{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T16:28:24Z","timestamp":1777652904478,"version":"3.51.4"},"reference-count":237,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100000266","name":"UK Engineering and Physical Sciences Research Council (EPSRC) funded iCASE Ph.D.","doi-asserted-by":"publisher","award":["EP\/R511936\/1"],"award-info":[{"award-number":["EP\/R511936\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"name":"U.K. Defence Science and Technology Laboratory"},{"name":"U.K. Ministry of Defence"},{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"publisher","award":["EP\/N033957\/1"],"award-info":[{"award-number":["EP\/N033957\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"name":"PETRAS National Centre of Excellence for IoT Systems Cybersecurity"},{"DOI":"10.13039\/501100000266","name":"U.K. 
EPSRC","doi-asserted-by":"publisher","award":["EP\/S035362\/1"],"award-info":[{"award-number":["EP\/S035362\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Commun. Surv. Tutorials"],"published-print":{"date-parts":[[2023]]},"DOI":"10.1109\/comst.2023.3264680","type":"journal-article","created":{"date-parts":[[2023,4,11]],"date-time":"2023-04-11T17:35:37Z","timestamp":1681234537000},"page":"1705-1747","source":"Crossref","is-referenced-by-count":49,"title":["A Survey on Industrial Control System Digital Forensics: Challenges, Advances and Future Directions"],"prefix":"10.1109","volume":"25","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5232-2381","authenticated-orcid":false,"given":"Marco","family":"Cook","sequence":"first","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, U.K"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7996-6216","authenticated-orcid":false,"given":"Angelos","family":"Marnerides","sequence":"additional","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, U.K"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chris","family":"Johnson","sequence":"additional","affiliation":[{"name":"School of Electronics, Electrical Engineering and Computer Science, Queens University Belfast, Belfast, U.K"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0939-378X","authenticated-orcid":false,"given":"Dimitrios","family":"Pezaros","sequence":"additional","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, 
U.K"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2011.67"},{"issue":"3","key":"ref2","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1016\/j.tej.2017.02.006","article-title":"How cyber-attacks in ukraine show the vulnerability of the U.S. power grid","volume":"30","author":"Sullivan","year":"2017","journal-title":"Electr. J."},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1061\/(asce)ee.1943-7870.0001686"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.22662\/ijemr.2019.3.2.013"},{"key":"ref5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijcip.2021.100464","article-title":"Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems","volume":"35","author":"Miller","year":"2021","journal-title":"Int. J. Crit. Infrastruct. Protect."},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/EWDTS.2019.8884472"},{"issue":"3336","key":"ref7","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/S0262-4079(21)00899-X","article-title":"How do we solve the problem of ransomware?","volume":"250","author":"Sparkes","year":"2021","journal-title":"New Sci."},{"key":"ref8","volume-title":"Shaping Europes digital future\u2013European Commission","year":"2020"},{"key":"ref9","volume-title":"Cyber-security: What regulators are saying around the world","author":"Chance","year":"2020"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2014.06.007"},{"key":"ref11","first-page":"98","article-title":"Developing cyber forensics for SCADA industrial control systems","volume-title":"Proc. Int. Conf. Inf. Security Cyber Forensics (InfoSec) Soc. Digit. Inf. 
Wireless Commun","author":"Stirland"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3295453.3295454"},{"issue":"3","key":"ref13","doi-asserted-by":"crossref","first-page":"37","DOI":"10.3390\/jsan9030037","article-title":"Cyber\u2013Physical systems forensics: Today and tomorrow","volume":"9","author":"Mohamed","year":"2020","journal-title":"J. Sensor Actuator Netw"},{"key":"ref14","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1016\/j.ijcip.2015.02.002","article-title":"A survey of cyber security management in industrial control systems","volume":"9","author":"Knowles","year":"2015","journal-title":"Int. J. Crit. Infrastruct. Protect"},{"key":"ref15","doi-asserted-by":"crossref","first-page":"156","DOI":"10.1016\/j.ress.2015.02.008","article-title":"A survey of approaches combining safety and security for industrial control systems","volume":"139","author":"Kriaa","year":"2015","journal-title":"Rel. Eng. System Safety"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1177\/1550147718794615"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2020.2987688"},{"key":"ref18","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2019.101677","article-title":"Cybersecurity for industrial control systems: A survey","volume":"89","author":"Bhamare","year":"2020","journal-title":"Comput. 
Secur"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26502-5_2"},{"issue":"9","key":"ref20","doi-asserted-by":"crossref","first-page":"1043","DOI":"10.3390\/electronics10091043","article-title":"A comprehensive survey on cyber-physical smart grid testbed architectures: Requirements and challenges","volume":"10","author":"Smadi","year":"2021","journal-title":"Electronics"},{"issue":"4","key":"ref21","doi-asserted-by":"crossref","first-page":"1809","DOI":"10.3390\/app11041809","article-title":"Cyber ranges and testbeds for education, training, and research","volume":"11","author":"Chouliaras","year":"2021","journal-title":"Appl. Sci"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3094360"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2014.12.005"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.6028\/nist.sp.800-82r3"},{"key":"ref25","volume-title":"Operational technologies","year":"2017"},{"key":"ref26","volume-title":"Programmable Controllers"},{"key":"ref27","volume-title":"Programmable Controllers Part 3: Programming Languages"},{"key":"ref28","volume-title":"Programmable Controllers Part 6: Functional Safety"},{"key":"ref29","first-page":"15","volume-title":"Components of Industrial Control Systems","author":"Sullivan","year":"2016"},{"key":"ref30","volume-title":"SIMATIC HMI KTP900 basic","year":"2022"},{"key":"ref31","volume-title":"Siemens S7-300 PLC","year":"2022"},{"key":"ref32","volume-title":"What is SCADA system?","year":"2022"},{"key":"ref33","volume-title":"All about siemens variable frequency drives (VFDs)","year":"2022"},{"key":"ref34","volume-title":"Yokogawa-gauge pressure","year":"2022"},{"issue":"2","key":"ref35","doi-asserted-by":"crossref","first-page":"141","DOI":"10.1016\/0166-3615(94)90017-5","article-title":"The purdue enterprise reference architecture","volume":"24","author":"Williams","year":"1994","journal-title":"Comput. 
Ind"},{"key":"ref36","volume-title":"Secure architecture for industrial control systems","author":"Obregon","year":"2015"},{"key":"ref37","article-title":"A road map for digital forensic research: Report from the first digital forensic research workshop (DFRWS)"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15506-2_1"},{"key":"ref39","volume-title":"Information Technology\u2014Security Techniques\u2014Guidelines For Identification, Collection, Acquisition and Preservation of Digital Evidence"},{"key":"ref40","volume-title":"Information Technology\u2014Security Techniques\u2014Guidelines for the Analysis and Interpretation of Digital Evidence"},{"key":"ref41","volume-title":"Information Technology\u2014Security Techniques\u2014Incident Investigation Principles and Processes","year":"2015"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-46578-3_66"},{"issue":"3","key":"ref43","first-page":"1","article-title":"A ten step process for forensic readiness","volume":"2","author":"Rowlingson","year":"2004","journal-title":"Int. J. Digit. Evidence"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-72367-9_2"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2962586"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3106426.3106518"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2940713"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/WF-IoT.2014.6803194"},{"issue":"2","key":"ref49","first-page":"1","article-title":"A Formalization of digital forensics","volume":"3","author":"Leigland","year":"2004","journal-title":"Int. J. Digit. 
Evidence"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.5120\/19971-1856"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-88523-0_7"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.4108\/eai.21-4-2016.151158"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-73697-6_9"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02312-5_9"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1049\/cp.2013.1720"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99277-8_18"},{"key":"ref57","article-title":"A forensic taxonomy of SCADA systems and approach to incident response","volume-title":"Proc. Int. Symp. ICS & SCADA Cyber Secur. Res. (ICS-CSR)","author":"Peter"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/CyberSecurity49315.2020.9138879"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/ICC45855.2022.9838968"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.325"},{"key":"ref61","article-title":"D7.1 preliminary report on forensic analysis for industrial systems","author":"Patzlaff","year":"2013"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.15394\/jdfsl.2015.1211"},{"key":"ref63","volume-title":"Applied Cyber Security and the Smart Grid: Implementing Security Controls Into the Modern Power Infrastructure","author":"Knapp","year":"2013"},{"key":"ref64","first-page":"1147","article-title":"A new EPICS device support for S7 PLCs","volume-title":"Proc. 14th Int. Conf. Accel. Large Exp. Phys. 
Control Syst"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2022.102483"},{"key":"ref66","volume-title":"Desktop operating system market share worldwide","year":"2020"},{"key":"ref67","volume-title":"Global PLC market share as of 2017, by manufacturer","year":"2017"},{"issue":"2","key":"ref68","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1016\/j.ijcip.2013.04.004","article-title":"Firmware modification attacks on programmable logic controllers","volume":"6","author":"Basnight","year":"2013","journal-title":"Int. J. Crit. Infrastruct. Protect"},{"key":"ref69","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1016\/j.diin.2017.06.005","article-title":"Leveraging the SRTP protocol for over-the-network memory acquisition of a GE Fanuc series 90-30","volume":"22","author":"Denton","year":"2017","journal-title":"Digit. Investigat"},{"key":"ref70","volume-title":"Can we learn from SCADA security incidents?","year":"2013"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ICSCSR2013.2"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99277-8_19"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-75462-8_16"},{"key":"ref74","first-page":"27","article-title":"A cyber forensic taxonomy for SCADA systems in critical infrastructure","volume-title":"Proc. Int. Conf. Crit. Inf. Infrastruct. 
Secur"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/HASE.2012.9"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ICS2015.8"},{"issue":"17","key":"ref77","doi-asserted-by":"crossref","first-page":"5501","DOI":"10.3390\/en14175501","article-title":"Cyber risks to critical smart grid assets of industrial control systems","volume":"14","author":"Liu","year":"2021","journal-title":"Energies"},{"key":"ref78","first-page":"59","volume-title":"Vulnerability Assessment of Cyber Security for SCADA Systems","year":"2018"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2998983"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346923"},{"key":"ref81","volume-title":"Debate over IT, OT and control systems security"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2016.331"},{"issue":"5","key":"ref83","first-page":"46","article-title":"Maintaining a good reputation...even when under attack","volume":"32","author":"Carcano","year":"2019","journal-title":"Aluminium Int. Today"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3212687.3212866"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1088\/1757-899X\/569\/4\/042030"},{"key":"ref86","volume-title":"Security for Industrial Automation and Control Systems"},{"key":"ref87","volume-title":"Security for Industrial Automation and Control Systems","year":"2018"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.4251102"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35764-0_5"},{"key":"ref90","volume-title":"Good practice forensics readiness guideline","year":"2015"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1201\/b13869"},{"key":"ref92","first-page":"178","article-title":"A framework for incident response in industrial control systems","volume-title":"Proc. 12th Int. Joint Conf. E-Bus. Telecommun. 
(ICETE)","volume":"4","author":"Schlegel"},{"key":"ref93","volume-title":"ICS410: ICS\/SCADA security essentials","year":"2022"},{"key":"ref94","volume-title":"Professional development in control systems Cyber-security.","year":"2022"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/THS.2008.4534496"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/2047456.2047464"},{"key":"ref97","article-title":"Critical infrastructure and control systems security curriculum","year":"2008"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2013.55"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/3018981.3018984"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70395-4_13"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-04537-1_15"},{"key":"ref102","volume-title":"General Requirements for the Competence of Testing and Calibration Laboratories","year":"2017"},{"key":"ref103","doi-asserted-by":"crossref","first-page":"163","DOI":"10.1016\/j.diin.2019.01.009","article-title":"Tool testing and reliability issues in the field of digital forensics","volume":"28","author":"Horsman","year":"2019","journal-title":"Digit. Investigat"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920307"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1145\/1368506.1368516"},{"issue":"6","key":"ref106","first-page":"71","article-title":"A study: Volatility forensic on hidden files","volume":"2","author":"Safitri","year":"2013","journal-title":"Int. J. Sci. 
Res"},{"key":"ref107","volume-title":"Forescout","year":"2022"},{"key":"ref108","volume-title":"Nozomi networks","year":"2022"},{"key":"ref109","volume-title":"Microsoft defender for IoT","year":"2022"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2017.8258360"},{"key":"ref111","volume-title":"Wireshark","year":"2022"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1007\/0-387-36891-4_22"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-75462-8_9"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1504\/IJSN.2008.017222"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2009.160"},{"key":"ref116","first-page":"618","article-title":"Snort IDS for SCADA networks","volume-title":"Proc. Int. Conf. Secur. Manage","author":"Valli"},{"key":"ref117","volume-title":"Opentext security, encase forensic","year":"2022"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1145\/2808705.2808716"},{"issue":"2","key":"ref119","first-page":"44","article-title":"Developing a state of the art methodology & toolkit for ICS\/SCADA forensics","volume":"1","author":"Betts","year":"2016","journal-title":"Int. J. Ind. Control Syst. 
Secur"},{"key":"ref120","volume-title":"Lime: Linux memory extractor","year":"2022"},{"key":"ref121","volume-title":"FTK imager\u2013evidence acquisition tool.","year":"2022"},{"key":"ref122","volume-title":"Forensic toolkit (FTK) digital investigations.","year":"2022"},{"key":"ref123","volume-title":"Belkasoft, evidence Center","year":"2022"},{"key":"ref124","volume-title":"The sleuth kit (TSK)","author":"Carrier"},{"key":"ref125","volume-title":"SweetScape Software, 101 editor","year":"2022"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.01.003"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/HST47167.2019.9032919"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom.2015.358"},{"key":"ref129","first-page":"73","volume-title":"SCADA system forensic analysis within IIoT","author":"Eden","year":"2017"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2021.301196"},{"key":"ref131","volume-title":"Doors of durin: The veiled gate to siemens S7 silicon","author":"Abbasi","year":"2019"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2010.01.005"},{"key":"ref133","first-page":"1","article-title":"Exploiting siemens simatic S7 PLCs","volume-title":"Proc. Black Hat","author":"Beresford"},{"issue":"1","key":"ref134","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1016\/S1361-3723(10)70112-3","article-title":"Fighting forensics","volume":"2010","author":"Mansfield-Devine","year":"2010","journal-title":"Comput. Fraud Secur"},{"issue":"4","key":"ref135","first-page":"79","article-title":"Exploring the use of PLC debugging tools for digital forensic investigations on SCADA systems","volume":"10","author":"Wu","year":"2015","journal-title":"J. Digit. Forensics Secur. 
Law"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-48737-3_7"},{"key":"ref137","volume-title":"PLC-logger","year":"2022"},{"key":"ref138","volume-title":"Libmodbus","year":"2022"},{"key":"ref139","volume-title":"LibPlcTag","year":"2022"},{"key":"ref140","volume-title":"MODBUS-TCP client","year":"2022"},{"key":"ref141","volume-title":"Nodes7","year":"2022"},{"key":"ref142","volume-title":"Plcscan","author":"Searle","year":"2022"},{"key":"ref143","volume-title":"Pycomm","year":"2022"},{"key":"ref144","volume-title":"Pylogix","author":"Peterson","year":"2022"},{"key":"ref145","volume-title":"Snap7","author":"Nardella","year":"2022"},{"key":"ref146","volume-title":"ICs mem collect","author":"Triplett","year":"2022"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176319"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-30215-3_20"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-26601-1_9"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2022.301336"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.5120\/7765-0844"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70395-4_4"},{"key":"ref153","doi-asserted-by":"publisher","DOI":"10.1117\/12.2179796"},{"key":"ref154","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67208-3_5"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-28752-8_7"},{"key":"ref156","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2020.2980921"},{"key":"ref157","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-45355-1_2"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23142"},{"key":"ref159","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijcip.2019.100306","article-title":"Detecting control system misbehavior by fingerprinting programmable logic controller 
functionality","volume":"26","author":"Stockman","year":"2019","journal-title":"Int. J. Crit. Infrastruct. Protect"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-03964-0_14"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26567-4_5"},{"key":"ref162","doi-asserted-by":"publisher","DOI":"10.1109\/MWC.2017.1800132"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.1145\/2542049"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1145\/1541880.1541882"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1109\/ISDFS49300.2020.9116298"},{"key":"ref166","first-page":"1","volume-title":"Cyber Forensics With Machine Learning","author":"Shahzad","year":"2020"},{"key":"ref167","doi-asserted-by":"publisher","DOI":"10.1023\/B:AIRE.0000045502.10941.a9"},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2017.8228713"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1109\/ICPHYS.2018.8387655"},{"key":"ref170","doi-asserted-by":"crossref","first-page":"125","DOI":"10.1016\/j.diin.2016.04.005","article-title":"CuFA: A more formal definition for digital forensic artifacts","volume":"18","author":"Harichandran","year":"2016","journal-title":"Digit. Investigat"},{"key":"ref171","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-19513-6_7"},{"key":"ref172","doi-asserted-by":"publisher","DOI":"10.1109\/CICT.2013.6558230"},{"key":"ref173","doi-asserted-by":"crossref","first-page":"209","DOI":"10.1016\/B978-0-12-374267-4.00005-7","article-title":"Chapter 5 - windows forensic analysis","volume-title":"Handbook of Digital Forensics and Investigation","author":"Pittman","year":"2010"},{"key":"ref174","doi-asserted-by":"publisher","DOI":"10.1002\/wfs2.1322"},{"key":"ref175","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40385-4_10"},{"key":"ref176","first-page":"142","article-title":"Forensic readiness for SCADA\/ICS incident response","volume-title":"Proc. 4th Int. Symp. 
ICS SCADA Cyber Secur. Res. (ICS-CSR)"},{"key":"ref177","doi-asserted-by":"publisher","DOI":"10.3390\/en12132598"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2017.06.012"},{"key":"ref179","doi-asserted-by":"publisher","DOI":"10.15394\/jdfsl.2014.1169"},{"issue":"21","key":"ref180","first-page":"253","article-title":"SCADA live forensics: Real time data acquisition process to detect, prevent or evaluate critical situations","volume":"9","author":"Taveras","year":"2013","journal-title":"Eur. Sci. J"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.1145\/2843043.2843047"},{"key":"ref182","volume-title":"IoT Fundamentals: Networking Technologies, Protocols, and Use Cases for the Internet of Things","author":"Hanes","year":"2017"},{"key":"ref183","first-page":"1","article-title":"Control logic forensics framework using built-in Decompiler of engineering software in industrial control systems","volume":"33","author":"Qasim","year":"2020","journal-title":"Forensic Sci. Int. Digit. Investigat"},{"key":"ref184","volume-title":"MITRE ATT&CK for Industrial Control Systems: Design and Philosophy","author":"Alexander","year":"2020"},{"key":"ref185","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ICSCSR2013.3"},{"key":"ref186","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-45355-1_5"},{"issue":"6","key":"ref187","first-page":"29","article-title":"W32. stuxnet dossier","volume":"5","author":"Falliere","year":"2011","journal-title":"White Paper Symantec Corp., Secur Resp"},{"issue":"4","key":"ref188","doi-asserted-by":"crossref","first-page":"638","DOI":"10.3390\/jcp1040032","article-title":"Insights into organizational security readiness: Lessons learned from cyber-attack case studies","volume":"1","author":"Quader","year":"2021","journal-title":"J. Cybersecur. 
Privacy"},{"issue":"4","key":"ref189","doi-asserted-by":"crossref","first-page":"971","DOI":"10.3390\/fi4040971","article-title":"The cousins of Stuxnet: Duqu, flame, and gauss","volume":"4","author":"Bencs\u00e1th","year":"2012","journal-title":"Future Internet"},{"key":"ref190","doi-asserted-by":"publisher","DOI":"10.1080\/18335330.2012.653198"},{"key":"ref191","volume-title":"Black Ice: The Invisible Threat of Cyber-Terrorism","author":"Verton","year":"2003"},{"key":"ref192","volume-title":"Tangled Web: Tales of Digital Crime From the Shadows of Cyberspace","author":"Power","year":"2000"},{"key":"ref193","doi-asserted-by":"publisher","DOI":"10.1109\/TSG.2019.2921245"},{"issue":"1","key":"ref194","first-page":"10","article-title":"Ransomware: Evolution, mitigation and prevention","volume":"13","author":"Richardson","year":"2017","journal-title":"Int. Manage. Rev"},{"issue":"9","key":"ref195","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1353-4858(16)30086-1","article-title":"Ransomware attacks: Detection, prevention and cure","volume":"2016","author":"Brewer","year":"2016","journal-title":"Netw. Secur"},{"key":"ref196","first-page":"1","article-title":"Out of control: Ransomware for industrial control systems","volume-title":"Proc. 
RSA Conf","volume":"4","author":"Formby"},{"key":"ref197","volume-title":"\"Notpetya technical analysis-A triple threat: File encryption, MFT encryption, credential theft","author":"Sood","year":"2019"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.2172\/1505628"},{"key":"ref199","volume-title":"Notpetya technical analysis\u2013A triple threat: File encryption, MFT encryption, credential theft","author":"Sood","year":"2019"},{"key":"ref200","doi-asserted-by":"publisher","DOI":"10.1109\/NOTERE.2015.7293513"},{"key":"ref201","volume-title":"Crashoverride: Reassessing the 2016 ukraine electric power event as a protection-focused attack","author":"Slowik","year":"2019"},{"key":"ref202","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3106669"},{"key":"ref203","first-page":"1","article-title":"TRITON: The first ICS cyber attack on safety instrument systems","volume-title":"Proc. Black Hat USA","volume":"2018","author":"Di Pinto"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS.2016.7502992"},{"key":"ref205","doi-asserted-by":"publisher","DOI":"10.3390\/s21113901"},{"key":"ref206","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.3034595"},{"key":"ref207","first-page":"1","article-title":"IoT Botnet forensics: A comprehensive digital forensic case study on Mirai botnet servers","volume":"32","author":"Zhang","year":"2020","journal-title":"Forensic Sci. Int. Digit. Investigat"},{"key":"ref208","volume-title":"Anatomy of the triton malware attack","author":"Stoler","year":"2018"},{"key":"ref209","first-page":"16","article-title":"Defending against firmware cyber attacks on safety-critical systems","volume-title":"Proc. 35th Int. 
System Safety Conf","author":"Johnson"},{"key":"ref210","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102717"},{"key":"ref211","doi-asserted-by":"crossref","first-page":"317","DOI":"10.1016\/j.patcog.2018.07.023","article-title":"Wild patterns: Ten years after the rise of adversarial machine learning","volume":"84","author":"Biggio","year":"2018","journal-title":"Pattern Recognit"},{"key":"ref212","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3037500"},{"key":"ref213","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437513"},{"key":"ref214","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom50675.2020.00121"},{"key":"ref215","first-page":"44","article-title":"Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem","volume-title":"Proc. 6th Annu. Digit. Forensic Res. Workshop (DFRWS)","volume":"3","author":"Harris"},{"key":"ref216","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2010.5495491"},{"key":"ref217","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2012.2205568"},{"key":"ref218","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2012.452"},{"key":"ref219","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2011.115"},{"key":"ref220","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2494502"},{"key":"ref221","volume-title":"Machine learning in cyber-security-problems, challenges and data sets","author":"Amit","year":"2018"},{"key":"ref222","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2020.102092","article-title":"A survey of machine learning techniques in adversarial image forensics","volume":"100","author":"Nowroozi","year":"2021","journal-title":"Comput. Secur"},{"key":"ref223","first-page":"1","article-title":"Quantifying the need for supervised machine learning in conducting live forensic analysis of emergent configurations (ECO) in IoT environments","volume-title":"Forensic Sci. Int. 
Rep","volume":"2","author":"Kebande","year":"2020"},{"key":"ref224","first-page":"53","article-title":"A comparison of machine learning techniques for file system forensics analysis","volume":"46","author":"Mohammad","year":"2019","journal-title":"J. Inf. Secur. Appl"},{"key":"ref225","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3278527"},{"key":"ref226","volume-title":"Industrial network market shares 2019 according to HMS.","year":"2019"},{"key":"ref227","doi-asserted-by":"publisher","DOI":"10.1016\/j.procir.2022.05.030"},{"key":"ref228","doi-asserted-by":"publisher","DOI":"10.1002\/sec.698"},{"key":"ref229","doi-asserted-by":"publisher","DOI":"10.1109\/CSCI49370.2019.00230"},{"key":"ref230","doi-asserted-by":"publisher","DOI":"10.1145\/3360664.3360668"},{"key":"ref231","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.pmcj.2019.101048","article-title":"ICS-BlockOpS: Blockchain for operational data security in industrial control system","volume":"59","author":"Maw","year":"2019","journal-title":"Pervasive Mobile Comput"},{"key":"ref232","doi-asserted-by":"publisher","DOI":"10.1109\/ICECA.2018.8474838"},{"key":"ref233","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ics2015.11"},{"key":"ref234","volume-title":"Information Technology\u2014Security Techniques\u2014Information Security Management Systems","year":"2018"},{"key":"ref235","doi-asserted-by":"publisher","DOI":"10.1109\/PES.2010.5590215"},{"key":"ref236","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139169288"},{"key":"ref237","first-page":"305","volume-title":"Responding to Attacks on Industrial Control Systems and SCADA Systems","author":"Honkus","year":"2016"}],"container-title":["IEEE Communications Surveys & 
Tutorials"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9739\/10226436\/10100622.pdf?arnumber=10100622","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,18]],"date-time":"2024-10-18T03:00:55Z","timestamp":1729220455000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10100622\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"references-count":237,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/comst.2023.3264680","relation":{},"ISSN":["1553-877X","2373-745X"],"issn-type":[{"value":"1553-877X","type":"electronic"},{"value":"2373-745X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]}}}