Towards Resilience by Design: Systematic Review of Critical Infrastructure Protection Against Systemic Risks

Critical Infrastructures (CI) are essential cyber-physical systems providing vital services to society, with key examples including the energy, transport, and health sectors. Our work focuses specifically on the risks emerging from the deep integration of information and communication technologies (ICT) within these infrastructures. While we exclude purely physical threats like natural disasters, our scope addresses the operational and systemic risks that can originate in or propagate through the cyber domain to impact physical operations. These inherent interdependencies create systemic risks prone to cascading effects across sectors, a threat that traditional risk management struggles to address. This gap requires a fundamental shift in strategy from traditional protection to 'Resilience by Design. This approach focuses not just on preventing failures, but on proactively embedding the capacity to adapt and recover when they inevitably occur. This Systematic Literature Review (SLR) bridges this gap by synthesizing 41 primary research articles (2017–2025) to build a coherent framework for CI protection against systemic risk. The central finding is that effective protection requires moving beyond traditional methods and embedding resilience across the entire incident lifecycle. We consolidate the literature into an integrated framework organized around three critical stages: 1) pre-incident preparedness, 2) during-incident response, and 3) post-incident recovery. For each stage, we identify key strategies, trends, and research gaps. Unlike previous reviews that focus on fragmented aspects of risk, this study is the first to systematically structure CI protection around a holistic, three-stage resilience lifecycle. It offers a clear roadmap for developing robust strategies capable of managing the complex, interconnected nature of modern infrastructure.