with verified backups, and a self-healing ability of CPS in such a way to recover immediately from availability attack types. Also, maintaining data availability is as necessary [397] , and this can be done by defining a multi-secure connection [398] - [403] . 2) Strong Device/user Authentication: An efficient device/user mutual multi-factor authentication scheme is necessary,along with enhancing verification and identification phases based on attribute access-control privileges (least-privilege) to ensure non-repudiation and stronger accountability. 3) Protecting Digital Evidences: this is highly important since most of the advanced attacks focus on eliminating any source of evidence that traces back to the attack source, such as the case of Shamoon, Duqu, Flame and Stuxnet malware types [404] , [109] , [75] . Furthermore, modern digital forensics solutions should define new countermeasures to preserve digital forensics logs. 4) Enhancing Security Policy: in many cases, CPS attacks occurred by insiders (by accident or on purpose). Accordingly, all employees must undergo a screening process before recruitment, and have their privileges suspended outside working hours and monitored their actions in the case of advanced tasks. This means that CPS security policy should be contain new rules to limit access and to reduce the potential damage. 5) Smart Cooperation with non-cryptographic solutions: Intrusion detection systems should be hybrid in all terms and should be coordinated in an efficient manner with firewalls and dynamic honeypot systems. 6) Enforcing Compliance: by respecting users' privacy through ensuring data access regulatory compliance that processes CPS's big data via clouds, especially when stored by utility providers (Trusted Third Party (TTP)) to prevent any data leakage and users privacy violations. Therefore, maintaining a suitable trade-off between users privacy and systems' security and performance, while also ensuring firmer accountability measures [405] , [406] . 7) Achieving Trade-Off: is essential for maintaining systems' availability, safety and security [407] , [408] . Therefore, such a trade-off must be achieved based on the combination of these three key requirements while taking into consideration available budget and cost requirements in terms of risk assessment:

• Availability & Safety: both features are linked together since issues related to the safety of a CPS system also affect its operational availability. To ensure this trade-off, verified back-ups of computational devices must always be considered in the planning phase, as a second line of defense to handle any sudden service/system disruption (power cuts, blackouts, pumping stoppage), or maintenance (updates, renovation, installation, etc. 

Different security measures could be adopted and enhanced to enhance the protection against various threats and attacks. These include:

• Prioritization & Classification: of critical CPS components and assets before assessing, managing and analysing risks to ensure the proper budget spending on the right choice of security measures (basic, standard or advanced) in accordance to their costs compared to the likelihood of the occurrence of a given incident and its impact.

• Careful Financial Planning & Management: must be conducted in terms of available budget and needed costs/resources to protect critical/non-critical CPS assets and components.

• Lightweight Dynamic Key Dependent Cryptographic Algorithms: These solutions can be used to to ensure several security services such as message confidentiality, integrity and authentication, which are mandatory during any secure CPS communications. This can be done by using new generation of cryptographic algorithms, which were presented in [392] , [409] , [410] . The advantage of these solutions that it can reach a good balance between security and performance level. The robustness against attacks were proved since a dynamic key is used per message (or a set of messages; depend of application constraints and requirements). Moreover, this dynamic key is used to produce a set of cryptographic primitives and update cryptographic primitives. This means different ciphertext can be obtained for the same plaintext since different cryptographic primitives are used. While, the effectiveness is validates since these algorithms require only one round iteration and uses simple operations in addition to avoid diffusion operation. The new generation of these cryptographic algorithms reduce the required latency, resources and computation overhead, which help CPS devices to preserve better their main functionalities.

• Defining Privileges: This should be considered as the most suitable access control policy, which assigns permissions and rights depending on the users' roles/tasks/attributes when it comes to accessing CPS, and removing these access rights upon completing the task or upon the employee's leave. This also includes the use of the least privilege policy. Therefore, the definition of privilege should be done based on Attribute Based Access Control (ABAC), where policies combined with attributes specify access authorizations. Note that ABAC makes access control decisions based on Boolean conditions of attribute values. It provides a high level of granularity, which is necessary to make CPS control access scheme more secure.

• Strong Entity Multi-Factor Authentication: Unfortunately, entity authentication schemes that are based on a single factor of authentication (you have, you know, you do or you are) are not resistant enough against authentication attacks, which are increasingly becoming more dangerous. The first line of defense in any system is the entity authentication scheme since any entity authentication attack can lead to confidentiality, integrity and/or availability attack. Recently, the concept of multi-factor authentication was applied by combining two or more factors: 1) "you are" which includes device fingerprint, user fingerprint, hand geometry, iris scan, retina scan, etc., and 2) "you have" which includes cryptographic keys to increase its robustness against authentication attacks such as the ones described in [411] , [412] . This mechanism should be an essential requirement in CPS systems, in addition to the use of the geographical location. The advantage of these solutions is their ability to reduce false positives, and to complicate the authentication attacks since several factors should be broken instead of one. Consequently, this limits the access only to authorised entities and personnel (devices/users).

• Strong Password & dynamic Hashing Process: Passwords are considered as the "you know" authentication factor. However, several attacks such as rainbow and hash table attacks can be applied. In order to prevent them from occurring, after a periodic interval, passwords must be re-hashed with a new dynamic Nonce for each user. Moreover, a secure cryptographic hash function should be used such as SHA-3 and SHA-2 (variant 512). This avoids birthday attacks and reduces rainbow/hash table attacks.

• Secure and Protected Audit: can be done by using an Audit manager system that collects and stores logs in a distributed system. A possible solution that can be applied in this context was presented recently in [413] . This limits any insider attempt against a cyber-physical system and it preserves the digital evidence of internal and external attacks to trace them back.

• Enhanced Non-Cryptographic Solutions: require the need for hybrid IDS/IPS systems or AI-based IDS/IPS (using Machine Learning algorithms), along with advanced firewalls (i.e Application and Next Generation Firewalls) [414] , and dynamic honeypots [415] to prevent any future security breach based on a vulnerability exploit. This can be done by employing lightweight IDS/IPS and especially the anomaly-based ones. In fact, one should select the anomaly detection algorithm according to the CPS device constraints, which can be statistical for limited ones or based on machine algorithm, such as random forest, for powerful CPS devices. On the other hand, signature-based techniques can be applied at the Gateway (GW) where all network traffic can be analyzed.

• Secure & Verified Backups: this is essential to maintain the CPS data availability and to avoid data destruction or alteration by ensuring robustness against DoS/DDoS and Ransowmare attacks, especially that such attacks may result in total blackouts as in the case of the US. This can be done by using lightweight data protection solutions such as the ones presented in [399] .

• Forensic Efforts: are essential to retrieve the traces of any occurring attack. Also, new solutions against antiforensic techniques should be introduced to preserve any digital evidence [413] . This is realized by recovering logs and monitoring network and system behaviour, which can successfully limit various reconnaissance attempts. However, the newly introduced forensics tools must be compatible with different CPS devices' software/hardware, especially resource constrained devices, and must also be resistant against anti-forensics attempts.

• Enhanced Incident Response: includes the ability to identify, alert and respond to a given incident. Moreover, incident recovery and incident investigation plans should be put in place to mitigate attacks. This provides protection against non-intentional technical and operational failures (power shortage, blackout) through backup plans, and from intentional failures (cyber-attacks), through CERT (Computer Emergency Response) [416] , CSIRT (Computer Security Incident Response) [417] , and IRCF (Incident Response And Computer Forensics) teams [418] , [419] . As such, CPS scientists and engineers must undergo further education and training to ensure an enhanced and efficient cyber, physical and computational environment with secure computing and communications.

• Real time Monitoring: running real-time systems using specialised forensics or non-forensics tools and methods is essential to prevent any cyber-physical system accidental or non-accidental failure. This enables constant checking and monitoring of CPS devices' behaviour and hence, the detection of any cyber-attack attempt in its early stages.

• Security Check: and employee screening must be done for each employee before and during the job to eliminate and contain any possible insider/whistle-blower attempt. Therefore, signing agreements [420] such as Non-Disclosure Agreement (NDA), Confidentiality Agreement (CA), Confidential Disclosure Agreement (CDA), Proprietary Information Agreement (PIA) or Secrecy Agreement (SA) is highly recommended. Such security checks are essential especially in critical areas such as nuclear power plants [421] .

• Periodic Employee Training: includes periodic awareness training of ICS and PLC employees on the best cyber-security practices based on their level and knowledge, with the ability to detect any suspicious behaviour or activity. Moreover, employees must be trained over various security threats and wrong practices such as avoiding the installation of any software update, how to counter social-engineering and phishing attempts, while also maintaining accountability in case of wrong doings.

• Periodic Pen Testing & Vulnerability Assessment: must be maintained in a periodic manner to enforce system auditing, detecting threats, and mitigating them in a real-time manner before they are discovered and exploited by an attacker under the zero-day exploit conditions.

• Periodic Risk Assessment: must also be enforced to study the likelihood and impact of a given risk against a critical/non-critical cyber-physical system based on a qualitative or/and quantitative risk assessment and a Cost-Benefit Analysis (CBA), to classify the risk based on acceptable/non-acceptable level and to mitigate it as early as possible.

• Up-to-Date Systems: cyber-physical systems must be kept up-to-date in terms of software, firmware and hardware through constant verified patches and updates [422] . Moreover, such systems must be secured at different levels of their implementations (layered protection), with the ability to mitigate and tackle a given attack to reduce its impact and prevent further escalation and damage. Furthermore, USB ports must be physically and logically removed to prevent any payload injection, and PLC systems behaviour and activities must be constantly monitored for any suspicious/abnormal behaviour [422] .

• AI Security Solutions: Artificial Intelligence is used in IDS/IPS anomaly detection schemes or in "you are" or "you do" entity authentication schemes. In fact, AI is now being considered as a game-changing solution against a variety of cyber-physical attacks targeting CPS systems, devices and communication points. Despite the time consuming process of training an AI system, the accuracy of detection and prevention are much higher than any human intervention. Recent advancements in machine learning, and especially in deep learning, can make CPS systems more secure, robust and resistant against cyber-physical attacks.

• Defense In-Depth: most of the existing solutions offer protection against a single attack aspect or a security requirement. Instead, there is need for a multi-purpose security solution that ensures the best protection at each operational layer (perception, transmission and application) of CPS. For example, the two most known international standards for functional safety in the automotive industry, the ISO 26262 [423] and IEC 61508/Edition2 [424] , [425] should be respected and applied. This ensures a safe CPS implementation based on the Functional safety, which includes the Safety Integrity Level (SIL) basics [426] which in turn, rely on the Probability of Failure on Demand (PoFoD) and the Risk Reduction Factor (RRF) to ensure a much more accurate and efficient Hazard and Risk Analysis (HRA) [426] , [424] , mainly in the Electronic Control Units (ECU) [427] , [428] ).

• CPS Security & Privacy Life-cycle: finally, to sum up this work, our paper presents a combined Operational and Functional Safety/Security (OFSS) life-cycle that ensures a successful and safe CPS employment as seen in Fig. 9 ). This framework is derived from ISO 26262 and IEC 61508/Edition2 protocols and their approach towards ensuring the CPS Functional safety/security. The framework consists of six main phases:

-Phase 1: Devising a plan to design a CPS system by following a well-defined time-table and schedule in accordance to the needed budget and corresponding costs. This also requires the assistance of humans (businessmen, engineers, workers, etc.) and nonhuman assets (vehicles, machines, etc.). -Phase 2: requires a careful risk and hazard analysis, which consists of a proper risk management and asset classification, as well as the mutual connection between the two to ensure an accurate decision-making over the adoption of the right security measures/counter-measures. -Phase 3: defines the right functional safety, security and dependability requirements along their key components/mechanisms that are essential to mitigate a risk/hazard and to reduce their likelihood and impact in case of their occurrence. -Phase 4: consists of evaluating the performance of CPS in terms of the recently introduced functional safety, security and dependability measures in an operational manner where a performance management and analysis will be conducted to ensure a proper/mutual security-performance, safetyperformance and dependability-performance tradeoffs. -Phase 5: once the performance is evaluated, the cyber-physical system is tested and validated to detect any remaining software/hardware bug, security gap, or performance issue to apply the required modifications before being commissioned. If the testing is unsuccessful, the process restarts again to find where the issue took place. If successful, the CPS will head towards further commissioning before being officially deployed. -Phase 6: upon successful testing, the deployed CPS system will undergo a trial phase to evaluate its operational status, while monitoring its behaviour and performance before becoming fully operational.

CPS systems are key components of Industry v4.0, and they are already transforming how humans interact with the physical environment by integrating it with the cyber world. The aim of implementing CPS systems, either within or outside IoT (IoCPT), is to enhance the products' quality and systems' availability and reliability. However, CPS systems suffer from various security and privacy issues that can degrade their reliability, safety, efficiency, and possibly hindering their wide deployment. In this paper, we first overview all components within CPS systems and their interconnections including IoT systems, and we focus on the main CPS security threats, vulnerabilities and attacks, as related to the components and communication protocols being used. Then, we discuss and analyze the recently available CPS security solutions, which can be categorized as cryptographic and non-cryptographic solutions. Next, we highlight the important lessons learnt throughout, and accordingly, we present suggestions and recommendations with respect to the various security aspects, services, and best practices that must be put in place to ensure resilient and secure CPS systems, while maintaining the required performance and quality of service.

ACKNOWLEDGEMENT This paper is supported with funds from the Maroun Semaan Faculty of Engineering and Architecture at the American University of Beirut. 

A cyber-physical systems architecture for industry 4.0-based manufacturing systems

Industry 4.0: A survey on technologies, applications and open research issues

Predictive manufacturing system-trends of next-generation production systems

Industry 4.0: Huge potential for value creation waiting to be tapped. Deutsche Bank Research

Cascading data corruption: About dependencies in cyber-physical systems: Poster

Ninth ieee international symposium on object and component-oriented real-time distributed computing

Autonomic computing technologies for cyber-physical systems

Smart monitoring of potato crop: a cyber-physical system architecture model in the field of precision agriculture

Industrial and medical cyber-physical systems: Tackling user requirements and challenges in robotics

Role of cyber security in drone technology

Securing internet of medical things systems: Limitations, issues and recommendations

Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II

A survey of remote automotive attack surfaces. black hat USA

A brief survey of security approaches for cyberphysical systems

Cryptography and security in internet of things (iots): Models, schemes, and implementations

Cyberphysical systems security-a survey

Challenges and research directions for heterogeneous cyber-physical system based on iec 61850: Vulnerabilities, security requirements, and security architecture. Future generation computer systems

Cyber-physical systems and their security issues

A survey of security and privacy in big data

A survey of security and privacy in big data

A survey on internet of things: Security and privacy issues

Survey of scada security challenges and potential attack vectors

Emerging security mechanisms for medical cyber physical systems

Cryptography considerations for distributed energy resource systems

Cyber physical systems security: Analysis, challenges and solutions

Internet of things (iot) security: Current status, challenges and prospective measures

Securing physical processes against cyber attacks in cyber-physical systems

A survey on the internet of things security

Future internet: the internet of things architecture, possible applications and key challenges

Identity-based key agreement and encryption for wireless sensor networks

Security of the internet of things: perspectives and challenges

Security of distributed, ubiquitous, and embedded computing platforms. Wiley Handbook of Science and Technology for Homeland Security

Research on the architecture of internet of things

Scada system cyber security-a comparison of standards

Scada-specific intrusion detection/prevention systems: a survey and taxonomy

Cyber security in power systems

Protecting industrial control systems from electronic threats

Expanding gate level information flow tracking for multilevel security

The design of ics testbed based on emulation, physical, and simulation (eps-ics testbed)

Cyber 32 security for cyber physcial systems: A trust-based approach

Security architecture on the trusting internet of things

Camouflage: automated anonymization of field data

Data masking system and method

Cyber-physical systems: A security perspective

Lightweight security solutions for the internet of things

Internet of things (iot): A vision, architectural elements, and future directions. Future generation computer systems

Time synchronization of automation controllers for power applications

An open and flexible cybersecurity training laboratory in it/ot infrastructures

Method and apparatus providing remote reprogramming of programmable logic devices using embedded jtag physical layer and protocol

Sustainable and flexible industrial human machine interfaces to support adaptable applications in the industry 4.0 paradigm

Automated remote telemetry paging system

Guide to supervisory control and data acquisition (SCADA) and industrial control systems security. National institute of standards and technology

Remote terminal industrial control communication system

The earlier the better: a theory of timed actor interfaces

Bundle: A group-based programming abstraction for cyber-physical systems

Context-sensitive synthesis of executable functional models of cyber-physical systems

Co-simulation framework for design of time-triggered cyber physical systems

Robust cyber-physical systems: concept, models, and implementation. Future generation computer systems

A concept lattice-based event model for cyber-physical systems

The algorithmic analysis of hybrid systems

Hybrid system modeling and autonomous control systems

Cyber-physical systems modeling based on extended hybrid automata

Hybrid systems modeling challenges caused by cyberphysical systems

Anuradha Annaswamy, Kai Lampka, and Lothar Thiele. A hybrid approach to cyberphysical systems verification

Towards configurable real-time hybrid structural testing: a cyber-physical system approach

Event driven monitoring of cyber-physical systems based on hybrid automata

Vulnerability assessment of cybersecurity for scada systems

SCADA systems and their vulnerabilities within the Smart Grid: Can they be defended from a cyber attack

Vulnerability analysis of network scanning on scada systems

In Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century

Smart grid security technology

Comprehensive experimental analyses of automotive attack surfaces

Sok: Security and privacy in implantable medical devices and body area networks

Leveraging information security and computational trust for cybersecurity

Deconstructing flame: the limitations of traditional defences

A survey scada of and critical infrastructure incidents

Security and privacy challenges in the smart grid

An evaluation of cyber threats to industrial control systems

Security and privacy for implantable medical devices

Challenges and research directions in medical cyber-physical systems

Automotive system security: challenges and state-of-the-art

Intelligent substation automation systems for robust operation of smart grids

IEEE Innovative Smart Grid Technologies-Asia (ISGT ASIA)

Petri net modeling of cyber-physical attacks on smart grid

Securing the electricity grid. The Bridge

blackout in the united states and canada: Causes and recommendations, us-canada power system outage task force

Cyberwar: Taking stock of security and warfare in the digital age

Realizing the smart grid imperative

Risk management and critical infrastructure protection: Assessing, integrating, and managing threats, vulnerabilities and consequences

A taxonomy of cyber attacks on scada systems

Backdoors and holes in network perimeters

Cyber security of water scada systems-part i: Analysis and experimentation of stealthy deception attacks

The myths and facts behind cyber security risks for industrial control systems

In quest of benchmarking security risks to cyber-physical systems

Cyber attack: A dull tool to shape foreign policy

Smart grid technologies: Communication technologies and standards

Transmission control protocol/internet protocol (tcp/ip) packet-centric wireless point to multi-point (ptmp) transmission system architecture

Scada security in the light of cyber-warfare

Rpc: Remote procedure call protocol specification version 2

Reliability of exploits and consequences for decision support

Stuxnet worm impact on industrial cyberphysical system security

Lessons from stuxnet

The cousins of stuxnet: Duqu, flame, and gauss

Duqu 2.0: A comparison to duqu

Duqu: A stuxnet-like malware found in the wild

Gauss malware: Nation-state cyber-espionage banking trojan related to flame, stuxnet

Stuxnet-risk & uncertainty in the first salvo of global cyber warfare. The SAIS

Red october and its reincarnation

Analysis and triage of advanced hacking groups targeting western countries critical national infrastructure: Apt28, red october, and regin

The middle east under malware attack dissecting cyber weapons

Saudi arabia's response to cyber conflict: A case study of the shamoon malware incident

Cybercrime and Analysis of Laws in Kingdom of Saudi Arabia

World war c: Understanding nation-state motives behind today's advanced cyber attacks

The role of malware in reported cyber espionage: a review of the impact and mechanism

The Trajectory of Iran's Nuclear Program

Inside the slammer worm

An ontology for network security attacks

Cyberattacks on scada systems

War, peace, or stalemate: Wargames, wardialing, wardriving, and the emerging market for hacker ethics

A meet-in-the-middle attack on 8-round aes

Integrating physical and cyber security resources to detect wireless threats to critical infrastructure

Wireless vulnerability of scada systems

Scada security: A new concerning issue of an inhouse egat-scada

An experimental investigation of malware attacks on scada systems

Rose Tsang. Cyberthreats, vulnerabilities and attacks on scada networks

Attack taxonomies for the modbus protocols

Evaluating electricity theft detectors in smart grid networks

Cyber security in the smart grid: Survey and challenges

Here be backdoors: A journey into the secrets of industrial firmware

They can hear your heartbeats: non-invasive security for implantable medical devices

Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses

Hacking medical devices for fun and insulin: Breaking the human scada system

Securing vehicles against cyber attacks

Experimental security analysis of a modern automobile

Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study

Cyber/physical security vulnerability assessment integration

Cyber-physical security of a smart grid infrastructure

Cyber-physical attacks and defences in the smart grid: a survey

Secure estimation and control for cyber-physical systems under adversarial attacks

Cyber-security incidents: a review cases in cyber-physical systems

Stuxnet malware and natanz: Update of isis december 22

Lessons learned from the maroochy water breach

Security of scada systems against cyber-physical attacks. IEEE Aerospace and Electronic Systems Magazine

Fbi probes georgia water plant break-in on terror concern

Telvent hit by sophisticated cyber-attack, scada admin tool compromised

Cyber incident blamed for nuclear power plant shutdown

Securing the smart grid: next generation power grid security

Cyber-physical systems: An overview of design process, applications, and security

Cyber threats impacting critical infrastructures

Weapons against cyber-physical targets

Risk of terrorism to cyber-physical and organizational-societal infrastructures

Future of all technologies-the cloud and cyber physical systems

Cybercrime and risks for cyber physical systems: A review

An exceptional war that ended in victory for estonia or an ordinary e-disturbance? estonian narratives of the cyber-attacks in 2007. The Institute Ecole Supérieure en Informatique Electronique et Automatique

Cyber attacks on estonia: Short synopsis. Double Shot Security

Russian operational art in the russo-georgian war of

Malware classification for cyber physical system (cps) based on phylogenetics

Cybercrime and risks for cyber physical systems 2019

Does Lebanon possess the capabilities to defend itself from cyber-theats? Learning from Estonia's experience.(c2019)

Cyber warfare awareness in lebanon: Exploratory research

C-flat: control-flow attestation for embedded systems software

Towards automated dynamic analysis for linux-based embedded firmware

Code injection attacks on harvard-architecture devices

Return-oriented programming: Systems, languages, and applications

Targeted attacks on teleoperated surgical robots: Dynamic model-based detection and mitigation

Data-oriented programming: On the expressiveness of non-control data attacks

Data management issues in cyber-physical systems

Cyber-physical attacks: A growing invisible threat

Privilege escalation attacks on android

A study of passwords and methods used in brute-force ssh attacks

Fast dictionary attacks on passwords using time-space tradeoff

Extended password key exchange protocols immune to dictionary attack

Ioannis Papaefstathiou, and Charalampos Manifavas. Fast, fpga-based rainbow table creation for attacking encrypted mobile communications

Hash function balance and its impact on birthday attacks

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms

Preventing privilege escalation

Xmandroid: A new android evolution to mitigate privilege escalation attacks

Black hole attack in mobile ad hoc networks

Denial of service attack and classification techniques for attack detection

Analysis of ping of death dos and ddos attacks

Smurf-based distributed denial of service (ddos) attack amplification in internet

Threat analysis of blackenergy malware for synchrophasor based real-time control and monitoring in smart grid

Blackenergy-what we really know about the notorious cyber attacks

Blackenergy malware used in ukraine power grid attacks

Resisting syn flood dos attacks with a syn cache

Taking control: Design and implementation of botnets for cyber-physical attacks with cpsbot

Short-term risk assessment of botnet attacks on advanced metering infrastructure

Smart factories in industry 4.0: A review of the concept and of energy management approached in production based on the internet of things paradigm

Botnet protocol inference in the presence of encrypted traffic

Ddos in the iot: Mirai and other botnets

The social roles of bots: evaluating impact of bots on discussions in online communities

Regin, an old but sophisticated cyber espionage toolkit platform

Reconsidering human dignity in the new era

Building a gh0st malware experimentation environment

Anonymity vs. trust in cybersecurity collaboration

A coreflood investigation of nanofluid enhanced oil recovery

To catch a ratter: Monitoring the behavior of amateur darkcomet rat operators in the wild

How cybercriminals can abuse chat platform apis as c&c infrastructures

It threat evolution in q1 2016

Global routing instabilities triggered by code red ii and nimda worm attacks

Nimda worm analysis

Triton: The first ics cyber attack on safety instrument systems

Cyber Security: The Lifeline of Information and Communication Technology

Blackhole exploit kit: Rise & evolution. Malware Research Team Technical Paper

How port security has to evolve to address the cyber-physical security threat: Lessons from the sauron project

Cyber threat report

Big game hunting: The peculiarities in nation-state malware research

The smartphone who loved me: Finfisher goes mobile

How cyber-attacks in ukraine show the vulnerability of the us power grid

Jigsaw: An investigation and countermeasure for ransomware attacks

Current trend, challenges, and research directions

Ransomware in industrial control systems. what comes after wannacry and petya global attacks?

Comprehensive survey on petya ransomware attack

Protection model of pcs of subway from attacks type «wanna cry»,«petya» and «bad rabbit» iot

Ransomware attacks: detection, prevention and cure

Slammer worm crashed ohio nuke plant network

Overview of the taum sauk pumped storage power plant upper reservoir failure

Electricity grid in us penetrated by spies. The wall street journal

Infiltrating critical infrastructures with nextgeneration attacks. Fraunhofer Institute for Secure Information Technology (SIT)

Ukraine claims hackers caused christmas power outage

Challenges and threats of ukraine's national cyber security in hybrid war

The ransomware "Petya" as a challenge to the cybersecurity of Ukraine, main factors of spreading this virus in the focus of Ukraine, the steps taken by the authorities to combat this phenomenon and suggest ways to improve such activities using experience of other countries. PhD thesis, Victor Zhoghov The ransomware "Petya" as a challenge to the cybersecurity of

Basic concepts and taxonomy of dependable and secure computing

Fault-tolerant distributed cyber-physical systems: Two case studies

Challenges for securing cyber physical systems

Risk assessment of information and communication systems-analysis of some practices and methods in the electric power industry

Adaptive fault-tolerance faulttolerance for cyber-physical systems

Threat modeling for security assessment in cyberphysical systems

A new multilevel framework for cyber-physical system security

An analysis of cyber physical system security theories

Cyber-physical system risk assessment

An impact review on internet of things attacks

Guide to industrial control systems (ics) security. NIST special publication

The big four-what we did wrong in advanced persistent threat detection

Classification of security threats in information systems

Type of security threats and it's prevention

Stress test scenario: Sybil logic bomb cyber catastrophe. Cambridge Risk Framework series

Cyberphysical systems: the next computing revolution

A study on secure shell (ssh) protocol

Hardware designs for security in ultra-low-power iot systems: an overview and survey

New security perspectives around byod

Comments of the sierra club

Historical analysis of us onshore hazardous liquid pipeline accidents triggered by natural hazards

Cyber-physical systems in manufacturing

Analysis of cyber security for industrial control systems

Security testing methods and techniques of industrial control devices

Achilles -the world's first man-in-the-middle web security tool

Dark Reading. Breakingpoint unveils firestorm cyber tomography

Implementation of the canfd protocol in the fuzzing tool bestorm

Codenomicon defensics finds risks that lurk in your protocols

Mu studio performance suite

Peach fuzzing platform. Peach Fuzzer

Unraveling scada protocols: Using sulley fuzzer

An introduction to spike, the fuzzer creation kit. presentation slides)

exida certification -iec 61508, iec 61511, iec 62443, iso 26262

Isasecure -iec 62443-4-2 -edsa certification

Pu-abe: lightweight attribute-based encryption supporting access policy update for cloud assisted iot

Mohamed Mohamed, and Giovanni Russello. C-absc: cooperative attribute based signcryption scheme for internet of things applications

Information Security and Innovation; Guide to Secure Technology Innovation Initiatives

Data security and privacy preservation in cloud storage environments based on cryptographic mechanisms

Resilience of cyber-physical system: A case study of safe school environment

Virus attacks siemens plant-control systems

Hackers broke into faa air traffic control system

An architectural approach to the design and analysis of cyber-physical systems

State estimation in spatially distributed cyber-physical systems: Bounds on critical measurement drop rates

Operational security management in violent environments

Risk assessment and risk management: Review of recent advances on their foundation

Secure and trusted execution: Past, present, and future-a critical review in the context of the internet of things and cyber-physical systems

On threat modeling and mitigation of medical cyber-physical systems

Process authentication for high system assurance

Security optimization of dynamic networks with probabilistic graph modeling and linear programming

Environmental consequences of the chernobyl accident and their remediation: twenty years of experience. report of the chernobyl forum expert group 'environment' sti/pub/1239, 2006, international atomic energy agency

Radioactivity release from the fukushima accident and its consequences: A review

Ensuring safety, security, and sustainability of mission-critical cyber-physical systems

Cryptographic protection of scada communications part 1: Background, policies and test plan

Restricted authentication and encryption for cyber-physical systems

A survey on security control and attack detection for industrial cyber-physical systems

A multi-layered and kill-chain based security analysis framework for cyber-physical systems

Haytham Elmiligi, and Musfiq Rahman. Network security evaluation scheme for wsn in cyber-physical systems

Trustworthiness of medical devices and body area networks

Present: An ultra-lightweight block cipher

Prince-a low-latency block cipher for pervasive computing applications

Real time modbus transmissions and cryptography security designs and enhancements of protocol sensitive information

Aga-12, part 2 performance test results. Pacific Northwest National Laboratories

Revisiting a watermark-based detection scheme to handle cyber-physical attacks

Secure and efficient communication in cyber-physical systems through cryptography and complex event processing

Continuous analytics on geospatial data streams with wso2 complex event processor

Solving the grand challenge using an opensource cep engine

Logarithmic encryption scheme for cyber-physical systems employing fibonacci q-matrix

Vehicular ad hoc networks (vanets): status, results, and challenges

A comprehensive survey on vehicular ad hoc network

Lightweight attribute based encryption scheme for mobile cloud assisted cyberphysical systems

Secure pub-sub: Blockchain-based fair payment with reputation for reliable cyber physical systems

Postquantum enabled cyber physical systems

Design and implementation of a security framework for industrial control systems

Improving network security monitoring for industrial control systems

Sans scada and process control security survey

On plc network security

A layered encryption mechanism for networked critical infrastructures

On the interdependence of reliability and security in networked control systems

Attacks against process control systems: risk assessment, detection, and response

Embedding encryption and machine learning intrusion prevention systems on programmable logic controllers

Proud: verifiable privacy-preserving outsourced attribute based signcryption supporting access policy update for cloud assisted iot applications. Future Generation Computer Systems

Pcs, a privacy-preserving certification scheme

Cloud data storage security based on cryptographic mechanisms

Secure key-exchange protocol for implants using heartbeats

Physical layer security for wireless implantable medical devices

Multi-factor authentication in cyber physical system: A state of art survey

An authentication scheme with identity-based cryptography for m2m security in cyber-physical systems

Plc access control: a security analysis

Advanced key-management architecture for secure scada communications

Elena Sitnikova, and Benjamin Turnbull. Privacy-preserving big data analytics for cyber-physical systems

Practical privacypreserving high-order bi-lanczos in integrated edge-fog-cloud architecture for cyber-physical-social systems

Secure and efficient outsourcing differential privacy data release scheme in cyber-physical system

Identity-based proxy-oriented outsourcing with public auditing in cloud-based medical cyber-physical systems

Secure kalman filter state estimation by partially homomorphic encryption

Encrypting controller using fully homomorphic encryption for security of cyber-physical systems

A privacy protection-oriented parallel fully homomorphic encryption algorithm in cyber physical systems

Intrusion detection system and intrusion prevention system: A comparative study

Unearthing stealthy program attacks buried in extremely long execution paths

A sharper sense of self: Probabilistic reasoning of program behaviors for anomaly detection with context sensitivity

Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications

Limiting the impact of stealthy attacks on industrial control systems

Cyberphysical system security for the electric power grid

Time-based intrusion detection in cyber-physical systems

Behavior rule specification-based intrusion detection for safety critical medical cyber physical systems

A survey of intrusion detection in internet of things

A malicious pattern detection engine for embedded security systems in the internet of things

A lightweight intrusion detection scheme based on energy consumption analysis in 6lowpan

Detection of sinkhole attacks for supporting secure routing on 6lowpan for internet of things

Intrusion detection systems for wireless sensor networks: A survey

Management Enabling the Future Internet for Changing Business and New Computing Services: 12th Asia-Pacific Network Operations and Management Symposium

Denial-of-service detection in 6lowpan based internet of things

An ids framework for internet of things empowered by 6lowpan

Routing attacks and countermeasures in the rpl-based internet of things

Specification-based ids for securing rpl from topology attacks

A specification-based ids for detecting attacks on rpl-based network topology

Svelte: Realtime intrusion detection in the internet of things

Real time intrusion and wormhole attack detection in internet of things

Distributed internal anomaly detection system for internet-of-things

Intrusion detection system: A comprehensive review

Computer and information security handbook

Research on immunity-based intrusion detection technology for the internet of things

A survey of intrusion detection techniques for cyber-physical systems

A survey of intrusion detection systems in wireless sensor networks

A learning automata based solution for preventing distributed denial of service in internet of things

Internet of things: A survey on enabling technologies, protocols, and applications

Policy and network-based intrusion detection system for ipv6-enabled wireless sensor networks

An introduction to intrusion-detection systems

Guide to intrusion detection and prevention systems (idps). NIST special publication

Computational intelligence based intrusion detection systems for wireless communication and pervasive computing networks

Ultralightweight deep packet anomaly detection for internet of things devices

A spiking one-class anomaly detection framework for cyber-security on industrial control systems

Radio-frequency-based anomaly detection for programmable logic controllers in the critical infrastructure

Security for critical infrastructure scada systems. SANS Reading Room

Detecting anomalous programmable logic controller behavior using rf-based hilbert transform features and a correlation-based verification process

Using timing-based side channels for anomaly detection in industrial control systems

Integration and evaluation of intrusion detection for coap in smart city applications

Research of paired industrial firewalls in defense-in-depth architecture of integrated manufacturing or production system

On the use of open-source firewalls in ics/scada systems

Argus: An orthogonal defense framework to protect public infrastructure against cyber-physical attacks

Real time failure prediction of load balancers and firewalls

A partition-driven integrated security architecture for cyber-physical systems

The use of deception techniques: Honeypots and decoys. Handbook of Information Security

Towards high-interaction virtual ics honeypots-in-a-box

Rethinking the honeypot for cyber-physical systems

Honeybot: A honeypot for robotic systems

Investigation of cyber crime conducted by abusing weak or default passwords with a medium interaction honeypot

Defense strategies against network attacks in cyber-physical systems with analysis cost constraint based on honeypot game model

Conceal: A strategy composition for resilient cyber deception-framework, metrics and deployment

A novel architecture for cyber-physical security in industrial control networks

Deception-as-defense framework for cyber-physical systems

Scada systems: challenges for forensic investigators

Programmable logic controller forensics

Tools, techniques, and methodologies: A survey of digital forensics for scada systems

Medical cyber-physical systems development: A forensicsdriven approach

Blockchain for modern digital forensics: The chain-of-custody as a distributed ledger

Enhancing the security and forensic capabilities of programmable logic controllers

Federated blockchain-based tracking and liability attribution framework for employees and cyber-physical objects in a smart workplace

A network forensics tool for precise data packet capture and replay in cyberphysical systems

Block4forensic: An integrated lightweight blockchain framework for forensics applications of connected vehicles

Scada live forensics: real time data acquisition process to detect, prevent or evaluate critical situations

A scada system testbed for cybersecurity and forensic research and pedagogy

Detecting anomalous programmable logic controller events using machine learning

Detecting industrial control malware using automated plc code analytics

A firmware verification tool for programmable logic controllers

Accurate modeling of the siemens s7 scada protocol for intrusion detection and digital forensics

Scada network forensics of the pccc protocol

A forensic logging system for siemens programmable logic controllers

Exploiting siemens simatic s7 plcs

Forensic analysis of a siemens programmable logic controller

Lightweight, dynamic and efficient image encryption scheme

One round cipher algorithm for multimedia IoT devices. Multimedia Tools and Applications

A physical encryption scheme for low-power wireless M2M devices: a dynamic key approach. Mobile Networks and Applications

An efficient OFDM-based encryption scheme using a dynamic key approach

A survey on OFDM physical layer security

Erdia: An efficient and robust data integrity algorithm for mobile and wireless networks

An efficient secure storage scheme based on information fragmentation

ERSS-RLNC: efficient and robust secure scheme for random linear network coding

Preserving data security in distributed fog computing

Secure and resilient scheme for data protection in unattended wireless sensor networks

Additively homomorphic encryption and fragmentation scheme for data aggregation inside unattended wireless sensor networks

A simple approach for securing iot data transmitted over multi-rats

Design and realization of efficient & secure multi-homed systems based on random linear network coding

On the feasibility of online malware detection with performance counters

Idbased user-centric data usage auditing scheme for distributed environments

Security sla based monitoring in clouds

Aligning cyber-physical system safety and security

Security analysis on cyber-physical system using attack tree

Efficient & secure cipher scheme with dynamic key-dependent mode of operation

Lightweight stream cipher scheme for resource-constrained iot devices

Lightweight multifactor mutual authentication protocol for IoT devices

Secure and lightweight mutual multi-factor authentication for IoT communication systems

Distlog: A distributed logging scheme for iot forensics

Improving network security: next generation firewalls and advanced packet inspection devices

A dynamic honeypot design for intrusion detection

The human and computer as a team in emergency management information systems

Computer security incident response team development and evolution

Guide to integrating forensic techniques into incident response

Incident response & computer forensics

The importance of having a non-disclosure agreement

How to measure employee reliability

Plc code-level vulnerabilities

Assessing automotive functional safety microprocessor with iso 26262 hardware requirements

Introduction and revision of iec 61508

Introduction to iec 61508

Assessing and computing the safety integrity level (sil) for turbo machinery protection

Electronic control unit

US Patent 9,036,026. declare the following financial interests/personal relationships which may be considered as potential competing interests: Jean-Paul Yaacoub is a Master student in the department of Electrical and

Lebanon. Hassan Noura is a research associate in the department of Electrical and Computer Engineering at the American University of Beirut (AUB), Lebanon. Nesrine Kaaniche is Lecturer in Cybersecurity and expert in cryptographic solutions at the University of Salford, School of Computing

Ali Chehab is a professor in the department of Electrical and