The literature review is focused on identifying the most prominent concepts present in current models, infrastructures and frameworks, from over 90 academic, government and industry papers, reports, and technical notes, published predominately between 2010 and 2020. In our search for data records, we used predominately Google Scholar and the Web of Science Core Collection. For selecting the academic literature, we found Google Scholar more flexible when adding more search terms. For example, when adding multiple terms in the Web of Science Core Collection, with the Boolean: AND, the search results are limited. We searched for TOPIC: (artificial intelligence) AND TOPIC: (industrial internet of things) AND TOPIC: (internet of things) AND TOPIC: (cyber physical systems) AND TOPIC: (industry 4.0). This search on the Web of Science Core Collection produced only 25 data records. If only one of the Booleans: AND is changed to OR, then the data records change to hundreds of thousands, but its relevance to the correlated topics diminishes, and focus is placed on the one topic searched with the Boolean: OR. We repeated the same search with Google Scholar, with all topics TOPIC: (artificial intelligence) AND TOPIC: (industrial internet of things) AND TOPIC: (internet of things) AND TOPIC: (cyber physical systems) AND TOPIC: (industry 4.0). The same search on Google Scholar produced 20,700 data records. Hence, to ensure the relevance to all of the topics we investigated, of our selected data records, we used predominately the Google Scholar search engine. Since both databases contain articles from the same journals, and Google Scholar search engine is more effective in search queries on many topics, using Booleans, we considered this as valid argument for selecting the most relevant data records.
Since the existing CPS architecture that we reviewed and tried to update was published in 2015, we tried to include literature predominately from the time period between 2015 and 2020. However, some of the most important literature from 2010 to 2020 is also included, and for inclusiveness, a very few articles from before 2010 are included in the review. Considering the purpose of this review was to update our understanding of CPS architecture, we didn’t conduct a historic analysis of all relevant literature. Instead, we considered that the CPS architecture from 2015 included knowledge from historic literature, and our aim was to update that knowledge with the most recent findings on CPS architecture.
Concepts that are recognised as most prominent, are categorised following the grounded theory approach for categorising emerging concepts [7]. This process is detailed in the ‘Methods’ chapter. As a result of following the [7] research approach arguing that ‘all you see is data’, the categorising of most prominent concepts identified from over 90 different sources, the emerging categories of concepts are diverse in research nature. Throughout the paper, the reader meets terms related to: (1) economic potential; (2) cognitive design; (3) risk engineering; (4) correlation effect; (5) cognitive feedback; (6) ‘unrecognised and outdated data. These 6 terms, are just examples of the plethora of different terms and concepts that emerge from our literature review on the topic of cyber physical system architecture. We categorised these terms and concepts, and redesigned the exiting 5 levels of cyber physical system architecture - or 5C (Figure 1)..
The grounded theory method is applied to categorise these diverse terms and concepts, to the existing architecture that comprises 5 levels of cyber physical systems or 5C (Figure 1).. The grounded theory approach is used to categorise these new terms and concepts, emerging form the literature review, and organised into cascading hierarchies of actions (in Table 1),, presented as summary maps. The importance of these diverse concepts and the relationship between seemingly unrelated concepts, is what coheres to the design of the proposed hierarchical cascading approach (in Figure 2)..
The complexity of the literature coherent design, becomes more explicit with examples that are presented throughout the paper. The examples place the paper within the experiential and cultural practice of engineering. Here we present one explicit example of how the research questions that are drawn from the literature review, are then included to drive new finding and contributions on the identified gaps in existing literature. The first example is used to drive conceptual and theoretical underpinnings of the research gap. This example from literature derives findings that the exact economic impact of cognitive CPS infrastructure remains to be determined [8], although cognitive CPS systems will represent a large percentage of future ICT application in industry [9]. This situation presented in this example requires a new approach for integrating the physical and cyber subsystems of cognitive CPS. The new approach needs to provide an overall understanding of the design, development, and evolution of cognition in CPS, and needs to integrate theories of artificial intelligence, control of physical systems, as well as their interaction with humans.
Such approach is especially needed for developing nations that lack an I4.0 strategies, but also for more developed countries—such as the UK and USA. The UK has been ranked as the overall global cyber superpower followed by the US [10]. It is also reported that the UK and US are strongly protected to withstand digital infrastructure cyber-attacks, which is crucial in developing a resilient digital economy. However, in the index quantifying industrial applications in digital infrastructure key sectors, the UK drops down to the 5th place and the US to the 3rd place. This seems to be partly due to the UK and US lagging behind other countries in terms of harnessing economic value from the I4.0 [10]. This could be caused by the lack of cognitive abilities in the Internet of Things (IoT) deployment [11].
The literature review continues with identifying, categorising and relating emerging concepts to the conceptual and theoretical underpinnings of the arguments that cohere to the conceptual framework design.
3.1 Values and risks from intrusive autonomous self-building connected technologies (IoT, Edge computing) in cyber physical systems
One of the main drives for artificial intelligence in cyber physical systems is value creation. Our society is driven by social-economic values. Organisational goals are always based on some form of values. For example, governmental and non-governmental sectors are driven by the development of societal values. Private organisations are often driven by economic values. One of the main drives for value creation is the emerging new data streams that enable understanding of new events in real-time, and predicting future events. This new and emerging data comes at volumes that only AI can process with low-latency. Since this value emerges from cyber physical systems, it becomes inevitable that autonomous AI will evolve in economic and societal decision making.
This process is already in motion, triggered by the enormous economic potential for hyper-connected economy. Literature recognises that important future business opportunities lay in the networking potential of digital economy [12]. The infrastructure for smart manufacturing technology could create large cost savings for manufacturers [13] and enable faster development of economies of scale [14]. Industrial Internet, or ‘Industry 4.0,’ supports a finer granularity and control to meet individual customer requirements, creates value opportunities [15]–[18], increases resource productivity, and provides flexibility in business processes [19]. The integration of cognitive cyber-physical capabilities into IIoT arguably requires a new process for integrating physical and cyber subsystems—including an overall understanding of the cognitive design, development, and evolution of CPS and IIoT. Gaining such understanding may require consolidation of IIoT theories for control of physical systems and the interaction between humans and CPS [9], [20], [21].
On the other hand, the US National Institute of Standards and Technology (US NIST) deliberately stays away from formalising any process model in this space [22], [23]. Instead, their recent Framework for Cyber Physical Systems proposes sets of artefacts and activities that could be considered by organisations in the deployment of CPS. These proposals are the result of formal ontologies of digital artefacts and their interactions with the exterior world. The US NIST identifies three main views on CPS that encompass identified responsibilities in the systems engineering process: conceptualisation, realisation, and assurance. Each of these three views corresponds to fundamental processes in the life of cognitive CPS, respectively: (1) Models of CPS (design), (2) the CPS itself (implementation), and (3) CPS Assurance (validation). The trade-offs between different instantiations of these processes as well as between critical aspects such as Security, Safety, Business, and Privacy need to be understood. In this context, Risk Engineering is proposed as an activity embedded in the design, development and lifecycle of the future CPS and IoT systems [24]. This assumes that cyber risk is just one instantiation of risk for an organisation or product, and therefore should be subject to the higher processes of compliance and regulation in each domain. Building on this understanding of risk, a cognitive feedback approach is need for formalising compositional ways to reason about cyber risks in an I4.0 context. For example, what we could do to understand and measure the systemic IIoT risk, is to create a requirement for automatic sharing of cyber-attacks data records, between IIoT supply chains. If IoT connected devices are reporting the standalone risks of a sole company, this would enable supply chain participants to understand and differentiate between stand alone and systemic cyber risk. However, when IoT connected devices start reporting on standalone risks of a sole company, this could create duplicate data records, collection of irrelevant data records, and many other complications. Hence, the cyber-attack reporting, needs to include an element of cognition, possibly in the fog computing layer, because it would be challenging to implement cognition in the edge computing systems.
3.2 Argument for cognitive analytics
The arguments for cognitive feedback approach emerge from the inherent risk in integrating the physical with the cyber world, where cyber risk environment is constantly changing [25], and estimated loss of cybercrime varies greatly [26], [27]. The real impact of cyber risk remains unknown [28], mainly due to lack of suitable probabilistic data and lack of a universal, standardised impact assessment framework [24], [29]. To develop such a framework, accumulated risk needs to be quantified in real-time and shared across technology platforms [30]. This requires a dynamic understanding of the network risk. In addition, new risk elements that require cognitive analytics also need to be quantified, such as intellectual property of digital information [31] and the impact of media coverage [32].
3.3 Review on existing cyber risk analytics
The Cyber Value at Risk (CvaR) model [33], represents an attempt to understand the economic impact of cyber risk for individual organisations. CVaR provides cyber risk measurement units, value analysis methods related to the cost of different cyber-attacks type [34], and proof of concept methods that are based on data assumptions. Given the lack of data needed to validate the CvaR model, these studies calculate the economic impact based on organisations’ ‘stand-alone’ cyber risk and therefore ignore the correlation effect of sharing infrastructure and information and the probability of cascading impacts, which represents a crucial element of I4.0. These limitations of the CvaR model are of great concern, e.g. in sharing cyber risk in critical infrastructure [35]. Critical infrastructures are vital for strong digital economies, but issues of synchrony, components failures, and increasing complexity demand development and elaboration of new rigorous CPS methods [36]. In the absence of a common reference point of cyber risks, existing cyber risk assessment methodologies have led to inconsistencies in measuring risk [37], which negatively affects the adaptation of I4.0. Assessment of IIoT cyber risk in I4.0 should be based on a system that enables cognitive assessment of the cyber network risk, not only the stand-alone cyber risks [38] of a sole company [39].
3.4 Review of financial assessment of cyber risk from CPS
In early literature, existing financial models have been proposed to assess information security investment [40]–[42]. However, cyber risk covers more elements than information security financial cost, such as brand reputation [43] or intellectual property [44]. In terms of modelled economic and financial impact of massive cyber-attacks, additional questions emerge in relation to the impact on public sector, rethinking of business processes, growth in liability risk, and mitigation options [45]. Such economic evaluations trigger a debate between limited economic lifespans of digital assets, and value in inheriting ‘out of date’ data [46]. In an I4.0 context, cyber risks are not simply associated with machines and products that store their knowledge and create a virtual living representation in the network [47] but also to the global flows and markets they are part of.