Made by Bobr AI

IIoT Cyberattacks & Cybersecurity Testbeds: Literature Review

A systematic literature review of 159 studies on Industrial IoT cyberattacks, simulation testbeds, and the experimental gap in threat modeling.

Academic Conference Presentation | April 2026

Exploring IIoT Cyberattacks and Cybersecurity Testbeds

A Systematic Literature Review

Author Affiliation: University of Cincinnati, USA
Review Scope: ACM — 159 Primary Studies Reviewed
Databases Used:
  • IEEE Xplore
  • ACM Digital Library
  • Scopus

Presentation Outline

1. Introduction & Motivation
2. Related Work
3. Methodology — SLR Protocol
4. Results: Cyberattacks (RQ1)
5. Results: Testbed Tools (RQ2)
6. Discussion & Conclusion

Introduction & Motivation

The IIoT Revolution

Interconnected industrial devices boosting efficiency and automating processes

Integrates legacy OT with modern IT/IoT technologies

Spans energy, water, manufacturing, healthcare, and agriculture sectors

The Cybersecurity Threat

Increased interconnectivity expands the attack surface dramatically

A single compromised node can cascade across entire industrial ecosystems

Economic impact: billions lost annually in downtime, fines, and recovery

RQ1: What cyberattacks against IIoT systems are simulated using cybersecurity testbeds?

RQ2: What tools and frameworks are used for designing a cybersecurity testbed for IIoT?


Related Work & Research Gap

Prior Attack Taxonomies

Berger et al. (2020)

Multi-layer taxonomy

↳ Abstract, not linked to testbeds

Panchal et al. (2018)

Architectural attack categories

↳ Ignores IT/OT convergence

Krishna et al. (2021)

IoT/IIoT threats

↳ Lacks industrial context

Prior Testbed Studies

Alves et al. (2018)

Modular virtual SCADA testbed

↳ No link to threat taxonomy

Al-Hawawreh & Sitnikova (2020)

Brownfield IIoT testbed

↳ Not generalizable

THE RESEARCH GAP

Attack taxonomies and testbed implementations have evolved in isolation.
This SLR bridges the gap by directly linking attack categories to testbed capabilities and experimental reproducibility.

SLR Methodology

Methodology — SLR Protocol

Systematic Literature Review based on Kitchenham Guidelines

Data Sources

Search Date: November 22, 2025

  • Stage 1, Initial Search: 1,398 articles (703 IEEE, 635 Scopus, 60 ACM)
  • Stage 2, Duplicate & Title Screening: 463 retained (excluding duplicates and irrelevant studies)
  • Stage 3, Abstract Screening: 247 retained (filtered by relevance to IIoT)
  • Final Stage, Full-Text Assessment: 159 studies (selected for methodologies)

Inclusion Criteria

  • Peer-reviewed journal articles & conference papers
  • Written in English (published 2010–2025)
  • IIoT/ICS cybersecurity + testbed component
  • Clear methodology & reproducible findings

RQ1: Cyberattacks Simulated in IIoT Testbeds

Top 20 Cyberattacks Simulated in IIoT Cybersecurity Testbeds
Frequency of Mention in Primary Studies (n=159)

  • Denial of Service (DoS): 20
  • Man-in-the-Middle (MitM): 15
  • False Data Injection (FDI): 10
  • Replay Attacks: 8
  • Data Tampering: 5
  • ARP Spoofing: 5
  • Pass Cracking / Brute Force: 4
  • Network Reconnaissance: 3
  • Data Modification: 3
  • Command Injection: 3
  • Malware Infection: 2
  • Jamming Attack: 2
  • Eavesdropping: 2
  • Phishing: 2
  • Side-channel Attack: 2
  • Device Compromise: 2
  • Privilege Escalation: 2
  • Routing Attack: 2
  • Masquerade Attack: 2
  • Ransomware: 2

  • Software & Data Integrity: FDI, memory manipulation, command injection
  • Advanced Persistent Threats: Multi-stage, spear phishing, lateral movement
  • Network Attacks: DoS, MitM, replay, jamming, protocol exploits
  • Malware & Social Engineering: Ransomware, backdoor, phishing


Attack Classification Deep Dive

Software & Data Integrity Attacks

  • False Data Injection (FDI) — most simulated (energy/power grids)
  • Memory manipulation (PLC control logic)
  • Firmware rewriting attacks (persistent unauthorized behavior)
  • Unauthorized command injection (breaks SCADA processes)
  • Service disruption: ramp attacks, load tripping, electricity bidding

Note: Well-covered in energy sector; underrepresented in healthcare & agriculture

Advanced Persistent Threats (APTs)

  • Multi-stage, long-duration, targeted campaigns
  • Spear-phishing → lateral movement → false command injection
  • MITRE ATT&CK framework for ICS applied (PS81)
  • Zero-day exploits, time synchronization attacks, insider threats

Note: Severely underrepresented in testbeds due to complexity

Network Attacks

  • DoS variants: TCP SYN Flood, Slowloris, ping-of-death, ICMP flood
  • MitM using Ettercap & Wireshark on Modbus, DNP3, IEC 61850
  • Replay & delay attacks (lack of message authentication in ICS protocols)
  • Protocol-based: Modbus, DNP3, IEC 61850 GOOSE exploits

Note: Most prevalent — enabled by network virtualization platforms

Malware & Phishing

  • WannaCrypt ransomware on brownfield IIoT testbed
  • Backdoor malware, Stuxnet-inspired firmware attacks
  • Phishing & social engineering: require human-in-the-loop

Note: Lowest testbed representation due to safe deployment complexity

RQ2: Tools & Technologies for IIoT Testbeds

Top Tools Mentioned Across Primary Studies
Frequency of Mention

  • Wireshark: 7
  • RTDS (Real-Time Digital Simulator): 5
  • Sensors: 5
  • Phasor Measurement Units (PMU): 4
  • Raspberry Pi: 4
  • PLCs: 3
  • IEDs: 3
  • OPAL-RT: 3
  • Actuators: 3
  • Metasploit: 2
  • Mininet: 2
  • Docker: 2

Tool Categories

  • Simulation & Modeling: GNS3, MATLAB Simulink, OPAL-RT, NS-3, RTDS
  • Virtualization: Docker, VMware, OpenStack, Kali Linux
  • Development Platforms: Python, Raspberry Pi, Arduino, LabVIEW
  • Network & Security: Wireshark, Nmap, Metasploit, IDS, VPN
  • ML & Analytics: Hadoop, LSTM, ARIMA, KNN, Neural Networks
Key Finding

The Alignment Gap

Well-Covered Attacks

Theoretical Threat Taxonomy

  • Advanced Persistent Threats (APTs)
  • Insider threats
  • Cross-layer manipulations
  • Long-duration stealth campaigns
  • Social engineering / phishing
  • Hardware-level attacks

Testbed Experimental Coverage

  • Network-based attacks (DoS, MitM, replay)
  • Protocol exploits (Modbus, DNP3)
  • False Data Injection
  • Basic malware scenarios

Feasibility Bias

Technical feasibility, not threat realism, drives which attacks are studied.

Strategic Threat Gap

APTs, insider attacks, cross-layer campaigns remain largely unsimulated.

ML Integration Gap

Anomaly detection evaluated in isolation, not in full attack lifecycles.


Discussion: Implications & Future Directions

Implications for the Field

Testbeds Shape Research Priorities

Experimental affordances determine which threats are empirically explored, creating feedback loops between feasibility and perceived risk

Underestimated Systemic Vulnerabilities

Current testbeds likely underestimate threats requiring longitudinal and cross-layer experimentation

Need for Integrated Framework

Threat taxonomy and testbed architecture should be interdependent layers in a unified research model

Underrepresented Sectors

Healthcare, agriculture, and water sectors critically underserved by current testbed research

Future Research Directions

Next-Gen Testbed Architectures

Hybrid physical + virtual, hardware-in-the-loop for timing-sensitive processes

Human-in-the-Loop Modeling

Enable insider threat and social engineering simulation

AI-Driven Threat Detection

Embed ML/anomaly detection in full attack lifecycle simulations

Sector-Specific Testbeds

Water, healthcare, agriculture IIoT scenarios


Conclusion

This SLR synthesized 159 primary studies to classify IIoT cyberattacks and identify testbed tools. The core finding: a structural misalignment exists between theoretical attack taxonomies and what is experimentally reproduced in cybersecurity testbeds.

  • 159 primary studies reviewed across IEEE Xplore, ACM, and Scopus (2010–2025)
  • 4 attack categories classified: Integrity Attacks, APTs, Network Attacks, Malware
  • 5 tool categories identified: Simulation, Virtualization, Development, Security, ML/Analytics
  • Critical gap: Network attacks dominate testbeds; APTs, insider threats, cross-layer attacks remain underrepresented

Limitations

Findings limited to published peer-reviewed literature; proprietary testbed implementations not captured. Only reported capabilities analyzed, not direct experimental validation.

Questions? contact@uc.edu