A summary on: Cybersecurity for Critical Infrastructures

ABSTRACT

This paper explores the complexities and challenges in securing critical infrastructure, focusing on the vulnerabilities introduced by the convergence of Information Technology (IT) and Operational Technology (OT). Through case studies of Stuxnet and the Ukrainian Power Grid, the paper highlights the tangible risks of cyber-attacks on essential systems. It discusses the hurdles posed by technological heterogeneity, lack of standardization, human factors, and resource constraints. The paper advocates for a multi-layered, defense-in-depth approach to cybersecurity, emphasizing the need for regulatory oversight, continuous monitoring, and real-time updates. It concludes by calling for adaptive cybersecurity frameworks that can navigate the intricacies of the IT-OT landscape, thereby ensuring the resilience and security of critical infrastructure.

Keywords: Critical Infrastructure, Cybersecurity, Information Technology (IT), Operational Technology (OT)

INTRODUCTION

To commence our exploration of cybersecurity for critical infrastructure, it is essential to first establish a general understanding of what encompasses critical infrastructure.

As the name suggests, critical infrastructure refers to the essential systems and assets that are necessary for the functioning of society, economy, and state[1]. Therefore, critical infrastructures prevent us, members of society, from plunging into chaos and anarchy, for without them, there would be no emergency number to reach in case of distress, there would be no electricity, there would be no water supply[2], all of which we take for granted as a functioning member of society, would be forfeit. ?

In today's digital age, the threat of cyberattacks has become increasingly prevalent, highlighting the need to protect our valuable assets and ensure the security of our society. The consequences of cyberattacks can be devastating, leaving us vulnerable and exposed when we least expect it[3].

Despite the growing concern about cybersecurity, there is a paradoxical gap between public perception and action. Studies have shown that the public expresses great concern about cybersecurity but fails to take adequate measures to protect their safety online[4], which can by extension, be applied to the lack of cybersecurity measures in the workplace, be it neglect from the user, under-enforced cybersecurity policies, or even governmental funding[5].

Regardless of this lack of awareness, by the public, governments and organizations, the ever-increasing frequency and severity of cyberattacks on critical infrastructures have highlighted the urgent need for effective cybersecurity measures. Prominent examples such as the Stuxnet attack, the Ukrainian power grid outage, and the Viasat attack[6] serve as stark reminders of the potential consequences of cyberattacks on our critical infrastructures. These incidents have raised awareness about the vulnerabilities and risks associated with industrial environments and underscored the importance of cybersecurity in safeguarding critical infrastructures[7].

In this paper, we are going to explore exactly why it is it not only of paramount importance to protect our critical assets, but also, why it can be an extremely cumbersome task to accomplish, as there is an overlap between new and old technology, in a field that forgives no mistakes.?

Where IT and OT meet

Critical infrastructures predominantly serve industrial functions, as they are designed to provide essential services and goods like energy and transportation[8]. These infrastructures largely operate on Operational Technology (OT), also known as Industrial Control Systems (ICS).

Initially, the design of industrial operations did not factor in cybersecurity, for reasons that were evident at the time. However, the landscape has dramatically shifted, rendering what was once considered "air-gapped" and impenetrable in the OT world as vulnerable as its IT counterpart[9].

The shift towards integrating Information Technology (IT) with OT has gained momentum, a trend further accelerated by the COVID-19 lockdowns that necessitated remote work[10]. This convergence, while beneficial for operational efficiency, introduces a unique set of challenges, particularly in cybersecurity.

IT systems, designed primarily for data processing and transfer, focus on the Confidentiality and Integrity aspects of the CIA triad in Information Security. In stark contrast, OT systems, which are engineered to monitor and control physical processes, prioritize Availability. This is especially crucial as these systems have a direct impact on human safety[11].

Navigating this complex landscape requires a nuanced understanding of the operational priorities of both IT and OT systems. While IT systems can afford frequent updates to address security vulnerabilities, OT systems must exercise caution. Any downtime in OT could lead to catastrophic operational disruptions with the potential to endanger human lives.

Challenges in securing critical infrastructure

Technological Heterogeneity

The inherent technological heterogeneity in critical infrastructure systems introduces a significant layer of complexity to cybersecurity efforts. These systems frequently encompass a broad spectrum of technologies, each with distinct security vulnerabilities and requirements. On one end, there are Operational Technology (OT) devices, often legacy systems that have been running continuously for decades and consequently lack modern security features. On the other end are state-of-the-art Information Technology (IT) and Internet of Things (IoT) devices, which present their own unique security challenges[12].

In this context, cybersecurity professionals face formidable challenges related to system integration. The melding of diverse technologies inherently expands the attack surface, offering more opportunities for malicious actors to exploit vulnerabilities. This complexity often results in security gaps, as traditional IT security solutions may not be directly transferable to OT environments. Consequently, specialized security protocols, tailored to the unique characteristics of each technology, become a necessity[13].

Lack of Standardization

The lack of uniform cybersecurity standards in critical infrastructures creates a significant hurdle in securing these systems. This inconsistency in security implementation and management across various sectors and technologies is exacerbated by the perception that existing standards are "too complex and hard to navigate." Due to the complexity inherent in ICT systems, industrial safety and security standards are often viewed as overly intricate and challenging to apply[14].

Consequently, organizations may resort to simpler approaches, such as checklists, for security measures as the application of these industrial standards also frequently requires specialized technical skills.

The healthcare sector is notably impacted by the absence of standardized cybersecurity protocols. Research indicates that this lack of standardization, coupled with the interconnected nature of healthcare systems, significantly amplifies cybersecurity vulnerabilities, thereby posing a risk to the consistent and reliable delivery of healthcare services[15].

In the energy sector, the issue of standardization is similarly pressing. While the adoption of the NIST Framework for Improving Critical Infrastructure[16] is prevalent in the United States, a notable lack of standardization exists in European countries. This discrepancy leads to inconsistencies in cybersecurity management policies across different regions[17].

The railways also face these problems, with the adoption of ICT-based technologies, this sector is now more vulnerable to cyber-related threats. To help mitigate these threats, L. Coventry and D. Branley propose a Cybersecurity Capability Maturity Model (C2M2), that can be used to assess and enhance cybersecurity capabilities, diving the subject into different domains, each with different maturity levels and associated practices. Organizations can therefore use this model to identify gaps and improve their cybersecurity posture, aiding in compliance and risk management for the railway sector[18].

It is, however, worth considering the adoption of the IEC 62443 standard, and although this framework is not addressed to a specific sector, it is designed to help secure Industrial Automation and Control Systems (ICS), which can be tailored to specific needs and complexities[19].

?

Human Factors

Human factors are integral to the efficacy of cybersecurity initiatives. Even with technological advancements, the security of critical infrastructure remains susceptible to human errors or lapses in awareness. The increasing body of research on the role of human factors in information security underscores their importance in fortifying cybersecurity measures[20].

A key element in bolstering an organization's cybersecurity is the human aspect. The prevailing theory identifies three core components—human, technical, and organizational—as vital to enhancing cybersecurity measures[21]. This emphasizes the pivotal role that human factors play in shaping an organization's overall cybersecurity stance.

In the realm of critical infrastructure entities, human elements are indispensable for ensuring cybersecurity. The provision of comprehensive cybersecurity training to employees in these organizations is crucial for sustaining a secure operational landscape. This accentuates the vital role that human factors occupy in shaping an organization's collective cybersecurity defenses[22].

Factors such as stress, occupational burnout, and security fatigue are human variables that can adversely affect cybersecurity measures. The ongoing issues related to human performance in cybersecurity can be traced back to insufficient education on these human-centric factors. Addressing and educating on these human elements can significantly enhance the efficacy of cybersecurity initiatives[23].

Resource Constraints

Resource constraints present formidable challenges to the effective deployment of cybersecurity measures, especially in sectors involving critical infrastructure[24]. Financial limitations often restrict organizations from procuring cutting-edge cybersecurity technologies, compounded by the ongoing costs of updates and maintenance. The scarcity of qualified cybersecurity professionals further aggravates these constraints, leaving organizations vulnerable to risks that could otherwise be managed[25].

As stated previously, technological limitations are another facet of resource constraints. Legacy systems, often prevalent in critical infrastructure, may lack compatibility with contemporary security solutions, thereby hindering cybersecurity initiatives[26].

To mitigate these constraints, organizations could explore economical options such as open-source software or cloud-based security solutions[24]. Collaborative endeavors, including inter-organizational information sharing and public-private partnerships, offer avenues for resource optimization and improved cybersecurity outcomes[24].

Investment in intellectual capital, encompassing cybersecurity training and preparedness, can induce positive shifts in cybersecurity investment, especially in post-crisis scenarios[26].

In the context of critical infrastructure, stringent cybersecurity protocols are imperative for safeguarding both sector-specific data and the infrastructure itself[27].

CASE studies

Stuxnet

Stuxnet serves as a pivotal case study in cybersecurity, particularly illuminating vulnerabilities in critical infrastructure. Originating as a computer worm, it targeted SCADA systems with the aim of debilitating Iran's nuclear facilities[28]. The intricacy of the attack exposed gaps in existing cybersecurity frameworks and prompted scrutiny of their sufficiency.

One salient takeaway is the imperative for fortified cybersecurity protocols for SCADA systems. Research presents a fractional-order mathematical model of Stuxnet, facilitating the analysis of its propagation dynamics and attack vectors on isolated critical infrastructures[29]. This underscores the necessity of comprehending the behavior of such malware for devising effective countermeasures.

The Stuxnet incident also revealed the tangible impact of cyber-physical attacks. Discussions focus on the detrimental effects an informed adversary can exert on safety-critical infrastructures[30]. The authors advocate for data integrity monitoring in reactor protection systems, leveraging technologies like blockchain for enhanced security.

Moreover, the Stuxnet case accentuates the role of international collaboration in cybersecurity. Discussions around secure control frameworks for resource-constrained adversaries are pertinent, given Stuxnet's targeted nature[31]. Global cooperation is indispensable for tackling cyber threats with international ramifications.

Additionally, Stuxnet provides a framework for analyzing security threats in cyber-physical systems. Research employs a systems theoretic approach for a detailed analysis of the attack, emphasizing the need for a holistic understanding of vulnerabilities in cyber-physical systems[32].

The feasibility of cyber manipulations affecting physical processes in SCADA networks was also highlighted by Stuxnet. Research discusses smart behavioral filters for SCADA networks, citing Stuxnet as a proof-of-concept[33]. This accentuates the need for advanced detection and prevention mechanisms, such as artificial intelligence.

Stuxnet was a watershed moment, being the first identified malware targeting critical infrastructure, specifically SCADA systems. The need for specialized SCADA forensics architectures for investigating such attacks is discussed[28], emphasizing the importance of specialized investigative tools.

Implications for smart grid security also arise from the Stuxnet case. Research focuses on the cyber-physical security aspects of wide-area monitoring in smart grids[34]. Stuxnet serves as a cautionary tale for the potential physical impacts of sophisticated cyber-attacks on smart grid systems.

Effective modeling and evaluation of cyber-physical system security are also necessitated by the Stuxnet attack. Research proposes methodologies for identifying vulnerabilities and assessing countermeasure effectiveness[35], highlighting the need for proactive security strategies.

Stuxnet also raises alarms about the stability of power grids. Research discusses internet-based load-altering attacks against smart grids, emphasizing the need for robust cybersecurity measures[36].

Lastly, the human element in cyber-attacks is not to be overlooked. Research discusses the social engineering tactics employed by Stuxnet's architects[37], underlining the importance of user education and awareness.

The Stuxnet attack serves as a seminal case study, spotlighting the vulnerabilities in critical infrastructure and questioning the adequacy of extant cybersecurity measures. It underscores the need for robust SCADA system security, the tangible risks of cyber-physical attacks, and the indispensability of international cooperation. It also emphasizes the importance of proactive security measures, advanced technologies, and human factors in cybersecurity.

?

Ukrainian Power Grid

The cyber-attack on Ukraine's power grid in 2015 serves as a critical case study, revealing the fragility of energy infrastructure in the face of sophisticated cyber threats. The incident led to widespread electrical outages and emphasized the sector's vulnerability.

One of the primary insights from this event is the crucial role of real-time surveillance and immediate incident management. The Ukraine incident demonstrates the urgency for vigilant oversight of essential systems to detect and neutralize cyber threats as they emerge[38]. Effective monitoring systems are vital for the early identification and mitigation of cyber risks.

Furthermore, the event underscores the strategic importance of alliances between public institutions and private corporations in enhancing cybersecurity. These synergies can pool resources and expertise from both sectors, thereby improving the overall security posture[39]. Such collaborations are instrumental in facilitating a culture of information sharing, collective threat analysis, and the establishment of cybersecurity best practices[40].

To fortify the vulnerabilities exposed by the Ukraine incident, a multi-layered cybersecurity approach is advisable. This should include the incorporation of secure authentication methods, specialized hardware modules, and unique physical identifiers to deter unauthorized access and cyber-attacks[41]. Additionally, the entry of traditional energy players into emerging markets can foster technological credibility and facilitate the exchange of expertise, thereby strengthening the resilience of essential systems[42].

The 2015 cyber-attack on Ukraine's power grid was a significant event that exposed the vulnerabilities inherent in critical energy infrastructure. It emphasized the need for advanced cybersecurity protocols, vigilant real-time monitoring, and effective incident response mechanisms. The collaboration between public and private sectors is vital for enhancing security measures, and a layered approach to cybersecurity is essential for protecting critical systems from future threats.

Reccommendations and future directions

Implementation of Multi-Layered Security

The rapidly evolving landscape of cyber threats demands a multi-layered, comprehensive approach to security, particularly in critical infrastructure sectors. This is often termed as defense-in-depth. Endpoint security is the first layer, employing antivirus software and intrusion detection systems to protect individual devices from cyber threats[43]. Network security forms the next layer, utilizing firewalls, virtual private networks (VPNs), and network segmentation to safeguard communication channels and infrastructure[44].

Application security focuses on the integrity of software applications, employing secure coding practices, vulnerability assessments, and penetration testing[45]. Data security is another pivotal layer, emphasizing encryption, access controls, and data backup and recovery processes to ensure the confidentiality, integrity, and availability of data[46]. Identity and access management (IAM) is crucial for controlling user access to systems and resources, involving strong authentication, role-based access control, and user provisioning[46].

Physical security is also essential, involving surveillance systems, access controls, and security guards to prevent unauthorized physical access and tampering[47]. Beyond these technical measures, a well-defined incident response plan is indispensable for effectively responding to and mitigating cyber incidents. This plan should outline the steps for incident detection, containment, eradication, and recovery[48].

Collaboration between the public and private sectors is also beneficial for strengthening this multi-layered security approach. Such collaboration can involve information sharing, joint exercises, and coordinated response efforts, leveraging the expertise and resources of both sectors.

In summary, the complex and ever-changing nature of cyber threats necessitates a robust, multi-layered security approach, augmented by public-private partnerships, for the protection of critical infrastructure sectors.

?

Regulatory oversight

Regulatory oversight is pivotal for establishing a foundational level of cybersecurity within critical infrastructure sectors. To this end, regulatory bodies should enforce compliance with recognized cybersecurity standards such as NIST or IEC 62443, providing a structured framework for these sectors to bolster their cybersecurity measures[27].

Periodic audits are essential for ensuring sustained compliance and identifying areas for improvement within critical infrastructure. These audits scrutinize an organization's cybersecurity protocols, ensuring alignment with established standards and preemptively identifying vulnerabilities[49].

To incentivize compliance within critical infrastructure sectors, stringent penalties for non-adherence should be enforced. The severity of these penalties should be commensurate with the level of non-compliance, compelling organizations to prioritize cybersecurity[50].

Inclusive governance, involving non-state actors, can offer additional layers of oversight and critical policy assessment, specifically tailored for critical infrastructure[51]. Board members within these sectors are also pivotal, expected to be proactive in comprehending and managing cybersecurity risks[52].

As cyber threats evolve, continuous reassessment of cybersecurity measures is imperative for critical infrastructure. The role of auditors in these sectors extends to evaluating cybersecurity risks. While empirical data on this subject is limited, auditors can integrate cybersecurity risk disclosures into their assessments and fee structures, reflecting the unique challenges faced by critical infrastructure[53].

Economic theories can offer insights into cybersecurity decision-making within critical infrastructure, addressing market failures and perverse incentives that are particularly relevant to these sectors[54].

Regulatory oversight is, therefore, essential for maintaining a baseline cybersecurity standard in critical infrastructure sectors. This is augmented by periodic audits, stringent penalties, inclusive governance, continuous reassessment, and auditor involvement.

?

Continuous Monitoring and Updating

Continuous monitoring and real-time updates are imperative for fortifying the cybersecurity posture of critical infrastructure, particularly in safeguarding vulnerable Operational Technology (OT) systems[55]. Traditional cybersecurity measures, often reliant on static algorithms, are increasingly inadequate for countering dynamically evolving cyber threats[56]. This necessitates the adoption of dynamic cybersecurity capabilities that can adapt to emerging threats, thereby offering a more robust defense mechanism.

The inability to regularly update OT systems due to operational constraints accentuates the importance of the layers of protection that precede these systems[57]. Metrics for assessing the security posture of industrial control systems, including real-time monitoring and visualization, are thus critical[57].

Moreover, the integration of cyber intelligence into security protocols is essential for proactively identifying and mitigating potential threats. Techniques such as machine learning can further enhance the efficacy of these intelligence systems by clustering malicious URLs, thereby aiding in the early identification of cyber threats[58].

A multi-faceted approach involving continuous monitoring, dynamic capabilities, and cyber intelligence is crucial for safeguarding critical infrastructure. This is particularly relevant for OT systems, which due to their operational constraints, cannot be updated as frequently as their IT counterparts.

Conclusion

The cybersecurity landscape for critical infrastructure is fraught with complexities and challenges, exacerbated by the convergence of Information Technology (IT) and Operational Technology (OT). This paper has elucidated the vulnerabilities inherent in critical infrastructure systems, emphasizing the urgent need for robust cybersecurity measures. The technological heterogeneity, lack of standardization, human factors, and resource constraints present formidable hurdles in securing these essential systems[12][14][20][24].

The case studies of Stuxnet and the Ukrainian Power Grid serve as cautionary tales, highlighting the tangible risks and far-reaching consequences of cyber-attacks on critical infrastructure[28][38]. These incidents underscore the necessity for a multi-layered, defense-in-depth approach to security, involving endpoint, network, application, data, and physical security measures[43][44][45][46][47].

Regulatory oversight is pivotal for establishing a foundational level of cybersecurity within critical infrastructure sectors. Compliance with recognized standards, periodic audits, and stringent penalties for non-compliance are essential components of a comprehensive cybersecurity strategy[27][49][50]. Inclusive governance and board engagement further augment these efforts, providing additional layers of oversight and critical policy assessment[51][52].

The paper also advocates for continuous monitoring and real-time updates, particularly in the context of vulnerable OT systems. Given the operational constraints that limit frequent updates to OT systems, the layers of protection that precede these systems become even more critical[55][57]. The integration of cyber intelligence and dynamic capabilities into security protocols offers a more adaptive and proactive approach to countering evolving cyber threats[56][58].

In summary, safeguarding critical infrastructure necessitates a multi-faceted, dynamic approach that integrates technological, human, and organizational elements. As cyber threats continue to evolve, so must our strategies for defending the essential systems that underpin our society, economy, and state. Future work should focus on the development of adaptive cybersecurity frameworks that can effectively navigate the complexities of the IT-OT landscape, thereby ensuring the resilience and security of our critical infrastructure.

References

?

[1]????????? M. Pavi?, I. Jokanovi?, and M. Svilar, ‘Kriti?na Infrastruktura U Saobra?aju’, Zb. Rad. Gra?ev. Fak., 2021, doi: 10.14415/konferencijagfs2021.38.

[2]????????? R. L. Church, M. P. Scaparra, and R. S. Middleton, ‘Identifying Critical Infrastructure: The Median and Covering Facility Interdiction Problems’, Ann. Assoc. Am. Geogr., 2004, doi: 10.1111/j.1467-8306.2004.00410.x.

[3]????????? H. Alqahtani and M. Kavakli, ‘Design and Evaluation of an Augmented Reality Game for Cybersecurity Awareness (CybAR)’, Information, 2020, doi: 10.3390/info11020121.

[4]????????? H. Aljihani, F. Eassa, K. A. Almarhabi, A. Algarni, and A. Attaallah, ‘Standalone Behaviour-Based Attack Detection Techniques for Distributed Software Systems via Blockchain’, Appl. Sci., 2021, doi: 10.3390/app11125685.

[5]????????? D. F. Norris, L. Mateczun, A. Joshi, and T. Finin, ‘Cybersecurity at the Grassroots: American Local Governments and the Challenges of Internet Security’, J. Homel. Secur. Emerg. Manag., 2018, doi: 10.1515/jhsem-2017-0048.

[6]????????? ‘Viasat cyberattack blamed on Russian wiper malware | TechCrunch’. Accessed: Oct. 22, 2023. [Online]. Available: https://techcrunch.com/2022/03/31/viasat-cyberattack-russian-wiper/?guce_referrer=aHR0cHM6Ly9jeWJlcmNvbmZsaWN0cy5jeWJlcnBlYWNlaW5zdGl0dXRlLm9yZy8&guce_referrer_sig=AQAAAA-76w1U0VWPeQcKthA8Qn9FrbGFn_LJ8Gpo7BTmkqi9hLH5jeR9s07fHSq1qJzCTYEq1y-LySbAVo65P_m7pls-XHMA9IzCiD_UzDIX3ULjIbpPM6cL5Cu0iCDl3ONOYPmCRkAsCcUTo2jw9KbrxrvLud47B7hCu7t0fTGcjjij&guccounter=2

[7]????????? V. D. Savin, ‘Cyber-Security in the New Era of? Integrated Operational – Informational Technology Systems’, Bus. Excell. Manag., 2021, doi: 10.24818/beman/2021.11.1-05.

[8]????????? E. Ferrario, N. Pedroni, and E. Zio, ‘Evaluation of the Robustness of Critical Infrastructures by Hierarchical Graph Representation, Clustering and Monte Carlo Simulation’, Reliab. Eng. Syst. Saf., 2016, doi: 10.1016/j.ress.2016.06.007.

[9]????????? ‘Common ICS Cybersecurity Myth #1: The Air Gap’. Accessed: Oct. 23, 2023. [Online]. Available: https://gca.isa.org/blog/common-ics-cybersecurity-myth-1-the-air-gap

[10]???????? ‘How COVID-19 affects OT Security’, Applied Risk. Accessed: Oct. 28, 2023. [Online]. Available: https://applied-risk.com/resources/covid19-ot-security

[11]???????? G. Murray, M. N. Johnstone, and C. Valli, ‘The convergence of IT and OT in critical infrastructure’, Aust. Inf. Secur. Manag. Conf., 2017, doi: 10.4225/75/5A84F7B595B4E.

[12]???????? T. Limba, T. Pl?ta, K. Agafonov, and M. Damkus, ‘Cyber Security Management Model for Critical Infrastructure’, J. Entrep. Sustain. Issues, 2017, doi: 10.9770/jesi.2017.4.4(12).

[13]???????? M. M. El-Dyasty and A. A. Elamer, ‘The Effect of Auditor Type on Audit Quality in Emerging Markets: Evidence From Egypt’, Int. J. Account. Inf. Manag., 2020, doi: 10.1108/ijaim-04-2020-0060.

[14]???????? Ruth ?stgaard Skotnes, ‘Standardization of cybersecurity for critical infrastructures’, Nov. 2019, doi: https://doi.org/10.4324/9780429290817-10.

[15]???????? L. Coventry and D. B. Branley, ‘Cybersecurity in Healthcare: A Narrative Review of Trends, Threats and Ways Forward’, Maturitas, 2018, doi: 10.1016/j.maturitas.2018.04.008.

[16]???????? M. P. Barrett, ‘Framework for Improving Critical Infrastructure Cybersecurity Version 1.1’, NIST, Apr. 2018, Accessed: Oct. 28, 2023. [Online]. Available: https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11

[17]???????? M. Tvaronavi?ien?, T. Pl?ta, S. D. Casa, and J. Latvys, ‘Cyber Security Management of Critical Energy Infrastructure in National Cybersecurity Strategies: Cases of USA, UK, France, Estonia and Lithuania’, Insights Reg. Dev., 2020, doi: 10.9770/ird.2020.2.4(6).

[18]???????? R. Kour, R. Karim, and A. Thaduri, ‘Cybersecurity for Railways – A Maturity Model’, Proc. Inst. Mech. Eng. Part F J. Rail Rapid Transit, 2019, doi: 10.1177/0954409719881849.

[19]???????? I. Mugarza, J. L. M. Flores, and J. L. Montero, ‘Security Issues and Software Updates Management in the Industrial Internet of Things (IIoT) Era’, Sensors, 2020, doi: 10.3390/s20247160.

[20]???????? L. Hadlington, ‘Human Factors in Cybersecurity; Examining the Link Between Internet Addiction, Impulsivity, Attitudes Towards Cybersecurity, and Risky Cybersecurity Behaviours’, Heliyon, 2017, doi: 10.1016/j.heliyon.2017.e00346.

[21]???????? M. Al-Ma’aitah, ‘Investigating the Drivers of Cybersecurity Enhancement in Public Organizations: The Case of Jordan’, Electron. J. Inf. Syst. Dev. Ctries., 2022, doi: 10.1002/isd2.12223.

[22]???????? N. Chowdhury, E. Nystad, K. Reeg?rd, and V. Gkioulos, ‘Cybersecurity Training in Norwegian Critical Infrastructure Companies’, Int. J. Saf. Secur. Eng., 2022, doi: 10.18280/ijsse.120304.

[23]???????? C. Nobles, ‘Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem’, Holistica – J. Bus. Public Adm., 2022, doi: 10.2478/hjbpa-2022-0003.

[24]???????? L. A. Gordon, M. P. Loeb, W. Lucyshyn, and L. Zhou, ‘The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective’, J. Account. Public Policy, 2015, doi: 10.1016/j.jaccpubpol.2015.05.001.

[25]???????? M. Sallos, A. Garcia-Perez, D. Bedford, and B. Orlando, ‘Strategy and Organisational Cybersecurity: A Knowledge-Problem Perspective’, J. Intellect. Cap., 2019, doi: 10.1108/jic-03-2019-0041.

[26]???????? A. Garcia-Perez, M. Sallos, and P. Tiwasing, ‘Dimensions of Cybersecurity Performance and Crisis Response in Critical Infrastructure Organisations: An Intellectual Capital Perspective’, J. Intellect. Cap., 2021, doi: 10.1108/jic-06-2021-0166.

[27]???????? K. K. Millett, E. d. Santos, and P. Millett, ‘Cyber-Biosecurity Risk Perceptions in the Biotech Sector’, Front. Bioeng. Biotechnol., 2019, doi: 10.3389/fbioe.2019.00136.

[28]???????? T. Wu, J. F. P. Disso, K. Jones, and A. I. Campos, ‘Towards a SCADA Forensics Architecture’, 2013, doi: 10.14236/ewic/icscsr2013.2.

[29]???????? Z. Masood, M. A. Z. Raja, N. I. Chaudhary, K. M. Cheema, and A. H. Milyani, ‘Fractional Dynamics of Stuxnet Virus Propagation in Industrial Control Systems’, Mathematics, 2021, doi: 10.3390/math9172160.

[30]???????? M. K. Choi, C. Y. Yeun, and P. H. Seong, ‘A Novel Monitoring System for the Data Integrity of Reactor Protection System Using Blockchain Technology’, Ieee Access, 2020, doi: 10.1109/access.2020.3005134.

[31]???????? A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, ‘A Secure Control Framework for Resource-Limited Adversaries’, Automatica, 2015, doi: 10.1016/j.automatica.2014.10.067.

[32]???????? A. Nourian and S. E. Madnick, ‘A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet’, Ieee Trans. Dependable Secure Comput., 2018, doi: 10.1109/tdsc.2015.2509994.

[33]???????? G. Corbò, C. Foglietta, C. Palazzo, and S. Panzieri, ‘Smart Behavioural Filter for SCADA Network’, 2017, doi: 10.1007/978-3-319-52569-3_9.

[34]???????? A. Ashok, A. Hahn, and G. Manimaran, ‘Cyber-Physical Security of Wide-Area Monitoring, Protection and Control in a Smart Grid Environment’, J. Adv. Res., 2014, doi: 10.1016/j.jare.2013.12.005.

[35]???????? H. Orojloo and M. A. Azgomi, ‘A Method for Modeling and Evaluation of the Security of Cyber-Physical Systems’, 2014, doi: 10.1109/iscisc.2014.6994036.

[36]???????? A.-H. Mohsenian-Rad and A. Leon-Garcia, ‘Distributed Internet-Based Load Altering Attacks Against Smart Power Grids’, Ieee Trans. Smart Grid, 2011, doi: 10.1109/tsg.2011.2160297.

[37]???????? V. Mancuso, A. J. Strang, G. J. Funke, and V. Finomore, ‘Human Factors of Cyber Attacks’, Proc. Hum. Factors Ergon. Soc. Annu. Meet., 2014, doi: 10.1177/1541931214581091.

[38]???????? S. Atkins and C. Lawson, ‘An Improvised Patchwork: Success and Failure in Cybersecurity Policy for Critical Infrastructure’, Public Adm. Rev., 2021, doi: 10.1111/puar.13322.

[39]???????? M. Carr, ‘Public-Private Partnerships in National Cyber-Security Strategies’, Int. Aff., 2016, doi: 10.1111/1468-2346.12504.

[40]???????? T. Bovaird, ‘Public–Private Partnerships: From Contested Concepts to Prevalent Practice’, Int. Rev. Adm. Sci., 2004, doi: 10.1177/0020852304044250.

[41]???????? H. Thapliyal and S. P. Mohanty, ‘Physical Unclonable Function (PUF)-Based Sustainable Cybersecurity’, Ieee Consum. Electron. Mag., 2021, doi: 10.1109/mce.2021.3065857.

[42]???????? M. Steen and T. J. Weaver, ‘Incumbents’ Diversification and Cross-Sectorial Energy Industry Dynamics’, Res. Policy, 2017, doi: 10.1016/j.respol.2017.04.001.

[43]???????? A. J. Choudhury, P. Kumar, M. Sain, H. Lim, and H. Jae-Lee, ‘A Strong User Authentication Framework for Cloud Computing’, 2011, doi: 10.1109/apscc.2011.14.

[44]???????? P. ?ebrowski, A. C. Vieira, and A. Mancuso, ‘A Bayesian Framework for the Analysis and Optimal Mitigation of Cyber Threats to Cyber‐Physical Systems’, Risk Anal., 2022, doi: 10.1111/risa.13900.

[45]???????? S. Li, T. Tryfonas, and H. Li, ‘The Internet of Things: A Security Point of View’, Internet Res., 2016, doi: 10.1108/intr-07-2014-0173.

[46]???????? D. P?hn and W. Hommel, ‘Computer Security’, 2020, doi: 10.1007/978-3-030-66504-3.

[47]???????? E. Viganò, M. Loi, and E. Yaghmaei, ‘Cybersecurity of Critical Infrastructure’, 2020, doi: 10.1007/978-3-030-29053-5_8.

[48]???????? R. Shandler, M. L. Gross, S. Backhaus, and D. Canetti, ‘Cyber Terrorism and Public Support for Retaliation – A Multi-Country Survey Experiment’, Br. J. Polit. Sci., 2021, doi: 10.1017/s0007123420000812.

[49]???????? R. Messnarz, D. Ekert, G. Macher, A. Much, T. Zehetner, and L. Aschbacher, ‘Experiences With the Automotive SPICE for Cybersecurity Assessment Model and Tools’, J. Softw. Evol. Process, 2022, doi: 10.1002/smr.2519.

[50]???????? J. D’Arcy, A. Hovav, and D. F. Galletta, ‘User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach’, Inf. Syst. Res., 2009, doi: 10.1287/isre.1070.0160.

[51]???????? S. Kumar, ‘The Missing Piece in Human-Centric Approaches to Cybernorms Implementation: The Role of Civil Society’, J. Cyber Policy, 2021, doi: 10.1080/23738871.2021.1909090.

[52]???????? T. G. Calderon and L. Gao, ‘Cybersecurity Risks Disclosure and Implied Audit Risks: Evidence From Audit Fees’, Int. J. Audit., 2020, doi: 10.1111/ijau.12209.

[53]???????? P. Rosati, F. Gogolin, and T. Lynn, ‘Audit Firm Assessments of Cyber-Security Risk: Evidence From Audit Fees and SEC Comment Letters’, Int. J. Account., 2019, doi: 10.1142/s1094406019500136.

[54]???????? A. Fedele and C. Roner, ‘Dangerous Games: A Literature Review on Cybersecurity Investments’, J. Econ. Surv., 2021, doi: 10.1111/joes.12456.

[55]???????? X. Wang, Y. Han, C. Wang, Q. Zhao, C. Xu, and M. Chen, ‘In-Edge AI: Intelligentizing Mobile Edge Computing, Caching and Communication by Federated Learning’, Ieee Netw., 2019, doi: 10.1109/mnet.2019.1800286.

[56]???????? D. Bhamare, M. Zolanvari, A. Erbad, R. Jain, K. M. Khan, and N. Meskin, ‘Cybersecurity for Industrial Control Systems: A Survey’, Comput. Secur., 2020, doi: 10.1016/j.cose.2019.101677.

[57]???????? H. Kim, ‘Security and Vulnerability of SCADA Systems Over IP-Based Wireless Sensor Networks’, Int. J. Distrib. Sens. Netw., 2012, doi: 10.1155/2012/268478.

[58]???????? A. Yeboah-Ofori and S. Islam, ‘Cyber Security Threat Modeling for Supply Chain Organizational Environments’, Future Internet, 2019, doi: 10.3390/fi11030063.

?

?

?

?

?

?

?