Study Notes / Cyber-Physical Systems

Read the process, not just the packets.

00

Lecture Map

These are the major blocks you should remember.

Lecture 1

CPS foundations

Definition, properties, application domains, history, architecture, components, autonomy, reliability, safety, security, modeling, control, data, digital twins, and data-driven methods.

Lecture 2

Network-security analysis

Why traffic viewing is insufficient, goals of analysis, network architecture, IT vs OT, assets, channels, observation points, data sources, methods, tools, and common analytical mistakes.

Lecture 3

Physical environment and protection

What the physical environment includes, physical trust boundaries, zones, properties of a protected environment, data sources, threat models, analytical methods, and practical tools.

01

Core CPS Concepts

A cyber-physical system combines sensing, computation, networking, and physical action into one operational loop.

Definition

What is a CPS?

A cyber-physical system is a system where physical objects and processes are connected to computational elements through data networks. It does not only process information. It observes the real world, makes decisions, and changes real conditions.

Property

Real-time operation

Timing matters. A correct decision that arrives too late may be useless or dangerous.

Property

Feedback loop

The system constantly receives data about the effect of its actions and adjusts its behavior.

Property

Hybrid behavior

CPS combines discrete logic, software, and protocols with continuous physical processes such as movement, temperature, pressure, and current.

Property

Autonomy and adaptation

Many CPS can measure, decide, and control without constant human input, while adapting to noise, load changes, failures, and new operating conditions.

Property

Reliability and resilience

CPS must tolerate faults through diagnostics, redundancy, safe degradation, and failure detection because software errors can become physical hazards.

Property

Context sensitivity

The system reacts to real operating conditions such as location, temperature, human presence, environmental changes, and mode of operation.

Property

Predictability and verifiability

In critical applications, behavior should be analyzable, modelable, and testable before deployment.

Property

Scalability

A CPS may be a single device or a distributed infrastructure such as a plant, transport system, or energy network.

01A

Where CPS Appears

The lectures repeatedly show that different industries share the same engineering pattern: sensing, computation, communication, control, and physical effect.

Domain

Industry 4.0

Machines, sensors, controllers, MES/SCADA, predictive maintenance, digital twins, adaptive quality control, and human-robot collaboration.

Domain

Autonomous transport

Cameras, lidars, radars, localization, planning, braking, steering, and strict timing requirements.

Domain

Digital health

Connected medical devices, remote monitoring, clinical decision support, and cyber risk with direct therapeutic consequences.

Domain

Smart buildings

HVAC, lighting, access control, energy optimization, and continuous feedback between sensing and building controls.

Domain

Logistics

RFID, vision, AGV/AMR platforms, conveyors, routing logic, throughput constraints, and worker-safety implications.

Domain

Energy and robotics

Smart grids, DER (distributed energy resources), microgrids, robotic cells, collaborative robots, and distributed autonomous platforms.

01B

Embedded vs IoT vs CPS

The lectures treat these as related but not identical ideas. Mixing them is a common mistake.

Embedded System

Specialized computation inside a device.

The key question is: what function does this device perform? It may be isolated and does not have to be networked.

IoT

Connected devices and data exchange.

The key question is: how does the device communicate, report, and integrate with a platform or service?

CPS goes further: the key question is how digital logic, communication, and physical process form one coordinated closed loop with timing, control, and safety constraints.

02

Safety vs Security

The distinction is basic, and exam questions often hinge on it.

Safety

The system should not harm people, equipment, or the environment.

Safety focuses on preventing dangerous physical outcomes, even when failures, mistakes, or unexpected conditions occur.

Security

The system should resist intrusion, tampering, spoofing, and misuse.

Security focuses on protecting data, nodes, commands, and trust relationships from malicious interference.

In CPS these are linked: a digital attack can cause physical damage, and a physical intervention can compromise digital trust.

02A

CPS Architecture and Components

The lectures repeatedly return to the same architecture: object, sensing, communication, computation, and actuation.

Physical object

The real process being measured and influenced.

Sensors

Collect state from the physical environment.

Communication

Transfers telemetry, commands, and coordination data.

Controllers and logic

Interpret data, compute actions, and manage operating modes.

Actuators

Apply physical change in the world.

Important engineering point: each block adds its own uncertainty, delay, failure modes, and constraints. A CPS is never just code running on ideal hardware.

02B

Modeling, Control, and Data

Lecture 1 expands far beyond basic definitions. These concepts are central if you need to explain CPS as an engineering discipline rather than a buzzword.

Modeling

  • Builds a formal representation of the system or process.
  • Supports prediction, design, verification, and validation.
  • Must be adequate to the task, not just detailed.
  • Includes dynamic, logical, structural, and statistical models.

Control

  • Targets desired system behavior.
  • Uses feedback, target variables, and control actions.
  • Must account for disturbances, delay, and uncertainty.
  • Should be judged at the level of the whole control loop.
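The timing and control-loop points above, worked through as an added example that is not from the lectures: the same proportional control law is run against an integrating process (assumed, e.g. a level or position that accumulates the actuation) with fresh feedback and with feedback that arrives one cycle late, whether through network delay or a stale, replayed reading. The gain, setpoint and process model are constructed.

```python
# Added example (not from the lectures): one control law, fresh versus stale feedback.
# Process, gain and setpoint are constructed for illustration.

def simulate(gain, delay, steps=60, setpoint=1.0, x0=0.0):
    """Proportional control of an integrating process (assumed: the state
    accumulates whatever the actuator applies). The controller acts on a
    measurement that is `delay` cycles old; delay 0 is the ideal loop."""
    buffer = [x0] * (delay + 1)   # measurement pipeline, oldest reading first
    x = x0
    trajectory = []
    for _ in range(steps):
        measured = buffer[0]                  # stale if delay > 0
        u = gain * (setpoint - measured)      # a correct decision for what it saw
        x = x + u                             # process responds to the actuation
        buffer.append(x)
        buffer.pop(0)
        trajectory.append(x)
    return trajectory

def max_error(trajectory, setpoint=1.0):
    """Largest deviation from the setpoint anywhere in the run."""
    return max(abs(x - setpoint) for x in trajectory)

def settled(trajectory, setpoint=1.0, tol=1e-6):
    """True if the loop ends within `tol` of the setpoint."""
    return abs(trajectory[-1] - setpoint) < tol

# Why the numbers come out the way they do (error e[k] = x[k] - setpoint):
#   delay 0: e[k+1] = (1 - gain) * e[k]       -> converges for 0 < gain < 2
#   delay 1: e[k+1] = e[k] - gain * e[k-1]    -> roots of z^2 - z + gain = 0,
#            |z| = sqrt(gain) for gain > 1/4, so gain 1.2 grows every cycle
#            while gain 0.8 only oscillates before settling.

if __name__ == "__main__":
    for gain, delay in ((1.2, 0), (1.2, 1), (0.8, 1)):
        traj = simulate(gain, delay)
        print(f"gain={gain} delay={delay}: settled={settled(traj)} "
              f"max|error|={max_error(traj):.2f}")
```

The judgement has to be made on the whole loop: the controller logic is identical in all three runs, and only the age of the measurement decides whether the process settles, oscillates, or runs away.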

Data

Telemetry plus evidence

CPS data includes measurements, events, configuration changes, and incident traces. Quality depends on timing, semantics, and traceability, not only volume.

Digital Twin

Operational representation

A digital twin is more than a model. It is a practical digital representation connected to the system and useful across the life cycle.

AI Limits

Useful, but not magic

Data-driven methods help with anomaly detection and complex patterns, but they do not replace physical understanding, verification, or engineering discipline.

03

Network Security in CPS

Network analysis is not just packet watching. It is structured investigation of how the system communicates and whether those communications support safe control.

1. Define the context

Analysis needs a specific object: a segment, a control loop, or a group of nodes. Traffic without context is only raw data.

2. Define normal behavior

You must know which nodes are expected, which protocols are allowed, who may initiate connections, and when traffic is normal.

3. Detect attacks and anomalies

Not every anomaly is an attack, but most attacks appear as deviations from the expected network profile.

4. Reconstruct incidents

Traffic traces help reveal what happened, which nodes were involved, and how the event may have affected control.

5. Evaluate resilience

The goal is architectural understanding: identify unnecessary connections, weak segmentation, critical dependencies, and excessive attack surface.

Main idea: in a cyber-physical system, network analysis becomes analysis of control security. A delay, spoofed address, unauthorized connection, or blocked command can affect the real physical process, not only data systems.
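The five steps above, carried through as an added example that is not from the lectures: a baseline for one controller-level segment (assumed addresses and protocol names) is applied to constructed flow records. Direction is part of the baseline, and because controller polling is cyclic, a break in the polling period is reported as a lead for incident reconstruction rather than as an attack verdict.

```python
# Added example (not from the lectures): baseline-driven triage of flow records.
from dataclasses import dataclass

# Baseline = what "normal" means for this segment: (initiator, responder, protocol).
# Direction matters: the SCADA server polls the PLCs; a PLC opening a
# connection towards the SCADA server is not expected. Addresses are constructed.
BASELINE = {
    ("10.1.2.10", "10.1.1.21", "modbus"),   # SCADA server -> PLC-1 polling
    ("10.1.2.10", "10.1.1.22", "modbus"),   # SCADA server -> PLC-2 polling
    ("10.1.2.11", "10.1.1.21", "s7comm"),   # engineering workstation -> PLC-1
}
KNOWN_NODES = {addr for entry in BASELINE for addr in entry[:2]}

@dataclass
class Flow:
    ts: float      # seconds since start of the flow export
    src: str       # initiator
    dst: str       # responder
    proto: str

def classify(flow):
    """Label one flow against the baseline; 'baseline' means nothing to report."""
    if flow.src not in KNOWN_NODES or flow.dst not in KNOWN_NODES:
        return "unknown-node"
    if (flow.src, flow.dst, flow.proto) in BASELINE:
        return "baseline"
    if (flow.dst, flow.src, flow.proto) in BASELINE:
        return "reversed-initiator"      # known pair, but the wrong side opened it
    return "unexpected-pair"             # known nodes talking in a way not baselined

def triage(flows):
    """Group every non-baseline flow by finding label for an analyst to review."""
    findings = {}
    for f in flows:
        label = classify(f)
        if label != "baseline":
            findings.setdefault(label, []).append(f)
    return findings

def polling_gaps(flows, initiator, responder, period, tolerance):
    """Polling is cyclic: return (start, end) of each interval that breaks the period."""
    ts = sorted(f.ts for f in flows if f.src == initiator and f.dst == responder)
    return [(a, b) for a, b in zip(ts, ts[1:]) if abs((b - a) - period) > tolerance]

# Constructed records: three normal polls, several deviations, then polling resumes.
FLOWS = [
    Flow(0.0, "10.1.2.10", "10.1.1.21", "modbus"),
    Flow(1.0, "10.1.2.10", "10.1.1.21", "modbus"),
    Flow(2.0, "10.1.2.10", "10.1.1.21", "modbus"),
    Flow(2.5, "10.1.1.21", "10.1.2.10", "modbus"),   # PLC-1 initiates towards SCADA
    Flow(3.0, "10.1.2.11", "10.1.1.22", "s7comm"),   # workstation -> PLC-2: not baselined
    Flow(3.2, "10.1.3.50", "10.1.1.21", "modbus"),   # address not in the inventory
    Flow(7.0, "10.1.2.10", "10.1.1.21", "modbus"),   # polling resumes after a 5 s gap
]

if __name__ == "__main__":
    for label, hits in triage(FLOWS).items():
        print(label, [(f.ts, f.src, f.dst, f.proto) for f in hits])
    print("polling gaps:", polling_gaps(FLOWS, "10.1.2.10", "10.1.1.21", 1.0, 0.2))
```

Each finding is a deviation from the profile, not a verdict: the reversed initiator and the gap both need the OT context from step 1 before they are called an attack or dismissed as maintenance.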

03A

Network Architecture in CPS

Lecture 2 treats the network as a layered operational environment, not a flat cable diagram.

Level

Field level

Sensors and actuators near the process. Traffic is often short, cyclical, and highly deterministic.

Level

Controller level

PLC, RTU, and local controllers. This segment is critical because it directly shapes process behavior.

Level

SCADA / HMI

Monitoring, operator interaction, visualization, and engineering workflows.

Level

Server tier

Historians, databases, logging, application services, and integration functions.

Level

External and cloud links

Remote services, platform integrations, vendor support, and wider attack surface.

Viewpoint

IT and OT

Different priorities, lifecycles, timing assumptions, and risk models, but increasingly connected.

03B

Observation Points and Data Sources

The lectures emphasize that what you can conclude depends on where you observe from.

Observation points

  • Switch port mirroring
  • Network TAP
  • Firewall logs
  • NetFlow / IPFIX
  • IDS / IPS sensors
  • Host and application logs

Why each is partial

  • Mirroring depends on configuration quality.
  • TAP is accurate but only sees its position.
  • Firewalls show boundaries, not full semantics.
  • Flow data shows structure, not payload detail.
  • IDS/IPS depends on signatures, tuning, and context.
  • Logs may be incomplete or compromised.

03C

Tools and Common Mistakes

Lecture 2 spends a lot of time on methodology, not just tool names.

Tool

Packet capture

Best for detail and investigation, expensive for scale.

Tool

Flow analysis

Best for communication structure and baselining.

Tool

IDS / IPS

Useful for known threats and suspicious interactions.

Tool

SIEM / NDR

Correlation and behavior analysis across broader telemetry.

Mistake

Analysis without architecture

Looking for threats without knowing the system design.

Mistake

No baseline or OT context

Misclassifying legitimate operations or missing real risk.

Recurring warning from the lectures: do not collect traffic “just in case” without a clear analytical purpose. In CPS, overload, blind spots, encryption, and OT-specific constraints limit what network analysis can honestly prove.

04

Physical Environment as Part of Security

In CPS, physical security is broader than doors and guards. The material environment is part of observability, controllability, and trust.

What belongs to the physical environment?

  • Site perimeter and territory
  • Buildings and rooms
  • Control cabinets, racks, and panels
  • Sensors and actuators
  • Cables and power lines
  • Service ports and local interfaces
  • Power supply and backup sources
  • Temperature, humidity, dust, vibration, and EMI conditions

Why is it security-relevant?

  • A moved or miscalibrated sensor creates false data.
  • A manipulated actuator may execute commands incorrectly.
  • An exposed service port can bypass logical controls.
  • Weak cable routes create hidden intervention points.
  • Power disruption can break monitoring and control.
  • Poor environmental conditions can trigger dangerous failures.

Operability

The system can function.

Equipment, power, connectivity, and local infrastructure must be physically available and stable.

Observability

The system can see what is happening.

Access events, cabinet opening, service actions, and conditions in the field need monitoring and documentation.

Controllability

The system can influence the process correctly.

Commands only matter if actuators, sensors, power, cabling, and local modes preserve the intended control path.

04A

Zones and Physical Trust Boundaries

Lecture 3 does not stop at listing objects. It models physical space as a multi-zone architecture with unequal access meaning.

Outer perimeter

First barrier, but never sufficient by itself.

Controlled territory

Approach paths, outdoor equipment, and distributed assets.

Building / process area

General physical presence does not equal critical access.

Technology rooms / control rooms

Rooms where access starts to imply direct system influence.

Cabinet / field component level

The most local and often most critical trust boundary.

Main idea: access to a building is not equivalent to access to a cabinet. Access to a cabinet is not equivalent to touching a field sensor. Physical trust is layered.

04B

Threat Model for the Physical Environment

The lecture builds from structure to consequences. Threats are important because of how they affect observation and control.

Threat

Unauthorized physical access

Entry to a critical zone or point without proper authority.

Threat

Device theft or substitution

Loss of hardware, hidden interfaces, or malicious replacement.

Threat

Cable or connector damage

Breaks communication, power, or trusted measurement paths.

Threat

Sabotage

Intentional physical interference with equipment or conditions.

Threat

Power disruption

Directly affects availability, visibility, and control.

Threat

Service-port misuse

Maintenance interfaces used to bypass normal digital controls.

Threat

Environmental degradation

Heat, dust, moisture, vibration, and EMI can become security-relevant.

Threat

Insider or contractor misuse

Legitimate presence combined with illegitimate action.

Threat

Cabinet interference

High-impact local access to controllers, ports, power, and wiring.

04C

Physical Analysis Methods and Tools

Lecture 3 lays out a proper analytical toolbox, not only a list of barriers and devices.

Methods

  • Zonal analysis
  • Access-point analysis
  • Critical-asset analysis
  • Intrusion and sabotage scenario analysis
  • Correlation of physical and digital events

Tools and data sources

  • Access-control systems
  • Video surveillance
  • Tamper and intrusion sensors
  • Environmental monitoring
  • Power telemetry
  • Equipment inventory and service logs
  • Cabinet-state monitoring
  • Correlation systems for physical and digital events

Methodological point: no single tool gives full understanding. A protected physical environment is one where barriers, monitoring, documentation, and analysis work together.
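Correlation of physical and digital events, the last method and the last data source above, as an added example that is not from the lectures. It walks the layered trust boundary from 04A backwards: a controller configuration change should be preceded by a cabinet-open event, which should itself be preceded by a recorded entry into the zone that holds the cabinet. The inventory mapping, the 15-minute window and the event log are constructed.

```python
# Added example (not from the lectures): correlating physical and digital events
# around one cabinet. Identifiers, window and event log are constructed.
from dataclasses import dataclass

@dataclass
class Event:
    ts: int        # seconds, constructed offsets
    source: str    # "badge" (access control), "tamper" (cabinet door), "plc" (controller log)
    asset: str     # zone, cabinet or controller the event belongs to
    detail: str

# Assumed inventory: which cabinet houses the controller, which zone holds the cabinet.
CABINET_OF = {"PLC-1": "CAB-A"}
ZONE_OF = {"CAB-A": "CTRL-ROOM-1"}
WINDOW = 900   # a physical event older than 15 min is not treated as the cause

def find_prior(events, ts, source, asset, window=WINDOW):
    """Most recent event of this source/asset within `window` seconds before ts, or None."""
    hits = [e for e in events
            if e.source == source and e.asset == asset and 0 <= ts - e.ts <= window]
    return max(hits, key=lambda e: e.ts) if hits else None

def assess(events, change):
    """Explain a controller change by the physical trail that should precede it."""
    cabinet = CABINET_OF[change.asset]
    opened = find_prior(events, change.ts, "tamper", cabinet)
    if opened is None:
        # No local access at all: the change used a network or remote path; check that trail.
        return "change-without-cabinet-access"
    entered = find_prior(events, opened.ts, "badge", ZONE_OF[cabinet])
    if entered is None:
        # Cabinet opened without a recorded zone entry: a trust boundary crossed unseen.
        return "cabinet-opened-without-zone-access"
    return "attributed:" + entered.detail

def review(events):
    """Assess every controller configuration change in the log."""
    return [(e.ts, assess(events, e))
            for e in events if e.source == "plc" and e.detail == "config-download"]

def unattributed_opens(events):
    """Cabinet openings with no zone entry before them (possible cabinet interference)."""
    return [e.ts for e in events if e.source == "tamper"
            and find_prior(events, e.ts, "badge", ZONE_OF[e.asset]) is None]

# Constructed log: one attributed change, one after an unexplained opening, one remote.
EVENTS = [
    Event(100,  "badge",  "CTRL-ROOM-1", "tech:jdoe"),
    Event(400,  "tamper", "CAB-A", "door-open"),
    Event(520,  "plc",    "PLC-1", "config-download"),
    Event(3600, "tamper", "CAB-A", "door-open"),        # no badge event before it
    Event(3700, "plc",    "PLC-1", "config-download"),
    Event(9000, "plc",    "PLC-1", "config-download"),  # nobody opened the cabinet
]

if __name__ == "__main__":
    for ts, verdict in review(EVENTS):
        print(ts, verdict)
    print("unattributed cabinet openings:", unattributed_opens(EVENTS))
```

Neither source alone would reach these conclusions: the tamper sensor cannot say who opened the door, and the controller log cannot say whether anyone was physically there.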

05

Useful Vocabulary

A larger term set drawn from the long-form lectures.


Cyber-Physical System (CPS)

A system that tightly links computation, communication, and physical processes.

Feedback Loop

A cycle where the system measures the result of its action and adjusts the next action.

Real-Time Operation

Behavior where correct timing is essential, not only correct logic.

Sensor

A device that measures the physical world and provides data to the system.

Actuator

A component that turns digital decisions into physical action.

Anomaly

A deviation from normal behavior that may be caused by an attack, fault, or misconfiguration.

Attack

A malicious action intended to compromise confidentiality, integrity, availability, or control safety.

Observability

The ability to see and interpret what is happening in the system and its environment.

Controllability

The ability of the system to influence the physical process as intended.

Segmentation

Division of the network into controlled zones to reduce risk propagation.

Redundancy

Extra components or paths that allow the system to keep working during failures.

Service Port

A local interface used for maintenance or diagnostics that can become a critical security point.

Embedded System

A specialized computing system built into a device to perform a specific function.

Internet of Things (IoT)

A network of connected devices focused on communication, sensing, and platform integration.

Actuation

The execution of a computed command in the physical world.

Telemetry

Data describing the state of an object, process, or infrastructure component.

Traceability

The ability to track where data came from and how it changed through the system.

Data Quality

The usefulness of data with respect to accuracy, timeliness, consistency, and meaning.

Digital Twin

A practical digital representation of a real system connected to its life cycle and operation.

Co-simulation

The coordinated use of several models or simulators to represent one complex system.

Verification

Checking whether a model or system has been built correctly against its specification.

Validation

Checking whether a model or system corresponds adequately to the real target process.

Target Variable

A parameter the system tries to keep within desired bounds.

Disturbance

An internal or external influence that pushes the system away from its target behavior.

Stability

The ability of a system to preserve or recover acceptable behavior after disturbance.

Availability

The property of being operational and accessible when needed.

Resilience

The ability to absorb disruption, adapt, and continue operating acceptably.

Fail-safe

A mode that restricts or stops operation to maintain physical safety.

Fail-soft

A degraded mode where the system keeps partial functionality instead of complete shutdown.

OT

Operational technology: systems directly involved in monitoring and controlling physical processes.

IT

Traditional information technology focused on business data, services, and user systems.

SCADA

Supervisory Control and Data Acquisition systems for centralized monitoring and control.

HMI

Human-Machine Interface used by operators to observe and influence the system.

PLC

A Programmable Logic Controller used for local industrial automation and control.

RTU

A Remote Terminal Unit used to collect data and execute control in distributed systems.

Historian

A system that stores time-series operational data for analysis and traceability.

NetFlow / IPFIX

Flow-level metadata sources that describe who communicated, when, and how much.

Network TAP

A dedicated hardware observation point for passively copying network traffic.

IDS / IPS

Systems that detect, and sometimes block, suspicious or malicious network behavior.

SIEM

A platform that aggregates and correlates logs and security events from many sources.

NDR

Network Detection and Response focused on behavior-based detection in network telemetry.

Baseline

A defined model of expected network or system behavior used to judge anomalies.

Physical Trust Boundary

A boundary where crossing from one physical area to another changes the level of trust and risk.

Protection Zone

A physical area analyzed as a distinct security space with its own access meaning and critical assets.

Tamper Event

An event indicating unauthorized opening, interference, or state change in a protected component.

Environmental Monitoring

Monitoring of operating conditions such as temperature, humidity, dust, vibration, or electromagnetic effects.

Inventory

A structured record of which physical assets exist, where they are, and what role they serve.

Sabotage

Intentional physical interference meant to degrade, stop, or distort system operation.

Operating Envelope

The set of conditions within which the system is expected to function acceptably.

Robustness

The ability of a model or controller to remain effective under uncertainty and imperfect data.

06

Shortest version to memorize

  1. CPS integrates software, networks, and physical processes.
  2. Its behavior depends on sensing, control, communication, modeling, and timing.
  3. Embedded systems and IoT overlap with CPS, but CPS is about closed-loop physical control.
  4. Network security in CPS is really security of observation, control, and process stability.
  5. Normal behavior must be defined before anomalies can be judged.
  6. Physical infrastructure and access zones are part of the security model, not just background infrastructure.