This paper presents a methodology for constructing a multi-layered information security system for cyberphysical systems (CPS), addressing modern challenges related to hybrid and post-quantum threats. The concept is based on five stages: threat probability assessment, preventive modeling, game-theoretical analysis, implementation of post-quantum cryptographic mechanisms (LDPC-based CCS), and multicontour security architecture development. The effectiveness of protection is evaluated using KPI(eff), KPIeffinv, and KPInorm indicators, particularly in the context of mobile wireless technologies (LoRa, Sigfox, LTE-M, NB-CPS). A modification of the GoBack-N protocol is proposed to enhance functional efficiency in wireless memory channels. The proposed models can be applied in the development of secure CPS for critical infrastructure and industrial IoT systems.
cryptographic algorithms, this approach offers a robust foundation for the creation of resilient and effective cybersecurity systems.
Specifically, the study proposes a five-stage methodology for constructing a multi-contour security system for CPS, which includes: assessing the probability of threat realization; forming preventive models based on the Lotka-Volterra equations; evaluating system effectiveness using game-theoretical models; constructing integrated mechanisms for ensuring confidentiality, integrity, and authenticity of information; and developing security strategies based on attacker resources. This structured process enables a systematic and adaptive approach to securing information circulating in CPS.
A central component of the proposed methodology is the use of post-quantum cryptographic systems — in particular, code-based cryptosystems (CCS) utilizing LDPC (low-density parity-check) codes, which enable cryptographic transformations with high performance and moderate energy consumption. This is especially relevant for wireless mobile technologies used in resourceconstrained environments, such as LoRa, Sigfox, LTE-M, and NB-CPS, which are widely adopted in low-power wide-area networks (LPWAN). The research demonstrates that implementing cryptosystems based on LDPC codes significantly increases the overall effectiveness of security systems while maintaining acceptable levels of latency and energy consumption.
Special attention is given to modeling the interaction between the adversary and the CPS defense system. To this end, mathematical tools such as game theory are applied, enabling analysis of conflict scenarios and determination of optimal behavioral strategies under constrained resources. The Lotka-Volterra “predator-prey” model has been adapted to cybersecurity tasks, incorporating the hybrid nature and synergy of threats, as well as the financial and computational capabilities of the adversaries.
The study also presents a methodology for calculating the functional efficiency of CPS, considering the probability of packet delivery, packet size, delivery time, system resilience, and more. This methodology forms the basis for KPI-based security analysis, supporting economic justification for the implementation of security technologies and ensuring the reliable operation of CPS in highthreat environments.
Thus, the conceptual framework presented in this work combines advanced techniques in mathematical modeling, post-quantum cryptography, and intelligent risk assessment. It provides the foundation for implementing an effective, flexible, and resilient information protection system for CPS in a time of rapid technological progress and increasingly sophisticated cyber threats. The relevance of this topic is confirmed by the growing number of cyber incidents affecting critical infrastructure, the need to adapt to novel threats (including those emerging with the development of quantum technologies), and the high demands for reliability, energy efficiency, and uninterrupted operation of CPS across various domains of human activity.
The creation of large critical infrastructure systems and the intensification of research into the dynamics of CPS require constant improvement and updating of the current apparatus for modeling and controlling dynamic systems [1, 2; 3; 4, 5, 6]. Recently, the center of gravity of research has shifted towards the development of a methodology for dynamic systems with changing parameters. The use of methods for analyzing such systems allows us to dramatically expand the range of tasks to be solved.
Based on research [
It includes five stages [
To determine the probability of the impact of threats on CPS, we use an expert approach to forming a threat classifier. To form an expert assessment, we use a modification of the threat classifier, which is implemented programmatically at the link https://skl.sspu.sumy.ua/threat.
To obtain an assessment of the current state of information security based on the proposed concept of a two-circuit information protection system CPS, let us assume that “1” corresponds to the maximum level of security provided by the security system as a whole, and “0” corresponds to the absence of the required level of information protection.
To determine the probability of a threat being realized with the limiting capabilities of protection A and the limiting capabilities of attack B, we will use the probability density function of the random variable x – F(x). The specified probability is determined by the difference F(B)–F(A), where A is the limiting level of capabilities of the defense side, B is the limiting level of capabilities of the attack side.
Threats to security components CS
BS
IS
EXTERNAL SAFETY CIRCUIT Protocol Lora/CCC Niederreiter ІoТ device
Encryption/Deciption ССС Niederreiter modifying
LDPC-code
Server TrCPSS ESLRA = Tri | (PiA − CiA ) 0Tri Tr TrLCPS = arg max TrlTrCD Kl Kl
D A Model taking into account the relationships between prey species and predator species Assessment of the intensity of changes in the level of security
SECURITY ASSESSMENT OF CYBERPHYSICAL SYSTEMS based on a finitCeFSstate machine H
Formation of the security level transition function Very Low SI 0,2
Low Middle High Critical 0,2 SI 0,4 0,4 SI 0,6 0,6 SI 0,8 0,8 SI 1,0 ССС Niederreiter on LDPC, МЕС, Loss-making codes Security level B А
Secret key a1, , an Session key |V1|, |V2|
H, X, P, D Key data generation Protocol
Hx = X × G × P × D i
SX = e × HXT
SX Encryption
X-1, P-1, D-1 SX = cX* × HXT c` = cX* × D-1 × P-1 c` = i` × G + e` e = e` × P × D Deciphering i
The level of security is defined as the share of those resources protected from cyberattacks as (1) (2) S = F ( B) − F ( A) =
B −
1 2
1 t− 2 e dt − 2
A −
1 2
1 t− 2 e2 dt.
To ensure the security of the entire protection system, we take into account the threats of the
internal and external contour:
– threats of the internal contour taking into account hybridity and synergy [
WsCynPeSrSg ESL Au
WsCynPeSrgESL Inv , HSMSecret keys of CCC key selection generator
CCC
Key generator (Niederreiter ССС) Cyberspace platform 3 2
wireless communication channels
1 coder/decoder (Niederreiter ССС ) Sensors, sensors, CPS elements
Service Cloud Сloud computing
Encoder (Niederreiter ССС)
Outer contour wireless communication
channels coder/decoder (Niederreiter ССС)
wireless communication
channels wireless communication channels
LPWAN alternatives (e.g., Sigfox, LTE-M,
NB-CPS
Inner contour (3) (4)
Cybersystems Platform
Analysis of the classification of attackers allows us to form the set {Hj} CPS ISL, which determines
the levels of influence on the CPS of the internal circuit, as well as the set {Hj} CPS ESL, which
determines the levels of influence on the CPS of the external circuit. We determine the weight
coefficient of the attacker's "danger" by the formula [
N i=1
ICCPSS i = ( iICS iCРS ) prj rmotiv , iCPSS ISL = WcCpPSS ISL WcCasPhSS ISL
T CPSS ISL , CPSS ESL = WcCpPSS ESL WcCasPhSS ESL i
T CPSS ESL – opportunity weights offender for CPS ISL and CPS ESL (in accordance);
– the offender's computing resources
– economic opportunities of attackers.
The data on the criteria and indicators of expert assessment of its detection are given in the works
[
Stage 2. Formation of models of preventive measures based on the Lotka-Volterra model [
Development of evolving CPS security models, taking into account the computational capabilities and the direction of targeted cyberattacks.
The number of objects representing attack targets, taking into account their hybridity, can be represented as follows:
N1 = Q N1Ci AiC + N1Ii AiI + N1Ai AiA + , i=1 + N Au AAu + N Aff AAff
1i i 1i i
When implementing the algorithm, it is assumed that the parties to the conflict determine the
criticality of cyber threats, which are economically feasible to carry out and/or which need to protect
information resources (CPS), first of all. The birth rate of “victims” α is proposed to be used from [
Weighting coefficient evaluation indicators CiРS Ci РS Category Critical
High Average
Low
Very low The coefficient of possibility of preventive measures is represented as:
WcCpPS
(5) rmotiv
In [
These elements form the basis of a taxonomy of games and their models. Models built on game theory help to identify a number of relevant tasks for ensuring key aspects of security: confidentiality, integrity, availability and authenticity.
Stage 4. Building integrated mechanisms to ensure confidentiality, integrity, authenticity and
reliability of CPS information resources [
To provide basic services, it is proposed to use Niederreiter CCS, which are discussed in detail in
[
The formation of the public key for the Niederreiter CCS is carried out by multiplying the masking matrices by the generating or verification matrices:
H LDPCu = X u H LDPCu Pu , u {1, 2,..., r}.
Xai The syndromic sequence is transmitted to the communication channel:
S * = ( en ) H LDPC T .
Xai where is an additional session key for each information packet. A specific algorithm is used for Niederreiter CCS.
On the receiver side, the authorized user, knowing the masking matrices, applies a fast soft decoding algorithm for decryption.
The use of post-quantum asymmetric cryptosystems allows achieving the required level of security in providing security services. The use of LDPC codes allows for easy integration of mobile wireless technologies based on IEEE802.XX standards.
At stage 5, the state is determined and strategies are formed for building multi-circuit protection systems.
It is proposed to divide the CPS into two subsystems: security and infrastructure. The inner loop of the CPS provides the necessary set of services and functionality, while the outer loop is a management system (MS) built on the basis of a synthesis of wireless networks and cloud technologies. (7) (8)
This approach facilitates the synthesis of internal and external circuits, taking into account the operational efficiency, energy efficiency and relative security of each of them. In addition, it allows you to objectively assess the threats of each circuit, taking into account the computing resources and financial capabilities of attackers. Fig. 1–2 presents a structural diagram of the concept of two-circuit security CPS.
Based on the research conducted, a comprehensive indicator of CPS functional efficiency has been proposed, which allows assessing the overall performance and reliability of the system, taking into account security, confidentiality, economic costs, and quality of service.
To build a model of a complex indicator of CPS functional efficiency taking into account the proposed factors, it is necessary to determine how each of them affects the overall efficiency of the system and combine them into a formula.
The methodology for assessing the functional efficiency of data transmission based on a complex indicator allows you to obtain emergent properties, taking into account the synthesis of a complex indicator of the effectiveness of investments in the security of CPS information resources, the results of the assessment of modern threats in CPS, their hybridity and synergy, as well as the results of an express assessment of the stability and efficiency of the software (or software-hardware) implementation of cryptographic algorithms.
Calculating the efficiency indicator KPI(eff) and taking into account the parameters, the calculation for each technology requires normalization of the parameters.
B – security system stability for the chosen strategy
To calculate the comprehensive indicator of the effectiveness of investments in ensuring the security of information resources in LPWAN, KPIeffinv, a normalized multifactor approach can be used. The calculation uses parameters such as energy efficiency, power consumption, and security system stability, which can affect the security of information resources.
The coefficient of the comprehensive indicator of the effectiveness of security investments KPIeffinv (LPWAN) can be represented as a weighted sum of normalized factors:
KPIeffinv = w1 w4
Bi Bi max
P
P max + ... + wт + w2
Bn Bn max ,
Ef Ef max + w3(1 −
Ed
) + Ed max (10) w 1,m, B i, Ef – energy efficiency.
Ed – energy consumption.
Bi – stability of the security system. wi – weighting factors (determine the importance of each factor).
Parameters marked max are the maximum possible values for normalization. All weighting factors are equal to 0.25.
To calculate the efficiency indicators KPI(eff), it is necessary to use the changed degree of information secrecy when applying crypto-code constructions on the proposed LDPC codes, allowing to provide an integrated increase in the level of reliability (due to error correction properties), efficiency (compatible with symmetric cryptography algorithms in terms of cryptographic conversion speed) and the required level of energy consumption, the results of comparative studies on the criteria of efficiency, energy consumption. Synthesis with the proposed technologies based on CCS (NSCC) will allow not only to provide the required level of the main criteria of modern wireless networks, but also to fundamentally change the methodological foundations of building security systems.
Thus, Lora technologies with post-quantum protection algorithms - crypto-code constructions with LDPC codes, which allow building asymmetric and/or hybrid cryptosystems (LoRa HSCC and LoRa CCC) allow ensuring the necessary level of efficiency in the post-quantum period. This takes into account not only the possibility of counteracting targeted (mixed) attacks with signs of hybridity and synergy (the possibility of integration with social engineering methods), but also increasing the level of reliability and the possibility of their use in smart technologies with limited energy-intensive requirements. To increase the functional efficiency indicator KPI(eff) CPS, it is proposed to use data exchange management protocols that will ensure the necessary indicators: data transmission efficiency, noise immunity and security.
One such protocol is the Go-Back-N loopback data exchange control protocol, which allows for the required level of functional efficiency of the CPS.
KPI(eff)
1 0.5
To evaluate the CPS of continuous frame feedback control, the efficiency is calculated as follows
[
The generalized formula has the following form:
KPI (eff _GBN ) = B P (1 − Pretry) KPIeffin KPInorm, (11) where Pr etry factor takes into account the probability of retransmission of packets in the event of an error. This factor is critical for “Go-Back-N” because it must take into account the probability that an error could lead to a retransmission.
To calculate KPI(eff) by the Return-to-N method for channels with memory taking into account the probability of packet errors, taking into account the probability of an error within a packet, the mathematical expectation of the length of the packet errors, and the standard deviation of the values given in Table 3, we will use the following modified formula
KPI ( eff _ GBN _mem ) = ( (1 − ( where Ре – probability of an error in the package.
E(L) – mathematical expectation of the length of the error packet.
σ(L) – standard deviation of the error packet length, which takes into account the variability in the number of packets that can be lost due to errors.
(
– cumulative distribution function of the normal distribution (Laplace function), which takes into account the probability of an error in the batch (the closer the function value is to 1, the greater the probability that errors will be detected and corrected).
Analysis of Fig. 3 and Table 3 shows that the use of crypto-code structures with LDPC codes (LoRa CCC with LDPC codes) and hybrid crypto-code structures with LDPC codes (LoRa CCC with LDPC codes) increase the complex efficiency index by an order of magnitude by providing security services (confidentiality, integrity and authenticity of data). However, in the conditions of using a full-scale quantum computer and additional use of the damage algorithm (multi-stream cryptography), the complex efficiency index decreases by 9% (LoRa HCCC with LDPC codes KPIeff is 0.7505, and LoRa CCC with LDPC codes KPIeff is 0.5273), but at the same time the required level of security is ensured.
KPI(effGBN_LoraCCC) KPI(effGBN_LoraНCCC)
KPI(effGBN_EC-GSM-CPS) KPI(effGBN_NB-CPS) KPI(effGBN_Lora) KPI(effGBN_LTE)
KPI(effGBN_Sigfox)
The channel model with memory provides a more “objective” model of real communication channels, as it takes into account the possibility of packetization of errors in the channel. The results shown in Fig. 4 and Table 3 confirm that the complex efficiency indicator, as well as the channel model without memory, increases by 10% (LoRa HSCC with LDPC codes KPIeff is 0.917235, and LoRa CCC with LDPC codes KPIeff is 0.644446). However, the necessary level of security is ensured, which in the conditions of the emergence of a full-scale quantum computer (post-quantum period) and the action of targeted (mixed) attacks with signs of hybridity and synergy provides the necessary level of security of the CPS infrastructure elements.
The proposed methodology for assessing the flow state of an automated data transmission system via wireless communication channels provides an increased level of objectivity in assessing not only targeted attacks (taking into account the financial, computational and human capabilities of the attacker). In addition, it provides an analysis of critical points (points of possible unauthorized penetration into the infrastructure), as well as the ability to counter cyberattacks based on special mechanisms, taking into account the security levels that are defined.
This study presents a comprehensive methodology for constructing a multi-contour information security system for cyber-physical systems (CPS), addressing the current challenges associated with hybrid and post-quantum threats. The proposed approach is strategically significant for the protection of infrastructure operating in a dynamic technological landscape characterized by rapid growth in wireless communication and computing technologies.
The methodology is structured around five interrelated stages: assessing the probability of threat realization, modeling preventive measures using the Lotka–Volterra equations, applying gametheoretical models to evaluate protection strategies, implementing post-quantum cryptographic mechanisms based on LDPC codes, and designing an adaptive multi-contour CPS security architecture. This transition from reactive to proactive cybersecurity management ensures both realtime threat mitigation and systemic resilience.
The first stage introduces a method for estimating the likelihood of threat implementation using a probability density function that compares the defensive and offensive capabilities. The model considers both external and internal threats and incorporates hybrid and synergistic characteristics of attacks, offering a robust and realistic assessment framework. This dual-contour perspective enables the differentiation between system-level vulnerabilities and network-level exposures.
At the second stage, preventive actions are modeled through a modified Lotka–Volterra system, traditionally used to represent “predator-prey” dynamics. This model allows the representation of economic and computational resources available to both attackers and defenders. Key coefficients (α, β, γ, φ) reflect the aggressiveness, resilience, and scalability of both threats and defensive mechanisms, providing a simulation framework for developing rational defense prioritization.
The third stage employs game theory to analyze the interactions between attackers and system administrators, allowing the definition of optimal (pure or mixed) strategies under conditions of uncertainty and limited resources. This approach is particularly useful for modeling real-time decision-making and enables the elimination of non-viable defense scenarios in complex adversarial environments.
In the fourth stage, the research focuses on designing cryptographic mechanisms that ensure confidentiality, integrity, authenticity, and trustworthiness of transmitted data. The study justifies the use of CCC Niederreiter built on LDPC codes, which demonstrate high efficiency, fault tolerance, and low computational overhead. These cryptosystems are compatible with resource-constrained mobile and wireless devices and provide resilience to attacks from quantum computing.
The fifth and final stage proposes a dual-contour architectural model for CPS, separating the system into operational (internal) and managerial (external) subsystems. The internal contour manages service delivery and real-time control, while the external contour integrates wireless and cloud-based technologies for remote administration and communication. This division ensures layered security and allows for differentiated risk assessment and mitigation strategies for each subsystem.
In addition to the architectural framework, the paper introduces a novel method for evaluating CPS functional efficiency under adversarial conditions. The proposed KPI(eff) metric aggregates parameters such as data delivery probability, packet size, delivery time, security robustness, and energy efficiency. It was demonstrated that the integration of LDPC-based cryptographic mechanisms in LoRa wireless technologies significantly improves these performance indicators compared to other LPWAN alternatives (e.g., Sigfox, LTE-M, NB-CPS).
Furthermore, the study assesses the impact of modifying the Go-Back-N protocol for wireless channels with and without memory. It was shown that accounting for retransmission probabilities and packet error rates improves reliability and bandwidth utilization in noisy environments, thus enhancing communication stability.
The major scientific contribution of this work lies in the formalization of a layered security strategy for CPS using mathematical threat behavior models, advanced cryptographic techniques, and real-time efficiency evaluation tools. This approach provides a framework for adaptive security systems that not only defend against external intrusions but also dynamically respond to evolving threats and self-correct their operations.
The findings of this research are applicable to the design of secure CPS across a range of industries, including smart grids, industrial automation, e-health, intelligent transport systems, military technology, and smart cities. They also open new avenues for future studies in adaptive selforganizing cybersecurity mechanisms, hybrid cryptographic systems, and resistance to adversarial AI and quantum computing-based attacks.
In conclusion, the proposed methodology increases the overall efficiency of CPS security systems by 4.78% (based on KPI calculations) and lays the foundation for a paradigm shift from passive defense to emergent security governance. In an era where digital resources are strategic assets, such an approach ensures sustainable, secure, and intelligent operations of next-generation CPS. Declaration on Generative AI The authors have not employed any Generative AI tools.