
Security modelling for cyber-physical systems:

A systematic literature review


Shaofei Huang∗, Christopher M. Poskitt, Lwin Khin Shar
Singapore Management University, Singapore
arXiv:2404.07527v1 [cs.CR] 11 Apr 2024

Abstract
Today, cyber-physical systems (CPS) find themselves at the intersection of
digital technology and engineering domains, rendering them high-value tar-
gets of sophisticated and well-funded cybersecurity threat actors. Prominent
cybersecurity attacks on CPS have brought attention to the vulnerability of
these systems, and the soft underbelly of critical infrastructure reliant on
CPS. Security modelling for CPS is an important mechanism to systemati-
cally identify and assess vulnerabilities, threats, and risks throughout system
lifecycles, and to ultimately ensure system resilience, safety, and reliability.
This literature review delves into state-of-the-art research in CPS secu-
rity modelling, encompassing both threat and attack modelling. While these
terms are sometimes used interchangeably, they are different concepts. This
article elaborates on the differences between threat and attack modelling,
examining their implications for CPS security. A systematic search across
leading scientific databases yielded 428 articles, from which 15 were selected
and categorised into three clusters: those focused on threat modelling meth-
ods, attack modelling methods, and literature reviews. Specifically, we sought
to examine what security modeling methods exist today, and how they ad-
dress real-world cybersecurity threats and CPS-specific attacker capabilities
throughout the lifecycle of CPS, which typically span longer durations com-
pared to traditional IT systems.
This article also highlights several limitations in existing research, wherein
security models adopt simplistic approaches that do not adequately consider
the dynamic, multi-layer, multi-path, and multi-agent characteristics of real-
world cyber-physical attacks. Against this backdrop, we propose a unified
security modelling framework that aligns threat modelling, attack modelling,
and security monitoring across the lifecycle of CPS. Last but not least, this
article proposes future research directions in this evolving domain.
Keywords: cyber-physical systems, security modelling, threat modelling,
attack modelling, systematic literature review, advanced persistent threats,
self-healing systems, safety, reliability, resilience

∗Corresponding author
Email addresses: [email protected] (Shaofei Huang),
[email protected] (Christopher M. Poskitt), [email protected] (Lwin Khin Shar)
Preprint submitted to Elsevier April 12, 2024

1. Introduction
Cyber-physical systems (CPS) are complex systems that integrate physi-
cal processes with computational algorithms and network connectivity (Grif-
for et al. (2017)). These systems are designed to monitor, control, and op-
timize physical processes in real time, and are typically found in industrial
automation, smart infrastructure, healthcare, and transportation domains.
Today, CPS find themselves at the intersection of digital technology and engi-
neering, and consequently become a high-value target of cybersecurity threat
actors. Prominent cybersecurity attacks on CPS (Kumar et al. (2022)) have
brought attention to the vulnerability of these systems, and the soft
underbelly of critical infrastructure reliant on CPS. These
vulnerabilities could potentially result in significant consequences, affecting
lives, economies, and national security.
Although CPS cybersecurity is often discussed in the context of critical
infrastructure, CPS are increasingly interconnected in smart city infrastruc-
ture and the cloud. This presents cybersecurity risks not only from physical
and cyber components, but also from less conventional but critical attack
paths such as electric chargers. For example, Köhler et al. (2023) showed
that the Combined Charging System, one of the most widely used DC rapid
charging technologies for electric vehicles (EVs), could be exploited wirelessly
to interrupt charging sessions for individual vehicles or entire fleets at the
same time.
Today, CPS owners and operators face a daunting challenge in keeping
pace with the increasing volatility, uncertainty, complexity, and ambiguity
(VUCA) of cybersecurity threats. In IT systems, the consequences or impact
of IT security incidents are more predictable and can usually be identified
and mitigated before actual incidents occur. For example, companies can
prepare holding statements to media, and purchase cybersecurity insurance
to safeguard against reputational and financial loss before incidents occur.
In contrast, CPS cybersecurity attacks are dynamic, less predictable, conse-
quences may change quickly depending on the operating environment, and
incident triage and investigations can be especially challenging because of
the intricate and interconnected design of CPS.
Existing cybersecurity frameworks like the NIST Cybersecurity Frame-
work (National Institute of Standards and Technology (2023)), which could
help organisations manage and improve their cybersecurity risk manage-
ment, and international standards like IEC 62443-4-1:2018 (International
Electrotechnical Commission), which specifies process requirements for the
secure development of products used in industrial automation and control
systems, offer valuable guidance for securing CPS. However, the dynamic
nature and design constraints of CPS require a tailored approach, combin-
ing continual assessment and adaptation of physical measures, cybersecurity
practices, as well as risk mitigation controls.
Two key elements of this approach are threat and attack modelling. Al-
though both these terms are often used interchangeably, they are not the
same. Threat modelling aims to anticipate cybersecurity threats—usually
in the early stages of a system lifecycle, so that relevant mitigation controls
can be incorporated into the system design (Uzunov and Fernández (2014);
Dhillon (2011); Xiong and Lagerström (2019)). In contrast, attack modelling
delves into specific attacker tactics, techniques, and procedures—which may
not be limited to cyber but include physical actions as well—to develop tar-
geted defences and mitigation strategies when the system is in operation
(Al-Mohannadi et al. (2016); Saini et al. (2008); Schneier (1999); Zenitani
(2023)). On this note, threat and attack modelling need to be tailored for
CPS and can be an important tool for critical infrastructure owners and op-
erators when navigating cybersecurity threats faced in CPS (Yang and Zhang
(2023); Paudel et al. (2017)).
Contributions. In this review, we identified a number of state-of-the-
art threat modelling and attack modelling studies relevant to CPS, with
the following findings:

• Threat modelling is commonly conducted in early stages of system
development. However, this means that evolving attacker tactics, tech-
niques and procedures (TTPs) in later stages of system lifecycles will
render threat models outdated and irrelevant.

• Security models in the literature generally focus on IT systems, and
these models are challenging to use when modelling CPS cybersecurity
threats and attacks. This is a pertinent issue for practitioners given
the multi-layer, multi-path or multi-agent characteristics of real-world
cybersecurity attacks in CPS.

• Most papers do not differentiate between cybersecurity breaches in IT
systems versus those in CPS. Unlike IT systems, cybersecurity incidents
in CPS can result in complex failure modes, as well as consequences in
both cyber and physical domains. Adopting a consequence-driven and
cyber-informed approach to CPS security is vital towards ensuring that
cyber and physical attacks, effects and consequences are considered in
security modelling.

• There is ambiguity in the literature regarding the definitions and rela-
tionship between threat modelling and attack modelling. Correspond-
ingly, a unified security modelling framework that integrates threat
modelling, attack modelling, and security monitoring to enhance the
cyber resilience of CPS is proposed in this article.

The rest of the article is structured as follows: Section 2 provides an
overview of the review’s background while Section 3 describes related work.
Our methodology and results are outlined in Sections 4 and 5. Based on
the results, we discuss our findings and research directions for future work in
Section 6, and conclude in Section 7.

2. Background
This section provides some background into how CPS differ from con-
ventional IT systems, and the characteristics of adversaries who target CPS
in cyber attacks. Together, this explains why a tailored security modelling
approach is necessary for CPS.

2.1. Cyber-Physical Systems


Different from traditional IT systems, a CPS is a System of Systems (SoS)
that integrates computational elements, communication networks, and phys-
ical processes to form a unified system. CPS converges Information Technol-
ogy (IT) and Operational Technology (OT) and has different priorities for
cybersecurity. OT focuses on safety and reliability, while IT emphasises the
confidentiality, integrity, and availability of information. Additionally, CPS
networks must accommodate diverse communication modes, ranging from
standalone to highly networked systems, potentially utilising legacy proto-
cols such as serial communications, TCP/IP, or object exchange protocols.
The heterogeneity and, in certain instances, expansive geographic scopes of
CPS networks contribute to the complexity of modelling security for CPS.
Despite their longer system lifecycles, CPS are not upgraded or patched
frequently as system or software changes may affect their reliability or even
safety (Kavallieratos et al. (2020); Kriaa et al. (2015); Sabaliauskaite and
Mathur (2014); Suo et al. (2018)). This results in outdated software, expos-
ing CPS to an ever-increasing number of cybersecurity vulnerabilities over
time. At the same time, some CPS employ “security-by-obscurity”, using
proprietary software and technology that may contain undisclosed security
weaknesses that attackers could exploit. Moreover, the lack of “security-by-
design” in CPS lowers the resilience to cybersecurity attacks even further,
as CPS may lack security logs and fail to leverage log data for proactive
cybersecurity monitoring and defence. Finally, there is a misconception that
merely physically isolating CPS from external networks, known as an “air
gap” network security measure, is adequate to shield
CPS from all cybersecurity threats. However, this notion is flawed, particu-
larly in scenarios where multi-agent, multi-path CPS attacks could employ
social engineering techniques, physical access, insider threats, and exploit
supply-chain vulnerabilities, enabling attackers to breach the “air gap” and
compromise CPS, even when they are physically segregated from external
networks.

2.2. Adversarial model


MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowl-
edge) (Strom et al. (2018)) serves as a widely adopted knowledge base for
characterising the actions and behaviours of cyber adversaries. Specifically
tailored for Industrial Control Systems (ICS)—a category of CPS—MITRE
ATT&CK provides a matrix known as “ATT&CK for ICS” (Alexander et al.
(2020)). This matrix focuses on the unique Tactics, Techniques, and
Procedures (TTPs) employed by adversaries targeting
industrial control environments. These TTPs play a crucial role in inform-
ing and guiding cybersecurity defence for CPS across the various stages of
a cyber-attack lifecycle, as outlined in the Lockheed Martin cyber kill chain
model (Hutchins et al. (2011)).
An analysis of past cyber attacks on CPS reveals a taxonomy (Zhu et al.
(2011)) highlighting differences from those observed in IT systems, necessi-
tating a tailored security modelling approach for CPS. CPS attackers employ
dynamic, multi-agent, and multi-path attack TTPs to defeat physical access
controls and “airgap” measures (isolating CPS from external networks). Ad-
ditionally, adversaries evolve their TTPs over time, such as using “low and
slow” TTPs to evade detection and prolong access to compromised CPS.

2.3. CPS cyber-intrusion example


We present an example of a 6-month long CPS intrusion by a sophis-
ticated attacker group comprising two adversaries A and B, adapted from
one of the authors’ professional experience. In this example, Adversary A
compromises the organisation’s IT network to gain remote access to a CPS
engineer’s computer and employs social engineering techniques to deliver
custom malware to an isolated (“air gapped”) CPS network. Adversary B’s
focus on the other hand is to develop custom malware to firstly profile the
CPS, then to weaponise custom malware to manipulate connected Remote
Terminal Units (RTUs) causing physical damage e.g. via actuators or valves.
The diamond model of intrusion analysis (Caltagirone et al. (2013)), as well
as a combination of the diamond model and the cyber kill-chain (Ertaul and
Mousa (2018)) are used to describe both the flow (Figure 1) and timeline
(Table 1) of this CPS cyber-attack.
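The diamond model and the kill chain used above can be combined in one small data model, which is what the following Python script does. It is an added worked example, not code from the paper: it transcribes the Figure 1 steps and the Table 1 timeline into diamond-model events tagged with kill-chain phases and months, regenerates the phase-by-month grid, and derives from the same record the figures a defender would want: dwell time, the two removable-media crossings into the air-gapped network, the months of IT-only activity before any CPS effect, and how the kill-chain phases divide between adversaries A and B. The `layer` field, the shortened event wording and labels such as "Attacker toolchain" and "IT host" are our own constructed assumptions.

```python
"""Diamond-model / kill-chain encoding of the CPS intrusion in Section 2.3.

Added worked example, not code from the paper. Each event carries the four
diamond-model vertices (adversary, infrastructure, capability, victim), its
cyber kill-chain phase and its month from Table 1. The 'layer' field and the
shortened event wording are our own constructed transcription of Figure 1.
"""
from collections import defaultdict
from dataclasses import dataclass

KILL_CHAIN = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
              "Installation", "C2", "Actions on Objectives"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun"]


@dataclass(frozen=True)
class Event:
    month: str
    phase: str
    adversary: str       # diamond vertex: "A" (IT intrusion) or "B" (malware author)
    infrastructure: str  # diamond vertex
    capability: str      # diamond vertex (the TTP)
    victim: str          # diamond vertex
    layer: str           # where the step executes: "IT", "CPS" or "Adversary" (our addition)

    def __post_init__(self):
        # Refuse events that cannot be placed on the Table 1 grid.
        if self.phase not in KILL_CHAIN or self.month not in MONTHS:
            raise ValueError(f"unknown phase/month: {self.phase}/{self.month}")


# Constructed transcription of Figure 1 and Table 1 (wording shortened).
EVENTS = [Event(*row) for row in [
    ("Jan", "Reconnaissance", "A", "Exchange Server", "Scan email servers, find account credentials", "IT users", "IT"),
    ("Jan", "Exploitation", "A", "VPN", "Access VPN with a valid username and password", "IT infrastructure", "IT"),
    ("Jan", "Installation", "A", "IT network", "Install Cobalt Strike beacon agent", "IT host", "IT"),
    ("Jan", "C2", "A", "IT network", "Establish C2 callback", "IT host", "IT"),
    ("Feb", "Reconnaissance", "A", "IT network", "Find users/systems with access to CPS", "CPS engineer", "IT"),
    ("Feb", "Weaponisation", "B", "Attacker toolchain", "Customise Malware A for CPS information gathering", "CPS network", "Adversary"),
    ("Feb", "Exploitation", "A", "IT network", "Compromise CPS engineer's computer (lateral movement)", "CPS engineer", "IT"),
    ("Feb", "Installation", "A", "Engineer's computer", "Install Cobalt Strike beacon agent", "CPS engineer", "IT"),
    ("Feb", "C2", "A", "IT network", "Establish C2 callback from IT network", "CPS engineer", "IT"),
    ("Mar", "Delivery", "A", "USB thumb-drive + autorun.inf", "Engineer unwittingly carries Malware A to CPS", "CPS network", "CPS"),
    ("Mar", "Installation", "B", "CPS network", "Malware A runs, collects network information", "CPS network", "CPS"),
    ("Mar", "C2", "A", "IT network", "Maintain access", "CPS engineer", "IT"),
    ("Apr", "Weaponisation", "B", "Attacker toolchain", "Customise Malware B: RTU commands, alarm suppression", "RTUs", "Adversary"),
    ("Apr", "C2", "B", "USB thumb-drive", "CPS information saved to thumb-drive at next access", "CPS network", "CPS"),
    ("May", "Delivery", "A", "USB thumb-drive + autorun.inf", "Engineer unwittingly carries Malware B to CPS", "CPS network", "CPS"),
    ("May", "Installation", "B", "CPS network", "Malware B hides process, schedules task", "CPS network", "CPS"),
    ("May", "Exploitation", "B", "CPS network", "Suppress alarm reporting to central computer", "Central computer", "CPS"),
    ("May", "C2", "A", "IT network", "Maintain access", "CPS engineer", "IT"),
    ("Jun", "Exploitation", "B", "Scheduled task", "Manipulate connected RTUs", "RTUs", "CPS"),
    ("Jun", "C2", "A", "IT network", "Maintain access", "CPS engineer", "IT"),
    ("Jun", "Actions on Objectives", "B", "RTUs", "Physical damage; services disrupted", "Physical process", "CPS"),
]]


def timeline(events):
    """Phase-by-month grid of capabilities, i.e. the shape of Table 1."""
    grid = {(p, m): [] for p in KILL_CHAIN for m in MONTHS}
    for e in events:
        grid[(e.phase, e.month)].append(e.capability)
    return grid


def dwell_time_months(events):
    """Months from the first adversary activity to the last recorded step."""
    idx = [MONTHS.index(e.month) for e in events]
    return max(idx) - min(idx) + 1


def air_gap_crossings(events):
    """Delivery steps landing in the CPS layer: each is a point where removable-
    media controls or engineer awareness could have broken the chain."""
    return [e for e in events if e.phase == "Delivery" and e.layer == "CPS"]


def first_month_in_layer(events, layer):
    """First month with activity in a layer (None if it never appears). The gap
    between the IT and CPS values is the window IT-side detection had before
    any cyber-physical effect."""
    months = [MONTHS.index(e.month) for e in events if e.layer == layer]
    return MONTHS[min(months)] if months else None


def adversary_phases(events):
    """Kill-chain phases each adversary covers: the multi-agent view."""
    roles = defaultdict(set)
    for e in events:
        roles[e.adversary].add(e.phase)
    return {a: sorted(p, key=KILL_CHAIN.index) for a, p in roles.items()}


def render(grid):
    """Compact text rendering of the grid ('x' = activity in that cell)."""
    head = "Phase".ljust(22) + "".join(m.ljust(5) for m in MONTHS)
    rows = [p.ljust(22) + "".join(("x" if grid[(p, m)] else ".").ljust(5) for m in MONTHS)
            for p in KILL_CHAIN]
    return "\n".join([head] + rows)


if __name__ == "__main__":
    print(render(timeline(EVENTS)))
    print("dwell:", dwell_time_months(EVENTS), "months; air-gap crossings:",
          [e.month for e in air_gap_crossings(EVENTS)], "; roles:", adversary_phases(EVENTS))
```

Run directly, the script prints the regenerated grid and the derived figures. The same functions can be pointed at events from a real incident record to check whether the phases, layers and adversary roles actually observed were covered by the threat model produced at design time, which is the feedback loop the framework in Section 2.4 calls for.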

2.4. Security modelling framework for CPS


In the CPS cyber intrusion example, we demonstrated the key character-
istics and inter-relationships between threat and attack modelling methods,
namely the diamond model and cyber kill-chain respectively. Against this
backdrop, we propose a unified security modelling framework for CPS (Fig-
ure 2) that integrates these modelling methods while drawing from contin-
uous security monitoring across all stages of the CPS lifecycle for informed
cybersecurity decision-making.
This security modelling framework for CPS does not replace threat mod-
elling and attack modelling methods. Rather, the framework makes it easier
and more practical for CPS cybersecurity practitioners to adopt and use
these modelling methods to address evolving cybersecurity threats and at-
tacker capabilities throughout the CPS lifecycle.

1. Adversary A obtains a list of users from the Exchange Server and acquires
access to the IT infrastructure with a valid username and password.
2. Adversary A performs lateral movement in the IT network, discovers and
acquires remote access to the CPS engineer’s computer.
3. Adversary B customises Malware A to passively gather network
information from the CPS network.
4. Adversary A saves Malware A and autorun.inf in the engineer’s thumb-drive
using social-engineering techniques to automatically install malware on CPS.
5. Engineer delivers Malware A to CPS via USB thumb-drive.
6. Malware A runs and collects network information, and saves it in the
engineer’s thumb-drive at next access.
7. Adversary B customises Malware B to issue malicious commands to
connected RTUs and suppress alarm reporting to the central computer.
8. Adversary A saves Malware B and autorun.inf in the engineer’s thumb-drive
using social-engineering techniques to automatically install malware on CPS.
9. Engineer delivers Malware B to CPS via USB thumb-drive.
10. Malware B schedules a task and hides in the background.
11. Scheduled task manipulates connected RTUs causing physical damage.

Figure 1: CPS cyber intrusion flow (diamond model vertices: Adversary,
Infrastructure, Capabilities (TTPs), Victim (CPS Engineer); capabilities are
deployed via infrastructure)

3. Related Work
There are few existing systematic literature reviews (SLR) on threat mod-
elling or attack modelling. Humayed et al. (2017)’s literature survey covered
the security and privacy of cyber-physical systems, with a special focus on
ICS, smart grids, medical devices, and smart cars. They presented a tax-
onomy of CPS threats, vulnerabilities, known attacks and existing controls,
and importantly, captured how an attack of the physical domain of a CPS
can result in unexpected consequences in the cyber domain and vice versa.
The SLR by Xiong and Lagerström (2019) was another early review on
cybersecurity threat modelling, where one CPS threat modeling method
was cited: Burmester et al. (2012)’s framework. Based on the Byzantine
paradigm, it enables the modeling of CPS security and facilitates formal
analysis and security proof through cryptographic methodologies. Tatam
et al. (2021) reviewed threat modelling approaches for APT-style attacks,
but the review did not focus on CPS security. The SLR by Khalil et al.
(2023) on the other hand, focused on threat modelling of industrial control
systems (ICS). The authors described the various ICS threat models adopted
in literature, and noted it was timely to consider a framework that covers all
aspects of the various threat modelling methods.

Table 1: CPS cyber intrusion timeline

Phase | January | February | March | April | May | June
Reconnaissance | Scan for email servers, find account credentials | Find users or systems that have access to CPS | | | |
Weaponisation | | Customise malware for CPS information gathering | | Customise malware for RTU reset | |
Delivery | | | Deploy malware to CPS through engineer’s USB thumb-drive | | Deploy malware to CPS through engineer’s USB thumb-drive |
Exploitation | Access VPN | Compromise CPS engineer’s computer | | | Suppress alarm reporting to main server | Scheduled task manipulates connected RTUs
Installation | Install Cobalt Strike beacon agent | Install Cobalt Strike beacon agent | Malware runs and collects network information | | Malware runs on CPS and hides process, awaits scheduled task |
C2 | Establish C2 callback | Establish C2 callback from IT network | Maintain access | CPS information saved in USB thumb-drive | Maintain access | Maintain access
Actions on Objectives | | | | | | Services disrupted

Earlier, the evaluation of threat modelling methods by Shevchenko et al.
(2018) made a similar conclusion that there is no one method that can cover
the full spectrum of CPS threats, and a framework that employed a combina-
tion of methods and techniques should be used. Supporting this argument,
the hybrid threat model for smart systems proposed by Valenza et al. (2023),
and the work by Li et al. (2021) on security-usability threat modelling for
industrial control systems underscored the need to consider not only cyber
but also human factors in ICS threat modelling due to the system-of-systems
(SoS) nature of CPS.
These CPS threat modelling methods and techniques were well-covered in
the literature, with case studies in specific industries and domains, e.g. the
study of smart grid CPS cybersecurity by Nafees et al. (2023), the study
of cyber-physical energy systems security (CPES) by Zografopoulos et al.
(2021), the application of the STRIDE threat model in modern vehicle vul-
nerability assessments by Abuabed et al. (2023), the work on CPS threat
modelling for power transformers by Ahn et al. (2021), the work on medical
CPS threat modelling by Almohri et al. (2017), the work by Al Asif and
Khondoker (2020) on telesurgery system threat modelling, the work by Jbair
et al. (2022) on threat modelling for industrial cyber-physical systems (ICPS)
in the manufacturing industry, and the work on threat modelling in smart
firefighting systems by Zahid et al. (2023).

Figure 2: Security modelling framework for CPS. The framework spans the
Cyber-Physical Systems Lifecycle, noting that cyber-physical systems have
longer lifecycles than typical IT systems and that real-world incidents inform
future threat and attack models:
• Design / Development Phase: Threat Modelling, driven by design
specifications from the System Integrator / OEM and System Owner /
Operator; activities are threat identification, risk assessment, and risk
mitigation strategies.
• Deployment / Implementation Phase: Attack Modelling, via attack
simulations by cybersecurity analysts and penetration testing; activities
are vulnerability assessment and red-teaming.
• Operation / Maintenance Phase: Security Monitoring, via security
operations, attack surface management and threat hunting; activities are
24x7 security monitoring, digital forensics and incident response (DFIR),
threat intelligence and incident analysis, corrective controls and actions,
and continuous improvement based on a feedback loop from threat and
attack modelling.

4. Methodology
We followed the guidelines for systematic literature reviews proposed by
Kitchenham and Charters (2007). The process of our literature review is
shown in Figure 3.

4.1. Research questions


This review aims to answer the following Research Questions (RQs):

• RQ1: What cyber-physical system (CPS) threat or attack models have
been adopted in existing literature?

The rationale for this research question is to understand what the “state-
of-the-art” research in this area is.

Figure 3: Literature review process. Planning the review: research
question(s), search protocol. Conducting the review: quality assessment,
data collection, clustering and classification, data synthesis. Reporting
the review: result analysis, future research directions.

• RQ1.1: How do the proposed threat and attack models align with cy-
bersecurity in various phases of the cyber-physical system lifecycle?

The rationale for this research question is to understand how existing
CPS threat and attack models address cybersecurity threats not only in
the design phase, but when CPS are in operational phases. This is par-
ticularly crucial as CPS may operate for many years, and likely render
threat models considered in the system design irrelevant.

• RQ1.2: In what manner do the proposed threat and attack models ad-
just to evolving attacker tactics, techniques, and procedures over time?

The rationale for this research question is to understand how existing
CPS threat and attack models are augmented and improved with real-
world feedback from cybersecurity intrusions, near-misses, or external
threat intelligence information. This is an important bridge between
theoretical models and practice, that can lead to tangible security im-
provements in CPS.

• RQ2: What research gaps have been identified in the methods used for
modelling threats and attacks in cyber-physical systems (CPS)?

The rationale for this research question is to help identify research gaps
in current CPS security modelling methodologies and to direct future
research efforts.

Figure 4: Comparison of search results between US and UK English keywords

4.2. Search protocol


This sub-section aims to describe the search protocol that we used in this
review.
We used US English for all search terms. For example, we used “modeling”
rather than the UK English “modelling”. We validated that Scopus did
not distinguish between the spellings and returned the same search results
(Figure 4).
We selected IEEE Computer Society Digital Library, Science Direct,
ACM Digital Library and Scopus to perform our search for articles. These
scientific databases were chosen as they are recognised as reputable and ac-
curate repositories for academic literature, and they have a good collection
of results relating to cybersecurity articles and publications.
For the search keywords, we were primarily interested in searching for
cybersecurity modelling, security modelling, threat modelling and attack modelling,
in line with the subject of our literature review. As such, we specified our
first search keywords as: “security model”, “security modeling”, “cybersecu-
rity model”, “cybersecurity modeling”, “threat model”, “threat modeling”,
“attack model”, and “attack modeling”. We included both words, “model”
and “modeling” to increase the coverage of search results.
As we wanted to narrow our search results to articles on security, threat,
or attack modelling, we limited the initial search to article titles. There was
a need to make minor changes to the search terms, depending on the Boolean
vocabulary used on the database.

• On IEEE Computer Society Digital Library, we selected Advanced
Search, selected the “in Document Title” option, and entered the search
keywords: (model modeling) AND (cybersecurity security threat attack).

• On ScienceDirect, we selected Advanced Search and entered
(“cybersecurity model” OR “security model” OR “threat model” OR
“attack model”) in the Title field. The Boolean “OR” had to be specified,
and there was no need to specify the “modeling” keyword as it is implied
by “model” in the search term.

• On ACM Digital Library, we selected “Edit Search”, selected “Title”
under “Search Within”, then entered: (“security model” “security
modeling” “cybersecurity model” “cybersecurity modeling” “threat model”
“threat modeling” “attack model” “attack modeling”).

• On Scopus, we selected “Article title” under the “Search within” field,
then entered “security model” OR “security modeling” OR “threat
model” OR “threat modeling” OR “attack model” OR “attack
modeling” OR “cybersecurity model” OR “cybersecurity modeling” in the
“Search documents” field.

We then refined the search results further by specifying additional key-
words: (“cyber physical” CPS SCADA ICS APT), to search within article
titles, abstracts and contents. We included SCADA (Supervisory Control
and Data Acquisition), ICS (Industrial Control System) and APT (Advanced
Persistent Threat) in the search, so that search results would be relevant to
the adversarial tactics, techniques and procedures associated with CPS cyber
attacks.

• On IEEE Computer Society Digital Library, we used the Advanced
Search menu with the previous keywords, selected the “AND” and “in
Anything” options, and entered the keywords: (“cyber physical” CPS
SCADA ICS APT).

• On ScienceDirect, we selected Advanced Search and entered (“cyber
physical” OR CPS OR SCADA OR ICS OR APT) in the “Find articles
with these terms” field.

• On ACM Digital Library, we selected “Edit Search”, added a new
search field, selected “Anywhere” under “Search Within”, then entered:
(“cyber physical” OR CPS OR SCADA OR ICS OR APT).

• On Scopus, we selected “Add search field”, selected “Article title, Ab-
stract, Keywords” under the “Search within” field, and entered: “cyber
physical” OR CPS OR SCADA OR ICS OR APT.

In the final phase of the search protocol, we removed repeated articles
from the combined search results, based on similar article titles. We also re-
moved articles that were not related to the research questions, after reviewing
article titles and abstracts.

4.3. Categorisation and classification


We categorised the selected articles into three clusters according to the
following criteria:

• Cluster 1 (C1): Article focuses on threat modelling method(s)

• Cluster 2 (C2): Article focuses on attack modelling method(s)

• Cluster 3 (C3): Article is a systematic literature review (SLR)

Additionally, we classified the articles according to the following criteria:

1. Year of publication

2. Document type, i.e. conference paper, article, review, book chapter,
etc.

3. Number of citations (based on Google Scholar Citations)

4. Research question(s) article is relevant to

4.4. Quality assessment
In this phase, we reviewed the articles to ensure they were relevant to CPS
security, threat or attack modelling, and we removed articles that did not
describe these models’ approaches, CPS applications, or CPS case-studies. We
also reviewed bibliographies in the articles and included additional articles
that may be relevant to the review.

4.5. Data collection


We studied the articles closely to understand the background, approaches,
and results from the various research. Importantly, we sought to identify gaps
in the research in terms of security modelling in the context of CPS cyber
attacks. We documented our notes from the review in a shared repository
(Huang (2024)) for future reference.

4.6. Data analysis


In the final phase of the SLR methodology, we synthesised our findings
and documented our analysis as well as future research directions.

5. Results
The search was conducted on the following digital libraries in January
2024: IEEE Computer Society Digital Library, Science Direct, ACM Digital
Library and Scopus. Following the search, we had 438 articles in total. We
performed a rigorous quality assessment, where we first excluded duplicate
articles, then we identified and excluded irrelevant articles based on their
abstracts. We then performed full-reading of about 27 articles that remained
and excluded articles that were not relevant to any of our research questions.
Finally, we had 15 articles subject to further analysis (Figure 5).
The articles were categorised into three clusters (Table 2) based on full
reading of the articles: threat modelling (C1), attack modelling (C2), and
SLRs (C3). There were no articles on “security modelling” that were relevant
to CPS.
There were 10 articles in C1 and five in C2, showing that existing lit-
erature delved into threat modelling methods more than attack modelling
methods. We then classified the articles based on the criteria described
in Section 4.3.
The first selected article was published in 2013 and although no article was
published in 2014, the number of relevant articles has gradually risen over
the years (Figure 6), signaling a growing level of research interest in CPS
security modelling. Furthermore, out of the 15 selected articles, seven were
from conference proceedings and eight were from journals. This indicated
that almost an equal number of articles in CPS cybersecurity modelling were
published in journals and conferences.

Figure 5: Search results (January 2024). Criteria A (search in article titles,
using the per-database queries of Section 4.2): IEEE Computer Society Digital
Library 168, ScienceDirect 119, ACM Digital Library 1132, Scopus 2515.
Criteria B ((“cyber-physical” CPS SCADA ICS APT)): IEEE Computer Society
Digital Library 44, ScienceDirect 104, ACM Digital Library 150, Scopus 140;
total 438. After excluding duplicates and articles found irrelevant from their
abstracts, 27 articles were read in full and 15 relevant to the RQs were
selected.
Next, we used citation metrics on Google Scholar to identify articles that
had more than 100 citations. As of January 2024, only two of the 15 selected
articles had more than 100 citations (Table 3). The top cited article was on
STRIDE-based threat modelling for cyber-physical systems by Khan et al.
(2017), followed by the SLR on threat modelling by Xiong and Lagerström
(2019). This observation, together with that from the number of articles
published yearly, suggested that this field of research is still relatively new.
Finally, we performed full reading of the 15 articles and analysed which
research questions they were relevant to (Table 4).
Three of the articles (Ayrour et al. (2018); Kumar et al. (2022); Mekdad
et al. (2021)) addressed all the research questions. The remaining articles
addressed some, but not all the research questions. 12 of the 15 articles
were relevant to RQ1, and only two of the seven C1 articles were relevant
to RQ1.1 (28.57%), one was relevant to RQ1.2 (14.29%), and three (42.86%)
were relevant to RQ2. On the other hand, three of the four C2 articles were
relevant to RQ1.1 (75%), four were relevant to RQ1.2 (100%) and two were
relevant to RQ2 (50%). Lastly, three of the four C3 articles were relevant to
RQ1.1 (75%), one was relevant to RQ1.2 (25%), and four were relevant to
RQ2.

Table 2: Categorisation of articles

| Reference | Title | Threat Modelling (C1) | Attack Modelling (C2) | SLRs (C3) |
|---|---|---|---|---|
| Ayrour et al. (2018) | Modelling cyber attacks: a survey study | | | • |
| Fernandez (2016) | Threat modeling in cyber-physical systems | • | | |
| Khalil et al. (2022) | Threat Modeling of Cyber-Physical Systems - A Case Study of a Microgrid System | • | | |
| Khalil et al. (2023) | Threat modeling of industrial control systems: A systematic literature review | | | • |
| Khan et al. (2017) | STRIDE-based threat modeling for cyber-physical systems | • | | |
| Kim et al. (2022) | STRIDE-based threat modeling and DREAD evaluation for the distributed control system in the oil refinery | • | | |
| Kumar, R., et al. (2022) | APT attacks on industrial control systems: A tale of three incidents | | • | |
| Martins et al. (2015) | Towards a systematic threat modeling approach for cyber-physical systems | • | | |
| Mekdad et al. (2021) | A threat model method for ICS malware: the TRISIS case | • | | |
| Neubert and Vielhauer (2020) | Kill chain attack modelling for hidden channel attack scenarios in industrial control systems | | • | |
| Paudel et al. (2017) | Attack models for advanced persistent threats in smart grid wide area monitoring | | • | |
| Tatam et al. (2021) | A review of threat modelling approaches for APT-style attacks | | | • |
| Xiong and Lagerström (2019) | Threat modeling – A systematic literature review | | | • |
| Yang and Zhang (2023) | From Tactics to Techniques: A Systematic Attack Modeling for Advanced Persistent Threats in Industrial Control Systems | | • | |
| Zalewski et al. (2013) | Threat modeling for security assessment in cyberphysical systems | • | | |

Table 3: Top-cited articles

| Reference | Citations |
|---|---|
| Khan et al. (2017) | 239 |
| Xiong and Lagerström (2019) | 231 |

A comparison of articles across the clusters (Figure 7) showed that ex-
isting literature that focused on threat modelling (C1) addressed RQ1 more
than the other research questions. Those that were focused on attack mod-
elling (C2) appeared to address RQ2 less. Lastly, the C3 articles did not
address RQ1 as they were literature reviews, and these articles appeared to
address RQ1.2 less.

Figure 6: Number of articles per year

6. Discussion
This section aims to describe the findings and limitations of this review,
as well as future research directions.

6.1. Findings
The selected 15 articles were categorised into three clusters: threat mod-
elling methods (C1), attack modelling methods (C2), and SLRs (C3). There
were eventually seven C1 articles, five C2 articles, and three C3 articles.

6.1.1. RQ1
To answer the first research question, “what cyber-physical system (CPS)
threat or attack models have been adopted in existing literature?”, we aimed
to identify the threat and attack models that were adopted in the selected
articles. This was not straightforward, as authors appeared to have varying
definitions of threat and attack modelling methods; SLRs in particular
categorised both as threat modelling methods.
For example, Khalil et al. (2023) proposed “attack-centric threat mod-
elling” in their ICS threat modelling taxonomy, and distinguished the term
from attack modelling, stating that the latter focused solely on the attacker’s
behaviour and not the defender’s perspective. In addition, Tatam et al.
(2021) categorised models that are typically used to analyse cyber attacks,
such as the diamond intrusion analysis model (Caltagirone et al., 2013),
attack trees (Saini et al. (2008); Schneier (1999)), the kill chain (Hutchins
et al. (2011)), and the MITRE ATT&CK framework (Strom et al. (2018)) as threat
models.

Table 4: Article relevance to research questions
Reference Cluster RQ1 RQ1.1 RQ1.2 RQ2
Fernandez (2016) C1 •
Khalil et al. (2022) C1 • •
Khan et al. (2017) C1 •
Kim et al. (2022) C1 • •
Martins et al. (2015) C1 •
Mekdad et al. (2021) C1 • • • •
Zalewski et al. (2013) C1 • •
Kumar et al. (2022) C2 • • • •
Neubert & Vielhauer (2020) C2 • • •
Paudel et al. (2017) C2 • • •
Yang and Zhang (2023) C2 • • •
Ayrour et al. (2018) C3 • • • •
Khalil et al. (2023) C3 • •
Tatam et al. (2021) C3 • •
Xiong and Lagerström (2019) C3 •

As such, we used the clusters as a basis for identifying threat and attack
modelling methods described in the articles (Table 5), since the categori-
sation was based on research objectives and approach. We found that this
approach produced a reasonable result as the modelling methods appeared
to be categorised correctly. One exception was the article by Mekdad et al.
(2021) where the diamond intrusion analysis model may be more accurately
categorised as an attack modelling method.

6.1.2. RQ1.1
On the second research question, “how do the proposed threat and attack
models align with cybersecurity in various phases of the cyber-physical sys-
tem lifecycle?”, we found that threat modelling was conducted in the early
stages of the system development cycle (Khalil et al. (2022)), or more specif-
ically, during system design and validation phases (Khan et al. (2017); Kim
et al. (2022); Martins et al. (2015)). Interestingly, unlike threat modelling,
none of the C2 articles suggested or mentioned which phase of the system
lifecycle attack modelling should be performed in. A possible reason is that
attack modelling is seen as a complement to threat modelling methods (Khalil
et al. (2022); Kumar et al. (2022)).

Figure 7: Relevant articles across clusters (bar chart of relevant articles
(%) per cluster C1, C2, C3, with one bar each for RQ1, RQ1.1, RQ1.2 and RQ2)

6.1.3. RQ1.2
On the third research question, “in what manner do the proposed threat
and attack models adjust to evolving attacker tactics, techniques, and proce-
dures over time?”, we found that there were different views on incorporating
attacker tactics, techniques, and procedures (TTPs) into threat modelling
frameworks. For example, Khalil et al. (2022) viewed that attack categories
in their proposed attack taxonomy should be abstract and should not include
details of the attack techniques such as those in MITRE ATT&CK for In-
dustrial Control Systems (Alexander et al. (2020)). In contrast, Fernandez
(2016) proposed a threat model using misuse patterns which may include
attacker TTPs to represent CPS threats.
Likewise, several articles made references to attacker TTPs, or similar
attacker behavioural characteristics in their analysis. Mekdad et al. (2021)
combined the Diamond Model of intrusion analysis (Caltagirone et al. (2013))
and the ICS kill chain (Assante and Lee (2015)) to generate the ICS threat
model. Attack trees (Schneier (1999)) were used to model CPS attacks (Ku-
mar et al. (2022); Paudel et al. (2017)), while Neubert and Vielhauer (2020)
presented how the Lockheed Martin Cyber Kill Chain (Hutchins et al. (2011))
can be used to model hidden channel attack scenarios in ICS. Yang and Zhang
(2023) proposed an abstract APT attack model that can recognise and correlate
attacker TTPs to identify and mitigate complex attacks in ICS, highlighting
the need to consider the range of TTPs used by sophisticated adversaries to
represent real threats and reflect the evolving threat landscape.

Table 5: Threat and attack modelling methods adopted in selected articles

| Reference | Cluster | Threat Modelling Method(s) | Attack Modelling Method(s) |
|---|---|---|---|
| Fernandez (2016) | C1 | Misuse patterns | |
| Khalil et al. (2022) | C1 | STRIDE | |
| Khan et al. (2017) | C1 | STRIDE | |
| Kim et al. (2022) | C1 | STRIDE, DREAD | |
| Martins et al. (2015) | C1 | Generic Modeling Environment (GME) | |
| Mekdad et al. (2021) | C1 | Diamond Model of Intrusion Analysis | |
| Zalewski et al. (2013) | C1 | STRIDE | |
| Kumar et al. (2022) | C2 | | Attack tree |
| Neubert and Vielhauer (2020) | C2 | | Kill chain |
| Paudel et al. (2017) | C2 | | Attack tree |
| Yang and Zhang (2023) | C2 | | Abstract APT attack model |

Importantly, we noted that while several articles considered the need
for threat or attack models to account for changes over time, they did not
include attacker TTPs as one of those changes. For example, Almohri et al.
(2017) recognised that the threat model of a medical CPS is related to its
corresponding trust model, and the trust model may include time-bound
elements such as temporarily-trusted individuals or accounts. Additionally,
Khalil et al. (2022) noted that systems may change over time and information
initially excluded from threat analysis should be included in future threat
models to account for system modifications.
Our findings raise the question of whether threat modelling continues
to be relevant to CPS security design if it is conducted in the early
stages of system development, given the usually long periods of development
and implementation for complex CPS infrastructure. The cyber threats and
available technologies to defend against those threats would have changed by
the time the CPS becomes operational, often resulting in insecure systems.
Relatedly, this presents a critical issue potentially affecting national
security. CPS are usually used in critical national infrastructure and, for
that reason, are a prime target of sophisticated adversaries who have
extensive resources, capabilities and experience, and who may adopt “low and
slow” tactics to infiltrate and maintain persistence in compromised CPS over
many months and years. Outdated threat models would not be able to adjust
to, and enable swift detection and eradication of, these persistent threats.

6.1.4. RQ2
For our final research question, “what research gaps have been identified
in the methods used for modelling threats and attacks in cyber-physical sys-
tems (CPS)?”, we made several observations from the literature.

Security models mostly focus on IT systems. Firstly, threat and attack
models in the literature mostly focus on IT systems, even in the context
of CPS security. For example, the STRIDE model developed by Microsoft
was used in several articles to identify CPS threats, notwithstanding
that the model is more commonly used in the context of software develop-
ment and system security. Using STRIDE in CPS threat modelling (Abuabed
et al. (2023); Khan et al. (2017); Kim et al. (2022)) has several limitations
which were not obvious in the literature.
Specifically, the STRIDE approach relies on Data Flow Diagrams (DFDs)
to identify system entities and trust boundaries, which has several shortcom-
ings related to inadequate representation of security concepts, data elements,
abstraction levels, and deployment information (Sion et al. (2020)). More-
over, it is sometimes not practical or even possible to construct an accurate
DFD in CPS. There are various reasons for this: a CPS is a system-of-systems
that includes both cyber and physical components; availability, accuracy and
integrity of data flows between cyber and physical components cannot be as-
sumed; and most importantly, the consequences of CPS compromise extend
beyond those specified in the STRIDE model, e.g. physical changes or effects.
This limitation may be addressed by leveraging diverse, multi-disciplinary
expertise from physical security and domain specialists to augment the DFD
by capturing interdependencies and interactions between cyber and physical
components, and not be limited to IT systems; and by continuously refining
the DFD based on real-time data and feedback from system operations and
cybersecurity events detected in the CPS environment over time.
Relatedly, the literature refers to CPS use-cases in the context of indus-
trial control systems (ICS), smart grids, medical CPS (MCPS), supervisory
control and data acquisition (SCADA) systems, or modern vehicles. We
expect that CPS use-cases will increasingly include new scenarios involving
technologies such as robotics, drones, EV charging infrastructure and smart
buildings. Conventional threat modelling approaches, primarily tailored for
IT systems, may encounter heightened challenges when addressing cyberse-
curity threats in these emerging domains.

Attack scenarios are not realistic. Secondly, most threat and attack
modelling methods in the literature made assumptions based on simplistic cy-
bersecurity attack scenarios, and did not consider the multi-layer, multi-path
or multi-agent characteristics of real-world cybersecurity attacks in CPS. The
exceptions were: Fernandez (2016) who proposed a patterns-based threat
model that considers multiple vulnerabilities exploited in different parts of
a distributed system, and Zografopoulos et al. (2021) who analysed Cyber-
Physical Energy Systems (CPES) security from a multi-layered attack per-
spective.

Differentiation between IT and CPS cybersecurity breaches. Thirdly,
most of the literature did not differentiate cybersecurity breaches in CPS
from those in IT systems, in that the former are not a binary (all or
nothing) event. Instead of abrupt, catastrophic system failures, CPS
cybersecurity breaches often result in gradual degradation of system
services before the CPS fails eventually (Zalewski et al. (2013)). This is
analogous to a system fault in an autonomous vehicle: the vehicle does not
come to a stop immediately, which would injure the passengers, but instead
gradually slows to a safe stop. The implication for CPS security is that,
from a cyber defence perspective, there is an opportunity to remediate
intrusions through cyber or physical interventions (Ertaul and Mousa (2018))
or to perform dynamic reconfiguration and self-healing tasks (Zografopoulos
et al. (2021)) before the CPS fails completely.

Consequence-driven considerations. CPS increasingly face cybersecurity
threats that can endanger the safety, reliability and resilience of
critical infrastructure. With the convergence of cybersecurity, safety, and
reliability in CPS, it would be beneficial to adopt a consequence-driven and
cyber-informed approach (Freeman et al. (2016)) towards threat and attack
modelling, and align with system development processes in engineering do-
mains such as the V-model that is commonly used in the automotive industry
(Bolz et al. (2020)), as well as the failure mode and effect analysis (FMEA)
and fault-tree analysis (FTA) techniques used in safety and reliability
engineering domains (Kriaa et al. (2015)). Doing so will avoid making threat or
attack modelling a one-time event that assumes static cybersecurity threats
and vulnerabilities, resulting in inherent security weaknesses that are “baked”
into proprietary CPS systems and software designs.

Distinguishing between CPS threat and attack modelling. Lastly, we
found that while the literature used “threat modelling” and “attack modelling”
interchangeably, both terms usually referred to threat modelling and
not the latter. On the other hand, some authors promoted definitions of
threat modelling from literature and distinguished threat from attack mod-
elling (Khalil et al. (2023); Xiong and Lagerström (2019)), while others
proposed security modelling frameworks that are based on threat models
(Burmester et al. (2012)). Based on the literature, we analysed the various
characteristics and inter-relationships between threat and attack modelling
methods and these are aligned with our proposed unified security modelling
framework for CPS as described in Section 2.4.

6.2. Future work
The limitations identified in the literature can be summarised as follows:
existing security models predominantly focus on IT systems, neglecting
the unique complexities of CPS scenarios and overlooking the multi-layered,
multi-path, and multi-agent nature of real-world CPS attacks. Additionally,
they often do not distinguish the consequences of cybersecurity breaches in
CPS from those in IT systems and tend to treat cybersecurity threats as
static and one-time events, contributing to inherent security weaknesses em-
bedded within proprietary CPS systems and software designs.
Against this backdrop, our future work may be to research cybersecurity
anomaly detection in CPS, to review the extent to which real-world
cybersecurity intrusions and threat intelligence can inform and, at the same
time, enhance security modelling throughout the CPS system lifecycle. A
more context-driven security model such as this would better enable the
identification of vulnerabilities, understanding of attack propagation
mechanisms, and evaluation of system resilience.
We may also use Petri net based approaches (Chen et al. (2011); Dahl and
Wolthusen (2006)) to better model CPS intrusions, integrating both cyber
and physical actions. Petri nets are a graphical and mathematical tool for
studying concurrent and distributed systems and have been widely applied
in many different areas of computer science and other disciplines (Murata
(1989)). In the context of CPS intrusion analysis, Petri nets are invalu-
able for modelling the interactions between cyber and physical components
over time, thereby overcoming limitations of existing security modelling ap-
proaches when considering dynamic, multi-agent cyber-physical threats.
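Taking the Petri net direction in this paragraph as an added example (not code from the paper, nor from Chen et al. or Dahl and Wolthusen): a small 1-safe place/transition net, with constructed and hypothetical place and transition names, in which the cyber steps of an intrusion and their physical effects share one marking. A breadth-first reachability search then answers two defender questions: is the unsafe physical marking reachable from a given configuration, and which single transition must a control block to cut every path to it. The gradual degradation discussed above shows up as an intermediate marking (pressure elevated) between nominal and unsafe.

```python
"""Petri net reachability over a constructed cyber-physical intrusion model.

Added example with hypothetical names (not from the paper or the works it
cites): cyber steps and their physical effects share one state space, so an
exhaustive search can tell a defender whether the unsafe physical state is
reachable and which single transition, if blocked by a control, cuts every path.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Marking = FrozenSet[str]  # 1-safe net: a marking is the set of marked places
Transition = Tuple[str, FrozenSet[str], FrozenSet[str]]  # (name, pre, post)


def t(name: str, pre: List[str], post: List[str]) -> Transition:
    """Build a transition; a place listed in both pre and post is only read."""
    return (name, frozenset(pre), frozenset(post))


TRANSITIONS: List[Transition] = [
    # cyber steps: two alternative entry paths into the OT network
    t("gain_it_foothold", ["attacker_external"], ["attacker_external", "foothold_it"]),
    t("pivot_to_ot", ["foothold_it", "it_ot_link_open"],
      ["foothold_it", "it_ot_link_open", "foothold_ot"]),
    t("use_exposed_remote_access", ["attacker_external", "remote_access_exposed"],
      ["attacker_external", "remote_access_exposed", "foothold_ot"]),
    t("tamper_safety_logic", ["foothold_ot", "trip_enabled"], ["foothold_ot", "trip_disabled"]),
    t("change_setpoint", ["foothold_ot", "setpoint_nominal"], ["foothold_ot", "setpoint_malicious"]),
    # physical consequences: the process degrades gradually, not all at once
    t("pressure_rises", ["setpoint_malicious", "pressure_nominal"],
      ["setpoint_malicious", "pressure_elevated"]),
    t("safety_trip", ["pressure_elevated", "trip_enabled"],
      ["pressure_nominal", "trip_enabled", "plant_tripped"]),
    t("pressure_exceeds_limit", ["pressure_elevated", "trip_disabled"],
      ["pressure_unsafe", "trip_disabled"]),
    # defender steps made possible by the window the gradual degradation opens
    t("detect_drift", ["pressure_elevated", "monitoring_on"],
      ["pressure_elevated", "monitoring_on", "alarm"]),
    t("restore_setpoint", ["alarm", "setpoint_malicious"], ["alarm", "setpoint_nominal"]),
]

# Constructed baseline configuration: IT/OT link open, safety trip enabled,
# process nominal, monitoring on, no exposed remote access.
BASELINE: Marking = frozenset({"attacker_external", "it_ot_link_open", "trip_enabled",
                               "setpoint_nominal", "pressure_nominal", "monitoring_on"})


def fire(marking: Marking, tr: Transition) -> Optional[Marking]:
    """Successor marking if `tr` is enabled in `marking`, otherwise None."""
    _, pre, post = tr
    if not pre <= marking:
        return None
    return (marking - pre) | post


def reachability_graph(initial: Marking, transitions: List[Transition]
                       ) -> Dict[Marking, Optional[Tuple[Marking, str]]]:
    """BFS over all reachable markings; maps each to (predecessor, transition
    name), the initial marking to None. Finite: markings are subsets of places."""
    pred: Dict[Marking, Optional[Tuple[Marking, str]]] = {initial: None}
    queue = deque([initial])
    while queue:
        current = queue.popleft()
        for tr in transitions:
            nxt = fire(current, tr)
            if nxt is not None and nxt not in pred:
                pred[nxt] = (current, tr[0])
                queue.append(nxt)
    return pred


def shortest_path_to(initial: Marking, transitions: List[Transition],
                     place: str) -> Optional[List[str]]:
    """Shortest firing sequence that marks `place`, or None if unreachable."""
    pred = reachability_graph(initial, transitions)
    # dict order is BFS discovery order, so the first hit is at minimal depth
    target = next((m for m in pred if place in m), None)
    if target is None:
        return None
    path: List[str] = []
    while pred[target] is not None:
        target, name = pred[target]
        path.append(name)
    return path[::-1]


def single_transition_cuts(initial: Marking, transitions: List[Transition],
                           place: str) -> Set[str]:
    """Transitions whose removal alone makes `place` unreachable: the steps
    where one control (segmentation, logic integrity, an interlock) breaks
    every path, i.e. where a defender gets the most from a single measure."""
    return {tr[0] for tr in transitions
            if shortest_path_to(initial, [x for x in transitions if x is not tr],
                                place) is None}


if __name__ == "__main__":
    print("baseline:", shortest_path_to(BASELINE, TRANSITIONS, "pressure_unsafe"))
    print("cuts with exposed remote access:", sorted(single_transition_cuts(
        BASELINE | {"remote_access_exposed"}, TRANSITIONS, "pressure_unsafe")))
```

Reachability is existential, so adding defender transitions such as `detect_drift` never makes the unsafe marking unreachable; the cut analysis, not the presence of a detection transition, is what shows where a control actually closes every path.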
Finally, our future work may be to research self-healing techniques in
CPS, to bolster existing cybersecurity defences and strengthen system re-
silience whether through cyber or physical actions, against sophisticated ad-
versaries and threats.

6.3. Limitations of this review
Although we aimed to cover as much existing literature on security, threat
and attack modelling in CPS as possible, we limited our search protocol to
leading scientific databases so that the quality of the articles could be
ensured. Furthermore, we limited our search to journals and conference
proceedings and consequently may have missed relevant articles from other
sources such as book chapters.
We also limited the initial scope of search to keywords in the article
titles. This approach may have excluded articles relevant to security mod-
elling, threat modelling, or attack modelling that did not explicitly mention
these terms in their titles. However, to partially mitigate this exclusion, we
reviewed the bibliographies of the selected papers and added any other
relevant articles that may have been missed initially. Nevertheless, we
ensured that only articles pertinent to the research questions were selected
for eventual review. Based on the review of abstracts of the shortlisted
articles from the search, we believe the coverage of the review to be
sufficiently comprehensive.
Finally, our research questions were focused on how existing security mod-
elling approaches addressed CPS, and corresponding adversarial tactics, tech-
niques, and procedures. These factors may introduce some bias into the
articles selected for review, and we may have missed articles that are
relevant to CPS but did not mention adversarial models specifically. We
addressed this by reviewing bibliographies in the selected articles and then
including additional articles that may be relevant to the review.

7. Conclusion
In this review, we identified a number of state-of-the-art threat modelling
and attack modelling studies relevant to cyber-physical systems (CPS), with
the following findings.
• Threat modelling is commonly conducted in early stages of system
development. However, this means that evolving attacker tactics, tech-
niques and procedures (TTPs) in later stages of system lifecycles will
render threat models outdated and irrelevant.
• Security models in the literature generally focus on IT systems, and
these models are challenging to use when modelling CPS cybersecurity
threats and attacks. This is a pertinent issue for practitioners given
the multi-layer, multi-path or multi-agent characteristics of real-world
cybersecurity attacks in CPS.
• Most papers do not differentiate between cybersecurity breaches in IT
systems versus those in CPS. Unlike IT systems, cybersecurity incidents
in CPS can result in complex failure modes, as well as consequences in
both cyber and physical domains. Adopting a consequence-driven and
cyber-informed approach to CPS security is vital towards ensuring that
cyber and physical attacks, effects and consequences are considered in
security modelling.
• There is ambiguity in the literature regarding the definitions and rela-
tionship between threat modelling and attack modelling. Correspond-
ingly, a unified security modelling framework that integrates threat
modelling, attack modelling, and security monitoring to enhance the
cyber resilience of CPS is proposed in this article.
While the number of published articles is small compared to more established
research domains, there is visible and growing interest in CPS cybersecurity
research, as evidenced by the rising number of publications since 2013.
Anticipating the broader use of CPS beyond traditional industrial scenarios,
we envisage continued improvements in both the diversity and quality of
articles in this domain, underscoring the growing significance of CPS
cybersecurity.

References
Abuabed, Z., Alsadeh, A., Taweel, A., 2023. STRIDE threat model-based
framework for assessing the vulnerabilities of modern vehicles. Computers
& Security 133, 103391.
URL: https://linkinghub.elsevier.com/retrieve/pii/S0167404823003012,
doi:10.1016/j.cose.2023.103391.

Ahn, B., Kim, T., Smith, S.C., Youn, Y.W., Ryu, M.H., 2021. Security
Threat Modeling for Power Transformers in Cyber-Physical Environments,
in: 2021 IEEE Power & Energy Society Innovative Smart Grid Technologies
Conference (ISGT), IEEE. pp. 1–5.
URL: https://ieeexplore.ieee.org/document/9372271/,
doi:10.1109/ISGT49243.2021.9372271.

Al Asif, M.R., Khondoker, R., 2020. Cyber Security Threat Modeling of A
Telesurgery System, in: 2020 2nd International Conference on Sustainable
Technologies for Industry 4.0 (STI), IEEE. pp. 1–6.
URL: https://ieeexplore.ieee.org/document/9350452/,
doi:10.1109/STI50764.2020.9350452.

Al-Mohannadi, H., Mirza, Q.K.A., Namanya, A.P., Awan, I., Cullen, A.J.,
Disso, J.P., 2016. Cyber-attack modeling analysis techniques: An overview,
in: 4th IEEE International Conference on Future Internet of Things and
Cloud Workshops, FiCloud Workshops 2016, Vienna, Austria, August 22-24,
2016, IEEE Computer Society. pp. 69–76.
URL: https://doi.org/10.1109/W-FiCloud.2016.29, doi:10.1109/W-FICLOUD.2016.29.

Alexander, O., Belisle, M., Steele, J., 2020. MITRE ATT&CK® for Industrial
Control Systems: Design and Philosophy.

Almohri, H., Cheng, L., Yao, D., Alemzadeh, H., 2017. On Threat Modeling
and Mitigation of Medical Cyber-Physical Systems, in: 2017 IEEE/ACM
International Conference on Connected Health: Applications, Systems and
Engineering Technologies (CHASE), IEEE. pp. 114–119.
URL: http://ieeexplore.ieee.org/document/8010624/, doi:10.1109/CHASE.2017.69.

Assante, M.J., Lee, R.M., 2015. The Industrial Control System Cyber Kill
Chain. URL: https://www.sans.org/white-papers/36297/.

Ayrour, Y., Raji, A., Nassar, M., 2018. Modelling cyber-attacks: a survey
study. Network Security 2018, 13–19.
URL: http://www.magonlinelibrary.com/doi/10.1016/S1353-4858%2818%2930025-4,
doi:10.1016/S1353-4858(18)30025-4.

Bolz, R., Rumez, M., Sommer, F., Dürrwang, J., Kriesten, R., 2020.
Enhancement of Cyber Security for Cyber Physical Systems in the Automotive
Field Through Attack Analysis.

Burmester, M., Magkos, E., Chrissikopoulos, V., 2012. Modeling security in
cyber–physical systems. International Journal of Critical Infrastructure
Protection 5, 118–126.
URL: https://linkinghub.elsevier.com/retrieve/pii/S1874548212000443,
doi:10.1016/j.ijcip.2012.08.002.

Caltagirone, S., Pendergast, A., Betz, C., 2013. The Diamond Model of
Intrusion Analysis.

Chen, T.M., Sanchez-Aarnoutse, J.C., Buford, J., 2011. Petri Net Modeling
of Cyber-Physical Attacks on Smart Grid. IEEE Transactions on Smart Grid 2,
741–749. URL: http://ieeexplore.ieee.org/document/5967924/,
doi:10.1109/TSG.2011.2160000.

Dahl, O., Wolthusen, S., 2006. Modeling and Execution of Complex Attack
Scenarios using Interval Timed Colored Petri Nets, in: Fourth IEEE
International Workshop on Information Assurance (IWIA’06), IEEE.
pp. 157–168. URL: http://ieeexplore.ieee.org/document/1610008/,
doi:10.1109/IWIA.2006.17.

Dhillon, D., 2011. Developer-driven threat modeling: Lessons learned in the
trenches. IEEE Secur. Priv. 9, 41–47.
URL: https://doi.org/10.1109/MSP.2011.47, doi:10.1109/MSP.2011.47.

Ertaul, L., Mousa, M., 2018. Applying the Kill Chain and Diamond Models to
Microsoft Advanced Threat Analytics.

Fernandez, E.B., 2016. Threat Modeling in Cyber-Physical Systems, in: 2016
IEEE 14th Intl Conf on Dependable, Autonomic and Secure Computing, 14th Intl
Conf on Pervasive Intelligence and Computing, 2nd Intl Conf on Big Data
Intelligence and Computing and Cyber Science and Technology Congress
(DASC/PiCom/DataCom/CyberSciTech), IEEE. pp. 448–453.
URL: https://ieeexplore.ieee.org/document/7588885/,
doi:10.1109/DASC-PICom-DataCom-CyberSciTec.2016.89.

Freeman, S.G., St Michel, C., Smith, R., Assante, M., 2016.
Consequence-driven cyber-informed engineering (CCE). Technical Report
INL/EXT-16-39212. URL: https://www.osti.gov/biblio/1341416,
doi:10.2172/1341416.

Griffor, E.R., Greer, C., Wollman, D.A., Burns, M.J., 2017. Framework for
cyber-physical systems: volume 1, overview. Technical Report NIST SP 1500-201.
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-201.pdf,
doi:10.6028/NIST.SP.1500-201.

Huang, S., 2024. CPS Security Modelling Literature Review Notes.
URL: https://github.com/shaofeihuang/CPS-Security-Modelling-Literature-Review.

Humayed, A., Lin, J., Li, F., Luo, B., 2017. Cyber-Physical Systems
Security—A Survey. IEEE Internet of Things Journal 4, 1802–1831.
URL: http://ieeexplore.ieee.org/document/7924372/, doi:10.1109/JIOT.2017.2703172.

Hutchins, E.M., Cloppert, M.J., Amin, R.M., 2011. Intelligence-Driven
Computer Network Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains.

International Electrotechnical Commission. IEC 62443-4-1:2018.
URL: https://webstore.iec.ch/publication/33615.

Jbair, M., Ahmad, B., Maple, C., Harrison, R., 2022. Threat modelling for
industrial cyber physical systems in the era of smart manufacturing.
Computers in Industry 137, 103611.
URL: https://linkinghub.elsevier.com/retrieve/pii/S0166361522000069,
doi:10.1016/j.compind.2022.103611.

Kavallieratos, G., Katsikas, S.K., Gkioulos, V., 2020. Cybersecurity and
safety co-engineering of cyberphysical systems - A comprehensive survey.
Future Internet 12, 65. URL: https://doi.org/10.3390/fi12040065,
doi:10.3390/FI12040065.

Khalil, S.M., Bahsi, H., Dola, H.O., Korõtko, T., McLaughlin, K., Kotkas,
V., 2022. Threat Modeling of Cyber-Physical Systems - A Case Study of a
Microgrid System. Computers & Security 124, 102950.
URL: https://linkinghub.elsevier.com/retrieve/pii/S016740482200342X,
doi:10.1016/j.cose.2022.102950.

Khalil, S.M., Bahsi, H., Korõtko, T., 2023. Threat modeling of industrial
control systems: A systematic literature review. Computers & Security 136,
103543. URL: https://linkinghub.elsevier.com/retrieve/pii/S0167404823004534,
doi:10.1016/j.cose.2023.103543.

Khan, R., McLaughlin, K., Laverty, D., Sezer, S., 2017. STRIDE-based threat
modeling for cyber-physical systems, in: 2017 IEEE PES Innovative Smart Grid
Technologies Conference Europe (ISGT-Europe), IEEE. pp. 1–6.
URL: http://ieeexplore.ieee.org/document/8260283/,
doi:10.1109/ISGTEurope.2017.8260283.

Kim, K.H., Kim, K., Kim, H.K., 2022. STRIDE-based threat modeling and DREAD
evaluation for the distributed control system in the oil refinery. ETRI
Journal 44, 991–1003.
URL: https://onlinelibrary.wiley.com/doi/10.4218/etrij.2021-0181,
doi:10.4218/etrij.2021-0181.

Kitchenham, B., Charters, S., 2007. Guidelines for performing systematic
literature reviews in software engineering.

Kriaa, S., Pietre-Cambacedes, L., Bouissou, M., Halgand, Y., 2015. A survey
of approaches combining safety and security for industrial control systems.
Reliability Engineering & System Safety 139, 156–178.
URL: https://www.sciencedirect.com/science/article/pii/S0951832015000538,
doi:10.1016/j.ress.2015.02.008.

Kumar, R., Kela, R., Singh, S., Trujillo-Rasua, R., 2022. APT attacks on
industrial control systems: A tale of three incidents. International Journal
of Critical Infrastructure Protection 37, 100521.
URL: https://linkinghub.elsevier.com/retrieve/pii/S1874548222000129,
doi:10.1016/j.ijcip.2022.100521.

Köhler, S., Baker, R., Strohmeier, M., Martinovic, I., 2023. Brokenwire:
Wireless Disruption of CCS Electric Vehicle Charging, in: Proceedings 2023
Network and Distributed System Security Symposium, Internet Society.
doi:10.14722/ndss.2023.23251.

Li, K., Rashid, A., Roudaut, A., 2021. Vision: Security-Usability Threat
Modeling for Industrial Control Systems, in: Proceedings of the 2021 European
Symposium on Usable Security, ACM. pp. 83–88. doi:10.1145/3481357.3481527.

Martins, G., Bhatia, S., Koutsoukos, X., Stouffer, K., Tang, C., Candell, R.,
2015. Towards a systematic threat modeling approach for cyber-physical
systems, in: 2015 Resilience Week (RWS), pp. 1–6.
URL: https://ieeexplore.ieee.org/abstract/document/7287428,
doi:10.1109/RWEEK.2015.7287428.

Mekdad, Y., Bernieri, G., Conti, M., Fergougui, A.E., 2021. A threat model
method for ICS malware: the TRISIS case, in: Proceedings of the 18th ACM
International Conference on Computing Frontiers, ACM. pp. 221–228.
doi:10.1145/3457388.3458868.

Murata, T., 1989. Petri Nets: Properties, Analysis and Applications.
Proceedings of the IEEE 77.

Nafees, M.N., Saxena, N., Cardenas, A., Grijalva, S., Burnap, P., 2023.
Smart Grid Cyber-Physical Situational Awareness of Complex Operational
Technology Attacks: A Review. ACM Computing Surveys 55, 1–36.
doi:10.1145/3565570.

National Institute of Standards and Technology, 2023. The NIST Cybersecurity
Framework 2.0. Technical Report NIST CSWP 29 ipd.
URL: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf,
doi:10.6028/NIST.CSWP.29.ipd.

Neubert, T., Vielhauer, C., 2020. Kill Chain Attack Modelling for Hidden
Channel Attack Scenarios in Industrial Control Systems. IFAC-PapersOnLine 53,
11074–11080.
URL: https://linkinghub.elsevier.com/retrieve/pii/S2405896320305231,
doi:10.1016/j.ifacol.2020.12.246.

Paudel, S., Smith, P., Zseby, T., 2017. Attack Models for Advanced Persistent
Threats in Smart Grid Wide Area Monitoring, in: Proceedings of the 2nd
Workshop on Cyber-Physical Security and Resilience in Smart Grids, ACM.
pp. 61–66. doi:10.1145/3055386.3055390.

Sabaliauskaite, G., Mathur, A.P., 2014. Aligning cyber-physical system safety
and security, in: Complex Systems Design & Management Asia, Designing Smart
Cities: Proceedings of the First Asia - Pacific Conference on Complex Systems
Design & Management, CSD&M Asia 2014, Singapore, December 10-12, 2014,
Springer. pp. 41–53. URL: https://doi.org/10.1007/978-3-319-12544-2_4,
doi:10.1007/978-3-319-12544-2_4.

Saini, V., Duan, Q., Paruchuri, V., 2008. Threat Modeling Using Attack Trees.

Schneier, B., 1999. Attack Trees.
URL: https://tnlandforms.us/cs594-cns96/attacktrees.pdf.

Shevchenko, N., Frye, B.R., Woody, C., 2018. Threat Modeling For
Cyber-Physical System-of-Systems: Methods Evaluation.

Sion, L., Yskout, K., Landuyt, D.V., van Den Berghe, A., Joosen, W., 2020.
Security threat modeling: Are data flow diagrams enough?, in: ICSE ’20: 42nd
International Conference on Software Engineering, Workshops, Seoul, Republic
of Korea, 27 June - 19 July, 2020, ACM. pp. 254–257.
URL: https://doi.org/10.1145/3387940.3392221, doi:10.1145/3387940.3392221.

Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G.,
Thomas, C.B., 2018. MITRE ATT&CK: Design and philosophy.

Suo, D., Siegel, J.E., Sarma, S.E., 2018. Merging safety and cybersecurity
analysis in product design. IET Intelligent Transport Systems 12, 1103–1109.
URL: https://ietresearch.onlinelibrary.wiley.com/doi/abs/10.1049/iet-its.2018.5323,
doi:10.1049/iet-its.2018.5323.

Tatam, M., Shanmugam, B., Azam, S., Kannoorpatti, K., 2021. A review of
threat modelling approaches for APT-style attacks. Heliyon 7, e05969.
URL: https://linkinghub.elsevier.com/retrieve/pii/S2405844021000748,
doi:10.1016/j.heliyon.2021.e05969.

Uzunov, A.V., Fernández, E.B., 2014. An extensible pattern-based library and
taxonomy of security threats for distributed systems. Comput. Stand.
Interfaces 36, 734–747. URL: https://doi.org/10.1016/j.csi.2013.12.008,
doi:10.1016/J.CSI.2013.12.008.

Valenza, F., Karafili, E., Steiner, R.V., Lupu, E.C., 2023. A Hybrid Threat
Model for Smart Systems. IEEE Transactions on Dependable and Secure
Computing 20, 4403–4417. URL: https://ieeexplore.ieee.org/document/9916127/,
doi:10.1109/TDSC.2022.3213577.

Xiong, W., Lagerström, R., 2019. Threat modeling – A systematic lit-
erature review. Computers & Security 84, 53–69. URL: https://
linkinghub.elsevier.com/retrieve/pii/S0167404818307478, doi:10.
1016/j.cose.2019.03.010.

Yang, Y., Zhang, M., 2023. From Tactics to Techniques: A Systematic Attack
Modeling for Advanced Persistent Threats in Industrial Control Systems,
in: 2023 IEEE European Symposium on Security and Privacy Workshops
(EuroS&PW), IEEE. pp. 336–344. URL: https://ieeexplore.ieee.
org/document/10190669/, doi:10.1109/EuroSPW59978.2023.00042.

Zahid, S., Mazhar, M.S., Abbas, S.G., Hanif, Z., Hina, S., Shah, G.A.,
2023. Threat modeling in smart firefighting systems: Aligning MITRE
ATT&CK matrix and NIST security controls. Internet of Things
22, 100766. URL: https://linkinghub.elsevier.com/retrieve/pii/
S2542660523000896, doi:10.1016/j.iot.2023.100766.

Zalewski, J., Drager, S., McKeever, W., Kornecki, A.J., 2013. Threat mod-
eling for security assessment in cyberphysical systems, in: Proceedings of
the Eighth Annual Cyber Security and Information Intelligence Research
Workshop, ACM. pp. 1–4. doi:10.1145/2459976.2459987.

Zenitani, K., 2023. Attack graph analysis: An explanatory guide. Com-


put. Secur. 126, 103081. URL: https://doi.org/10.1016/j.cose.2022.
103081, doi:10.1016/J.COSE.2022.103081.

Zhu, B., Joseph, A., Sastry, S., 2011. A Taxonomy of Cyber Attacks on
SCADA Systems, in: 2011 International Conference on Internet of Things
and 4th International Conference on Cyber, Physical and Social Comput-
ing, IEEE. pp. 380–388. URL: http://ieeexplore.ieee.org/document/
6142258/, doi:10.1109/iThings/CPSCom.2011.34.

Zografopoulos, I., Ospina, J., Liu, X., Konstantinou, C., 2021. Cyber-
Physical Energy Systems Security: Threat Modeling, Risk Assess-
ment, Resources, Metrics, and Case Studies. IEEE Access 9, 29775–
29818. URL: https://ieeexplore.ieee.org/document/9351954/,
doi:10.1109/ACCESS.2021.3058403.

32

You might also like