CNI makes up the backbone of a nation. The UK Joint Committee, which reviews their national cyber-strategy, discusses their currently designated critical sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water [44]. These point out that the government must now consider the interdependence complexities. Additionally, each nation has different designations and justifications for their CNIs, leading to them having identified other sectors and sub-sectors within their frameworks [45]. However, they all share similarities across the sectors and sub-sectors, meaning that analysis can be applied across different national-framework structures. These systems are comprised of CPSs, which operate across both physical and cyber domains. These systems have additional capabilities through introduction industrial internet of things (IIoT), giving net capabilities the ability to monitor and control. One of the core principles when conducting cyber-security within CNI architecture is its capable resilience against adverse events. The systems must handle negative events through either system failure or negative events, as the loss of these systems causes a major threat to human life and other long-lasting impacts if disabled.

Smart cities encompass critical systems in city infrastructure being implemented with improvements to interactivity, networking, and monitoring technologies across all aspects of daily life. Some of the technologies, such as internet of things (IoT), allow for integrating networking capabilities across a wide array of devices, with the adoption of sensors to help facilitate data collection for a multitude of purposes. Many governments are beginning to pursue the adoption of SCI. For example, the UK discusses the advantages offered and current progression into smart cities [46]. New and previous aspects will develop telecommunication capabilities, allowing for the transfer of data and individual interactivity between these systems. Cyber-security aspects of SCI, within the much wider field of CNI and critical infrastrucure interdependency (CII) research, are developing the best possible solutions through analytical frameworks through identified metrics to counteract malicious activities. Smart grids are a current development within these systems where their core goal is the inclusion of both utility and customer system interactions. Improvements across a wide array of different areas regarding environmental, reliability, and energy capabilities [47]. However, these enhancements to energy sectors highlight new attack surfaces that further complicate cyber-security implementations and magnify the intensity of preceding vulnerability.

A core aspect of both smart city systems and critical national infrastructure is their inherited interdependence, split across four different dominions physical, cyber, geographical, and logical [48,49]. Being both complex and intertwined, this system of systems can lead to the major issue of cascading failures, where the failure can lead to a rippling effect throughout the national level. First, individual failure can cause other entities to lose functionality and influence, while others, such as cyber-attacks, affect a certain device to control the overall system’s effectiveness. Secondly, the failure of specific SCI or CNI leads to the failure or impacted effectiveness of other CNI sectors within a larger context, causing cascading failure down these relationship webs. Understanding the relationships between the different sectors and sub-sectors is necessary to understand how individual and sector-wide impacts identify the key contributing influences. The application of weighted metrics towards these influences can help provide a comparative perspective across them, allowing a much further in-depth analysis regarding identified CII [50], where threat actors can exploit these newly developed systems and cause these cascading effects throughout their targeted system and affect other key critical infrastructures.

Cyber-security analysis is an important component in developing truly effective defensive mechanisms. There are an array of different threats that target SCI critical sectors, which can be highlighted in cyber-attacks targeting the smart grid. Many traditional threat actors can affect these systems similarly to typical computer systems. However, the impacts that they can make through technologies, such as CPSs, has much higher importance and cause for concern [26]. Modelling both the SCI and its interdependencies is one of the newer research areas, and most proposed methodologies provide a theoretical framework for understanding these complex systems and how threats can propagate and influence the entire ToE. Many different directions of threat modelling can achieve across systems to identify the objects determining their corresponding risk and vulnerabilities, which is used to provide informed decision-making on how best to implement cyber-security. CPS has caused previous typical models to be ineffective against these new systems [51], which has led to the further development of them or the creation of new methodologies through different technologies able to test for casual relationships and multi-layered system architectures. Similar to risk assessment methodologies, the objective depends on the methodology reviewed, where risk regarded to the system is calculated through values associated with resilience and other associated metrics. For example, vulnerability analysis focused methods look toward the success of a malicious cyber-attack against the modelled node. In contrast, risk-based approaches highlight the threat actors’ actions that could affect the system through variables of probability, damage, and likelihood [27]. Both focuses are key to understanding the complex nature regarding SCI, which attributes can be heavily dissected to understand ToEd systems fully.

BN is a probabilistic graphical modelling methodology which is a directed acyclic graph (DAG) [25] that has an array of purposes. First, it can be used to model the complexities of CPSs and has been at the forefront of proposed research methodologies [8]. Second, Bayesian models use nodes representing their conditional probability table (CPT) and their individual directed links between them, which can be used to calculate uncertainty. Third, CPTs are generated through interfacing from either expert opinion or data-based approaches [13]. Finally, these models can be structured through an array of different node types, dynamic complexities, and interactions between each other [52]. These benefits highlight Bayesian approaches as an effective method to understanding the complex intricacies regarding SCI, with the capabilities to MaS the interdependencies [25] regarding CPSs and understanding the relationships between both individual systems and sub-sectors to predict the cascading effects throughout the overall infrastructure.

There are many different alternate variations of BNs, such as dynamic Bayesian networks (DBN)s, which incorporate the concept of time, taking the form of temporal nodes within the model. This methodology can be more extensive in breaking down the targeted system into discrete or continuous temporal variables tracking changes throughout a time series analysis [22]. Its main purpose is to provide probability calculations regarding individual entities and events for distinguishing the probability of effects, such as cyber-attack propagation, impact, and cascading failures [2]. These characteristics highlight Bayesian-based approaches’ potential for providing a pragmatic solution. Developing and synthesising BN threat modelling methodologies have tailored individual characteristics that direct the conclusion provided through the analysis.