Computers in Industry 103 (2018) 97–110

Contents lists available at ScienceDirect

Computers in Industry
journal homepage: www.elsevier.com/locate/compind

Cybersecurity for Industry 4.0 in the current literature: A reference

framework
Marianna Lezzi* , Mariangela Lazoi, Angelo Corallo
Università del Salento, Dipartimento di Ingegneria dell’Innovazione, Campus Ecotekne, Via per Monteroni, s.n. 73100 Lecce Italy

A R T I C L E I N F O A B S T R A C T

Article history: The cybersecurity issues represent a complex challenge for all companies committing to Industry 4.0
Received 2 July 2018 paradigm. On the other hand, the characterization of cybersecurity concept within Industry 4.0 contexts
Received in revised form 7 September 2018 proved to be an emerging and relevant topic in the recent literature.
Accepted 10 September 2018
The paper proposes to analyse, through a systematic literature review approach, the way in which the
Available online xxx
existing state of art deals with the cybersecurity issues in Industry 4.0 contexts. In particular, the focus
will be on the investigation of the main elements associated with cybersecurity theme (i.e. asset involved
Key words:
into cyber-attacks, system vulnerabilities, cyber threats, risks and countermeasures) within those
Cybersecurity
Industry 4.0
industrial contexts where physical systems (machines, shop floors, plants) are connected each other via
Industrial Internet of Things the Internet. Four areas of analysis are defined: definitions of cybersecurity and Industry 4.0 concepts, the
Review industrial focus of the analysed studies, the cybersecurity characterization and the management
attempts of cybersecurity issues. Through the literature review analysis, a framework of the main
features characterizing each area is discussed, providing interesting evidences for future research and
applications.
© 2018 Elsevier B.V. All rights reserved.

Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2. Research method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.1. Search process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.1.1. Searching criteria definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.1.2. Papers selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.1.3. Papers assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
4. Industrial focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5. Cybersecurity characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.1. Systems vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.2. Cyber threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.3. Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.4. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6. Managing of cybersecurity issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.1. Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.2. Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
7. A framework for cybersecurity in I-4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
8. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

* Corresponding author.
E-mail address: [email protected] (M. Lezzi).

https://doi.org/10.1016/j.compind.2018.09.004
0166-3615/© 2018 Elsevier B.V. All rights reserved.
98 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
1. Introduction
An ever-increasing number of companies are approaching to
Industry 4.0 paradigm (even known as Industrial Internet of Things
or Industrial Internet), by connecting the factories and plants to the
Internet with the aim to improve their efficiency and effectiveness.
In these Internet-connected industrial contexts, the cybersecurity
issues represent one of the most relevant challenges to be dealt
with.
According to the management-consulting firm, McKinsey &
Company, Industry 4.0 transformations are potentially able to
create value equivalent to efficiency improvements of 15 to 20
percent [1]. This means a reduction of total machine downtime
thanks to predictive maintenance or remote monitoring, as well as
an increase of labour productivity due to the automation of manual
work. Moreover, a certain number of benefits result from the
possibility to analyse the huge amount of data coming from
industrial processes (for instance, from sensors and actuators
which connect machines and products to computing systems).
These benefits include the reduction of inventories and the
improvement of service levels (in terms of shorter time-to-market,
delivery time and freight costs) and of the product quality (more
compliant to the customer expectations).
Within Industry 4.0 contexts, cybersecurity plays a leading role
in preventing the loss of companies’ competitiveness. In fact,
critical industrial equipment is today vulnerable to a number of
cyber-attacks, which are able to affect the entire business model.
According to Cisco 2018 Annual Cybersecurity Reports [2], 31% of
organizations have experienced cyber-attacks on Operational
Technology (OT); while, 38% expect attacks to extend form
Information Technology to Operational Technology. Although
cybersecurity is perceived as a priority by 75% of experts, only
16% say their company is well prepared to face cybersecurity
challenges [3]. This is mainly due to the lack of accurate standards
to which companies can refer to, as well as the lack of managerial
and technical skills necessary to implement them.
European and international organizations are moving in this
direction. For instance, in 2017, European Cyber Security Organi-
zation (ESCO) collected in a document all existing standards and
specifications related to Cybersecurity in reference to the European
Digital Single Market [4]. This document helps to understand
which schemes (if existing) can be used by companies to address
the cybersecurity challenges. In addition, International Electro-
technical Commission (IEC) has published a guide on information
security and data privacy [5], which provides guidelines to be
covered in IEC publications, and explains how to implement them.
IEC Publications are recommendations (accepted by IEC National
Committees) for international use.
In the current fast-moving scenario, it is expected that
cybersecurity will become an integral part of the strategy, design,
and operations of companies that embrace Industry 4.0 paradigm.
Through a systematic literature review approach, the purpose
of the paper is to investigate cybersecurity within Industry 4.0
contexts. A reference framework as basis of future research and
Fig. 1. Cyber security definition.
applications in the field of cybersecurity management in such
Internet-connected industrial contexts will be defined.
The next section of the paper describes the research method,
and, in particular, the search process (which includes searching
criteria definition, papers selection and their assessment). In
Sections 3– 6, definitions of industry 4.0 and cybersecurity, the
target industrial focus, cybersecurity characterization and manag-
ing of cybersecurity issues, based on the literature review, are
respectively explored. The final sections, concerning findings and
conclusions, end the paper.
2. Research method
This study adopts the systematic literature review approach [6]
with the aim to characterize the cybersecurity concept within
Industry 4.0 contexts. This was achieved by investigating: the
target industries to which cybersecurity refers to and the industrial
assets damaged; the typology of cyber-threats and the resulting
risks for the industrial contexts; the countermeasures to be taken
to deal with the cyber-attack events; the guidelines and solutions
to manage cybersecurity issues.
According to the systematic approach, the literature review
process was based on keywords and search terms with a replicable
and defined search strategy. Although the literature review cannot
be considered exhaustive, this provides a significant overview of
the current role played by cybersecurity within Industries 4.0,
revealing as an emerging research field at international level.
2.1. Search process
The search process consists of three main steps: (i) definition of
searching criteria, (ii) papers selection, and (iii) papers assessment.
The papers search was carried out through three important
indexed electronic scientific databases: Scopus (www.scopus.
com), Web of Science (www.webofknowledge.com) and Scholar
(scholar.google.it). The research took place until March 2018.
Chapters of books, as well as the non-scientific material coming
from Google Scholar were not considered.
2.1.1. Searching criteria definition
The criteria for searching are based on the terms “cyberse-
curity” and “Industry 4.0”. In order to strengthen the research,
some of the most significant related words to the cybersecurity
concept, as well as the most accredited variants of Industry 4.0 are
taken into consideration.
In particular, concerning cybersecurity, the following definitions
were considered to create a properly taxonomy:
 “The ability to protect or defend the use of cyberspace from
cyber attacks” [7];
 “Preservation of confidentiality, integrity and availability of
information in the cyberspace” [8];
 “All activities necessary to protect cyberspace, its users and
impacted persons from cyber threats” [9];
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
 “The protection of information assets by addressing threats to
information processed, stored, and transported by internet-
worked information systems” [10];
 “Prevention of damage to, protection of, and restoration of
computers electronic communications systems, electronic
communication services, wire communication, and electronic
communication, including information contained therein, to
ensure its availability, integrity, authentication, confidentiality,
and nonrepudiation” [11].
In Fig. 1, a schematic view of the cybersecurity concept merges
information from the just mentioned definitions. It can be stated
that cybersecurity aims at protecting the cyberspace (which
includes both information and infrastructures) from any cyber
threat or cyber-attack. Therefore, the words “cyberspace”, “cyber
threats” and “cyber-attacks” take part of the searching criteria for
papers selection.
Due to this preliminary analysis, the first group of papers was
determined through the following searching queries:
 (“Cybersecurity” OR “cyber security”) AND (“Industry 4.0”);
 (“Cyber attack*” OR “cyber threat*” OR “cyberspace”) AND
(“security”) AND “Industry 4.0”).
On the other hand, concerning the term Industry 4.0, the Unite
States variants “Industrial Internet of Things” (even referred to
with “IIoT” or “Industrial IoT”) and “Industrial Internet” (coined by
General Electric) were considered [12]. For this reason, the second
group of papers is characterized by the following searching
queries:
 (“Cybersecurity” OR “cyber security”) AND (“Industrial Internet
of Things” OR “IIoT” OR “Industrial IoT” OR “Industrial Internet”);
 (“Cyber attack*” OR “cyber threat*” OR “cyberspace”) AND
(“security”) AND (“Industrial Internet of Things” OR “IIoT” OR
“Industrial IoT” OR “Industrial Internet”).
In the following, the analysis is based on the first and second
group of papers to identify the results of the two searching queries
here defined.
2.1.2. Papers selection
Concerning the first group of papers, the search in Scopus,
conducted into “Title”, “Keywords” and “Abstract”, returned 31
articles, three of which are written in German language. On the
other hand, the search in Web of Science, conduced into “Topic”
(involving Title, Abstract, Author Keywords and Keywords Plus),
returned 15 articles, 12 of which are the same of Scopus and two
are written in German language. Finally, the search in Scholar,
conducted into “Advanced Research” on “Article Title” returned
three articles, two of which are the same of Scopus. As a result, 30
scientific papers were identified for the first group of papers.
Regarding the second group of papers, instead, the search in
Scopus returned 24 articles, four of which have already been
considered in the first group of papers. On the other hand, the
search in Web of Science returned 13 articles, four of which have
Fig. 2. Paper selection summary.
99
already been considered in the first group of papers and five are the
same of Scopus. Finally, the search in Scholar, conducted into
“Advanced Research” on “Article Title” returned three articles, one
of which has already been considered in the first group and
another is the same of Scopus. As a result, 25 scientific papers were
identified for the second group of papers.
Overall, 55 scientific papers were identified. However, ana-
lysing the abstract of each of them, 15 papers (four coming from the
first group and eleven from the second one) were rejected since
considered off topic with respect to the objectives of this literature
review. Therefore, the selection phase conduced to 40 scientific
papers to be assessed.
In the following Fig. 2, a summary of the paper selection results
is shown.
2.1.3. Papers assessment
In order to evaluate the 40 papers selected, it was firstly defined
a matrix (see Fig. 3) to record authors notes about each of these
papers. This matrix is composed of 17 records, in which the
following information was collected: title, authors with affili-
ations, publication year, source, reference, abstract, keywords,
study focus, industry, definition of industry 4.0/Industrial Internet
of Things (and variants), definition of cyber security, industrial
asset involved into cyber security risks, systems security vulner-
abilities, cyber threats, risks related to cyber attacks, and methods
to deal with cyber security risks.
The second phase of the papers' assessment involved the
analysis, in a critical way, of the most significant information
identified for each paper. The same categories of information was
compared among all different papers and the main findings
discussed. In particular, the following areas were taken into
consideration (a schematic description is given in Fig. 4):
1 Analysis of the concept of Industry 4.0/Industrial Internet of
Things (or variants) and that of cybersecurity;
2 Definition of the target industry threatened by cybersecurity
risks and the industrial assets involved in the cyber-attack
events;
3 Characterization of the cybersecurity concept, in terms of:
systems security vulnerabilities, cyber threats, risks due to
cyber-attacks and countermeasures to be taken;
4 Overview on guidelines and solutions proposed to manage
cybersecurity issues.
The results of this comparative review are reported in the
following sections.
3. Definitions
After having analysed the first group of papers, the main
features of Industry 4.0 emerged from a certain number of
definitions; while only a paper defined the cybersecurity concept
as “the protection of theft or damage to IT hardware, software and
the data stored on the systems” [13].
A comparative analysis across the definitions of Industry 4.0 in
reference to cybersecurity, allowed us to notice that some
100 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110

Fig. 3. Evaluation matrix.

Fig. 4. Areas of analysis.

keywords (such as, Internet of Things, Cyber-Physical Systems,
manufacturing and data networking) are very common in the
selected papers (see Table 1). These words highlight that Industry
4.0 is characterized by two enabling (technological) conditions (i.e.
Internet of Things and Cyber-Physical Systems), a target industrial
context (i.e. manufacturing), and an enabled condition (i.e. data
networking). Consequently, combining all definitions, it can be
stated that Industry 4.0 is mainly associated with the concepts of
Internet of Things (IoT) and Cyber-Physical Systems (CPS) within
manufacturing industrial contexts, entailing the networking of
data coming from machines, products, people and, in general, the
interconnection of smart devices among different plants and
factories.
At the same way, due to the analysis of the second group of
papers, it was possible to investigate on the concept of Industrial
Internet of Things (IIoT), even referred as Industrial Internet by
General Electric in 2014 [22]. To this purpose, a number of
definitions were collected. On the other hand, only a paper among
those selected described cybersecurity, as that condition where “a
system does what it is supposed to do and no more” [23].
As for the first group of papers, also in this case, a comparative
analysis across IIoT definitions associated with the cybersecurity
issues have revealed some common keywords (such as, sensors,
cloud technologies, manufacturing and IoT devices networking),
which enable to characterize the IIoT concept (see Table 2). In
particular, three main elements emerged:
1 The presence of some enabling technologies (i.e. wireless sensor
networks and cloud technologies) that, with the support of
advanced industrial analytics and intelligence machine appli-
cations, play increasingly more pivotal roles in controlling and
monitoring functionalities of facilities;
2 The application of these technologies within manufacturing
industrial contexts (with particular reference to Industrial
Control Systems);
3 The fact that IoT devices (associated with machines, computers
and people) are networked.
Putting together the previous concepts, it can be stated that
Industrial Internet of Things is related to the use of wireless sensor

Table 1
Industry 4.0 key words.

Enabling (technological) conditions Industrial context Enabled condition

Industry 4.0 Internet of Things (IoT) Cyber-Physical Systems (CPS) Manufacturing Data networking
Papers reference [14–17] [16,18,19] [14–16] [14–16], [20,21], [17]
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
Table 2
IIoT key words.
Enabling (technological) conditions
Industrial Internet of Things Wireless sensor networks
Papers reference [24,25,22],
Fig. 5. Comparison between Industry 4.0 and Industrial Internet of Things.
networks (to monitor functionalities of facilities) and cloud
technologies (to manage data produced by sensors) within
manufacturing industrial contexts. In this reference, a set of IoT
devices, associated with machines, computers and people, are
networked, and communicate and interact with each other.
In the following Fig. 5, a graphic representation of the key words
associated with the concepts of Industry 4.0 and Industrial Internet
of Things in relation to cybersecurity issues.
4. Industrial focus
This section aims at analysing the types of industry and the
related assets threatened by cybersecurity issues within Industry
4.0 and Industrial Internet of Things contexts, focusing on the
industrial assets directly involved in the cyber-attack events. In the
Table 3, an overview on all selected papers is provided.
Due to the analysis of the two groups of papers, it can be noticed
that the manufacturing industry results the main sector in which
the different studies deal with the cybersecurity issues. In fact,
referring to the first group of papers, 15 on 26 papers explicitly
mention it. Moreover, six papers refers to Critical Infrastructures
(CI)1, without providing more details. However, CI can include a
number of sectors (among them the manufacturing one), such as
[30]: chemical, commercial facilities, communications, critical
manufacturing, dams, defence industrial, emergency services,
energy, financial services, food and agriculture, government
facilities, healthcare and public health, information technology,
nuclear, transportation systems, and waste and wastewater
systems. On the other hand, only one paper explicitly refers to
healthcare industry, while for three of them the industry is not
specified.
At the same way, considering the 14 papers taking part of the
second group of papers, six of them explicitly refer to the
manufacturing industry; while, the remaining part splits in the
1 other embedded systems to monitor and collect data from physical
European Commission defines critical infrastructure as “an asset or system,
which is essential for the maintenance of vital societal functions” [61].
101
Industrial context Enabled condition
Cloud technologies Manufacturing IoT devices networking
[24,26,27] [24,28,25], [29,26,28,27]
following way: one paper focuses on Critical Infrastructures, three
refer to energy industry, one to telecommunication, and for three
of them the industry is not specified.
Regarding the industrial assets involved into cyber-attack
events, all papers of both groups point out Industrial Control
Systems (ICS) and Cyber-Physical System (CPS) as the vulnerable
systems to be protected. In the following, the main features of the
two types of systems are briefly reported.
The Industrial Control System (ICS) is a management and
control system, which can ensure that the industrial technical
facilities run automatically, while controlling and monitoring the
business processes [31]. In particular, ICSs consist of combinations
of control components (e.g., electrical, mechanical, hydraulic,
pneumatic) that act together to achieve an industrial objective
(e.g., manufacturing, transportation of matter or energy) [32].
These systems are commonly used in the critical infrastructures,
especially in the electrical, water and wastewater, oil and natural
gas, chemical, transportation, pharmaceutical, pulp and paper,
food and beverage, and discrete manufacturing (e.g., automotive,
aerospace, and durable goods) industries [32]. Actually, the
Industrial Control System is a general term that encompasses
several types of control systems, including Supervisory Control and
Data Acquisition (SCADA) systems and Distributed Control Systems
(DCS); while, ICS core components are Programmable Logic
Controller (PLC), Remote Terminal Unit (RTU), Intelligent Electron-
ic Device (IED) and the interface technology, which is to ensure the
communication of components [33] provides more information
about ICS and its components.
The term Cyber-Physical System, instead, identifies anything that
integrates computation, networking and physical processes. In other
words, these systems enable the virtual digital world of computers
and software to merge through interaction with the physical
analogue world. For instance, a smart manufacturing line can be
considered a CPS whether the machines perform many work
processes by communicating with the components and/or the
products they are in the process of making [12]. CPSs use sensors or
processes (such as the steering of a vehicle, energy consumption, or
102 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110

Table 3
Industry analysis.

Industry types

Manufacturing Critical Infrastructure Healthcare Not specified

First group of papers

Industrial assets involved ICS CPS ICS CPS Service Platform ICS CPS
Papers reference [37,15,38–40,17,41] [14,15,42,21,43,13,44,18,45] [46,47,16,48] [49,19] [50] [20,51] [52]

Industry types

Manufacturing Critical Infrastructure Energy Telecommunication Not specified

Second group of papers

Industrial asset involved ICS CPS ICS ICS Not specified ICS CPS
Papers reference [53,22,28,54,24] [28,24,55] [56] [27,26,57] [58] [25,23] [29]

temperature/humidity control). Moreover, they are supported in the
definition of corrective decisions to the process by a decentralized
intelligence, which evaluates data coming from sensors or other CPSs
and defines in real time the possible scenarios of choice; while,
actuators support CPSs in implementing the corrective decisions
able to optimize the same process.
Downstream of this high-level analysis, it is possible to state
that Industrial Control Systems represent an application area of
the Cyber-Physical Systems. This is confirmed by the literature
[34–36].
5. Cybersecurity characterization
Once having identified the industrial assets mainly involved
into cybersecurity issues in Industry 4.0 contexts (in other
words, what needs to be protected), this section takes
advantages of:
1 The definition of the intrinsic vulnerabilities of the systems that
undermine their security;
2 The cyber threats affecting the systems;
3 The risks associated with the cyber-attacks;
4 The countermeasures to deal with cybersecurity issues.
Although there are different types of vulnerabilities which
affect CPSs or ICSs, very common are those unknown (i.e. zero-day
vulnerabilities) [46,21,27,57,55]; these are placed in every
interfaces between different components where there is informa-
tion exchange [14]. In particular, there are a number of
vulnerabilities in each component of SCADA systems, in particular
concerning: communication infrastructure and network protocols,
application server, database server, human machine interfaces,
program logic controllers, remote terminal units [40,48].
The evidence shows that IoT devices are attractive targets for
botnets because of security is not a priority for many manufacturers.
This is confirmed by the use of default passwords and open ports, the
lack of built-in mechanisms to receive automatic firmware updates,
and the fact that firmware are often forgotten about once installed
(owners do not know when their devices are used for malicious
purposes or when firmware need to be updated) [17].
Jansen [17] pinpoints the following reasons as cause of most
industry devices get hacked:
 Devices in many plants run for weeks or months without any
security updates or anti-virus tools;
 Many of the controllers used in ICS networks can be disrupted by
malformed network traffic or even by high volumes of correctly-

These elements are all associated with the cybersecurity

concept (see Fig. 6). In particular, (1) and (2) answer the
question “what is to be protected against?”; (3) highlights the
potential risks for the company due to the exploitation of the
system vulnerabilities at the hand of cyber-attacks (that is,
“what are the impacts?”); finally, (4) answers the question
“how should you protect yourself?”.

5.1. Systems vulnerability

Vulnerabilities are defined by Jansen and Jeschke [52] as

weaknesses in the IT or automation systems that might be
exploited by hackers to compromise the cyber-physical
system. In a more general perspective, NIST (National Institute
of Standards and Technology) glossary of key information
security terms [7] refers to vulnerability as weakness in an
information system, system security procedures, internal
controls, or implementation that could be exploited or
triggered by a threat source.
Vulnerabilities can be classified referring to remote access,
software and Local Area Network (LAN) [47], and can be
associated with both virtual machines belonging to cloud
resources and IT systems [21].
Fig. 6. Cybersecurity characterization.
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
formed traffic since they were designed in an era when
cybersecurity was not a concern;
 Many ICS networks have multiple pathways through which
cyber-security threats can enter, bypassing existing cyberse-
curity measures (for instance, laptops which are carried in and
out of facilities or USB sticks which are used among multiple
computers, without being properly checked for malware);
 Many ICS networks are still implemented as a large, flat
network, with no physical or virtual isolation between unrelated
networks (allowing the spread of malware even to remote plant
sites).
In order to address these problems, companies should
undertake a vulnerability assessment process able to identify
and assess potential vulnerabilities of systems [54]. In particular,
NIST [7] defines the vulnerability assessment as “systematic
examination of an information system or product to determine the
adequacy of security measures, identify security deficiencies,
provide data from which to predict the effectiveness of proposed
security measures, and confirm the adequacy of such measures
after implementation”.
5.2. Cyber threats
The NIST glossary defines threat as “any circumstance or event
with the potential to adversely impact organizational operations
(including mission, functions, image, or reputation), organizational
assets, individuals, other organizations, or the Nation through an
information system via unauthorized access, destruction, disclo-
sure, modification of information, and/or denial of service” [7].
Attacks to interconnected physical systems can be character-
ized by three dimensions [41]:
1 The type of attacker to the system (i.e. insider or outsider);
2 Attacker’s aims and objectives (i.e., destruction at a larger scale
or on a specific target);
3 The attack mode (i.e., active or passive).
Regarding the attack mode, active attacks aim at making
changes to system resources or affecting system operations (some
examples are Distributed Denial of Service attacks and Compro-
mised-Key attacks); while, the passive attacks goal is to learn or
make use of information from a system rather than making any
changes on the system (this category includes eavesdropping and
sniffing attacks) [54].
Table 4
Cyber threats list.
Cyber threats
Transfer data from and to unauthorized devices
Denial of Service (DoS) attack using massive traffic
Escalation of privilege
Data tampering, spoofing or man-in-the-middle attacks
Eavesdropping or data interface
Repudiation attacks
Jamming, Collision, Fake Location Injection, Sybil, Node Replication, Wormhole, Sinkhole, False Routing Information, and Selective
Forwarding
Malware, worms and viruses infection (in accidentally or intentionally way)
Abnormal operations induction by using abnormal Distributed Network Protocol (DNP3) function code
Scan DNP3 data points through changing object qualifier
Zero-day attacks
Phishing attacks
Physical destructions
Insider attacks and unwitting behaviours
Advanced Persistent Threat (APT)
Social engineering attacks
103
Furthermore, Roy et al. [43] consider three main layers in which
cybersecurity threats could act:
1 Aware execution layer (i.e. from sensors and actuators);
2 Data transport layer (i.e. from network architecture);
3 Application control layer (i.e. from user data storage).
In particular, the first layer includes physical attacks, equipment
failures, failures of node power lines and electromagnetic
interferences. In the second layer, there are denial of service
attacks, routing attacks, aggregation node attacks, flood attacks
(exhausting the network resources), black hole attacks, direction
misleading attacks, Sybil attacks by adding malicious nodes.
Finally, the third layer, characterized by unauthorized accesses and
taking over control of machines, as well as by dispatching of
malicious code, entails the leakage of user privacy and data
confidentiality in data mining operations.
The German Federal Office for Information Security (Bundesamt
für Sicherheit in der Informationstechnik - BSI) identifies the
following main categories of cyber threats referring to Industry
4.0 contexts [21]:
 Direct attacks on external accesses;
 Indirect attacks on the IT systems of the service provider for
which the external access has been granted;
 Unknown attack vectors without detection capabilities enabled
by unknown vulnerabilities (or zero-day exploits);
 Non-targeted malicious software which infects components and
impairs in their functionality;
 Intrusion into neighbouring networks or network segments (for
instance, the existing office network).
In addition to this, Jansen [49] and Jansen and Jeschke [52] refer
to a number of targeted attacks to automation systems, attacks via
internet on decentralized control systems, unauthorized accesses
from office to production network, malicious (re-) configurations
(via remote access), and disruption of machine-to-machine
communications.
Summarizing information from the selected papers, the
following Table 4 provides a list of cyber threats, which can affect
Industrial Control Systems and Cyber Physical Systems.
In the literature, the most mentioned cyber threat is Denial of
Service attack. This attack makes the systems not respond to
legitimate command from the network [54]. In particular, the
attackers flood the controller to force the system and change its
Reference
[46,38,51,48]
[46,47,38,39,40,51,54,55,27,25,42]
[47,38,42]
[38,42]
[38,41,24]
[38,42]
[48]
[17,41,27,25]
[46]
[46]
[47,55]
[54,55,27,25,29]
[41,24]
[41,27]
[55,27,25]
[27]
104 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
behaviour. A common variant of DoS attacks is the Distributed
Denial of Service (DDoS) attack where the incoming traffic flooding
the victim originates from many different sources (multiple
compromised computer systems).
Generally, once a cyber threat succeeds, it may occur an
unauthorized access to information systems, as well as confiden-
tial data [35,40,36,46,15]. In particular, this can result in:
 Unauthorized use, disclosure, disruption, modification, or
destruction of critical data and/or data interfaces
[37,14,21,51,41,45,28,54];
 Denial of service of networks and computers (in the worst case,
this may result in a reduced availability of the entire system)
[37,14,21,17].
5.3. Risks
According to NIST [7], risk is “the level of impact on
organizational operations (including mission, functions, image,
or reputation), organizational assets, or individuals resulting from
the operation of an information system given the potential impact
of a threat and the likelihood of that threat occurring”.
Security risks related to information systems depend on the loss
of confidentiality, integrity, or availability (known as “CIA triad”) of
information or information systems [49]. In particular, confidenti-
ality refers to the ability to keep information secret from
unauthorized users; in this way, the lack of confidentiality may
result in data disclosure. Integrity, which means to protect the
trustworthiness of data or resources, might entail deception
attacks if it is not preserved. In this case, the risk concerns the
corruption or modification of records and data and data loss. At the
end, availability represents the ability of a system to be accessible
and usable on demand; for this reason, when system availability is
not guaranteed, denial of service may occur (this causes a lack of
productivity at the physical system).
At the business level, cyber threats may have a certain number
of negative impacts (see Table 5).
The sabotage to the entire critical infrastructure or specific
machines and components is the most cited business impact
among the analysed papers. This impact is strictly correlated to
DoS attacks, which in turn are the most mentioned in the
literature.
In general, any of the impacts identified translate into a drop in
the company productivity and competitiveness (in terms of
degradation of the product quality, reduction of production rate,
increasing of maintenance efforts, and delays to fulfil demand)
[45,27,54,23]. In other words, the company incurs in higher costs
and loss of profitability.
5.4. Countermeasures
Countermeasures stands for a set of actions, devices, proce-
dures, or techniques that meet or oppose a threat, a vulnerability,
or an attack by eliminating or preventing it, by minimizing the
harm it can cause, or by discovering and reporting it so that
corrective action can be taken [7].
Jansen [17] refers to the following three high level approaches
to guarantee security of Industrial Control Systems:
1 Harden the perimeter, which means to isolate the plant network
from the office network with the use of firewalls and
demilitarized zone (DMZ) if necessary;
2 Defence in depth, by applying several layers of defence
throughout the network, in order to stop and contain those
malware breaching the perimeter.
3 Remote access, which is one of the most common ways to
penetrate the perimeter firewall. In such case, the use of Virtual
Private Network is recommended to isolate remote users in a
separate demilitarized zone.
Moreover, with the aim to keep the protection up-to-date, it
is necessary to continuously update the implemented security
controls on device level (installing new security patches),
network level (updating firewall signatures of new threat) and
plant/ factory level (monitoring and analysing the actual log
sources) [52].
In particular, Cheminod et al. [39] underline that the counter-
measures play a key role in protecting from unwanted accesses
from/to the Internet, as well as in separating some (critical)
services, within the plant, between the different areas of the plant,
between the different subsystems in the same area, and inside the
production/automation cell at the shop floor level.
The following list of countermeasures can be followed in order
to detect or prevent the cyber-attacks occurrence within Industry
4.0. Table 6 results from the analysis of all selected papers.
In the literature, encryption seems to be the most adopted
countermeasures. This technique converts plain-text data into
cipher-text, which can be decoded only by authorized parties who
have a key. There are different levels of encryption [42,38]:
encryption of the communication between entities in a networked
production to mitigate tampering, information disclosure, and
denial of service threats; encryption of stored data and use of
digital signatures to mitigate repudiation attack; encryption of the
data streams to deal with tampering with data, repudiation,
information disclosure and denial of service.
6. Managing of cybersecurity issues
In this section, an overview of the guidelines and solutions
proposed by the selected papers to manage cybersecurity issues
within Industry 4.0 contexts is provided.
These guidelines and solutions reflect the existence of a certain
number of security standards and guidance documents, which
create a common understanding of industry specific security
controls and methods for assessing the effectiveness of such
controls [53]. In particular, the analysed papers mainly refer to:
 NIST 800-53, which provides a set of security control categories
and families (i.e. access control, awareness and training, audit
and accountability, security assessment and authorization,
configuration management, contingency planning, identifica-
tion and authentication, incident response, maintenance, media
protection, physical and environmental protection, planning,
personnel security, risk assessment, system and services
acquisition, system and communications protection, system
and information integrity, program management);
 IEC 62443 series of standards, which evaluates the potential
weak points in the overall organization, component and system
development process for Industrial Control Systems, with the
aim to identify threats and manage cyber risks;
 UL 2900 series of standards, which contains foundational
security requirements and testing criteria for software and
devices within products.
6.1. Guidelines
The following Table 7 gives a general view of the main
guidelines in the field of cybersecurity that have been collected
from the literature and that are later described.
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
Focusing on the manufacturing industry, Huxtablea and
Schaefera [13] suggest that a firm should offer support to its
connected products, in particular in the fields of:
 Cybersecurity consulting to give advice and guidance with regard
to cybersecurity strategy at a top level;
 Risk management to prevent cyber-attacks;
 Threat monitoring and detection to provide software and
hardware that allow cyber threats to be monitored and detected;
 Cyber incident response to limit damage and prevent further
cyber-attack;
 Training to limit the likelihood of attacks taking place;
 Cybersecurity packages in relation to the products being sold
(basic subscriptions might include anti-malware software as a
service, by offering for instance monitoring, detection and
training).
In general, any security approach should pay attention on
network, transport and application levels. In particular, the focus
on network level aims at providing a secure and trustworthy
connection; transport level wants to guarantee nobody can read
along and even authenticate both sides; finally, application level
goal is to ensure security on the transmitted information even if
there is no encryption on transport level [16].
In order to guarantee information security at any level, Sergey
and Nikolay [58] recommend to follow a set of actions. These
actions include ranging the sources of information, classifying the
objects of protection, describing the threats arising in case of
unauthorized access to information and in case of malicious
change of information, and describing the influence preventing
unauthorized access and change of information, as well as the
influence correcting the unauthorized access taking place and
change of information.
Regarding the implementation phase of industrial security
services, instead, Jansen [49] explores four steps. The first step
consists of designing the service on the knowledge of automation
systems and their intended operational environment. Then, it is
necessary to define the operations of managed security services
addressing the customers’ needs, and implement the DevOps
approach able to integrate operational experience in development
process. Finally, the fourth steps entails the introduction of some
control loops to the socio-technical and economic systems of
industrial companies in order to bring the system (in case of
disturbances) back into a stable state.
6.2. Solutions
In addition to the above guidelines, useful to start approaching
the cybersecurity issues within Industry 4.0 contexts, different
cybersecurity solutions are proposed in the analysed papers. These
solutions are referred to with a high variety of terms, such as
framework, approach, method, model, methodology and architec-
ture. In particular, Babiceanu and Seker [37] speak of Software-
Defined Networks-based (SDN-based) cybersecurity-resilience
mechanisms for manufacturing applications and proposes a
framework including the areas of system identification, resilience
objective setting, vulnerability analysis, and stakeholder engage-
ment. At the same way, the NIST proposes a framework to address
and manage cybersecurity risks associated with Industrial Control
Systems. The NIST framework is comprised of five core functions (i.e.
identification, protection, detection, response, and recovery), with
each being implemented through a set of security controls [25].
In relation to the highlighted approach, the DevOps approach is
mentioned in [52] as enabler of new industrial security business,
where, for instance, the log sources for security monitoring of
comparable asset classes are identified. In order to express security
105
risks visually, instead, Kobara [47] presents an improved attack
tree approach, where the problem is shown as root and its sources
as leaves; moreover, the severity level of each stage (node), the
transferability from one stage to another and the countermeasures
and their effects are also depicted.
According to Ren et al. [54], a number of risks evaluation
methods, as well as quantitative and qualitative methods to
calculate the likelihood of attacks on certain components of the
systems if other parts are attacked have been developed for
manufacturing systems. For instance, a typical risk evaluation
method is the hierarchical model, which identifies potential
vulnerabilities of a system on six layers: control, communication,
network, supervisory and management. Moreover, some examples
of quantitative methods are those based on statistics (i.e. Bayesian
probability and Leontief-based models); while qualitative methods
provide a holistic view of the risks based on conceptual diagrams
and graphs.
On the other hand, Preuveneers and Ilie-Zudor [42] and
Preuveneers et al. [38] model the networked production workflow
as a dataflow diagram with the aim to carry out a STRIDE security
analysis, which is a threat modelling method developed by
Microsoft focusing on Spoofing, Tampering, Repudiation, Informa-
tion disclosure, Denial of service, and Elevation of privilege.
Furthermore, Flatt et al. [21] adopt the process model of VDI/
VDE guideline 2182 to consider IT security along the whole life
cycle of industrial systems. The model includes eight consecutive
steps (carried out in an iterative way), that is: identify assets,
determine relevant security objectives, analyse threats, analyse
and assess risks, identify measures and assess effectiveness, select
overall solution, implement and use overall solution, perform
audit.
In order to deal with security issues in Industrial Control
Systems, a methodology for assessing vulnerabilities is proposed
by Januario et al. [48]. This methodology entails:
 For each component, a complete network representation;
 For each subsystem, the definition of component's functionali-
ties and decomposition in each subsystem that implements
them;
 For each operation, the list of the used resources and operations
that can affect them.
Another methodology is that of CYBEX (Structured Cyberse-
curity Exchange) [58], which aims at protecting data exchange
between customers. In particular, this methodology is based on
five-level block model of data exchange:
1 Information Description Block that describes all information
required to be transferred between consumers, including a
format and language of the description;
2 Information Discovery Block, which is responsible for definition
and research of information on a source;
3 Information Query Block, representing specially developed
programming language of the protected inquiries of CYBEX;
4 Information Assurance Block, which is focused on three
standards for certification of the protected sources (i.e. X.evcert,
X.eaa and ETSI TS 102042 V2.0);
5 Information Transport Block, based on the protocols standard-
ized by X.cybex-tp.
At the end, in the work of Bordel et al. [18] a functional
architecture to support a protection system for Industry 4.0
applications is described. The architecture is composed of five
elements. In particular, the predictive model represents the
system’s state in a certain moment and at some future instants;
while, the analysis module allow comparing data to the real state of
106 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
the components in the system (the results of the comparison
process are employed to infer if the system is under a cyber-
physical attack). Furthermore, the architecture includes a template
repository, enabling the description of different cyber-physical
attacks (and the security and protection policies associated with
the attacks); a distance function, which determines the set of
templates closer to the observations (made about the system); and
a decision-making module to select the protection method to be
applied.
A schematic view of the cybersecurity solutions here described
is provided in Table 8.
7. A framework for cybersecurity in I-4.0
In the literature, the cybersecurity and Industry 4.0 terms
started to be strongly correlated since 2015. This was revealed by
the electronic scientific databases adopted in this study, which
gave back papers where both terms could appear in the title,
within the abstract, or as key words.
In fact, although the Industry 4.0 paradigm was used for the first
time in Germany in 2011 during the Hannover Fair [60], the
awareness of the relevance of cybersecurity issues for the
industrial physical systems connected into the network (and for
the industrial information correlated to them) has spread only
some years later. Still today, this topic needs to be better
investigated, in order to provide a more systematic view of its
main elements, and support the industrial management environ-
ment to face the cybersecurity challenges.
In the following Table 9, a summary of the findings based on the
study carried out is provided.
The findings are organized in the four main areas of analysis
introduced in Fig. 4: analysis of cybersecurity and Industry 4.0/IIoT
definitions; study of the industrial context; characterization of
cybersecurity in Industry 4.0 scenario; and identification of
management attempts with regard to cybersecurity issues. The
analysis of these areas has presented some peculiarities, used to
carry out the study and to address relevant considerations for
future research.
Firstly, the analysis of the most representative definitions of
‘cybersecurity’ have made it possible to create a properly taxonomy
at the base of the study. Therefore, the words “cyberspace”, “cyber
threats” and “cyber-attacks” have become part of the searching
criteria for papers selection. Then, the identification of some
keywords associated with the different Industry 4.0 and IIoT
definitions (collected form the selected papers) has allowed to:
 Identify the enabling technological conditions (i.e., Internet of
Things and Cyber-Physical Systems for Industry 4.0, and wireless
sensor networks and cloud technologies for IIoT), a target
industrial context (the manufacturing industry) and a specific
condition enabled by the technologies referred to above (in
particular, data networking for Industry 4.0, and IoT devices
networking for the IIoT). This is reported in Tables 1 and 2;
Table 5
Business impacts.
Business impacts
Sabotage to the entire critical infrastructure or target machines and components (e.g., loss of observability, controllability or
eventually the loss of power in the physical system)
Denial of service of networks and computers
Theft of industrial trade secrets and intellectual property
Compliance violation in the fields of safety and pollution
Life-threatening situations for the workers
 Provide a new and comprehensive definition for both concepts,
combining together all the keywords identified;
Moreover, the analysis of the industry type mainly involved into
cybersecurity issues has showed the centrality of the manufactur-
ing industry (see Table 3). Here, Industrial Control Systems and
Cyber-Physical System result as the main vulnerable systems to be
protected from cyber-attack events.
A core part of the study regarded the cybersecurity characteri-
zation within Industry 4.0 (or IIoT) context. In particular, the
systemvulnerabilities, the potential cyber threats, as well as the
risks associated with the cyber threats and the countermeasures
to take into consideration have been analysed in the current
literature. The analysis of vulnerabilities has shown that security
is not a priority for many manufacturers; for instance, they fault
passwords and open ports, do not care of firmware updates, or
forget to monitor the firmware once installed. Furthermore,
another problem is correlated to the use of industrial devices
(such as the controllers in the ICS networks) which were designed
in an era when cybersecurity was not a concern. In general, the
study has allowed to put in evidence that the most common
vulnerabilities are those unknown (even known as zero-day
vulnerabilities), which can be potentially placed in every
interfaces between different components where there is an
information exchange. With the aim to better know and manage
the systems vulnerabilities, companies should undertake a
vulnerability assessment process, able to determine the adequacy
of security measures, identify security deficiencies, provide data
from which to predict the effectiveness of proposed security
measures, and confirm the adequacy of such measures after
implementation.
From the analysis of the cyber threats, a list of attacks affecting
ICS and CPS has been defined (see Table 4), where the most
mentioned one is Denial of Service attack. Cyber threats can
potentially act on three main layers: the aware execution layer
(involving, for example, sensors and actuators), the data transport
layer (affecting the network architecture), and the application
control layer (that is, for instance, the user data storage). In general,
any attack to interconnected physical systems should be charac-
terized by specifying the type of attacker to the system, the
attacker’s aims and objectives, and the attack mode. Whether a
cyber-attack succeeds, the unauthorized use, disclosure, disrup-
tion, modification, or destruction of critical data and/or data
interfaces, as well as denial of service of networks and computers
may occur.
Regarding the security risks originated by the cyber threats, it is
possible to state that they depend on the loss of confidentiality
(data disclosure risk), integrity (risk of corruption or modification
of records and data loss) and availability of information or
information systems (denial of service risk). Moreover, the study of
the literature has made it possible to identify a set of impacts at the
business level generated by the cyber threats occurrence (see
Table 5). These impacts may regard the sabotage to the entire
Reference
[47,42,38,40,41,52,45,29,55,27,23,59]
[28,16,27]
[8,16,55,27]
[41,52,23]
[59,52]
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110 107

Table 6
Countermeasures list.

Countermeasures Reference
Encryption [47,42,38,51,24,26,54,27,53,23]
Fuzzing to detect software safety errors [47,53]
Obfuscation to obscure the intended meaning of communication by making the message difficult to understand [47]
Patching to solve security vulnerabilities or bugs in the systems [47]
Vulnerability scan [47]
Firewall/zoning, gateway and proxy [47,40,25,23]
Access control (i.e. user authentication, multiple-terminal authorization) [47,54,27,25,53]
Quarantine to isolate infected files on a computer's hard disk [47]
Isolation of data, language, sandbox, Virtual Machine (VM) and Operating System (OS) [54]
Physical resource-based isolation, also known as air gap [54]
Software updates [20,53]
Machine Learning (ML) method on physical data, covering k-Nearest Neighbours (kNN) algorithm, random forest algorithm and [44]
anomaly detection algorithm to real-time detect the malicious attacks
Physical protection through shielded wires for physical links and utilizing separated racks or spaces [54]
Tamper proof hardware to prevent attackers from altering system operations and conducting falsification of data [54,27]
Keep data distributed instead of centralising them into one, more vulnerable central storage point [27]
Local storage and analytics so that the raw data do not leave the hardware, and any analytics can be run locally [27]
Intrusion Detection System (IDS) and Intrusion Prevention System [25]
Secure Communication (Virtual Private Network, Secure Sockets Layer, IP Security) [25,53,22]
Antivirus and antimalware [25,53]
Vulnerability assessment (process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications [25]
and network infrastructures)
Known vulnerability testing [53]
Static source code analysis to look for software weaknesses [53]
Penetration testing to evaluate and exploit vulnerabilities [53]

critical infrastructure or machines and components (this is the
most mentioned impact in the literature), denial of service of
networks and computers, the theft of industrial trade secrets and
intellectual property, as well as compliance violation in the fields
of safety and pollution, and life-threatening situations for the
workers.
Finally, the countermeasures result necessary to prevent or
eliminate the cyber threats. The countermeasures may concern:
the isolation of the plant network (harden the perimeter) by using
firewall and demilitarized zone; the application of several layers of
defence (defence in depth) throughout the network to stop and
contain those malware breaching the perimeter; and the isolation
of remote users in a separate demilitarized zone through the use of
Virtual Private Network. Obviously, it is required to keep the
protection measures up-to-date; this means to continuously
update the implemented security controls on device level
(installing new security patches), network level (updating firewall
signatures of new threat) and plant/ factory level (monitoring and

Table 7
Cybersecurity guidelines.

Guideline Reference
Providing support to connected products in the field of: cybersecurity consulting, risk management, threat monitoring, cyber incident response, training, [13]
cybersecurity packages.
Defining a security approach focusing on network level, transport level, and application level. [16]
Appling a set of actions (focused on information to be protected, the type of threats and the influence necessary to prevent or correct unauthorized accesses) [58]
in order to guarantee information security.
Respecting four main steps (design the service, definition of operations, implementation of DevOps, and introduction of control loops) with the aim to [49]
implement industrial security services.

Table 8
Cybersecurity solutions.

Solution Reference

Framework Framework based on the areas of system identification, resilience objective setting, vulnerability analysis, and stakeholder engagement. [37]
NIST framework comprises of five core functions: identification, protection, detection, response, and recovery. [25]
Approach DevOps approach identifies the log sources for security monitoring of comparable asset classes. [52]
Attack tree approach, where the problem is shown as root and its sources as leaves. [47]
Method Collection of a set of risks evaluation methods and quantitative and qualitative methods to calculate the likelihood of attacks on certain [54]
components of the systems if other parts are attacked.
STRIDE security analysis of Microsoft as a threat modelling method. [42,38]
Model Process model of VDI/VDE guideline 2182 that considers IT security along the whole life cycle of industrial system. [21]
Methodology Methodology for assessing vulnerabilities in Industrial Control Systems, which entails actions at the level of component, subsystem and [48]
operation.
CYBEX methodology is based on five-level block model of data exchange (Information Description, Information Discovery, Information Query, [58]
Information Assurance, and Information Transport) to protect data exchange between customers.
Architecture Functional architecture (including a predictive model, an analysis module, a template repository, a distance function, a decision-making [18]
module) to support a protection system for Industry 4.0 applications.
108 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110

Table 9
Framework of references for cybersecurity research in I-4.0.

Area of analysis Topic Features

Analysis of definitions
Study of industrial context
Analysis of cybersecurity in Industry System security
4.0 (or IIoT) contexts
Identification of management
attempts
Cybersecurity Strictly correlated words: cyberspace, cyber threats and cyber-attacks.
Industry 4.0 Enabling technological conditions: Internet of Things and Cyber-Physical Systems.
Target industry: manufacturing.
Condition enabled by the technology: data networking.
Industrial Internet of Enabling technological conditions: wireless sensor networks and cloud technologies.
Things (IIoT) Target industry: manufacturing.
Condition enabled by the technology: IoT devices networking.
Industry types Most frequently mentioned industry: manufacturing.
Industrial assets Main vulnerable systems: Industrial Control Systems (ICS) and Cyber-Physical System (CPS)
Most common vulnerabilities: zero-day vulnerabilities.
vulnerability Suggestion: undertake a vulnerability assessment process.
Cyber threats Levels of action: aware execution layer, data transport layer, application control layer.
Main points to focus on: type of attacker, attacker’s aims and objectives, and attack mode.
Most mentioned cyber threat: Denial of Service attack.
Main consequences: unauthorized use, disclosure, disruption, modification, or destruction of critical data
and/or data interfaces; denial of service of networks and computers.
A list of attacks affecting ICS and CPS.
Risks Cause: loss of confidentiality, integrity and availability of information or information systems.
Risk typologies: data disclosure (loss of confidentiality); corruption or modification of records and data loss
(loss of integrity); denial of service (loss of availability).
Impacts at business level: sabotage to the infrastructure or machines and components; denial of service of
networks and computers; theft of industrial trade secrets and intellectual property; compliance violation
in the fields of safety and pollution; life-threatening situations for the workers.
Most mentioned business impact: sabotage to the infrastructure or machines and components.
Countermeasures Main categories: isolation of the plant network; application of several layers of defence; isolation of remote
users.
Main action: update the security controls on device level, network level and plant/ factory level.
Most mentioned countermeasure: encryption techniques.
A list of countermeasures.
Cybersecurity Security standards and guidance documents: NIST 800-53, IEC 62443 and UL 2900.
guidelines A set of guidelines to deal with cybersecurity issues.
Cybersecurity Security standards and guidance documents: NIST 800-53, IEC 62443 and UL 2900.
solutions A set of solutions to deal with cybersecurity issues.

analysing the actual log sources). From the literature review, a list
of countermeasures has been drawn up (see Table 6), where the
encryption results to be the most mentioned.
The last section of the study focused on the guidelines and
solutions in the literature to manage cybersecurity issues. In
general, it was noticed that there are a number of security
standards and guidance documents, which create a common
understanding of industry specific security controls and methods
for assessing the effectiveness of such controls (e.g. NIST 800-53,
IEC 62443 and UL 2900 series of standards). In line with these
security standards, some attempts to manage cybersecurity have
been done. Some of them aim to provide a high-level guide (target
to the management area) in facing the argument (see Table 7);
some others, instead, propose more structured solutions (see
Table 8) which need to be customized to the specific industrial
scenario.
8. Conclusions
This study explored the cybersecurity issues within Industry 4.0
contexts, using a structured approach for the literature review
through a qualitative analysis of the contents coming from the
selected papers. In particular, the papers’ assessment focused on
four areas of analysis. These areas involve: (1) the analysis of
cybersecurity and Industry 4.0/IIoT definitions; (2) the study of
industry type and industrial assets mainly affected by cyberse-
curity issues; (3) definition of systems vulnerabilities, cyber
threats, risks and countermeasures to be taken, with regard to
Industry 4.0 scenarios; (4) identification of guidelines and more
structured solutions to deal with cybersecurity issues.
As a result, a reference framework of the main features for each
area was defined. The framework collects the most cited evidences
for each area of analysis and summarizes them for providing an
immediate prospect of synthesis useful to lead future research but
also the managerial actions.
Although a number of different solutions for dealing with
cybersecurity issues within Industry 4.0 have been already
developed (see Section 6.2), none of them take into consideration,
at the same time, the three exposure layers of Cyber Physical
Systems (physical, network and computation) that could be abused
by cyber-attacks. For instance, in the research of Flatt et al. [21], the
physical aspects are treated but without an integration with
networking and computation processes; while, in the studies of
Preuveneers and Ilie-Zudor [42] and Preuveneers et al. [38] the
aspects of networking is treated without an integration with the
others elements of the system.
Moreover, papers analysed do not face cybersecurity theme
with a purely management perspective, but they focus on IT side. A
management perspective should support companies in the correct
implementation of new organizational practices and initiatives of
change management.
Future research can use this study as reference framework to
address investigation in the industrial field and enlarge the current
state of art. From the managerial point of view, instead, the study
provides a shortcut to a complete view about cybersecurity in I-4.0
that can be used as basis for supporting the decision making
process about cybersecurity issues but also a reference material for
training in IT department.
References
[1] A. Behrendt, N. Müller, P. Odenwälder, C. Schmitz, Industry 4.0 Demystified—
Lean’s Next Level [Online]. [Accessed 12 June 2018] Available:, McKinsey &
Company, 2017. https://www.mckinsey.com/business-functions/operations/
our-insights/industry-4-0-demystified-leans-next-level.
 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
[2] Cisco, Cisco 2018 Annual Cybersecurity Report, (2018) .
[3] H. Bauer, G. Scherf, V. von der Tann, Six Ways CEOs Can Promote Cybersecurity
in the IoT Age [Online]. [Accessed 12 June 2018] Available:,
McKinsey&Company, 2017. https://www.mckinsey.com/featured-insights/
internet-of-things/our-insights/six-ways-ceos-can-promote-cybersecurity-
in-the-iot-age.
[4] E.C.S. Organisation, State of the Art Syllabus – Overview of Existing
Cybersecurity Standards and Certification Schemes, ECSO, 2017.
[5] I. E. Commission, IEC Webstore [Online]. [Accessed 6 September 2018]
Available:, (2018) . https://webstore.iec.ch/publication/62122.
[6] A. Bryman, E. Bell, Business Research Methods, Oxford University Press,
Oxford, 2015.
[7] NIST, Glossary of Key Information Security Terms, NISTIR 7298r, 2nd ed.,
Richard Kissel, Gaithersburg, 2013.
[8] I. 27032:2012, Information Technology – Security Techniques – Giudelines for
Cybersecurity, (2012) .
[9] E.U.A.F.N.a. ENISA, ENISA Overview of Cybersecurity and Related Terminology,
(2017) .
[10] ISACA, Cybersecurity Fundamentals Glossary, (2016) .
[11] C.o.N.S.S. CNSS, Committee on National Security Systems (CNSS) Glossary,
(2015) .
[12] A. Gilchrist, Industry 4.0 - The Industrial Internte of Things, Apress, Bangken,
Nonthaburi, Thailand, 2016.
[13] J. Huxtablea, D. Schaefera, On servitization of the manufacturing industry in
the UK, Procedia CIRP 52 (2016) 46–51.
[14] H. He, C. Maple, T. Watson, A. Tiwari, J. Mehnen, Y. Jin, B. Gabrys, The security
challenges in the IoT enabled cyber-physical systems and opportunities for
evolutionary computing & other computational intelligence, 2016 IEEE
Congress on Evolutionary Computation, (2016) .
[15] E. Pontarollo, Industry 4.0: a new approach to industrial policy, L’industria 37
(3) (2016) 375–381.
[16] J. Daniels, B. Amaba, A. Sargolzaei, Industrial control system applications go
mobile in the cloud, IAMOT 2016 - 25th International Association for
Management of Technology Conference, Proceedings: Technology - Future
Thinking, (2016) .
[17] C. Jansen, A review on the readiness level and cyber-security challenges in
Industry 4.0, ACM SEEDA-CECNSM Conference 2017, (2017) .
[18] B. Bordel, R. Alcarria, D. Sánchez-de-Rivera, T. Robles, Protecting Industry 4.0
systems against the malicious effects of cyber-physical attacks, Computer
Science Book Series, Springer, Cham, 2017, pp. 161–171.
[19] H. Gao, Y. Peng, Z. Wen, K. Jia, H. Li, Cyber-physical systems testbed based on
cloud computing and software defined, Proceedings - 2015 International
Conference on Intelligent Information Hiding and Multimedia Signal
Processing, (2015) .
[20] I. Mugarza, J. Parra, E. Jacob, Software updates in safety and security co-
engineering, Computer Safety, Reliability, and Security, Springer, Cham, 2017,
pp. 199–210.
[21] H. Flatt, S. Schriegel, J. Jasperneite, H. Trsek, H. Adamczyk, Analysis of the
cyber-security of industry 4.0 technologies based on RAMI 4.0 and
identification of requirements, IEEE International Conference on Emerging
Technologies and Factory Automation (2016).
[22] A. Gurtov, M. Liyanage, D. Korzun, Secure communication and data processing
challenges in the industrial internet, Balt. J. Mod. Comput. 4 (4) (2016) 1058–1073.
[23] C. Sandberg, B. Hunter, Cyber security primer for legacy process plant
operation, 2017 56TH Annual Conference of the Society of Instrument and
Control Engineers of Japan (SICE), (2017) .
[24] P. Xu, S. He, W. Wang, W. Susilo, H. Jin, Lightweight searchable public-key
encryption for cloud-assisted wireless sensor networks, IEEE Trans. Ind. Inf. 14
(8) (2018) 3712–3723.
[25] A. Hassanzadeh, S. Modi, S. Mulchandani, Towards effective security control
assignment in the industrial internet of things, IEEE World Forum on Internet
of Things, (2015) .
[26] C.J. Smith, The industrial internet of things and cyber security. An ecological
and systemic perspective on security in digital industrial ecosystems,
Petroleum and Chemical Industry Conference Europe Conference, (2017) .
[27] L. Urquhart, D. McAuley, Avoiding the Internet of insecure industrial things,
Comput. Law Secur. Rev.: Int. J. Technol. Law Pract. 34 (3) (2018) 450–466.
[28] G.J. Palavicini, J. Bryan, E. Sheets, M. Kline, J. San Miguel, Towards firmware
analysis of Industrial Internet of Things (IIoT) - applying symbolic analysis to
IIoT firmware vetting, 2nd International Conference on Internet of Things, Big
Data and Security, (2017) .
[29] B. Van Lier, The Industrial Internet of Things and Cyber Security. An ecological and
systemic perspective on security in digital industrial ecosystems, 2017 21st
International Conference on System Theory, Control and Computing, (2017) .
[30] NIST - National Institute of Standards and Technology. Cybersecurity
framework - Critical Infrastructure Resources, 13 February 2018. [Online].
[Accessed 22 March 2018] Available: NIST https://www.nist.gov/
cyberframework/critical-infrastructure-resources
[31] X. Fan, K. Fan, Y. Wang, R. Zhou, Overview of cyber-security of industrial control
system, 2015 International Conference on Cyber Security of Smart Cities,
Industrial Control System and Communications (SSIC), (2015) .
[32] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, A. Hahn, Guide to Industrial
Control Systems (ICS) Security, NIST - National Institute of Standards and
Technology, 2015.
109
[33] D. Sullivan, E. Luiijf, E.J.M. Colbert, Components of industrial control systems,
Cyber-security of SCADA and Other Industrial Control Systems, Springer,
Cham, 2016, pp. 15–28.
[34] T. Lu, X. Guo, Y. Li, Y. Peng, X. Zhang, F. Xie, Y. Gao, Cyberphysical security for
industrial control systems based on wireless sensor networks, Int. J. Distrib.
Sens. Netw. 10 (6) (2014) p.17.
[35] A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security—a survey, IEEE
Internet Things J. 4 (6) (2017).
[36] Y. Ashibani, Q.H. Mahmoud, Cyber physical systems security: analysis,
challenges and solutions, Comput. Secur. 68 (2017) 81–97.
[37] R.F. Babiceanu, R. Seker, Cybersecurity and resilience modelling for software-
defined networks-based manufacturing application, Service Orientation in
Holonic and Multi-Agent Manufacturing. Studies in Computational
Intelligence, Springer, Cham, 2017, pp. 167–176.
[38] D. Preuveneers, W. Joosen, E. Ilie-Zudor, Trustworthy data-driven networked
production for customer-centric plants, Ind. Manag. Data Syst. 117 (10) (2017)
2305–2324.
[39] M. Cheminod, L. Durante, L. Seno, F. Valenza, A. Valenzano, C. Zunino,
Leveraging SDN to improve security in industrial networks, IEEE International
Workshop on Factory Communication Systems - Proceedings, (2017) .
[40] G. Corbò, C. Foglietta, C. Palazzo, S. Panzieri, Smart behavioural filter for
industrial internet of things, Mobile Networks and Application, Springer, 2017,
pp. 1–8.
[41] A. Khalid, P. Kirisci, Z. Zeashan Hameed Khan, Z. Ghrairi, K.-D. Thoben, J.
Pannek, Security framework for industrial collaborative robotic cyber-physical
systems, Comput. Ind. J. 97 (2018) 132–145.
[42] D. Preuveneers, E. Ilie-Zudor, Identity management for cyber-physical
production workflows and individualized manufacturing in industry 4.0,
Proceedings of the ACM Symposium on Applied Computing Part F128005,
(2017) .
[43] R. Roy, R. Stark, K. Tracht, S. Takata, M. Mori, Continuous maintenance and the
future – foundations and technological challenges, CIRP Ann. Manuf. Technol.
65 (2) (2016) 667–688.
[44] J. Yang, Y. Chen, W. Huang, Y. Li, Survey on artificial intelligence for additive
manufacturing, ICAC 2017 - 2017 23rd IEEE International Conference on
Automation and Computing, (2017) .
[45] S. Tedeschi, D. Rodrigues, C. Emmanouilidis, J. Erkoyuncu, R. Roy, A. Starr, A cost
estimation approach for IoT modular architectures implementation in legacy
systems, Procedia Manuf. 19 (2017) 103–110.
[46] S. Lee, S. Lee, H. Yoo, S. Kwon, T. Shon, Design and implementation of
cybersecurity testbed for industrial IoT systems, J. Supercomput. (2017) 1–15.
[47] K. Kobara, Cyber physical security for industrial control systems and IoT, IEICE
Trans. Inf. Syst. E99D (4) (2016) 787–795.
[48] F. Januario, C. Carvalho, A. Cardoso, P. Gil, Security challenges in SCADA systems
over wireless sensor and actuator networks, International Congress on Ultra
Modern Telecommunications and Control Systems and Workshops 2016,
(2016) .
[49] C. Jansen, Stabilizing the industrial system: managed security services’
contribution to cyber-peace, IFAC-PapersOnLine 50 (1) (2017) 5155–5160.
[50] T. Ahram, A. Sargolzaei, S. Sargolzaei, J. Daniels, B. Amaba, Blockchain
technology innovations, 2017 IEEE Technology & Engineering Management
Conference (TEMSCON), (2017) .
[51] B. Diebera, B. Breilinga, S. Taurera, S. Kaciankab, S. Rass, P. Schartner, Security
for the robot operating system, Rob. Auton. Syst. 98 (2017) 192–203.
[52] C. Jansen, S. Jeschke, Mitigating risks of digitalization through managed
industrial security services, AI Soc. J. (2018) 1–11.
[53] R. Chaturvedi, UL testing standards to mitigate cybersecurity risk  UL’s
approach with complement to the other standards for SICE 2017, 017 56TH
Annual Conference of the Society of Instrument and Control Engineers of Japan
(SICE), (2017) .
[54] A. Ren, D. Wu, W. Zhang, J. Terpenny, P. Liu, Cyber security in smart
manufacturing: survey and challenges, 67th Annual Conference and Expo of
the Institute of Industrial Engineers, (2017) .
[55] A. Ren, D. Wu, W. Zhang, J. Terpenny, P. Liu, Securing manufacturing data in the
cloud, Manuf. Eng. Mag. 157 (1) (2016) 69–77.
[56] C. Occhiuzzi, S. Amendola, S. Manzari, G. Marrocco, Industrial RFID sensing
networks for critical infrastructure security, European Microwave Week 2016:
"Microwaves Everywhere" (2016).
[57] L. Urquhart, D. McAuley, Cybersecurity implications of the industrial internet
of things, Conference TILTing Perspectives 2017: Regulating a Connected
World (2017).
[58] M. Sergey, S. Nikolay, Cyber security concept for internet of everything (IoE),
2017 Systems of Signal Synchronization, Generating and Processing in
Telecommunications, (2017) .
[59] T.H. Szymanski, Securing the industrial-tactile internet of things with
deterministic silicon photonics switches, IEEE Access 4 (2016).
[60] S. Pfeiffer, The vision of “Industrie 4.0” in the making—a case of future told,
tamed, and traded, NanoEthics 11 (1) (2017) 107–121.
[61] European Commission. Critical Infrastructure, [Online]. [Accessed 22 March
2018]. Available: European Commission https://ec.europa.eu/home-affairs/
what-we-do/policies/crisis-and-terrorism/critical-infrastructure_en
110 M. Lezzi et al. / Computers in Industry 103 (2018) 97–110
Marianna Lezzi is a PhD student in Complex System
Engineering at the University of Salento. Her research is
about the management of cybersecurity risks within
Industry 4.0 contexts. She has been involved in European
research projects (such as PRACTICE and TOREADOR)
based on the development of models for the management
of Big Data belonging to aeronautical companies. She has
experience in the definition of innovative business
management methodologies and secure collaborative
processes within the aeronautical supply chain.
Mariangela Lazoi, PhD, is Researcher in Department of
Innovation Engineering, University of Salento. She re-
ceived the Ph.D. degree in eBusiness from the University
of Salento, Lecce, in 2009. She is scientific responsible of
national research projects about new technologies
implementation in manufacturing and creative industries
and is involved in European research projects about big-
data management and product-service system imple-
mentation. She is responsible of the area IT4Industry in
the CORELab (Collaborative hOlistic Research Approach)
in the University of Salento and collaborates with
different companies addressing tecno-organizational
solutions. Her research interests are product design
methods and tools, product lifecycle management, business process management
and collaborative tools.
Angelo Corallo received the M.Sc. degree in physics from
the University of Lecce, Lecce, Italy, in 1999. He is an
Associated Professor with the Department of Innovation
Engineering, University of Salento, Lecce, and is respon-
sible of CORELab (Collaborative hOlistic Research Ap-
proach Laboratory) in the same University. His main
research interests include technologies and organization-
al strategies in complex industries, knowledge manage-
ment, and collaborative working environments in project
and process-based organizations, with specific reference
to the aerospace industry and languages, methodologies,
and technologies for knowledge modelling. He is coordi-
nator or scientific responsible of several research projects
such as: X@Work, Open Philosophies for Associative Autopoietic Digital Ecosystems
(OPAALS), Distributed Information Systems for Co-ordinated Service Oriented
interoperability (DISCORSO), Multichannel Adaptive Information system (MAIS),
Knowledge-based Innovation for the Web Infrastructure (KIWI), Towards Evolving
Knowledge-based internetworked Enterprise (TEKNE) Extended Net-Lab (X-Net-
Lab), Digital Business Ecosystem (DBE), Privacy-Preserving Computation in the
Cloud (PRACTICE), Secure Supply Chain Management (SecureSCM), Collaborative &
Robust Engineering using Simulation Capability Enabling Next Design Optimisation
(CRESCENDO), and TrustwOrthy model-awaRE Analytics Data platfORm (TOREA-
DOR).