Security modelling for cyber-physical systems: A systematic literature review

Author

Shaofei @wong Shao Fei HUANG, Singapore Management UniversityFollow
Christopher M. POSKITT, Singapore Management UniversityFollow
Lwin Khin SHAR, Singapore Management UniversityFollow

Publication Type

Journal Article

Version

acceptedVersion

Publication Date

11-2025

Abstract

Cyber-physical systems are at the intersection of digital technology and engineering domains, rendering them high-value targets of sophisticated and well-funded cybersecurity threat actors. Prominent cybersecurity attacks on CPS have brought attention to the vulnerability of these systems and the inherent weaknesses of critical infrastructure reliant on them. Security modelling for CPS is an important mechanism to systematically identify and assess vulnerabilities, threats, and risks throughout system life cycles, and to ultimately ensure system resilience, safety, and reliability. This survey delves into state-of-the-art research on CPS security modelling, encompassing both threat and attack modelling. While these terms are sometimes used interchangeably, they are different concepts. This paper elaborates on the differences between threat and attack modelling, examining their implications for CPS security. We conducted a systematic search that yielded 449 papers, from which 32 were selected and categorised into three clusters: those focused on threat modelling methods, attack modelling methods, and literature reviews. Specifically, we sought to examine what security modelling methods exist today, and how they address real-world cybersecurity threats and CPS-specific attacker capabilities throughout the life cycle of CPS, which typically span longer durations compared to traditional IT systems. This paper also highlights several limitations in existing research, wherein security models adopt simplistic approaches that do not adequately consider the dynamic, multi-layer, multi-path, and multi-agent characteristics of real-world cyber-physical attacks.

Keywords

Cyber-physical systems, security modelling, threat modelling, attack modelling, systematic literature review, advanced persistent threats, self-healing systems, safety, reliability, resilience

Discipline

Information Security

Research Areas

Cybersecurity; Software and Cyber-Physical Systems

Publication

ACM Transactions on Cyber-Physical Systems

First Page

1

Last Page

29

ISSN

2378-962X

Identifier

10.1145/3776549

Publisher

Association for Computing Machinery (ACM)

Citation

HUANG, Shaofei @wong Shao Fei; POSKITT, Christopher M.; and SHAR, Lwin Khin. Security modelling for cyber-physical systems: A systematic literature review. (2025). ACM Transactions on Cyber-Physical Systems. 1-29.
Available at: https://ink.library.smu.edu.sg/sis_research/10957

Copyright Owner and License

Authors-CC-

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3776549