Cyber Risk Assessment for Cyber-Physical Systems: A Review of Methodologies and Recommendations for Improved Assessment Effectiveness

Cyber-Physical Systems (CPS) integrate physical and embedded systems with information and communication technology systems, monitoring and controlling physical processes with minimal human intervention. The connection to information and communication technology exposes CPS to cyber risks. It is crucial to assess these risks to manage them effectively. This paper reviews scholarly contributions to cyber risk assessment for CPS, analyzing how the assessment approaches were evaluated and investigating to what extent they meet the requirements of effective risk assessment. We identify gaps limiting the effectiveness of the assessment and recommend real-time learning from cybersecurity incidents. Our review covers twenty-eight papers published between 2014 and 2023, selected based on a three-step search. Our findings show that the reviewed cyber risk assessment methodologies revealed limited effectiveness due to multiple factors. These findings provide a foundation for further research to explore and address other factors impacting the quality of cyber risk assessment in CPS.