Abstract
The formal term "Information Technology" (IT) first appeared in the Harvard Business Review in 1958 and refers to the combination of hardware, software, services, and infrastructure that delivers data, voice, and video to domestic users. The concept of IT existed before 1958, but the information age of the late 20th century marked the beginning of its widespread use. The term Operational Technology (OT) emerged in 2006 in a Gartner Group research paper. OT came to refer to the software and hardware systems that monitor and control devices, processes, and events to ensure the performance of industrial operations such as power grids and water treatment facilities. With increased reliance upon IT, the field of security and digital forensics grew. OT developed differently: the strict requirement of system availability created obstacles to capturing data. Developers created several OT testbeds that serve as playgrounds for researchers to study system data without impacting system availability or operations. The operational data and attack simulations from these testbeds serve as the focal point for continued research aimed at giving OT systems protection comparable to that of IT systems. OT systems are normally divided into three key operation zones that involve hundreds of components and processes. The first zone is the Enterprise Zone, which closely resembles an IT network. This is where the Industrial Control Systems (ICS) business network is connected to the larger Internet. ICS forensics differs from conventional IT forensics because of several unique features: real-time operations, proprietary protocols, legacy systems, safety constraints, and limited storage and logs. The second zone is the control zone, which operates with safety and reliability as its main priorities. At this point, OT is unlike its IT relative and requires a tailored security solution. The final zone is the field zone or operations zone, which oversees automation and control.
Current studies provide simulated OT operational data for testing, with some also providing simulated attack behaviors for further research. Most previous studies used machine learning or Artificial Intelligence (AI) for comparative analysis of normal and attack-simulated data. The Hardware-in-the-loop (HIL) Based Augmented ICS (HAI) dataset was collected from a realistic ICS testbed augmented with a simulator that emulates steam-turbine power generation and pumped-storage hydropower generation. Four versions of the dataset have been produced and made public for further research, and they have been used in competitions to explore alternative methods for anomaly detection in day-to-day operations. Python is the most widely used language in current ICS anomaly research and offers good analytical tooling; however, an alternative is R. R, a language designed for statistical computing and graphics, is particularly suitable for anomaly detection because of its wide range of packages for time-series analysis, clustering, outlier detection, and log correlation. R's core strength is statistical modeling and data visualization, which would enhance ICS data analysis; its anomalize, changepoint, and forecast packages are especially relevant. Anomaly detection in ICS data typically involves identifying deviations from normal patterns in sensor readings, control commands, or network traffic. The anomalize package could be used to compare baseline data from any of the datasets with suspect datasets and flag outliers that would highlight possible attacks or probes. The output would provide a detailed visualization for comparing normal data with possible attacks (Kumar and Patel, 2021).
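The baseline-versus-suspect comparison described above, as an added example that is not part of the paper: it constructs a one-minute sensor series standing in for a single HAI sensor column, injects a short step into a copy of it, and runs the anomalize package's decompose, score, and recompose pipeline on both captures. The frequency and trend windows, the step size, and the column name `value` are assumptions chosen for the constructed data, not values from HAI.

```r
# Added example (not from the paper): flag outliers in an ICS sensor
# series with the anomalize package and compare a baseline capture
# with a suspect capture. All data below is constructed.
library(dplyr)
library(tibble)
library(anomalize)

set.seed(42)
# Constructed baseline: 3 days of 1-minute samples of normal operation,
# a slow daily cycle plus measurement noise.
n <- 3 * 24 * 60
baseline <- tibble(
  time  = seq(as.POSIXct("2026-01-01 00:00:00", tz = "UTC"),
              by = "1 min", length.out = n),
  value = 50 + 5 * sin(2 * pi * seq_len(n) / (24 * 60)) + rnorm(n, sd = 0.3)
)

# Constructed suspect capture: same process with an injected 20-minute
# step in the reading, the kind of deviation an analyst would triage.
suspect <- baseline
suspect$value[2000:2020] <- suspect$value[2000:2020] + 8

# STL-decompose the series, score the remainder with the IQR method,
# then recompose so the flagged bounds are on the original scale.
detect <- function(series) {
  series %>%
    time_decompose(value, method = "stl",
                   frequency = "1 day", trend = "2 days") %>%
    anomalize(remainder, method = "iqr", alpha = 0.05) %>%
    time_recompose()
}

result_base    <- detect(baseline)
result_suspect <- detect(suspect)

# Flag counts per capture; a jump relative to the baseline is the
# signal that warrants a closer forensic look.
sum(result_base$anomaly == "Yes")
sum(result_suspect$anomaly == "Yes")

# Timestamps and observed values of the flagged points.
result_suspect %>%
  filter(anomaly == "Yes") %>%
  select(time, observed)

# Visual comparison of observed values against the recomposed bounds.
plot_anomalies(result_suspect, time_recomposed = TRUE)
```

Substituting a real HAI column for `value` only requires renaming the target in `detect()`; the remaining steps are unchanged.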
Recommended Citation
Roberts-Cooper, Kelly L., "Post-incident Forensic Analysis of Industrial Control Systems (ICS)" (2026). AMCIS 2026 TREOs. 128.
https://aisel.aisnet.org/treos_amcis2026/128