Security Modelling for Cyber-Physical Systems: A Systematic Literature Review

Shaofei Huang, Christopher M. Poskitt, Lwin Khin Shar

TL;DR

Cyber-physical systems (CPS) face evolving, high-stakes cybersecurity threats that span cyber and physical domains. The paper conducts a systematic literature review to map existing threat and attack modelling approaches in CPS, identifies gaps such as IT-centric bias and lack of dynamic, CPS-aware models, and proposes an iterative, unified security modelling framework that integrates threat modelling, attack modelling, and security monitoring across the CPS life cycle. Its case study on solar power systems illustrates how a CPS security framework can guide asset identification, threat/attack modelling, and risk assessment with industry standards like IEC 62443 and NIST CSF. The work highlights practical implications for risk management, governance, lifecycle management, cross-domain collaboration, and training, while outlining challenges in dynamic modelling, threat intelligence integration, legacy-ecosystem constraints, and validation needs. Overall, the recommended framework aims to enhance CPS resilience by accommodating evolving threats and CPS-specific consequences through continuous updates and monitoring.

Abstract

Cyber-physical systems are at the intersection of digital technology and engineering domains, rendering them high-value targets of sophisticated and well-funded cybersecurity threat actors. Prominent cybersecurity attacks on CPS have brought attention to the vulnerability of these systems and the inherent weaknesses of critical infrastructure reliant on them. Security modelling for CPS is an important mechanism to systematically identify and assess vulnerabilities, threats, and risks throughout system life cycles, and to ultimately ensure system resilience, safety, and reliability. This survey delves into state-of-the-art research on CPS security modelling, encompassing both threat and attack modelling. While these terms are sometimes used interchangeably, they are different concepts. This paper elaborates on the differences between threat and attack modelling, examining their implications for CPS security. We conducted a systematic search that yielded 449 papers, from which 32 were selected and categorised into three clusters: those focused on threat modelling methods, attack modelling methods, and literature reviews. Specifically, we sought to examine what security modelling methods exist today, and how they address real-world cybersecurity threats and CPS-specific attacker capabilities throughout the life cycle of CPS, which typically span longer durations compared to traditional IT systems. This paper also highlights several limitations in existing research, wherein security models adopt simplistic approaches that do not adequately consider the dynamic, multi-layer, multi-path, and multi-agent characteristics of real-world cyber-physical attacks.

Paper Structure (47 sections, 7 figures, 8 tables)

Figures (7)

  • Figure 1: CPS cyber intrusion flow representation using the Diamond Model of Intrusion Analysis [Caltagirone2013]
  • Figure 2: Timeline of a CPS cyber intrusion illustrating the steps in a Cyber Kill Chain [Hutchins2011]
  • Figure 3: Systematic literature review process
  • Figure 4: Literature survey search results (April 2025)
  • Figure 5: Number of CPS cybersecurity papers per year (2013-2024)
  • ...and 2 more figures