Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Identifying indicators of compromise against cyber-attacks in industrial control systems

Asiri, Mohammed 2025. Identifying indicators of compromise against cyber-attacks in industrial control systems. PhD Thesis, Cardiff University.
Item availability restricted.

PDF (Mohammed Asiri, PhD, Thesis) - Accepted Post-Print Version, 18MB. Restricted to Repository staff only until 14 January 2027 due to copyright restrictions. Available under License Creative Commons Attribution Non-commercial No Derivatives.

PDF (Cardiff University Electronic Publication Form), 306kB. Restricted to Repository staff only.

Abstract

Industrial Control Systems (ICSs) underpin critical infrastructure yet face escalating cyber-physical threats. Despite a decade of incident-response efforts, operators still lack a systematic way to recognize early evidence that an intrusion has crossed from cyber networks into safety-critical processes. In this thesis, we investigated how Indicators of Compromise (IoCs) enhance threat detection through systematic identification, empirical evaluation, and quantitative impact assessment. We synthesized over 150 literature sources to identify 13 ICS-specific IoCs spanning both the cyber and physical domains, including control logic modifications, historian read anomalies, and industrial protocol irregularities. We mapped each indicator to documented attack patterns, establishing a taxonomy that bridges IT security with industrial operations. A survey of 52 ICS security professionals revealed gaps between theoretical capabilities and operational realities. Network-based IoCs proved universally valuable (rated of high importance by 100% of respondents), while field device data showed extreme volatility (96.9%). Human analysts remained essential, with 95% of respondents supporting human-in-the-loop approaches despite alert fatigue. Reported barriers included inadequate logging, organizational silos, and cognitive overload arising from cyber-physical interdependencies. We developed ARCSG, an integrated co-simulation framework combining network emulation, control system simulation, and power system modeling, which captures Modbus TCP communications with sub-millisecond precision. In false command injection scenarios, ARCSG detected unauthorized operations and correlated them with physical anomalies, demonstrating scalable IoC extraction across domains. We introduced four quantitative metrics of operational degradation: System Control Reach Coverage, Structural Controllability Index, Structural Observability Margin, and Substation Observability Score. Validation through three attack scenarios on the IEEE 39-bus system revealed severe impacts. False command injection caused 32.6% observability degradation and an 800% increase in observable islands. Load redistribution reduced controllability by 40.2% while creating deceptive improvements in the metrics. False data injection compromised 53.6% of measurements while masking fragmentation. Our work establishes foundations for operationally grounded cyber-physical security and provides practitioners with deeper insight into threat detection, incident analysis, and industrial decision-making.
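The abstract describes extracting IoCs from captured Modbus TCP traffic and correlating unauthorized commands with physical anomalies. The following Python sketch is an added example of that style of analysis; it is not code from the thesis and not part of ARCSG. It parses Modbus/TCP ADUs, raises network-side indicators (a non-zero MBAP protocol id, a wrong MBAP length, a write function code from a host outside an allowlist), and then tries to explain each physical state change by a preceding write to the tag concerned. The hosts, unit ids, coil-to-tag map, allowlist, look-back window, and captured frames are all constructed assumptions.

```python
"""Modbus/TCP indicator-of-compromise checks with cyber-physical correlation.

Added example, not code from the thesis or from ARCSG. All hosts, tags,
addresses and traffic below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed engineering context: which (outstation, function, address) drives which
# physical tag, and which hosts are permitted to issue writes.
TAG_MAP = {("10.0.0.50", 5, 1): "CB_1"}          # coil 1 on the RTU trips breaker CB_1
ALLOWED_WRITERS = {"10.0.0.10"}                  # the HMI/SCADA master


@dataclass
class ModbusFrame:
    src: str
    dst: str
    t_ms: int
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes

    @property
    def address(self):
        """Start address for request PDUs that carry one (reads and writes)."""
        return struct.unpack(">H", self.data[:2])[0] if len(self.data) >= 2 else None


def build_adu(tid, unit_id, function, data, protocol_id=0):
    """Encode a Modbus/TCP ADU: MBAP (tid, pid, length, unit) + PDU (fc, data)."""
    length = 2 + len(data)                       # unit id + function code + data
    return struct.pack(">HHHBB", tid, protocol_id, length, unit_id, function) + data


def parse_adu(src, dst, t_ms, payload):
    """Decode one ADU. Raises ValueError if it cannot hold MBAP + function code."""
    if len(payload) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    return ModbusFrame(src, dst, t_ms, tid, pid, length, uid, fc, payload[8:])


def frame_iocs(frame, allowed_writers=ALLOWED_WRITERS):
    """Network-side indicators raised by a single frame."""
    iocs = []
    if frame.protocol_id != 0:
        iocs.append(f"protocol irregularity: MBAP protocol id {frame.protocol_id} != 0")
    if frame.length != 2 + len(frame.data):
        iocs.append(f"protocol irregularity: MBAP length {frame.length} != {2 + len(frame.data)}")
    if frame.function in WRITE_FUNCTIONS and frame.src not in allowed_writers:
        iocs.append(f"unauthorized {WRITE_FUNCTIONS[frame.function]} from {frame.src} "
                    f"to {frame.dst} addr {frame.address}")
    return iocs


def correlate(frames, physical_events, window_ms=5000, allowed_writers=ALLOWED_WRITERS):
    """Cross-domain indicators: explain each physical state change by a preceding write.

    physical_events: list of (t_ms, tag, new_state). A change with no authorized write
    to its tag inside the look-back window is flagged, naming the rogue writer if any.
    """
    findings = []
    for t, tag, state in physical_events:
        writes = [f for f in frames
                  if f.function in WRITE_FUNCTIONS
                  and TAG_MAP.get((f.dst, f.function, f.address)) == tag
                  and t - window_ms <= f.t_ms <= t]
        if any(f.src in allowed_writers for f in writes):
            continue                              # legitimately commanded change
        if writes:
            findings.append(f"{tag}->{state} at {t} ms traced to unauthorized write from "
                            f"{writes[-1].src} at {writes[-1].t_ms} ms")
        else:
            findings.append(f"{tag}->{state} at {t} ms with no commanding write in window")
    return findings


# Constructed capture: an authorized setpoint write, a rogue coil write that opens CB_1,
# and a malformed read carrying a non-zero protocol id.
CAPTURE = [
    ("10.0.0.10", "10.0.0.50", 0,    build_adu(1, 1, 6, struct.pack(">HH", 40, 1200))),
    ("10.0.0.99", "10.0.0.50", 1500, build_adu(7, 1, 5, struct.pack(">HH", 1, 0x0000))),
    ("10.0.0.99", "10.0.0.50", 1600, build_adu(8, 1, 3, struct.pack(">HH", 0, 10), protocol_id=1)),
]
PHYSICAL = [(1510, "CB_1", "OPEN")]               # constructed breaker state change


def analyse(capture=CAPTURE, physical=PHYSICAL):
    """Return (network IoCs, cross-domain findings) for a capture and its physical events."""
    frames = [parse_adu(*rec) for rec in capture]
    network = [ioc for f in frames for ioc in frame_iocs(f)]
    return network, correlate(frames, physical)


if __name__ == "__main__":
    network, physical = analyse()
    for line in network + physical:
        print(line)
```

The allowlist check is deliberately per source host rather than per TCP session: in a false command injection the attacker often speaks well-formed Modbus, so the protocol itself offers nothing to flag and the indicator has to come from who is writing and whether a physical change can be accounted for by an authorized command.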

Item Type: Thesis (PhD)
Date Type: Completion
Status: Unpublished
Schools: Schools > Computer Science & Informatics
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
Funders: Saudi Government Scholarship
Date of First Compliant Deposit: 14 January 2026
Date of Acceptance: 12 January 2026
Last Modified: 15 Jan 2026 09:12
URI: https://orca.cardiff.ac.uk/id/eprint/183892
