arxiv: 2605.16167 · v1 · pith:CBG6BFONnew · submitted 2026-05-15 · 💻 cs.CR · cs.CY · cs.DC · cs.SE

From Backup Restoration to Minimum Viable Factory Recovery: A Systematization of Ransomware Recovery in Manufacturing Systems

Pith reviewed 2026-05-20 16:59 UTC · model grok-4.3

classification 💻 cs.CR · cs.CY · cs.DC · cs.SE
keywords ransomware recovery · manufacturing systems · minimum viable factory recovery · recovery failure modes · critical infrastructure · IT-OT interdependencies · supply chain dependencies · systematization

The pith

Ransomware recovery in manufacturing requires addressing interdependencies beyond backup restoration.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper claims that ransomware recovery in manufacturing cannot be reduced to restoring backups from data archives. Instead, it must address interdependencies among IT systems, operational technology, physical production processes, quality controls, logistics, identity management, and supplier networks. Evidence from literature, standards, and incidents points to nine specific failure modes that block the return to operational capability. By defining Minimum Viable Factory Recovery, the work provides a target for the smallest safe and meaningful production level achievable under current constraints. This matters because it explains why many recovery efforts fall short and offers a structured way to plan for continuity in essential industries.

Core claim

After a ransomware attack, rebuilding servers in a manufacturing plant does not automatically restore the ability to schedule production, authenticate operators, trust engineering data, release products, reconnect operational technology assets, or coordinate with suppliers. The paper identifies nine evidence-backed recovery failure modes that arise from these interdependencies: dependency blindness, untrusted restore point and backup over-trust, identity trust collapse, lack of proof-of-recovery, unsafe OT reconnection, segmentation assumption failure, capability mismatch, unmanaged degraded operation, and supplier dependency failure. It proposes Minimum Viable Factory Recovery as the 1small

What carries the argument

Minimum Viable Factory Recovery (MVF Recovery): the smallest safe, trusted, and operationally meaningful production capability resumable under dependency, evidence, identity, data, network, OT, and supplier constraints. It functions as the analytical objective that reframes recovery from full restoration to the minimal viable state.

If this is right

  • Recovery planning must include strategies for identity trust collapse and supplier coordination.
  • Organizations should derive a recovery lifecycle to benchmark progress toward full production.
  • Focus shifts to managing degraded operations and preventing unsafe reconnections of OT assets.
  • Evidence anchors from incidents and standards provide calibration for capability-centric approaches.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This framework could extend to recovery planning in other sectors with similar IT-OT couplings, such as utilities or transportation.
  • Future work might test the nine failure modes against additional real-world case studies for completeness.
  • Adopting MVF Recovery could lead to standardized metrics for assessing manufacturing resilience post-attack.

Load-bearing premise

The PRISMA-guided multivocal review of literature, standards, threat frameworks, incident material, and evidence anchors accurately and comprehensively identifies the recovery failure modes without significant coverage gaps or source selection bias.

What would settle it

A documented manufacturing ransomware incident where full production capability was restored solely through server and backup restoration, without addressing any of the nine identified failure modes, would falsify the central claim.

Original abstract

Ransomware recovery in critical manufacturing infrastructure is not only a backup-restoration problem. Production capability depends on coupled information-technology, operational-technology, physical-process, quality, logistics, identity, and supplier systems. After ransomware, a plant may rebuild servers yet remain unable to schedule work, authenticate operators, trust engineering workstations, release product, reconnect OT assets, or coordinate suppliers. This paper reframes manufacturing ransomware recovery as a critical-infrastructure continuity and interdependency problem. We conduct a PRISMA-guided multivocal review of academic literature, standards and government guidance, threat frameworks, public incident material, and verified full-text/source-page evidence anchors. The review identifies nine evidence-backed recovery failure modes: dependency blindness, untrusted restore point and backup over-trust, identity trust collapse, lack of proof-of-recovery, unsafe OT reconnection, segmentation assumption failure, capability mismatch, unmanaged degraded operation, and supplier dependency failure. We then introduce Minimum Viable Factory Recovery (MVF Recovery): the smallest safe, trusted, and operationally meaningful production capability that can be resumed under current dependency, evidence, identity, data, network, OT, and supplier constraints. MVF Recovery is an analytical objective rather than a claim of full recovery, implementation, or safety certification. The paper derives a recovery lifecycle and benchmarking directions as secondary outputs. The contribution is an evidence-calibrated foundation for capability-centric ransomware recovery in critical manufacturing infrastructure.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that ransomware recovery in manufacturing systems is not solely a backup-restoration problem because production depends on coupled IT, OT, physical-process, quality, logistics, identity, and supplier systems. Using a PRISMA-guided multivocal review of academic literature, standards, government guidance, threat frameworks, and public incident material with verified evidence anchors, the authors identify nine evidence-backed recovery failure modes (dependency blindness, untrusted restore point and backup over-trust, identity trust collapse, lack of proof-of-recovery, unsafe OT reconnection, segmentation assumption failure, capability mismatch, unmanaged degraded operation, and supplier dependency failure). They introduce Minimum Viable Factory Recovery (MVF Recovery) as the smallest safe, trusted, and operationally meaningful production capability under current constraints, and derive a recovery lifecycle plus benchmarking directions as secondary outputs.

Significance. If the nine failure modes are robustly supported by the reviewed sources, this systematization provides a valuable evidence-calibrated foundation for capability-centric ransomware recovery in critical manufacturing infrastructure. The multivocal PRISMA approach, which incorporates standards and incident reports alongside academic literature, is a strength that grounds the work in practical constraints rather than abstract models. Introducing MVF Recovery as an analytical objective rather than a full-recovery claim offers a pragmatic shift away from IT-centric views, with potential to inform incident response planning and standards development in cyber-physical manufacturing systems.

major comments (2)
  1. §3 (Multivocal Review Methodology): The central claim that the nine failure modes are 'evidence-backed' and that backup restoration alone is insufficient rests on the review having captured relevant interdependencies without material gaps. The manuscript describes the PRISMA process at a high level but does not include an explicit mapping (e.g., table or appendix) of sources to each failure mode, particularly for OT reconnection and supplier coordination cases that are often sparsely documented in public incidents. This detail is load-bearing for validating the reframing and for readers to assess selection bias or coverage limitations.
  2. §5 (MVF Recovery Definition): MVF Recovery is positioned as the smallest safe, trusted, and operationally meaningful production capability under current constraints. However, the criteria for determining 'meaningful' and 'safe' are not operationalized with concrete metrics or decision procedures, which weakens its utility as a repeatable analytical objective across different manufacturing contexts and directly affects the practicality of the derived recovery lifecycle.
minor comments (2)
  1. [Abstract and §4] The abstract and §4 listing of the nine failure modes would be clearer with a summary table that includes one-sentence descriptions and primary evidence types (academic, standard, or incident) for each mode.
  2. [§5] Terminology for 'MVF Recovery' is used consistently but could be introduced with a short formal definition box or equation-like statement to aid readers unfamiliar with the concept.

Circularity Check

0 steps flagged

No significant circularity in this systematization review

The paper performs a PRISMA-guided multivocal review of external academic literature, standards, government guidance, threat frameworks, and public incident reports to identify nine recovery failure modes and to define MVF Recovery as an analytical objective. No equations, fitted parameters, or first-principles derivations appear; the central claims rest on synthesis of independent external sources rather than any self-referential reduction, self-citation chain, or renaming of author-defined quantities. The work is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central contribution rests on the assumption that the multivocal review is sufficiently comprehensive to identify all load-bearing failure modes and that the MVF concept adds practical value as an objective without requiring immediate empirical validation or implementation details.

axioms (1)
  • domain assumption: The PRISMA-guided multivocal review of academic literature, standards, government guidance, threat frameworks, and verified incident material comprehensively identifies the relevant recovery failure modes in manufacturing ransomware incidents.
    Invoked to support the identification of the nine specific failure modes listed in the abstract.
invented entities (1)
  • Minimum Viable Factory Recovery (MVF Recovery): no independent evidence
    purpose: Defines the smallest safe, trusted, and operationally meaningful production capability that can be resumed under current dependency, evidence, identity, data, network, OT, and supplier constraints.
    Introduced as an analytical objective rather than a claim of full recovery or certified implementation.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

    Relation between the paper passage and the cited Recognition theorem.

    The review identifies nine evidence-backed recovery failure modes: dependency blindness, untrusted restore point and backup over-trust, identity trust collapse, lack of proof-of-recovery, unsafe OT reconnection, segmentation assumption failure, capability mismatch, unmanaged degraded operation, and supplier dependency failure. We then introduce Minimum Viable Factory Recovery (MVF Recovery)

What do these tags mean?

  • matches: The paper's claim is directly supported by a theorem in the formal canon.
  • supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
  • extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
  • uses: The paper appears to rely on the theorem as machinery.
  • contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
  • unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

87 extracted references · 87 canonical work pages

  1. [1] Evidence-Backed Recovery Failure Taxonomy. 4.1. Overview and interpretation of evidence counts. This section answers RQ1 by presenting nine evidence-backed recovery failure modes. The taxonomy is organized around four recovery problem classes: dependency failures, trust and verification failures, reintegration failures, and operational capability failures...

  2. [2] Minimum Viable Factory Recovery. 5.1. Motivation. Section 4 shows that manufacturing ransomware recovery cannot be judged only by asset availability. The nine failure modes converge on one problem: responders need an objective that represents constrained production capability under uncertainty. MVF Recovery provides that objective. It asks which product...

  3. [3] Evidence-Based Recovery Lifecycle. 6.1. Purpose. The lifecycle translates MVF Recovery into operational stages. It is not intended to replace existing incident response frameworks. Instead, it highlights recovery decisions that are easy to miss when responders focus on rebuilding assets. Each stage addresses one or more failure modes from Section 4. Table 9...

  4. [4] Mission impact assessment: What production missions are disrupted? (FM07, FM09)

  5. [5] Dependency modelling: What must exist together to resume a mission? (FM01, FM09)

  6. [6] Clean-state selection: Which restore sources and configurations can be trusted? (FM02, FM03)

  7. [7] MVF planning: Which constrained mission is viable now? (FM01, FM07, FM08)

  8. [8] Validation and simulation: Can the mission be tested before live reconnection? (FM04, FM05, FM06)

  9. [9] Proof-of-recovery: What evidence justifies the restart decision? (FM04)

  10. [10] Staged reintegration: How are systems reconnected safely? (FM05, FM06)

  11. [11] Monitored resumption: How is constrained production monitored and expanded? (FM07, FM08, FM09)

    6.2. Stage 1: mission impact assessment. Responders first identify which production missions are affected: product lines, batches, order types, customer commitments, quality processes, supplier flows, and logistics steps. This avoids equating system outage lists...

  12. [12] Benchmarking Directions and Evaluation Blueprint. 7.1. Scope. This paper does not release an executable benchmark. Instead, it outlines benchmarking directions for making manufacturing recovery evaluations more explicit. The goal is to avoid future work comparing recovery approaches only by asset count, backup age, or time-to-rebuild. A useful benchmark s...

  13. [13] Discussion, Limitations, and Research Agenda. 8.1. Main finding. The main finding is that ransomware recovery in critical manufacturing should be judged by restored production capability rather than restored assets. This does not make backups, malware eradication, or system rebuilds unimportant. It means that these activities are intermediate steps toward a...

  14. [14] Conclusion. Ransomware recovery in critical manufacturing infrastructure is a capability-restoration problem. A factory can rebuild servers, restore backups, or reconnect applications while still being unable to produce safely, validate quality, authenticate operators, coordinate suppliers, or prove that recovered systems are trustworthy. This paper synt...

  15. [15]

    Cutting the Gordian knot: A look under the hood of ransomware attacks,

    A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, "Cutting the Gordian knot: A look under the hood of ransomware attacks," inProc. 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2015, pp. 3–24, doi: 10.1007/978-3-319-20550-2_1

  16. [16]

    Selcuk Ulu- agac

    H. Oz, A. Aris, A. Levi, and A. S. Uluagac, "A survey on ransomware: Evolution, tax- onomy, and defense solutions,"ACM Computing Surveys, vol. 54, no. 11s, pp. 1–37, 2022, doi: 10.1145/3514229

  17. [17]

    Ransomware: Recent advances, analysis, challenges and future research directions,

    C. Beaman, A. Barkworth, T. D. Akande, S. Hakak, and M. K. Khan, "Ransomware: Recent advances, analysis, challenges and future research directions,"Computers & Security, vol. 111, Art. no. 102490, 2021, doi: 10.1016/j.cose.2021.102490

  18. [18]

    19, 2023

    Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, and Multi-State Information Sharing and Analysis Center,#StopRansomware Guide, updated Oct. 19, 2023. [Online]. Available:https://www.cisa.gov/stopransomware/ra nsomware-guide. Accessed: Apr. 29, 2026

  19. [19]

    Fisher, M

    B. Fisher, M. Souppaya, W. Barker, and K. Scarfone,Ransomware Risk Management: A Cybersecurity Framework Profile, NISTIR 8374, National Institute of Standards and Technology, Feb. 2022, doi: 10.6028/NIST.IR.8374

  20. [20]

    Mitigating malware and ransomware attacks,

    National Cyber Security Centre, "Mitigating malware and ransomware attacks," guidance, updated guidance page. [Online]. Available:https://www.ncsc.gov.uk/guidance/mitigatin g-malware-and-ransomware-attacks. Accessed: Apr. 29, 2026

  21. [21]

    Ransomware on cyber-physical systems: Taxonomies, case studies, security gaps, and open challenges,

    M. Benmalek, "Ransomware on cyber-physical systems: Taxonomies, case studies, security gaps, and open challenges,"Internet of Things and Cyber-Physical Systems, vol. 4, pp. 186–202, 2024, doi: 10.1016/j.iotcps.2023.12.001

  22. [22]

    ATT&CKforICSmatrix,

    K. Stouffer, M. Pease, C. Y. Tang, T. Zimmerman, V. Pillitteri, S. Lightman, A. Hahn, S. Saravia, A. Sherule, and M. Thompson,Guide to Operational Technology (OT) Security, NIST Special Publication 800-82 Rev. 3, National Institute of Standards and Technology, Sep. 2023, doi: 10.6028/NIST.SP.800-82r3. [9]MITRE,"ATT&CKforICSmatrix,"MITREATT&CKknowledgebase...

  23. [23]

    Inhibit response function, Tactic TA0107,

    MITRE, "Inhibit response function, Tactic TA0107," MITRE ATT&CK for ICS. [Online]. Available:https://attack.mitre.org/tactics/TA0107/. Accessed: Apr. 29, 2026. 39

  24. [24]

    Impair process control, Tactic TA0106,

    MITRE, "Impair process control, Tactic TA0106," MITRE ATT&CK for ICS. [Online]. Available:https://attack.mitre.org/tactics/TA0106/. Accessed: Apr. 29, 2026

  25. [25]

    Impact, Tactic TA0105,

    MITRE, "Impact, Tactic TA0105," MITRE ATT&CK for ICS. [Online]. Available:https: //attack.mitre.org/tactics/TA0105/. Accessed: Apr. 29, 2026

  26. [26]

    Security and Privacy in C ommunication Net- works, vol

    Y. Zhang, Z. Sun, L. Yang, Z. Li, Q. Zeng, Y. He, and X. Zhang, "All your PLCs belong to me: ICS ransomware is realistic," inProc. IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020, pp. 502–509, doi: 10.1109/TrustCom50675.2020.00074

  27. [27]

    Targeted ransomware: A new cyber threat to edge system of brownfield Industrial Internet of Things,

    M. Al-Hawawreh, F. den Hartog, and E. Sitnikova, "Targeted ransomware: A new cyber threat to edge system of brownfield Industrial Internet of Things,"IEEE Internet of Things Journal, vol. 6, no. 4, pp. 7137–7151, 2019, doi: 10.1109/JIOT.2019.2914390. [15]D.M.Nicol, "Theransomwarethreattoenergy-deliverysystems,"IEEE Security & Privacy, vol. 19, no. 3, pp. ...

  28. [28]

    Optimizing cyber-resilience in critical infrastructure networks,

    R. Pal, R. X. Sequeira, S. Zeijlmaker, and M. Siegel, "Optimizing cyber-resilience in critical infrastructure networks," inProc. 2024 Winter Simulation Conference (WSC), 2024, pp. 774–785, doi: 10.1109/WSC63780.2024.10838999

  29. [29]

    Digital forensic readiness framework for ran- somware investigation,

    A. Singh, A. R. Ikuesan, and H. S. Venter, "Digital forensic readiness framework for ran- somware investigation," inDigital Forensics and Cyber Crime: 10th International EAI Confer- ence, ICDF2C 2018, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Springer, 2019, pp. 91–105, doi: 10.1007/978-3-...

  30. [30]

    In: 2022 6th International Conference on Infor- mation Technology (InCIT), pp

    P. Nakhonthai and K. Chimmanee, "Digital forensic analysis of ransomware attacks on industrial control systems: A case study in factories," inProc. 2022 6th International Conference on Information Technology (InCIT), 2022, pp. 416–421, doi: 10.1109/InCIT56086.2022.10067356

  31. [31]

    Bajpai,Extracting Ransomware’s Keys by Utilizing Memory Forensics, Ph.D

    P. Bajpai,Extracting Ransomware’s Keys by Utilizing Memory Forensics, Ph.D. disserta- tion, Michigan State University, 2020, ProQuest no. 27837280

  32. [32]

    The economics of ransomware attacks on integrated supply chain networks,

    A. Cartwright and E. Cartwright, "The economics of ransomware attacks on integrated supply chain networks,"Digital Threats: Research and Practice, vol. 4, no. 4, 2023, doi: 10.1145/3579647

  33. [33]

    From attack to adaptation: A case study of capabilities driving digital supply chain recovery,

    R. Pergande, J. Hamann-Lohmer, and R. Lasch, "From attack to adaptation: A case study of capabilities driving digital supply chain recovery,"IEEE Engineering Management Review, early access, 2025, doi: 10.1109/EMR.2025.3568586. 40

  34. [34]

    The threat of ransomware in the food supply chain: A challenge for food defence,

    L. Manning and A. Kowalska, "The threat of ransomware in the food supply chain: A challenge for food defence,"Trends in Organized Crime, 2023, doi: 10.1007/s12117-023-09516-y

  35. [35]

    Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems,

    T. Miller, A. Staves, S. Maesschalck, M. Sturdee, and B. Green, "Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems,"International Journal of Critical Infrastructure Protection, vol. 35, Art. no. 100464, 2021, doi: 10.1016/j.ijcip.2021.100464

  36. [36]

    A cyber incident response and recovery framework to support operators of industrial control systems,

    A. Staves, T. Anderson, A. Balderstone, B. Green, A. Gouglidis, and D. Hutchison, "A cyber incident response and recovery framework to support operators of industrial control systems," International Journal of Critical Infrastructure Protection, vol. 37, Art. no. 100505, 2022, doi: 10.1016/j.ijcip.2022.100505. [25]J.Huang, J.Xu, X.Xing, P.Liu, andM.K.Qure...

  37. [37]

    Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction,

    J. Dafoe, N. Chen, B. Chen, and Z. Wang, "Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction,"Cybersecurity, vol. 7, Art. no. 75, 2024, doi: 10.1186/s42400-024-00287-9

  38. [38]

    Nelson, S

    A. Nelson, S. Rekhi, M. Souppaya, and K. Scarfone,Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, NIST Special Publication 800-61 Rev. 3, National Institute of Standards and Technology, Apr. 2025, doi: 10.6028/NIST.SP.800-61r3

  39. [39]

    Enhancing industrial cybersecurity with virtual lab simulations,

    H. Hmiddouch, A. Villafranca, R. Castro, V. Dubetskyy, and M.-D. Cano, "Enhancing industrial cybersecurity with virtual lab simulations,"International Journal of Advanced Computer Science and Applications, vol. 16, no. 5, pp. 40–50, 2025

  40. [40]

    Ransomware threat and its impact on SCADA,

    U. J. Butt, M. Abbod, A. Lors, H. Jahankhani, A. Jamal, and A. Kumar, "Ransomware threat and its impact on SCADA," inProc. 12th International Conference on Global Security, Safety and Sustainability (ICGS3), 2019, doi: 10.1109/ICGS3.2019.8688327

  41. [41]

    Ransomware impact to SCADA systems and its scope to critical infrastructure,

    J. Ibarra, U. J. Butt, A. Do, H. Jahankhani, and A. Jamal, "Ransomware impact to SCADA systems and its scope to critical infrastructure," inProc. 2019 IEEE 12th Interna- tional Conference on Global Security, Safety and Sustainability (ICGS3), 2019, pp. 1–12, doi: 10.1109/ICGS3.2019.8688299

  42. [42]

    Digital forensic analysis of LockBit ran- somware attack on operational technology,

    N. Suk-on, N. Thiratitsakun, and K. Chimmanee, "Digital forensic analysis of LockBit ran- somware attack on operational technology," inProc. 8th International Conference on Information 41 Technology (InCIT), 2024, pp. 624–629, doi: 10.1109/InCIT63192.2024.10810564

  43. [43]

    Development of a hybrid exercise for organizational cyber resilience,

    Y. Ota, E. Mizuno, K. Watarai, T. Aoyama, T. Hamaguchi, Y. Hashimoto, and I. Koshi- jima, "Development of a hybrid exercise for organizational cyber resilience," inSafety and Security Engineering IX, WIT Transactions on the Built Environment, vol. 206, WIT Press, 2021, pp. 55–65, doi: 10.2495/SAFE210051

  44. [44]

    Towards the defini- tion of a security incident response modelling language,

    M. Athinaiou, H. Mouratidis, T. Fotis, M. Pavlidis, and E. Panaousis, "Towards the defini- tion of a security incident response modelling language," inTrust, Privacy and Security in Digital Business, LNCS 11033, Springer, 2018, pp. 198–212, doi: 10.1007/978-3-319-98385-1_14

  45. [45]

    A. J. Staves,Operational Technology Preparedness: A Risk-Based Safety Approach to Scop- ing Security Tests for Cyber Incident Response and Recovery, Ph.D. dissertation, Lancaster Uni- versity, 2023, doi: 10.17635/lancaster/thesis/2111

  46. [46]

    Cyber resilience in industrial networks: A state of the art, challenges, and future directions,

    T. N. I. Alrumaih, M. J. F. Alenazi, N. A. AlSowaygh, A. A. Humayed, and I. A. Alablani, "Cyber resilience in industrial networks: A state of the art, challenges, and future directions," Journal of King Saud University - Computer and Information Sciences, vol. 35, no. 9, Art. no. 101781, 2023, doi: 10.1016/j.jksuci.2023.101781

  47. [47]

    Cyber-physical systems security: A systematic review,

    H. Harkat, L. M. Camarinha-Matos, J. Goes, and H. F. T. Ahmed, "Cyber-physical systems security: A systematic review,"Computers & Industrial Engineering, vol. 188, Art. no. 109891, 2024, doi: 10.1016/j.cie.2024.109891

  48. [48]

    Cyber-physical security vulnerabilities identification and classification in smart manufacturing,

    M. Rahman and M. S. Shafae, "Cyber-physical security vulnerabilities identification and classification in smart manufacturing," arXiv preprint, 2025

  49. [49]

    Dependency-based security risk assessment for cyber- physical systems,

    M. Akbarzadeh and S. Katsikas, "Dependency-based security risk assessment for cyber- physical systems,"International Journal of Information Security, 2023

  50. [50]

    Threat modeling of industrial control systems: A systematic literature review,

    S. M. Khalil, H. Bahsi, and T. Korõtko, "Threat modeling of industrial control systems: A systematic literature review,"Computers & Security, vol. 136, Art. no. 103543, 2024, doi: 10.1016/j.cose.2023.103543

  51. [51]

    Modelling and simulating organizational ransomware recovery: Structure, methodology, and decisions,

    M.-C. Ilau, A. Baldwin, T. Caulfield, and D. Pym, "Modelling and simulating organizational ransomware recovery: Structure, methodology, and decisions,"Journal of Cybersecurity, vol. 11, no. 1, Art. no. tyaf035, 2025, doi: 10.1093/cybsec/tyaf035

  52. [52]

    JBS USA and Pilgrim’s announce resolution of cyberattack,

    JBS USA, "JBS USA and Pilgrim’s announce resolution of cyberattack," company press release, Jun. 3, 2021. [Online]. Available:https://jbsfoodsgroup.com/articles/jbs-usa-and -pilgrim-s-announce-resolution-of-cyberattack. Accessed: Apr. 29, 2026. 42

  53. [53]

    JBS USA cyberattack media statement - June 9,

    JBS USA, "JBS USA cyberattack media statement - June 9," company press release, Jun. 9, 2021. [Online]. Available:https://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-m edia-statement-june-9. Accessed: Apr. 29, 2026

  54. [54]

    Statement on cyber incident,

    Jaguar Land Rover Automotive plc, "Statement on cyber incident," JLR Media Newsroom, Sep. 29, 2025. [Online]. Available:https://media.jaguarlandrover.com/news/2025/09/state ment-cyber-incident-6. Accessed: Apr. 29, 2026

  55. [55]

    Update on system disruption due to cyberattack (2nd),

    Asahi Group Holdings, Ltd., "Update on system disruption due to cyberattack (2nd)," Newsroom, Oct. 3, 2025. [Online]. Available:https://www.asahigroup-holdings.com/en/new sroom/detail/20251003-0204.html. Accessed: Apr. 29, 2026

  56. [56]

    Offline backups in an online world,

    J. L., "Offline backups in an online world," National Cyber Security Centre blog, 2017. [Online]. Available:https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-w orld. Accessed: Apr. 29, 2026

  57. [57]

    [Online]

    European Union Agency for Cybersecurity,ENISA Threat Landscape 2024, ENISA, 2024. [Online]. Available:https://www.enisa.europa.eu/publications/enisa-threat-landscape -2024. Accessed: Apr. 29, 2026

  58. [58]

    A brief overview of the main incidents in industrial cybersecurity: Q1 2025,

    Kaspersky ICS CERT, "A brief overview of the main incidents in industrial cybersecurity: Q1 2025," Kaspersky ICS CERT, Jun. 26, 2025. [Online]. Available:https://ics-cert.kasper sky.com/publications/reports/2025/06/26/a-brief-overview-of-the-main-incidents-i n-industrial-cybersecurity-q1-2025/. Accessed: Apr. 29, 2026

  59. [59]

    Dragos’s 8th annual OT cybersecurity year in review is now available,

    Dragos, "Dragos’s 8th annual OT cybersecurity year in review is now available," Dragos Blog, 2025. [Online]. Available:https://www.dragos.com/blog/dragos-8th-annual-ot-cyber security-year-in-review-is-now-available. Accessed: Apr. 29, 2026

  60. [60]

    [Online]

    Google Cloud/Mandiant,M-Trends 2025, Google Cloud, 2025. [Online]. Available:https: //cloud.google.com/security/resources/m-trends. Accessed: Apr. 29, 2026

  61. [61]

    Microsoft defense against ransomware, extortion, and intrusion,

    Microsoft, "Microsoft defense against ransomware, extortion, and intrusion," Microsoft Learn. [Online]. Available:https://learn.microsoft.com/en-us/security/ransomware/. Accessed: Apr. 29, 2026

  62. [62]

    [Online]

    Cybersecurity and Infrastructure Security Agency,Cross-Sector Cybersecurity Performance Goals, CISA. [Online]. Available:https://www.cisa.gov/cross-sector-cybersecurity-perfo rmance-goals. Accessed: Apr. 29, 2026

  63. [63]

    C. Pascoe, S. Quinn, and K. Scarfone, The NIST Cybersecurity Framework (CSF) 2.0, NIST Cybersecurity White Paper 29, National Institute of Standards and Technology, Feb. 2024, doi: 10.6028/NIST.CSWP.29

  64. [64]

    International Electrotechnical Commission, IEC 62443: Industrial communication networks – Network and system security, IEC 62443 series, Geneva, Switzerland

  65. [65]

    D. Dolev and A. C. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983, doi: 10.1109/TIT.1983.1056650

  66. [66]

    B. Kitchenham and S. Charters, Guidelines for Performing Systematic Literature Reviews in Software Engineering, EBSE Technical Report EBSE-2007-01, Keele University and Durham University, 2007

  67. [67]

    M. J. Page et al., "The PRISMA 2020 statement: An updated guideline for reporting systematic reviews," BMJ, vol. 372, Art. no. n71, 2021, doi: 10.1136/bmj.n71

  68. [68]

    V. Garousi, M. Felderer, and M. V. Mantyla, "Guidelines for including grey literature and conducting multivocal literature reviews in software engineering," Information and Software Technology, vol. 106, pp. 101–121, 2019, doi: 10.1016/j.infsof.2018.09.006

  69. [69]

    K. Petersen, R. Feldt, S. Mujtaba, and M. Mattsson, "Systematic mapping studies in software engineering," in Proc. 12th International Conference on Evaluation and Assessment in Software Engineering (EASE), 2008, pp. 68–77

  70. [70]

    C. Wohlin, "Guidelines for snowballing in systematic literature studies and a replication in software engineering," in Proc. 18th International Conference on Evaluation and Assessment in Software Engineering (EASE), 2014, Art. no. 38, doi: 10.1145/2601248.2601268

  71. [71]

    Joint Task Force, Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Rev. 5, National Institute of Standards and Technology, Sep. 2020, doi: 10.6028/NIST.SP.800-53r5

  72. [72]

    S. Rose, O. Borchert, S. Mitchell, and S. Connelly, Zero Trust Architecture, NIST Special Publication 800-207, National Institute of Standards and Technology, Aug. 2020, doi: 10.6028/NIST.SP.800-207

  73. [73]

    M. Swanson, P. Bowen, A. W. Phillips, D. Gallup, and D. Lynes, Contingency Planning Guide for Federal Information Systems, NIST Special Publication 800-34 Rev. 1, National Institute of Standards and Technology, May 2010, doi: 10.6028/NIST.SP.800-34r1

  74. [74]

    P. A. Grassi, M. E. Garcia, and J. L. Fenton, Digital Identity Guidelines, NIST Special Publication 800-63-3, National Institute of Standards and Technology, Jun. 2017, doi: 10.6028/NIST.SP.800-63-3

  75. [75]

    Cybersecurity and Infrastructure Security Agency, "Known Exploited Vulnerabilities Catalog," CISA. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. Accessed: Apr. 29, 2026

  76. [76]

    National Cyber Security Centre, "Small Business Guide: Response and recovery," NCSC guidance. [Online]. Available: https://www.ncsc.gov.uk/collection/small-business-guide/response-and-recovery. Accessed: Apr. 29, 2026

  77. [77]

    A. Aljoghaiman and V. P. K. Sundram, "Mitigating ransomware risks in manufacturing and the supply chain: A comprehensive security framework," International Journal of Cyber Criminology, vol. 17, no. 2, pp. 231–249, 2023, doi: 10.5281/zenodo.4766714

  78. [78]

    S. Maesschalck, A. Staves, R. Derbyshire, B. Green, and D. Hutchison, "Walking under the ladder logic: PLC-VBS: A PLC control logic vulnerability scanning tool," Computers & Security, vol. 127, Art. no. 103116, 2023, doi: 10.1016/j.cose.2023.103116

  79. [79]

    M. Musluoglu, N. Kunicina, and J. Caiko, "Vulnerability assessment of industrial control systems for Colonial Pipeline and WannaCry ransomware," in Proc. IEEE 65th International Scientific Conference on Power and Electrical Engineering of Riga Technical University (RTUCON), 2024, doi: 10.1109/RTUCON62997.2024.10830848

  80. [80]

    Norsk Hydro ASA, "Cyber attack on Hydro," 2019. [Online]. Available: https://www.hydro.com/en/global/media/on-the-agenda/cyber-attack/. Accessed: Apr. 29, 2026

Showing first 80 references.