Cyber Security Challenges and Solutions in Critical Infrastructure: A Systematic Review of Threat Spectrum, Systemic Vulnerabilities, and Multi-Level Protection Strategies

  • Andi Dengkeng, Almarisah Madani University, Indonesia
  • Agus Halid, Almarisah Madani University, Indonesia
  • Gita Pratiwi, Almarisah Madani University, Indonesia
  • Andi Ikmal Rachman, Almarisah Madani University, Indonesia
  • Suriansyah B, Almarisah Madani University, Indonesia
  • Luqman fanani MZ, Almarisah Madani University, Indonesia
Keywords: Cyber Security, Critical Infrastructure, Cyber Threat, Systemic Vulnerability, Multi-Level Protection, Systematic Review, Mitigation Strategy

Abstract

Digital transformation has increased the operational efficiency of critical infrastructure, but at the same time it has opened new loopholes for increasingly complex and destructive cyber attacks. This study aims to identify the spectrum of cyber threats targeting critical infrastructure, analyze the accompanying systemic vulnerabilities, and evaluate the multi-level protection strategies used in cyber risk mitigation. Using a qualitative approach through a systematic review method, this study examines 20 primary sources in the form of scientific journals, policy reports, and international case studies published in 2015–2024. The results reveal that threats such as ransomware, Advanced Persistent Threats (APT), AI-based attacks, and zero-day exploits are becoming the dominant forms of attack, with the energy, health, and communications sectors as the main targets. Systemic vulnerabilities are found in old technology that is not updated, in governance weaknesses, and in low cyber awareness at the operational level. Effective protection strategies are layered, including perimeter security, access management, data encryption, awareness training, and incident response and system recovery. This study recommends the integration of protection strategies that are adaptive, based on risk data, and supported by strong national policies to strengthen the cyber resilience of the critical infrastructure sector.

Published
2025-09-16
How to Cite
Dengkeng, A., Halid, A., Pratiwi, G., Rachman, A. I., B, S., & MZ, L. fanani. (2025). Cyber Security Challenges and Solutions in Critical Infrastructure: A Systematic Review of Threat Spectrum, Systemic Vulnerabilities, and Multi-Level Protection Strategies. Journal La Multiapp, 6(5), 1183-1193. https://doi.org/10.37899/journallamultiapp.v6i5.2469