The Four Pillars of CPS Security Architecture in Manufacturing
Cyber-physical system (CPS) security architecture for critical manufacturing infrastructure organises around four distinct technical pillars, each targeting a different layer of the attack surface: digital twin-based anomaly detection, access control and PLC runtime monitoring, physical signal overlay networks, and automated security configuration generation. This four-pillar structure emerges directly from an analysis of more than 30 patent records spanning nine jurisdictions — the United States, European Patent Office, WIPO, Japan, Korea, China, Canada, Brazil, and Australia — filed between 2019 and 2026.
The dataset reveals that no single architecture is sufficient. Attacks on manufacturing CPS can originate at the digital protocol layer, at the physical signal layer, within PLC execution runtimes, or through misconfigured security policies introduced during engineering. Each pillar addresses one of these vectors, and the most robust deployments layer all four. As standards bodies including IEC and NIST continue to develop frameworks for operational technology (OT) security, the patent record provides a forward-looking view of where commercial and academic innovation is concentrating.
A cyber-physical system integrates computational elements — software, networks, control logic — with physical processes and actuators. In critical manufacturing, CPS includes industrial control systems (ICS), programmable logic controllers (PLCs), distributed control systems (DCS), and the sensors and actuators they govern. A cyberattack on a CPS can therefore produce direct physical consequences: equipment damage, production disruption, or safety incidents.
The dominant assignee by volume in this patent dataset is Siemens Aktiengesellschaft, which holds multiple active and pending patents centred on digital-twin-based manipulation detection. Other significant contributors include AO Kaspersky Lab, Fisher-Rosemount Systems, Omron Corporation, Mitsubishi Electric, ABB Switzerland, Mission Secure Inc., and academic institutions including Chungbuk National University and Zhejiang University.
CPS security architecture for critical manufacturing encompasses four primary technical approaches: digital twin-based anomaly detection, overlay and defense-in-depth security for process control networks, automated security configuration generation and PLC-level monitoring, and simulation platforms and honeypot architectures for vulnerability assessment and penetration testing.
Digital Twin-Based Manipulation Detection: The Dominant Paradigm
Digital twin parallelism is the most technically sophisticated and commercially active approach to real-time CPS security in manufacturing: a Digital-Twin-Unit (DTU) runs alongside the live system, continuously comparing replicated sensor/actor-signal-information (SASIrp) against live signals to identify manipulation — whether from a cyberattack or manual interference — without requiring any modification to the CPS itself. Siemens Aktiengesellschaft has prosecuted this architecture across at least six patent records spanning EP, WO, and US jurisdictions, with filings progressing from 2022 foundational applications through to active EP grants and pending US applications as recently as 2025.
Siemens Aktiengesellschaft’s Digital-Twin-Unit (DTU) architecture for CPS security runs a parallel digital replica of the live cyber-physical system, cyclically comparing replicated sensor/actor-signal-information (SASIrp) against live signals to detect cyberattacks or manual manipulation in real time — a method that requires no modification to the production CPS.
A critical refinement in Siemens’ patent family is the inclusion of an environmental model that accounts for external and ambient conditions when evaluating signal deviations. In a 2024 US pending filing, the architecture specifies that a manipulation is only confirmed if, after discounting environmental model impacts, a significant deviation remains. This design choice is essential in manufacturing environments where temperature, mechanical load, and throughput variance regularly affect sensor readings — preventing false positives that would otherwise erode operator trust in the detection system.
“A manipulation is only confirmed if, after discounting environmental model impacts, a significant deviation remains — a design choice essential in manufacturing environments where ambient conditions regularly affect sensor readings.”
The digital twin concept extends beyond reactive detection into continuous system improvement. Siemens’ 2022 EP filing on optimising CPS system artifacts proposes iteratively improving the quality of CPS design, implementation, validation, and documentation by monitoring interface usage patterns. This positions digital twin technology not merely as a surveillance instrument but as a continuous hardening engine — reducing the attack surface introduced through software complexity over the operational lifetime of the system.
Telefonaktiebolaget LM Ericsson extends the paradigm further through an intent-based safety policy layer. Rather than comparing raw sensor telemetry directly, their 2022 patent proposes that a safety component checks combined sensor data from all available CPS sensors against predefined intent-based safety policies — policies that encode desired operational state invariants. This abstraction layer is particularly valuable in complex manufacturing settings where rule-based threshold comparisons are insufficient to capture systemic or multi-vector threats.
Explore the full Siemens digital-twin patent family and map competing CPS security architectures in PatSnap Eureka.
Analyse CPS Patents in PatSnap Eureka →PLC Monitoring, Access Control, and Process Network Defense
At the operational technology (OT) layer, the programmable logic controller (PLC) is the critical enforcement point for CPS security in manufacturing — because PLCs control physical actuators, exploitation of PLC execution vulnerabilities can cause direct physical harm, not merely data loss. The patent record reveals three distinct architectural strategies addressing this layer: deception-based access control, runtime execution monitoring, and physical signal overlay networks.
AO Kaspersky Lab has developed an architecturally novel access control system in which a security tool analyzes messages transiting the CPS, injects fictitious messages to test whether correct authorization data is returned, and uses a monitoring rule to alter functional CPS module states upon detection of unauthorized access. This deception-based authorization verification — active in the European Patent Office as of 2021 — embeds probing directly into the production CPS network rather than relying on passive traffic inspection, closing a gap that purely observational tools leave open.
AO Kaspersky Lab’s CPS access control system injects fictitious messages into the production CPS network to verify authorization responses, then uses a monitoring rule to alter functional module states upon detecting unauthorized access — an active deception-based approach distinct from passive traffic inspection.
Separately, AO Kaspersky Lab targets PLC execution runtime vulnerabilities through a security module that continuously monitors PLC runtime execution — including inter-module interactions and OS resource access — to detect exploitation of runtime vulnerabilities such as those found in systems like CoDeSys RTE. This 2021 active patent addresses a threat vector that perimeter-only defenses structurally cannot reach: an attacker who has already penetrated the network perimeter and is manipulating PLC execution from within.
Mission Secure Inc.’s overlay architecture installs monitoring devices that observe physical-level signal information — including analog signaling from sensors — to detect unauthorized variances in operational parameters. This approach captures attacks that manipulate physical signals below the digital protocol layer, a threat vector that purely software-centric security architectures miss entirely.
ABB Switzerland addresses the configuration complexity barrier that leaves many industrial deployments misconfigured. Their 2025 CN pending patent uses engineering data (first data) and topological model data (second data) of a distributed control system (DCS) to automatically generate security configurations through a policy generator. By eliminating reliance on expert manual configuration — a persistent source of human error in OT deployments — this approach addresses a systemic vulnerability that no amount of detection capability can compensate for if the underlying configuration is flawed. As noted in frameworks published by ISA, misconfiguration remains one of the primary root causes of OT security incidents.
Fisher-Rosemount Systems addresses the broader architectural convergence of IT and OT infrastructure. Their 2025 JP pending patent proposes a transport network that securely communicates between containerized software modules in an application layer and physical hardware in the field — an architecture designed for cloud-managed industrial control where computational fabric may be hosted remotely. This anticipates the security challenges that arise when cloud orchestration layers manage security policy for field devices in distributed manufacturing environments.
Attack Simulation, Penetration Testing, and Honeypot Architectures
Testing CPS security before and during deployment is essential in manufacturing contexts where testing on live production systems is dangerous or cost-prohibitive — a constraint that has driven a distinct body of innovation around simulation platforms, honeypot architectures, and built-in red-team capabilities. The patent record identifies five institutions advancing this space, each targeting a different dimension of the testing problem.
The Governing Council of the University of Toronto has patented a methodology in which a virtual instance of a CPS — comprising a physical layer and a cyber layer — is constructed and operated as a honeypot to attract and analyze real cyberattack payloads. The architecture generates a safety set defined by control barrier functions and projects whether incoming attack payloads would force the CPS to exit that safety set, triggering a safety action only when genuine risk is projected. This 2026 CA pending patent is significant because it allows attack intelligence to be gathered without exposing the production CPS to real risk — bridging honeypot techniques from IT security into the OT context.
“A virtual CPS honeypot generates a safety set defined by control barrier functions and projects whether incoming attack payloads would force the system to exit that safety set — enabling threat intelligence collection without exposing production manufacturing systems to real risk.”
China’s Strategic Support Force Information Engineering University has developed an automated security testing approach specifically for black-box CPS environments — scenarios where system logs and network traffic are unavailable. Their 2024 CN active patent extracts control application programs from the target CPS, builds a shadow system in an offline environment, infers input-output causal relationships through dynamic testing, and constructs attack test sets targeting different physical process parameters. This approach is directly relevant to legacy manufacturing facilities where documentation is incomplete — a realistic constraint given that most critical manufacturing assets cannot be replaced on a security-driven schedule.
Black-box CPS security testing — as developed by China’s Strategic Support Force Information Engineering University in a 2024 active patent — enables automated attack test case generation for legacy manufacturing systems without requiring access to system logs or network traffic, by extracting control application programs and building a shadow system in an offline environment.
Zhejiang University has proposed a real-time co-simulation platform for active distribution network CPS that integrates power hardware-in-the-loop simulation, communication system in-loop simulation, and penetration testing components within a unified framework. This platform architecture enables security researchers to assess cascading failure scenarios that span both the power grid and communication network layers simultaneously — a capability particularly relevant to manufacturing environments with embedded power generation or substation infrastructure.
Omron Corporation applies attack simulation directly within the production controller environment. Their 2022 JP active patent includes attack pattern creation means that derive attack patterns from the actual security setting information of the controller system, and attack execution means that run those attacks against the controller to evaluate whether configured security functions respond appropriately. This constitutes a built-in red-team capability embedded at the controller level — an approach that keeps security validation continuous rather than periodic.
Chungbuk National University addresses the security of multi-CPS collaboration through a formal interaction specification framework. Their 2021 KR active patent uses Failure Mode and Effect Analysis (FMEA) results from individual CPSs, generates integrated specifications for collaborative missions, and verifies safety across interacting CPS boundaries. This is particularly relevant to manufacturing ecosystems where multiple automated systems — robots, conveyors, inspection systems — must collaborate safely, as the ISO 10218 robotics safety standards increasingly require formal verification of collaborative system interactions.
Map the full competitive landscape of CPS security simulation and honeypot patents with PatSnap Eureka’s AI-powered patent intelligence.
Explore Full Patent Data in PatSnap Eureka →Key Innovators and the Model-Based Security Convergence
Siemens Aktiengesellschaft is the unambiguous dominant innovator in CPS security architecture within this patent dataset, holding at least six patent records across EP, WO, and US jurisdictions on digital-twin-based manipulation detection alone. Their portfolio demonstrates a systematic multi-jurisdiction filing strategy — prosecuting the same core technology across European and North American markets — with filings progressing from 2022 foundational applications through to active EP grants and US pending applications as recently as 2025. This indicates strong commercial intent aligned with Siemens’ industrial automation product lines.
AO Kaspersky Lab is the second most commercially active entity in the dataset, with active patents targeting both CPS access control and PLC runtime monitoring. Their approach spans both passive monitoring and active deception-based architectures, indicating a comprehensive OT security product strategy that addresses multiple attack vectors within a single product line.
Fisher-Rosemount Systems and ABB Switzerland represent the process automation incumbents moving toward cloud-integrated, auto-configured security architectures. This trajectory reflects an industry-wide trend toward IT/OT convergence — one that organisations including the European Union Agency for Cybersecurity (ENISA) have identified as introducing new attack surfaces that require architectural rather than point-solution responses.
Mission Secure Inc. represents a specialist OT security vendor focused exclusively on physical signal-layer monitoring — addressing attack vectors that IT-derived security tools structurally cannot detect because they operate below the digital protocol layer. Among academic and government institutions, the Chinese Strategic Support Force Information Engineering University and Zhejiang University are advancing black-box testing and co-simulation methodologies that are applicable to hardening existing legacy CPS infrastructure. The University of Toronto introduces the honeypot paradigm to the CPS domain, bridging proven IT security techniques into the OT context.
The most significant trend across the entire dataset is the convergence toward model-based security: using digital twins, shadow systems, and simulation platforms to generate security intelligence without requiring access to live production systems. This approach reduces risk during security assessment, enables continuous monitoring post-deployment, and is particularly applicable to legacy manufacturing infrastructure where direct system access is constrained. The progression from Siemens’ 2022 foundational filings to the University of Toronto’s 2026 honeypot architecture demonstrates that model-based security is not a single technique but a design philosophy increasingly shared across commercial, academic, and government innovators in this space.
For R&D teams and IP professionals working in industrial cybersecurity, the patent landscape signals that competitive differentiation will increasingly depend on the sophistication of the model — the fidelity of the digital twin, the completeness of the environmental model, the accuracy of the control barrier function — rather than on the detection algorithm itself. Teams using platforms such as PatSnap’s IP intelligence tools can track prosecution status across these patent families in real time, identifying white spaces and competitive threats before they crystallise into granted rights.