Cyber-physical systems (CPS) sit at the intersection of digital technology and engineering domains, making them high-value targets for sophisticated and well-funded cybersecurity threat actors. Prominent cyberattacks on CPS have drawn attention to the vulnerability of these systems and to the soft underbelly of critical infrastructure that relies on them. Security modelling for CPS is an important mechanism for systematically identifying and assessing vulnerabilities, threats, and risks throughout the system lifecycle, and ultimately for ensuring system resilience, safety, and reliability. This literature review examines state-of-the-art research in CPS security modelling, encompassing both threat modelling and attack modelling. Although these terms are sometimes used interchangeably, they are distinct concepts; this article elaborates on the differences between them and examines their implications for CPS security. A systematic search yielded 428 articles, from which 15 were selected and categorised into three clusters: threat modelling methods, attack modelling methods, and literature reviews. Specifically, we sought to examine which security modelling methods exist today and how they address real-world cybersecurity threats and CPS-specific attacker capabilities across the lifecycle of CPS, which typically spans a longer duration than that of traditional IT systems. This article also highlights several limitations of existing research, in which security models adopt simplistic approaches that do not adequately account for the dynamic, multi-layer, multi-path, and multi-agent characteristics of real-world cyber-physical attacks.