Cyber-Security of Industrial Internet of Things in Electric Power Systems

Electric Power Systems (EPSs) are among the most critical infrastructures of any society, since they significantly impact other infrastructures. Recently, there has been a trend toward implementing modern technologies, such as Industrial Internet of Things (IIoT), in EPSs to enhance their real-time monitoring, control, situational awareness, and intelligence. This movement, however, has exposed EPSs to various cyber intrusions that originate from the IIoT ecosystem. Statistics show that 38% of reported attacks have been against power and water infrastructure, and so far at least 91% of power utilities have experienced a cyber-attack. The cyber-security problem is even more severe for IIoT applications in EPSs due to the vulnerabilities and resource limitations of such applications. Thus, based on the above statistics, it is necessary to investigate the vulnerabilities of IIoT-based applications in EPSs, identify probable attacks and their consequences, and develop intrusion prevention and detection approaches to secure IIoT systems. On this basis, this paper first elaborates on the applications of IIoT-based systems in EPSs, and evaluates their security challenges. Afterwards, it comprehensively reviews various cyber-attacks against IIoT-assisted EPSs, with a particular focus on attack entry points and adversarial methods. Finally, efforts to prevent cyber-intrusions against IIoT systems in EPSs are explained, and different attack detection techniques are discussed.

The most important differences between conventional and IoT-based networks, in terms of their security, are as follows:

• The first and foremost distinction between traditional and IoT networks is related to the resourcefulness of end devices [4]. IoT networks often include embedded devices, such as Radio-Frequency Identification (RFID) and sensor nodes, with resource constraints. They are often equipped with little memory, low computational power, little disc space, and minimal power consumption. Thus, IoT systems require lightweight safeguards to balance security with available resources [5]. However, the conventional networks consist of a variety of computers, servers, and devices. Thus, sophisticated and multi-factor security methods may support conventional networks without considering any resource limitations.

• Objectives: IoT is usually deployed to improve productivity, health, and safety. IIoT, however, is usually less user-centric and concentrates more on increasing security and efficiency. Thus, in contrast to IoT, IIoT is an industrial process that is not utilized by general consumers in their individual lives [11].

• End devices: IoT and IIoT systems usually use different devices as they both have different focuses and objectives. IIoT devices are built to provide their users with data on equipment, and these devices are integrated with the existing equipment, instead of working alone. In contrast, IoT devices, such as smartphones, smartwatches, and smart thermostats, are often employed in daily life, and can be used independently [12].

• Risk of failure: The risk of failure in IoT devices is relatively low as these devices are only applied on a small scale. Typically, IoT devices are not utilized for restorative practices that pose a threat when they fail. In contrast, failure of IIoT devices is more hazardous, since IIoT is linked to an industrial system [13].

• Development needs: IoT manufacturers aim to develop technologies to suit the user's daily life. Hence, IoT development concentrates more on improving the comfort of its users. In contrast, IIoT development usually emphasizes creating new devices that efficiently improve the operation of its consumers [14].

• Compatibility with legacy systems: IoT devices don't have to be compatible with legacy systems. These devices are not designed with backward compatibility as they often work independently. In contrast, IIoT devices should be compatible with the legacy systems and equipment in manufacturing plants, since most IIoT devices assist the legacy systems in offering digital information and receiving IT system commands [14].

EPSs can bring about potential economic, social, and environmental benefits. Cyber-security, however, is a growing challenge for EPSs, since it directly impacts their reliability and overall cost. Statistics reveal that, so far, (i) 91% of power generating companies have been the victims of cyber-attacks; (ii) cyber-attacks against electricity and water suppliers account for 38% of all identified threats; and (iii) 61% of oil and gas suppliers, which provide power generation companies with their required fuel, are not able to detect sophisticated cyber-attacks [20]. As these statistics demonstrate, EPSs are highly vulnerable to cyber-attacks, and are attractive targets for adversaries. On the other hand, integration of IIoT in EPSs can intensify this problem due to the inherent vulnerabilities and resource limitations of IIoT systems. Therefore, it is crucial to investigate the cyber-security challenges of IIoT-based applications in EPSs, and take necessary measures to secure such systems.

The remainder of this paper is organized as follows: Section II elaborates on integration and applications of IIoT systems in EPSs; Section III explains major IIoT architectures for EPSs; cyber-security challenges and requirements of IIoT-based applications in EPSs are discussed in Section IV; Section V reviews cyber-attacks against different layers of IIoT systems in EPSs; security enhancement measures for IIoT-aided applications are described in Section VI; and the paper is concluded in Section VII.

IIoT networks in EPSs use smart devices to collect data from the grid through a cyber layer. This data is then used to operate the grid more efficiently, and to serve the customers better. Thus, connectivity and interoperability are two important features of IIoT networks, which lead to higher standard procedures and services. The following subsections elaborate on major applications of IIoT systems in EPSs, which are also shown in Fig. 1.

IIoT systems, which are a combination of cloud-based analytics, IT, and Operational Technology (OT) technologies, can be implemented for different applications in the power generation process to improve the operator's situational awareness using the real-time data coming from power plants. This enhanced situational awareness can improve the operation of power plants, facilitate integration of renewable energy, and enhance the timely/predictive maintenance of generating units. Some of the applications of IIoT systems in electric power generation are as follows.

The first application of IIoT systems is to optimize the fuel mix of different types of generating units. This task is of high importance, since there is a wide range of generating units in a power network, which are becoming increasingly diversified [21]. Thus, integration of IIoT systems in EPSs can distribute investment costs and other activities [18]. Additionally, small-scale energy resources are not taken into account for market participation in the national or regional levels. Furthermore, conventional markets are unable to cope with renewable energy resources in real-time due to their stochastic nature [26]. Thus, a new IIoT-based information-driven infrastructure is needed to boost the productivity of power markets by considering new components, such as local energy generation units [27].

It is imperative to increase the penetration level of renewable energy resources in future EPSs. These sources of energy, however, are intermittent in nature, and are highly dependent on environmental factors; for instance, the speed and direction of the wind affect the generation of wind power plants, and solar irradiation impacts the output power of photovoltaic cells. To improve the efficiency of such resources and the reliability of the entire grid, IIoT systems can be used to ensure a constant supply of safe, economical, and reliable energy

IIoT-based systems in smart grids is controlling and monitoring of battery-powered devices, thus distributing the energy more efficiently [36]. Additionally, IIoT-enabled loads, storage devices, and renewable generating units have enabled customers to generate a part or the entirety of their required energy locally, and even to trade the surplus energy with the network. In this context, intelligent loads share their data, such as their demand, power consumption, and the time of use, to optimize their power consumption and cost. Energy storage devices, such as batteries and electric vehicles, are also used to deal with uncertainties and the intermittent nature of generating units, as well as to participate in demand response programs [22]. Moreover, in an IIoT-enabled smart grid, all assets connected to the grid can interact with each other to ensure that the distribution of energy is perfectly managed whenever and wherever it is required. In such a smart grid, the operator is notified before any acute problem occurs, thus an appropriate corrective or preventive action can be taken in advance. For example, demand exceeding the grid's capacity can be detected by real-time monitoring of loads and generating units. Thus, the energy consumption of flexible loads can be rescheduled to a time when demand is expected to be lower. Additionally, dynamic pricing models can be used to decrease the consumption or increase the generation during peak hours [37].

In general, electric energy consumption can be divided into four categories: residential, commercial, industrial, and transportation. The following discusses how IoT/IIoT can be used to manage the energy consumption in residential and industrial loads.

Residential loads include, but are not limited to, lighting, appliances, and water heaters, as well as Heating, Ventilation, and Air Conditioning (HVAC) systems. IoT systems can be used to manage energy consumption of the appliances and lighting systems. For instance, IoT/IIoT systems can notify customers when their energy consumption exceeds the standard level. Additionally, IoT/IIoT-based home energy management systems can monitor the energy usage to schedule and run some flexible loads, e.g. some appliances, during low-demand hours. This contributes significantly to the efficient use of electrical energy and reducing greenhouse gas emissions [36]. Moreover, given that HVAC energy consumption accounts for half of the total energy consumption in most buildings, IoT/IIoT-based HVAC management systems are critical for managing electric energy and its cost in buildings. For instance, such systems can determine unoccupied spaces in buildings, and manage the operation of the HVAC system in these spaces.

Industrial loads can also be managed by using IIoT-based systems. For instance, by monitoring each component and its consumption, the components that consume more energy than expected can be detected. Additionally, quality control can be performed by using an agile and flexible IIoT system that recognizes failures in real-time. These IIoT systems lead to a better management of components, detecting and fixing faults,

The network layer embraces the communication system, which is assisted by numerous telecommunication networks as well as the Internet, to transfer the information acquired by IIoT devices at the perception layer to the application layer via the telecommunication networks. The core network, which can be the Internet, oversees the routing, information transmission, and control functions. The IIoT management and information centers are also in this layer [41].

The application layer is a combination of IIoT technologies and industrial practices/expertise to enable a wide range of IIoT-assisted EPS applications. This layer is responsible for processing information that is received from the network layer and using it for real-time monitoring, controlling, and debugging of IIoT devices. Information sharing and security are two important services in the application layer [41].

A four-layer architecture for IIoT-aided applications in EPSs consists of terminal, field network, communication, and master station system layers, as shown in Fig. 2-(b). The terminal and field network layers in this architecture form the perception layer of the three-layer IIoT structure; the remote communication layer corresponds to the network layer; and the master station system layer is equivalent to the application layer. This architecture is the most common one for EPSs, which can be used for various applications, such as (i) power plant operation (e.g., for monitoring of pollutant and gas discharge, and controlling generation equipment), (ii) state monitoring for transmission lines (e.g., ambient condition, ice covering, temperature, sag), (iii) substation equipment operation and control (e.g., state monitoring of substation equipment and environment safety), (iv) power distribution automation, and (v) consumption management (e.g., in advanced metering infrastructure and smart homes) [42].

A five-layer architecture (Fig. 2-(c)), which consists of user, energy management, market, communication, and regulatory layers, is proposed in [43] for Transactive Energy Systems (TESs). The user layer consists of applications that benefit from the IIoT structure. The energy management layer optimizes the system operation to control congestions, improve the reliability, reduce system failures, and minimize fre

larly, the communication and market layers correspond to the network and perception layers of the three-layer architecture, respectively.

The purpose of cyber-security is to protect IIoT assets and privacy, and to reduce security risks that emanate from the cyber layer. New cyber-security technologies are constantly emerging to make systems more secure. However, developing

The term device security refers to preventing a device (e.g.,

whereas software availability is the ability to provide service anywhere and anytime [44]. To secure an IIoT system and prevent unwanted malicious actions, a main step is to ensure that all devices are secure and trustworthy [45]. Trust man-

and prediction-based ones [46]. Policy-based mechanisms use a set of policies to identify trust. In certificate-based approaches, trust is determined by using public or private keys and digital signatures. Recommendation-based systems utilize prior information to define trust. However, if there is no prior information, prediction-based methods can be used [46].

Data security means protecting the confidentiality, integrity, and/or availability of IIoT data. This type of security is applicable to all devices, no matter if they send, receive or store data. IIoT devices in EPSs monitor the physical environments and transmit the collected data through the network. However, this transmitted data is exposed to different security threats like eavesdropping and altering. To secure data in the context of IIoT, the confidentiality and integrity of the data must be preserved [45]. Data confidentiality is the process of hiding private information from unauthorized objects. Standard encryption mechanisms cannot be implemented directly for improving the confidentiality of data in IIoT systems, since some IIoT devices have limited resources [47]. Data integrity ensures that the received data has not been altered or modified during transmission. Integrity involves maintaining the consistency, accuracy, and trustworthiness of data. Several cryptographic hash algorithms (e.g. MD5 [48] and SHA-1 [49]) are used to ensure data integrity. However, most of these mechanisms cannot be implemented in IIoT systems, since IIoT devices are inherently resource-constrained [50]. Availability means that the data remains available to authorized users at all times. If an attacker compromises the availability of data, the users are prevented from accessing crucial information, or the system is brought to a halt. The most important intrusion that can target the availability of data is a DoS attack.

Connectivity is a critical component of any IIoT network. To address this need, several different protocols (e.g., Bluetooth, WiFi, Zigbee, Z-Wave) may be utilized within a single IIoT system to account for environmental limitations and increase the reliability of IIoT communications. Choosing the right communication protocol and medium depends on (i) the configuration of the physical system, e.g., a high distance between devices obliges using long-range communication protocols; (ii) IIoT tasks, e.g., real-time applications require higher connectivity capabilities; and (iii) computing resources of devices, e.g., power-constrained devices may require low-power communication protocols such as Bluetooth Low Energy (BLE), ZigBee and LTE-M. In order to address the communication needs of IIoT systems in EPSs, standardization groups such as the IEEE and the Internet Engineering Task Force (IETF) have developed IoT/IIoT-specific communication protocols, such as IEEE 802.15.4e, 6LoWPAN, and LoRa [51], [52]. On the other hand, to establish a secure communication between IIoT devices, an authentication process is required to authorize only the legitimate devices to access the systems or their information. Access control is a security feature that verifies

is the process of validating a user's identity using login

systems, as well as through the physical layer. An attacker with access to the input/output ports of an IIoT object can change the parameters of devices and cause unwanted operations. Moreover, using these ports, cyber-attacks can take the control of devices, manipulate their firmware, and inject codes that cause them to act maliciously or even to be destroyed [61]. The change of firmware might also include a downgrade to previous versions, where known vulnerabilities exist. In such a condition, an adversary can benefit from the known vulnerabilities and take the control of devices. Attackers can also learn the specification and sensitive information of an IIoT system using unattended devices. For instance, attackers can remove the storage of a device to extract its data and also learn about the connections of devices in the network to plan for the next stages of an attack, or gather information about other devices that communicate with the targeted device.

Compromising the integrity of data by deliberate injection of false information is categorized as an FDIA. Generally speaking, in an FDIA, the data that is gathered by IIoT devices is manipulated to portray a fake condition in the underlying system or hide an event. In this attack, an adversary can also take advantage of the limited error rate tolerance of the system, and gradually raise the effect of false data such that the attack remains unnoticed. FDIAs in cyber-controlled networks have a significant effect on the system's performance, and can result in a system failure [67]. In FDIAs, even a small portion of false data can disrupt the entire IIoT system. Thus, adversaries can optimize their attacks to reach the intended goal with the minimum adversarial efforts, so keeping the attack stealthy [66]. In the physical layer, this type of attack can be launched by manipulating sensors physically.

In this type of attack, secret information is collected from communication nodes and devices. Corrupted devices in an IIoT system, including compromised nodes, may leak the systems' traffic and expose confidential information [68]. Additionally, network eavesdropping, which is often referred to as network snooping or sniffing, occurs when attackers exploit insecure or vulnerable networks to access the data transmitted between two devices. This attack is among the most common ones in wireless communication.

Similar to poor/malicious updates for the perception layer, malign updates to applications and servers may trigger security problems, such as data leakage, data loss, and unwanted control. It is worth mentioning that this attack can also target the physical layer when the adversary physically inserts some malicious codes into an IIoT device. This can happen, for instance, by attaching a malicious gadget to the target node and, on occasion, rewriting the target's operating system.

Structured Query Language (SQL) injection is a type of code injection attack to acquire administrator access to databases by exploiting vulnerabilities in the victim's network infrastructure.

Cloud services have inherent security problems, which are manifest in IIoT systems as well [66]. Since IIoT devices rely on service providers to keep their data safe, the most difficult task in establishing cloud-based services is to secure data. Confidentiality, integrity, authorization, data availability, and privacy are among the features that a cloud service should maintain. Data breaches, data loss, integrity violations, and unauthorized access are all possible consequences of a cloud's improper data handling. If an attack occurs while transmitting data over the cloud network, it can be considered as an attack on the network layer; however, an attack is against the application layer if this layer is compromised to target the cloud.
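The FDIA discussion above notes that an adversary can stay under a system's per-sample error tolerance by raising the injected bias gradually. The following added example (not from the paper) shows why a detector that integrates small residuals over time, here a one-sided CUSUM on the residual between a measurement and a physical model prediction, catches such a ramp while a plain per-sample tolerance check never fires. The plant model (a steady flow of 100.0 units), the thresholds, and the measurement stream are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class CusumDetector:
    """One-sided CUSUM over the residual between measurement and model prediction."""
    drift: float       # allowance subtracted per step (about half the shift to catch)
    threshold: float   # alarm once the accumulated statistic exceeds this
    stat: float = 0.0

    def update(self, residual: float) -> bool:
        self.stat = max(0.0, self.stat + residual - self.drift)
        return self.stat > self.threshold


def expected_flow(t: int) -> float:
    """Assumed plant model: steady coolant flow of 100.0 units (constructed)."""
    return 100.0


def analyse(measurements, per_sample_tol=2.0, drift=0.25, threshold=8.0):
    """Return (first sample flagged by the per-sample tolerance check,
    first sample flagged by CUSUM); None means that detector never fired."""
    cusum = CusumDetector(drift=drift, threshold=threshold)
    first_tol = first_cusum = None
    for t, z in enumerate(measurements):
        r = z - expected_flow(t)                   # model residual
        if first_tol is None and abs(r) > per_sample_tol:
            first_tol = t
        if cusum.update(r) and first_cusum is None:
            first_cusum = t
    return first_tol, first_cusum


def constructed_stream(n=60, ramp_start=20, step=0.1, cap=1.5):
    """Constructed measurements: true flow plus a deterministic +/-0.3 jitter, then
    an injected bias growing by `step` per sample from ramp_start and capped at
    `cap`, so every single residual stays inside the 2.0 tolerance."""
    out = []
    for t in range(n):
        jitter = 0.3 if t % 2 == 0 else -0.3
        bias = min(cap, step * (t - ramp_start)) if t >= ramp_start else 0.0
        out.append(expected_flow(t) + jitter + bias)
    return out


if __name__ == "__main__":
    tol_idx, cusum_idx = analyse(constructed_stream())
    print("per-sample tolerance check alarm:", tol_idx)
    print("CUSUM alarm at sample:", cusum_idx)
```

The drift parameter trades detection delay against false alarms on ordinary noise; the +/-0.3 jitter alone never accumulates past the threshold.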

To control an IIoT service, many applications use login pages that can be targeted with brute-force attacks in order to find out the user names listed on an application or a device. These attacks will lead to either username enumeration or user lockout due to failed trials [60], [74]. Username leakage can damage the privacy of users and help to initiate other attacks. The same attack can occur against cloud services as well. The authentication process and procedures used for cloud-based services are often extremely susceptible and frequently attacked. Numerous cloud services continue to rely on single-factor authentication and straightforward username and password specifications. Thus, attackers can utilize this vulnerability to their advantage while attempting to interrupt services or steal information from a company that utilizes cloud computing services.
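The two outcomes named above, username enumeration and lockout through failed trials, both come from how the login handler is written. The following added example (not from the paper) places a naive handler that reveals whether an account exists beside a hardened one that returns a single generic failure message, does the same amount of password work for unknown names, and throttles by source address instead of locking the account. The user store, addresses and PBKDF2 parameters are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # assumption; tune to the device's CPU budget


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed user store. DUMMY is used for unknown names so that the
# password check costs the same time whether or not the account exists.
USERS = {"operator": make_record("correct horse battery staple")}
DUMMY = make_record(secrets.token_hex(16))


def naive_login(username: str, password: str) -> str:
    """Leaks account existence through distinct messages and an early return."""
    rec = USERS.get(username)
    if rec is None:
        return "unknown user"                    # enumeration oracle
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return "ok" if hmac.compare_digest(digest, rec["hash"]) else "wrong password"


class HardenedLogin:
    """Generic failure message, constant work per attempt, per-source throttling."""

    def __init__(self, max_attempts: int = 5, window_s: float = 60.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.attempts: dict[str, list[float]] = {}   # source -> failure timestamps

    def _throttled(self, source: str, now: float) -> bool:
        recent = [t for t in self.attempts.get(source, []) if now - t < self.window_s]
        self.attempts[source] = recent
        return len(recent) >= self.max_attempts

    def login(self, username: str, password: str, source: str,
              now: float | None = None) -> str:
        now = time.monotonic() if now is None else now
        if self._throttled(source, now):
            return "too many attempts, retry later"  # source is slowed; account not locked
        rec = USERS.get(username, DUMMY)             # same code path for unknown names
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        ok = hmac.compare_digest(digest, rec["hash"]) and username in USERS
        if not ok:
            self.attempts.setdefault(source, []).append(now)
            return "invalid credentials"             # same text for both failure causes
        return "ok"
```

Per-source throttling is a trade-off: a distributed attacker spreads attempts across addresses, so it is normally paired with a second factor rather than relied on alone.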

Viruses and worms can be injected into IIoT applications using, for instance, backdoor methods, which essentially bypass the main authorization system, embedded for developers or maintenance intentions. Primarily, default passwords and out-of-date interfaces lead to backdoor exposures [75]. In contrast to computer viruses, which need a host in order to thrive, computer worms are able to thrive on their own and propagate more quickly. A virus can replicate itself and spread from one IIoT device to another. It infects each system by embedding itself in a variety of applications and running the code when a user starts utilizing the infected software. With the aid of this malicious application, the adversary may steal information, create botnets, and harm the host machine. A worm, however, spreads over a network by looking for a vulnerable operating system. It operates on the system to cause damage to their host networks by, for instance, over-

insufficient access control are important vulnerabilities of the network layer which can be exploited by attackers for malicious purposes. Moreover, networking protocols that perform packet routing and transmission at this layer are also breeding grounds for security problems. Therefore, these vulnerabilities attract attackers to the network layer. Major attacks against this layer are summarized as follows.

As described in previous sections, the compromised nodes or devices can send large unwanted data traffic, so that the gateways or routers become unreachable and critical services become disabled [82]. Due to the wide deployment of networking protocols, DoS and DDoS attacks are very common on the IIoT network layer. Another reason for the abundance of DoS and DDoS attacks against this layer is that IIoT systems may use the networking protocols and media, for communication and data sharing, that are already used in other networks, so the same vulnerabilities threaten IIoT ecosystems as well.

Spoofing occurs when an attacker succeeds in pretending to be a legitimate source and gains control over a data stream, such as GPS and Network Time Protocol (NTP) [64]. This attack is carried out by disguising the attacker's identity and pretending to be a trusted source instead. This type of attack often leads to data leakage, and can be leveraged to design more sophisticated attacks.

An attacker can insert malicious packets into the network such that they appear authentic and are hard to detect. Additionally, using an FDIA in the network layer, an attacker can manipulate existing packets by changing their header and data. In more sophisticated FDIAs, an attacker can replace the packets previously recorded during an event with the actual ones, so faking the event when it is not actually happening [57], [58]. It should be mentioned that since IIoT networks do not often enjoy sophisticated authentication protocols, FDIAs in these networks are easier to perform.

This type of threat is the most destructive routing attack in an IIoT paradigm, in which messages/communications in a

its neighboring nodes that an update is available. The nodes that received the advertisement would then proceed to check whether they have the new version or not; if not, they would broadcast a request to receive the updates from the server. The nodes need to authenticate that the received update packets are from a legitimate source [57].

Manufacturers of the majority of IIoT devices do not often supply security fixes for customers, or even the customers do not put in enough effort to install the security updates. As a result, a huge number of IIoT devices have been deployed with known vulnerabilities [90]. Patching all devices in a timely manner is essential for securing the IIoT system, since it removes vulnerabilities and therefore reduces the risk of attacks against industrial processes [91]. Thus, internal mechanisms for patching vulnerabilities, without waiting for the next scheduled maintenance time, must be reinforced in many firms [92]. Manufacturers must also provide security fixes for all their devices on a regular basis throughout the prolonged lifespan of such devices. Automated patch installation may make this procedure easier for a large number of IIoT devices. Patching industrial systems, on the other hand, usually involves a thorough testing step prior to installation to ensure that the patch is compatible with the present configuration. To enhance safety and limit the possibility of process downtime, the National Institute of Standards and Technology (NIST) advises regression testing as a part of a systematic patch management approach [93]. Additionally, the Internet Engineering Task Force (IETF) on software updates for IoT offers an automatic firmware upgrade method for resource-constrained devices in the context of the IoT and IIoT [94], [95]. This approach ensures a consistent description of the relevant entities, security threats, and assumptions for each update, as well as secure end-to-end transfer of new firmware to devices.

There are also methods for actively detecting security prob-1118 lems and vulnerabilities in IIoT installations, such as eval-1119 uating IIoT devices during their idle moments or assessing 1120 vulnerabilities using an IIoT network graph [96], [97]. Idle 1121 intervals have little effect on industrial operations, making 1122 them especially helpful for safety-and mission-critical activ-1123 ities [96]. These methods form the first step in identifying 1124 existing security defects and their consequences for the sys-1125 tems, as well as taking appropriate actions, such as isolating 1126 susceptible devices.  The first group of studies concentrates on resource-1193 constrained devices and suggests techniques to mini-1194 mize latency and hence allow lightweight authentication 1195 and encryption in industrial communication settings. For 1196 instance, to allow authentication of resource-constrained 1197 devices, the authors of [105] use a lightweight authentica-1198 tion technique based on only hash and XOR operations. 1199 In this method, smart sensors with secure elements and 1200 routers with trusted platform module are taken into account. 1201 The proposed authentication mechanism is performed in two 1202 steps: (a) the registration phase, in which each smart sen-1203 sor registers with an authentication server and the routers 1204 are given secure pre-shared keys issued by the server; and 1205 (b) the mutual authentication phase, in which the sensor 1206 and the router establish mutual authentication. The second 1207 group of studies concentrates on protecting IIoT commu-1208 nications with other entities, such as cloud services [106], 1209 [107], [108], [109]. These methods use certificateless search-1210 able public-key encryption, which allows for easy key man-1211 agement across a wide number of IIoT devices. 
The core 1212 concept is that data is encrypted before being sent to a 1213 cloud service, and the encrypted data is searchable, such 1214 that data is only decrypted after being retrieved from the 1215 cloud. Such techniques, however, might endanger the con-1216 fidentiality and integrity of the information, since secrecy 1217 and authenticity of outsourced data cannot be guaranteed 1218 when dealing with an expanding number of devices and 1219 connections [110]. Finally, the last group of studies focuses 1220 on user authentication, and develops techniques for authoriz-1221 ing users to access IIoT devices. For instance, researchers 1222 have proposed an anonymous lightweight user authentica-1223 tion approach for IIoT paradigms [111]. This approach per-1224 forms authentication using personal biometrics, passwords, 1225 and smart cards with the fuzzy extractor to confirm the 1226 user's biometrics. It also includes phases for smart card 1227 revocation, password/biometric update, and IIoT device addi-1228 tion. Additionally, the authors of [112] have developed a 1229 privacy-preserving biometric-based authentication protocol 1230 using elliptic curve cryptography. In this method, when a user 1231 desires to access a node's sensory data, their authentication 1232 should be approved by a gateway and agree on a session 1233 key that will encrypt future interactions. Similarly, a Context 1234 Sensitive seamless Identity Provisioning (CSIP) architecture 1235 is developed in [113] for IIoT devices to validate users. The 1236 CSIP presents a two-part mutual authentication technique 1237 based on hashes and mutual authentication values. dominated by real-time processes and resource-constrained 1300 devices, which are less frequent in traditional IT networks. 1301 Additionally, since not all the data traffic flows via a single 1302 central point, IIoT networks generally require numerous van-1303 tage points for IDSs. 
Apart from these complications, there are some advantages to deploying IDSs in IIoT systems. For example, in contrast to the irregular communication of IT networks, predictable industrial operations produce more regular network traffic patterns, making the identification of anomalies easier [123]. The following subsections elaborate on available IDSs for IIoT-based applications in EPSs.

Traditionally, IDSs observe and analyze the network for attacks mainly by looking for attack signatures and traffic, anomalous activities, or system specifications. Signatures are patterns that networks under attack display, and specifications are the rules for valid and correct operation of the system [124], [125]. Traditional IDSs can be signature-based, anomaly-based, or specification-based.

Signature-based IDSs attempt to model the malicious behavior of an attack, i.e., its signature, in order to detect it. Therefore, signature-based IDSs can only detect attacks whose signatures are known, since they lack the ability to generalize. Additionally, modeling the signature of an attack might be challenging in some cases. Anomaly-based IDSs, on the other hand, detect attacks by probing the behaviors of nodes, such as their usual message emissions, and comparing them with previously known valid behaviors. In fact, an anomaly-based IDS learns the normal behavior of a system and detects attacks when the system's behavior deviates from that baseline. An anomaly-based IDS can be either model-based, if the attack-free operation can be accurately modeled by physical equations, or learning-based, if the normal behavior is modeled using Artificial Intelligence (AI). It should be noted that only the former type is categorized as a traditional anomaly-based IDS [126]. The system model used for traditional model-based methods can be (i) differential, algebraic, or a combination of both, (ii) linear or nonlinear, and (iii) parameter-varying or parameter-invariant. A model-based anomaly detection method can be used in conjunction with traffic-based anomaly detection techniques to improve the attack detection accuracy [127]. Even though anomaly-based IDSs are able to identify previously unknown attacks, they have relatively high false alarm rates, since previously unseen but benign behaviors might be confused with attacks. A specification-based method is a type of traditional IDS that reduces the false alarm rate of anomaly-based detection techniques by distinguishing natural but unknown behaviors of the system from attacks.
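The following added example shows a model-based anomaly detector (residual against a physical model) and a specification-based check (admissible range and rate of change) run over constructed telemetry, including the false-alarm case described above in which a legitimate but unmodeled action trips the model-based detector alone. It is written for this page and is not code from [126], [127] or [128]; the first-order model, its coefficients, the residual threshold and the specification limits are assumptions chosen for illustration.

```python
"""Model-based anomaly detection with a specification-based check on top,
run over constructed telemetry. Added example for this page, not code from
any of the cited IDS papers. The first-order model, thresholds and limits
below are assumptions chosen for illustration."""

A, B = 0.9, 0.1          # assumed discrete-time model: x[k+1] = A*x[k] + B*u[k]
THRESHOLD = 0.02         # assumed residual threshold for the model-based detector
X_MIN, X_MAX = 0.9, 1.6  # assumed specification: admissible range of x (p.u.)
MAX_RATE = 0.06          # assumed specification: largest physically possible |x[k]-x[k-1]|


def simulate(u, x0=1.0):
    """Attack-free plant response to the command sequence u (len(u)+1 samples)."""
    x = [x0]
    for uk in u:
        x.append(A * x[-1] + B * uk)
    return x


def residuals(x_meas, u):
    """r[k] = measured x[k+1] minus the model's one-step prediction from x[k], u[k]."""
    return [x_meas[k + 1] - (A * x_meas[k] + B * u[k]) for k in range(len(u))]


def model_based_alerts(x_meas, u, threshold=THRESHOLD):
    """Anomaly-based (model-based) IDS: flag samples whose residual is too large."""
    return [k + 1 for k, r in enumerate(residuals(x_meas, u)) if abs(r) > threshold]


def specification_violations(x_meas):
    """Specification-based IDS: flag samples outside the admissible range or rate."""
    bad = []
    for k in range(1, len(x_meas)):
        out_of_range = not (X_MIN <= x_meas[k] <= X_MAX)
        too_fast = abs(x_meas[k] - x_meas[k - 1]) > MAX_RATE
        if out_of_range or too_fast:
            bad.append(k)
    return bad


def combined_alerts(x_meas, u):
    """Alert only when the model residual AND the specification both disagree
    with the measurement; this is how the specification lowers the false-alarm rate."""
    spec = set(specification_violations(x_meas))
    return [k for k in model_based_alerts(x_meas, u) if k in spec]


def run_scenarios():
    n = 20
    # Scenario 1 (constructed): false-data injection, measurement 10 biased by +0.1.
    u = [1.0] * n
    injected = simulate(u)
    injected[10] += 0.1
    # Scenario 2 (constructed): legitimate set-point change at sample 5 that the
    # IDS never sees because the command path is unmonitored, i.e. benign but
    # unmodeled behaviour. The IDS still assumes u == 1.0 throughout.
    u_true = [1.0] * 5 + [1.5] * (n - 5)
    benign = simulate(u_true)
    return {
        "injection_model": model_based_alerts(injected, u),
        "injection_combined": combined_alerts(injected, u),
        "benign_model": model_based_alerts(benign, u),     # sustained false alarms
        "benign_combined": combined_alerts(benign, u),     # suppressed by the spec
    }


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(f"{name}: {alerts}")
```

In scenario 1 the injected bias produces two large residuals (the biased sample and the one after it) and two rate violations, so both detectors agree. In scenario 2 the residual equals B times the unseen change in u at every step, so the model-based detector alarms continuously, while the specification check sees a plant moving within its physical limits and stays quiet. The trade-off is visible too: an attacker who ramps a measurement slowly enough to stay under MAX_RATE would pass the specification check, so the combined rule buys fewer false alarms at the cost of some coverage.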
System specifications, which signify the system's expected behaviors, are key components of specification-based IDSs. In these methods, abnormal behaviors of a system are detected as a breach of security. When sufficient information about a system's behaviors is not available, a specification source is developed by simulation. This source is then used to identify intrusions by monitoring the deviation of system behaviors from the simulated attack-free specifications [128].

VOLUME 10, 2022

[133]. More information about supervised ML methods can be found in [134].

[136]. Recurrent NN (RNN) [137], Long Short Term Memory (LSTM) [138], and gated recurrent units [139] are other types of NNs that can be used for detecting attacks in

These ML models extract information and hidden patterns from the raw data without requiring data labels. Unsupervised models that are able to cluster the input data include, but are not limited to, Principal Component Analysis (PCA) and K-means Clustering [133]. More information about unsupervised ML methods can be found in [134].

• PCA: This unsupervised ML method computes the principal components of a dataset and uses them to reduce the dimension of the data. In fact, PCA generates uncorrelated features from the initial correlated ones to shrink the feature space. Thus, due to its dimension reduction capability, PCA is appropriate for IIoT systems with massive data. Integrating PCA with other ML techniques can result in stronger IDSs [142].

• K-means clustering: This approach divides the data into k clusters and assigns each observation to the cluster whose mean is nearest to the observation. The hyper-parameter k is usually selected manually to control the learning process, and the centroids are found iteratively starting from some initial random points. The fact that the K-means method does not require data labels makes it suitable for IIoT datasets, which are often unlabeled [143].

This family of ML techniques trains the model using a small amount of labeled data and a large quantity of unlabeled data. In fact, semi-supervised ML is a special instance of weak supervision. Semi-supervised techniques are useful when the cost of labeling is relatively high and good learning accuracy is required. One example of semi-supervised learning is to combine clustering and classification algorithms. The former categorizes the most relevant samples of the data into several clusters, and the latter labels the unlabeled data based on the clusters and uses it to train the model.

and secure peer-to-peer transaction service model for renewable energy sources.
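The K-means bullet and the cluster-then-classify semi-supervised approach above can be shown together in one added example: unlabeled traffic features are clustered with K-means from random initial centroids, each cluster takes the majority label of the few labeled samples it contains, and a nearest-centroid classifier is then trained on the resulting pseudo-labels. This is written for this page and is not code from [143] or [134]; the two features (packets per second and mean packet size), the sample flows, and the three analyst labels are constructed for illustration.

```python
"""K-means clustering of unlabeled IIoT traffic features, followed by the
cluster-then-classify semi-supervised step. Added example for this page, not
code from [143] or [134]. Feature set and sample values are constructed."""
import random
from collections import Counter

# Constructed flow features: (packets/s, mean packet bytes). The first eight
# resemble periodic sensor reporting, the last eight a small-packet flood.
FLOWS = [
    (12, 210), (15, 198), (9, 222), (14, 205), (11, 215), (13, 201), (10, 209), (16, 195),
    (480, 60), (510, 58), (495, 64), (530, 61), (470, 59), (505, 62), (520, 57), (490, 63),
]
# Only three flows were labelled by an analyst (index -> class); the rest are unlabeled.
LABELED = {0: "normal", 3: "normal", 9: "attack"}


def fit_minmax(points):
    cols = list(zip(*points))
    return [min(c) for c in cols], [max(c) for c in cols]


def scale(p, lo, hi):
    """Min-max scaling so that the packet rate does not dominate the distance."""
    return tuple((v - l) / ((h - l) or 1.0) for v, l, h in zip(p, lo, hi))


def dist2(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))


def mean(points):
    return tuple(sum(c) / len(points) for c in zip(*points))


def kmeans(points, k, seed, iters=100):
    """Lloyd's algorithm from k random initial centroids (seeded for reproducibility)."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    assign = []
    for _ in range(iters):
        assign = [min(range(k), key=lambda c: dist2(p, centroids[c])) for p in points]
        new = []
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            new.append(mean(members) if members else centroids[c])  # keep an empty cluster's centroid
        if new == centroids:
            break
        centroids = new
    inertia = sum(dist2(p, centroids[a]) for p, a in zip(points, assign))
    return centroids, assign, inertia


def best_kmeans(points, k, restarts=5):
    """Random initialisation can settle in a poor optimum; keep the lowest-inertia run."""
    return min((kmeans(points, k, seed) for seed in range(restarts)), key=lambda r: r[2])


def cluster_then_label(flows, labeled, k=2):
    """Semi-supervised step: cluster everything, give each cluster the majority
    label of the few labelled samples it contains, then train a classifier."""
    lo, hi = fit_minmax(flows)
    scaled = [scale(p, lo, hi) for p in flows]
    centroids, assign, _ = best_kmeans(scaled, k)
    cluster_label = {}
    for c in range(k):
        votes = Counter(label for i, label in labeled.items() if assign[i] == c)
        cluster_label[c] = votes.most_common(1)[0][0] if votes else "unknown"
    pseudo_labels = [cluster_label[a] for a in assign]

    def classify(flow):
        """Nearest-centroid classifier trained on the pseudo-labelled data."""
        q = scale(flow, lo, hi)
        nearest = min(range(k), key=lambda c: dist2(q, centroids[c]))
        return cluster_label[nearest]

    return pseudo_labels, classify


if __name__ == "__main__":
    labels, classify = cluster_then_label(FLOWS, LABELED)
    print(labels)
    print(classify((500, 60)), classify((12, 200)))
```

A cluster that contains no labeled sample is reported as "unknown" rather than guessed, which is the honest outcome when an analyst has labeled too few flows; in an IDS pipeline that cluster is the one to send for manual review. Feature scaling is not optional here: without it the packet-rate axis is about a hundred times wider than the packet-size axis and the clustering degenerates to a one-dimensional split on rate.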

IIoT deployment has brought about various opportunities for EPSs, such as enhancing asset visibility, energy management, and control of distributed generation, as well as reducing energy losses. However, the security challenges of IIoT systems have hindered large-scale deployment of IIoT-based applications in EPSs. This paper first elaborated on IIoT-based applications in EPSs and discussed the most common IIoT architectures for implementing these applications. It also highlighted the major security requirements of IIoT-based systems. Afterwards, the vulnerabilities of IIoT systems were explained, and the attacks that can take advantage of such vulnerabilities were classified based on their entry layer. Additionally, the paper examined various prevention and detection strategies for addressing the vulnerabilities of IIoT systems in EPSs and mitigating intrusions before they damage the system. Finally, to improve the security of IIoT-based applications in EPSs, possibilities for employing technologies such as Blockchain, ML, and AI were discussed.

The work presented in this paper can be extended in several directions. Developing cyber-security solutions for each IIoT-based application in EPSs requires an in-depth analysis of that application and identification of its cyber-security specifications. Therefore, it is more effective to design security enhancement measures for each IIoT application based on the features and specifications of that application, rather than developing generic solutions. Additionally, a candidate solution for securing large-scale systems, such as EPSs, is employing Blockchain. Thus, another potential direction for future research is tailoring Blockchain technology to IIoT-based applications in EPSs.