Key points are not available for this paper at this time.
Cross‐layer forensic investigation is addressed for Industrial Internet of Things (IIoT) device attacks in Critical Infrastructure (CI) applications. The operational motivation for cross‐layer investigation is provided by the desire to directly correlate bit‐level network anomaly detection with physical layer (PHY) device connectivity and/or status (normal, defective, attacked, etc.) at the time of attack. The technical motivation for developing cross‐layer techniques is motivated by (a) having considerable capability in place for Higher‐Layer Digital Forensic Information exploitation—real‐time network cyberattack and postattack analysis, (b) having considerably less capability in place for Lowest‐Layer PHY Forensic Information exploitation—the PHY domain remains largely under exploited, and (c) considering cyber‐physical integration as a means to jointly exploit higher‐layer digital and lowest‐layer PHY forensic information to maximize investigative benefit in IIoT cyber forensics. A delineation of higher‐layer digital and lowest‐layer PHY elements is provided for the standard network Open Systems Interconnection model and the specific Perdue Enterprise Reference Architecture commonly used in IIoT Industrial Control System/Supervisory Control and Data Acquisition applications. A forensics work summary is provided for each delineated area based on selected representative publications and provides the basis for presenting the envisioned cross‐layer forensic investigation. This article is categorized under: Digital and Multimedia Science > Cyber Threat Intelligence Digital and Multimedia Science > IoT Forensics
Rondeau et al. (Tue,) studied this question.