{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T17:32:23Z","timestamp":1772645543576,"version":"3.50.1"},"reference-count":54,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER)."}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/tifs.2025.3607241","type":"journal-article","created":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T17:43:39Z","timestamp":1757353419000},"page":"10173-10188","source":"Crossref","is-referenced-by-count":1,"title":["Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks"],"prefix":"10.1109","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2023-0255","authenticated-orcid":false,"given":"Lee T.","family":"Maccarone","sequence":"first","affiliation":[{"name":"Sandia National Laboratories, Albuquerque, NM, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5749-9576","authenticated-orcid":false,"given":"Dennis M.","family":"Buede","sequence":"additional","affiliation":[{"name":"ITA International, Newport News, VA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8629-9810","authenticated-orcid":false,"given":"Scott T.","family":"Bowman","sequence":"additional","affiliation":[{"name":"Idaho National Laboratory, Idaho Falls, ID, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9128-9441","authenticated-orcid":false,"given":"Pawel","family":"Ambrozewicz","sequence":"additional","affiliation":[{"name":"ITA International, Newport News, VA, USA"}]},{"given":"Charles D.","family":"Burdick","sequence":"additional","affiliation":[{"name":"ITA International, Newport News, VA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5893-2703","authenticated-orcid":false,"given":"J.","family":"Connor Grady","sequence":"additional","affiliation":[{"name":"Sandia National Laboratories, Albuquerque, NM, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-2900-4351","authenticated-orcid":false,"given":"Shaw X.","family":"Wen","sequence":"additional","affiliation":[{"name":"Idaho National Laboratory, Idaho Falls, ID, USA"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Cybersecurity for the Operational Technology Environment (CyOTE)","year":"2024"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.2172\/2006367"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.6028\/nist.sp.800-82r3"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.23919\/CISTI58278.2023.10211415"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3238664"},{"key":"ref6","first-page":"9","article-title":"OT cyber security frameworks comparison tool (CSFCTool)","volume-title":"Proc. ITASEC","author":"Murino"},{"key":"ref7","volume-title":"Protecting Critical Infrastructure From Cyber Threats","author":"Romps","year":"2021"},{"issue":"1","key":"ref8","doi-asserted-by":"crossref","first-page":"190","DOI":"10.3390\/s22010190","article-title":"A layered middleware for OT\/IT convergence to empower industry 5.0 applications","volume":"22","author":"Patera","year":"2021","journal-title":"Sensors"},{"key":"ref9","first-page":"1","article-title":"Language-theoretic data analysis to support ICS protocol baselining","volume-title":"Proc. 44th IEEE Symp. Secur. Privacy","author":"Weaver"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2836950"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1306"},{"key":"ref12","volume-title":"ICS Matrix","year":"2022"},{"key":"ref13","volume-title":"Enterprise Matrix","year":"2023"},{"key":"ref14","volume-title":"Mobile Matrix","year":"2023"},{"key":"ref15","volume-title":"D3FEND","year":"2023"},{"key":"ref16","first-page":"1","article-title":"Patterns of report relevance","volume-title":"Proc. 3rd UAI Bayesian Model. Appl. Workshop","author":"Mahoney"},{"issue":"1","key":"ref17","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1016\/0004-3702(94)00092-1","article-title":"On the hardness of approximate reasoning","volume":"82","author":"Roth","year":"1996","journal-title":"Artif. Intell."},{"key":"ref18","volume-title":"Introduction to Bayesian Networks","author":"Jensen","year":"1997"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1201\/b10391"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1016\/b978-012370477-1.50021-9"},{"key":"ref21","volume-title":"Artificial Intelligence: A Modern Approach","author":"Russell","year":"2010"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/w-ficloud.2016.29"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-88771-5"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10181-1_16"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/acsac.2009.21"},{"key":"ref26","first-page":"1","article-title":"A cyber attack modeling and impact assessment framework","volume-title":"Proc. 5th Int. Conf. Cyber Conflict (CYCON)","author":"Kotenko"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/ATNAC.2017.8215355"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70290-2_7"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101659"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.02.045"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/1456362.1456368"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3568562.3568591"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1016\/j.pnucene.2020.103479"},{"key":"ref34","article-title":"The industrial control system cyber kill chain","author":"Assante","year":"2015"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.6028\/nist.sp.800-150"},{"key":"ref36","article-title":"IOA vs IOC","author":"Baker","year":"2022"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/tps-isa62245.2024.00075"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1016\/S0004-3702(99)00062-4"},{"key":"ref39","volume-title":"Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company","year":"2021"},{"key":"ref40","article-title":"Hackers breached colonial pipeline using compromised password","author":"Turton","year":"2021"},{"key":"ref41","volume-title":"A Message to Our Customers and Those Who Depend on Us","year":"2021"},{"key":"ref42","article-title":"Cyberattack forces a shutdown of a top U.S. pipeline operator","author":"Sanger","year":"2021"},{"key":"ref43","article-title":"A closer look at the DarkSide ransomware gang","author":"Krebs","year":"2021"},{"key":"ref44","volume-title":"DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized","year":"2021"},{"key":"ref45","article-title":"Colonial hack: How did cyber-attackers shut off pipeline?","author":"Tidy","year":"2021"},{"key":"ref46","volume-title":"Ransomware Attack Shuts Down Colonial Pipeline","year":"2021"},{"key":"ref47","article-title":"The Colonial Pipeline cyberattack: A comprehensive timeline","author":"Goodchild","year":"2021"},{"key":"ref48","article-title":"Colonial Pipeline hack explained: Everything you need to know","author":"Koetsier","year":"2021"},{"key":"ref49","volume-title":"The State of IT Security in Germany 2014","year":"2014"},{"key":"ref50","article-title":"Cyberspace becomes second front in Russia\u2019s clash with NATO","author":"Riley","year":"2022"},{"key":"ref51","article-title":"Penetrate, exploit, disrupt, destroy: The rise of computer network operations as a major military innovation","author":"Wiener","year":"2016"},{"key":"ref52","volume-title":"First Campaign Ends After 21 Years: Europe\u2019s Biggest Blast Furnace to Be Modernized","year":"2014"},{"key":"ref53","volume-title":"Europe\u2019s Biggest Blast Furnace Relit: \u2019Schwelgern 2\u2019 Producing Iron Again","year":"2014"},{"key":"ref54","article-title":"Cyber-attacks to industrial control systems since Stuxnet: A systematic review","author":"Buchanan","year":"2022"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"https:\/\/ieeexplore.ieee.org\/ielam\/10206\/10810755\/11153698-aam.pdf","content-type":"application\/pdf","content-version":"am","intended-application":"syndication"},{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/10206\/10810755\/11153698.pdf?arnumber=11153698","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T05:29:13Z","timestamp":1759987753000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11153698\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":54,"URL":"https:\/\/doi.org\/10.1109\/tifs.2025.3607241","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}