Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis With Cyber Security Applications

Cyber-Physical System (CPS) is a new kind of digital technology that is attracting increasing attention across academia, government, and industry and covers a wide range of applications such as agriculture, energy, medicine, and transportation. Traditional power systems, with physical equipment as the core element, are becoming more integrated with information and communication technology and are evolving into the Cyber-Physical Power System (CPPS). The CPPS consists of a physical system tightly integrated with cyber systems (control, computing, and communication functions) and allows two-way flows of electricity and information to enable smart grid technologies. Even though digital technologies monitor and control the electric power grid more efficiently and reliably, the power grid is vulnerable to cybersecurity risk and involves complex interdependency between cyber and physical systems. Analyzing and resolving problems in CPPS requires modelling methods and a systematic investigation of the complex interaction between cyber and physical systems. The conventional way of modelling, simulation, and analysis separates the physical domain from the cyber domain, which is not suitable for the modern CPPS. Therefore, an integrated framework is needed to analyze the practical scenario in which physical and cyber systems are unified. This paper presents a comprehensive review of different modelling, simulation, and analysis methods, different types of cyber-attacks, and cybersecurity measures for modern CPPS. It also reviews different types of cyber-attack detection and mitigation control schemes for the practical power system. Finally, the status of CPPS research around the world and recommendations and research directions for researchers working in CPPS are presented.

[Figure: Structure of the cyber-physical system.]

environments and built from control systems and embedded systems to monitor and regulate the physical power system in real time. CPPSs are designed as a structure of interacting elements with physical input and output. This is not about adding computing and communication techniques to conservative inventions where both sides maintain distinct individualities. This is about the integration of computing and networking with physical power systems to generate novel innovations in science, technical skills, and creations. Cyber is an integration of communication, computation, and control systems. Physical means natural and human-made power systems that are governed and managed by the physics regulations and functioning in constant time. In CPPSs, the cyber and physical systems are firmly integrated at all stages and dimensions. CPPS uses embedded computers and networks to compute, communicate, and organize physical power system actions. Simultaneously, a CPPS receives feedback on how physical power system events impact computations and vice versa, as shown in Fig. 1. Just as the Internet provides a way for humans to interact with each other, CPPSs will transform how we interact with the physical power system world around us. To enable a standard communication link between heterogeneous systems, the CPPS-Interconnection Protocol is used. This protocol is mainly designed for special CPSs such as CPPSs, which require overall instruction and a performance guarantee for cyber-physical interaction. The main objective of this protocol is to offer CPPSs heterogeneity at three different levels: function interoperability, policy regulation, and performance assurance. Transport protocol services are then used in the design of the CPS-Interconnection Protocol. As an intellectual challenge, CPPS is about the intersection, not the union, of the physical power system and the cyber.
It is not adequate to individually understand the physical power system components and the computational components. We must instead understand their interaction as shown in Fig. 2. The design of such systems, therefore, requires understanding the joint dynamics of computers, software, networks, and physical power systems.
does not only depend on power flow in the physical system but also depends on information flow in the cyber system, i.e., Information and Communication Technology (ICT). Even though the cyber system ensures efficient, safe, and secure operation of the power grid, the power blackouts that have occurred in power grid history are mainly due to the failure of the cyber system.
The main drawback of CPPS is the cyber-attack and cybersecurity problem. The CPPS is a big heterogeneous networked transmission and distribution system with a huge load, and it is exposed to the entry of cyber-attacks. The components of the cyber systems are severely vulnerable to external cyber threats and cyber-attacks through cyber connections due to flaws in cybersecurity features. A cyber-attack does not damage the physical power system directly, but once coordinated with a physical attack, it creates the same impact as physical damage and leads to system instability. Therefore, it is necessary to review the various cyber-attacks and cybersecurity measures in CPPS.
Researchers around the world have conducted various research on CPPS from different perspectives [26]-[28]. The main characteristic of CPPS is the strong interdependency between the cyber and physical systems. The authors have investigated the impacts of various cyber contingencies on a physical system using the model-based method [29]-[31]. With the development of synchrophasor technology for wide-area monitoring and control of CPPS, cyberattacks are increasing nowadays [32]-[34]. The authors did extensive research on the analysis of different types of cyber-attacks, such as the denial-of-service attack, the false data injection attack, and the man-in-the-middle attack in CPPS, and showed how they jeopardize stability [35]-[37]. To protect the complex power grid control networks of CPPS, it is necessary to perform risk and vulnerability assessment under cyber-attacks [38]-[40]. Various methods of risk assessment [41]-[44] and vulnerability assessment [45]-[48], from the component level to system-wide impacts, with cyber model assessment and physical model assessment, have been performed. Substantial work on cyber-attack detection and mitigation for CPPS by monitoring the network traffic of the Supervisory Control and Data Acquisition (SCADA)/Phasor Measurement Unit (PMU) system in the power system control centre was performed in [49]-[52].
It forms the overall cybersecurity feature for the CPPS, which, with advanced data analytics and machine learning algorithms, is entirely different from traditional information security. It is able to distinguish normal and attack activities in the cyber systems. Research interest in designing a Wide-Area Damping Controller (WADC) for damping inter-area oscillations in large-scale CPPS, considering cyber-attacks on the physical power system, has increased [53]-[55]. The cyber-physical attack resilient Wide-Area Control (WAC) technique aims to enhance the stability of CPPS at an earlier stage, before the system reaches the blackout condition [56], [57]. It is designed to be adaptive to the continuous expansion of the modern CPPS, considering the cyber contingencies on the physical power system with its high dimensionality and complex interconnection structure.
Nowadays, more researchers are working in the field of CPPS, especially to analyze the stability of CPPS from the control system point of view. It is necessary to analyze the electric power grid as a whole cyber-physical social system, i.e., an integrated physical and cyber (control, communication, and computing) part with cybersecurity features. The traditional method of modelling, simulation, and analysis of electric power system operation is entirely based on the physical part of the power grid. This no longer supports future CPPS research and development. Also, it is difficult to assess the impact of a cyber contingency on physical power systems for the safe operation of CPPS. The integration and unification of cyber and physical systems are needed to optimize the configuration of the cyber side for ensuring the safe and secure operation of the electric power grid. In recent years it has been difficult to find a literature survey on different types of modelling, simulation, and analysis methods with cybersecurity applications for CPPS. Therefore, it is necessary to review the different types of modelling, simulation, and analysis methods available for reflecting the characteristics of cyber and physical systems in CPPS. In this review paper, different types of integrated cyber and physical system modelling methods and simulation software packages are presented. The different types of cyberattacks and cybersecurity measures for CPPS are also reviewed. The status of CPPS in the developed countries and research directions and recommendations in CPPS are finally presented. Fig. 3 shows the structure of this survey.
The remainder of this paper is organized as follows: The different types of modelling methods that cover the physical and cyber part of CPPS are presented in Section II. Section III presents the different types of software used for the modelling and simulation of CPPS. Section IV discusses the different types of cyber-attacks and cybersecurity measures for CPPS. The status of the CPPS in the developed countries is presented in Section V. Section VI gives the outlook of future CPPS. Section VII discusses the current issues and research directions. Finally, the conclusion is given in Section VIII.

II. MODELLING OF CPPS
The main characteristic of CPPS modelling is the tight interaction between the physical and cyber systems across different time and space scales. The physical system is a dynamic system consisting of generators, transformers, transmission lines, loads, etc., which are physically connected by energy flow. In contrast, the cyber system is a static system that consists of cyber components connected through a communication network with information flow. The complex interaction between the physical and cyber systems in CPPS acts as a critical point of failure, as the two systems have different topologies. In large-scale CPPS, the failure of one system leads to catastrophic cascading failure in the overall system. The performance of one system heavily depends upon the other system, i.e., the cyber and physical systems are interdependent. The comparison between the characteristics of the cyber system and the physical system is shown in Table 1.
Both the physical and the cyber system have their own uncertainties. The integration of renewable energy into the physical system, which is stochastic in nature, affects the steady-state operating condition of the power flow in the system. In cyber systems, cyber-attacks on control, computing, and communication functions alter the information flow. These uncertainties are unpredictable, which increases the risk to the safe and secure operation of the power system. The interaction characteristics of the physical and cyber systems complicate the modelling of CPPS. Therefore, it is necessary to develop a modelling framework for a critical understanding of complexity and interdependency in CPPS and to analyze the physical and cyber systems with both qualitative and quantitative approaches. This will help to prevent the spreading of catastrophic cascading failure events in a networked CPPS.
The modelling of CPPS is broadly classified into three categories.
(A) CPPS Interconnection Modelling (the act of physical and cyber system in a distinct manner)
(B) CPPS Interaction Modelling (effect of physical and cyber systems has on each other)
(C) CPPS Interdependent Modelling (degree of physical and cyber systems depends on each other)

A. CPPS INTERCONNECTION MODELLING (THE ACT OF PHYSICAL AND CYBER SYSTEM IN A DISTINCT MANNER)
In this modelling, the CPPS is modelled by the interconnection of a physical system, a cyber system, and the systems needed to interconnect them. The physical system consists of the physical components of the power system that need to be monitored and controlled. The cyber system consists of a computational algorithm that involves a control or communication algorithm. The systems needed to interconnect the physical and cyber systems are the Analog to Digital Converter (ADC), the Digital to Analog Converter (DAC), and digital networks. Hybrid dynamical system theory is used to model the CPPS, with differential equations representing the continuous-time behaviour of the physical system and difference equations representing the discrete behaviour of cyber systems, converters, and digital networks [58]. It captures the mixed behaviour of continuous and discrete systems and their interconnections in CPPS.

1) PHYSICAL COMPONENTS MODELLING
The physical system is a continuous-time system modelled by a differential equation with a time parameter $t$ that parameterizes the variables of the system, i.e., the state of the system [58]-[60]. The mathematical equation of the physical system is given in equations (1) and (2). Let $z$ represent the state of the physical system with $\mathbb{R}^{n_P}$ as the Euclidean state space, $u \in \mathbb{R}^{m_P}$ the input signal of the physical system, and $y \in \mathbb{R}^{r_P}$ the output of the physical system defined by the output function $h$.
In specific applications, it is necessary to limit the values of the state and input of the physical system. In that case, the values are constrained to the set $C_P$.

2) CYBER COMPONENTS MODELLING
The function of cyber components is to execute the algorithms, perform the computations, and transmit the data over the digital networks. The state variables of the cyber components are discrete values that are updated at discrete events and taken from discrete sets rather than from a continuum [58], [61], [62]. The mathematical equation of the cyber system is given in equations (3) and (4). Let $\eta \in \Upsilon$ represent the state of the cyber system with $\mathbb{R}^{n_C}$ as the Euclidean state space, $\nu \in V \subset \mathbb{R}^{m_C}$ the input signal of the cyber system, and $\zeta \in \mathbb{R}^{r_C}$ the output of the cyber system defined by the output function $K$, which is a function of the input and the state $(\nu, \eta)$.
In specific applications, it is necessary to limit the values of the state and input of the cyber system. In that case, the values are constrained to the set $D_C$. The mathematical modelling of the cyber components in the cyber system is as follows.

a: PURE FINITE STATE MACHINES
The Finite State Machine (FSM) is a computational model that expresses the relationship between the input and the state of the system. It is used to represent the control execution flow or to simulate sequential logic in many applications. At every value of the input, the state and output of the FSM are updated. The states, inputs, and outputs of the FSM take values from discrete sets and are updated at discrete transitions when triggered by its inputs. Let ν denote the inputs, taking values from the set , q denote the states, taking values from the set Q, r denote the outputs, taking values from the set , and $q_0$ denote the initial value of the state of the FSM. The output function is given by K : Q → and the transition function is given by δ : Q × → Q. When the input ν ∈ is applied to the FSM, a transition occurs from the initial state $q_0 \in Q$ of the FSM to a new state $q_1 = \delta(q_0, \nu)$. The FSM output is updated to $K(q_1)$ after the transition, and this transition mechanism in the FSM is represented mathematically by the difference equation in equation (5).
This model is similar to the cyber components model given in equations (3) and (4). In certain applications, the transition in the FSM occurs based on a conditional structure; for instance, the transition is triggered in the FSM when the input ν < 0. The conditional structure is a Boolean expression: if it evaluates to true, the transition is enabled, and if it evaluates to false, the transition is aborted. The mathematical modelling of an FSM with transitions according to the conditional structure is defined as follows: let the function Q × × → R be the testing function for the transition condition for each state q ∈ Q. Assume that the conditional structure (q, ν, ζ ) is designed to be satisfied for values less than or equal to zero, as given in equation (6), and otherwise not satisfied. The transition triggered in FSM based on the conditional structure ( ) model is given by This model is similar to the cyber components model in equations (3) and (4).

c: MODELLING OF COMPUTER COMPUTATIONS AND DISCRETE-TIME ALGORITHMS
There are two types of computations, one-shot computation, and iterative computation. The computation model is represented in a discrete-time system with ν as the input of the model, and the output of the computation model is ζ . The mathematical model of the one-shot computation is given by where the functionK represents the modelling of the computation being performed. This model is similar to the cyber components model in equation (3) and (4), with η = ∅, ϒ = ∅, ν = , D C = ν, G C = ∅, K =K . The iterative computation technique requires a number of steps to perform the computation. It is defined as a discrete-time system with additional variables as m ∈ R n c −1 and the counter as k ∈ {0, 1, 2, . . . k * } , k * ∈ {0, 1, 2, . . .} =: N that performs k * iterations to produce the final outcome of the computations. Denoting η= [m T K ] T as the state of the computation model, ν as the input signal andK as the function performing the iterative computation, the computational model is given by The model represented in the eqn (8) is similar to the cyber components model in equation (3) and (4) The difference equations are used to model the discrete-time algorithms. The discrete-time feedback controller can be designed by discretizing the continuous-time controller designed by the continuous-time system design tools or designing the discrete-time feedback controller directly. The discrete-time algorithm can be written as where G C is obtained by discretizing the continuous-time control algorithm.

3) MODELLING OF THE INTERFACE SYSTEM BETWEEN CYBER AND PHYSICAL COMPONENTS
The models representing the behaviour of the cyber and physical systems have different dynamics: the cyber system has discrete dynamics while the physical system has continuous dynamics. The interfaces are used to interconnect the cyber and physical systems and convert the signals appropriately [58], [63], [64]. The mathematical models of the interfaces used to interconnect the cyber and physical systems are presented first; finally, the cyber system, physical system, and interfaces are interconnected to define the complete model of the CPS.

a: ANALOG TO DIGITAL CONVERTER (ADC)
The ADC is a sampling device or sensor which provides the information measured from the physical system to the cyber system. The main function of the ADC is to sample the output ($y$) of the physical system at a sampling rate of $T_s^*$; the samples are then sent to the embedded computer in the cyber system. The model of the ADC has two states, the sample state and the timer state. If the timer attains the sampling time $T_s^*$, the timer is reset to zero, and the sample state is updated with the most recent output from the physical system. The mathematical model of the sampling device is given in equations (10) and (11), where $\tau_s \in \mathbb{R}_{\geq 0}$ denotes the timer state, $m_s \in \mathbb{R}^{r_P}$ denotes the sample state, and $v_s \in \mathbb{R}^{r_P}$ denotes the input of the sampling device. In a practical ADC, a time delay, called the ADC acquisition time, exists between the triggering of the ADC to sample its input and the update of its output. This time delay reduces the number of samples per second that the ADC can take. In addition, the digital output value of the ADC is stored in the sample state as finite-length digital words, which causes the quantization effect. This model omits the quantization effects and the ADC acquisition time, but these can be included in the model if needed.

b: DIGITAL TO ANALOG CONVERTER (DAC)
The DAC converts the digital signal into an analog signal for use in the physical system. The Zero-Order Hold (ZOH) model is a commonly used model for the DAC; it updates its output periodically at discrete instants of time and holds it constant between updates until new information is available at the next sampling time. The mathematical modelling of the DAC as a ZOH is given in equations (12) and (13), which are similar to equations (10) and (11).
Let $\tau_h \in \mathbb{R}_{\geq 0}$ be the timer state, $m_h \in \mathbb{R}^{r_C}$ be the sample state, and $v_h \in \mathbb{R}^{r_C}$ be the input of the DAC. The operation of the DAC is as follows: if $\tau_h \geq T_h^*$, the state of the timer is reset to zero, and the sample state is updated with the new input $v_h$ (the output of the embedded computer in the cyber system).
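The timer-and-sample behaviour described above for the ADC and the DAC, as an added Python example that is not code from the paper. The first-order plant, the controller gain, the step size and both periods are constructed assumptions; quantization and acquisition time are omitted, as in the text's model.

```python
class SampleHold:
    """Timer state tau and sample state m, as described for the ADC and the DAC.

    Flow: tau grows with time while m is held constant.
    Jump: when tau >= T_star, tau is reset to zero and m takes the input v.
    The timer is counted in integer ticks of dt to avoid floating-point drift.
    """

    def __init__(self, period_ticks, m0=0.0):
        self.period_ticks = period_ticks   # T_star expressed in ticks (assumed value)
        self.tau = 0                       # timer state
        self.m = m0                        # sample state, i.e. the held output
        self.jumps = 0                     # number of updates performed so far

    def step(self, v):
        """Advance one tick with input v present and return the held output."""
        if self.tau >= self.period_ticks:  # jump condition
            self.tau, self.m = 0, v
            self.jumps += 1
        self.tau += 1                      # flow of the timer
        return self.m


def simulate(period_ticks, t_end=5.0, dt=1e-3, a=1.0, b=1.0, gain=2.0, z0=1.0):
    """Closed loop: plant dz/dt = a*z + b*u with y = z, sampled by the ADC,
    static controller -gain*m_s on the cyber side, output held by the DAC."""
    adc = SampleHold(period_ticks)
    dac = SampleHold(period_ticks)
    z, trace = z0, []
    for _ in range(int(round(t_end / dt))):
        m_s = adc.step(z)                  # ADC samples the plant output
        u = dac.step(-gain * m_s)          # DAC holds the computed control value
        trace.append((z, u))
        z += dt * (a * z + b * u)          # forward-Euler step of the plant
    return z, adc.jumps, trace


if __name__ == "__main__":
    for ticks in (100, 1200):              # T_star = 0.1 s and 1.2 s
        z_end, jumps, _ = simulate(ticks)
        print(f"T*={ticks * 1e-3:.1f}s  samples={jumps}  z(5s)={z_end:+.4f}")
```

With the constructed unstable plant, the 0.1 s period keeps the state near zero while the 1.2 s period takes too few samples to do so, which is why the number of samples per second matters for the interface model.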

c: DIGITAL NETWORKS
The transfer of information between the cyber and physical systems, or between the subsystems of a cyber system, occurs over a digital network. It bridges all the subsystems and components and transmits the sampled information at discrete-time instants. If the triggering condition is satisfied, the information provided at its input is transmitted over the digital network, which stores that information until new information arrives. Let us assume the information is transferred over the digital communication network at the time instants $t_i$. The mathematical model of the digital network is given in equations (14) and (15).
At every $t_i$, the information $v_N$ available at the input side of the communication link is transferred over the digital network. The internal variable $m_N$ is updated at each transmission event; it keeps the information at the output of the network and remains constant between communication events. The internal variable $m_N$ maintains not only the most recently transmitted information but also previously transmitted information. This digital network is an interface between a cyber and a physical system that interconnects the continuous and discrete dynamics. The model of the digital network is represented by the combination of both difference and differential equations by the hybrid inclusions method. This is usually employed in CPS for modelling the digital network, as given in equation (16), where $\lambda$ denotes the state, $w$ denotes the input signal, $\psi$ denotes the output, $F_I$ denotes the continuous dynamics on $C_I$, and $G_I$ denotes the discrete dynamics on $D_I$ of the digital interface.

4) COMBINING MODELS OF CYBER AND PHYSICAL COMPONENTS
The complete mathematical modelling of the CPS is obtained by the interconnection of the models of individual cyber and physical components with interfaces [58], [65], [66]. Fig. 4 shows the feedback interconnection modelling of CPS. The individual models of the CPS are interconnected to obtain the complete mathematical model of CPS, which combines the continuous and discrete dynamics through combinations of differential and difference equation form or hybrid inclusion form.

B. CPPS INTERACTION MODELLING (EFFECT OF PHYSICAL AND CYBER SYSTEMS HAS ON EACH OTHER)
The interaction between cyber and physical systems plays a significant role in the efficient control of CPPS. In past research works, the assumptions about the interaction phenomena in CPPS were left implicit or unspecified in the system design. This leads to catastrophic failure in safety-critical systems like CPPS. It is necessary to explicitly specify the assumptions about interactions and integrate the interaction model with the design of CPPS to ensure the safety of the system. In this section, the different types of CPPS interaction model are presented. From the literature review, the CPPS interaction model is broadly classified into four types, as shown in Fig. 6. They are i) Graphical Model, ii) Mechanism Model, iii) Probabilistic Model, and iv) Simulation Model.

1) GRAPHICAL MODEL
The graphical model gives a visualization-based relationship between the physical and cyber systems. It helps to construct the structure of the electric power grid and supports the analysis of the operation of the power grid under various attacks. The following section presents the different types of graphical modelling methods, the quantitative analysis of the variables involved in each model, and the theory of the individual models with graphical illustrations.

a: GRAPH THEORY-BASED MODEL
In CPPS, electrical power system components such as generators, circuit breakers, protective relays, and loads are connected through transmission lines, whereas the cyber system consists of cyber components connected through the communication networks. In order to monitor and control CPPS, it is assumed that each component in the physical system is integrated with a cyber node. It transmits the component state information to the remote-control centre through routers and switches, as shown in Fig. 5. Once the information is received in the control centre, it is processed, and the control signal is generated and then sent through the routers to control devices such as Flexible AC Transmission System (FACTS) devices, etc.
Given the one-on-one relationship between the physical system and the cyber system, the failure of the physical or cyber system affects the other system or vice versa. The graph theory-based method would be the best method to study the internal relations between the physical and cyber systems in CPPS. A graph consists of a set of vertices ($V$) and edges ($E$). Based on the principle of graph theory, the physical components are considered as vertices $V_p$ and the transmission lines connecting the physical components are considered as edges $E_p$, which form the directed sparsely connected graph $G_p = (V_p, E_p)$ [67]-[69]. Similarly, the cyber components such as routers, servers, and computing clusters in cyber systems are considered as vertices $V_c$ and the wireless/wired communication links between the cyber components are considered as edges $E_c$, which form the directed sparsely connected graph $G_c = (V_c, E_c)$ [70], [71]. Fig. 7 represents an example of graph theory-based modelling of CPPS. The vertices are energy storage devices, while the edges represent the energy flow (power flow) between two vertices.
The edges are represented as directional arrows to indicate the positive power flow $P_i^{in}$ for $i \in \{1, 2\}$ from the head vertex $V_j^{head}$ to the tail vertex $V_j^{tail}$. $V_s \in \mathbb{R}^{N_s}$ and $V_t \in \mathbb{R}^{N_t}$ denote the source and sink vertices, respectively [72]. In the cyber system, the vertices are data nodes, while the edges represent the information flow between two vertices [26]. The edges are represented as directional arrows to indicate the information flow $I_i^{in}$ for $i \in \{1, 2\}$, as shown in Fig. 7. A power system contingency such as a transmission line outage is represented by the removal of edges from the graph $G_p$, whereas the removal of a vertex $V_c$ from the graph $G_c$ represents the failure of a cyber node. The graphical model of a CPPS is represented as a directed topology graph. The physical and cyber system state variables are considered as "data nodes," and the information flow between the physical and cyber systems is considered as an "information edge." The graph theory model is integrated with the dynamic system theory model to analyse the effect of cyber disturbances on the power system components [73].
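The two-graph representation and its contingencies (edge removal in $G_p$, vertex removal in $G_c$), as an added Python example that is not from the paper. The four-component grid, the router layout and all node names are constructed for illustration.

```python
from collections import deque

# Constructed example. Physical graph G_p = (V_p, E_p): each directed edge
# (head, tail) follows the positive power flow.
V_P = {"G1", "B1", "B2", "L1"}
E_P = {("G1", "B1"), ("B1", "B2"), ("B2", "L1"), ("B1", "L1")}
SOURCES = {"G1"}                      # source vertices V_s

# Cyber graph G_c = (V_c, E_c): each directed edge follows the information
# flow from a component's cyber node towards the control centre "CC".
V_C = {"c_G1", "c_B1", "c_B2", "c_L1", "R1", "R2", "CC"}
E_C = {("c_G1", "R1"), ("c_B1", "R1"), ("c_B2", "R2"), ("c_L1", "R2"),
       ("R2", "R1"), ("R1", "CC")}

# One-on-one coupling: every physical component reports through one cyber node.
COUPLING = {p: "c_" + p for p in V_P}


def reachable(vertices, edges, starts):
    """Vertices reachable from `starts` along directed edges (breadth-first)."""
    adj = {v: [] for v in vertices}
    for head, tail in edges:
        if head in adj and tail in adj:       # ignore edges of removed vertices
            adj[head].append(tail)
    seen = {s for s in starts if s in adj}
    queue = deque(seen)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact(line_outages=(), cyber_failures=()):
    """Apply contingencies: remove edges from G_p and vertices from G_c."""
    e_p = E_P - set(line_outages)
    v_c = V_C - set(cyber_failures)
    energized = reachable(V_P, e_p, SOURCES)
    observable = {p for p in V_P
                  if "CC" in reachable(v_c, E_C, {COUPLING[p]})}
    return {"energized": energized,
            "observable": observable,
            # live equipment whose state no longer reaches the control centre
            "blind": energized - observable}


if __name__ == "__main__":
    print(impact(line_outages=[("B1", "B2")]))
    print(impact(cyber_failures=["R2"]))
```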

b: FINITE STATE MACHINE (FSM) MODEL
FSM, or Finite State Automaton, or simply State Machine, is a mathematical model of computation. FSMs are found in many applications that perform a predetermined sequence of actions based on the sequence of events presented to the FSM. At any given time, the FSM is in one state out of a finite number of states. It changes from one state to another when triggered by the inputs: the change from one state to another is called a state transition. There are two types of FSM: Deterministic FSM (DFSM) and Non-Deterministic FSM (NDFSM) [74]. A five-element tuple represents a deterministic FSM: where Q represents the finite set of states, is a finite nonempty input, δ is a series of transition functions, $q_0$ represents the initial state, and F is the set of accepting (final) states. There must be one transition for each state when the input is given from the set . The DFSM is represented in Fig. 8. Similar to the DFSM, the NDFSM is represented by the above five-element tuple. Unlike the DFSM, the NDFSM has multiple transitions for each state for input from the set . Additionally, the NDFSM has a null transition represented by ε, which allows the machine to transition from one state to another without reading the input from the set . The NDFSM is shown in Fig. 9.
In the CPPS, state transitions occur in both physical and cyber systems for different events under different conditions [75], [76]. The FSM generates the State Chart Diagram (SCD) for cyber and physical systems, which represents the dynamic behaviour of the system through state transitions throughout its life cycle. The SCD is used to make the power system operation process clear and visible and to analyze the critical interactions in CPPS qualitatively. In [49], the usual sequential order of the control commands is modelled as   The false sequential logic attack on the SCADA system changes the control commands as $\{t_{i+1}, t_i\}$.
The detailed analysis of how this attack perturbs the behaviour of the physical system can be obtained from the SCD. In [39], the FSM is used to enhance the performance of the aircraft electrical distribution system by reconfiguring the control strategy under different operating conditions and fault scenarios [77]. The advantages of FSM modelling of CPPS are flexibility in modelling the interactions, an easy move from abstract model to code execution, low processor overhead, and easy determination of the reachability of a state.
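A DFSM used as a monitor for the order of control commands, flagging the swapped pair $\{t_{i+1}, t_i\}$ described above, as an added Python example that is not from the paper or from [49]. The switching procedure, state names and command names are hypothetical.

```python
# Constructed DFSM for one switching procedure (line isolation). State and
# command names are hypothetical, not taken from the paper or a real SCADA.
Q = {"ENERGIZED", "BREAKER_OPEN", "ISOLATED", "EARTHED"}          # states
ALPHABET = {"open_breaker", "open_disconnector", "close_earth_switch"}
DELTA = {                                                         # transitions
    ("ENERGIZED", "open_breaker"): "BREAKER_OPEN",
    ("BREAKER_OPEN", "open_disconnector"): "ISOLATED",
    ("ISOLATED", "close_earth_switch"): "EARTHED",
}
Q0 = "ENERGIZED"                                                  # initial state
F = {"EARTHED"}                                                   # accepting states

NORMAL_ORDER = ["open_breaker", "open_disconnector", "close_earth_switch"]


def check_sequence(commands, q0=Q0):
    """Replay a command sequence through the DFSM.

    A (state, command) pair without an entry in DELTA stands for a move to an
    implicit trap state: it is reported and the state is left unchanged, which
    is what a monitor that blocks the command would observe.
    """
    state, violations = q0, []
    for i, cmd in enumerate(commands):
        nxt = DELTA.get((state, cmd))
        if nxt is None:
            violations.append((i, state, cmd))
        else:
            state = nxt
    return {"accepted": state in F and not violations,
            "final_state": state,
            "violations": violations}


def find_swapped_pair(normal, observed):
    """Return i if `observed` is `normal` with commands i and i+1 exchanged,
    i.e. the {t_(i+1), t_i} pattern; otherwise return None."""
    normal, observed = list(normal), list(observed)
    if len(normal) != len(observed):
        return None
    for i in range(len(normal) - 1):
        if normal[i] == normal[i + 1]:
            continue                       # exchanging equal commands changes nothing
        swapped = normal[:i] + [normal[i + 1], normal[i]] + normal[i + 2:]
        if swapped == observed:
            return i
    return None


if __name__ == "__main__":
    # Constructed observed sequence: first two commands arrive in reverse order.
    observed = ["open_disconnector", "open_breaker", "close_earth_switch"]
    print(check_sequence(observed))
    print("swapped pair at index", find_swapped_pair(NORMAL_ORDER, observed))
```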

c: PETRI NET MODEL
The Petri net is a mathematical modelling language for the distributed and parallel system to describe the state changes and transitions that occur in the system. It is a class of discrete-event dynamic system which represents the relationship between events, conditions, and its control behaviour in a large-scale system. The Petri net model is the best suitable language tool to study the interaction phenomena between the continuous nature of the physical system and the discrete nature of the cyber system in CPPS [78], [79]. Petri net is a graph-based model to illustrate the control behaviour of CPPS exhibiting the asynchronous, concurrency, and distributed event characteristics in their operation. The FSM can be converted into the Petri net model and vice versa to investigate the cascading failure in the system [80]. The Petri net model consists of four fundamental components, such as place, transition, arc, and token, as shown in Fig. 10. The place is represented graphically as a circle, transitions as a bar, arcs are directed line segments, and tokens as dots. The places (P) are used to represent the components and their state in CPPS. The transitions (T) consisting of input functions (I) and Output functions (O) are used to describe the discrete events in CPPS that may result in different states. The arcs denote the relationship that exists between the places and transitions. Finally, the tokens are used to define the active state of the Petri net, which forms the marking of the net (MP). VOLUME 8, 2020 The initial marking of places is referred to as MP 0 . Each place has either zero tokens (or) some integer number of tokens. An example Petri net graph is shown in Fig. 11 can be described by the mathematical model using the previous notation as [81]: The cyberattack or cyber intrusion in CPPS is a stochastic event rather than a deterministic event. 
The stochastic event can be modelled by the stochastic Petri net model by introducing a stochastic time-varying delay parameter between the enabling and firing conditions of the state transition mechanism [82]. The analysis of the impacts of cyberattacks on CPPS is based on the tokens in the Petri net model, which are indistinguishable. Therefore, the coloured Petri net (CPN) model is used to analyse and identify the type of cyberattack on CPPS. In CPN, each token is appended with a data value called a token colour, which describes the data type and its complex operations so that the cyberattacks can be detected by a unique identity in the model [83]. A stochastic CPN model is proposed to analyze the cyberattacks on large-scale CPPS and to describe the threat propagation process in CPPS quantitatively [84]. In [85], a hierarchical method for constructing the Petri net model of a large-scale power system is proposed. Many smaller Petri nets are constructed separately for each subsystem by different domain experts.
The Petri net model describing the blackout that occurred in the U.S. and Canada on August 14, 2003, is shown in Fig. 12. It represents a coordinated cyber-attack that occurred initially on the units control system ($P_1$); finally, the propagation of failure causes the Sammis-Star line outage and other transmission line outages in northern Ohio ($P_6$). The main drawback of the Petri net model is that modelling a large-scale CPPS is very difficult because the size of the state space increases, and the computation time increases exponentially with the system size.
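The place, transition, arc, and token notation above can be exercised with a small token-game simulator. The following is an added example, not code from the paper: the six-place net is constructed for illustration (only the meaning of P1 and P6 is taken from the description of Fig. 12; the intermediate places, the transitions T1 to T5 and the arc weights are assumptions).

```python
from collections import deque


class PetriNet:
    """Place/transition net; I and O give the arc weights of each transition."""

    def __init__(self, places, inputs, outputs):
        self.places = list(places)
        self.inputs = inputs      # I: transition -> {place: tokens consumed}
        self.outputs = outputs    # O: transition -> {place: tokens produced}

    def enabled(self, marking):
        """Transitions whose every input place holds enough tokens."""
        return [t for t, need in self.inputs.items()
                if all(marking[p] >= n for p, n in need.items())]

    def fire(self, marking, transition):
        """Return the new marking after firing one enabled transition."""
        if transition not in self.enabled(marking):
            raise ValueError(f"{transition} is not enabled")
        nxt = dict(marking)
        for p, n in self.inputs[transition].items():
            nxt[p] -= n
        for p, n in self.outputs[transition].items():
            nxt[p] += n
        return nxt

    def as_tuple(self, marking):
        return tuple(marking[p] for p in self.places)

    def reachable(self, mp0, limit=10_000):
        """Breadth-first reachability set from the initial marking MP0.

        `limit` caps the explored state space, which grows quickly with the
        size of the net (the drawback noted in the text).
        """
        seen = {self.as_tuple(mp0)}
        queue = deque([mp0])
        while queue:
            marking = queue.popleft()
            for t in self.enabled(marking):
                nxt = self.fire(marking, t)
                key = self.as_tuple(nxt)
                if key not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("state-space limit exceeded")
                    seen.add(key)
                    queue.append(nxt)
        return seen


# Constructed net. P1: unit control system attacked, P6: line outages.
# P2..P5 are assumed intermediate states (generation trip, two overloaded
# lines, tripped lines); they are not taken from Fig. 12.
PLACES = ["P1", "P2", "P3", "P4", "P5", "P6"]
INPUTS = {"T1": {"P1": 1}, "T2": {"P2": 1}, "T3": {"P3": 1},
          "T4": {"P4": 1}, "T5": {"P5": 2}}          # T5 needs both lines out
OUTPUTS = {"T1": {"P2": 1}, "T2": {"P3": 1, "P4": 1}, "T3": {"P5": 1},
           "T4": {"P5": 1}, "T5": {"P6": 1}}
NET = PetriNet(PLACES, INPUTS, OUTPUTS)
MP0 = {"P1": 1, "P2": 0, "P3": 0, "P4": 0, "P5": 0, "P6": 0}


def can_reach_outage(marking):
    """True if some firing sequence from `marking` puts a token in P6."""
    return any(m[-1] > 0 for m in NET.reachable(marking))


if __name__ == "__main__":
    for m in sorted(NET.reachable(MP0), reverse=True):
        print(dict(zip(PLACES, m)))
    print("outage reachable from MP0:", can_reach_outage(MP0))
```

T3 and T4 are concurrently enabled after T2 fires, so the reachability set contains both interleavings; this is the source of the state-space growth mentioned above.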

d: NETWORK ATTACK MODEL
In the last decade, the CPPS has been adopting more advanced ICTs to improve the operating efficiency and reliability of the system. The ICTs are more vulnerable to cyber-attacks launched by malicious insiders or national cyber attackers and therefore cause serious cybersecurity problems in the CPPS. A cyber-attack on CPPS refers to attack behaviours that perform an organized action of tracking the communication network or control commands without permission and exploiting the vulnerability of the system to destroy or limit its function. These cyber-attacks degrade the smart grid performance and lead to system blackouts. Due to the complex interaction characteristics between the physical and cyber systems, the failure of the cyber network creates serious consequences in the physical system. The behaviour of the CPPS may be changed by network attacks, which put the system in an unsafe condition that damages it. Therefore, it is necessary to review the different types of cyber-attack models for CPPS to analyze the impacts of cyber-attacks and their consequences in weakening CPPS functions such as the safety, stability, and economy of the system through modelling and simulation approaches. The cyber-attack model helps to understand and evaluate the resilience of CPPS against cyber-attack. Power system engineers use this model: i) to identify the problem at the level of component and subsystem and respond to the cyber-attack on CPPS in advance; ii) to improve situation awareness and protect the CPPS from future cyber-attacks; iii) to evaluate the security status of the cyber domain of the power grid; and iv) to design and develop more resilient CPPS. The following section presents the different types of network attack modelling in CPPS.

2) ATTACK TREE
The attack tree shows all the possible paths for cyberattacks in the power system in a graphical manner. It helps to present the different ways of cyber network intrusion and describes the process of cyber-attack structurally and intuitively [86], [87]. The vulnerability and risk assessment of critical parts of the CPPS can be done by the attack tree method [88], [89]. In [86], the attack tree model was deployed to construct the cyber-physical threat model with respect to the power system contingencies. However, the attack tree method is suitable only for modelling a restricted type of attack and is not suitable for modelling simultaneous attacks or coordinated attack scenarios on multiple components. In [90], the attack tree is transformed into the Stochastic Petri Net (SPN) model for the effective capturing of the network attack. Fig. 13 represents the attack tree for smart grid applications [91]. Level 1 represents the constant power delivery to the customer without any disturbance. Level 2 represents the physical system consequences that lead to the power grid blackout; for instance, changes in the reference values of the exciter and prime mover into abnormal values. Level 3 represents the cyberattacks on CPPS that lead to physical consequences. By compromising the SCADA and Remote Terminal Unit (RTU), the attacker controls the exciter and prime mover, affecting the power generating system. Finally, level 4 represents the attack technique used to perform the attack.

3) ATTACK GRAPH
The attack graph represents the behaviour of an attacker and explores the different ways that the attacker can exploit the system vulnerabilities to attain the desired state. An attack graph consists of a collection of attack scenarios in computer networks, where each scenario represents the sequence of actions performed by an attacker to intrude into the system with a particular goal such as service interruption, access to a confidential database, or access to the main host. This model utilizes the information of the network topology and calculates the probability of a flaw that can be identified by an attacker to implement the intrusion and penetration. The system operator uses attack graphs to identify suitable security measures to defend their systems. If the size of the network is increasing, an automatic generation method is applied by the attack graph model to identify the network flaws for modelling large-scale complex network attack behaviour. The attack graph model is used to perform the security assessment for the power systems control unit [92]. The automatic generation method is combined with an attack graph model to quantitatively evaluate the impact of cascading failures in the CPPS [93]. The Bayesian attack graph model is used to assess the attack procedure and the likelihood of compromise of the cyber components in smart grid systems with the consideration of uncertainty in cyber-attacks [94]. The attack graph model helps operators analyze the patterns of sequential cyber topological attacks and identify the critical cyber-attacks, so that cascading outages can be avoided in the CPPS [267]. The attack graph serves various applications such as intrusion detection, security defence, network security, and forensic analysis. Overall, it gives a bird's eye view of every attack scenario in CPPS that can lead to a critical security breach.
The advantage of the attack graph is that it takes into account local vulnerabilities through interaction effects and global vulnerabilities through interconnection effects, which makes it very useful for security analysis of power control systems. The calculation of system vulnerabilities based on the connection model of the attack graph is shown in Fig. 14. The connection model of the attack graph includes serial, parallel, and series-parallel complex. Table 2 highlights the main characteristics of different schemes in attack graph modelling for cyber-physical systems, and Table 3 presents the detailed taxonomy of network attack models [98], [114].
The vulnerability function of the state (S) transfer is defined as:

where $c$ represents the equivalent cost of attacks, $C$ represents the equivalent cost of attacks after achieving the objective, and $\lambda$ represents the vulnerability factor, which expresses the difficulty level of a successful attack [92]. The state transfer (cyber-attack) becomes more complicated when $\lambda$ becomes smaller. If the value of the function $P_v(c)$ becomes bigger, the vulnerability of the target system becomes bigger; therefore, the probability of successful cyber-attacks on CPPS becomes higher. The mathematical model of vulnerabilities is defined as follows:

a) Serial model:
$P_s(c) = P(C_1 + C_2 + \dots + C_n \le c)$, where $\forall i = j \rightarrow \lambda_i = \lambda_j$, $n \ge 2$.

c) Series-Parallel complex model:
Traversing through all the paths from the initial state to the target state, each and every feasible path is a serial model, and the calculation between each feasible path from the initial state to the final state is treated as a parallel model.
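The series-parallel traversal described above can be carried out numerically. The following is an added example, not code from the paper or from [92]; it assumes that the attack cost of each state transfer is exponentially distributed with rate λ, so that a single step has P(C ≤ c) = 1 − e^{−λc}, and that a parallel combination succeeds when its cheapest path costs at most c. The graph, its state names and the λ values are constructed.

```python
import math
import random


def all_paths(edges, start, goal):
    """Yield every loop-free path from start to goal as a tuple of edges."""
    def walk(node, visited, path):
        if node == goal:
            yield tuple(path)
            return
        for (u, v) in edges:
            if u == node and v not in visited:
                yield from walk(v, visited | {v}, path + [(u, v)])
    yield from walk(start, {start}, [])


def single_step(lam, budget):
    """Assumed single state-transfer vulnerability: 1 - exp(-lam * budget)."""
    return 1.0 - math.exp(-lam * budget)


def success_probability(edges, start, goal, budget, trials=20_000, seed=1):
    """Monte Carlo estimate of the series-parallel vulnerability.

    Each trial draws one cost per edge. A path is a serial model (its cost is
    the sum of its edge costs); the paths are combined as a parallel model
    (the attack succeeds if the cheapest path fits the budget). Drawing edge
    costs once per trial keeps paths that share an edge correlated, which a
    product of independent path probabilities would ignore.
    """
    paths = list(all_paths(edges, start, goal))
    if not paths:
        return 0.0
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        cost = {e: rng.expovariate(lam) for e, lam in edges.items()}
        if min(sum(cost[e] for e in path) for path in paths) <= budget:
            hits += 1
    return hits / trials


# Constructed attack graph: edge -> vulnerability factor lambda.
# S0 is the initial state and S3 the target state; a smaller lambda means a
# harder state transfer.
GRAPH = {
    ("S0", "S1"): 1.0,
    ("S1", "S3"): 0.5,
    ("S0", "S2"): 0.4,
    ("S2", "S3"): 0.8,
    ("S1", "S2"): 1.5,
}

if __name__ == "__main__":
    for path in all_paths(GRAPH, "S0", "S3"):
        print(" -> ".join([path[0][0]] + [v for _, v in path]))
    for c in (1.0, 2.0, 3.0, 4.0):
        p = success_probability(GRAPH, "S0", "S3", c)
        print(f"budget c={c:.1f}: P(success) ~ {p:.3f}")
```

Hardening one state transfer corresponds to lowering its λ; rerunning the estimate shows how much the overall vulnerability drops for a given attacker budget.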

4) STATE TRANSITION DIAGRAM
In this model, the behaviour of an attack is modelled as a Markov decision process (model checking prediction method) similar to the methods based on attack graphs. In the Markov process, the states are unobservable (hidden); hence we cannot observe the state of the model directly, but the output of the model depends on the current state. The Markov model predicts the attack behaviour considering the probability of the state transition of the system under different attack behaviours for evaluating the system vulnerabilities [30], [117]. This model describes all the types of attacks and meets the detection requirements of CPPS. Also, the multiple system states, the attack behaviour that leads to a change in the system state, and the changing trend in the system states can be captured clearly and exactly by using this model. Markov models are well suited for intrusion detection and attack prediction even in the case of unobservable states and transitions and do not require the complete state information of the system. Fig. 15 shows an example of a Markov model for attack prediction, which is visualized as a graph [118]. It represents four states of attack progress from a normal state to a successful compromise (cyber-attack). The attack sequence consists of different classes such as enumeration, host and service probing, exploitation, etc. Based on the attack sequences, we can predict the next state of an attacker and can find the most likely path from the present state. From the most likely path, the actions of the attacker can be predicted, and a probability threshold is assigned for each attack path to avoid false positives, so that the lowest-probability paths are discarded and not evaluated for further actions.
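The prediction step described above (next state, most likely path, and threshold pruning) is illustrated by the following added example, which is not code from the paper or from [118]. It assumes a first-order Markov chain over four observed states, which is simpler than a hidden-state model; the state names and the training sequences are constructed, since the values of Fig. 15 are not given in the text.

```python
from collections import Counter, defaultdict


def estimate_transitions(sequences):
    """Maximum-likelihood transition probabilities from state sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {state: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for state, row in counts.items()}


def predict_next(P, state):
    """Most probable next state and its probability (None if absorbing)."""
    row = P.get(state)
    if not row:
        return None
    nxt = max(row, key=row.get)
    return nxt, row[nxt]


def likely_paths(P, start, goal, threshold):
    """Loop-free paths from start to goal with probability >= threshold.

    A branch is abandoned as soon as its running probability falls below the
    threshold; probabilities only shrink along a path, so nothing that would
    pass the threshold is lost. Results are sorted, most likely first.
    """
    found = []

    def walk(state, path, prob):
        if prob < threshold:
            return
        if state == goal:
            found.append((prob, path))
            return
        for nxt, p in P.get(state, {}).items():
            if nxt not in path:
                walk(nxt, path + [nxt], prob * p)

    walk(start, [start], 1.0)
    return sorted(found, key=lambda item: -item[0])


# Constructed alert sequences, one per observed session. "recon" stands for
# the enumeration and host/service probing classes named in the text.
SEQUENCES = [
    ["normal", "recon", "recon", "exploit", "compromise"],
    ["normal", "recon", "exploit", "normal"],
    ["normal", "recon", "normal"],
    ["normal", "exploit", "compromise"],
    ["normal", "recon", "exploit", "compromise"],
]
P = estimate_transitions(SEQUENCES)

if __name__ == "__main__":
    print("next after recon:", predict_next(P, "recon"))
    for prob, path in likely_paths(P, "normal", "compromise", threshold=0.2):
        print(f"{prob:.2f}  {' -> '.join(path)}")
```

With a threshold of 0.2 only the path through reconnaissance is kept for further evaluation; lowering the threshold to 0.1 also admits the direct exploitation path.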

5) MECHANISM MODEL
The combination of continuous event dynamic behaviour system and discrete event static behaviour system, the mixture of energy flow and information flow, and the interactions between the cyber and physical systems in CPPS can be analysed by using the mechanism models.

a: ANALYTICAL MODEL
In the CPPS, both power devices and cyber devices are energized by independent power supplies for reliability considerations. The interaction characteristics between the cyber and physical systems in CPPS are influenced by the impacts of cyber network reliability, i.e., its influence on the power measurement signals and control signal information. If an attacker initiates an attack, for example a false data injection attack, the attacker can control the IEDs, RTU, SCADA, etc. and tamper with the critical information about the status of the power grid through synchronized measurement data, oscillatory monitoring results, electricity regulation pricing, state estimation reports, etc. In the analytical model framework, the cyber network failure is generally considered as a data fluctuation (bad data, outlier, missing data, etc.) relevant to some function of the power system, and a specific power system application analysis is implemented corresponding to the changes in measurement information of CPPS. Table 4 lists some analytical models of power system applications under cyber-attacks.
The PMU is a device used to estimate the real-time voltage and current phasor values of CPPS using a common time source through a Global Positioning System (GPS) for synchronization. The PMU is an essential element in the Wide-Area Measurement System (WAMS) of CPPS for monitoring, protection, and control applications. Using the phasor values (magnitude and angle of voltage and current), we can capture the wide-area snapshot of the CPPS and the real-time behavior of the power system. The applications of PMU in power systems are voltage stability monitoring, oscillation stability analysis, state estimation, wide-area monitoring and control, var optimization, blackout analysis, real-time electricity pricing, transmission line fault detection, etc.
Using the time-synchronized data from PMU, we can build the analytical model and analyze the impact of cyber network attacks on the function module [119]. The analytical model can also be built to analyze the tampered data on power system measurements on voltage stability, Automatic Generation Control (AGC), and power system frequency control [120], [121]. Besides, the analytical model can also be used to assess the loss of revenue quantitatively when the confidential data is tampered from the power system measurements by setting the analytical model to parameters such as the electricity price information and revenue of the power system operator [122].
In CPPS, the actual data is first gathered in the WAC centre. After the state estimator performs the data cleansing operation and removes the ambient disturbances, the corresponding data is used by the other advanced power system applications. The advanced cyber-attacks performed by the attacker easily bypass the bad data detection and identification module of the state estimator, which can eliminate only ambient disturbances. The false data injection attack effectively bypasses the intrusion monitoring and detection system and tampers with the confidential data coming from the state estimator. This impacts the performance of the power system application module, which is solely based on these data sources. By developing the analytical model for CPPS state estimation, the impacts of cyber-attacks on state estimation results can be assessed quantitatively [123], [124], and the performance of the function module can be evaluated quantitatively based on these changes in the state estimation results. Regarding cyber-attacks, the state estimation model can use both the AC power flow and the DC power flow. In the case of the AC power flow model, the process takes more time and does not converge to the optimal global solution [69], [125], [126]. Comparing the results of AC power flow with DC power flow in the state estimation model for cyber-attack analysis indicates that an attacker using the DC model for a specific type of false data injection attack at the RTU level introduces more errors in the measurements, which triggers the bad data monitoring and detection mechanism. But in the case of the AC power flow model, the non-linear equations of the state estimation model are robust to this type of attack, which is advantageous to the system operator only if the attacker does not know the system data, which would allow the attacker to perform the attack analysis. If an attacker is well aware of the system data, then the attacker could execute an attack that goes unnoticed by AC state estimation [127].

b: DYNAMIC SYSTEM BASED MODELS
In the CPPS stability analysis, the physical system is modelled by differential equations with energy flow, and the cyber system is modelled by difference equations with information flow. The perturbation effect on the physical system from the cyber system is modelled by the stimulant of the generator states (frequency and angle) in the rotor swing equation of the generator. In [126], an attacker constructed the attack vector for a stealth cyber-attack to control the synchronous generator in the cyber-controlled Distributed Energy Resources (DERs) to continuously maintain the physical instability of the smart grid. The CPPS can be modelled as a closed-loop dynamic system by constructing the dynamic models of the power system components such as the exciter, power system stabilizer, prime mover, synchronous generator, High Voltage Direct Current (HVDC) and FACTS devices, with an interaction between information flow and energy flow. The closed-loop system analysis is performed for WADC of CPPS. It utilizes the measurements from PMU, but the communication delays between the PMU and the control centre are significant, which affects the CPPS stability. In [127], [128], the authors have utilized the delay-dependent stability analysis method for eigenvalue analysis of CPPS. The CPPS is modelled by the directed graph method, and using the dynamic system equation, the state information of each power node is determined [73]. If cyber-attacks are triggered in CPPS, the state variation of the power node can be evaluated by numerical simulation.

c: VARIABLE STRUCTURE SYSTEM MODEL
The status of the circuit breaker switches decides the topology of CPPS. If the attacker attacks the power system switches, the topology of the power grid is changed continuously, and its dynamics depend upon the value of the switching signals. The variable structure theory is used to identify the weakness of the CPPS when the switching attack signals reconfigure the grid. It captures the interactions between the cyber and physical systems in CPPS effectively and demonstrates how the switching vulnerability disrupts the operations of CPPS within a short period. Fig. 16 shows that when the power system switch changes its position between $Z_1$ (load 1) and $Z_2$ (load 2), it stimulates the effect of changing the system dynamics between $f_1(x, t)$ and $f_2(x, t)$, respectively [129].
In [130], the authors have demonstrated the distributed smart grid attack on CPPS to destabilize the power system components using variable structure system theory. The attacker controls multiple circuit breakers within a power system through cyber intrusion to destabilize the synchronous generator by state-dependent breaker switching. They utilize the localized state information to identify the sliding surface of the CPPS and then destroy the stability condition of a particular sliding mode, which triggers the transient instability condition of the targeted synchronous generator. The attacker intrudes through a single breaker and then reaches multiple and coordinated switch-case attacks, which leads to a stealthier and wide-area cascading failure. In [32], the authors have designed the optimal partial feedback based switching data injection attacks for CPPSs. The goal of an attacker is to manipulate the control signals and alter the attack locations persistently to degrade the CPPS performance with a minimum cost. Using convex relaxation and Pontryagin's maximum principle, the authors have proved that for all the optimal switch inputs a switching condition can be derived to select the optimal attack locations.

d: MULTI-AGENT SYSTEM MODEL
With the increasing number of integrations of DERs into CPPS, the distribution characteristics of the CPPS become very clear, the power system operators exchanging the data among them very, and the control scheme becomes of great significance. The traditional centralized mode of control is very difficult and inefficient for controlling the different types of DERs in the CPPS. The centralized control scheme requires the complete mathematical model of the CPPS. With the continuous expansion of the modern CPPS, a single centralized controller designed for various DERs can fail, and since there are no other sources to control the system, the CPPS becomes unstable. The cost of implementing the centralized controller is very high [16]. This motivates the development of a multi-agent-based control for CPPS, which solves the cooperative optimization problem of integrating various DERs into CPPS. In the multi-agent system model, each physical entity is monitored by an agent, which communicates with other agents to interchange information and attain the common objective.
In [131], the authors had investigated the goal-based Holonic Multi-Agent System (HMAS) for optimal operation of CPPS by reactive power control method at solar photovoltaic installations. Using the same HMAS, the state estimation of CPPS can also be performed by leveraging the different measurements from smart meters. In [132], the authors have presented the multi-agent-based security enhancement of protection schemes in CPPS by detecting and identifying the cyber threats on protection systems of power grids. The multi-agent model utilizes the properties of physical and cyber systems in CPPS to distinguish the cyber-attacks from the physical faults and thereby to improve the cybersecurity and stability. In [55], the authors have proposed the multi-agent-based cyber-physical control framework for transient stability enhancement. In this framework, a cyber-physical delay resilient controller is designed, which adapts its structure depending on the value of latency and the state of the cyber component in CPPS. In [133], the authors have investigated the application of a distributed averaging based integral (DAI) controller for CPPS. The uncertainties of the cyber and communication layer and their effect on robustness and performance were considered. Based on these uncertainties, a delay-dependent condition for robust stability of DAI controlled CPPS concerning communication delays, link failures, and packet loss is derived.

6) PROBABILISTIC MODEL
The probabilistic models are classified into two types, such as uncertainty model and the game-theoretic model. In CPPS, both physical and cyber systems events are probabilistic in nature. These events occurring in the physical and cyber systems cannot be narrated exactly. In such a situation, the uncertainty model can be used to describe the behaviour of CPPS. Meanwhile, the CPPS operation involves various stakeholders, making important decisions under uncertain conditions. If the interactions exist among the multiple decision-making stakeholders for the operation of CPPS, each one of them implements their strategy for their benefits depending upon the existing information. The game-theoretic type models are used to describe this kind of probabilistic situation.

a: UNCERTAINTY MODEL
The interactions between the physical and cyber systems in CPPS are uncertain, which includes the direct and indirect impacts of cyber system unreliability through cyber-attacks on power systems [137] as well as through the malfunctioning of the cyber systems [135], [138], [139] in wide-area monitoring and protection systems. The degradation of the performance of the cyber system may be due to many reasons such as failure of power source to cyber systems, time synchronization error among the cyber systems, breakdown of ICTs and improper configuration of SCADA, etc.
The cyber systems can be modelled by three methods, namely the Reliability Block Diagram (RBD) method, the discrete Markov Decision Process (MDP), and the Semi Markov Process (SMP). The RBD method is a practical method for constructing the reliability model for cyber systems. In [134], the RBD method is used to calculate the cyber system reliability quantitatively, and a multi-state Markov chain method is used to analyze the effects of cyber system failures on the power system components. In [30], the cyber-attacks are modelled by the discrete MDP, which generates all the possible attack scenarios. The attacker uses the same Markov process to perform the state transition. Once it is successful, the attacker gets the rewards with a certain probability. The current security state of the system is then estimated using this Markov process model combined with cyber intrusion and detection system alerts. In [117], the cyber-attacks on SCADA systems are modelled as SMP. In addition to that, the time delay and time-varying delay in the communication system, including the traffic delay with Probability Distribution Function (PDF), minimum deterministic delay, and processing delay with PDF, are adopted deeply into the modelling of the communication system [18]. In [134], the impacts of cyber layer failure (protection and monitoring failure) are added to the reliability evaluation of the power system components. A multi-state Markov chain model is used to build the structure of electrical components considering the topology of the cyber layer with its reliability functions and actual protection and monitoring strategies simultaneously. From the complete model of CPPS, the reliability information of each component and subsystem in CPPS is collected. Then the probability table (P-Table) is used to express the system reliability [137], [138], and the state transition diagram is used to model the state transition probability of each component in the CPPS [135], [139].
In addition to that, a Bayesian structure can also be used for reliability assessment of CPPS by Bayesian network probabilistic reasoning [136].

b: GAME-THEORETIC MODEL
In recent years, cyberattacks on the physical power system have attracted increasing attention worldwide. The attackers target the ICTs of CPPS through cyberattacks, and the defenders try to protect the power system using a cyber-attack detection and mitigation scheme. The attack detection and mitigation game-theoretical model is used to model the cyber-physical interaction process and is also applied for risk, vulnerability, and threat analysis. The defenders involved in the operation of CPPS make their decisions for their benefits in a competitive situation by allocating limited resources. The competitive relationship among the participants of CPPS can be modelled as a Colonel Blotto Game [117], Zero-Sum Game [142], and Stochastic Game [141]. In [143], the authors investigated the vulnerability analysis of CPPS under terrorist threat, assuming the attacker knows the complete information about CPPS. The problem is formulated as a mixed-integer nonlinear bilevel program with upper and lower level optimization. In the upper level of optimization, the terrorist tries to maximize the damage to the power systems, which is measured in terms of the level of load shedding. On the other hand, in the lower level of optimization, the power system operator tries to minimize the damage by optimal operation of the power system and is capable of modifying the network topology in case of severe cyber-attacks. In [144], the authors analysed the bi-level model of coordinated cyber-physical attacks on power systems. This two-step cyber-attack comprises topology-preserving attacks and load redistribution attacks, ensuring that the bad data measurements are undetectable. In [145], the authors investigated the security assessment of electricity distribution networks with vulnerable DER nodes. The game-theoretical model is used to model a 3-stage defender-attacker-defender (DAD) trilevel optimization problem.
In stage 1, the defender chooses the cybersecurity measures to secure a subset of DERs node; in stage 2, the attacker compromises the vulnerable DERs nodes, and, in stage 3, the defender responds by taking a controlling action by the rescheduling of loads [146].
From the past research works, the game-theoretic model assumes that the level of attacker and defender are the same, and that their actions are also similar. Practically, this assumption is invalid; the attacker observes the defender's cybersecurity framework and then decides the attack countermeasures. This asymmetric behavior between the attacker and defender can be modelled as a static infinite Stackelberg game-theoretic model [147]. Using this model, the interactions between the different security agents can be represented in the cyber layer, and for the physical layer, the full-information H-infinity min-max control with packet drops is modelled by the Stackelberg game model. In the dynamic attack detection and mitigation scheme, the game is not finished at once, and the attack persists many times using the same attack structure. In this regard, the attacker's history is recorded and analysed, and decisions can then be taken based on the attacker's actions. This process continues as long as the attacker and defender are opposed to each other in their long-term interest. This interaction between cyber attackers and physical defenders can be modelled as an iterated game model in CPPS, where the results are completely different from the one-time game [140]. Almost all the previous game-theoretical model analyses assume that the control is optimal and the physical systems dynamics model is accurate. In CPPS, the dynamics of the physical systems are usually modelled by differential equations with energy flow, and the cyber systems are modelled by difference equations with information flow. In [126], the authors have proposed a differential game-theoretic model to demonstrate the worst-case attack by an attacker to disrupt the transient stability of CPPS by leveraging the control over DERs, with the consideration of full dynamics of the power system.

7) SIMULATION MODEL
The continuous nature of the physical system and the discrete nature of the cyber system complicate the research in CPPSs. The simulation model supports the power system operators in realizing the integrated modelling of the dynamic behaviour of the continuous system and the static behaviour of the discrete system. The software used for building the simulation model of the power system is discussed in detail in Section III.

C. CPPS INTERDEPENDENT MODELLING (DEGREE OF PHYSICAL AND CYBER SYSTEMS DEPENDS ON EACH OTHER)
The CPPS consists of a large number of physical devices and cyber devices which form a large-scale interdependent complex system. The interface relationship between the cyber and physical devices is modelled as interdependent modelling of CPPS, which changes over time. The interdependent CPPS is divided into a three-layer structure, namely the physical layer, cyber layer, and interface-mapping layer, as shown in Fig. 17. The physical layer nodes represent the generator, transformer, substation, etc., and the transmission lines in the electric power grid network are represented as physical layer edges. The cyber layer nodes are composed of computational systems, communication equipment, and control algorithms, whose main function is to monitor and control CPPS. The network edges represent the communication links between the cyber nodes. There are two types of interdependencies in CPPS based on cyber layer nodes, namely one-to-one interdependency and one-to-multiple interdependency [148]. In the one-to-one interdependency, each physical node is monitored (sensing the status of the physical node) and controlled (issuing the control commands) by a single cyber node [149]. Then the control centre collects the information from the distributed cyber nodes. In the one-to-multiple interdependency, each physical node is monitored by more than one cyber node, which is very useful for securing the data against cyber-attacks [150].
In [151], the interdependent modelling of CPPS is used to analyze the effects of cyber-attack and defense in smart city applications. A smart city integrates several interdependent CPS that operate in a coordinated manner to achieve the global objective of the city's residents. These large-scale interdependent CPS are more vulnerable to cyber-attacks due to these interdependencies, which can lead to cascading failures and serious effects on the city. A novel approach is proposed to allocate the security resources for the various cyber components of an interdependent CPS to protect the system against cyber-attacks. In case the attacker is not aware of the CPS interdependencies, the defender can have a higher payoff compared to the case in which the attacker knows the complete information. In [152], a realistic model called HINT (Heterogeneous Interdependent NeTworks) is proposed to study the evolution of cascading failures in the interdependencies between the power grid and the communication network, taking into account the heterogeneity of the networks as well as their complex interdependencies. Using this model, the failure propagation is accurately forecasted and the network robustness is improved. A quantitative analysis of the impact of interdependency on power system vulnerability is proposed in [153], considering the strong coupling between the power grid and the communication system. A reliability model of the smart grid is developed considering the cyber-physical interdependencies among the components, and it is shown that a flawed cyberinfrastructure results in lower reliability of the smart grid compared to the conventional power grid with less advanced control [154]. In [268], based on the interdependence between the cyber and physical networks, a risk area prediction model for CPPS is developed using a dependent Markov chain.
Then the crossadaptive gray wolf optimization algorithm is utilized to optimize the prediction model to accurately reflect the actual system risk propagation process. In [155], based on the network interdependencies relation and physical layer operation, the modelling of cascading failures and its mitigation in the CPPS is presented. The CPPS is modelled as an interdependent complex network-based model incorporating the physical layer power flow analysis, cyber layer information, edge capacity checks, delay analysis, transmission analysis, and indirect interaction mechanism between the two layers. The physical and cyber layer usually operates without the interdependencies from the other. Since the two layers are different in topology and operational relations, it is necessary to consider the interdependency effect and should apply the mitigation strategies simultaneously in both layers.
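The following Python sketch is an added illustration, not code from any of the cited works. It applies the three-layer structure described above to a constructed six-bus system and iterates node failures to a fixed point, comparing one-to-one with one-to-multiple monitoring under the same cyber node outage. The topology, the node names, and the survival rules (a bus needs a path to a generator and at least one live monitoring cyber node; a cyber node needs power from its bus and a path to the control centre) are assumptions.

```python
from collections import deque

N = 6  # constructed toy system: six buses P0..P5 and six cyber nodes C0..C5

MODEL = {
    # Physical layer: radial feeder P0-P1-...-P5 with one generator at P0.
    "phys_nodes": [f"P{i}" for i in range(N)],
    "phys_edges": [(f"P{i}", f"P{i + 1}") for i in range(N - 1)],
    "generators": ["P0"],
    # Cyber layer: communication ring C0-C1-...-C5-C0, control centre at C0.
    "cyber_nodes": [f"C{i}" for i in range(N)],
    "cyber_edges": [(f"C{i}", f"C{(i + 1) % N}") for i in range(N)],
    "control_centre": "C0",
    # Interface mapping, cyber -> physical: bus that powers each cyber node.
    "power": {f"C{i}": f"P{i}" for i in range(N)},
}

# Interface mapping, physical -> cyber: which cyber nodes monitor each bus.
ONE_TO_ONE = {f"P{i}": {f"C{i}"} for i in range(N)}
ONE_TO_MULTIPLE = {f"P{i}": {f"C{i}", f"C{(i + 1) % N}"} for i in range(N)}


def reachable(sources, edges, allowed):
    """Return the nodes of `allowed` reachable from any source in `allowed`."""
    adjacency = {node: set() for node in allowed}
    for a, b in edges:
        if a in allowed and b in allowed:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen = {s for s in sources if s in allowed}
    queue = deque(seen)
    while queue:
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def cascade(model, monitors, failed_cyber):
    """Propagate an initial cyber outage through both layers to a fixed point.

    Returns (surviving physical nodes, surviving cyber nodes).
    """
    failed_cyber = set(failed_cyber)
    phys_alive = set(model["phys_nodes"])
    cyber_alive = set(model["cyber_nodes"]) - failed_cyber
    while True:
        # Cyber node survives if not attacked, powered, and linked to control.
        powered = {c for c in model["cyber_nodes"]
                   if c not in failed_cyber and model["power"][c] in phys_alive}
        new_cyber = reachable([model["control_centre"]],
                              model["cyber_edges"], powered)
        # Bus survives if some monitor is alive and a generator is reachable.
        observed = {p for p in model["phys_nodes"] if monitors[p] & new_cyber}
        new_phys = reachable(model["generators"], model["phys_edges"], observed)
        if new_phys == phys_alive and new_cyber == cyber_alive:
            return phys_alive, cyber_alive
        phys_alive, cyber_alive = new_phys, new_cyber


if __name__ == "__main__":
    for label, mapping in (("one-to-one", ONE_TO_ONE),
                           ("one-to-multiple", ONE_TO_MULTIPLE)):
        for outage in ({"C2"}, {"C2", "C3"}):
            phys, cyber = cascade(MODEL, mapping, outage)
            print(f"{label:16s} outage={sorted(outage)} "
                  f"buses alive={sorted(phys)} cyber alive={sorted(cyber)}")
```

In this toy system a single cyber outage under one-to-one monitoring propagates across both layers, whereas redundant monitoring absorbs it; the redundancy is exhausted once both monitors of the same bus are lost.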
The cyber-physical coupling failure in the strongly interdependent CPPS increases the risk of smart grids when the remedial control for physical outages fails due to a simultaneous cyber-side failure. In this situation, to enhance the robustness of smart grids against possible cyber-physical coupling failures, the critical information about the CPPS should be transmitted through a reliable path to ensure its accessibility. A CPS robust routing model with cyber-physical sensitivity-based information flow is proposed. It improves the performance and robustness of power flow corrective control in comparison with the conventional shortest-path-based routing model [156].

III. SOFTWARE TOOLS FOR MODELLING AND SIMULATION OF CPPS
The CPPS is a complex system with the large-scale integration of renewable sources (e.g., PV, Wind), Controllable Loads (e.g., Smart Building, Electric Vehicle (EV), Batteries, Heat Pumps, etc.), Digitization of Power System (e.g., AMI), Multi-domain grid (ICT, Heat, Gas, Electricity) with strong interconnection and interaction effects. The efficient operation of CPPS depends upon the close interactions between the power system and cyber systems [157]. A holistic approach for CPPS is needed for a comprehensive analysis of interdependent subsystems. The inclusion of the cyber system model with the power system model is important for the analysis of complex CPPS involving the dynamics of both the systems for reliable power delivery to the critical infrastructure [158]. The individual domain of the CPPS can be modelled and simulated by continuous-time based power system simulation tools and discrete-event based cyber system simulation tools, as listed in Table 5. However, the CPPS necessitates an integrated system design for an in-depth analysis of the interdependencies of ICTs and power systems, which can be done by the co-simulation tools.
The co-simulation framework involves the joint simulation of simulations in the power system domain and the cyber system domain in a holistic test-case. It shows the realistic behavior of CPPS in faulty and extreme conditions with strict considerations on latency and stability. Using the co-simulation tool, we can understand the impact of cyberattacks on the physical power system operation, whereas the independent simulation tool supports either the communication network or the power system but not both together. Thus, the cyber-physical co-simulator supports exploring the effects of cyber-attacks on power system dynamics and operation. The cyber-physical co-simulation tools listed in Table 5 are useful for the assessment of the cyber-physical security for CPPS, which simulates the power system and communication system together. This tool identifies the vulnerable states of CPPS, bad measurements, and then aids the power system operator at the control center to take appropriate actions to minimize the effect of the cyber-attack on smart grid operation.
Many industrial-grade software tools are available for electric power system and cyber system simulation, as listed in Table 5. A wide range of power system simulation tools are available for various aspects of power systems, and the cyber systems are generally modelled as a computer network for simulation purposes; therefore, network simulation tools are used for cyber system simulation. The researchers can use the open-source simulators for CPPS, e.g., OMNeT++, NS-2, and NS-3, or commercial simulators, e.g., OPNET.
In [159], the researchers developed a co-simulation framework by combining OpenDSS and OMNeT++ for power system simulations and communication networks to examine the wide-area monitoring and control applications. In [160], a co-simulation framework is developed for simulating the power routing algorithm in microgrid application by combining OMNeT++ with Real-Time Digital Simulator (RTDS). In [161], the authors presented an event-driven co-simulation scheme utilizing the network simulator NS2 and OpenDSS for simulation of CPPS. In [162], the co-simulation environment INSPIRE (Integrated Co-simulation of Power and ICT systems for Real-Time Evaluation) with high-level architecture is proposed for realizing a combined simulation of both ICT and power systems. It focuses on analyzing the real-time performance of wide-area monitoring, protection, and control (WAMPAC) applications. It applies a co-simulation of a continuous time-based power system simulator (DIgSILENT PowerFactory), a communication network simulator (OPNET), and continuous time-based WAMPAC applications modelled in MATLAB, JAVA, GNU R, and C++. In [163], an information flow-based co-simulation model is proposed to analyze the interdependencies between information and energy flows and to obtain the quantitative relation between them. Using this quantitative relation, the planning and operation of cyber systems are performed. In [164], the co-simulation platform utilizes OpenDSS and OPNET as power system simulator and cyber network simulator for testing different communication technologies. Based on DIgSILENT Power Factory as a power system simulator and OMNeT++ and INET framework as a cyber network simulator, a co-simulation environment is developed in [165] for analyzing the impacts of communication delay and failure. Another co-simulation environment named Greenbench is presented in [166], which utilizes PSCAD and OMNeT++ for power and cyber system simulation to evaluate the impact of data-centric threats. In [167], a power system and communication network co-simulation framework is proposed using a global event-driven mechanism (GECO) with the PSLF and NS2 simulators. It improves the practical investigation of the smart grid and enhances the wide-area measurement and control schemes. MATLAB Simulink and OPNET are integrated to study the ICT impacts on the reliability of WAMS applications [168]. In [169], the Virtual Test Bed (VTB) software is integrated with OPNET, called VPNET, for simulating the remotely controlled power electronic devices in the system. The electric power and communication synchronizing simulator (EPOCHS) [170] is a combination of PSLF (commercial electric simulator) and NS-2 (open-source communication network simulator) used for most of the smart grid co-simulation applications. EPOCHS is used to understand the impacts of a communication system on a smart grid relevant to wide-area monitoring, security, and management applications.
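As an added illustration (not taken from any of the co-simulators surveyed above), the following Python sketch couples a time-stepped physical model with a discrete-event communication model through one global event queue and shows how communication latency decides whether a remedial command arrives before a protection relay trips. The thermal relay model, all parameter values, and all names are assumptions.

```python
import heapq
from itertools import count

DT_MS = 10           # integration step of the physical model (assumed)
SAMPLE_MS = 100      # sensor reporting interval (assumed)
HEAT_LIMIT = 60_000  # relay trips after 2000 ms at 130 % loading (assumed)


class Line:
    """Time-stepped physical model: one line with a thermal overload relay."""

    def __init__(self):
        self.now = 0        # physical simulation clock in ms
        self.loading = 80   # percent of the line rating
        self.heat = 0       # accumulated overload, in percent * ms
        self.trip_ms = None

    def advance(self, target_ms):
        """Integrate the thermal state up to target_ms in DT_MS steps."""
        while self.now < target_ms:
            dt = min(DT_MS, target_ms - self.now)
            if self.trip_ms is None and self.loading > 100:
                self.heat += (self.loading - 100) * dt
            self.now += dt
            if self.trip_ms is None and self.heat >= HEAT_LIMIT:
                self.trip_ms = self.now
                self.loading = 0  # relay opens the line


def cosimulate(latency_ms, horizon_ms=5000, contingency_ms=1050):
    """Run both models under one global event queue; times are integer ms."""
    line = Line()
    queue, seq = [], count()

    def schedule(t, kind, value=None):
        # seq breaks ties so that equal-time events keep scheduling order.
        heapq.heappush(queue, (t, next(seq), kind, value))

    schedule(0, "sample")
    schedule(contingency_ms, "contingency")
    command_sent = False
    command_ms = None
    while queue:
        t, _, kind, value = heapq.heappop(queue)
        if t > horizon_ms:
            break
        line.advance(t)  # synchronise the physical model to the event time
        if kind == "contingency":
            if line.trip_ms is None:
                line.loading = 130  # outage elsewhere overloads this line
        elif kind == "sample":
            # Sensor reads the line and sends the value over the network.
            schedule(t + latency_ms, "measurement", line.loading)
            schedule(t + SAMPLE_MS, "sample")
        elif kind == "measurement":
            # Control centre reacts once to the first overload report.
            if value > 100 and not command_sent:
                command_sent = True
                schedule(t + latency_ms, "command", 90)
        elif kind == "command":
            command_ms = t
            if line.trip_ms is None:
                line.loading = value  # redispatch relieves the overload
    line.advance(horizon_ms)
    return {"tripped": line.trip_ms is not None, "trip_ms": line.trip_ms,
            "command_ms": command_ms, "heat": line.heat}


if __name__ == "__main__":
    for latency in (50, 1200):
        print(latency, cosimulate(latency))
```

With 50 ms of one-way latency the redispatch lands at 1200 ms and the line stays in service; with 1200 ms the relay opens the line at 3050 ms, before the command arrives at 3500 ms.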

IV. CYBER ATTACKS AND CYBER SECURITY IN CPPS
The electric power grid is one of the most important critical infrastructures of the nation and also the best example of the cyber-physical system. It is fully monitored and controlled by advanced information and communication technologies, which involve the tight integration of computation, communication, control, and human factors. Even though digital technologies monitor and control the electric power grid more efficiently and reliably, the power grid is vulnerable to cybersecurity risk and involves the complex interdependency between cyber and physical systems. A cyber-attack on the physical power system affects the secure operation of the power system by changing the information flow. The initial physical attacks on the power system are difficult to detect in the large-scale CPPS once they are successfully coordinated with cyber-attacks. The subsequent cyber-attacks mask these physical attacks, which tend to trigger a cascading failure across the electric power grid system. Therefore, it is necessary to analyse the various cyber-attacks and cybersecurity measures in CPPS. Cyber-attacks are a major concern for critical infrastructure like the electric power grid, and most R&D activities globally are giving maximum priority to cybersecurity research. From the technical literature, it is inferred that there is a wide range of advanced cyber-attacks created for a system like the power grid with monitoring, controlling, and protecting functions, as shown in Table 6. The World Economic Forum ranked large-scale cyber-attacks as fifth among the risks likely to happen in the next ten years [178]. The history of cyber-attacks alerts the entire world to protect the critical infrastructure of each nation. Table 6 lists out the major incidents reported in the energy sector [179]. The electric power grid is a big networked transmission and distribution system with a huge load, which gives a cyber-attack a chance of entering. The disruption of electricity creates a loss of billions of money in the country, which directly affects the economy of the nation and also the GDP growth in the modern global markets with private attackers. Therefore, it is necessary to develop indigenous firewalls and cybersecurity measures against cyber-attacks with innovative, resilient control algorithms.

B. CYBER SECURITY FOR CPPS
The CPPS needs cybersecurity at multiple levels, namely information security, ICT infrastructure security, and application-level security [180]. From past research works it is identified that the traditional information technology (IT) security features are not suitable for CPPS, and certain research areas in cybersecurity for CPPS are identified as: (i) Cyber-attack risk modelling and risk mitigation, (ii) Attack-resilient monitoring, protection and control algorithms, (iii) Defence against coordinated cyber-attacks, (iv) AMI infrastructure security, and (v) Simulation models. The cybersecurity of the power grid consists of cyber-attack detection, mitigation, prevention, and resilience, which are the main R&D needs for the emerging CPPS. The main goal of cybersecurity research for the smart grid is to develop an integrated risk modelling framework that combines physical system dynamics as well as cyber system dynamics. The model is then utilized to assess the impact of a cyber-attack on the power system in terms of loss of load, stability problems, economic loss, or equipment damage. Following the risk assessment, the next important task is to develop indigenous cybersecurity algorithms to protect the power system from various cyber-attacks, including intrusion-based attacks, denial-of-service attacks, malware-based attacks, and coordinated attacks. The risk from a cyber-attack is evaluated by the product of threats, system vulnerabilities, and their resulting impact, as shown in equation (24).
The threat can be defined as the presence of potential attacks, their motivation, and available resources. The vulnerability of the CPPS depends on the grid's advanced supporting cyber infrastructure. Typically, it consists of software, protocols, networks, and other resources to support the monitoring, protection, and control functions. The impact on the CPPS is determined by how the various cyber vulnerabilities affect the grid's various power applications that control the physical system. A cyber-attack on CPPS greatly differs from a traditional cyber-attack on IT systems. While attacker techniques have closely resembled traditional attacks, their ability to impact the grid is heavily dependent on the power system applications or control functions supported by those systems. Fig. 18 shows how a cyber-attack would impact the CPPS [180]. The first step of an attacker is to degrade the availability, integrity, or confidentiality of some portion of the cyber system supporting the CPPS. The degradation impacts some of the power applications/control functions used to support the grid. The attacker's ability to manipulate the control functions would then directly lead to the physical system impact.
The power system is generally divided into three major domains, namely, Generation, Transmission, and Distribution. Each domain has its own control of specific machines/devices, protocols, and communication signals. Therefore, each control system has its own threats, vulnerabilities, and impact on CPPS operations. Table 7 presents the classification of control loops based on the domains in CPPS [180]. Fig. 19 shows the cybersecurity life-cycle model for attack-resilient Wide-Area Monitoring Protection and Control (WAMPAC) applications in the power grid through a hub-and-spokes model integrating attack deterrence, attack prevention, attack detection, attack mitigation, attack resilience, and attack forensics [56].
Attack Deterrence: The ability of the defender to positively influence the potential adversary not to carry out attacks.
Attack Prevention: The ability of the defender to prevent attacks on the system through risk assessment, risk mitigation, cybersecurity technologies, etc.
Attack Detection: The defender should detect the attack in online/offline mode.
Attack Mitigation: The defender should apply the suitable mitigation technique to maintain the operational status of the system without any violation or degradation in the performance, security, or stability of the grid.
Attack Resilience: If an attack occurs in the system, the system must have adequate resiliency to maintain the operational status of the system, perhaps at a degraded level of performance, security, or stability.
Attack Forensics: Forensic analysis is useful to determine the originator and source of the attack, which helps to determine future attacks.
Finally, each spoke of the hub-and-spoke model highlights the innovative cybersecurity approaches with efficient technologies and enabling scientific tools to prevent the succession of attacks along the cybersecurity life cycle. Fig. 20 presents the research issues and potential solutions for attaining attack resilience at the infrastructure layer for WAMPAC [56]. Fig. 21 presents the research issues and potential solutions for attaining attack resilience at the application layer for WAMPAC [56]. For both layers, various issues are listed across the various domains, namely online attack detection, mitigation, resilience, and offline risk assessment & attack prevention. Table 8 lists out the taxonomy of cyber-attack and cybersecurity in CPPS. It should be noted that a coordinated attack is also possible, where multiple attacks are combined to further enhance the attacking behaviour in CPPS.

V. CPPS IN THE DEVELOPED COUNTRIES
The CPPS is considered as a next-generation power grid that allows the two-way flow of electricity and information to create a wide distributed automated electrical power delivery network. The CPPS grid, also called a smart power grid, future grid, intelligent grid, or inter grid, is an enhancement of the 21st-century power grid of the world [248]. The CPPS uses two-way flow, computational intelligence, and cyber-secure communication technologies in an integrated manner across the generation, transmission, distribution, and utilization of electrical power. It is capable of delivering power in more efficient ways and responds to a wide range of events and conditions anywhere in the grid for the safe, resilient, reliable, sustainable, and efficient operation of the power grid. The concept of CPPS started from the idea of a smart grid with the abstraction of AMI that helps to improve energy efficiency and Demand Side Management (DSM) and to develop a self-healing grid, resilient grid protection, etc. However, the new demand requirements urged the power industries, government, and research organizations to rethink and expand the scope of the smart grid to CPPS. The United States Energy Independence and Security Act of 2007 directed the National Institute of Standards and Technology (NIST) to coordinate the research activities to attain the objectives of smart grid systems and devices.
According to the report from NIST [249], the requirements and benefits of the smart grid are the following:
• Enhancing power quality and reliability;
• Effective utilization of facility and preventing construction of back-up power plants;
• Improving the efficiency and capacity of existing electric power networks;
• Enhancing resilience and reliability to disturbances;
• Enabling predictive maintenance and self-healing responses to system disruption;
• Facilitating the expanded deployment of renewable power sources;
• Accommodating centralized and distributed power sources;
• Automating operation and maintenance;
• Enabling EV and renewable power sources to reduce greenhouse gas emissions;
• Avoiding the operation of the inefficient power plant during peak usage periods to reduce oil consumption;
• Presenting opportunities for grid modernization;
• Enabling the transition to new energy storage options and plug-in EVs;
• Increasing customer choice;
• Enabling new services, products, and markets.
With the above benefits of the smart grid, the NIST released another report [250] on the CPS by joint work between the smart grid working group and CPSs working group for the energy domain. From this report, the main characteristics of CPS that support the efficient operation of CPPS and go beyond conventional product, system, and application are:
• The combination of the physical and the cyber, and their interconnectedness, is essential to CPS.
• A CPS may be a System of Systems (SoS).
• Emergent behaviours are to be expected of CPS due to the heterogeneous nature of CPS composition.
• CPS needs a methodology to ensure interdependency, dealing with prominent effects, and managing evolution.
• CPS may be designed for multi-purpose applications.
• CPS is noted for enabling cross-domain applications.
• CPS potential impact on the physical system and their interconnectedness with them raised the concern about trustworthiness.
• CPS should be freely composable.
• CPS must be able to accommodate continuous and discrete computational models.
• CPS must also support different modes of communication.
• The heterogeneity and interdependency of CPS lead them to exhibit a wide range of complexity.
• Cyber and Physical system time synchronization is a sensitive component to CPS, and its centralized architecture is a major concern.
• CPS is characterized by the interaction between the cyber and physical systems with their operating environment.
To promote the smart grid/CPPS deployment activities, government, industry, academia, and research organizations have spent a lot of money and effort on pilot projects, smart grid programs, and field studies. To help the readers follow the recent progress in CPPS, a summary of the major projects, programs, and trials related to the smart grid/CPPS is presented in Table 5. It covers Smart Meter, AMI, Transmission Grid, Micro Grid, DERs, EV, and Integrated Systems, etc. From Table 9, it is inferred that most of the countries have made a significant investment in the deployment of Smart Grid/CPPS technologies and applications, but their integration is the new challenge.

VI. OUTLOOK OF THE FUTURE CPPS
In general, the CPPS is a complex networked system that has impacted the way electrical energy is generated, transmitted, and utilized. The electrical energy systems have evolved through the years from the conventional power systems to the smart grid and have further explored CPSs in energy (CPSE) with the consideration of primary energy and end-use energy phases, as shown in Fig. 22 [265].
The future energy systems need a holistic approach (systems-of-systems) for modelling, simulation, and analysis. The various power grid blackouts that have occurred worldwide are due to the malfunctioning of the grid components (generator, transmission lines, load buses, communication facilities, etc.), the increasingly stringent constraints of carbon emission regulations, and market volatility. Preventing system-wide blackouts requires ICTs at a level higher than the existing smart grid can offer. The CPPS has already advanced beyond the smart grid environment and is more reliable for the holistic (systems of systems) approaches to the smart grid problem, but it has not gone far enough. The future energy systems should consider the coordination of various generalized environmental factors, social factors, economic factors, and human behaviors, as well as a hybrid research framework with different time and scales. This involves varieties of large data with hidden relationships in the complex economical, technological, social, and environmental dimensions.
The economic and societal potential of CPPS can be realized by a new concept of Cyber-Physical-Social Systems (CPSS). The CPSS lies at the intersection of the physical electric power systems, the cyber system market and control layer, and social residential end-users, as shown in Fig. 23 [266]. The CPSS encompasses the physical system, ICT infrastructure, and human behavior, and changes the way people interact with the complex interdependent systems. The general concepts of CPSS are shown in Fig. 23, in which the Social System plays a critical part in such an interdependent system. Social Systems include customer behaviors, policy, regulation, and economics. The new concept of CPSS in the energy sector comprises primary energy, secondary energy, and end-user energy in a broader framework, with other essential factors to be considered including, but not limited to, intermittent DERs, the influence of market operations, the transition in primary energy sources, and end-user behaviors [265]. The enabling technologies for CPPS development are the Internet of Things, Big data, Cloud Computing, Network Systems, etc. For the CPSSE, the additional enabling technologies include economics, social science, environmental science, cognitive science, psychology, and political science. This enhances the CPSS in the energy system, and it can be seen as a part of the journey from the power system to the smart grid, CPSE to CPSSE, as shown in Fig. 21. The driving force in CPSSE is induced by the interaction between them, which is much more powerful than the individual and internal driving forces of energy systems, information systems, and human societies. All these factors are critical for the successful implementation of CPSS in the energy future.

VII. CURRENT ISSUES AND RESEARCH DIRECTIONS
• The impact of communication network effects such as latency, outliers, missing data, etc., on the performance, reliability, and security of the CPPS may be considered. This area of research is emerging and likely to see more contributions in the near future.
• The traditional CPPS communication networks have been designed to cover separate parts rather than the whole power grid. Therefore, an interconnected communication network for generation, transmission, and distribution should be designed, and its network topology should be optimized considering 5G technology.
• The traditional deterministic type N-1 contingency analysis was not suitable for CPPSs. Therefore stochastic cyber-physical contingency analysis should be developed and analysed for the CPPS. More research is needed in this area.
• In cybersecurity for CPPS, fast authentication is an open problem and there is a wide scope for this research work.
• Developing the testbed for CPPS to analyse the effects of cyber events such as communication failures and cyber-attacks due to single or coordinated failures on the physical power system for the specific application is another emerging research area. 5G technology can be demonstrated on the testbed for future CPPSs, and other types of energy systems such as heat, gas, etc., can also be included.
• Estimating the cost of cyber attacks on CPPS at the national level for critical infrastructure protection is an important research area in the economic analysis of power systems.
• An advanced data-driven method with machine learning applications for CPPS in power system control area is emerging. It includes the hybrid data fusion of cyber and physical systems to monitor the stability of CPPS.
• Analysing the impact of the integration of renewable energy systems and electric vehicles in CPPS. Based on this, cyber-physical security analytics should be developed for the holistic cyber-physical transactive energy systems.
• Cyber resilience is the ability of CPPS to prepare, respond, and recover when cyber-attacks happen. In addition to power system resilience, the cyber system resilience should also be considered for developing control and operation methods and planning strategies to improve power grid resilience against physical and cyber events. Cyber-physical resilience metrics, evaluation methods, and universally accepted standard definitions are needed for CPPS, and there is a wide scope for this research topic.

VIII. CONCLUSION
CPPS is a new technology that integrates cyber systems and physical power systems to achieve high efficiency and performance. In recent years, research studies on CPPS modelling, simulation, and analysis have gained considerable attention. A grand challenge in CPPS research is the development of models that elegantly interface the continuous-time characteristics of the physical system with the discrete-time characteristics of the cyber system. A review of modelling methods, simulation tools, cyber-attack types, and cyber-attack detection and mitigation countermeasures in CPPS is summarized in this paper. The major contributions to the review of CPPS are highlighted as follows:
• This study mainly summarizes the CPPS modelling methods considering the impacts of cyber-attacks on power system control, power system stability, types of cyber-attacks, from the viewpoints of topology, mechanism, probability, and simulation. The unified framework for modelling of physical and cyber components in the CPPS is presented in Section II.
• The software tools corresponding to the CPPS for modelling and simulation of a physical system and cyber system, and the co-simulation tools, are discussed elaborately. Different types of software for modelling and simulation of complex CPPS are presented in Section III. The co-simulation software includes and combines knowledge in multiple domains to consider the CPPS holistically.
• Cyber-physical security is the core of modern CPPS. In Section IV, we have presented a systematic and comprehensive review of the state-of-the-art in the field, ranging from cyber-attack types, defense strategies, to a wide range of challenges and opportunities. As CPPS has become one of the economic and technological developments around the globe, this survey provides critical insights into enhancing cybersecurity for CPPS by maintaining the integrity of the CPPS under complex cyber-attacks. To this end, we have reviewed the cyber-security issues in CPPS, which included attack detection, mitigation techniques, risk analysis threat modelling, and vulnerability assessment for cyber systems.
• We have surveyed the recent ongoing and completed research projects on CPPS in countries worldwide and briefly discussed them in Section V.
• The outlook of future CPPS focuses on CPSS with the integrated modelling framework utilizing a unified computing framework that is discussed elaborately in Section VI.
• Finally, we have presented the current issues and research directions for the researchers who are working in the CPPS research areas in Section VII.
The modelling methods, simulation software, cyber-attacks, and cybersecurity measures discussed in this paper impart strong support for the secure and safe operation of the CPPS. An intensive analysis of simultaneous attacks on multiple targets is discussed elaborately. All the three modelling methods of CPPS considered both the power flow and information flow. In summary, there is no doubt that the emergence of CPPS leads to more efficient power system operations in the future, provides better services, and will eventually revolutionize our daily lives. From the survey result, it was seen that this CPPS research area is growing exponentially in terms of publications, especially in recent years; this confirms that the researchers are more interested in exploring results, theories, and technologies. We hope this survey welcomes other researchers to enter this emerging area. The future of CPPS addresses CPSSs associating CPSs with the social world, which is an important research topic that contributes to the construction of the future smart power system. It should be noted that only crucial research works are reviewed and summarized in this paper. However, there are some shortcomings in these modeling, simulation, and analysis methods. For instance, the specific topology of the communication network and the transmission mechanism types in the information and communication network are not considered. By neglecting the steady-state and transient characteristics of CPPS subsystems, the current research has only a theoretical significance. The modeling methods, simulation tools, cybersecurity applications, and performance evaluation are simulation-based approaches. To understand the complex behavior of CPPS, it is very difficult to model all the subsystems in simulation platforms. Therefore, the construction of the CPPS testbed will further help the researchers, academicians, and industrialists to explore the in-depth knowledge of CPPS. Therefore, developing a testbed for CPPS that takes the actual power flow and information flow into consideration is the main problem to be solved in the near future. Based on this CPPS testbed, it is more appropriate to analyze and evaluate the three different types of modeling methods of CPPSs. In addition to that, cyber-attacks, cybersecurity algorithms, digital forensic analysis, risk assessment, attack modeling and defense can be demonstrated by organizing a co-simulation setup for CPPS and it becomes relatively crucial. Also, the major challenge is the design of large-scale CPPS and its implementation in real-world applications like the Wide-Area Monitoring and Control System (WAMCS).