Cyberattacks on a data centre can be costly. Cyberattacks on a power grid, water treatment plant, or medical device can be catastrophic. As societies become more reliant on systems that deeply integrate software with physical machinery, the question of how to defend them has become more pertinent than ever.
These systems, known as cyber-physical systems (CPS), include power grids, industrial control systems, transportation systems, and increasingly, renewable energy infrastructure. Unlike conventional IT systems, where breaches mainly affect data, failures in CPS can cascade into physical damage, service disruption, and safety risks.
Much of today’s cybersecurity thinking, however, remains rooted in assumptions that no longer hold, according to Huang Shaofei, a Doctor of Engineering (EngD) candidate at Singapore Management University (SMU).
“Traditional cybersecurity approaches often overlook the complex interdependencies among computational logic, control mechanisms, and physical system dynamics, resulting in insufficient defences within mission-critical cyber-physical environments,” he explains.
In two recent papers, Shaofei and his research team tackled this problem from complementary angles. The first paper examined the current state of CPS security modelling across research and practice. Meanwhile, the second paper proposed a way to support decision-making during live cyber-physical incidents, when time, information, and options are all constrained.
Why existing security models have fallen short
The first paper, “Security Modelling for Cyber-Physical Systems: A Systematic Literature Review”, painted a sobering picture of the current practice. While threat modelling—anticipating risks during system design—is an established concept, attack modelling—understanding how real adversaries exploit systems in operation—has seen less adoption in risk assessment and security design. Even when such models existed, they were found to be static, rarely updated, and ill-suited to systems designed to operate for decades.
“What surprised me most from this literature review was how simplistic many models still are, despite the sophistication of real attacks,” Shaofei reveals. “Attacks on CPS have evolved dramatically over the past decade to become multi-stage and adaptive. Yet, many organisations still rely on security assumptions made when CPS was first deployed.”
Given the dynamic nature of CPS environments, this disconnect between academic models and real-world practice must be addressed. Treating security as a one-off design exercise leaves operators exposed to threats that were never anticipated at the outset.
Shaofei’s review paper argued for a more integrated approach that would link early-stage threat modelling with operational attack modelling, including CPS security within a unified lifecycle framework.
Making decisions under pressure
Shaofei’s second paper, “Bayesian and Multi-Objective Decision Support for Real-Time Incident Mitigation in Critical Infrastructure”, moved from diagnosis to response. Instead of asking how to eliminate risk entirely, he explored a more realistic solution: how should operators act when an attack is already unfolding?
In CPS environments, every mitigation decision involves trade-offs. Isolating a compromised component may reduce cyber risk but could interrupt essential services or introduce new safety hazards. Applying a patch might close one vulnerability while destabilising legacy hardware elsewhere.
Shaofei’s proposed framework uses Bayesian networks to model how vulnerabilities, assets, and hazards are causally linked. As new evidence emerges, such as an exploited vulnerability or anomalous system behaviour, the model updates its assessment of risk in real-time. It evaluates portfolios of countermeasures, weighing their combined effects on attack likelihood, physical impact, and system availability.
A key challenge the paper addressed was uncertainty. While current common vulnerability scoring systems offer useful signals, each has blind spots, especially in CPS environments where proprietary or undocumented vulnerabilities are common. To address this, Shaofei’s framework produces risk estimates that reflect both known and unknown factors by combining multiple scoring approaches using Bayesian confidence calibration.
The team also evaluated the framework using three scenarios: a solar photovoltaic inverter system, the 2015 Ukrainian power grid attack, and a generic railway signalling system. Despite their differences, common patterns surfaced. Effective mitigation consistently involved disrupting early entry points in attack paths, while attempting to secure everything at once produced diminishing returns.
Importantly, it was found that the framework would be fast enough to be operationally useful. “Our framework generates recommendations as quickly as 45 seconds for a single optimisation run on an Intel Core i7 processor. Meanwhile, newer, high-end hardware could enable even faster execution through parallelised Bayesian inference and optimisation,” says Shaofei.
Shaofei (2nd from right), who is currently pursuing a Doctor of Engineering programme at SMU, had received the SG Digital Scholarship in 2024.
From theory to operational fix
Shaofei’s background as a practitioner has shaped both studies. Having spent years in cybersecurity leadership roles, he is acutely aware that security decisions in CPS cannot be separated from operational realities.
“My practitioner background, grounded in consequence-focused risk management and systems engineering discipline, underscores the importance of designing cybersecurity as an enabler of operational continuity and safety assurance, instead of an isolated technical function,” shares Shaofei, who is currently pursuing SMU’s EngD programme. Through the programme, he is transitioning from a practitioner to an innovator developing critical solutions backed by research.
As digital threats grow more sophisticated, cybersecurity leadership can no longer rely on static playbooks. It demands professionals who can bridge engineering, data, and decision science — translating theory into operational impact.
That philosophy underpins SMU’s approach. “Through programmes like EngD and the Master of IT in Business (MITB), we encourage our students to tackle real-world, high-stakes problems through rigorous academic methodology and practical insight,” says Associate Professor of Computer Science (Practice) Shar Lwin Khin, who also serves as Director of the Cybersecurity track in the MITB programme.
The impact is circular and intentional. “Research like Shaofei’s directly shapes our curriculum,” he adds, “with his models being translated into case studies and lab modules for our MITB-Cybersecurity students.”
In this way, innovation does not sit apart from teaching; it strengthens it. From developing adaptive, consequence-aware security tools to embedding them into the curriculum, SMU advances cybersecurity by equipping leaders who are prepared to not only respond to evolving threats, but also design systems that stay ahead of them.
Take the next step towards building technical skills needed to tackle these challenges with the SMU Master of IT in Business (MITB) Cybersecurity track. Apply for the MITB programme today.
