{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,27]],"date-time":"2026-03-27T20:10:32Z","timestamp":1774642232555,"version":"3.50.1"},"reference-count":64,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,12,15]],"date-time":"2020-12-15T00:00:00Z","timestamp":1607990400000},"content-version":"vor","delay-in-days":349,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>We perform a detailed survey and analysis of the most significant attacks, which have targeted industrial control systems over the past decade, based on detailed incident reports from scientific and non-traditional resources. This work is the first that considers together a comprehensive set of real-world cyber-attacks with the purpose of deriving a set of common features focusing particularly on the process control network. Each attack is decomposed to provide a comprehensive overview followed by a discussion of the commonalities identified across attacks. To achieve this, each attack is modelled using Attack Trees with Sequential AND, and mapped to the industrial control system Cyber Kill Chain. We focus on the methods of intrusion rather than the identification of actors. This article can be read in two parts: first, an analysis of each attack, and secondly a discussion of the derived commonalities. The resulting commonalities can be used to develop improved detection strategies to detect modern adversarial techniques and tactics.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa020","type":"journal-article","created":{"date-parts":[[2020,12,15]],"date-time":"2020-12-15T06:15:30Z","timestamp":1608012930000},"source":"Crossref","is-referenced-by-count":16,"title":["Decomposition and sequential-AND analysis of known cyber-attacks on critical infrastructure control systems"],"prefix":"10.1093","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6267-7530","authenticated-orcid":false,"given":"Peter","family":"Maynard","sequence":"first","affiliation":[{"name":"Centre for Secure Information Technologies, Queen\u2019s University, University Road, Belfast, GB BT7 1NN, UK"}]},{"given":"Kieran","family":"McLaughlin","sequence":"additional","affiliation":[{"name":"Centre for Secure Information Technologies, Queen\u2019s University, University Road, Belfast, GB BT7 1NN, UK"}]},{"given":"Sakir","family":"Sezer","sequence":"additional","affiliation":[{"name":"Centre for Secure Information Technologies, Queen\u2019s University, University Road, Belfast, GB BT7 1NN, UK"}]}],"member":"286","published-online":{"date-parts":[[2020,12,15]]},"reference":[{"key":"2020121501134480000_tyaa020-B1","author":"Dragos"},{"key":"2020121501134480000_tyaa020-B2","author":"Dragos","year":"2017"},{"key":"2020121501134480000_tyaa020-B3","author":"ICS-CERT","year":"2012"},{"key":"2020121501134480000_tyaa020-B4","first-page":"225","volume-title":"Handbook of Big Data and IoT Security","author":"Grooby"},{"key":"2020121501134480000_tyaa020-B5","author":"Robinson"},{"key":"2020121501134480000_tyaa020-B6","author":"Kovacs"},{"key":"2020121501134480000_tyaa020-B7","first-page":"1","author":"Kriaa","year":"2012"},{"key":"2020121501134480000_tyaa020-B8","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSP.2011.67","article-title":"Stuxnet: dissecting a Cyberwarfare Weapon","volume":"9","author":"Langner","year":"2011","journal-title":"IEEE Secur Privacy"},{"key":"2020121501134480000_tyaa020-B9","author":"Assante","year":"2015"},{"key":"2020121501134480000_tyaa020-B10","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1007\/978-3-319-18467-8_23","volume-title":"ICT Systems Security and Privacy Protection","author":"Jhawar","year":"2015"},{"key":"2020121501134480000_tyaa020-B11","author":"Schneier"},{"key":"2020121501134480000_tyaa020-B12","author":"Popov"},{"key":"2020121501134480000_tyaa020-B13","author":"CPNI"},{"key":"2020121501134480000_tyaa020-B14","author":"Stouffer"},{"key":"2020121501134480000_tyaa020-B15","volume-title":"Robust Control System Networks","author":"Langner","year":"2011"},{"key":"2020121501134480000_tyaa020-B16","doi-asserted-by":"crossref","DOI":"10.1016\/B978-1-59749-645-2.00003-3","volume-title":"Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems","author":"Knapp","year":"2011"},{"key":"2020121501134480000_tyaa020-B17","first-page":"2015","article-title":"Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol","volume-title":"IACR Cryptol","author":"Jovanovic","year":"2015"},{"key":"2020121501134480000_tyaa020-B18","volume-title":"2nd ACM Workshop on Cyber-Physical Systems Security and Privacy","author":"Jardine","year":"2016"},{"key":"2020121501134480000_tyaa020-B19","author":"Luchs"},{"key":"2020121501134480000_tyaa020-B20","first-page":"51","author":"Miller"},{"key":"2020121501134480000_tyaa020-B21","doi-asserted-by":"crossref","first-page":"1039","DOI":"10.1109\/JPROC.2015.2512235","article-title":"The cybersecurity landscape in industrial control systems","volume":"104","author":"McLaughlin","year":"2016","journal-title":"Proc IEEE"},{"key":"2020121501134480000_tyaa020-B22","first-page":"1","author":"Lamp","year":"2017"},{"key":"2020121501134480000_tyaa020-B23","first-page":"1","volume-title":"2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe)","author":"Khan","year":"2017"},{"key":"2020121501134480000_tyaa020-B24","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1080\/23742917.2016.1252211","article-title":"Review of cybersecurity issues in industrial critical infrastructure: manufacturing in perspective","volume":"1","author":"Ani","year":"2017","journal-title":"J Cyber Secur Technol"},{"key":"2020121501134480000_tyaa020-B25","doi-asserted-by":"crossref","first-page":"101677","DOI":"10.1016\/j.cose.2019.101677","article-title":"Cybersecurity for industrial control systems: a survey","volume":"89","author":"Bhamare","year":"2020","journal-title":"Comput Secur"},{"key":"2020121501134480000_tyaa020-B26","first-page":"380","author":"Zhu"},{"key":"2020121501134480000_tyaa020-B27","author":"Mateski"},{"key":"2020121501134480000_tyaa020-B28","author":"Kotheimer"},{"key":"2020121501134480000_tyaa020-B29","author":"Ross"},{"key":"2020121501134480000_tyaa020-B30","author":"Byres"},{"key":"2020121501134480000_tyaa020-B31","first-page":"291","volume-title":"Computer Safety, Reliability, and Security, Number 9338 in Lecture Notes in Computer Science","author":"Arnold","year":"2015"},{"key":"2020121501134480000_tyaa020-B32","volume-title":"Principles of Security and Trust (POST), Lecture Notes in Computer Science","author":"Arnold","year":"2014"},{"key":"2020121501134480000_tyaa020-B33","doi-asserted-by":"crossref","first-page":"363","DOI":"10.1109\/JSYST.2012.2221853","article-title":"The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures","volume":"7","author":"Sommestad","year":"2013","journal-title":"IEEE Syst J"},{"key":"2020121501134480000_tyaa020-B34","doi-asserted-by":"crossref","first-page":"659","DOI":"10.1016\/j.cose.2010.02.002","article-title":"A probabilistic relational model for security risk analysis","volume":"29","author":"Sommestad","year":"2010","journal-title":"Comput Security"},{"key":"2020121501134480000_tyaa020-B35","first-page":"1","author":"Holm"},{"key":"2020121501134480000_tyaa020-B36","author":"Caltagirone"},{"key":"2020121501134480000_tyaa020-B37","article-title":"PrEP: a framework for malware and cyber weapons (December 20, 2013). The Journal of Information Warfare, Vol.13, No.1, February 2014, Available at SSRN: https:\/\/ssrn.com\/abstract=2343798 or 10.2139\/ssrn.2343798","author":"Herr,"},{"key":"2020121501134480000_tyaa020-B38","author":"Hentunen","year":"2014"},{"key":"2020121501134480000_tyaa020-B39","author":"Hentunen","year":"2014"},{"key":"2020121501134480000_tyaa020-B40","author":"Lucian Constantin"},{"key":"2020121501134480000_tyaa020-B41","author":"Symantec","year":"2014"},{"key":"2020121501134480000_tyaa020-B42","author":"Erik Hjelmvik"},{"key":"2020121501134480000_tyaa020-B43","author":"Harpes"},{"key":"2020121501134480000_tyaa020-B44","author":"Rrushi"},{"key":"2020121501134480000_tyaa020-B45","author":"ICS-CERT"},{"key":"2020121501134480000_tyaa020-B46","author":"Constantin"},{"key":"2020121501134480000_tyaa020-B47","author":"BSI","year":"2014"},{"key":"2020121501134480000_tyaa020-B48","author":"Lee"},{"key":"2020121501134480000_tyaa020-B49","first-page":"1","article-title":"Duqu: A Stuxnet-like malware found in the wild","volume":"14","author":"Bencs\u00e1th","year":"2011","journal-title":"CrySyS Lab Tech Rep"},{"key":"2020121501134480000_tyaa020-B50","author":"Schneier"},{"key":"2020121501134480000_tyaa020-B51","author":"Zetter"},{"key":"2020121501134480000_tyaa020-B52","first-page":"465","author":"Maynard","year":"2016"},{"key":"2020121501134480000_tyaa020-B53","author":"Kaspersky"},{"key":"2020121501134480000_tyaa020-B54","author":"ICS-CERT","year":"2016"},{"key":"2020121501134480000_tyaa020-B55","author":"Lee"},{"key":"2020121501134480000_tyaa020-B56","author":"Beach-Westmoreland"},{"key":"2020121501134480000_tyaa020-B57","author":"Zetter","year":"2017"},{"key":"2020121501134480000_tyaa020-B58","author":"Yasinskyi","year":"2017"},{"key":"2020121501134480000_tyaa020-B59","author":"ESET"},{"key":"2020121501134480000_tyaa020-B60","author":"ICS-CERT"},{"key":"2020121501134480000_tyaa020-B61","author":"Johnson"},{"key":"2020121501134480000_tyaa020-B62","author":"ICS-CERT"},{"key":"2020121501134480000_tyaa020-B63","first-page":"205","author":"Lim"},{"key":"2020121501134480000_tyaa020-B64","author":"Assante","year":"2018"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa020\/34903569\/tyaa020.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa020\/34903569\/tyaa020.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,12,15]],"date-time":"2020-12-15T06:15:35Z","timestamp":1608012935000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa020\/6034412"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":64,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa020","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa020"}}