
Microprocessors and Microsystems 77 (2020) 103201

Contents lists available at ScienceDirect

Microprocessors and Microsystems


journal homepage: www.elsevier.com/locate/micpro

Cyber-physical systems security: Limitations, issues and future trends

Jean-Paul A. Yaacoub a, Ola Salman b,∗, Hassan N. Noura a, Nesrine Kaaniche c, Ali Chehab b, Mohamad Malli a

a Arab Open University, Department of Computer Sciences, Beirut, Lebanon
b American University of Beirut, Electrical And Computer Engineering, Lebanon
c University of Sheffield, Department of Computer Science, United Kingdom

Article info

Article history:
Received 1 November 2019
Revised 30 April 2020
Accepted 2 July 2020
Available online 8 July 2020

Keywords:
Cyber-physical systems
Cyber-security threats, attacks and issues
Cyber-physical vulnerabilities and challenges
Security, privacy and forensics solutions
Security and performance analysis

Abstract

Typically, Cyber-Physical Systems (CPS) involve various interconnected systems, which can monitor and manipulate real objects and processes. They are closely related to Internet of Things (IoT) systems, except that CPS focuses on the interaction between physical, networking and computation processes. Their integration with IoT led to a new CPS aspect, the Internet of Cyber-Physical Things (IoCPT). The fast and significant evolution of CPS affects various aspects in people’s way of life and enables a wider range of services and applications including e-Health, smart homes, e-Commerce, etc. However, interconnecting the cyber and physical worlds gives rise to new dangerous security challenges. Consequently, CPS security has attracted the attention of both researchers and industries. This paper surveys the main aspects of CPS and the corresponding applications, technologies, and standards. Moreover, CPS security vulnerabilities, threats and attacks are reviewed, while the key issues and challenges are identified. Additionally, the existing security measures are presented and analyzed while identifying their main limitations. Finally, several suggestions and recommendations are proposed benefiting from the lessons learned throughout this comprehensive review.

© 2020 Elsevier B.V. All rights reserved.

1. Introduction

Cyber Physical Systems (CPS) are designated as essential components of the Industrial Internet of Things (IIoT), and they are supposed to play a key role in Industry v4.0. CPS enables smart applications and services to operate accurately and in real-time. They are based on the integration of cyber and physical systems, which exchange various types of data and sensitive information in a real-time manner [1]. The development of CPS is being carried out by researchers and manufacturers alike [2]. Given that CPS and Industry v4.0 offer a significant economic potential [3], the German gross value will be boosted by a cumulative of 267 billion Euros by 2025 upon the introduction of CPS into Industry v4.0 [4].

A CPS is identified as a network of embedded systems that interact with physical input and output. In other words, CPS consists of the combination of various interconnected systems with the ability to monitor and manipulate real IoT-related objects and processes. CPS includes three main central components: sensors, aggregators and actuators. Moreover, CPS systems can sense the surrounding environment, with the ability to adapt and control the physical world [5]. This is mainly attributed to their flexibility and capability to change the run-time of system(s) process(es) through the use of real-time computing [6]. In fact, CPS systems are being used in multiple domains (see Fig. 1), and embedded in different systems such as power transmission systems, communication systems, agricultural/ecological systems, military systems [7,8], and autonomous systems (drones, robotics, autonomous cars, etc.) [9,10], in addition to medical care domains to enhance the medical services [11]. Moreover, CPS can be used in supply chain management to enable an eco-friendly, transient, cost efficient, and safe manufacturing process.

1.1. Problem formulation

Despite their numerous advantages, CPS systems are prone to various cyber and/or physical security threats, attacks and challenges. This is due to their heterogeneous nature, their reliance on private and sensitive data, and their large scale deployment. As such, intentional or accidental exposures of these systems can result in catastrophic effects, which makes it critical to put in place robust security measures. However, this could lead to unacceptable network overhead, especially in terms of latency. Also, zero-day vulnerabilities should be minimized with constant software, application and operating system updates.

∗ Corresponding author.
E-mail address: [email protected] (O. Salman).

https://doi.org/10.1016/j.micpro.2020.103201
0141-9331/© 2020 Elsevier B.V. All rights reserved.
2 J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201

Fig. 1. CPS description & classification.

1.2. Related work

Recently, several research works addressed the different security aspects of CPS: the different CPS security goals were listed and discussed in Chen [12], Miller and Valasek [13], Bou-Harb [14], Sklavos and Zaharakis [15]; maintaining CPS security was presented in Humayed et al. [16]; CPS security challenges and issues were presented in Yoo and Shon [17], Alguliyev et al. [18]; some of the security issues were reviewed, including big data security [19,20], IoT storage issues [21], and Operating System vulnerabilities [22]; several security and privacy solutions using cryptographic algorithms and protocols were discussed in Kocabas et al. [23], Lai et al. [24]. However, none of the existing works presented a comprehensive view of CPS security in terms of threats, vulnerabilities, and attacks based on the targeted domain (cyber, physical, or hybrid). Hence, this paper presents a detailed overview of the existing cyber, physical and hybrid attacks, and their security solutions including cryptographic and non-cryptographic ones. Moreover, for the first time, CPS forensics are discussed as an essential requirement for the investigation of the causes of CPS-related crimes and attacks.

1.3. Motivation

CPS systems have been integrated into critical infrastructures (smart grid, industry, supply chain, healthcare, military, agriculture, etc.), which makes them an attractive target for security attacks for various purposes including economical, criminal, military, espionage, political and terrorism as well. Thus, any CPS vulnerability can be targeted to conduct dangerous attacks against such systems. Different security aspects can be targeted including confidentiality, integrity, and availability. In order to enable the wide adoption and deployment of CPS systems and to leverage their benefits, it is essential to secure these systems from any possible attack, internal and/or external, passive or active.

The main motivation of this work is to identify the main CPS security threats, vulnerabilities and attacks, and to discuss the advantages and limitations of the existing security solutions, with the aim to identify the requirements for a secure, accurate, reliable, efficient and safe CPS environment. Moreover, the security solutions are analyzed in terms of the associated computational complexity. Note that CPS systems require innovative security solutions that can strike a good balance between security level and system performance.

1.4. Contributions

In this work, we conduct a comprehensive overview and analysis of the different cyber-physical security aspects of CPS. The contributions entail the following:
• General Background about CPS including their main layers, components and model types.
• Cyber-Physical Attacks are presented in relation to the targeted cyber and/or physical system/device, and the corresponding vulnerabilities of each such domain.
• Risk Assessment: a qualitative risk assessment method is presented to evaluate the risk and exposure levels for each CPS system, while proposing suitable security countermeasures.

• Security Measures and their limitations are discussed and analyzed, including recent cryptographic and non-cryptographic solutions.
• Forensics solutions are also presented and discussed, covering how to securely extract evidence and thus improve forensics investigations.
• Lessons: various lessons are learnt throughout this survey including how to protect real-time data/information communication among resource-constrained CPS devices, and how to achieve protection of CPS security goals such as confidentiality, integrity, availability and authentication.
• Suggestions & Recommendations are presented about how to mitigate and overcome various cyber, physical and hybrid threats, vulnerabilities, attacks, challenges and issues for a safe CPS environment.

1.5. Organization

Aside from the introduction, this paper is divided into six main sections as follows. Section 2 presents some background about CPS including their layers, components, and models. Section 3 discusses and details the key CPS threats, attacks and vulnerabilities in addition to listing and describing several real-case CPS attacks, and the main persistent challenges and issues. Section 5 assesses and evaluates the risks associated with CPS security attacks, especially in a qualitative risk assessment manner. Section 5 presents and analyzes the main CPS security solutions including cryptographic, non-cryptographic, and forensics ones. Section 6 highlights the lessons learnt throughout this study. Section 7 provides key suggestions and recommendations for a safe and secure CPS environment. Section 8 concludes the presented work.

2. CPS - background

In this section, we present the CPS architecture, its main layers and components, as well as the main CPS models.

2.1. CPS layers & components

The architecture of CPS systems consists of different layers and components, which rely on different communication protocols and technologies to communicate among each other across the different layers.

2.1.1. CPS layers

The CPS architecture consists of three main layers, the perception layer, transmission layer, and application layer, which are presented and described in Fig. 2. The analysis of the security issues at the various CPS layers is based on the work in Ashibani and Mahmoud [25].
• Perception Layer: It is also known as either the recognition or the sensing layer [26]. It includes equipment such as sensors, actuators, aggregators, Radio-Frequency IDentification (RFID) tags, Global Positioning Systems (GPS) along with various other devices. These devices collect real-time data in order to monitor, track and interpret the physical world [27]. Examples of such collected data include electrical consumption, heat, location, chemistry, and biology, in addition to sound and light signals [28], depending on the sensors’ type [29]. These sensors generate real-time data within wide and local network domains, before being aggregated and analyzed by the application layer. Moreover, securing actuators depends on authorized sources to ensure that both feedback and control commands are error-free and protected [30]. Generally, increasing the security level requires an end-to-end encryption scheme at each layer [31]. Therefore, heavyweight computations and large memory requirements would be introduced [32]. In this context, there is a need for the design of efficient and lightweight security protocols, which take into consideration the devices’ capabilities and the security requirements.
• Transmission Layer: It is also known as the transport layer or network layer, and it is the second CPS layer [29]. This layer interchanges and processes data between the perception and application layers. Data transmission and interaction is achieved through the Internet using Local Area Networks (LANs) and communication protocols including Bluetooth, 4G and 5G, InfraRed (IR) and ZigBee, Wi-Fi, Long Term Evolution (LTE), along with other technologies. For this purpose, various protocols are used to address the increase in the number of internet-connected devices, such as the Internet Protocol version 6 (IPv6) [33]. This layer also ensures data routing and transmission using cloud computing platforms, routing devices, switching and internet Gateways, firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) [34,35]. Before outsourcing data contents, it is essential to secure their transmission to prevent intrusions and malicious attacks including malware, malicious code injection [36], Denial of Service/Distributed Denial of Service (DoS/DDoS), eavesdropping, and unauthorised access attacks [37]. This introduces a challenge, especially for resource-constrained devices due to the imposed overhead in terms of the required processing and power resources [38].
• Application Layer: It is the third and most interactive layer. It processes the received information from the data transmission layer and issues commands, which are executed by the physical units including sensors and actuators [39]. This is done by implementing complex decision-making algorithms based on the

Fig. 2. CPS layers.



Fig. 3. Infrastructure of CPS.

aggregated data [40]. Moreover, this layer receives and processes information from the perception layer before determining the rightly invoked automated actions [29]. In fact, cloud computing, middleware, and data mining algorithms are used to manage the data at this layer [41]. Protecting and preserving privacy requires protecting private data from being leaked. The most known protective approaches include anonymization, data masking (camouflage) [42,43], privacy-preserving, and secret sharing [31]. Moreover, this layer also requires a strong multi-factor authentication process to prevent unauthorised access and escalation of privilege [44]. Due to the increase in the number of Internet-connected devices, the size of the generated data has become a significant issue [21]. Therefore, securing big data calls for efficient protection techniques to process huge amounts of data in a timely and efficient manner [45].

2.1.2. CPS components

CPS components are used for sensing information [5], or for controlling signals (Fig. 3). In this regard, CPS components are classified into two main categories: Sensing Components (SC) that collect and sense information, and Controlling Components (CC) that monitor and control signals.
• Sensing Components: are primarily located at the perception layer and consist of sensors that collect data/information and forward them to aggregators. Then, this data/information is sent to the actuators for further analysis to ensure accurate decision making. In the following, we list the main CPS sensing components.
− Sensors: collect and record real-world data following a correlation process named “calibration”, to assess the correctness of the collected data [46]. Sensing data is essential since the decisions that will be made are based on the analysis of this data.
− Aggregators: are primarily located at the transmission layer (i.e. routers, switches and gateways) to process the received data/information from sensors, before issuing the corresponding decision(s). In fact, data aggregation is based on the collected information about a specific target, where this information is gathered and summarized following a statistical analysis. Online Analytical Processing (OLAP) is a prime data aggregation type used as an online reporting mechanism for processing information [46].
− Actuators: are located at the application layer to make the information visible to the surrounding environment based on the decisions made by the aggregators. Since actuators highly depend on other network nodes, each action performed by the CPS relies on an earlier data aggregation sequence [5]. Also in terms of operations, actuators process electrical signals as input and generate physical actions as output [46].
• Controlling Components: are used to control signals and they play a key role in signal control, monitoring and management to achieve higher levels of accuracy and protection against malicious attacks or accidents, mainly signal jamming, noise and interference. As a result, the reliance on Programmable Logic Controllers (PLCs) and Distributed Control Systems (DCSs) along with their components (i.e. Programmable Automation Controller (PAC) [47], Operational Technology/Information Technology (OT/IT) [48], Control Loop/Server [49], and Human-Machine Interface (HMI)/Graphical User Interface (GUI) [50]) has become highly essential. Next, we list the different types of control systems that are used in CPS systems:
• Programmable Logic Controllers (PLC): were initially developed to replace hard-wired relays, and are considered as industrial digital computers that control the manufacturing processes such as robotic devices performance and/or fault diagnosis processing; hence achieving better flexibility and resiliency.
• Distributed Control Systems (DCS): are computerized control systems that allow the autonomous controllers’ distribution throughout the system using a central operator supervisory control. As a result of the remote monitoring and supervision process, the DCS’s reliability is increased, whilst its installation cost is reduced. In some cases, DCS can be similar to Supervisory Control and Data Acquisition (SCADA) systems.
• Remote Terminal Units (RTU): or “Remote Telemetry Unit” [51], are electronic devices controlled by a microprocessor such as the Master Terminal Unit (MTU) [52]. Unlike the PLC, they do not support any control loop nor control algorithm(s). This makes them more suitable for wireless communications over wider geographical telemetry areas. RTU’s main task is to interface SCADA to the physical object(s) using a supervisory messaging system that controls these objects through the system’s transmission of telemetry data.

In fact, both RTUs and PLCs use a small computerized “artificial brain” (Central Processing Unit (CPU)) to process inputs and

outputs from sensing devices and pumping equipment [53]; hence using IEDs (Intelligent Electronic Devices) to transmit data flow or trigger an alarm in case of any intrusion. Table 1 presents a comparison of the common points and differences between PLCs and RTUs. Concerning the relation between components and layers, it can be seen that sensing components are mainly deployed at the perception and transmission layers, while the controlling components are deployed at the application layer.

Table 1
PLC vs. RTU.

PLC (Programmable Logic Controller) | RTU (Remote Terminal/Telemetry Units)
Sold with RTU-like features | Sold with PLC-like features
Digital computers designed for output arrangements and multiple inputs | Electronic device controlled by a microprocessor
Automates electro-mechanical processes | Interfaces SCADA physical objects
Physical media with process, relays, motion control and networking | Uses supervisory system messages to control objects
Does support control loops and algorithms | Does not support control loops and algorithms
Immune to electrical noise, resistant to vibration | Low to null immunity against electrical noise and vibration
Suitable for local geographical areas | Suitable for wider geographical telemetry areas
Mainly IEC Standards | Wired/Wireless Communications

2.2. CPS model types

CPS models can be divided into three main types:
• Timed Actor CPS: This model focuses on the functional aspects based on behaviour and correctness, along with the non-functional aspects that are based on performance and timing. A theory was introduced in Geilen et al. [54] with a functional and classical refinement that restricts a certain behaviour set, improving efficiency while reducing complexity. The main focus is on the refinement based on the “earlier-the-better” principle since it offers the ability to identify deterministic abstractions of non-deterministic systems [55]. In fact, these time-deterministic models are less prone to state explosion problems, with the ability to derive analytical bounds more easily [56].
• Event-Based CPS: In such models, an event must be sensed and detected by the proper CPS components, before the actuation decisions are made. However, individual component timing constraints vary depending on the non-deterministic system delay, which is caused by the different CPS actions including sensing, actuating, communication and computing [57]. In [58], Hu et al. stated that time constraints can be handled through the use of an event-based approach, which uses CPS events to ensure the system’s communication, computation, and control processes. This allows the CPS to be more suitable and more useful for spatio-temporal information.
• Lattice-Based Event Model: In [59], the CPS events are represented according to the event type, along with the internal and external event attributes. If these events are combined, they can be used to define a spatio-temporal property of any given event, while also identifying all the components that were observing the event.
• Hybrid-Based CPS Model: Hybrid CPS systems are heterogeneous systems that are made up of two distinct interactive system types, continuous state (physical dynamic systems) and discrete-state (discrete computing systems) [60,61]. Both development and evolution depend on the response of discrete transient events represented by finite state machines, and the dynamic behaviour represented by differential/difference equation(s) [62]. Unlike other CPS models, hybrid CPS is interconnected via a network, which makes it prone to delays. Moreover, hybrid CPS systems do not support any hierarchical modeling, and are not suitable for modeling concurrent systems. Hence, hybrid systems modeling challenges caused by CPS were discussed by Benveniste et al. [63]. In fact, CPS system network latency issues were addressed and solved by Kumar et al. using a real-time hybrid authentication method [64], while a configurable real-time hybrid structural testing for CPS was presented by Tidwell et al. [65]. Finally, an event driven monitoring of CPS based on hybrid automata was presented by Jianhui [66].

3. CPS vulnerabilities, threats, attacks & failures

In a similar manner to most networking systems, security services were not incorporated into CPS systems by design, leaving the door open for various vulnerabilities and threats to be leveraged by attackers to launch security attacks. This is also due to the heterogeneous nature of CPS devices since they operate in different IoT domains and communicate using different technologies and protocols.

3.1. CPS security threats

CPS security threats can be classified as cyber or physical threats, as explained below, and if combined, these can result in cyber-physical threats.

3.1.1. Cyber threats

The main attention on Industrial IoT security was highly focused on cyber threats rather than physical threats for many reasons, as cited in Alguliyev et al. [18]. This includes the electrical grid evolution into an Advanced Metering Infrastructure (AMI), which resulted in the rise of newly unknown cyber threats aside from SCADA vulnerabilities [67–69]. Electronic attacks are now easier to launch from any device, unlike physical attacks that require physical presence and physical tools. Moreover, the smart meter interfacing and interconnection with other meters in the Near-me Area Network (NAN) and Home Area Network (HAN) increase its exposure to various remote threats. Finally, electronic attacks are difficult to mitigate and overcome in the absence of the right prevention and defensive countermeasures. For further details on cyber threat intelligence, a brief survey of CPS security approaches was presented in Bou-Harb [14]. For further information about cyber security threats, more details can be found in Cleveland [70], Metke and Ekl [71].

Since cyber security is not limited to a single aspect, it can be considered from different perspectives, such as:
• Centring Information: which requires protecting the data flow during the storage phase, transmission phase, and even the processing phase.
• Oriented Function: which requires integrating the cyber-physical components in the overall CPS.
• Oriented Threat: which impacts data confidentiality, integrity, availability, and accountability [70].

The above issues make CPS systems prone to:
• Wireless Exploitation: It requires knowledge of the system’s structure and thus, exploiting its wireless capabilities to gain

remote access or control over a system or possibly disrupt the system’s operations. This causes collision and/or loss of control [72].
• Jamming: In this case, attackers usually aim at changing the device’s state and the expected operations to cause damage by launching waves of de-authentication or wireless jamming signals, which would result in denial of device and system services [73].
• Reconnaissance: An example of such a threat is where intelligence agencies continuously perform operations targeting a nation’s Computational Intelligence (CI) and Industrial Control System (ICS) mainly through a malware spread [74]. This results in violating data confidentiality due to the limitation of traditional defenses [75,76].
• Remote Access: This is mainly done by trying to gain remote access to the CPS infrastructure, for example, causing disturbances, financial losses, blackouts, as well as industrial data theft and industrial espionage [77]. Moreover, Havex Trojans are among the most dangerous malware against ICSs, as they can be weaponized and used as part of cyber-warfare campaign management against a nation’s CPS [78].
• Disclosure of Information: Hackers can disclose any private/personal information through the interception of communication traffic using wireless hacking tools [16], violating both privacy and confidentiality [79].
• Unauthorised Access: Attackers try to gain an unauthorized access through either a logical or physical network breach and to retrieve important data, leading to a privacy breach [80].
• Interception: Hackers can intercept private conversations through the exploitation of already existing or new vulnerabilities leading to another type of privacy and confidentiality breach [72].
• GPS Exploitation: Hackers can track a device or even a car by exploiting (GPS) navigation systems, resulting in a location privacy violation [72,81].
• Information Gathering: software manufacturers covertly gather files and audit logs stored on any given device in order to sell this huge amount of personal information for marketing and commercial purposes in an illegal manner.

3.1.2. Physical threats

CPS systems are recently evolving into the industrial domain by introducing an Advanced Metering Infrastructure (AMI), and Neighbourhood Area Networks (NANs), along with data meter management systems to maintain the robustness of CPS in industrial domains [82]. In fact, physical threats might be classified according to the following three factors:
• Physical Damage: since different facility types implement different levels of protection, power-generating stations (e.g. power grid, power plants, base stations) are well protected. This is due to the fact that these stations are well-manned and well-guarded based on the implementation of access controls, authorisation and authentication mechanisms such as usernames and passwords, access cards, biometrics and video surveillance. However, the main concern is related to the less protected power-generating sub-stations since transmission lines are vulnerable to sabotage attacks and disruption. In fact, smart meters are also vulnerable to a number of threats as explained in Chen et al. [83]. To address this problem, smart meters must be tamper-resistant by relying on outage detection or even host-based intrusion detection. However, it is almost impossible to prevent physical tampering or theft by adversaries (such as Advanced Persistent Threats (APTs)), except that it is possible to mitigate the risk and reduce its impact.
• Loss: the most worrying scenario is having more than a single substation failure caused by a malicious attacker. In case of a severe damage in the smart grid, a total blackout of major metropolitan areas may occur for several hours [84]. A real-case scenario includes the cascading blackout that managed to hit the U.S. on August 14th, 2003 [85], caused by the People’s Liberation Army (PLA), which is a Chinese politically-motivated group [86].
• Repair: it can be based on a self-healing process [87], which is based on the ability to either sense faults or disruptions, whilst isolating the problem and sending alerts to the corresponding control system to automatically reconfigure the back-up resources in order to continuously provide the necessary service. The aim is to ensure a fast recovery in as short a time as possible. However, critical components do suffer from either a lack or a limited backup capability. Therefore, self-healing can respond faster to a severe damage.

Some of the threats associated with CPS systems include:
• Spoofing: it consists of masquerading the identity of a trusted entity by a malicious unknown source. In this case, attackers are capable of spoofing sensors, for example, by sending misleading and/or false measurements to the control center.
• Sabotage: Sabotage consists of intercepting the legal communication traffic and redirecting it to a malicious third party or disrupting the communication process. For example, attackers can sabotage physically exposed CPS components across the power grid, to cause a service disruption or even denial of service that leads to either total or partial blackout.
• Service Disruption or Denial: Attackers are capable of physically tampering with any device to disrupt a service or to change the configuration. This has serious effects, especially in the case of medical applications.
• Tracking: Since devices are physically exposed, an attacker can gain access to a given device, and/or even attach a malicious device or track the legal ones.

In the following, we present the main CPS vulnerabilities that can be targeted by the above-mentioned threats.

3.2. CPS vulnerabilities

A vulnerability is identified as a security gap that can be exploited for industrial espionage purposes (reconnaissance or active attacks). Hence, a vulnerability assessment includes the identification and analysis of the available CPS weaknesses, while also identifying appropriate corrective and preventive actions to reduce, mitigate or even eliminate any vulnerability [88].

In fact, CPS vulnerabilities are divided into three main categories:
• Network Vulnerabilities: include weaknesses of the protective security measures, in addition to compromising open wired/wireless communication and connections, including man-in-the-middle, eavesdropping, replay, sniffing, spoofing and communication-stack (network/transport/application layer) [89], back-doors [90], DoS/DDoS and packet manipulation attacks [91].
• Platform Vulnerabilities: include hardware, software, configuration, and database vulnerabilities [36].
• Management Vulnerabilities: include lack of security guidelines, procedures and policies.

Vulnerabilities occur due to many reasons. However, there are three main causes of vulnerabilities:
• Assumption and Isolation: It is based on the “security by obscurity” trend in most CPS designs. Therefore, the focus here is
J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201 7

to design a reliable and safe system, taking into consideration the implementation of the necessary security services, without assuming that the system is isolated from the outside world.
• Increasing Connectivity: more connectivity means a larger attack surface. As CPS became more connected, manufacturers built them on open networks and open wireless technologies. Up until 2001, most ICS attacks were internal; the move to internet-connected systems shifted the attacks to external ones [92].
• Heterogeneity: CPS include heterogeneous third-party components that are integrated to build CPS applications. As a result, a CPS is a multi-vendor system in which each product is prone to its own security problems [93].
• USB Usage: removable media are a main cause of CPS compromise, as in the Stuxnet attack on Iranian nuclear facilities, where the malware was carried on a USB drive; once plugged in, it spread to other devices through exploitation and replication.
• Bad Practice: primarily bad coding and weak skills, leading to code that runs into infinite loops or that is too easy for an attacker to modify.
• Spying: CPS are also prone to spying/surveillance, mainly through spyware that gains stealthy access and remains undetected for years, with the main task of eavesdropping on, stealing and gathering sensitive/confidential data and information.
• Homogeneity: cyber-physical systems of the same type suffer from the same vulnerabilities, which once exploited can affect every such device in reach; a prime example is the Stuxnet worm attack on Iranian nuclear facilities [94].
• Suspicious Employees: can intentionally or inadvertently damage or harm CPS devices by sabotaging and modifying the code, or by granting remote access to attackers through the opening of closed ports or the plugging in of an infected USB/device.

Thus, CPS vulnerabilities can be of three types: cyber, physical, and, when the two are combined, cyber-physical.

3.2.1. Cyber vulnerabilities

Since ICS heavily rely on open standard protocols including the Inter-Control Center Communications Protocol (ICCP) [95] and Transmission Control Protocol/Internet Protocol (TCP/IP) [96], ICS applications are exposed to security attacks. ICCP suffers from a critical buffer overflow vulnerability [89] and also lacks basic security measures [97]. The Remote Procedure Call (RPC) protocol [98] and ICSs in general have been hit by a range of malware, including Stuxnet (1 & 2) [99–101], Duqu (1.0, 1.5 & 2.0) [102–104], Gauss [102,105,106], Red October [107,108], Shamoon (1, 2 & 3) [109–111], Mahdi [112–114] and the Slammer worm [115]. Open/non-secure wired and wireless communications such as Ethernet are vulnerable to interception, sniffing, eavesdropping, wiretapping, wardialing and wardriving [116–118] and man-in-the-middle attacks [119]. Short-range wireless communications are also vulnerable, since they can be captured, analysed, damaged, deleted or manipulated by insiders [120]. Moreover, employees' devices connected to the ICS wireless network, if not secured, are prone to botnet, remote access Trojan and rootkit infections, after which the device is remotely controlled by an attacker [121]. Long-range wireless communications are vulnerable to eavesdropping, replay and unauthorized access attacks. SQL injection remains the most common web-related vulnerability, since attackers can access any server database without authorization through the injection of malicious code that keeps running once executed, without the user's knowledge [122].
Since many medical devices heavily rely on wireless communications, they are prone to a large number of wireless attacks including jamming, modification and replay attacks, due to the lack of encryption. Similarly, a device's GPS and microphone can be turned into a tracking tool, revealing the target's location or, in a connected car, allowing in-car conversations to be intercepted through eavesdropping [13].
By default, ICS rely on the Modbus and DNP3 protocols to monitor sensors and send control commands to actuators. In [16], Humayed et al. stated that the Modbus protocol lacks basic security measures such as encryption, authentication and authorization. This makes it prone to eavesdropping, wiretapping and port scanning [123], with the risk of the controller being spoofed through false data injection [124]. The DNP3 protocol shares the same vulnerabilities, the one difference being its Cyclic Redundancy Check (CRC) [125]; note that a CRC only detects transmission errors and is no defence against deliberate modification, since an attacker who alters a frame simply recomputes it. Moreover, the Windows Server service has been vulnerable to remote code execution [99], and further attacks exploit buffer overflow vulnerabilities in whatever Operating System (OS) is running.
The power system infrastructure of smart grids is prone to the same vulnerabilities as ICS, since it relies on the same protocols (Modbus and DNP3). The IEC 61850 protocol was introduced for substation communications, but it too lacks security properties and is prone to eavesdropping, leading to interference attacks [126] or false information injection attacks [127]. In [128], Santamarta et al. analysed the available documentation of smart meters and located a "factory login" account used to perform basic configuration. This account gives the user full control over a smart meter, leading to power disruption, wrong decision making and attacks on neighbouring smart meters within the same network. In addition, many devices are prone to battery exhaustion attacks [73].
Gollakota et al. [129] and Halperin et al. [130] studied the wireless interface of Implantable Cardioverter Defibrillators (ICDs) and exploited it through injection attacks. In [131], Radcliffe revealed that Continuous Glucose Monitoring (CGM) devices are vulnerable to replay attacks, spoofing the device with the injection of incorrect values. Smart cars are likewise vulnerable to various attack types, because security was not considered when they were designed [132]. The Controller Area Network (CAN) protocol suffers from many vulnerabilities which, if exploited, increase the likelihood of DoS attacks against the car [133]. A Tire-Pressure Monitoring System (TPMS) is vulnerable to eavesdropping and spoofing due to the lack of encryption [134], and Adaptive Cruise Control (ACC), which is part of the CAN network, can be directly exploited [13]: a well-equipped attacker can interfere with the ACC sensors by adding noise or spoofing, thereby controlling the car's speed or even causing collisions.

3.2.2. Physical vulnerabilities

Physical tampering may result in misleading data in cyber-physical components; physical attacks with cyber impact were studied in MacDonald et al. [135]. The physical exposure of ICS components is classified as a vulnerability because of the insufficient physical security provided to these components, which makes them prone to physical tampering, alteration, modification or even sabotage. CPS field devices (i.e. smart grids, power grids, supply chains, etc.) are prone to the same ICS vulnerabilities, since a large number of physical components is exposed without physical security, making them prone to physical destruction. Therefore, Mo et al. [136] stressed detection and prevention solutions. In [16], Humayed et al. stated that medical devices are vulnerable to physical access, which allows malware to be installed on them or the device's configuration to be modified, putting the patient's health at risk. Moreover, physical access to any medical device is in itself a vulnerability, since an attacker can retrieve the device's serial number to launch targeted attacks [131].
As listed above, CPS suffer from various vulnerabilities that make them prone to different types of attacks, which are discussed next.

3.3. Cyber-physical system attacks

In this section, we present the different types of attacks that target the different aspects of CPS, including cyber and physical ones.

3.3.1. Physical attacks

Physical attacks were more active in past years, especially against industrial CPS [137,138]. Many of these attacks were already presented in Al-Mhiqani et al. [139]. Nonetheless, this paper presents a broader range of physical attack types:

• Infected Items: this includes infected CDs, USBs, devices and drives, as in the case of the Stuxnet worm [140]; upon their insertion into a cyber-physical device, a covert malicious program is installed.
• Abuse of Privilege: this attack occurs when rogue or disgruntled employees access the server rooms and installation areas within the CPS domain. This allows them to insert a rogue USB device to install malware (e.g. a keystroke logger) or to capture confidential data.
• Wire Cuts/Taps/Dialing: since the communication lines, including telephony and Wi-Fi, of many cyber-physical headquarters (HQs) are still physically exposed, attackers can cut the wires or wiretap them to intercept the communicated data [117].
• Fake Identity: this attack occurs when attackers masquerade as legitimate employees, with enough knowledge to fool the others. They often pose as cleaners to gain easier access and closer interaction with other employees. A prime example is Australia's Maroochy Water Breach in 2000 [141].
• Stalkers: usually legitimate employees with malicious intent who shoulder-surf CPS administrators and engineers to acquire their credentials, then blackmail them or sell the credentials to competing CPS organisations.
• CCTV Camera Interception: this includes intercepting the footage of the closed-circuit television cameras that secure entry and key points within CPS areas. This can be done by jamming the cameras' signals, cutting the communication wires, deleting the footage or gaining access to the remote control and monitoring area, before performing a physical attack undetected.
• Key-Card Hijacking: this includes cloning legitimate cards stolen from employees, or creating look-alike copies, to gain full or partial access and compromise the CPS domain.
• Physical Breach: this attack requires gaining illegal physical access to the system, for example through a backdoor as in the case of the Springfield Pumping Station in 2011 [142], a physical breach as in the case of the US Georgia Water Treatment Plant in 2013 [143], or an exploited security gap as in the case of the Canadian Telvent Company in 2012 [144]. This allows an attacker to damage and shut down network-connected manufacturing systems and CPS devices, resulting in loss of availability and productivity.
• Malicious Third Party Software Provider: the main purpose of this attack is to target the company's CPS by compromising the legitimate "Industrial Control Systems" software, as in the case of the Georgia Nuclear Power Plant shutdown in 2008 [145]. This includes replacing legitimate files in the vendor's repositories with malware that, once installed, offers remote access to control or compromise a given system.
• Abuse of Privilege (insider attacks): mainly carried out by insiders to perform, or help perform, a (cyber-)attack from within. Their high privileges give them the ability to conduct these attacks, together with valuable knowledge of the CPS systems' vulnerabilities and weaknesses. This abuse of privilege can take many forms:
− Physical Tampering: gaining unauthorised, or masqueraded authorised, access to restricted areas to damage CPS systems and devices, modify their operational mode, inject malicious data/information or steal confidential documents.
− Unauthorised Activities: performing suspicious tasks such as opening/closing pumping stations, increasing/decreasing power voltage, opening closed ports, communicating with an external entity, redirecting network traffic or leaking information.
• Social Engineering: can take many deceptive forms [91], such as reverse social engineering (posing as a technical expert the victim will turn to for help), baiting (distributing malicious USBs or software), tailgating (following authorised personnel) or quid pro quo (impersonating technical support teams). It is based on the art of manipulating people, mentally or emotionally, to gain their trust and make them reveal sensitive information related to a CPS, PLC or ICS.

Recently, CPS have become a new target of hackers for espionage, sabotage, warfare, terrorism and service theft [146], mainly as part of cyber-warfare [147], cyber-crime [148,149], (cyber-)terrorism [150–152], (cyber-)sabotage [153] (such as the cyber-attacks against Estonia in 2007 [154] and Georgia in 2008 [155]), or (cyber-)espionage [156,157]. The lack of (cyber-)security is a serious issue with possibly drastic effects [12], especially in countries like Lebanon [158,159].

3.3.2. Cyber attacks

In recent years, there has been a rise in the rate of cyber-attacks targeting CPS and IoCPT, with very devastating consequences. According to the studies carried out in [160,161], CPS are highly prone to malicious code injection attacks [162], code-reuse attacks [163], fake data injection attacks [164], non-control-data attacks [165] and, more generally, control-flow attacks, which Control-Flow Attestation (C-FLAT) [160] was designed to detect. Such attacks can result in a total blackout of CPS industrial devices and systems, as presented in Table 2.

• Eavesdropping: the interception of non-secure CPS network traffic to obtain sensitive information (passwords, usernames or any other CPS information). Eavesdropping can take two main forms: passive, by listening to CPS network traffic, and active, by probing, scanning or tampering with messages while claiming to be a legitimate source.
• Cross-Site Scripting: or XSS occurs when third-party web resources are used to run malicious scripts in the victim's web browser (mainly a targeted CPS engineer, contractor or worker), typically by injecting malicious script into a web page, e.g. stored in the website's database. XSS can achieve session hijacking and, in some cases, log keystrokes or give remote access to a victim's machine.
Table 2
Real CPS attacks.

Country | Target | Attack Nature | Type | Date | Motives
United States of America | Ohio Nuke Plant Network [215] | Slammer Worm | Malware-DoS | January 25, 2003 | Criminal
United States of America | Taum Sauk Hydroelectric Power Station Failure [216] | Sensors Failure | Accident | December 14, 2005 | N/A
United States of America | Georgia Nuclear Power Plant Shutdown [145] | Installed Software Update | Undefined Software | March 7, 2008 | Unclear
United States of America | US Electricity Grid [217] | Reconnaissance Programs | Undefined Software | April 8, 2009 | Political
United States of America | Springfield Pumping Station [142] | Backdoor | Unauthorised Access | November 8, 2011 | Criminal
United States of America | Georgia Water Treatment Plant [143] | Physical Breach | Unauthorised Access | April 26, 2013 | Criminal
Iran | Iranian nuclear facilities | Stuxnet [218] | Worm | November 2007 | Political
Iran | Power plant and other industries | Stuxnet-2 | Worm | December 25, 2012 | Political
Iran | Iranian infrastructure (nuclear, oil) and communications companies | DDoS | Disruptive | October 03, 2012 | Political
Iran | Iranian key oil facilities | Computer Virus | Malware | April 23, 2012 | Political
Saudi Arabia | Saudi infrastructure in the energy industry | Shamoon-1 | Malware | August 15–17, 2012 | Religio-Political
Saudi Arabia | Saudi government computers and targets | Shamoon-2 | Malware | November 17, 2016 | Religio-Political
Saudi Arabia | Tasnee and other petrochemical firms, National Industrialization Company, Sadara Chemical Company | Shamoon-3 | Malware | January 23, 2017 | Religio-Political
Qatar | Qatar's RasGas | Shamoon | Malware | August 30, 2012 | Political
United Arab Emirates | UAE energy sector | Trojan Laziok | Malware | January–February 2015 | Political
Australia | Maroochy Water Breach [141] | Remote Access | Unauthorised Access | March 2000 | Criminal
Canada | Telvent Company [144] | Security Breach | Exploited Vulnerability | September 10, 2012 | Criminal
Ukraine | Ukrainian Power Grids [219] | BlackEnergy | Malware | December 23, 2015 | Political
Ukraine | Ukrainian Electricity Firms [220] | Petya [221] | Ransomware | June 27, 2017 | Political

• SQL Injection: or SQLi targets CPS database-driven websites to read and/or modify sensitive data, possibly also executing administrative operations such as a database shutdown, especially when CPS systems are still relying on SQL for data management [166].
• Password Cracking: targets the authenticity of CPS users [167,168] (mainly engineers and managers) by trying to crack their passwords using brute-force [169], dictionary [170] (mitigated by key exchange [171]), rainbow table [172] (defeated by salted hashing), birthday [173] or online/offline password guessing attacks [174], to gain access to the password database or to the incoming/outgoing network traffic. Therefore, it is important to prevent such escalation from taking place [175,176].
• Phishing: has many types, such as e-mail phishing, vishing, spear phishing or whaling, that target some or all CPS users (engineers, specialists, business staff, Chief Executive Officers (CEOs), Chief Operations Officers (COOs) or Chief Financial Officers (CFOs)) through impersonation of business colleagues or service providers.
• Replay: intercepting packets transmitted between ICSs, RTUs and PLCs and re-sending them while impersonating the original sender, causing delays that affect the CPS's real-time operations and availability. In some cases, the intercepted packets are modified before being re-sent, which would seriously hinder normal operations.
• DoS/DDoS: DoS attacks exhaust the cyber-physical system's resources from a single source, while DDoS attacks are launched simultaneously from a large number of infected devices at different geographical locations, usually a botnet. DoS attacks can take many forms (e.g. blackhole [177], teardrop [178], ping-of-death [179]), while DDoS attacks include reflection/amplification attacks such as smurf [180] and botnet-driven floods such as the BlackEnergy series (BE-1, BE-2 and BE-3 [181–183]), all targeting CPS.
− TCP SYN Flood: exploits the TCP three-way handshake by sending a constant stream of SYN requests and never completing the handshake, so the server keeps allocating half-open connection state while awaiting a reply [184]. This exhausts the connection backlog and memory, so that legitimate connections are refused or the cyber-physical system crashes.
• Malicious Third Party: software that covertly exploits the data aggregation network and compromises it, mainly using botnets, Trojans or worms, to exfiltrate information from an internal system (i.e. PLC, ICS or RTU) over a CPS encrypted channel to a botnet Command-and-Control server, while posing as a trusted third party; this targets CPSs [185] and AMIs [186].
• Watering-hole Attack: the attacker scans for any cyber-physical security weakness. Once one is identified, a website the target is known to visit is turned into a "watering hole" that delivers malware to the targeted CPS system, mainly through a backdoor, rootkit or zero-day exploit [187].
• Malware: is used to compromise CPS devices in order to steal/leak data, harm devices or bypass access control systems. Malware can take many forms; the main forms that target CPS are briefly listed below.
− Botnets: exploiting CPS device vulnerabilities to turn them into bots or zombies, mainly to conduct hard-to-trace DDoS attacks (e.g. Ramnit (2015) [188], Mirai (2016) [189], Smominru (2017) [188], Mootbot (2020) [190], WildPressure and VictoryGate (2020)).
− Trojan: a disguised malware that seems legitimate and tricks users into downloading it. Once installed, the Trojan offers remote access to steal credentials and monitor user activity. This includes Remote Access Trojans (RATs), which in turn can be used to turn a device into a bot (e.g. Turla (2008) [191], MiniPanzer/MegaPanzer (2009) [192], Gh0st RAT (2009) [193], Shylock (2011) [194], Coreflood (2011) [195], DarkComet (2012) [196], MEMZ (2016) [197], TinyBanker (2016) [198] and Banking.BR Android Botnet (2020)).
− Virus: can replicate and spread to other devices with or without human intervention. Viruses spread by attaching themselves to other executable code and programs to harm CPS devices and steal information.
− Worms: spread by exploiting operating system vulnerabilities to harm host networks, carrying payloads that steal, modify and delete data, or overload web servers (aside from Stuxnet, Flame and Duqu, e.g. Code Red/Code Red II (2001) [199], Nimda (2001) [200], Triton (2017) [201]).
− Rootkit: designed to remotely and covertly access or control a computer in order to execute files, access/steal information or modify system configurations (e.g. Moonlight Maze (1999) [202], and the Blackhole exploit kit (2012) [203]).
− Polymorphic Malware: constantly changes its identifiable features to evade detection, becoming unrecognizable to any pattern-matching detection technique.
− Spyware: malicious software covertly installed on a device without the user's knowledge or authorization, for spying purposes (e.g. surveillance, reconnaissance or scanning). It can also be used to prepare future cyber-attacks (e.g. ProjectSauron (2011) [204], Dark Caracal (2012) [205], Red October (2013) [107], WarriorPride (2014) [206], FinFisher (2014) [207], and COVID-19-themed spyware).
− Ransomware: malicious software that encrypts CPS data and holds it for ransom by exploiting CPS vulnerabilities, targeting oil refineries, power grids [208], manufacturing facilities and medical centers, and encrypting all data backups until a ransom has been paid. Prime examples are Siskey (2016), SamSam (2016), Locky (2016), Jigsaw (2016) [209], Hitler-Ransomware (2016) [210], WannaCry (2017), Petya (2017), Bad Rabbit (2017), Maze (2019) and Ekans (2020) [211–214].
• Side-Channel: based on information leaked by the implemented CPS, such as timing information, power consumption and electromagnetic emanations, that can be exploited.

For this reason, some of the most infamous cyber-attacks deserve mention (Table 2). For further details, the reader can refer to [139]. Do, Fillatre et al. [142] presented a much more detailed description of attacks going back to the 1980s. This paper, however, classifies attacks that occurred from 2000 onwards, based on, but not limited to, political, religious and criminal motives.
After reviewing the main CPS attacks, it is essential to assess their associated risks in order to design suitable counter-measures. In the next section, the risks associated with the different CPS security attacks are evaluated.

3.4. CPS failures

Given the different threats, attacks and vulnerabilities that the CPS domain suffers from, it is important to highlight the main failures that CPS suffer from. These failures can be either minor (limited damage) or major (severe damage). Further details can be found in Avizienis et al. [222], who presented a well-defined and detailed taxonomy in this regard.

• Content Failure: the content of the delivered information is inaccurate, which would result in some functional system failure. Content failure can be either numerical or non-numerical (i.e. alphabets, graphics, sounds or colours).
• Timing Failure: the timing of information delivery (transmission/reception) is delayed or interrupted (received/transmitted too early or too late). This would affect the decision-making process and may cause data management issues.
• Sensor Failure: the sensors are no longer functioning properly, which would seriously hinder the decision-making process through misinformation, or bring a CPS to a sudden halt. A case of this kind occurred in 2005 at the Taum Sauk Hydroelectric Power Station [216].
• Silent Failure: no message is sent or received in a distributed system (the service halts).
• Babbling Failure: the service keeps delivering, but erratically, e.g. messages sent at the wrong times or in excessive volume, causing the system to malfunction.
• Budget Failure: the cost of implementing a cyber-physical system outweighs the budget set, before the testing stage is ever reached. This is mainly caused by poor planning.
• Schedule Failure: the schedule set for planning, testing and evaluating a given CPS is not met, due to further upgrades, additional testing or inadequacy for users' needs.
• Service Failure: an error propagates through the service interface and affects the system's decision making or/and normal performance. This failure can cause either a partial or a full CPS failure, either temporarily or permanently.
• Consistent/Inconsistent Failures: a consistent failure occurs when the incorrect service is identically perceived by all CPS users. An inconsistent failure takes place when CPS users perceive the incorrect service differently (e.g. Bohrbugs, Mandelbugs, Heisenbugs and Byzantine failures) [223].

4. Evaluating risks

Evaluating risks is essential to assess the economic impact of an attack on any CPS before managing it. Such management is based on assessing and analysing the risk before mitigating it, then deploying the right security measures according to the level of severity and risk impact (see Fig. 4).

4.1. Risk identification & management

Risk management is implemented in order to identify, analyse, rank, evaluate, plan for and monitor any possible risk through risk assessment.

• Identifying Risks: identification is based on uncovering, recognising and describing risks that can negatively affect a project or its outcome [224].
• Analysing Risks: once risks are identified, their likelihood and consequence must be determined in order to understand the nature of each risk.
• Ranking Risks: risks are ranked according to their magnitude, which combines the likelihood of a risk and its consequence should it occur.
• Evaluating Risks: based on their ranks, risks are either deemed acceptable or require serious treatment and urgent attention.
• Planning Risk Responses: the highest-ranked risks are assessed so that they can be treated, modified and mitigated back to an acceptable risk level. Therefore, risk mitigation strategies are created, along with the deployment of preventive and contingency plans.
• Monitoring and Reviewing Risks: risks are constantly monitored, tracked and reviewed. In case of any suspicious activity, these risks are mitigated before any serious threat materialises.

4.2. Risk assessment

Risk assessment is implemented to minimize the impact of a given attack [225]. Risks are evaluated based on calculating the average loss in each occurring event [226]. Additionally,
Fig. 4. CPS risk evaluation.

several risk assessment methods, as well as various techniques to secure CPS, were reviewed in Ashibani and Mahmoud [25]. Since most studies focus on securing enterprise systems when assessing risks, security became an emerging issue that imposes a serious risk on CPS [227]. Lu et al. [228,229] presented an adequate risk assessment method; the main focus shifted from general risk assessment to Computer Risk Assessment (CRA) and then to Network Risk Assessment (NRA), with a heavy reliance on the internet [230]. Asset identification is also important: an asset is a resource of value, tangible or intangible, that affects daily transactions and services [231]. CPS assets can be divided into cyber assets, physical assets and cyber-physical assets. Finally, since asset quantification is estimated from both direct and indirect economic losses [232], it is important to determine the Asset Value (AV).

4.3. Risk impact

Risk is assessed based on its possible impact on CPS, which is divided into three main levels:

• High Impact: if the risk occurs, it can have devastating and damaging effects on CPS. This level is used to evaluate and mitigate advanced persistent threats [233].
• Medium Impact: if the risk occurs, the impact is less severe, but it still poses a serious threat to the CPS. It is used to evaluate and mitigate advanced threats [234].
• Low Impact: if the risk occurs, the impact is neither severe nor damaging; it is very limited and can be easily mitigated. It is used to evaluate and mitigate basic threats [235].

4.4. Risk mitigation

Risk mitigation requires the adoption and implementation of a well-built management strategy, in addition to cyber and physical security, in order to counter espionage, theft and terrorist attacks. Such a mitigation model also requires data security and protection, as well as anti-counterfeit and supply chain risk management [236]. These models should also be supported by forensic and recovery plans, which help in analysing cyber-attacks while coordinating and cooperating with the responsible agencies to identify external cyber-attack vectors [237]. Therefore, preventive, detective, repressive and corrective logical security measures can be adopted.
As a result, a qualitative risk assessment table is presented (see Table 3), where the exposure is Low (L), Moderate (M) or High (H), the risk level is Minor (Mi), Major (Ma) or Critical (Cr), and the security measures are Detective (D), Repressive (R), Preventive (P) and Corrective (C), respectively.
Table 3
Qualitative CPS risk assessment. Exposure is given for protected and unprotected systems; targeted security goals are Confidentiality (C), Integrity (I), Availability (A) and Authentication (Au), with "Yes" meaning the attack targets that goal.

Attack Type | Impact | Exposure (Protected) | Exposure (Unprotected) | Risk Level | Security Measures | Countermeasures | C | I | A | Au
Malware | High | L/M/H | H | Ma/Cr | D, P, C & R | IDS, Firewalls, Anti-Malware, Anti-Virus | Yes | Yes | No | Yes
Spyware | Moderate | M | H | Ma/Mi | D, P & R | Anti-Spyware, Defence in Depth | Yes | No | No | No
Ransomware | High | M/H | H | Ma/Cr | D, R & C | Honeypot, Verified Backup/Update, Lessons Learnt | Yes | Yes | Yes | Yes
Botnets | High | M/L | H | Ma | D, C & P | IDS, Anti-Malware | Yes | Yes | Yes | No
DoS/DDoS | High | H | H | Ma/Mi | D, P & R | Backups, Secondary Devices, IDS, Leverage to Clouds | No | No | Yes | No
Eavesdrop | Low | L | H | Mi | D & P | HTTPS/SSH Encryption, Personal Firewalls, VPNs [238] | Yes | No | No | No
Side-Channel | Moderate | M/L | H | Ma | D, P & R | Ultra-Low Power Processors, Faraday Cage, Obfuscating Timing/Power Information [239] | Yes | No | No | No
Zero-Day | High | H | H | Cr | D, C & R | Real-Time Threat Intelligence, Rapid Incident Response Teams, Constant Updates | Yes | Yes | Yes | Yes
Malicious Data Injection | Moderate | L | H | Ma | D, P & C | Hybrid IDS, ML, BYOD Policy [240] | Yes | Yes | No | No
Social Engineering | Low | L | M/H | Mi | D & P | Employee Training & Awareness | Yes | Yes | No | No
Phishing | Moderate | L | H | Ma | D & P | IDS, Anti-Phishing Software/Training | Yes | Yes | No | No
Password Cracking | Moderate | L | M | Ma | P & C | Password Policy, Periodic Password Changing | Yes | Yes | No | Yes
Replay | Low | L | M | Mi | D & P | Timestamp, Filtering, Random Session Keying | No | No | Yes | No
XSS | High | L | H | Cr | D & P | Validate & Sanitize User Input | Yes | Yes | No | Yes
SQLi | Moderate | L | H | Ma/Mi | D, C & P | Least Privilege, Strong Code, Whitelisting | Yes | Yes | Yes | No
4.4.1. Attack cost & impact

The cost of security attacks can take many forms, and the main ones are highlighted as follows:

• Delays: CPS systems may be prone to service delays, which may affect their performance and render them inactive (blackout, burnout) until the issue is sorted either through maintenance or backup.

• Affected Performance: system delays due to a malicious (cyber-attack) or non-malicious (accident) event can gradually affect the CPS performance and cause it to operate in an abnormal manner, which can seriously affect the decision-making process.

• Cascading Failures: such as sensor failures, software bugs or nuclear power plant overheating, which can cause environmental catastrophes such as the case of Chernobyl (1986) and Fukushima (2011), the natural gas pipeline explosion in Belgium (2004), the series of TransCanada Corporation's natural gas leakages and explosions in Canada (between 2000 and 2018) [241], as well as similar incidents in the US [242], Mexico, China and other countries, oil spills, water pipeline incidents, flooding, blackouts, and so on.

• Financial Losses: malware attacks such as ransomware (e.g. the Ekans/Snake malware) targeting Industrial Control Systems (ICS) can lead to a huge loss of information beyond recovery if the backup is not maintained, or if the ransom is not paid. This leads to huge financial losses over the short and long terms, especially if the information is deleted beyond recovery. CPS systems might take months and even years to recover.

• Additional Spending: may be required to tackle advanced persistent threat attempts and zero-day attacks, which require additional spending in terms of security protection in a defense-in-depth manner.

• Loss of Life: can be the result of flooding, radioactivity, fire or electric shock due to hazardous or intentional acts.

• Disclosure of Information: can affect CPS businesses and business trades and put the privacy of users at risk of having their personal information exposed.

Before proceeding any further, it is important to classify CPS components as critical, moderate and non-critical, to identify the risk of an event occurrence (malicious/hazard) along with its impact, in order to define the proper security measures (basic, standard or advanced), as seen in Fig. 5.

While adopting all possible security measures might be costly in all terms (i.e. complexity, financial cost, delay, etc.), risk management is key for selecting the convenient security solutions. In the next section, the different security solutions proposed to defend against the security issues are reviewed. While these security solutions aim at preventing, detecting or correcting system damage, CPS forensics aim at knowing the causes of system issues, which helps in reducing and preventing future attacks. Thus, the main CPS forensics solutions are also reviewed.
Fig. 5. CPS component classification & protection.

Fig. 6. Targeting CPS security goals.
5. Securing CPS

Securing CPS is not a straightforward task. For this reason, various existing solutions are mentioned and discussed in this section. Already existing testing tools are also introduced. All of these schemes are presented to protect CPS domains against attacks that target the confidentiality, integrity, availability, authentication and privacy of both data and systems, as seen in Fig. 6.

5.1. CPS security requirements

According to National Institute of Standards and Technology (NIST) guidelines [243,244], ensuring trust between IoT and CPS should rest on multiple factors. This is due to both IoT and CPS systems relying on safety, security, privacy, consistency, dependability, resiliency, reliability, interaction and coordination, all of which are combined to form a well-designed and trustworthy system. If this condition is satisfied, a perfect CPS mechanism is achieved. As a result, several CPS testing tools were used to evaluate the security of Industrial Control devices upon their development (see Table 4). For further details, these tools are explained in Zhao et al. [245]. Moreover, several security certifications are also discussed, reviewed, analysed and compared according to their different aspects [245] (see Table 5).

Table 4
CPS testing tools.

| Tool | Origin / Nature | Description |
|---|---|---|
| Achilles [246] | uniquely designed for embedded and industrial control devices | uses Wurldtech proprietary fuzzing algorithms to generate tests of known and unknown vulnerabilities, provides the analysis of the attack impact, monitors the whole system |
| BreakingPoint [247] | designed as the industry's first cyber tomography machine | a 4 RU rack-mountable, modular system that accurately recreates a live network environment and identifies network devices' "Breaking-Points". It measures and hardens the resiliency of CI components against crippling attacks |
| beSTORM [248] | automated tool | programmed to make an exhaustive search of all possible input combinations, tests any product for potential weaknesses |
| Codenomicon Defensics [249] | a specialized fuzzing tool which supports the security of industrial protocols | sends to the system invalid or unexpected inputs that expose software defects and vulnerabilities, ensures a broader test coverage, can be used to test digital media, wireless infrastructures and network protocols. Easy integration. Proactive testing. Integrated online documentation |
| Mu-8000 [250] | Mu Studio Security, built on a powerful automation platform that provides extensive automation, monitors hardware/software-based restarters, and reports capabilities | consists of four types of tests, Protocol Mutation Tests including DNP3, IEC 61850, MMS, and MODBUS/TCP industrial protocols, generates test case packets containing protocol mutations; secure targets handle them successfully, non-secure targets might respond abnormally |
| Peach [251] | Smart Fuzzing tool that performs generation and mutation based fuzzing | requires the creation of PeachPit files to define the structure and type of information in the data to be fuzzed, allows the configuration of a fuzzing run including data transport and interface logging |
| Sulley [252] | a fuzzer development and fuzz testing framework | consists of multiple extensible components; it also supports ICCP, Modbus and DNP3 fuzzing modules |
| SPIKE [253] | designed to focus on finding exploitable bugs | a fuzzer creation kit; it provides an API to allow users to create their own fuzzer for network based protocols, allows the use of the C programming language |

Table 5
CPS security certifications.

| Certification name | Levels | Description |
|---|---|---|
| WST Achilles Certification [246] | 1 | includes basic testing of Layer 2–4 Industrial Protocols |
| | 2 | includes in-depth testing of Layer 2–4 Industrial Protocols |
| Exida Certification [254] | N/A | includes three main types which are functional safety, functional integrity, and cyber security |
| ISASecure EDSA Certification [255] | N/A | consists of Functional security assessment (FSA), Software development security assessment (SDSA), and Communication robustness testing (CRT) |
| MuDynamics MUSIC Certification [250] | Foundation | includes various protocols such as ARP, IPv4, TCP, UDP, and IEEE 802.1p/Q |
| | Advanced | includes various protocols such as DNP3, FTP, HTTP, MODBUS/TCP, and Telnet |

In the following, the main CPS security requirements are defined and discussed.

• Privacy: In CPS, a huge data collection process is constantly taking place, and this is what most people are not aware of [256,257]. Therefore, a person has the right to access his own data, along with being given the right to know what type of data is being collected about them by data collectors, and to whom these data are being given or sold. However, this also requires preventing illegal/unauthorised access to the user's personal data and their information disclosure [258,259].

• Dependability: Intelligent Physical World (IPW) ensures that the CPS adaptive behaviour is achieved to bring a higher dependability and ensure the right Quality of Service (QoS) through the adoption of fault-tolerance mechanisms in a timely manner. Dependability includes two other qualities, safety and reliability. Safety is often an objective defined in terms of the organisation's goals [243]. This is due to the negative impact of cyber-security risks, where vulnerabilities can be compromised and exploited by a hacker, or due to CPS failure. Hence, safety is of high concern for IoT, CPS and Internet of Cyber-Physical Things (IoCPT) users alike. Reliability, meanwhile, is based on the ability to adapt to changing conditions to overcome and recover from any possible disruption, whether caused by cyber and/or physical attacks led by adversaries or by natural disasters [243].
Physical systems rely on timing and proper functionality. However, in case of any possible mismatch, unreliability and uncertainty can cause problems and disruptions for CPS services. Therefore, maintaining a high reliability requires reducing the uncertainty levels. In fact, it is also recommended to implement error-correction algorithms to compensate for the imperfect reliability of electronic components [260]. As a result, Rajamäki et al. [260] stated that CPS behaviour can be made predictable through the implementation and use of artificial intelligence and/or Machine Learning (ML) schemes. This allows the prediction of the so-called "next-time system state".

• Resiliency: CPS must be resilient to overcome accidents and malicious attacks. Therefore, CPS logical and physical systems are prone to cyber security vulnerabilities from a security aspect. This included the demonstration of the CarShark software tools that control a car in Koscher et al. [133], along with the successful design of a virus in 2010 which attacked Siemens plant-control systems [261], along with how hackers broke into
the United States Federal Aviation Administration (US FAA) air traffic control system in 2009 [262]. Resiliency is achieved by each CPS component in a Base Architecture (BA) presented in Rajhans et al. [263], where each communication and physical connection path between elements is granted access by the BA's connectors. This requires the BA system to know and identify every possible path, while overcoming any connection disruption. Moreover, in case the elements were inconsistent, a multi-view editor will be deployed to make corrections.

• Interaction and Coordination: are essential to maintain an all-time operational CPS security. In [58], Hu et al. stated that CPS interaction and coordination between cyber and physical system elements are a key aspect. In fact, the main physical world characteristics are based on the constant system change over time. However, the cyber world characteristics are based on sequence series with no temporal semantics. Moreover, two basic approaches are presented to study and analyse this problem. These approaches are based on "cyberizing" the physical (CtP) through the introduction of cyber-properties and interfaces into physical systems, and "physicalizing" the cyber (PtC), where cyber-software components are to be represented in real-time [264].

• Operational Security (OpSec): Operational Security (OpSec) was introduced in 1988 to ensure physical security, information security, and personnel security [265] through careful planning, risk assessment and risk management [266]. Its primary task is to ensure operational effectiveness by denying any adversary access to public/private information; hence controlling information and observable actions about a given cyber-physical system, especially in hostile environments/areas [265]. One of its key benefits is providing means to develop cost-effective security measures to overcome a given threat. To achieve this task, OPSEC involves five main steps:

− Critical Information Identification: includes identifying which information, if targeted, can effectively degrade a CPS's operational effectiveness or place its potential organizational success at risk, and developing an initial plan to protect it.

− Threat Analysis: includes determining an adversary's potential and capabilities to gather, process, analyze, and use the needed information.

− Vulnerability Analysis: includes studying the weaknesses of a given cyber-physical system and the strengths of an adversary, thus building a possible view over how a potential adversary might exploit this security gap to perform a security breach.

− Risk Assessment: risks are assessed based on the threat and vulnerability levels combined, depending on how high or how low these levels are. Risk assessment levels include evaluating the cost of implementing the right security measures by ensuring a trade-off between the effective cost and benefit balance.

− Appropriate Application of Countermeasures: once the trade-off is achieved in the earlier phase, the appropriate countermeasures are then developed to offer the best protection of CPS against these ongoing threats in terms of feasibility, cost, and effectiveness.

• System Hardening: System hardening can be used to defend against a wider range of threats. Therefore, it is highly recommended to isolate critical applications that lack the proper security measures from any OS that is not trusted, in order to boost the IoCPT and CPT security. In [267], Shepherd et al. analysed different trust-computing technologies along with their applications in the CPS domain. According to [268], such analysis included a Trusted Platform Module (TPM), Trusted Execution Environments (TEE), Secure Elements (SE), and Encrypted Execution Environment (E3), to increase the OS's integrity. Moreover, the authors' work in Almohri et al. [269] has successfully achieved a higher security level in the presence of untrustworthy components. This allowed the improvement of CPS by enhancing the system's integrity. However, if the graph-based optimization was combined with parameters, it can provide a reasoning basis to ensure an overall system integrity [270]. Therefore, it is essential to set the right privileges (task-based, role-based, rule-based, etc.) and strong password complexity policies in order to enhance the security level. Moreover, this also includes getting rid of old unused accounts and open yet unused ports to reduce the exposure to remote wireless attacks. As a result, the CPS nature must be considered before achieving any design. In [136], Mo et al. presented a Cyber-Physical security approach by combining systems-theoretic with Cyber-Physical security controls.

5.2. CPS security challenges

The adoption of security measures has many benefits when it comes to protecting CPS components, layers and domains. However, despite these advantages, CPS systems are impacted by the application of these security measures, which can be summarized as follows:

• Reduced Performance: security measures can partially or fully affect the performance of a given CPS, in the absence of careful consideration for a balanced security-performance trade-off. This can affect normal operations and requires more human interventions to manually assign services and domains.

• Higher Power Consumption: is a serious issue, especially for resource-constrained and battery-limited CPS end devices. A higher power consumption means a shorter lifespan and a higher cost to maintain their availability.

• Transmission Delays: transmitted/received data is prone to delays due to the additional encryption process that is being added to thwart passive/active eavesdropping and sniffing attacks. Despite the protective advantage that it offers, this is unacceptable in real-time CPS systems.

• Higher Cost: higher security levels are associated with higher computational costs, which are not limited to the initial capital spending phase, but also include training, update, and operational phases.

• Compatibility Issues: some CPS systems are not compatible with the employed security measures and vice versa. This can be due to the software in use, firmware, Operating System, etc.

• Operational Security Delays: upon the deployment of any security service, there is a training phase that precedes the full operational security mode, and during which the service is temporarily ineffective or basic and thus prone to attacks.

5.3. CPS security solutions

Maintaining a secure CPS environment is not an easy task due to the constant increase of challenges, integration issues and limitations of the existing solutions, including the lack of security, privacy and accuracy. Nonetheless, this can be mitigated through different means including cryptographic and non-cryptographic solutions, as seen in Fig. 7.

5.3.1. CPS criticality

CPS systems can be divided into four main types based on the aspect of their criticality:

• Safety Critical: in such a CPS type, an attack can lead to loss of life or to chronic deadly diseases, with significant damage to the environment such as fire, floods and radioactivity incidents (e.g. Chernobyl in 1986 and Fukushima in 2011) [271,272].
Fig. 7. Protecting CPS layers, components & personnel.

• Mission Critical: for this type of CPS, an attack can result in a fatal/non-fatal, total/partial failure of a CPS to achieve its objectives [273].

• Business Critical: in such a CPS type, an attack can result in huge financial and economic losses, damaged reputation and loss of CPS contractors and clients.

• Security Critical: for this type of CPS, an attack can result in a security breach of the cyber-physical system (security gap, exploitable vulnerability, rootkits, backdoors, etc.).

5.3.2. Cryptographic-based solutions

Cryptographic measures are mainly employed to secure the communication channel from active/passive attacks, along with any unauthorized access and interception, especially in SCADA systems [274]. In fact, traditional cryptography approaches based on utilizing ciphers and hash functions are not easily applied to CPS, including IoCPT, due to power and size constraints. As a result, the focus should not be limited to data security alone; it should also maintain and ensure the efficiency of the overall system process. Therefore, various solutions were presented. In [23], Kocabas et al. conducted their own survey dedicated to conventional and emerging encryption schemes which could be employed to offer secure data storage and sharing. In [24], Lai et al. reviewed and discussed prominent cryptographic authentication and encryption methods [275] to secure Distributed Energy Resources (DER) systems, while providing recommendations on applying cryptography to DER systems. In [276], Ding et al. presented an overview of recent advances on security control and attack detection of industrial CPS, especially against denial-of-service, replay, and deception attacks. In [15], Sklavos et al. presented a tutorial that discusses the implementation efficiency of communications confidentiality, user authentication, data integrity and services availability, along with attacks and modern threats and their countermeasures.

Many solutions were presented to maintain a secure CPS environment by fulfilling its main security goals. In [277], Adam et al. presented a novel framework to understand cyber-attacks and CPS risks. Their framework offers a novel approach to ensure a comprehensive study of CPS attack elements, including the attacker and his objectives, cyber exploitation, control-theoretic and physical system properties. In [232], Stouffer et al. provided a comprehensive ICS security guideline that is related to technical controls including Intrusion Detection Systems (IDS), Access Controls (AC), firewalls, and operational controls including training, awareness and personnel security. In [97], security experts were able to gain the employees' credentials due to their lack of awareness and training, using phishing and social engineering techniques through a simulated attack. In [34], Sommestad et al. conducted a keyword mining comparison, and concluded that the main focus was either on operational controls, or technical controls only. In [278], Sharma et al. presented a novel multi-level Network Security Evaluation Scheme (NSES) that represents five different levels of security, therefore providing a holistic view over whether NSES is suitable for Wireless Sensor Networks (WSN) security for IoT/CPS/IoCPT applications. NSES offers recommendations for network administrators in early design phases to achieve the right security needs. As a result, this paper classifies these solutions in terms of their fulfilling one of the following security goals:

• Confidentiality: securing CPS communication lines is essential. As a result, various cryptographic solutions were presented. In [279], the authors presented a solution based on the use
of compression techniques before being encrypted. Their solution reduces the overhead and mitigates the problem. Since then, lightweight cryptography has become the centre of attention, with various lightweight block ciphers being presented by different authors, including an ultra-lightweight block cipher by Bogdanov et al. [280] and a low-latency block cipher for pervasive computing applications [281]. This was due to their low cost and low latency, with the ability to provide cryptographic blocks for any resource-constrained, normal, industrial, or even medical devices. In [282], Shahzad et al. suggested the installation of encryption-decryption modules at both ends of non-secure Modbus communication to protect its connection from confidentiality attacks, thus requiring an additional overhead to convert plaintexts into ciphertexts and vice versa. In [283], the American Gas Association (AGA) presented its AGA-12 standard to provide "bump-in-the-wire" encryption services for CPS, but at the expense of a large latency overhead [284]. In [285], Vegh et al. described a hierarchical cryptosystem method obtained through the ElGamal algorithm that protects CPS communications. To fix decryption issues, the WSO2 Complex Event Processor (WSO2-CEP) was presented in Jayasekara et al. [286] and Perera et al. [287] and used to sort different challenges. Results confirm the ability to ensure confidentiality, privacy and availability in a secure and reliable CPS environment.
In [288], Zhou et al. presented a novel lightweight encryption scheme for real-time requirements in CPS including Vehicular ad hoc networks (VANETs) [289,290]. Results revealed that this scheme is secure, reliable and efficient. In [291], He et al. presented a Lightweight Attribute Based Encryption Scheme (LABE) for mobile cloud-assisted CPS. Security analysis revealed that LABE is secure with fine-grained access control and user revocation capability, with low overhead. In [292], Zhao et al. presented a new architecture called Secure Pub-Sub (SPS) that is based on blockchain. Hybrid encryption was used to ensure data confidentiality, therefore ensuring data confidentiality and reliability, while achieving anonymity of subscribers and payment fairness between subscribers and publishers. In [293], Sepulveda et al. presented a feasible post-quantum enhanced Datagram Transport Layer Security (DTLS) by using Public Key Cryptography (PKC) based on traditional Elliptic Curves (ECC) to secure communication channels between different parties.

• Integrity: maintaining the integrity of CPS devices requires preventing any physical or logical modification of incoming/outgoing real-time data. Hence, different solutions are presented. In [294], Omkar et al. addressed the problems of software reconfiguration and network attacks on ICS through the description of their presented approach called Trustworthy Autonomic Interface Guardian Architecture (TAIGA). TAIGA offers protection against the attacks that originate from both supervisory and plant control nodes, whilst integrating a trusted safety-preserving backup controller. In [295], Tiago et al. introduced the Shadow Security Unit "SSU" as a low-cost device used in parallel with a PLC or Remote Terminal Unit (RTU) to secure SCADA systems [296].
SSU is complementary to the existing SIEM architectures, and it can transparently intercept its communication control channels along with its physical process Input/Output lines to constantly assess both the security and operational status of a PLC or RTU. Another approach was also presented in Ghaleb et al. [297], by Asem et al., to overcome MITM, replay and command modification attacks by providing an encryption level for the transferred packets, along with the use of hardware cipher models. In [298], Cao et al. presented a layered approach with the aim of protecting sensitive data. Their techniques relied on hash chains that provide a layered protection for both high and low security level zones, along with a lightweight key management mechanism, thus preventing attackers from intercepting data from a higher security level zone. Therefore, ICS application vendors should work on releasing compatible versions of their applications to ensure that ICS operators will not resort to older versions of vulnerable OS [22].

• Availability: maintaining the availability of CPS devices is a must. Hence, different solutions are presented to mitigate and overcome availability issues. For this reason, the Tennessee-Eastman Process Control System (TE-PCS) model is used to test integrity and DoS attacks [299]. Upon testing, this model reveals how DoS attacks are ineffective against sensor networks, thus requesting to prioritize security defences against integrity attacks due to their effectiveness over DoS attacks [300]. In [39], Gao et al. designed and presented the network ICS testbed based on Emulation, Physical, and Simulation (EPS-ICS testbed) as a control process for corporate and SCADA network emulations through the use of PLCs, RTUs, and DCS controllers to interact with the process. In [301], Thiago et al. combined an open source PLC with a machine learning-based IPS design to secure the OpenPLC version and render it immune against a wide range of attacks. Their presented approach revealed the ineffectiveness of interception, injection and denial of service attacks, along with the ability of their OpenPLC project to overcome man-in-the-middle attacks through data encryption, without interfering with its own real-time characteristics.

• Authentication: authentication is the first line of defense that should be well-built, designed and maintained [259,302–304]. As a result, in Halperin et al. [130], the authors presented a public key-exchange authentication mechanism to prevent unauthorized parties from gaining access. Their mechanism relies on external radio frequency rather than batteries as an energy source. In fact, out-of-band authentication was deployed in certain wearable devices, where the authentication mechanism uses additional channels including audio and visual channels [73]. On the other hand, Medical CPS (MCPS) biometrics, including mainly heart rates and blood pressure [305], can possibly be used to generate a key to encrypt and secure the body sensor network communication [73]. In [306], Ankarali et al. presented a physical layer authentication technique which relies on pre-equalization. In [307], Ibrokhimov et al. presented five high-level feature categories of user authentication in the gadget-free world, including security, privacy, and usability aspects.
In [308], Chen et al. presented an authentication scheme that applies the Authenticated Identity-Based Cryptography Without Key-Escrow (AIBCwKE) mechanism to protect users' privacy and property from illegal attacks on Machine-to-Machine (M2M) communications, making it secure and suitable for safe sessions between mobile devices with an acceptable overhead. In [309], Haroon et al. detailed how recent versions of PLCs (2016) are prone to various vulnerabilities, especially password-based mechanisms. The authors revealed that passwords stored in a PLC memory can be intercepted and cracked, thus allowing them to carry out advanced attacks including replay attacks and memory corruption attacks. In [310], Choi et al. presented an ICS-specific key management solution with no delays.

• Privacy Preserving: preserving the privacy of users' big data is not an easy task. As a result, various privacy preserving techniques were presented to solve this issue, including differential privacy and homomorphic encryption.

− Differential Privacy: limits the disclosure of private real-time big data and information during its transmission. In [311], Keshk et al. studied the role of feature reduction along with privacy protection levels using Independent Component Analysis (ICA) as a technique on big power CPS data. Results
revealed that ICA is more secure without breaching confidential data and offers a better privacy preservation and data utility. In [312], J. Feng et al. presented a lightweight privacy-preserving high-order Bi-Lanczos scheme in an integrated edge-fog-cloud architectural paradigm for big data processing. Users' privacy is achieved using a homomorphic cryptosystem, while computation overheads are offloaded using privacy-preserving tensor protocols. In [313], Ye et al. presented a secure and efficient outsourcing Differential Privacy (DP) scheme to solve the issue of data providers being vulnerable to privacy attacks. In [314], Zhang et al. presented a practical lightweight identity-based proxy-oriented outsourcing with public auditing scheme in cloud-based MCPS, using elliptic curve cryptography to achieve a storage correctness guarantee and a proxy-oriented privacy-preserving property.

− Homomorphic Encryption: for a better data confidentiality and privacy protection, homomorphic encryption techniques were adopted. In [315], Zhang et al. presented a Secure Estimation based on Kalman Filtering (SEKF) using a multiplicative homomorphic encryption scheme with a modified decryption algorithm to reduce network overhead and enhance the confidentiality of the communicated data. In [316], Kim et al. presented a fully homomorphic encryption (FHE) scheme as an advanced cryptographic scheme to directly enable arithmetic operations on the encrypted variables without decryption. Moreover, a tree-based computation of sequential matrix multiplication is introduced to slow down the decrease of the lifespan. In [317], Min et al. presented a parallel fully homomorphic encryption algorithm that supports floating-point numbers to achieve efficient ciphertext operations without decryption. Results revealed its ability to handle limited application problems while meeting the efficient homomorphic encryption requirements in a cloud computing environment.

5.3.3. Non-cryptographic-based solutions

Many non-cryptographic solutions were also presented to mitigate and eliminate any possible cyber-attack or malicious event. This was done by implementing Intrusion Detection Systems (IDS),

Fig. 8. IDS structure.

• Intrusion Detection System Placement: IDS can be placed at the border router of any given IoT network, in one or many given hosts, or in every physical object to ensure the required detection of attacks. Simultaneously, IDS may generate a communication overhead between the LLN (Low Power Lossy Networks) nodes and the border router due to the IDS ability to frequently query the network state. In fact, Zarpelão et al. [326] described three main IDS placement strategies (see Fig. 8):

− Distributed IDS: D-IDSs are employed in every physical LLN object, whilst being optimized in each resource-constrained node. Therefore, a lightweight distributed IDS was presented. In [327], Oh et al. identified a lightweight algorithm matching the attack signatures and the packet payloads, while suggesting other techniques that require fewer matching numbers to detect any possible attack. In [328], Lee et al. suggested their own lightweight method that allows them to monitor a node's energy consumption by assigning nodes to monitor their neighbours in the distributed placement. These
firewalls and honeypots. As a result, various solutions presented by nodes are defined as “watchdogs”. In [329], Cervantes
various authors are mentioned and discussed. et al., presented a solution called “Intrusion detection of
Sinkhole attacks on IPv6 over Low -Power Wireless Per-
• Intrusion Detection Systems Various IDS methodology types sonal Area Networks (6LoWPAN) for IoT” (INTI), which
are available due to the availability of different network con- combines their concepts of trust and reputation with the
figurations [318]. Each IDS methodology is characterised by watchdogs nodes to mainly detect and mitigate sinkhole
its own advantages and drawbacks when it comes to detec- attacks. This included the node’s role possibly changing
tion, configuration, cost, and their placement in the network. every time a network is reconfigured or an attack event
In [268], Almohri et al. stated that various research activities has occurred.
were implemented to detect attacks against the CPS. These at- − Centralized IDS: C-IDS is mainly deployed in central-
tacks are split into two main models. Physics-Based model, ized components. This allows all data to be gathered
which defines normal CPS operations in CPS through anomaly and transmitted by the LLN to the Internet across the
detection. Cyber-Based model which is used in order to rec- border. Therefore, Centralised IDS can analyse all of the
ognize potential attacks as listed in Shu et al. [319], Xu et al. exchanged traffic between the LLN and the Internet. In
[320]. In fact, existing approaches were mainly designed to fact, it is not enough to only detect attacks involving
detect specific attacks against specific applications, including nodes within the LLN, since it is difficult to monitor
Unmanned Aerial Vehicles (UAV) [321], Industrial Control Pro- each node during an occurring attack [330]. In [331],
cesses [322], and smart grids [323]. In [324], Zimmer et al. ex- Cho et al. presented their solution which is based on
ploited the possibility of a worst case execution time, through analysing all the packets that pass through the border
obtaining information using a static application analysis in or- router between physical and network domains. However,
der to detect malicious code injection attacks in CPS. In [325], the main task is based on how to overcome a botnet at-
Mitchell et al. analysed a behaviour-rule specification-based tack. In [332,333], Kasinathan et al. deployed a central-
technique to employ IDS mainly in Medical CPS. The authors ized placement that allows them to take into considera-
also presented the transformation of behaviour rules in a state tion the possibility of overcoming DoS attacks, where in
machine, which can detect any suspicious deviation initiated case of a DoS attack, the IDS data transmission would not
from any medical device behaviour specification. be affected. In [334], Wallgren et al. employed their cen-
J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201 19

tralized approach which is placed in the border router to sented a signature-based IDS that employs an “Artificial
detect the attacks that target the physical domain. Immune System” (AIS) mechanism with detectors being
− Hybrid IDS: H-IDS utilizes both concepts of centralized modelled as immune cells with an ability to classify any
and distributed placements, by combining their advan- datagram as malicious or non-malicious according to the
tages and overcoming their drawbacks. The initial ap- matching signature. Such approach can evolve into the
proach allows the network to be organised into clusters adaptation ability new conditions in new environments
with the main node of each cluster being able to host that are being monitored. In [332], Kasinathan et al. in-
an IDS instance before taking the responsibility for mon- tegrated a signature-based IDS into the network frame-
itoring other neighbouring nodes. Therefore, Hybrid IDS work, with the objective of being able to detect DoS
placements can be designed in order to consume more Attacks against 6LoWPAN-based networks. This IDS was
resources than a distributed IDS placement. implemented through the adaptation of “Suricata4” used
In [335], Le et al. followed the same approach, through for 6LoWPAN networks, with the main objective of re-
the use of a hybrid placement using a relatively small ducing the false alarm rate. In [333], Kasinathan et al.
number of “watchdogs” nodes covering the network. This presented a signature-based approach as an extension of
offered them the ability to sniff the communication of its their presented approach in Kasinathan et al. [332].
surrounding neighbours in order to indicate whether a − Behaviour Based: Behaviour Based can be classified as
node was compromised or not. Therefore, reducing the a set of rules and thresholds implemented to define the
communication overhead. In [336], Le et al. also man- expected behaviour of the network’s components includ-
aged to organize the network into smaller clusters with ing both nodes and protocols. This approach is capable
a cluster head for each, using the same number of nodes. of detecting any intrusion as soon as the network be-
This allowed an IDS instance to be placed in each clus- haviour deviates from its original behaviour. Behaviour-
ter head, with each cluster member reporting its own based acts in the same way as the Anomaly-based de-
related information and other neighbours related infor- tection with a slight difference from specification-based
mation to the cluster head. In the second approach, IDS systems where a human expert is needed to manu-
modules were placed in, both the border router and ally define each specification rule. Thus, providing a
other network nodes with the presence of a central lower false-positive rate than the anomaly based detec-
component. In [337], Raza et al. presented their own tion [343,344]. Therefore, there will be no need for any
IDS named as SVELTE, where the border router hosts training phase, since they are implemented to operate
are given the task of processing intensive IDS modules instantly. However, such an approach is not fit for all
that are responsible for detecting any intrusion attempt scenarios, and may become time consuming and error
by analysing the Routing Protocol Low-power and Lossy prone. In [345], Misra et al. presented their new ap-
device’s (RPL) network data. Based on Pongle et al.’s proach to protect the IoT middleware from DDoS attacks,
work [338], network nodes were responsible for any de- by triggering an alert whenever the request number ex-
tectable changes in their neighbourhood. Moreover, net- ceeds the threshold line. In [335], Le et al. presented a
work nodes were also responsible for sending informa- different specification-based approach, aimed at detect-
tion about their surrounding neighbours to their cen- ing RPL attacks [346], by specifying the RPL behaviour
tralized module which is deployed in the border router through network monitoring operation and malicious ac-
having the main assigned responsibility of storing and tion detection.
analysing data. Thus, making it easier to detect and in- In [336], Le et al.’s work was extended. Their experimen-
trusion while identifying attacks in their early stages. tation resulted in a high true-positive rate, where false
In [339], Thanigaivelan et al. presented an IDS, which positive rates were low throughout their experimenta-
allocates different responsibilities to the network nodes tion, whilst also causing an energy overhead compared
and also to the router’s border. Thus, ensuring a coopera- to a typical RPL network as stated in Zarpelão et al.
tive combined work amongst them, with the IDS module [326]. In [347], Amaral et al. presented a specification-
monitoring neighbouring nodes, detecting any intrusion based IDS that grants the network administrator the abil-
attempt, and sending notifications to the IDS modules. ity to create and maintain rules in order to detect any
• Intrusion Detection Methods: The four main IDS methods potential attack. Whenever the rule is violated, the IDS
are signature-based, anomaly-based, behaviour-based and would right away send an alert to the Event Manage-
hybrid based. In fact in Zarpelão et al. [326], these meth- ment System (EMS) that correlates these alerts for dif-
ods were presented, while testing methods and techniques ferent available nodes in a given network. The success
were classified into five main categories, depending on their of Misra et al. [345] and Amaral et al. [347] approaches
detection mechanism. highly relied on the expertise of the network admin-
− Signature Based: Such a detection technique is very fast istrator, as well as his experience and skills combined.
and easy to configure. However, it is only effective for Therefore, in case of any wrong specifications, it will
detecting known threats. Thus, showing a high weak- cause an excessively high false-positive rate and/or a
ness against unknown threats mainly polymorphic mal- high false-negative rate, leading to a possibly serious risk
wares and crypting services. Despite its limited capabil- that threatens the network’s security.
ity, Signature Based IDS is very accurate, and also very − Anomaly Based: This type compares system’s activities
effective at detecting known threats, with an easy way instantly with the ability to generate an alert whenever
to understand mechanism. However, this approach is in- a deviation from normal behaviour is detected. How-
effective against the detection of both new and vari- ever, such a detection method suffers from a high false
ants of known attacks, due to their matching signature positive rate [343,348,349]. In [331], Cho et al. pre-
remaining unknown, and constantly updating its signa- sented a botnet detection scheme using the anomaly-
ture patches [340,341]. In [327], Oh et al.’s aimed to re- based method, by computing an average for each three
duce the computational cost by comparing attack sig- metrics composing the normal behaviour profile. This
natures and packet payloads. In [342], Liu et al. pre- was achieved before the system monitors the network’s
traffic and raises the alert whenever a metric violates the already computed averages. In [350], Gupta et al. presented their own architecture for a wireless IDS, applying the necessary Computational Intelligence algorithms to construct a normal behaviour profile. Moreover, a distinct normal behaviour profile is implemented for each different IP address being assigned. In [328], Lee et al. suggested that energy consumption should be classified as a parameter to be used in analyzing each node's behaviour. Thus, a regular energy consumption model is defined for each mesh-under routing scheme and route-over routing scheme, where each node will monitor its own energy consumption. In case the node deviates, the IDS classifies the node as malicious and removes it.

In [351], Summerville et al. successfully managed to develop a deep-packet anomaly detection approach designed to run on resource-constrained IoT devices, by using a bit-pattern matching technique which performs feature selection. In their experimental evaluation, they used internet-enabled devices against four main attack types (including SQLi, worms, etc.), and results have shown low false-positive rates. In [339], Thanigaivelan et al. successfully introduced an IoT distributed internal anomaly detection system that monitors the node's data rate and packet size. Moreover, Pongle and Chavan [338] presented an IDS that is designed specifically to detect wormhole attacks in IoT devices, in addition to presenting three main algorithms to detect network anomalies. As a result, their experiment revealed that the system achieved a true-positive rate of 94% when tested against wormhole detection, whilst scoring 87% when it came to detecting both the attack and the attacker launching it. In [352], K. Demertzis et al. presented an advanced Spiking One-Class Anomaly Detection Framework (SOCCADF) based on the evolving Spiking Neural Network algorithm. This algorithm implements a one-class classification methodology in an innovative applicable way, due to it being exclusively trained with data to characterise normal ICS operations. Moreover, this algorithm can detect any divergence in behaviours and abnormalities that are associated with APT attacks. The authors stated that SOCCADF is highly suitable for difficult problems and applications with a huge amount of data. According to their results, the authors stated that SOCCADF has better performance at a very fast learning speed, with higher accuracy, reliability, and efficiency, and it outperforms the other approaches.

− Radio-Frequency Based: In [353], Stone et al. presented a radio-frequency-based anomaly detection method for programmable logic controllers in the critical infrastructure [354]. Their experimental results have demonstrated that the use of a single collected waveform response provides sufficient separability to enable the differentiation between anomalous and normal operational conditions. However, in case of using a multi-time-domain waveform response, their performance significantly degrades. To solve this problem, the authors presented an anomaly detection method based on RF fingerprint features retrieved from the waveform amplitude, phase, and frequency response to ensure a qualitative differentiation between anomalous and normal operating conditions.

In [355], Stone et al. also presented an RF-based methodology to detect anomalous programmable logic controller behaviours with a superior time-domain RF emissions performance. The Cincinnati Bell Any Distance (CBAD) approach reached a Threat Agent Detection and Response (TADR) detection rate higher than the 90% benchmark, realised at a signal-to-noise ratio (SNR) higher than or equal to 0 dB. Despite these results, this approach is prone to RF noise, signal degradation and coding loops. In [356], Stephen et al. presented a timing-based side-channel analysis technique to help control system operators in detecting any modification of firmware and ladder logic programs in programmable logic controllers. This approach allows a field device to be fingerprinted upon deployment to create a baseline fingerprint. Various fingerprints of the device are then taken and compared to the baseline in order to detect and alert operators of both intentional and unintentional modifications in programmable logic controllers.

− Hybrid Based: it combines specification-based, signature-based and anomaly-based detection techniques in order to maximize their advantages whilst minimizing their drawbacks. In [337], Raza et al. presented a hybrid IDS known as SVELTE which offers the right trade-off between the storage cost of signature-based methods and the computational cost of anomaly-based methods. In [357], Krimmling et al. tested their anomaly- and signature-based IDS using the IDS evaluation framework that they presented. Their results revealed the failure of each approach in detecting certain attacks alone. As a result, the authors combined these approaches to cover and detect a wider attack range. In [329], Cervantes et al. presented the Intrusion Detection of SiNkhole attacks on 6LoWPAN for Internet of Things (INTI), to detect and isolate sinkhole attacks by combining the anomaly-based approach, which ensures a packet exchange between these nodes, with the specification-based method, used to extract the evaluation node based on both trust and reputation. However, when comparing SVELTE [337] to the INTI IDS, Cervantes et al. simulated a scenario where the INTI IDS achieved a sinkhole detection rate of up to 92%. In case of a fixed scenario, the rate only reached 75%. Either way, it has shown a low rate of false positives and false negatives compared to SVELTE.

• Firewalls: firewalls have rarely been employed in the CPS domain due to the advancement of IDS and Artificial Intelligence technologies. Therefore, only a handful of firewall-based solutions were presented. In [358], Jiang et al. mentioned the use of paired firewalls between enterprise and manufacturing zones to enhance the cyber security of servers. Their choice of paired firewalls is due to the stringent security and clear management separation. In [359], Nivethan et al. presented a novel methodology that uses iptables as an effective, powerful open-source network-level firewall for SCADA systems that inspects and filters SCADA protocol messages. In [360], Adepu et al. presented Argus as a framework for defending a public utility against cyber-physical attacks. Its implementation tests revealed its effectiveness in detecting single and complex multi-component deception attacks. In [361], Ghosh et al. presented their approach towards predicting real-time failures of network devices, including load balancers and firewalls, using event data. Their focus was on raw device event data. Results revealed a low device failure rate, while achieving a precision of 77% and a recall of 67% for network device failure prediction. In [362], Javed et al. presented a novel security architecture that localizes the cyber-attack in a timely manner, and simultaneously recovers the affected cyber-physical system functionality. Results revealed its effectiveness against system availability attacks only.
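The average-profile anomaly detection and the threshold-based behaviour checks described in the Anomaly Based and Behaviour Based subsections above, as an added Python example (not code from the survey or from any of the cited works); node names, metric values and the request limit are constructed, and the three metrics are an assumed choice:

```python
"""Added example, not from the survey or any of the cited works: a minimal
anomaly-based IDS module in the style of the Anomaly Based and Behaviour Based
subsections. A per-node normal-behaviour profile is learned as the average
(plus a tolerance band) of three traffic metrics, in the spirit of the
three-metric profile attributed to Cho et al. [331]; a fixed request-count
threshold in the spirit of Misra et al. [345] is shown alongside it. Node names,
metric values and thresholds are all constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# The three metrics that make up a node's profile (constructed choice).
METRICS = ("pkts_per_s", "bytes_per_s", "distinct_dsts")

# Constructed training window: (node, pkts_per_s, bytes_per_s, distinct_dsts)
TRAINING = [
    ("plc-1", 10, 1200, 2), ("plc-1", 11, 1300, 2), ("plc-1", 9, 1150, 2),
    ("plc-1", 10, 1250, 3), ("plc-1", 12, 1400, 2),
    ("hmi-1", 40, 9000, 5), ("hmi-1", 38, 8700, 5), ("hmi-1", 42, 9500, 6),
    ("hmi-1", 41, 9100, 5), ("hmi-1", 39, 8900, 5),
]


def build_profiles(records, k=3.0, min_rel_band=0.05):
    """Per node and metric, learn (mean, upper_bound) with upper = mean + k*stddev.

    The band is floored at min_rel_band * mean so that a metric which is
    perfectly constant during training still tolerates small jitter.
    """
    per_node = defaultdict(lambda: defaultdict(list))
    for node, *values in records:
        for name, v in zip(METRICS, values):
            per_node[node][name].append(v)
    profiles = {}
    for node, cols in per_node.items():
        profiles[node] = {}
        for name, vals in cols.items():
            mu, sd = mean(vals), pstdev(vals)
            profiles[node][name] = (mu, mu + k * max(sd, min_rel_band * mu))
    return profiles


def anomaly_alerts(profiles, observation):
    """Names of the metrics in one observation that exceed the node's band.

    A node with no learned profile is itself reported, since an unprofiled
    sender on an LLN is a deviation from the expected population.
    """
    node, *values = observation
    if node not in profiles:
        return ["unknown-node"]
    return [name for name, v in zip(METRICS, values)
            if v > profiles[node][name][1]]


def monitor(profiles, observations):
    """Run the detector over a stream; return alerts and the nodes to isolate.

    Mirrors the 'classify as malicious and remove it' step described for
    Lee et al. [328]: a node that triggers an alert joins the quarantine set.
    """
    alerts, quarantine = [], set()
    for obs in observations:
        hits = anomaly_alerts(profiles, obs)
        if hits:
            alerts.append((obs[0], hits))
            quarantine.add(obs[0])
    return alerts, quarantine


REQUEST_LIMIT = 100  # constructed specification threshold (requests per window)


def rate_limit_alert(requests_in_window, limit=REQUEST_LIMIT):
    """Behaviour/specification-based check with no training phase: alert when
    the request count in a window exceeds the administrator-defined limit."""
    return requests_in_window > limit


if __name__ == "__main__":
    prof = build_profiles(TRAINING)
    stream = [("plc-1", 10, 1250, 2), ("plc-1", 60, 7000, 2), ("rogue-7", 5, 600, 1)]
    print(monitor(prof, stream))
```

The band width k and the floor are the knobs that trade the false-positive rate noted above against missed deviations; a constant metric with no floor would alert on any change at all.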
• Honeypots & Deception Techniques: deception is a key defensive security measure that CPS rely on as a decoy to hide and protect their system. This can mainly be done using honeypots. However, other deceptive solutions also exist. In [363], Cohen presented how honeypot deception can be made more effective upon employment, while discussing different ranges of deception tactics. In [364], Antonioli et al. presented the design of a virtual, high-interaction, server-based ICS honeypot to ensure a realistic, cost-effective, and maintainable ICS honeypot that captures the attackers' activities. Such an implementation targets Ethernet/IP-based ICS honeypots. In [365], Litchfield et al. presented HoneyPhy, a physics-aware framework for complex CPS honeypots that monitors the behaviour originating from the CPS process and the device that controls the CPS itself. Results reveal that HoneyPhy can be employed to simulate these behaviours in real time. In [366], Irvene et al. leveraged the HoneyPhy framework to create HoneyBot. HoneyBot is the first software hybrid-interaction honeypot specifically designed for networked robotic systems. Simulations reveal that HoneyBot can fool attackers into believing that their exploits are successful.

In [367], Fraunholz et al. set up a medium-interaction honeypot offering telnet and Secure Shell (SSH) services to capture data from attack sessions. This data was analysed to allow the classification of attacker types and sessions, respectively. In [368], Tian et al. presented a honeypot game model with both low/high-interaction modes to mainly improve CPS security. Simulation results revealed that an optimal human analysis cost allocation and defensive strategy are obtained, making their method suitable for CPS data protection. In [369], Duan et al. presented a framework called "CONCEAL" as a new deception-as-a-service paradigm that is effective and scalable. This was done by combining m-mutation for address anonymization, k-anonymity for fingerprint anonymization, and l-diversity for configuration diversification. The savings achieved by CONCEAL's proxies can reach as high as 90%. In [370], Bernieri et al. presented a modular framework called Deep Detection Architecture (DDA) to provide cyber-physical security for industrial control systems. A cyber-physical simulation methodology was also presented and exploited to analyse the security modules under several different attack scenarios. Moreover, DDA will be extensively used for the next ICS generation and implemented into the Industry v4.0 paradigm. In [371], Sayin et al. introduced a deceptive signalling framework as a new defence measure against advanced adversaries in CPS. This framework relies on information that is strategically accessible to adversaries to indirectly control their actions.

5.4. CPS forensics

It is not enough to encrypt, detect and protect against passive and active attacks. In fact, aside from identifying the source of the attack, it is also important to know how the attack was performed despite the challenges [372]. Hence, there is an urgent need for the forensics domain to enhance the forensics tools and techniques to retrieve and analyze logs of events that took place before, during and after the incident. In fact, CPS forensic analysis is still in its early stages of development, due to the specialized nature of ICS along with their proprietary and poorly documented protocols [373]. In [374], Awad et al. surveyed the digital forensics applied to SCADA systems and covered the challenges that surround them, thereby presenting the current state-of-the-art device- and network-specific tools. In [375], Grispos et al. presented a forensic-by-design framework that ensures the integration of forensics principles and concepts in MCPS. In [376], H. Al-Khateeb et al. shed light on a new approach where a Blockchain-based Chain-of-Custody may be simultaneously established for the pre-identified data (data of interest) generated by an IoT device. In [377], Chan et al. described a novel security block method for detecting memory variable changes that may affect the integrity of programmable logic controllers, efficiently and effectively enhancing security and forensics. This is done by adding monitoring and logging mechanisms to PLCs, thereby ensuring faster anomaly detection with higher accuracy, less overhead and adjustable impact.

In [378], Ahmadi et al. presented a federated Blockchain (BC) model that achieves forensic readiness by establishing a digital Chain-of-Custody (CoC) and a CPS collaborative environment that qualifies as Digital Witnesses (DW) to support post-incident investigations. In [379], Parry et al. presented a high-speed hardware-software network forensics tool that was specifically designed for capturing and replaying data traffic in SCADA systems. Experimental results guaranteed preservation of the original packet ordering with improvement in data capture and replay capabilities. In [380], Cebe et al. presented a blockchain infrastructure integrating a Vehicular Public Key Infrastructure (VPKI) to achieve membership establishment and privacy along with a fragmented ledger related to detailed vehicular data. Moreover, identity pseudonyms were used to preserve users' privacy. In [381], P. Taveras presented a high-level software application that mainly detects critical situations like abnormal changes of sensor reads and traffic over the communication channel, thereby helping to improve critical infrastructure protection and providing appropriate SCADA forensics tools for incident response and forensic analysis. In [382], Ahmed et al. presented a testbed of three IPPs (Industrial Physical Processes) using real-world industrial equipment including PLCs. The authors stated that their testbed is useful in cyber-security, education (SCADA systems) and forensics research, including PLC analysis and programming. Moreover, their testbed includes fully functional physical processes, which are deemed essential for both research and pedagogical efforts.

In [383], Yau and Chow presented a novel methodology which logs the relevant memory address values that are used by programmable logic controller programs, in addition to their timestamps. This methodology can be extremely valuable in a forensic investigation in case of an ICS incident. This is realized by applying machine learning techniques to the logged data in order to identify any anomalous programmable logic controller operation. In [384], Saman et al. combined symbolic execution with model checking to analyse any malicious PLC code bound injection. Their combined approach can also be used for forensic purposes, including the identification of the areas where the code injection took place, along with which part of the code caused its execution. In [385], McMinn et al. presented a firmware verification tool used for the forensic analysis of attempts to alter firmware code to gain unauthorised access over ICS networks. Such verification is achieved through the analysis of the PLC's captured data to check whether the PLC's firmware has been modified or not. In [386], Kleinmann et al. presented an accurate IDS that utilizes a deterministic finite automaton that models the network traffic with 99.26% accuracy, after analysing and observing the highly periodic network traffic of Siemens S7 PLCs. In [387], Saranyan et al. provided a comprehensive forensic analysis of the network traffic generated by the PCCC (Programmable Controller Communication Commands) protocol, and also presented a prototype tool that extracts updates of the programmable logic and crucial configuration information. The authors also stated that their proof-of-concept tool, "Cutter", which is capable of parsing the content of PCCC messages, extracts and presents digital artifacts in a human-readable form, such as the Simple Mail Transfer Protocol (SMTP) configuration. Moreover, the SMTP configuration can be retrieved from the network log and parsed, too.
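The timestamped PLC memory-address logging and memory-variable change detection discussed in this section, combined with a hash chain of the kind a digital chain-of-custody relies on, as an added Python example (not code from the survey or from any of the cited works); the addresses, values and timestamps are constructed:

```python
"""Added example, not from the survey or any of the cited works: a tamper-evident
log of PLC memory-variable snapshots, in the spirit of the timestamped
memory-address logging attributed to Yau and Chow [383] and the memory-variable
change detection attributed to Chan et al. [377]. Each entry is chained to the
previous one with SHA-256, giving the kind of integrity evidence a digital
chain-of-custody relies on. Addresses (written in Siemens S7 style), values and
timestamps are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash, ts, snapshot):
    """Hash of one entry; canonical JSON so key order cannot change the digest."""
    payload = json.dumps({"prev": prev_hash, "ts": ts, "mem": snapshot}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class MemoryLog:
    """Append-only log: each entry stores a memory snapshot, its timestamp,
    the previous entry's hash and its own hash."""

    def __init__(self):
        self.entries = []

    def append(self, ts, snapshot):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        snap = dict(snapshot)  # copy, so later mutation of the caller's dict cannot alter the log
        h = entry_hash(prev, ts, snap)
        self.entries.append({"ts": ts, "mem": snap, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Recompute the chain; return the index of the first entry that fails
        (hash or link mismatch), or -1 if the whole log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["ts"], e["mem"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def changed_addresses(log, watched):
    """Timeline of changes to the watched addresses between consecutive
    snapshots, as (ts, address, old_value, new_value)."""
    changes = []
    for before, after in zip(log.entries, log.entries[1:]):
        for addr in watched:
            old, new = before["mem"].get(addr), after["mem"].get(addr)
            if old != new:
                changes.append((after["ts"], addr, old, new))
    return changes


# Constructed snapshots: a setpoint word, a marker bit and a timer preset.
SNAPSHOTS = [
    (1, {"DB1.DBW0": 500, "M0.0": 0, "T1": 30}),
    (2, {"DB1.DBW0": 500, "M0.0": 0, "T1": 30}),
    (3, {"DB1.DBW0": 500, "M0.0": 1, "T1": 30}),
    (4, {"DB1.DBW0": 9999, "M0.0": 1, "T1": 30}),
]


def build_log(snapshots=SNAPSHOTS):
    log = MemoryLog()
    for ts, mem in snapshots:
        log.append(ts, mem)
    return log


if __name__ == "__main__":
    log = build_log()
    print(changed_addresses(log, ["DB1.DBW0", "M0.0"]))
    print("intact" if log.verify() == -1 else "tampered")
```

A log that only records values is evidence an intruder can quietly rewrite; the chain makes any edit or deletion of a stored snapshot show up in verify(), which is what gives the timeline investigative value.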
In [377], Chan et al. presented a novel security block method that enhances ICS security and forensics by adding monitoring and logging mechanisms to PLCs and the ICS's key components. Their results demonstrated that their approach increased the anomaly detection range, speed and accuracy with a slight performance impact and a reduced network overhead, thus ensuring a more enhanced, efficient and effective forensic investigation procedure. In [388], Yua et al. described the design and implementation of a novel PLC logging system. To overcome the inadequacy of information in forensic investigations, their logging system is used to extract data from Siemens S7 communication protocol traffic. This logging system also helps in recording the evidence based on the data exchanged between the PLC and other network devices, thus providing key information about the attack source, actions and timelines. The choice of the Simatic S7 PLC is due to its widespread use [389] and its successful exploitation by the insidious Stuxnet malware. In [390], Chan et al. focused on the logging mechanism of a Siemens PLC, including the Siemens Total Integrated Automation Portal V13 program (Siemens TIA Portal, known as Siemens Step-7). The authors' methodology performs an effective and practical forensic analysis of the PLC. Moreover, it focuses on the Siemens PLC along with an installed computer workstation with the Siemens TIA Portal (previously targeted by Stuxnet).

5.5. Limitations

During the evaluation and analysis of the existing presented security solutions, several limitations can be deduced; they are presented and discussed as follows:

• Asymmetric Cryptography: introduces overhead in terms of latency and resources. The asymmetric nature of certain cryptographic work [285,292] leaves CPS real-time communication prone to network latency and overhead due to delays in the encryption/decryption process.

• Weak Device/User Authentication Scheme: many of the presented authentication techniques [73,130,306,308] are not very suitable for a secure appliance, due to the lack of multi-factor authentication schemes to protect CPS systems from unauthorised users and access.

• CPS Forensics Field: it is still prone to many challenges, including the lack of tools, skills and responses against any potential anti-forensics activity [372,373].

• Inefficient Honeypot & Deception Systems: despite the recently proposed techniques in Irvene et al. [366], Tian et al. [368], Bernieri et al. [370] and Sayin and Basar [371], there are no appropriate honeypot techniques that can be specifically adopted to protect CPS systems, especially in the wake of Industry v4.0.

• Lack of Firewall Protection: firewall solutions including [358,359] are not very applicable and suitable for employment in the CPS domain, nor do they offer an effective protection. The best solution requires dynamic firewalls, as

erations but with minimum computational complexity. These cryptographic solutions can help ensure the following security services:

• Confidentiality: there is a need for a new class of lightweight block or stream cipher algorithms to secure CPS resource-constrained real-time communications. Recently, a new approach was presented, based on a dynamic key-dependent cipher structure that requires one or two iterations with few operations [391–394]. A set of these solutions can be applied at the physical layer [393–395].

• Message/Device Integrity: this includes the protection of CPS data and devices' integrity from any physical/logical alteration(s). This can be done by ensuring that the operating system, applications, and software are securely designed and without any flaws to prevent tampering, with strong cryptographic hash functions (SHA256, SHA384 and SHA512). To this end, a new lightweight hash function was presented in Noura et al. [396], and it requires a single round compared to the existing ones.

• Device/Data Availability: requires computational resources along with verified backups, and a self-healing ability of CPS in such a way as to recover immediately from availability attack types. Also, maintaining data availability is just as necessary [397], and this can be done by defining a multi-secure connection [398–403].

2. Strong Device/User Authentication: an efficient device/user mutual multi-factor authentication scheme is necessary, along with enhancing the verification and identification phases based on attribute access-control privileges (least privilege) to ensure non-repudiation and stronger accountability.

3. Protecting Digital Evidence: this is highly important since most of the advanced attacks focus on eliminating any source of evidence that traces back to the attack source, as in the case of the Shamoon, Duqu, Flame and Stuxnet malware types [75,109,404]. Furthermore, modern digital forensics solutions should define new countermeasures to preserve digital forensics logs.

4. Enhancing Security Policy: in many cases, CPS attacks were carried out by insiders (by accident or on purpose). Accordingly, all employees must undergo a screening process before recruitment, have their privileges suspended outside working hours, and have their actions monitored in the case of advanced tasks. This means that the CPS security policy should contain new rules to limit access and to reduce the potential damage.

5. Smart Cooperation with Non-cryptographic Solutions: intrusion detection systems should be hybrid in all terms and should be coordinated in an efficient manner with firewalls and dynamic honeypot systems.

6. Enforcing Compliance: by respecting users' privacy through ensuring data access regulatory compliance for the processing of CPS big data via clouds, especially when stored by utility providers (Trusted Third Party (TTP)), to prevent any data leakage and users' privacy violations. Therefore, maintaining a suit-
well as application and next generation firewall types.
able trade-off between users privacy and systems’ security and
• Inefficient Intrusion Detection Systems: despite the avail-
performance, while also ensuring firmer accountability mea-
ability of various IDS types such as anomaly-based [352],
sures [405,406].
behaviour-based [345] and signature-based [333], these are
7. Achieving Trade-Off: is essential for maintaining systems’
generally applied within IoT-based domains and not specifically
availability, safety and security [407,408]. Therefore, such a
designed to protect CPS systems.
trade-off must be achieved based on the combination of these
three key requirements while taking into consideration avail-
6. Learnt lessons
able budget and cost requirements in terms of risk assessment:
• Availability & Safety: both features are linked together since
To secure CPS, many lessons were learnt as how to maintain
issues related to the safety of a CPS system also affect its op-
and achieve their required security goals. Among such lessons:
erational availability. To ensure this trade-off, verified back-
1. Maintaining Security Services: new lightweight cryptographic ups of computational devices must always be considered in
solutions are required to secure CPS and IoCPT in real-time op- the planning phase, as a second line of defense to handle
any sudden service/system disruption (power cuts, blackouts, pumping stoppage) or maintenance (updates, renovation, installation, etc.).
   • Availability & Security: since availability is very crucial for all real-time CPS operations, securing them is a top priority. For this reason, a trade-off is to be established between availability and security (Frequency Hopping/Shifting, Signal-to-Noise Ratio, Backup devices, Firewalls, IDS, Traffic Monitoring, etc.), especially against wireless jamming attacks.
   • Safety & Security: having a secure CPS does not always mean that it is protected. In fact, a trade-off must be achieved to maintain both safety and security features in any CPS domain, where a safety feature is meant to protect the CPS from any accidental failure/hazard (system failure, miscalculations, abnormal activities, etc.), while a security feature (IDS, Firewalls, Artificial Intelligence (AI), etc.) ensures protection against intentional cyber-physical attacks.

7. Suggestions & recommendations

Different security measures could be adopted and enhanced to improve the protection against various threats and attacks. These include:

• Prioritization & Classification: of critical CPS components and assets before assessing, managing and analysing risks, to ensure proper budget spending on the right choice of security measures (basic, standard or advanced) in accordance with their costs compared to the likelihood of the occurrence of a given incident and its impact.
• Careful Financial Planning & Management: must be conducted in terms of the available budget and the needed costs/resources to protect critical/non-critical CPS assets and components.
• Lightweight Dynamic Key Dependent Cryptographic Algorithms: these solutions can be used to ensure several security services such as message confidentiality, integrity and authentication, which are mandatory during any secure CPS communication. This can be done by using the new generation of cryptographic algorithms presented in Noura et al. [392,409,410]. The advantage of these solutions is that they reach a good balance between security and performance level. Their robustness against attacks was proved since a dynamic key is used per message (or per set of messages, depending on application constraints and requirements). Moreover, this dynamic key is used to produce and update a set of cryptographic primitives. This means that different ciphertexts can be obtained for the same plaintext since different cryptographic primitives are used. Their effectiveness is validated since these algorithms require only one round iteration, use simple operations, and avoid the diffusion operation. The new generation of these cryptographic algorithms reduces the required latency, resources and computation overhead, which helps CPS devices to better preserve their main functionalities.
• Defining Privileges: this should be considered as the most suitable access control policy, which assigns permissions and rights depending on the users' roles/tasks/attributes when it comes to accessing CPS, and removes these access rights upon completing the task or upon the employee's leave. This also includes the use of the least privilege policy. Therefore, the definition of privilege should be done based on Attribute Based Access Control (ABAC), where policies combined with attributes specify access authorizations. Note that ABAC makes access control decisions based on Boolean conditions of attribute values. It provides a high level of granularity, which is necessary to make the CPS access control scheme more secure.
• Strong Entity Multi-Factor Authentication: unfortunately, entity authentication schemes that are based on a single factor of authentication (you have, you know, you do or you are) are not resistant enough against authentication attacks, which are increasingly becoming more dangerous. The first line of defense in any system is the entity authentication scheme, since any entity authentication attack can lead to a confidentiality, integrity and/or availability attack. Recently, the concept of multi-factor authentication was applied by combining two or more factors: (1) "you are", which includes device fingerprint, user fingerprint, hand geometry, iris scan, retina scan, etc., and (2) "you have", which includes cryptographic keys, to increase its robustness against authentication attacks such as the ones described in Melki et al. [411] and Noura et al. [412]. This mechanism should be an essential requirement in CPS systems, in addition to the use of the geographical location. The advantage of these solutions is their ability to reduce false positives, and to complicate authentication attacks since several factors must be broken instead of one. Consequently, this limits access to authorised entities and personnel only (devices/users).
• Strong Password & Dynamic Hashing Process: passwords are considered as the "you know" authentication factor. However, several attacks such as rainbow and hash table attacks can be applied. In order to prevent them from occurring, after a periodic interval, passwords must be re-hashed with a new dynamic nonce for each user. Moreover, a secure cryptographic hash function should be used, such as SHA-3 or SHA-2 (variant 512). This avoids birthday attacks and reduces rainbow/hash table attacks.
• Secure and Protected Audit: can be done by using an audit manager system that collects and stores logs in a distributed system. A possible solution that can be applied in this context was presented recently in Noura et al. [413]. This limits any insider attempt against a cyber-physical system and preserves the digital evidence of internal and external attacks in order to trace them back.
• Enhanced Non-Cryptographic Solutions: require hybrid IDS/IPS systems or AI-based IDS/IPS (using Machine Learning algorithms), along with advanced firewalls (i.e., Application and Next Generation Firewalls) [414], and dynamic honeypots [415] to prevent any future security breach based on a vulnerability exploit. This can be done by employing lightweight IDS/IPS, and especially the anomaly-based ones. In fact, one should select the anomaly detection algorithm according to the CPS device constraints: statistical for limited devices, or based on a machine learning algorithm, such as random forest, for powerful CPS devices. On the other hand, signature-based techniques can be applied at the Gateway (GW), where all network traffic can be analyzed.
• Secure & Verified Backups: this is essential to maintain CPS data availability and to avoid data destruction or alteration by ensuring robustness against DoS/DDoS and Ransomware attacks, especially since such attacks may result in total blackouts, as in the case of the US. This can be done by using lightweight data protection solutions such as the ones presented in Noura et al. [399].
• Forensic Efforts: are essential to retrieve the traces of any occurring attack. Also, new solutions against anti-forensic techniques should be introduced to preserve any digital evidence [413]. This is realized by recovering logs and monitoring network and system behaviour, which can successfully limit various reconnaissance attempts. However, the newly introduced forensics tools must be compatible with different
CPS devices' software/hardware, especially resource constrained devices, and must also be resistant against anti-forensics attempts.
• Enhanced Incident Response: includes the ability to identify, alert and respond to a given incident. Moreover, incident recovery and incident investigation plans should be put in place to mitigate attacks. This provides protection against non-intentional technical and operational failures (power shortage, blackout) through back-up plans, and against intentional failures (cyber-attacks) through CERT (Computer Emergency Response) [416], CSIRT (Computer Security Incident Response) [417], and IRCF (Incident Response And Computer Forensics) teams [418,419]. As such, CPS scientists and engineers must undergo further education and training to ensure an enhanced and efficient cyber, physical and computational environment with secure computing and communications.
• Real-time Monitoring: running real-time systems using specialised forensics or non-forensics tools and methods is essential to prevent any accidental or non-accidental cyber-physical system failure. This enables constant checking and monitoring of CPS devices' behaviour and hence the detection of any cyber-attack attempt in its early stages.
• Security Check: and employee screening must be done for each employee before and during the job to eliminate and contain any possible insider/whistle-blower attempt. Therefore, signing agreements [420] such as a Non-Disclosure Agreement (NDA), Confidentiality Agreement (CA), Confidential Disclosure Agreement (CDA), Proprietary Information Agreement (PIA) or Secrecy Agreement (SA) is highly recommended. Such security checks are essential especially in critical areas such as nuclear power plants [421].
• Periodic Employee Training: includes periodic awareness training of ICS and PLC employees on the best cyber-security practices based on their level and knowledge, with the ability to detect any suspicious behaviour or activity. Moreover, employees must be trained on various security threats and wrong practices, such as avoiding the installation of any software update, and on how to counter social-engineering and phishing attempts, while also maintaining accountability in case of wrongdoing.
• Periodic Pen Testing & Vulnerability Assessment: must be maintained in a periodic manner to enforce system auditing, detecting threats, and mitigating them in a real-time manner before they are discovered and exploited by an attacker under zero-day exploit conditions.
• Periodic Risk Assessment: must also be enforced to study the likelihood and impact of a given risk against a critical/non-critical cyber-physical system based on a qualitative and/or quantitative risk assessment and a Cost-Benefit Analysis (CBA), to classify the risk based on an acceptable/non-acceptable level and to mitigate it as early as possible.
• Up-to-Date Systems: cyber-physical systems must be kept up-to-date in terms of software, firmware and hardware through constant verified patches and updates [422]. Moreover, such systems must be secured at different levels of their implementation (layered protection), with the ability to mitigate and tackle a given attack to reduce its impact and prevent further escalation and damage. Furthermore, USB ports must be physically and logically removed to prevent any payload injection, and PLC systems' behaviour and activities must be constantly monitored for any suspicious/abnormal behaviour [422].
• AI Security Solutions: Artificial Intelligence is used in IDS/IPS anomaly detection schemes or in "you are" or "you do" entity authentication schemes. In fact, AI is now being considered as a game-changing solution against a variety of cyber-physical attacks targeting CPS systems, devices and communication points. Despite the time consuming process of training an AI system, the accuracy of detection and prevention is much higher than that of any human intervention. Recent advancements in machine learning, and especially in deep learning, can make CPS systems more secure, robust and resistant against cyber-physical attacks.
• Defense In-Depth: most of the existing solutions offer protection against a single attack aspect or a single security requirement. Instead, there is a need for a multi-purpose security solution that ensures the best protection at each operational layer (perception, transmission and application) of the CPS. For example, the two best known international standards for functional safety in the automotive industry, ISO 26262 [423] and IEC 61508/Edition 2 [424,425], should be respected and applied. This ensures a safe CPS implementation based on functional safety, which includes the Safety Integrity Level (SIL) basics [426], which in turn rely on the Probability of Failure on Demand (PoFoD) and the Risk Reduction Factor (RRF) to ensure a much more accurate and efficient Hazard and Risk Analysis (HRA) [424,426], mainly in Electronic Control Units (ECU) [427,428].
• CPS Security & Privacy Life-cycle: finally, to sum up this work, our paper presents a combined Operational and Functional Safety/Security (OFSS) life-cycle that ensures a successful and safe CPS employment, as seen in Fig. 9. This framework is derived from the ISO 26262 and IEC 61508/Edition 2 protocols and their approach towards ensuring CPS functional safety/security. The framework consists of six main phases:
   − Phase 1: devising a plan to design a CPS system by following a well-defined time-table and schedule in accordance with the needed budget and corresponding costs. This also requires the assistance of humans (businessmen, engineers, workers, etc.) and non-human assets (vehicles, machines, etc.).
   − Phase 2: requires a careful risk and hazard analysis, which consists of proper risk management and asset classification, as well as the mutual connection between the two, to ensure accurate decision-making over the adoption of the right security measures/counter-measures.
   − Phase 3: defines the right functional safety, security and dependability requirements along with their key components/mechanisms that are essential to mitigate a risk/hazard and to reduce its likelihood and impact in case of occurrence.
   − Phase 4: consists of evaluating the performance of the CPS in terms of the recently introduced functional safety, security and dependability measures in an operational manner, where performance management and analysis are conducted to ensure proper/mutual security-performance, safety-performance and dependability-performance trade-offs.
   − Phase 5: once the performance is evaluated, the cyber-physical system is tested and validated to detect any remaining software/hardware bug, security gap or performance issue, and to apply the required modifications before being commissioned. If the testing is unsuccessful, the process restarts to find where the issue took place. If successful, the CPS heads towards further commissioning before being officially deployed.
   − Phase 6: upon successful testing, the deployed CPS system undergoes a trial phase to evaluate its operational status, while monitoring its behaviour and performance before becoming fully operational.
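The ABAC privilege definition recommended under "Defining Privileges", combined with the lesson-4 rules that privileges are suspended outside working hours and removed when a task ends or an employee leaves, as an added worked example that is not code from the paper: a small deny-overrides policy engine evaluating Boolean conditions over subject, resource and environment attributes. The attribute names, the working-hours window, the policy rules and the sample users, devices and timestamps are all constructed for the example.

```python
"""ABAC decision point for CPS access requests (constructed example).

A request carries subject attributes (role, employment status, open
tasks), resource attributes (device id, criticality) and environment
attributes (action, time of request). Each rule is a Boolean condition
over those attributes. Combining algorithm: deny-overrides with default
deny, so an explicit DENY always wins and no matching rule means DENY.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    effect: str                                   # "PERMIT" or "DENY"
    condition: Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, subject: Attrs, resource: Attrs, env: Attrs) -> str:
        permitted = False
        for rule in self.rules:
            if rule.condition(subject, resource, env):
                if rule.effect == "DENY":
                    return "DENY"
                permitted = True
        return "PERMIT" if permitted else "DENY"


def within_working_hours(env: Attrs) -> bool:
    """Constructed working-hours window: Monday to Friday, 08:00-18:00."""
    now: datetime = env["time"]
    return now.weekday() < 5 and 8 <= now.hour < 18


# Constructed policy for a PLC maintenance scenario (hypothetical rules).
CPS_POLICY = Policy(rules=[
    # Rights are removed upon the employee's leave: any non-active status.
    Rule("inactive-staff", "DENY",
         lambda s, r, e: s.get("status") != "active"),
    # Privileges on critical devices are suspended outside working hours.
    Rule("off-hours-critical", "DENY",
         lambda s, r, e: r.get("criticality") == "critical"
         and not within_working_hours(e)),
    # Least privilege: an engineer may write to a PLC only while an open
    # task assigned to them names that exact device.
    Rule("engineer-task-write", "PERMIT",
         lambda s, r, e: s.get("role") == "engineer"
         and e.get("action") == "write"
         and r.get("device_id") in s.get("open_tasks", ())),
    # Operators and engineers may read device state.
    Rule("staff-read", "PERMIT",
         lambda s, r, e: s.get("role") in ("operator", "engineer")
         and e.get("action") == "read"),
])


def request(policy: Policy, subject: Attrs, resource: Attrs,
            action: str, when: datetime) -> str:
    """Assemble the environment attributes and return PERMIT or DENY."""
    return policy.decide(subject, resource, {"action": action, "time": when})


# Constructed sample subjects, devices and timestamps.
SAMPLE_ENGINEER = {"role": "engineer", "status": "active", "open_tasks": {"PLC-7"}}
SAMPLE_OPERATOR = {"role": "operator", "status": "active"}
SAMPLE_PLC7 = {"device_id": "PLC-7", "criticality": "critical"}
SAMPLE_PLC9 = {"device_id": "PLC-9", "criticality": "critical"}
SAMPLE_HMI = {"device_id": "HMI-1", "criticality": "standard"}
TUESDAY_10 = datetime(2020, 7, 7, 10, 0)    # Tuesday 10:00
SATURDAY_10 = datetime(2020, 7, 11, 10, 0)  # Saturday 10:00

if __name__ == "__main__":
    for who, dev, act, when in [
        (SAMPLE_ENGINEER, SAMPLE_PLC7, "write", TUESDAY_10),   # PERMIT
        (SAMPLE_ENGINEER, SAMPLE_PLC9, "write", TUESDAY_10),   # DENY: not their task
        (SAMPLE_ENGINEER, SAMPLE_PLC7, "write", SATURDAY_10),  # DENY: off hours
        (SAMPLE_OPERATOR, SAMPLE_HMI, "read", SATURDAY_10),    # PERMIT
    ]:
        print(who["role"], dev["device_id"], act, when, "->",
              request(CPS_POLICY, who, dev, act, when))
```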
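The "Strong Password & Dynamic Hashing Process" recommendation above, as an added example rather than the paper's own scheme: each user gets a random nonce, the stored value is SHA3-512(nonce || password), and the nonce is rotated at the first successful login after the re-hash interval, since a stored digest cannot be re-keyed without the plaintext password. The 30-day interval and the sample credentials are constructed.

```python
"""Password store with a per-user dynamic nonce and periodic re-hashing
(constructed example; not the paper's own scheme).

Stored record per user: nonce, SHA3-512(nonce || password), and the time
of hashing. A stored digest cannot be converted to a digest under a new
nonce, so rotation happens at the first successful login after the
interval elapses, when the plaintext password is legitimately present.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

REHASH_INTERVAL_S = 30 * 24 * 3600   # constructed policy: re-hash every 30 days
NONCE_BYTES = 32


@dataclass
class Record:
    nonce: bytes
    digest: bytes
    hashed_at: float


def digest_password(nonce: bytes, password: str) -> bytes:
    """SHA3-512 over nonce || password. The random per-user nonce means a
    precomputed rainbow/hash table would have to be built per user."""
    return hashlib.sha3_512(nonce + password.encode("utf-8")).digest()


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, Record] = {}

    def enroll(self, user: str, password: str, now: float) -> None:
        nonce = secrets.token_bytes(NONCE_BYTES)
        self._users[user] = Record(nonce, digest_password(nonce, password), now)

    def verify(self, user: str, password: str, now: float) -> bool:
        """Constant-time compare; on success, rotate the nonce if stale."""
        rec = self._users.get(user)
        if rec is None:
            # Hash anyway so unknown and known user names take similar time.
            digest_password(b"\x00" * NONCE_BYTES, password)
            return False
        ok = hmac.compare_digest(rec.digest, digest_password(rec.nonce, password))
        if ok and now - rec.hashed_at >= REHASH_INTERVAL_S:
            self.enroll(user, password, now)   # new dynamic nonce, new digest
        return ok

    def nonce_of(self, user: str) -> bytes:
        return self._users[user].nonce


def rotation_demo() -> bool:
    """True when the nonce is unchanged before the interval, changed after
    it, and the same password still verifies under the new nonce."""
    pw = "correct horse battery staple"          # constructed credential
    store = PasswordStore()
    store.enroll("operator1", pw, now=0.0)
    first = store.nonce_of("operator1")
    early_ok = store.verify("operator1", pw, now=10.0)
    unchanged = store.nonce_of("operator1") == first
    late_ok = store.verify("operator1", pw, now=REHASH_INTERVAL_S + 1.0)
    rotated = store.nonce_of("operator1") != first
    still_ok = store.verify("operator1", pw, now=REHASH_INTERVAL_S + 2.0)
    return early_ok and unchanged and late_ok and rotated and still_ok
```

A deployment would replace the single fast hash with an iterated or memory-hard password KDF; the per-user nonce and the rotation logic stay the same.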
Fig. 9. CPS-OFSS life-cycle framework.
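The distributed audit manager of "Secure and Protected Audit" and the anti-forensics concern of "Forensic Efforts" (and lesson 3), as an added example that is not the solution of Noura et al. [413]: an HMAC-chained, replicated log in which deleting or editing an entry on one node breaks that node's chain and shows up as a divergence from the untouched replica. The audit key and the log events are constructed.

```python
"""Tamper-evident audit log with replication (constructed example).

Every entry stores an HMAC chain value over (previous chain value ||
entry). An insider who deletes, edits or reorders entries on one node
breaks the chain from that point on, and the untouched replica on a
second node shows where the logs diverge.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed audit key; in practice held by the audit manager only and
# never by the monitored PLC workstation.
AUDIT_KEY = b"constructed-audit-key-for-example-only"
GENESIS = b"\x00" * 32


def entry_bytes(entry: Dict[str, object]) -> bytes:
    """Canonical serialisation so every node hashes identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_value(prev: bytes, entry: Dict[str, object]) -> bytes:
    return hmac.new(AUDIT_KEY, prev + entry_bytes(entry), hashlib.sha256).digest()


class AuditNode:
    """One storage node of the distributed audit system."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []
        self.chain: List[bytes] = []

    def append(self, entry: Dict[str, object]) -> None:
        prev = self.chain[-1] if self.chain else GENESIS
        self.entries.append(dict(entry))
        self.chain.append(chain_value(prev, entry))

    def verify(self) -> Optional[int]:
        """Index of the first entry whose chain value does not match,
        or None if the whole log is intact."""
        prev = GENESIS
        for i, (entry, tag) in enumerate(zip(self.entries, self.chain)):
            if not hmac.compare_digest(tag, chain_value(prev, entry)):
                return i
            prev = tag
        return None


class AuditManager:
    """Fans each event out to every node and cross-checks the replicas."""

    def __init__(self, node_count: int) -> None:
        self.nodes = [AuditNode() for _ in range(node_count)]

    def record(self, **event: object) -> None:
        for node in self.nodes:
            node.append(event)

    def first_divergence(self) -> Optional[int]:
        """Index at which any replica's chain differs from node 0's, or
        None if all replicas agree. A replica that lost entries diverges
        at the length of its shortened chain."""
        ref = self.nodes[0].chain
        for node in self.nodes[1:]:
            for i, (a, b) in enumerate(zip(ref, node.chain)):
                if a != b:
                    return i
            if len(node.chain) != len(ref):
                return min(len(node.chain), len(ref))
        return None


def anti_forensics_demo() -> Tuple[Optional[int], Optional[int]]:
    """Simulate an insider wiping their own PLC write from node 1.
    Returns (chain-verification failure index, replica divergence index)."""
    mgr = AuditManager(node_count=2)
    mgr.record(seq=1, actor="operator1", action="login", host="tia-ws-01")
    mgr.record(seq=2, actor="operator1", action="plc_write", target="PLC-7")
    mgr.record(seq=3, actor="operator1", action="logout", host="tia-ws-01")
    victim = mgr.nodes[1]
    del victim.entries[1]          # remove the PLC write from the entries...
    del victim.chain[1]            # ...and its tag, as a careful insider would
    return victim.verify(), mgr.first_divergence()
```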
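The statistical anomaly detector that "Enhanced Non-Cryptographic Solutions" recommends for resource-limited CPS devices, as an added example (not the paper's IDS): Welford's online mean/variance over a constructed stream of pump-pressure readings, flagging values beyond k standard deviations after a warm-up period and keeping flagged values out of the baseline. The threshold, warm-up length and telemetry are constructed.

```python
"""Lightweight statistical anomaly detector for a constrained CPS device
(constructed example; not the paper's own IDS).

Welford's online algorithm keeps only count, mean and M2, so it fits a
PLC-class device: O(1) memory, no stored history, no model training.
"""
import math
from typing import List, Tuple


class WelfordDetector:
    def __init__(self, k: float = 4.0, warmup: int = 20) -> None:
        self.k = k              # alert threshold in standard deviations
        self.warmup = warmup    # samples learnt before any alert is raised
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0           # sum of squared deviations from the mean

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def observe(self, x: float) -> bool:
        """Return True if x is anomalous. Anomalous samples are NOT folded
        into the baseline, so repeated out-of-range writes cannot drift it
        (each of them is flagged instead)."""
        anomalous = False
        if self.n >= self.warmup:
            # Guard against a flat baseline where sigma is exactly zero.
            tolerance = max(self.k * self.std(), 1e-9)
            anomalous = abs(x - self.mean) > tolerance
        if not anomalous:
            self.n += 1
            delta = x - self.mean
            self.mean += delta / self.n
            self.m2 += delta * (x - self.mean)
        return anomalous


def run_detector(readings: List[float], k: float = 4.0,
                 warmup: int = 20) -> List[Tuple[int, float]]:
    """Return (index, value) of every flagged reading."""
    det = WelfordDetector(k=k, warmup=warmup)
    return [(i, x) for i, x in enumerate(readings) if det.observe(x)]


# Constructed telemetry: a pump pressure setpoint around 3.0 bar with
# small sensor noise, then three hostile writes interleaved with normal ones.
SAMPLE_READINGS = [3.0 + 0.02 * ((i * 7) % 5 - 2) for i in range(40)]
SAMPLE_READINGS += [9.5, 3.01, 9.7, 2.99, 9.6]


def detect_sample() -> List[int]:
    """Indices flagged in the constructed stream."""
    return [i for i, _ in run_detector(SAMPLE_READINGS)]


if __name__ == "__main__":
    for i, x in run_detector(SAMPLE_READINGS):
        print(f"reading {i}: {x} bar flagged as anomalous")
```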

8. Conclusion

CPS systems are key components of Industry v4.0, and they are already transforming how humans interact with the physical environment by integrating it with the cyber world. The aim of implementing CPS systems, either within or outside IoT (IoCPT), is to enhance the products' quality and the systems' availability and reliability. However, CPS systems suffer from various security and privacy issues that can degrade their reliability, safety and efficiency, and possibly hinder their wide deployment. In this paper, we first overview all components within CPS systems and their interconnections including IoT systems, and we focus on the main CPS security threats, vulnerabilities and attacks, as related to the components and communication protocols being used. Then, we discuss and analyze the recently available CPS security solutions, which can be categorized as cryptographic and non-cryptographic solutions. Next, we highlight the important lessons learnt throughout, and accordingly, we present suggestions and recommendations with respect to the various security aspects, services, and best practices that must be put in place to ensure resilient and secure CPS systems, while maintaining the required performance and quality of service.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This paper is supported with funds from the Maroun Semaan Faculty of Engineering and Architecture at the American University of Beirut.

Supplementary material

Supplementary material associated with this article can be found, in the online version, at doi:10.1016/j.micpro.2020.103201.

References

[1] J. Lee, B. Bagheri, H.-A. Kao, A cyber-physical systems architecture for industry 4.0-based manufacturing systems, Manuf. Lett. 3 (2015) 18–23.
[2] Y. Lu, Industry 4.0: a survey on technologies, applications and open research issues, J. Ind. Inf. Integr. 6 (2017) 1–10.
[3] J. Lee, E. Lapira, S. Yang, A. Kao, Predictive manufacturing system-trends of next-generation production systems, IFAC Proc. Vol. 46 (7) (2013) 150–156.
[4] S. Heng, Industry 4.0: huge potential for value creation waiting to be tapped, Deutsche Bank Res. (2014) 8–10.
[5] S. Gries, M. Hesenius, V. Gruhn, Cascading data corruption: about dependencies in cyber-physical systems: poster, in: Proceedings of the 11th ACM International Conference on Distributed and Event-Based Systems, ACM, 2017, pp. 345–346.
[6] A. Di Ferdinando, P. Ezhilchelvan, M. Dales, J. Crowcroft, Ninth IEEE international symposium on object and component-oriented real-time distributed computing.
[7] I. Chun, J. Park, W. Kim, W. Kang, H. Lee, S. Park, Autonomic computing technologies for cyber-physical systems, in: 2010 The 12th International Conference on Advanced Communication Technology (ICACT), 2, IEEE, 2010, pp. 1009–1014.
[8] C.-R. Rad, O. Hancu, I.-A. Takacs, G. Olteanu, Smart monitoring of potato crop: a cyber-physical system architecture model in the field of precision agriculture, Agric. Agric. Sci. Procedia 6 (2015) 73–79.
[9] T. Haidegger, G.S. Virk, C. Herman, R. Bostelman, P. Galambos, G. Györök, I.J. Rudas, Industrial and medical cyber-physical systems: tackling user requirements and challenges in robotics, in: Recent Advances in Intelligent Engineering, Springer, 2020, pp. 253–277.
[10] B. Siddappaji, K. Akhilesh, Role of cyber security in drone technology, in: Smart Technologies, Springer, 2020, pp. 169–178.
[11] J.-P.A. Yaacoub, M. Noura, H.N. Noura, O. Salman, E. Yaacoub, R. Couturier, A. Chehab, Securing internet of medical things systems: limitations, issues and recommendations, Future Gener. Comput. Syst. 105 (2020) 581–606.
[12] T.M. Chen, Survey of cyber security issues in smart grids, in: Cyber Security, Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II, 7709, International Society for Optics and Photonics, 2010, p. 77090D.
[13] C. Miller, C. Valasek, A survey of remote automotive attack surfaces, Black Hat USA 2014 (2014) 94.
[14] E. Bou-Harb, A brief survey of security approaches for cyber-physical systems, in: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), IEEE, 2016, pp. 1–5.
[15] N. Sklavos, I.D. Zaharakis, Cryptography and security in internet of things (IoTs): models, schemes, and implementations, in: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), IEEE, 2016, pp. 1–2.
[16] A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security: a survey, IEEE Internet of Things J. 4 (6) (2017) 1802–1831.
[17] H. Yoo, T. Shon, Challenges and research directions for heterogeneous cyber-physical system based on IEC 61850: vulnerabilities, security requirements, and security architecture, Future Gener. Comput. Syst. 61 (2016) 128–136.
[18] R. Alguliyev, Y. Imamverdiyev, L. Sukhostat, Cyber-physical systems and their security issues, Comput. Ind. 100 (2018) 212–223.
[19] H. Ye, X. Cheng, M. Yuan, L. Xu, J. Gao, C. Cheng, A survey of security and privacy in big data, in: Communications and Information Technologies (ISCIT), 2016 16th International Symposium on, IEEE, 2016, pp. 268–272.
[20] H. Ye, X. Cheng, M. Yuan, L. Xu, J. Gao, C. Cheng, A survey of security and privacy in big data.
[21] J.S. Kumar, D.R. Patel, A survey on internet of things: security and privacy issues, Int. J. Comput. Appl. 90 (11) (2014).
[22] R.E. Johnson, Survey of SCADA security challenges and potential attack vectors, in: Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, IEEE, 2010, pp. 1–5.
[23] O. Kocabas, T. Soyata, M.K. Aktas, Emerging security mechanisms for medical cyber physical systems, IEEE/ACM Trans. Comput. Biol. Bioinform. 13 (3) (2016) 401–416.
[24] C. Lai, P. Cordeiro, A. Hasandka, N. Jacobs, S. Hossain-McKenzie, D. Jose, D. Saleem, M. Martin, Cryptography considerations for distributed energy resource systems, in: 2019 IEEE Power and Energy Conference at Illinois (PECI), IEEE, 2019, pp. 1–7.
[25] Y. Ashibani, Q.H. Mahmoud, Cyber physical systems security: analysis, challenges and solutions, Comput. Secur. 68 (2017) 81–97.
[26] R. Mahmoud, T. Yousuf, F. Aloul, I. Zualkernan, Internet of things (IoT) security: current status, challenges and prospective measures, in: 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), IEEE, 2015, pp. 336–341.
[27] N. Gaddam, G.S.A. Kumar, A.K. Somani, Securing physical processes against cyber attacks in cyber-physical systems, in: Proc. Nat. Workshop Res. High-Confidence Transp. Cyber-Phys. Systems, Autom., Aviation Rail, 2008, pp. 1–3.
[28] K. Zhao, L. Ge, A survey on the internet of things security, in: 2013 Ninth International Conference on Computational Intelligence and Security, IEEE, 2013, pp. 663–667.
[29] R. Khan, S.U. Khan, R. Zaheer, S. Khan, Future internet: the internet of things architecture, possible applications and key challenges, in: 2012 10th International Conference on Frontiers of Information Technology, IEEE, 2012, pp. 257–260.
[30] Y. Geng, C.-m. Rong, C. Veigner, J.-T. Wang, H.-B. Cheng, Identity-based key agreement and encryption for wireless sensor networks, J. China Univ. Posts Telecommun. 13 (4) (2006) 54–60.
[31] Q. Jing, A.V. Vasilakos, J. Wan, J. Lu, D. Qiu, Security of the internet of things: perspectives and challenges, Wirel. Netw. 20 (8) (2014) 2481–2501.
[32] A.D. Wood, J.A. Stankovic, Security of distributed, ubiquitous, and embedded computing platforms, Wiley Handb. Sci. Technol. Homel. Secur. (2008) 1.
[33] M. Wu, T.-J. Lu, F.-Y. Ling, J. Sun, H.-Y. Du, Research on the architecture of internet of things, in: 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE), 5, IEEE, 2010, pp. V5–484.
[34] T. Sommestad, G.N. Ericsson, J. Nordlander, SCADA system cyber security: a comparison of standards, in: Power and Energy Society General Meeting, 2010 IEEE, IEEE, 2010, pp. 1–8.
[35] B. Zhu, S. Sastry, SCADA-specific intrusion detection/prevention systems: a survey and taxonomy, in: Proceedings of the 1st Workshop on Secure Control Systems (SCS), 11, 2010, p. 7.
[36] V. Sridharan, Cyber security in power systems, Georgia Institute of Technology, 2012 Ph.D. thesis.
[37] J. Weiss, Protecting Industrial Control Systems from Electronic Threats, Momentum Press, 2010.
[38] W. Hu, J. Oberg, J. Barrientos, D. Mu, R. Kastner, Expanding gate level information flow tracking for multilevel security, IEEE Embed. Syst. Lett. 5 (2) (2013) 25–28.
[39] H. Gao, Y. Peng, K. Jia, Z. Dai, T. Wang, The design of ICS testbed based on emulation, physical, and simulation (EPS-ICS testbed), in: 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, IEEE, 2013, pp. 420–423.
[40] A. Saqib, R.W. Anwar, O.K. Hussain, M. Ahmad, M.A. Ngadi, M.M. Mohamad, Z. Malki, C. Noraini, B.A. Jnr, R. Nor, et al., Cyber security for cyber physical systems: a trust-based approach, J. Theor. Appl. Inf. Technol. 71 (2) (2015) 144–152.
[41] B. Zhang, X.-X. Ma, Z.-G. Qin, Security architecture on the trusting internet of things, J. Electron. Sci. Technol. 9 (4) (2011) 364–367.
[42] J. Clause, A. Orso, Camouflage: automated anonymization of field data, in: 2011 33rd International Conference on Software Engineering (ICSE), IEEE, 2011, pp. 21–30.
[43] S.P. Pomroy, R.R. Lake, T.A. Dunn, Data masking system and method, 2011, US Patent 7,974,942.
[44] C. Konstantinou, M. Maniatakos, F. Saqib, S. Hu, J. Plusquellic, Y. Jin, Cyber-physical systems: a security perspective, in: 2015 20th IEEE European Test Symposium (ETS), IEEE, 2015, pp. 1–8.
[45] S. Raza, Lightweight security solutions for the internet of things, Mälardalen University, Västerås, Sweden, 2013 Ph.D. thesis.
[46] J. Gubbi, R. Buyya, S. Marusic, M. Palaniswami, Internet of things (IoT): a vision, architectural elements, and future directions, Future Gener. Comput. Syst. 29 (7) (2013) 1645–1660.
[47] D.C. Mazur, R.D. Quint, V.A. Centeno, Time synchronization of automation controllers for power applications, in: 2012 IEEE Industry Applications Society Annual Meeting, IEEE, 2012, pp. 1–8.
[48] U. Morelli, L. Nicolodi, S. Ranise, An open and flexible cybersecurity training laboratory in IT/OT infrastructures, in: Computer Security, Springer, 2019, pp. 140–155.
[49] S.R. Vogel, S.J. Zack, Method and apparatus providing remote reprogramming of programmable logic devices using embedded JTAG physical layer and protocol, 2006, US Patent 7,155,711.
[50] A. Ardanza, A. Moreno, Á. Segura, M. de la Cruz, D. Aguinaga, Sustainable and flexible industrial human machine interfaces to support adaptable applications in the industry 4.0 paradigm, Int. J. Prod. Res. 57 (12) (2019) 4045–4059.
[51] J.R. Saunders, Automated remote telemetry paging system, 1989, US Patent 4,856,047.
[52] K. Stouffer, J. Falco, Guide to Supervisory control and data acquisition (SCADA) and industrial control systems security, National Institute of Standards and Technology, 2006.
[53] R.E. Zapolin, Remote terminal industrial control communication system, 1992, US Patent 5,122,948.
[54] M. Geilen, S. Tripakis, M. Wiggers, The earlier the better: a theory of timed actor interfaces, in: Proceedings of the 14th International Conference on Hybrid Systems: Computation and Control, ACM, 2011, pp. 23–32.
[55] P.A. Vicaire, E. Hoque, Z. Xie, J.A. Stankovic, Bundle: a group-based programming abstraction for cyber-physical systems, IEEE Trans. Ind. Inform. 8 (2) (2012) 379–392.
[56] A. Canedo, E. Schwarzenbach, M.A. Al Faruque, Context-sensitive synthesis of executable functional models of cyber-physical systems, in: Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, ACM, 2013, pp. 99–108.
[57] Z. Zhang, J. Porter, E. Eyisi, G. Karsai, X. Koutsoukos, J. Sztipanovits, Co-simulation framework for design of time-triggered cyber physical systems, in: Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, ACM, 2013, pp. 119–128.
[58] F. Hu, Y. Lu, A.V. Vasilakos, Q. Hao, R. Ma, Y. Patil, T. Zhang, J. Lu, X. Li, N.N. Xiong, Robust cyber-physical systems: concept, models, and implementation, Future Gener. Comput. Syst. 56 (2016) 449–475.
[59] Y. Tan, M.C. Vuran, S. Goddard, Y. Yu, M. Song, S. Ren, A concept lattice-based event model for cyber-physical systems, in: Proceedings of the 1st ACM/IEEE International Conference on Cyber-Physical Systems, ACM, 2010, pp. 50–60.
[60] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, S. Yovine, The algorithmic analysis of hybrid systems, Theor. Comput. Sci. 138 (1) (1995) 3–34.
[61] P.J. Antsaklis, J.A. Stiver, M. Lemmon, Hybrid system modeling and autonomous control systems, in: Hybrid Systems, Springer, 1992, pp. 366–392.
[62] Y. Yalei, Z. Xingshe, Cyber-physical systems modeling based on extended hybrid automata, in: 2013 International Conference on Computational and Information Sciences, IEEE, 2013, pp. 1871–1874.
[63] A. Benveniste, T. Bourke, B. Caillaud, M. Pouzet, Hybrid systems modeling challenges caused by cyber-physical systems, Cyber-Phys. Syst. (CPS) Found. Chall. (2013). Available on-line: http://people.rennes.inria.fr/Albert.Benveniste/pub/NIST2012.pdf
[64] P. Kumar, D. Goswami, S. Chakraborty, A. Annaswamy, K. Lampka, L. Thiele, A hybrid approach to cyber-physical systems verification, in: DAC Design Automation Conference 2012, IEEE, 2012, pp. 688–696.
[65] T. Tidwell, X. Gao, H.-M. Huang, C. Lu, S. Dyke, C. Gill, Towards configurable real-time hybrid structural testing: a cyber-physical system approach, in: 2009 IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, IEEE, 2009, pp. 37–44.
[66] M. Jianhui, Event driven monitoring of cyber-physical systems based on hybrid automata, Natl. Univ. Defense Technol. Changsha (2011).
[67] C.-W. Ten, C.-C. Liu, G. Manimaran, Vulnerability assessment of cybersecurity for SCADA systems, IEEE Trans. Power Syst. 23 (4) (2008) 1836–1846.
[68] R. Godreau, SCADA systems and their vulnerabilities within the Smart Grid: Can they be defended from a cyber attack, Utica College, 2013 Ph.D. thesis.
[69] K. Coffey, R. Smith, L. Maglaras, H. Janicke, Vulnerability analysis of network scanning on SCADA systems, Secur. Commun. Netw. 2018 (2018).
[70] F.M. Cleveland, Cyber security issues for advanced metering infrastructure (AMI), in: Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century, 2008 IEEE, IEEE, 2008, pp. 1–5.
[71] A.R. Metke, R.L. Ekl, Smart grid security technology, in: Innovative Smart Grid Technologies (ISGT), 2010, IEEE, 2010, pp. 1–7.
[72] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, et al., Comprehensive experimental analyses of automotive attack surfaces, in: USENIX Security Symposium, San Francisco, 2011, pp. 77–92.
J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201 27

[73] M. Rushanan, A.D. Rubin, D.F. Kune, C.M. Swanson, Sok: security and privacy [107] R. Chavez, W. Kranich, A. Casella, Red october and its reincarnation, Bost.
in implantable medical devices and body area networks, in: 2014 IEEE Sym- Univ.| CS558 Netw. Secur (2015).
posium on Security and Privacy (SP), IEEE, 2014, pp. 524–539. [108] H. Mwiki, T. Dargahi, A. Dehghantanha, K.-K.R. Choo, Analysis and triage of
[74] R. de Oliveira Albuquerque, L.J.G. Villalba, A.L.S. Orozco, R.T. de Sousa Júnior, advanced hacking groups targeting western countries critical national infras-
T.-H. Kim, Leveraging information security and computational trust for cyber- tructure: Apt28, red october, and regin, in: Critical Infrastructure Security and
security, J. Supercomput. 72 (10) (2016) 3729–3763. Resilience, Springer, 2019, pp. 221–244.
[75] K. Munro, Deconstructing flame: the limitations of traditional defences, Com- [109] S. Zhioua, The middle east under malware attack dissecting cyber weapons,
put. Fraud Secur. 2012 (10) (2012) 8–11. in: 2013 IEEE 33rd International Conference on Distributed Computing Sys-
[76] B. Miller, D. Rowe, A survey SCADA of and critical infrastructure incidents, in: tems Workshops, IEEE, 2013, pp. 11–16.
Proceedings of the 1st Annual Conference on Research in Information Tech- [110] Z. Dehlawi, N. Abokhodair, Saudi arabia’s response to cyber conflict: a case
nology, ACM, 2012, pp. 51–56. study of the shamoon malware incident, in: 2013 IEEE International Confer-
[77] P. McDaniel, S. McLaughlin, Security and privacy challenges in the smart grid, ence on Intelligence and Security Informatics, IEEE, 2013, pp. 73–75.
IEEE Secur. Priv. 7 (3) (2009) 75–77. [111] A. Alabdulatif, Cybercrime and Analysis of Laws in Kingdom of Saudi Arabia,
[78] J. Vávra, M. Hromada, An evaluation of cyber threats to industrial control 2018 Ph.D. thesis.
systems, in: International Conference on Military Technologies (ICMT) 2015, [112] K. Geers, D. Kindlund, N. Moran, R. Rachwald, World war c: understanding
IEEE, 2015, pp. 1–5. nation-state motives behind today’s advanced cyber attacks, Tech. Rep., Fire-
[79] D. Halperin, T.S. Heydt-Benjamin, K. Fu, T. Kohno, W.H. Maisel, Security and Eye, Milpitas, CA, USA, Sep 2014.
privacy for implantable medical devices, IEEE Perv. Comput. (1) (2008) 30–39. [113] G. Wangen, The role of malware in reported cyber espionage: a review of the
[80] I. Lee, O. Sokolsky, S. Chen, J. Hatcliff, E. Jee, B. Kim, A. King, M. Mullen– impact and mechanism, Information 6 (2) (2015) 183–211.
Fortino, S. Park, A. Roederer, et al., Challenges and research directions in [114] M. Gaietta, The Trajectory of Iran’s Nuclear Program, Springer, 2016.
medical cyber-physical systems, Proc. IEEE 100 (1) (2012) 75–90. [115] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, Inside the
[81] R. Brooks, S. Sander, J. Deng, J. Taiber, Automotive system security: chal- slammer worm, IEEE Secur. Priv. (4) (2003) 33–39.
lenges and state-of-the-art, in: Proceedings of the 4th Annual Workshop on [116] A. Simmonds, P. Sandilands, L. Van Ekert, An ontology for network se-
Cyber Security and Information Intelligence Research: Developing Strategies curity attacks, in: Asian Applied Computing Conference, Springer, 2004,
to Meet the Cyber Security and Information Intelligence Challenges Ahead, pp. 317–323.
ACM, 2008, p. 26. [117] G. Francia III, D. Thornton, T. Brookshire, Cyberattacks on SCADA systems, in:
[82] H. Zeynal, M. Eidiani, D. Yazdanpanah, Intelligent substation automation sys- Proc. 16th Colloquium Inf. Syst. Security Educ, 2012, pp. 9–14.
tems for robust operation of smart grids, in: 2014 IEEE Innovative Smart Grid [118] P.S. Ryan, War, peace, or stalemate: wargames, wardialing, wardriving, and
Technologies-Asia (ISGT ASIA), IEEE, 2014, pp. 786–790. the emerging market for hacker ethics, Va. JL Tech. 9 (2004) 1.
[83] T.M. Chen, J.C. Sanchez-Aarnoutse, J. Buford, Petri net modeling of cyber– [119] H. Demirci, A.A. Selçuk, A meet-in-the-middle attack on 8-round AES,
physical attacks on smart grid, IEEE Trans. Smart Grid 2 (4) (2011) 741–749. in: International Workshop on Fast Software Encryption, Springer, 2008,
[84] S.M. Amin, Securing the electricity grid, Bridge 40 (1) (2010) 19–20. pp. 116–126.
[85] T. Force, Final report on the august 14, 2003 blackout in the United States [120] A. D’Amico, C. Verderosa, C. Horn, T. Imhof, Integrating physical and cyber se-
and Canada: Causes and recommendations, US-Canada power system outage curity resources to detect wireless threats to critical infrastructure, in: Tech-
task force, 2004. nologies for Homeland Security (HST), 2011 IEEE International Conference on,
[86] Y.-S. Eun, J.S. Aßmann, Cyberwar: taking stock of security and warfare in the IEEE, 2011, pp. 494–500.
digital age, Int. Stud. Perspect. 17 (3) (2016) 343–360. [121] G. Francia III, D. Thornton, T. Brookshire, Wireless vulnerability of SCADA
[87] C.M. Davidson, M.J. Santorelli, Realizing the smart grid imperative, 2011. systems, in: Proceedings of the 50th Annual Southeast Regional Conference,
[88] J. Moteff, Risk Management and Critical Infrastructure Protection: Assessing, ACM, 2012, pp. 331–332.
Integrating, and Managing Threats, Vulnerabilities and Consequences, Library [122] T. Paukatong, SCADA security: a new concerning issue of an in-house egat-S-
of Congress Washington DC Congressional Research Service, 2005. CADA, in: Transmission and Distribution Conference and Exhibition: Asia and
[89] B. Zhu, A. Joseph, S. Sastry, A taxonomy of cyber attacks on SCADA systems, Pacific, 2005 IEEE/PES, IEEE, 2005, pp. 1–5.
in: 2011 International Conference on Internet of Things and 4th International [123] I.N. Fovino, A. Carcano, M. Masera, A. Trombetta, An experimental investiga-
Conference on Cyber, Physical and Social Computing, IEEE, 2011, pp. 380–388. tion of malware attacks on SCADA systems, Int. J. Critical Infrastruct. Prot. 2
[90] T. Nash, Backdoors and holes in network perimeters, 2005. Online]: http:// (4) (2009) 139–145.
ics- cert.us- cert.gov/controlsystems [124] R. Tsang, Cyberthreats, vulnerabilities and attacks on scada networks, Uni-
[91] S. Amin, X. Litrico, S. Sastry, A.M. Bayen, Cyber security of water SCADA sys- versity of California, Berkeley, Working Paper, 2010. http://gspp.berkeley.edu/
tems-part I: Analysis and experimentation of stealthy deception attacks, IEEE iths/Tsang_SCADA%20Attacks.pdf(as of Dec. 28, 2011)
Trans. Control Syst. Technol. 21 (5) (2012) 1963–1970. [125] P. Huitsing, R. Chandia, M. Papa, S. Shenoi, Attack taxonomies for the modbus
[92] E. Byres, J. Lowe, The myths and facts behind cyber security risks for in- protocols, Int. J. Critical Infrastruct. Prot. 1 (2008) 37–44.
dustrial control systems, in: Proceedings of the VDE Kongress, 116, 2004, [126] D. Mashima, A.A. Cárdenas, Evaluating electricity theft detectors in smart grid
pp. 213–218. networks, in: International Workshop on Recent Advances in Intrusion Detec-
[93] S. Amin, G.A. Schwartz, A. Hussain, In quest of benchmarking security risks tion, Springer, 2012, pp. 210–229.
to cyber-physical systems, IEEE Netw. 27 (1) (2013) 19–24. [127] W. Wang, Z. Lu, Cyber security in the smart grid: survey and challenges, Com-
[94] E. Iasiello, Cyber attack: a dull tool to shape foreign policy, in: 2013 5th In- put. Netw. 57 (5) (2013) 1344–1371.
ternational Conference on Cyber Conflict (CYCON 2013), IEEE, 2013, pp. 1–18. [128] R. Santamarta, Here be backdoors: a journey into the secrets of industrial
[95] V.C. Gungor, D. Sahin, T. Kocak, S. Ergut, C. Buccella, C. Cecati, G.P. Hancke, firmware, Black Hat USA (2012).
Smart grid technologies: communication technologies and standards, IEEE [129] S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, K. Fu, They can hear your
Trans. Ind. Inform. 7 (4) (2011) 529–539. heartbeats: non-invasive security for implantable medical devices, in: ACM
[96] J.W. Jorgensen, Transmission control protocol/internet protocol (TCP/IP) SIGCOMM Computer Communication Review, 41, ACM, 2011, pp. 2–13.
packet-centric wireless point to multi-point (PTMP) transmission system ar- [130] D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Mor-
chitecture, 2005, US Patent 6,862,622. gan, K. Fu, T. Kohno, W.H. Maisel, Pacemakers and implantable cardiac de-
[97] A. Nicholson, S. Webber, S. Dyer, T. Patel, H. Janicke, SCADA security in the fibrillators: Software radio attacks and zero-power defenses, in: Security and
light of cyber-warfare, Comput. Secur. 31 (4) (2012) 418–436. Privacy, 2008. SP 2008. IEEE Symposium on, IEEE, 2008, pp. 129–142.
[98] R. Srinivasan, Rpc: remote procedure call protocol specification version 2 [131] J. Radcliffe, Hacking medical devices for fun and insulin: breaking the human
(1995). SCADA system, in: Black Hat Conference Presentation Slides, 2011, 2011.
[99] M. Dondo, J. Risto, R. Sawilla, Reliability of exploits and consequences for de- [132] U.E. Larson, D.K. Nilsson, Securing vehicles against cyber attacks, in: Proceed-
cision support, Tech. Rep. (2015) 1–16. ings of the 4th Annual Workshop on Cyber Security and Information Intelli-
[100] S. Karnouskos, Stuxnet worm impact on industrial cyber-physical system se- gence Research: Developing Strategies to Meet the Cyber Security and Infor-
curity, in: IECON 2011-37th Annual Conference of the IEEE Industrial Elec- mation Intelligence Challenges Ahead, ACM, 2008, p. 30.
tronics Society, IEEE, 2011, pp. 4490–4494. [133] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy,
[101] T.M. Chen, S. Abu-Nimeh, Lessons from stuxnet, Computer 44 (4) (2011) B. Kantor, D. Anderson, H. Shacham, et al., Experimental security analysis of a
91–93. modern automobile, in: Security and Privacy (SP), 2010 IEEE Symposium on,
[102] B. Bencsáth, G. Pék, L. Buttyán, M. Felegyhazi, The cousins of stuxnet: duqu, IEEE, 2010, pp. 447–462.
flame, and gauss, Future Internet 4 (4) (2012) 971–1003. [134] R.M. Ishtiaq Roufa, H. Mustafaa, S.O. Travis Taylora, W. Xua, M. Gruteserb,
[103] B. Bencsáth, G. Ács-Kurucz, G. Molnár, G. Vaspöri, L. Buttyán, R. Kamarás, W. Trappeb, I. Seskarb, Security and privacy vulnerabilities of in-car wireless
Duqu 2.0: a comparison to duqu, Budapest. Retriev. 27 (February 2015) 2016. networks: a tire pressure monitoring system case study, in: 19th USENIX Se-
[104] B. Bencsáth, G. Pék, L. Buttyán, M. Félegyházi, Duqu: a stuxnet-like malware curity Symposium, Washington DC, 2010, pp. 11–13.
found in the wild, CrySyS Lab Tech. Rep. 14 (2011) 1–60. [135] D. MacDonald, S.L. Clements, S.W. Patrick, C. Perkins, G. Muller, M.J. Lancaster,
[105] D. Storm, Gauss malware: nation-state cyber-espionage banking trojan re- W. Hutton, Cyber/physical security vulnerability assessment integration, in:
lated to flame, stuxnet, Computerworld 9 (2012). Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES, IEEE, 2013, pp. 1–6.
[106] A. Leedom, Stuxnet-risk & uncertainty in the first salvo of global cyber war- [136] Y. Mo, T.H.-J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, B. Sinopoli, Cy-
fare, SAIS Europe J. Glob. Aff. (2016). ber–physical security of a smart grid infrastructure, Proc. IEEE 100 (1) (2012)
195–209.
28 J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201

[137] H. He, J. Yan, Cyber-physical attacks and defences in the smart grid: a survey, [169] J. Owens, J. Matthews, A study of passwords and methods used in brute-force
IET Cyber-Phys. Syst. 1 (1) (2016) 13–27. SSH attacks, USENIX Workshop on Large-Scale Exploits and Emergent Threats
[138] H. Fawzi, P. Tabuada, S. Diggavi, Secure estimation and control for cyber– (LEET), 2008.
physical systems under adversarial attacks, IEEE Trans. Autom. Control 59 (6) [170] A. Narayanan, V. Shmatikov, Fast dictionary attacks on passwords using
(2014) 1454–1467. time-space tradeoff, in: Proceedings of the 12th ACM Conference on Com-
[139] M.N. Al-Mhiqani, R. Ahmad, W. Yassin, A. Hassan, Z.Z. Abidin, N.S. Ali, puter and Communications Security, ACM, 2005, pp. 364–372.
K.H. Abdulkareem, Cyber-security incidents: a review cases in cyber-physical [171] D.P. Jablon, Extended password key exchange protocols immune to dictionary
systems, Int. J. Adv. Comput. Sci. Appl. 9 (1) (2018) 499–508. attack, in: Proceedings of IEEE 6th Workshop on Enabling Technologies: In-
[140] D. Albright, P. Brannan, C. Walrond, Stuxnet malware and natanz: update of frastructure for Collaborative Enterprises, IEEE, 1997, pp. 248–255.
isis december 22, 2010 report, Inst. Sci. Int. Secur. 15 (2011) 739883–739893. [172] P. Papantonakis, D. Pnevmatikatos, I. Papaefstathiou, C. Manifavas, Fast, FP-
[141] J. Slay, M. Miller, Lessons learned from the maroochy water breach, in: In- GA-based rainbow table creation for attacking encrypted mobile communi-
ternational Conference on Critical Infrastructure Protection, Springer, 2007, cations, in: 2013 23rd International Conference on Field programmable Logic
pp. 73–82. and Applications, IEEE, 2013, pp. 1–6.
[142] L. Fillatre, I. Nikiforov, P. Willett, et al., Security of SCADA systems against [173] M. Bellare, T. Kohno, Hash function balance and its impact on birthday at-
cyber–physical attacks, IEEE Aerosp. Electron. Syst. Mag. 32 (5) (2017) 28–45. tacks, in: International Conference on the Theory and Applications of Crypto-
[143] M.J. Credeur, Fbi probes georgia water plant break-in on terror concern, 2013. graphic Techniques, Springer, 2004, pp. 401–418.
[144] F.Y. Rashid, Telvent hit by sophisticated cyber-attack, SCADA admin tool com- [174] P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin,
promised, Retrieved from SecurityWeek website:http://www.securityweek. L.F. Cranor, J. Lopez, Guess again (and again and again): measuring password
com/telvent- hit- sophisticated- cyber- attack- scada- admin- tool- compromised strength by simulating password-cracking algorithms, in: 2012 IEEE Sympo-
(2012). sium on Security and Privacy, IEEE, 2012, pp. 523–537.
[145] B. Krebs, Cyber incident blamed for nuclear power plant shutdown, Washing- [175] N. Provos, M. Friedl, P. Honeyman, Preventing privilege escalation., USENIX
ton Post 5 (2008) June2008. Security Symposium, 2003.
[146] T. Flick, J. Morehouse, Securing the Smart Grid: Next Generation Power Grid [176] S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, Xmandroid: a new
Security, Elsevier, 2010. android evolution to mitigate privilege escalation attacks, Technical Report
[147] L. Ray, Cyber-physical systems: an overview of design process, applications, TR-2011-04, Technische Universität Darmstadt, 2011.
and security, in: Cyber Warfare and Terrorism: Concepts, Methodologies, [177] M. Al-Shurman, S.-M. Yoo, S. Park, Black hole attack in mobile ad hoc net-
Tools, and Applications, IGI Global, 2020, pp. 128–150. works, in: Proceedings of the 42nd Annual Southeast Regional Conference,
[148] M. Choraś, R. Kozik, A. Flizikowski, W. Hołubowicz, R. Renk, Cyber threats 2004, pp. 96–97.
impacting critical infrastructures, in: Managing the Complexity of Critical In- [178] P. Solankar, S. Pingale, R. Parihar, Denial of service attack and classification
frastructures, Springer, Cham, 2016, pp. 139–161. techniques for attack detection, Int. J. Comput. Sci. Inf. Technol. 6 (2) (2015)
[149] T. Kiravuo, M. Särelä, J. Manner, Weapons against cyber-physical targets, in: 1096–1099.
2013 IEEE 33rd International Conference on Distributed Computing Systems [179] F. Yihunie, E. Abdelfattah, A. Odeh, Analysis of ping of death DoS and DDoS
Workshops, IEEE, 2013, pp. 321–326. attacks, in: 2018 IEEE Long Island Systems, Applications and Technology Con-
[150] Y.Y. Haimes, Risk of terrorism to cyber-physical and organizational-societal ference (LISAT), IEEE, 2018, pp. 1–4.
infrastructures, Public Works Manag. Policy 6 (4) (2002) 231–240. [180] S. Kumar, Smurf-based distributed denial of service (DDoS) attack amplifica-
[151] A. Gupta, M. Kumar, S. Hansel, A.K. Saini, Future of all technologies-the cloud tion in internet, in: Second International Conference on Internet Monitoring
and cyber physical systems, Future 2 (2) (2013). and Protection (ICIMP 2007), IEEE, 2007, p. 25.
[152] A. Yeboah-ofori, J.-D. Abdulai, F. Katsriku, Cybercrime and risks for cyber [181] R. Khan, P. Maynard, K. McLaughlin, D. Laverty, S. Sezer, Threat analysis of
physical systems: a review (2018). blackenergy malware for synchrophasor based real-time control and moni-
[153] K. Alenius, M. Warren, An exceptional war that ended in victory for estonia or toring in smart grid, in: 4th International Symposium for ICS & SCADA Cyber
an ordinary e-disturbance? Estonian narratives of the cyber-attacks in 2007, Security Research 2016 4, 2016, pp. 53–63.
in: Institute Ecole Supérieure en Informatique Electronique et Automatique, [182] A. Cherepanov, R. Lipovsky, Blackenergy–what we really know about the no-
Laval, France 5-6 July 2012 Edited by, 2012, p. 18. torious cyber attacks, Virus Bull. (October 2016).
[154] M. Kaeo, Cyber attacks on estonia: short synopsis, Double Shot Security. http: [183] E. Kovacs, Blackenergy malware used in ukraine power grid attacks, 2016.
//www.doubleshotsecurity.com/pdf/NANOG_eesti.pdf (accessed 18 July 2009) [184] J. Lemon, et al., Resisting SYN flood DoS attacks with a SYN cache, in: BSDCon,
(2007). 20 02, 20 02, pp. 89–97.
[155] G.T. Donovan Jr., Russian Operational Art in the Russo-Georgian War of 2008, [185] D. Antonioli, G. Bernieri, N.O. Tippenhauer, Taking control: design and im-
Technical Report, ARMY WAR COLL CARLISLE BARRACKS PA, 2009. plementation of botnets for cyber-physical attacks with cpsbot, arXiv:1802.
[156] M.M. Saudi, S. Sukardi, N.A.A.A. Aziz, A. Ahmad, M. Husainiamer, Malware 00152(2018).
classification for cyber physical system (CPS) based on phylogenetics. [186] K.I. Sgouras, A.N. Kyriakidis, D.P. Labridis, Short-term risk assessment of bot-
[157] A. Yeboah-Ofori, J.-D. Abdulai, F. Katsriku, Cybercrime and risks for cyber net attacks on advanced metering infrastructure, IET Cyber-Phys. Syst. 2 (3)
physical systems 2019., Int. J. Cyber-Secur. Digital Forensics 8 (1) (2019) (2017) 143–151.
43–58. [187] F. Shrouf, J. Ordieres, G. Miragliotta, Smart factories in industry 4.0: a review
[158] K. Barakat, Does Lebanon possess the capabilities to defend itself from cy- of the concept and of energy management approached in production based
ber-theats? Learning from Estonia’s experience.(c2019), Lebanese American on the internet of things paradigm, in: Industrial Engineering and Engineer-
University, 2019 Ph.D. thesis. ing Management (IEEM), 2014 IEEE International Conference on, IEEE, 2014,
[159] A.J. Hejase, H.J. Hejase, J.A. Hejase, Cyber warfare awareness in lebanon: ex- pp. 697–701.
ploratory research, Int. J. Cyber-Secur. Digital Forensics (IJCSDF) 4 (4) (2015) [188] L. De Carli, R. Torres, G. Modelo-Howard, A. Tongaonkar, S. Jha, Botnet
482–497. protocol inference in the presence of encrypted traffic, in: IEEE INFOCOM
[160] T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, A.-R. Sadeghi, 2017-IEEE Conference on Computer Communications, IEEE, 2017, pp. 1–9.
G. Tsudik, C-flat: control-flow attestation for embedded systems software, in: [189] C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, Ddos in the IoT: mirai and other
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Commu- botnets, Computer 50 (7) (2017) 80–84.
nications Security, ACM, 2016, pp. 743–754. [190] J. Seering, J.P. Flores, S. Savage, J. Hammer, The social roles of bots: evalu-
[161] D.D. Chen, M. Woo, D. Brumley, M. Egele, Towards automated dynamic anal- ating impact of bots on discussions in online communities, Proc.ACM Hum.
ysis for linux-based embedded firmware., NDSS, 2016. Comput. Interact. 2 (CSCW) (2018) 1–29.
[162] A. Francillon, C. Castelluccia, Code injection attacks on harvard-architecture [191] P. Rascagneres, E. Willems, Regin, an old but sophisticated cyber espionage
devices, in: Proceedings of the 15th ACM Conference on Computer and Com- toolkit platform (2016).
munications Security, ACM, 2008, pp. 15–26. [192] K. Zdravkova, Reconsidering human dignity in the new era, New Ideas Psy-
[163] R. Roemer, E. Buchanan, H. Shacham, S. Savage, Return-oriented program- chol. 54 (2019) 112–117.
ming: systems, languages, and applications, ACM Trans. Inf. Syst. Secur. (TIS- [193] V. Boinapally, G. Hsieh, K.S. Nauer, Building a Gh0st malware experimenta-
SEC) 15 (1) (2012) 2. tion environment, in: Proceedings of the International Conference on Security
[164] H. Alemzadeh, D. Chen, X. Li, T. Kesavadas, Z.T. Kalbarczyk, R.K. Iyer, Targeted and Management (SAM), The Steering Committee of The World Congress in
attacks on teleoperated surgical robots: Dynamic model-based detection and Computer Science, Computer, 2017, pp. 89–95.
mitigation, in: Dependable Systems and Networks (DSN), 2016 46th Annual [194] S. Murdoch, N. Leaver, Anonymity vs. trust in cyber-security collaboration, in:
IEEE/IFIP International Conference on, IEEE, 2016, pp. 395–406. Proceedings of the 2nd ACM Workshop on Information Sharing and Collabo-
[165] H. Hu, S. Shinde, S. Adrian, Z.L. Chua, P. Saxena, Z. Liang, Data-oriented pro- rative Security, ACM, 2015, pp. 27–29.
gramming: on the expressiveness of non-control data attacks, in: Security [195] L. Hendraningrat, S. Li, O. Torsæter, A coreflood investigation of nanofluid en-
and Privacy (SP), 2016 IEEE Symposium on, IEEE, 2016, pp. 969–986. hanced oil recovery, J. Pet. Sci. Eng. 111 (2013) 128–138.
[166] V.N. Gudivada, S. Ramaswamy, S. Srinivasan, Data management issues in [196] B. Farinholt, M. Rezaeirad, P. Pearce, H. Dharmdasani, H. Yin, S. Le Blond,
cyber-physical systems, in: Transportation Cyber-Physical Systems, Elsevier, D. McCoy, K. Levchenko, To catch a ratter: monitoring the behavior of am-
2018, pp. 173–200. ateur darkcomet rat operators in the wild, in: 2017 IEEE Symposium on Se-
[167] G. Loukas, Cyber-Physical Attacks: A Growing Invisible Threat, Butter- curity and Privacy (SP), IEEE, 2017, pp. 770–787.
worth-Heinemann, 2015. [197] S. Hilt, L.A. Remorin, How cybercriminals can abuse chat platform APIs as
[168] L. Davi, A. Dmitrienko, A.-R. Sadeghi, M. Winandy, Privilege escalation attacks C&C infrastructures.
on android, in: International Conference on Information Security, Springer, [198] A. Gostev, R. Unuchek, M. Garnaeva, D. Makrushin, A. Ivanov, It threat evolu-
2010, pp. 346–360. tion in q1 2016, Kapersky 2015 Report, Kapersky L, 2016.
J.A. Yaacoub, O. Salman and H.N. Noura et al. / Microprocessors and Microsystems 77 (2020) 103201 29

[199] J. Cowie, A. Ogielski, B. Premore, Y. Yuan, Global routing instabilities triggered sessment, in: 2013 Ninth International Conference on Intelligent Information
by Code Red II and Nimda worm attacks, Technical Report, Tech. Rep., Re- Hiding and Multimedia Signal Processing, IEEE, 2013, pp. 442–447.
nesys Corporation, 2001. [231] A.M. Gamundani, An impact review on internet of things attacks, in: 2015 In-
[200] A. Machie, J. Roculan, R. Russell, M. Velzen, Nimda worm analysis, Technical ternational Conference on Emerging Trends in Networks and Computer Com-
Report, Tech. Rep., Incident Analysis, SecurityFocus, 2001. munications (ETNCC), IEEE, 2015, pp. 114–118.
[201] A.A. Di Pinto, Y. Dragoni, A. Carcano, Triton: the first ICS cyber attack on [232] K. Stouffer, J. Falco, K. Scarfone, Guide to industrial control systems (ICS) se-
safety instrument systems, in: Proc. Black Hat USA, 2018, pp. 1–26. curity, NIST Spec. Publ. 800 (82) (2011) 16.
[202] R. Prasad, V. Rohokale, Malware, in: Cyber Security: The Lifeline of Informa- [233] N. Virvilis, D. Gritzalis, The big four-what we did wrong in advanced persis-
tion and Communication Technology, Springer, 2020, pp. 67–81. tent threat detection? in: Availability, Reliability and Security (ARES), 2013
[203] D. Desai, T. Haq, Blackhole exploit kit: rise & evolution, Malware Research Eighth International Conference on, IEEE, 2013, pp. 248–254.
Team Technical Paper, 2012. [234] M. Jouini, L.B.A. Rabai, A.B. Aissa, Classification of security threats in informa-
[204] N. Adams, R. Chisnall, C. Pickering, S. Schauer, How port security has tion systems, Procedia Comput. Sci. 32 (2014) 489–496.
to evolve to address the cyber-physical security threat: lessons from the [235] A. Ahmad, Type of security threats and it’s prevention, Int. J. Comput. Tech-
SAURON project, Int. J. Transp. Dev. Integr. 4 (1) (2020) 29–41. nol. Appl. 3 (2) (2012) 750–752.
[205] J. Twist, Cyber threat report 16 jan-31 jan 2018(2018). [236] S. Ruffle, F. Caccioli, A. Coburn, S. Kelly, B. Leslie, D. Ralph, Stress test sce-
[206] M. Marquis-Boire, M. Marschalek, C. Guarnieri, Big Game Hunting: The Pe- nario: sybil logic bomb cyber catastrophe, in: Cambridge Risk Framework se-
culiarities in Nation-State Malware Research, Black Hat, Las Vegas, NV, USA, ries, Centre for Risk Studies, University of Cambridge, Cambridge Centre for
2015. Risk Studies, University of Cambridge Judge Business School, 2014, pp. 1–45.
[207] M. Marquis-Boire, B. Marzcak, C. Guarnieri, The smartphone who loved me: [237] R. Rajkumar, I. Lee, L. Sha, J. Stankovic, Cyber-physical systems: the next
finfisher goes mobile(2012). computing revolution, in: Design Automation Conference (DAC), 2010 47th
[208] J.E. Sullivan, D. Kamensky, How cyber-attacks in ukraine show the vulnera- ACM/IEEE, IEEE, 2010, pp. 731–736.
bility of the us power grid, Electr. J. 30 (3) (2017) 30–35. [238] A.N. Kandhil, A study on secure shell (SSH) protocol.
[209] D. Byrne, C. Thorpe, Jigsaw: an investigation and countermeasure for ran- [239] K. Yang, D. Blaauw, D. Sylvester, Hardware designs for security in ultra-
somware attacks, in: European Conference on Cyber Warfare and Security, -low-power IoTsystems: an overview and survey, IEEE Micro 37 (6) (2017)
Academic Conferences International Limited, 2017, pp. 656–665. 72–89.
[210] S.I. Popoola, S.O. Ojewande, F.O. Sweetwilliams, S. John, A. Atayero, et al., Ran- [240] A. Scarfo, New security perspectives around BYOD, in: 2012 Seventh Inter-
somware: current trend, challenges, and research directions, 2017. national Conference on Broadband, Wireless Computing, Communication and
[211] M.A. Branquinho, Ransomware in industrial control systems. what comes af- Applications, IEEE, 2012, pp. 446–451.
ter wannacry and Petya global attacks? WIT Trans. Built Environ. 174 (2018) [241] X. Keystone, C. ENTRIX, Comments of the sierra club, et al., to the department
329–334. of state on the supplemental draft environmental impact statement for the
[212] J.S. Aidan, H.K. Verma, L.K. Awasthi, Comprehensive survey on Petya ran- transcanada keystone xl pipeline.
somware attack, in: 2017 International Conference on Next Generation Com- [242] S. Girgin, E. Krausmann, Historical analysis of us onshore hazardous liquid
puting and Information Systems (ICNGCIS), IEEE, 2017, pp. 122–125. pipeline accidents triggered by natural hazards, J. Loss Prevent. Process Ind.
[213] A.S. Petrenko, S.A. Petrenko, K.A. Makoveichuk, P.V. Chetyrbok, Protection 40 (2016) 578–590.
model of pcs of subway from attacks type «wanna cry»,«petya» and «bad rab- [243] L. Monostori, B. Kádár, T. Bauernhansl, S. Kondoh, S. Kumara, G. Reinhart,
bit» IoT, in: 2018 IEEE Conference of Russian Young Researchers in Electrical O. Sauer, G. Schuh, W. Sihn, K. Ueda, Cyber-physical systems in manufactur-
and Electronic Engineering (EIConRus), IEEE, 2018, pp. 945–949. ing, CIRP Ann. 65 (2) (2016) 621–641.
[214] R. Brewer, Ransomware attacks: detection, prevention and cure, Netw. Secur. [244] Z. Drias, A. Serhrouchni, O. Vogel, Analysis of cyber security for industrial
2016 (9) (2016) 5–9. control systems, in: 2015 International Conference on Cyber Security of Smart
[215] K. Poulsen, Slammer worm crashed ohio nuke plant network, 2003. http:// Cities, Industrial Control System and Communications (SSIC), IEEE, 2015,
www.securityfocus.com/news/6767 pp. 1–8.
[393] H.N. Noura, R. Melki, A. Chehab, M.M. Mansour, A physical encryption scheme tion and Test, IEEE, 2014, pp. 1–4.
for low-power wireless M2M devices: a dynamic key approach, Mob. Netw. [424] R. Bell, Introduction and revision of IEC 61508, in: Advances in Systems
Appl. 24 (2018) 1–17. Safety, Springer, 2011, pp. 273–291.
[394] R. Melki, H.N. Noura, M.M. Mansour, A. Chehab, An efficient OFDM-based en- [425] R. Bell, Introduction to IEC 61508, in: ACM International Conference Proceed-
cryption scheme using a dynamic key approach, IEEE Internet of Things J. ing Series, 162, 2006, pp. 3–12.
(2018). [426] C. Miller, J. Kassie, D. Poston, et al., Assessing and computing the safety in-
[395] R. Melki, H.N. Noura, M.M. Mansour, A. Chehab, A survey on OFDM physical tegrity level (SIL) for turbo machinery protection, in: Proceedings of the 46th
layer security, Phys. Commun. 32 (2019) 1–30. Turbomachinery Symposium, Turbomachinery Laboratory, Texas A&M Engi-
[396] H. Noura, S. Hussein, S. Martin, L. Boukhatem, K. Al Agha, Erdia: an effi- neering Experiment Station, 2017.
cient and robust data integrity algorithm for mobile and wireless networks, [427] T. Goto, Electronic control unit, 2001,. US Patent App. 29/132,291.
in: Wireless Communications and Networking Conference (WCNC), 2015 IEEE, [428] N. Dellantoni, B. Schinkowitsch, A. Schoenekaes, A. Nix, N.R. Lynam, Scalable
IEEE, 2015, pp. 2103–2108. integrated electronic control unit for vehicle, 2015, US Patent 9,036,026.
[397] H. Qiu, G. Memmi, H. Noura, An efficient secure storage scheme based on in-
formation fragmentation, in: 2017 IEEE 4th International Conference on Cyber
Security and Cloud Computing (CSCloud), IEEE, 2017, pp. 108–113. Jean-Paul Yaacoub is a Master student in the department
[398] H. Noura, S. Martin, K. Al Agha, K. Chahine, ERSS-RLNC: efficient and robust of Electrical and Computer Engineering at the Arab Open
secure scheme for random linear network coding, Comput. Netw. 75 (2014) University.
99–112.
[399] H. Noura, O. Salman, A. Chehab, R. Couturier, Preserving data security in dis-
tributed fog computing, Ad Hoc Netw. 94 (2019) 101937.
[400] K. Kapusta, G. Memmi, H. Noura, Secure and resilient scheme for data pro-
tection in unattended wireless sensor networks, in: 2017 1st Cyber Security
in Networking Conference (CSNet), IEEE, 2017, pp. 1–8.
[401] K. Kapusta, G. Memmi, H. Noura, Additively homomorphic encryption and
fragmentation scheme for data aggregation inside unattended wireless sen-
sor networks, Ann. Telecommun. 74 (3-4) (2019) 157–165.
[402] R. Diba, E. Yaacoub, M. Al-Husseini, H. Noura, K. Abualsaud, T. Khattab,
M. Guizani, A simple approach for securing IoT data transmitted over mul-
Ola Salman is a PhD student in the department of Electrical and Computer Engineering at the American University of Beirut (AUB), Lebanon.

Hassan Noura is a research associate in the department of Electrical and Computer Engineering at the American University of Beirut (AUB), Lebanon.

Nesrine Kaaniche is a Lecturer in Cybersecurity and an expert in cryptographic solutions at the University of Salford, School of Computing, Science and Engineering, Greater Manchester, England.

Ali Chehab is a professor in the department of Electrical and Computer Engineering at the American University of Beirut (AUB), Lebanon.

Mohamad Malli is a professor in the department of Electrical and Computer Engineering at the Arab Open University.
