{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T13:42:04Z","timestamp":1770990124868,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,8,25]]},"DOI":"10.1145\/3708821.3710817","type":"proceedings-article","created":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T06:33:18Z","timestamp":1755066798000},"page":"1016-1031","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Your Control Host Intrusion Left Some Physical Breadcrumbs: Physical Evidence-Guided Post-Mortem Triage of SCADA Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4403-5745","authenticated-orcid":false,"given":"Moses","family":"Ike","sequence":"first","affiliation":[{"name":"Sandia National Laboratories, Livermore, California, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0575-9089","authenticated-orcid":false,"given":"Keaton","family":"Sadoski","sequence":"additional","affiliation":[{"name":"Sandia National Laboratories, Livermore, California, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0556-6070","authenticated-orcid":false,"given":"Romuald","family":"Valme","sequence":"additional","affiliation":[{"name":"Sandia National Laboratories, Albuquerque, New Mexico, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-8701-9211","authenticated-orcid":false,"given":"Burak","family":"Sahin","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7302-0178","authenticated-orcid":false,"given":"Saman","family":"Zonouz","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, Georgia, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2761-1277","authenticated-orcid":false,"given":"Wenke","family":"Lee","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, Georgia, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,8,24]]},"reference":[{"key":"e_1_3_3_2_2_2","unstructured":"[n. d.]. ATTACK for Industrial Control Systems. https:\/\/collaborate.mitre.org\/attackics\/index.php\/Main_Page"},{"key":"e_1_3_3_2_3_2","unstructured":"[n. d.]. How Digital Detectives Deciphered Stuxnet the Most Menacing Malware in History. https:\/\/www.wired.com\/2011\/07\/how-digital-detectives-deciphered-stuxnet\/"},{"key":"e_1_3_3_2_4_2","unstructured":"[n. d.]. The Inside Story of How Stuxnet Was Discovered. https:\/\/gizmodo.com\/the-incredible-tale-of-stuxnet-a-weapon-for-the-digita-1656811897"},{"key":"e_1_3_3_2_5_2","unstructured":"[n. d.]. Memory Obfuscation Benchmarks. https:\/\/github.com\/tum-i4\/obfuscation-benchmarks"},{"key":"e_1_3_3_2_6_2","unstructured":"[n. d.]. MYSCADA SCADA Automation and HMI Solutions. https:\/\/www.myscada.org\/en\/"},{"key":"e_1_3_3_2_7_2","unstructured":"[n. d.]. Next Gen PLC Training. https:\/\/factoryio.com"},{"key":"e_1_3_3_2_8_2","unstructured":"[n. d.]. NVD CVE-2012-1830 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2012-1830"},{"key":"e_1_3_3_2_9_2","unstructured":"[n. d.]. Operation Technology Cyber Attack Database. https:\/\/icsstrive.com"},{"key":"e_1_3_3_2_10_2","unstructured":"[n. d.]. Prevent intrusion and maintain network integrity with Data Diodes. https:\/\/advenica.com\/en\/cds\/data-diodes"},{"key":"e_1_3_3_2_11_2","unstructured":"[n. d.]. Recommended Practice: Creating Cyber Forensics Plans for Control Systems. https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/recommended_practices\/Forensics_RP.pdf"},{"key":"e_1_3_3_2_12_2","unstructured":"[n. d.]. Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability. https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/recommended_practices\/final-RP_ics_cybersecurity_incident_response_100609.pdf"},{"key":"e_1_3_3_2_13_2","unstructured":"[n. d.]. RISI Online Incident Database. https:\/\/www.risidata.com\/Database"},{"key":"e_1_3_3_2_14_2","unstructured":"[n. d.]. Simulation and Model Based Design. https:\/\/www.mathworks.com\/products\/simulink.html"},{"key":"e_1_3_3_2_15_2","unstructured":"[n. d.]. Trans-Alaska pipeline spill. https:\/\/www.risidata.com\/Database\/Detail\/trans-alaska_pipeline_spill"},{"key":"e_1_3_3_2_16_2","unstructured":"[n. d.]. Trans-Alaska pipeline spill. https:\/\/en.wikipedia.org\/wiki\/Trans-Alaska_Pipeline_System"},{"key":"e_1_3_3_2_17_2","unstructured":"[n. d.]. W32.Stuxnet Dossier. https:\/\/www.wired.com\/images_blogs\/threatlevel\/2011\/02\/Symantec-Stuxnet-Update-Feb-2011.pdf"},{"key":"e_1_3_3_2_18_2","unstructured":"[n. d.]. What is ICS-CERT. https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/Monitors\/ICS-CERT_Monitor_Jul-Aug2011.pdf"},{"key":"e_1_3_3_2_19_2","unstructured":"[n. d.]. WIN32\/INDUSTROYER: A new threat for industrial control systems. https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/06\/Win32_Industroyer.pdf"},{"key":"e_1_3_3_2_20_2","unstructured":"Basem Al-Madani Ahmad Shawahna and Mohammad Qureshi. 2019. Anomaly detection for industrial control networks using machine learning with the help from the inter-arrival curves. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/1911.05692 (2019)."},{"key":"e_1_3_3_2_21_2","volume-title":"30th USENIX Security Symposium","author":"Alrawi Omar","year":"2021","unstructured":"Omar Alrawi, Moses Ike, Matthew Pruett, Ranjita\u00a0Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, and Brendan Saltaformaggio. 2021. Forecasting Malware Capabilities From Cyber Attack Memory Images. In 30th USENIX Security Symposium."},{"key":"e_1_3_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/AINS.2017.8270432"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243781"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3295453.3295454"},{"key":"e_1_3_3_2_25_2","unstructured":"Sebastian-Emilian Banescu. 2017. Characterizing the Strength of Software Obfuscation Against Automated Attacks. Ph.\u00a0D. Dissertation. Technische Universitat Munchen."},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.22"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"crossref","unstructured":"Alvaro\u00a0A Cardenas and Reihaneh Safavi-Naini. 2012. Security and privacy in the smart grid. Handbook on securing cyber-physical critical infrastructure (2012) 637\u2013654.","DOI":"10.1016\/B978-0-12-415815-3.00025-X"},{"key":"e_1_3_3_2_28_2","unstructured":"Defense\u00a0Use Case. 2016. Analysis of the cyber attack on the Ukrainian power grid. Electricity Information Sharing and Analysis Center (E-ISAC) (2016)."},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ICS2015.5"},{"key":"e_1_3_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.14236\/ewic\/ICS2016.16"},{"key":"e_1_3_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23265"},{"key":"e_1_3_3_2_32_2","unstructured":"Lars Fischer Mathias Uslar Doug Morrill Michael Doring and Edwin Haesen. 2018. Study on the evaluation of risks of cyber-incidents and on costs of preventing cyber-incidents in the energy sector. European Commission: Berlin Germany (2018)."},{"key":"e_1_3_3_2_33_2","doi-asserted-by":"crossref","unstructured":"David Formby and Raheem Beyah. 2019. Temporal execution behavior for host anomaly detection in programmable logic controllers. IEEE Transactions on Information Forensics and Security 15 (2019) 1455\u20131469.","DOI":"10.1109\/TIFS.2019.2940890"},{"key":"e_1_3_3_2_34_2","volume-title":"NDSS","author":"Formby David","year":"2016","unstructured":"David Formby, Preethi Srinivasan, Andrew\u00a0M Leonard, Jonathan\u00a0D Rogers, and Raheem\u00a0A Beyah. 2016. Who\u2019s in Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems.. In NDSS."},{"key":"e_1_3_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23313"},{"key":"e_1_3_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3167132.3167305"},{"key":"e_1_3_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3140241.3140254"},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664277"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134081"},{"key":"e_1_3_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"e_1_3_3_2_41_2","doi-asserted-by":"crossref","unstructured":"Amin Hassanzadeh Amin Rasekh Stefano Galelli Mohsen Aghashahi Riccardo Taormina Avi Ostfeld and M\u00a0Katherine Banks. 2020. A review of cybersecurity incidents in the water sector. Journal of Environmental Engineering 146 5 (2020) 03120003.","DOI":"10.1061\/(ASCE)EE.1943-7870.0001686"},{"key":"e_1_3_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.2172\/1505628"},{"key":"e_1_3_3_2_43_2","first-page":"362","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Ike Moses","year":"2022","unstructured":"Moses Ike, Kandy Phan, Keaton Sadoski, Romuald Valme, and Wenke Lee. 2022. SCAPHY: Detecting Modern ICS Attacks by Correlating Behaviors in SCADA and PHYsical. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 362\u2013379."},{"key":"e_1_3_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372318.3372324"},{"key":"e_1_3_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/INDIN.2015.7281725"},{"key":"e_1_3_3_2_46_2","doi-asserted-by":"crossref","unstructured":"David Kushner. 2013. The real story of stuxnet. ieee Spectrum 50 3 (2013) 48\u201353.","DOI":"10.1109\/MSPEC.2013.6471059"},{"key":"e_1_3_3_2_47_2","doi-asserted-by":"crossref","unstructured":"Jae-Myeong Lee and Sugwon Hong. 2020. Keeping host sanity for security of the SCADA systems. IEEE Access 8 (2020) 62954\u201362968.","DOI":"10.1109\/ACCESS.2020.2983179"},{"key":"e_1_3_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196546"},{"key":"e_1_3_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978299"},{"key":"e_1_3_3_2_50_2","volume-title":"Cybersecurity for industrial control systems: SCADA, DCS, PLC, HMI, and SIS","author":"Macaulay Tyson","year":"2011","unstructured":"Tyson Macaulay and Bryan\u00a0L Singer. 2011. Cybersecurity for industrial control systems: SCADA, DCS, PLC, HMI, and SIS. CRC Press."},{"key":"e_1_3_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SAI.2014.6918252"},{"key":"e_1_3_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23043"},{"key":"e_1_3_3_2_53_2","doi-asserted-by":"crossref","unstructured":"Thomas Miller Alexander Staves Sam Maesschalck Miriam Sturdee and Benjamin Green. 2021. Looking back to look forward: Lessons learnt from cyber-attacks on Industrial Control Systems. International Journal of Critical Infrastructure Protection 35 (2021) 100464.","DOI":"10.1016\/j.ijcip.2021.100464"},{"key":"e_1_3_3_2_54_2","unstructured":"Hector\u00a0Rolando Ocampo. 2021. Municipal Governments and the Need for Cybersecurity. Ph.\u00a0D. Dissertation."},{"key":"e_1_3_3_2_55_2","volume-title":"Intrusion Detection System of industrial control networks using network telemetry","author":"Ponomarev Stanislav","year":"2015","unstructured":"Stanislav Ponomarev. 2015. Intrusion Detection System of industrial control networks using network telemetry. Louisiana Tech University."},{"key":"e_1_3_3_2_56_2","unstructured":"Yan Shoshitaishvili Ruoyu Wang Christopher Salls Nick Stephens Mario Polino Audrey Dutcher John Grosen Siji Feng Christophe Hauser Christopher Kruegel and Giovanni Vigna. [n. d.]. SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis."},{"key":"e_1_3_3_2_57_2","doi-asserted-by":"crossref","unstructured":"Alexander Staves Tom Anderson Harry Balderstone Benjamin Green Antonios Gouglidis and David Hutchison. 2022. A cyber incident response and recovery framework to support operators of ICS and Critical National Infrastructure. International Journal of Critical Infrastructure Protection (2022) 100505.","DOI":"10.1016\/j.ijcip.2021.100505"},{"key":"e_1_3_3_2_58_2","doi-asserted-by":"crossref","unstructured":"Barnaby Stewart Luis Rosa Leandros\u00a0A Maglaras Tiago\u00a0J Cruz Mohamed\u00a0Amine Ferrag Paulo Simoes and Helge Janicke. 2017. A novel intrusion detection mechanism for scada systems which automatically adapts to network topology changes. EAI Endorsed Transactions on Industrial Networks and Intelligent Systems 4 10 (2017).","DOI":"10.4108\/eai.1-2-2017.152155"},{"key":"e_1_3_3_2_59_2","unstructured":"Keith Stouffer Joe Falco and Karen Scarfone. 2008. NIST special publication 800-82: Guide to industrial control systems (ICS) security. Gaithersburg MD: National Institute of Standards and Technology (NIST) (2008)."},{"key":"e_1_3_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978388"},{"key":"e_1_3_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/CIT.2012.119"},{"key":"e_1_3_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00034"},{"key":"e_1_3_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/iThings\/CPSCom.2011.34"}],"event":{"name":"ASIA CCS '25: 20th ACM Asia Conference on Computer and Communications Security","location":"Hanoi Vietnam","acronym":"ASIA CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 20th ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3708821.3710817","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T07:26:13Z","timestamp":1755069973000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3708821.3710817"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,24]]},"references-count":62,"alternative-id":["10.1145\/3708821.3710817","10.1145\/3708821"],"URL":"https:\/\/doi.org\/10.1145\/3708821.3710817","relation":{},"subject":[],"published":{"date-parts":[[2025,8,24]]},"assertion":[{"value":"2025-08-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}