Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

The world is experiencing a rapid growth of smart cities accelerated by Industry 4.0, including the Internet of Things (IoT), and enhanced by the application of emerging innovative technologies which in turn create highly fragile and complex cyber–physical–natural ecosystems. This paper systematically identifies peer-reviewed literature and explicitly investigates empirical primary studies that address cyber resilience and digital forensic incident response (DFIR) aspects of cyber–physical systems (CPSs) in smart cities. Our findings show that CPSs addressing cyber resilience and support for modern DFIR are a recent paradigm. Most of the primary studies are focused on a subset of the incident response process, the “detection and analysis” phase whilst attempts to address other parts of the DFIR process remain limited. Further analysis shows that research focused on smart healthcare and smart citizen were addressed only by a small number of primary studies. Additionally, our findings identify a lack of available real CPS-generated datasets limiting the experiments to mostly testbed type environments or in some cases authors relied on simulation software. Therefore, contributing this systematic literature review (SLR), we used a search protocol providing an evidence-based summary of the key themes and main focus domains investigating cyber resilience and DFIR addressed by CPS frameworks and systems. This SLR also provides scientific evidence of the gaps in the literature for possible future directions for research within the CPS cybersecurity realm. In total, 600 papers were surveyed from which 52 primary studies were included and analysed.


Introduction
Industry 4.0, synonymously known as cyber-physical production systems (CPPSs), is a concept formed in 2011 at the Hannover Fair to describe how cyber-physical systems (CPSs) can be applied within production and manufacturing industries with enabled automation [1][2][3][4]. From the inception of the visionary notion specifically for factories and large-scale enterprises, CPSs' reach has extended beyond production enterprises linking the Industry 4.0 concept with aspects of smart city initiatives [3,4]. Smart cities have evolved and transformed over the past two decades becoming deeply integrated within the society facilitating an interconnected digital environment [3][4][5]. The growth of the urban population is estimated to reach 5 billion by 2030 globally [6]. A variety of definitions for the term "smart city" [7][8][9][10][11][12], its sectors and components [3,13-17], the variants [8] and concepts of the term "smart" [6,14,18-21] have been suggested. The description of smart cities is heterogeneous people through early changes detection [36] or application of digital forensics as a service in the context of smart homes [37]. Furthermore, connected appliances and app-based utility management will become the norm in connected homes [38] whilst automated congestion control, smart traffic lights or parking [39,40] will be part of smart cities' digitalization projects [14]. The cyber challenges in these smart sectors differ but the effect could be just as profound. For example, the ransomware attack against the San Francisco Municipal Transportation Agency's transport service only resulted in financial impact [41]. Cyberattacks including GPS ghosting, hijacking command and control systems, ransomware or attacks targeted at sensors, actuators or controllers could result in serious accidents and increase the pressure on healthcare systems.
Digital transformation utilising mobile and emerging technologies such as artificial-intelligence (AI)-enabled networked medical devices or wearable health sensors are identified as enablers for healthcare organisations. However, healthcare does not escape cyberattacks as learnt from the WannaCry incident in May 2017 affecting over 300,000 computers, some of which belonged to 80 National Health Service (NHS) Trusts across the UK [26,32,42].
Due to the attacks becoming more sophisticated and targeted, the countermeasures also need consistency and coordination [5,26,28,32]. Therefore, a new paradigm must address cyber threats and cybercrime. Formulating cyber resilience to counter cybersecurity threats is required to resist cyberattacks and continue to function effectively under adverse conditions [43]. Accepting that not all cyberattacks are avoidable and computer-related crime is on the increase, incident response (IR) becomes an important component of CPS security management [32] including the need for digital evidence (DE). Forensic DE gathering must be carried out without compromising the integrity and authenticity of the DE to ensure admissibility in a court of law [44]. Therefore, the cybersecurity paradigm needs to shift to withstand cyberattacks, to function effectively under adverse conditions and support digital forensic investigations by producing DE that is admissible in a court of law. Collaborative practice and interdisciplinary approaches across smart sectors based on threat information sharing could increase situational awareness and help deal with potential threats or incidents more effectively.
Although CPS-related research is an active area, there seems to be substantially less empirical research available on frameworks and systems that address CPS in smart cities. For example, the following study [45] defines its framework as a risk-based approach to reducing cybersecurity risk consisting of three tiers: core, profile and implementation. Another study [46] defines a CPS framework as activities and outputs that support CPS engineering, which provides not a one-size-fits-all approach but a flexible way to address cybersecurity across the physical, cyber and people dimensions. Therefore, to make a meaningful contribution, we use a broad definition for frameworks as a common carefully designed organising structure of multiple approaches [47][48][49]. Furthermore, systems described by the National Institute of Standards and Technology (NIST) as a combined set of complex and coherent elements that constitute a use-case [46] can operate in different smart city sectors creating highly complex systems of systems. Systems can be represented by scientific modelling to describe hypothetical behaviour of phenomena that are challenging to observe directly. To help discover contributions in the literature of the specific research area we include systems to gain a deeper understanding of addressing support for cyber resilience across the physical, cyber and people dimensions in cross-sector applications within smart cities [50,51].
Specifically, concerning frameworks and systems that address cyber resilience and modern digital forensics and incident response (DFIR), there appears to be a lack of available systematic literature reviews (SLRs) based on recognised methodology, comprehensive protocols and quality assessment. For instance, to identify how CPS-related frameworks and systems support cyber resilience and to determine the support for modern DFIR in smart cities it is important to conclude what research has been published and systematically review relevant and available studies. Therefore, one of the key objectives of this study is to identify the current gaps in this research area. Overarchingly, the focus of this paper is on reported empirical evidence in existing literature concerning cyber resilience and DFIR support in CPSs across smart city sectors. Traditionally, "resilience" in a mechanical context was the materials' resistance to shock, and in the conventional networking context resilience focused on fault tolerance; however, the scope of this term extends to the cybersecurity discipline. In this study, we consider cyber resilience as the ability of the frameworks addressing smart cities to resist cyberattacks across the physical and digital domains regardless of an external or insider attack [43,52-54].
A small number of SLR studies in the realm of CPS have been published. These are outlined to examine the difference between the authors' focus on topics and our research. The author of [55] performed an SLR focusing on smart grid and related cybersecurity. In this study, the author presents results aimed at addressing cybersecurity by identifying all standards which define cybersecurity requirements for smart grids and reviews applicable standards and guidelines. In reference [56], the authors provide analysis to address cybersecurity issues in an Industry 4.0 context and focus on the physical Internet-connected systems. The authors concentrated on four areas, the definition of concepts relevant to Industry 4.0 and cybersecurity, the industrial focus, the characterization of cybersecurity and the management of the cybersecurity issues. Authors in reference [57] presented their SLR findings concerning smart cities focusing on instrumented, interconnected and intelligent systems investigating four areas including security. One of the authors' conclusions was that little was mentioned in the newly emerging security and privacy challenges. Although the studies into this growing area of research provide valuable knowledge consolidation, they answer questions about the wider use of CPS and related cybersecurity. No other SLR on this research topic was found by the authors during the preparation of the study. The focus of our SLR remains specifically on CPS-related cyber resilience and modern DFIR informed by cyber threat intelligence (CTI) to strengthen and accelerate the cyber defence in smart cities. Narrative reviews were found to focus on various Internet of Things (IoT) aspects and applications addressing challenges, threats and solutions. For example, the authors in reference [58] provided a brief review of IoT concepts and models. 
The paper focused on the IoT network model and related modelling challenges from the interconnections' perspective and briefly discussed the concept of interdependent infrastructure resilience. Another recent study investigated the autonomy, integration and level of intelligence in emerging applications related to CPSs across a range of application domains in smart cities [59] including big data challenges and data and communication security. Further, the authors explored the intelligence and interconnectivity of systems into a shared environment from a simulation perspective. Interestingly, the study concluded that the security of collected data and distributed systems are a persistent challenge that must be continually addressed. They expressed the need to design systems with agility to react to the changing security landscape. A study focusing on the IoT from the edge computing perspective was published in reference [60]. The focus of this study was on improving IoT networks' performance utilising edge computing exploring the relevant confidentiality, integrity and availability strategies. Another survey [61] examined the integration of the IoT and fog/edge computing. The paper clarified the difference between CPSs and the IoT and investigated the relationships and issues affecting the IoT and fog/edge computing; however, the paper's approach remained high-level and general. All the previous studies address broader aspects related to the IoT, but do not specifically investigate CPSs with a focus on improving cyber resilience, the value of CTI- or CPS-specific DFIR support in smart cities. The field of research related to CPSs is still emerging, but the advancement is accelerating. Therefore, a comprehensive SLR is required focusing on ways that current CPSs deal with cyber resilience and DFIR to guide future research.
This paper's main aim is to provide a systematic literature review (SLR) that consolidates primary studies' research investigating what empirical evidence has been reported for existing frameworks and systems that address CPS cyber resilience in smart cities. Second, we investigate how current CPS applications address modern DFIR. Finally, we explore existing integration proposals or applications that leverage CPSs across smart city sectors to improve digital forensics. We critically examine existing research and use the insights to conclude with suggestions for future research. The remainder of this paper covers our methodology in Section 2 which also discusses the research questions and the protocol including the data extraction strategy. Section 3 contains the results, analysis and key findings from the included primary studies followed by a discussion in Section 4. Finally, the conclusion and future research suggestions are in Section 5.

Materials and Methods
The aim of this study was achieved with an evidence-based systematic literature review (SLR) as the means to objectively address our research questions. The protocol is based on the SLR guidelines for the computer engineering discipline proposed by Kitchenham and Charters [62]. These guidelines, which aim to present a rigorous and credible methodology, are based on three key phases: planning, conducting and reporting, as demonstrated in Figure 1. We demonstrate the discrete activities in each phase in the subsequent sections to allow replication of findings. Summarily, the core aspects of the systematic review protocol, the key contributions and the research questions are identified within the planning phase. The conducting phase consists of identifying the search strategy including the selection criteria for the primary studies, selection procedure, the search strings and the quality assessment criteria. This phase involves the development of the data extraction strategy, data synthesis and critical analysis. Finally, the information dissemination strategy is considered in the reporting phase. Each phase of the SLR is conducted iteratively to ensure a comprehensive evaluation. To maintain objectivity and mitigate bias, each phase was subject to a review and an approval process between the team before moving onto the next phase.
Smart Cities 2020, 3 FOR PEER REVIEW 5

Research Questions and Rationale
The main aim of this research is to identify and present scientific evidence of gaps in current research and help inform the direction for further research. The aim can be achieved by answering the following three research questions (RQs):
RQ1: How do existing frameworks and systems that address CPSs in smart cities support cyber resilience and what empirical evidence has been reported? Use cases and applications of CPSs have diversified, and complexities of these ecosystems have evolved. In addition to frameworks, we investigate how complex systems support cyber resilience identifying commonalities. Within the many diverse definitions used in existing studies addressing smart cities [7][8][9][10][11][12] and the numerous terminologies used in literature to describe frameworks and systems [51,52,63-65], providing an answer to RQ1 helps us compile a list of all existing and relevant frameworks and systems that address CPSs in smart cities supporting cyber resilience as defined by the scope of this SLR.

RQ2: How do the identified frameworks and systems in smart cities address modern digital forensics and incident response (DFIR)? Application of DFIR in the context of a smart city is a new field of study [37]. Whilst the research focuses on the applications of IoT-enabled CPSs, smart cities are found to be vulnerable to cyberattacks [40]. It is acknowledged that DFIR methodologies are lacking in smart city sectors [17,66] and research suggests that DFIR faces more challenges in smart cities than other forms of digital breach investigations [67]. However, apart from adding complexity to cyberspace, IoT-enabled CPSs create opportunities to facilitate modern DFIR [44]. RQ2 investigates how the components of the CPS frameworks help address modern DFIR.
RQ3: What are the current cross-sector proposals or applications in smart cities that attempt to utilise interactions in CPSs for the purpose of improving DFIR? This RQ explores the transferable solutions and cross-sector interactions between smart buildings, smart homes, smart healthcare, smart energy and others as illustrated in Figure 2. Despite digitalisation in smart cities, information security strategies are limited to the sector boundary with little evidence of cross-sector information security practice sharing [28]. We draw on the use of the term of cross-sector partnerships in reference [68] as intensive and long-term interactions between organisations from at least two sectors such as business and healthcare. Throughout this study, cross-sector collaborations are used as interactions to adopt, share or coordinate cyber defence practice between at least two different smart city sectors. To address the existing and emerging cyberattacks, transferable and innovative solutions should emerge from individual sectors within a smart environment to support modern digital forensics [28,68]. RQ1, RQ2 and RQ3 help uncover key themes and gaps in current literature and suggestions for future research direction.

The PICOC (population, intervention, comparison, outcomes, context) criteria, as demonstrated in Table 1, are used from an engineering point of view, as proposed by Kitchenham and Charters [62], to frame the research questions effectively.

Table 1. PICOC criteria.
Criteria: Description
Population: Frameworks addressing smart cities
Intervention: Digital forensic incident response (DFIR) frameworks that support cyber resilience
Comparison: Frameworks addressing cyber resilience
Outcomes: Scope, technique, security application and sector of the studies analysed
Context: Academic research

Primary Studies' Data Sources and the Search Strategy
Digital library (DL) sources for computer science research publications were used. To help answer the RQs, keywords representative of the research topic were pre-defined and a search string was constructed using Boolean operators, key terms and synonyms to fetch all relevant studies. The Boolean operators were limited to AND and OR. The following search string was used: ('Cyber Physical Systems' OR 'Cyber-Physical Systems' OR 'CPS' OR 'Cyber Physical Object' OR 'CPO' OR 'smart device' OR 'IoT device') AND ('cybersecurity' OR 'cybersecurity' OR 'cyber-resilience' OR 'resilience') AND ('smart cities' OR 'smart city') AND ('model' OR 'modeling' OR 'technique' OR 'framework' OR 'information modeling' OR 'modeling technique' OR 'analytical modeling' OR 'reference architecture' OR 'reference model' OR 'Security Solutions' OR 'IoT Architecture').
The DLs used in this SLR were the Institute of Electrical and Electronics Engineers (IEEE), Association of Computing Machinery Digital Library (ACM DL), Science Direct, Web of Knowledge and Scopus. The search string was aligned to the built-in options within the DLs' search engines to filter the results. Where possible, searches were performed to match the search string from the title, abstract, keywords, and the full text. The search of the specified DLs concluded by 5 April 2019 taking into consideration all studies returned by the defined search string published to that date. In addition to the set of studies produced through the search of the DLs, we applied a snowballing approach in our search strategy, as outlined by Wohlin [69], which produced a further set of relevant studies. This was a manual process applied to the studies collected by the pre-identified search criteria until no further studies met the inclusion criteria. Subsequent to identifying studies from the specific data sources using the defined search string, the rest of the protocol outlined in Sections 2.3-2.7 was applied to the studies identified by the initial search.

Selection Criteria
Rigorous inclusion and exclusion criteria, as defined in Table 2, were applied to the produced set of studies from the DLs to ensure that only relevant studies are retained in response to the research questions. Included studies must satisfy all inclusion criteria; that is, they must be primary, peer-reviewed, written in English and contain appropriate information on new applications or development of an existing mechanism for cyber resilience, modern DFIR or framework in CPSs, providing empirical findings.

Selection Process
The selection process consisted of three key phases as demonstrated in Figure 3. The authors have critically reviewed this.
Phase 0-Keyword Filtering. During this phase, the identified search string was applied to each of the DLs utilised returning a combined result of 441 research studies. These studies were passed through to the next phase.
Phase 1-Title, Indexing Keywords, Abstract, and Conclusion Filtering. Following the initial keyword filtering, in phase 0, the titles, indexing keywords, abstracts and conclusion were scrutinised against the inclusion criteria. Studies showing relevance to the research topic were included in the next phase. In this phase, 319 studies were excluded and 122 were put through to the final phase.
Phase 2-Full-Text Filtering. The full texts of the 122 studies were read. After applying the selection criteria in this final phase, some studies were excluded for several reasons. For example, references [37,70,71] did not include an empirical study, references [72][73][74] at the time of review were not peer-reviewed publications, reference [75] is not an English language study, reference [76] is a poster, and the focuses of references [77][78][79] were not specific to CPS cyber resilience or modern DFIR. Additionally, 10 studies were identified as duplicates and excluded from the final selection list. Snowballing identified an additional 159 studies. After applying the selection process, these studies were reduced to 19 after excluding nine duplicate studies and three PhD theses.
The final list of primary studies included in this SLR resulted in 52 articles, as shown in Figure 3.

Quality Assessment
Motivated by the guidance in reference [62], a checklist was developed according to references [80,81] to make sure all included studies satisfy quality assessment (QA) criteria. This evidence-based approach assesses the validity of experimental data and reduces bias. The following QA criteria were applied: Phase 1: CPS. The study must be focused predominantly on CPS security or the application of the CPS framework to a specific cyber resilience problem and appropriately documented.
Phase 2: Context. The context of the study must be provided in sufficient detail to accurately interpret the research.
Phase 3: Detail. The framework details are critical to answering RQ1 and RQ2. Sufficient detail about the approach to build the framework and comparison with other approaches must be presented clearly in assisting to answer RQ3.
Phase 4: Data. Sufficient detail about the type of training and test data identified and how the data was acquired, measured and reported must be provided clearly to determine the accuracy of the results reported.

Validation Process
A random set of 30 primary studies from the pool of studies were selected and had the inclusion/exclusion criteria re-applied to validate the effectiveness and the objectivity of the process application. A further 30 random primary studies were selected from the pool of studies and had the QA criteria applied to validate the effectiveness and the application of the quality assessment process.

Data Extraction Strategy
The data extraction was applied to the final 52 primary studies. Initially, the process and format were trialled on a subset of studies before extending the process to all included studies. The data were categorized, stored in a spreadsheet and tabulated using the following characteristics.
Context: year of publication, type of article, application of the study, sector, model type and security approach.
Qualitative data: the conclusion and future research directions provided by the authors were recorded.
Quantitative data: experiment observations were noted including the technique and dataset source.
To conclude, the protocol used in this SLR process, which is based on the Kitchenham and Charters guidelines [62], was rigorously applied and documented to objectively address the research questions. The resulting set of primary studies after applying the protocol is summarised in Figure 3. Therefore, this SLR consolidates previous research within the defined scope; however, the methodology used can be applied iteratively to studies beyond this SLR's defined scope as an extension and update of literature reviews to further expand the scientific body of knowledge.

Primary Studies
Applying our protocol revealed that no primary studies were published before 2011, suggesting that cyber resilience and DFIR addressed by CPS frameworks and systems in smart cities is a recent paradigm. Nevertheless, as Figure 4 shows, there is an upward trend in CPS-related research within smart cities addressing cyber resilience and modern DFIR, which indicates that this has emerged into an active research area. This trend will likely continue, as the number of studies published in the first quarter (Q1) of 2019 is just over half of the number published in 2018, as demonstrated in Table 3.

Keyword Analysis
To help establish common themes amongst the primary studies, a keyword analysis including all 52 primary studies was carried out. The frequency of specific keywords appearing in the primary studies is shown in Table 4. As the table captures, the second most frequently used keyword in the dataset is "System", closely followed by "Security", "Internet of Things" and "Cyber-Physical Systems" (CPSs). This shows an increasing research interest in the security of CPSs in the context of the IoT. Furthermore, the keyword "framework" indicates that it is an active but still emerging area of research interest in the context of CPS cyber resilience and support for DFIR. The dataset also demonstrates that there is a significant disparity in the research interest in "detection" compared to other aspects of CPS security. The keywords used in established investigation models and frameworks to define these investigation phases, including "Response", "Recovery" or "Prevention", rank lowest in the dataset. In addition, "Forensics" and "Cyber Resilience" also rank low in the dataset, indicating potential areas where further research is required. The asterisk (*) in this table is used to represent the variants considered during the keyword search: space, dash or continuous word without any space, i.e., 'cyber resilience', 'cyber-resilience', 'cyberresilience' and 'cyber security', 'cyber-security', 'cybersecurity'.

Key Themes
Our analysis of the primary studies shows several emerging themes and main focus domains, each of which is discussed within Sections 3.3.1-3.3.7.

Chronological Analysis of Key Events
The purpose of the chronological analysis is to examine the main determinants and the time correlation for the research distribution addressing CPS cyber resilience and modern DFIR in smart cities concerning the defined scope. To achieve this, the primary studies were organised in chronological order and classified depending on the year published and type of publication, as shown in Table 3. The trend shows that the first empirical study concerning this topic dates from 2011 and appeared in a conference proceeding. It is not until 2016 that there is an 8% increase in research for this subject area, with conference proceedings as the main outlet for the research publications. By 2017, the number of articles doubled, and it increased again in 2018. The differentiating factor was the high proportion of journal articles over publications from conference proceedings, whilst by the first calendar quarter (Q1) of 2019 the articles published in journals had reached over 75% of the studies published throughout the whole of 2018.
Further investigating the results from the chronological analysis, the following key years were highlighted as a potential influencing factor concerning the investigated CPS-related research developments: 2011, 2016, 2018.
2011. This year was defined by the Hannover Messe Fair, where the term "Industry 4.0" was born to describe the next industrial revolution, a vision of three German engineers. The first industrial revolution dates back to the end of the 18th century and introduced water and steam power; the second, at the turn of the 20th century, was centred around mass production using electricity; the third integrated IT and electronics into production systems; and the 4th industrial revolution introduces digital processing and implementation of the IoT into production. In this context, the concept and the vision have been established for CPSs for production systems. Industrie 4.0, the German origin of the Industry 4.0 term, is used synonymously with cyber-physical production systems [1,82]. In the post-recession output fall, the vision of Industry 4.0 elevated the German manufacturers and economy back into the spotlight [83,84].
2016. The creation of the UK's National Cyber Security Centre (NCSC) as the technical cybersecurity lead was a feature of this year. Furthermore, the investment and economic infrastructure plans announced in the National Infrastructure Delivery Plan in the UK [85] and the announcement of the significant cybersecurity fund as part of the USA's Cybersecurity National Action Plan also took place in 2016 [86]. The World Economic Forum (WEF) was also held in Davos. The WEF used the motto: "Mastering the Fourth Industrial Revolution" [87]. The event was attended by 2500 participants and 40 heads of states from 140 different countries discussing ideas to tackle global challenges sustainably with the aid of technology and the economic impact of Industry 4.0.
2018. In the USA, there was the notable creation of the Cybersecurity and Infrastructure Security Agency (CISA), responsible for protecting national critical infrastructure from physical and cyber threats. Australia released an update for its cybersecurity sector competitiveness plan outlining Australia's significant economic opportunities to become a "global cybersecurity powerhouse" [88]. Despite Industry 4.0 being a global phenomenon, countries are accelerating their local efforts in the Industry 4.0 race to lead the change and be the face of the new digital transformation. This era is characterized by high-capacity and low-latency 5G networks that will catapult digitalisation, which is predicted to create significant opportunities in many economic sectors. Furthermore, in terms of cybersecurity, the NCSC reported on the growing cybercrime threat, recording 34 significant cyberattacks that typically required cross-government responses over two years [42]. The government has explicitly acknowledged the need to improve the resilience of the UK's critical national infrastructure [89]. Because the transformation has not yet peaked, investment, grants and financial incentives continue to increase; therefore, research efforts continue [90,91].
Relating the primary studies' trend with the key events, we identify a link between the technological and economic landscape and cyber-resilience-centric research that addresses CPSs in smart cities. From the primary studies, it emerges that the trend in the increase of papers has been influenced by a strategic focus on cybersecurity; by improvements to the cybersecurity defence landscape, including the creation of the NCSC and CISA; and by significant investment in improving and strengthening the national critical infrastructures. These factors, coupled with efforts and initiatives exclusively focused on digital transformations to gain economic advantage, could explain the surge in research studies published from 2016 onwards.

Cyber Resilience Analysis
To address the question of how existing frameworks and systems that address CPSs in smart cities support cyber resilience, we consider the scope of resilience within the cybersecurity discipline and the evidence reported in the primary studies. To achieve this, the primary studies were organised in order of the reported evidence of how the cyberattacks across the physical and digital domains were addressed and how the external or insider threats were approached.
Cyber resilience is widely acknowledged by governments, including in the UK's National Cyber Security Strategy 2016-2021, which promotes cyberspace resilience by shaping technical standards that govern emerging technologies and by promoting best practices and security-by-design [5]. Nevertheless, the Joint Committee on National Security and Strategy acknowledged in its report that the UK Government must do more to improve the cyber resilience of the critical national infrastructure (CNI) [89]. Cyber resilience has been acknowledged as a challenge in the IoT; President Obama issued Executive Order (EO) 13636 to strengthen the critical infrastructure cybersecurity resilience. Likewise, improving cyber resilience is at the forefront of the Australian Government [88].
Despite many efforts to define the term "resilience" and although CPS resilience is accepted as an important aspect by the scientific community, governments and industry, it is a multi-dimensional and multi-disciplinary facet that has no clear and uniform definition or performance metrics [92,93]. The term resilience is described by the NIST as "[t]he ability to quickly adapt and recover from any known or unknown changes to the environment through a holistic implementation of risk management, contingency, and continuity planning" [94]. Furthermore, to evaluate CPS resilience, several areas of CPS resilience were studied including policy [95], correlation of resilience on probability and impact of performance under adverse conditions [96] and risk and resilience correlation [93].
The nature of CPSs is multi-dimensional, converging physical and cyber domains in a highly complex ecosystem integrating systems, software, people and services. In our approach to establishing how CPSs in smart cities support cyber resilience, we investigated the primary studies according to specific layers within the TCP/IP model (a standard model used in computer networks), according to modern general-purpose DFIR frameworks, by adversary type and by the smart sector covered by each study.
Layers were identified with reference to the TCP/IP model described in RFC 1122 [97]. The TCP/IP model consists of four layers which, from the lowest to the highest, are the link layer, the internet layer (network), the transport layer, and the application layer. The primary studies can be categorised into three layers: physical, communication (which aligns to the internet and transport layers of the TCP/IP model) and application. A similar categorization approach was taken by the authors of [92] to define CPS resilience. For example, the physical layer includes physical faults, component failure and the delivery of attacks through access within the security perimeter, including attacks on CPS controllers, sensors and actuators. The communication category includes communication-environment-based disruptions and attacks like denial of service (DoS), man-in-the-middle (MiM), the user-to-root type buffer overflow or the remote-to-user ftp write. The application category includes false data injection (FDI), malware and other attacks based on services, cloud storage and web applications. Some incidents can fit into more than one category [98].
DFIR Support was investigated concerning the phases that form the basic foundation of an IR plan according to general-purpose DFIR frameworks and standards such as the Digital Forensic Research Workshop (DFRWS), Abstract Digital Forensic Model (ADFM), NIST 800-61 and ISO/IEC 27050, from preparation to post-incident activities, to identify how the primary studies address this process.
Adversary Type was identified within each layer, where the threat can be caused by external or internal factors. We consider an internal threat to be a threat by an adversary initiated inside the security perimeter. Such an entity is authorised to access the systems or resources within the security perimeter but acts in a way that is not authorised. Examples include malicious or disgruntled employees or contractors who have direct access and sufficient knowledge of the system or the resource. In contrast, an external threat is initiated by an adversary from outside the security perimeter. Such an entity is not authorised to access or use the systems or resources and gains access through unauthorised or illegitimate attack vectors. We investigate how the primary studies address this aspect; a similar emphasis on this approach was followed by reference [92].
Smart Sectors will leverage CPS performance and resilience differently. CPSs operate across different smart sectors, therefore we identify the smart sectors as reported in the primary studies.
Several studies specifically focus on the applicability of resilience in terms of the CPS's ability to withstand disruptions, recover from and adapt to known and unknown threats, as shown in Table 5. For example, in their approach, reference [40] argued that optimisation between smartness and cyber resilience in a CPS is required for a balance between functionality and cybersecurity without compromising the systems' resilience. In this study, the percolation theory was used as the basis of evaluating the stress caused by disruptions. The authors in reference [99] argued that the absence of common security standards and flexible methods to assess IoT security requires dedicated testbeds to systematically evaluate the devices' resilience under various conditions. The study developed a security testbed framework for the IoT. The testbed consists of standard security testing predominantly based on well-established vulnerability scans and penetration testing methodologies including port scanning, process enumeration, fuzzing and fingerprinting. The advanced testing capabilities of the testbed are based on techniques and tools including machine learning (ML), traffic-based IoT device type identification, automatic anomaly detection and environment simulations. The number of test scenarios demonstrated the effectiveness of the testbed in detecting the IoT devices' resilience against attacks including denial of service (DoS). Another study [100] focused on CPS resilience mechanisms that can be applied during runtime to sustain resilience utilising self-healing structural adaptation. In the following study [101], the authors argued the importance of an interdisciplinary integrated approach between the cyber and physical layers. They asserted that cyber resilience-by-design must address two scopes to achieve overall resilience, the security controls, communication scope and the power engineers' scope to reinforce the weak points during the design. 
The study proposed an integrated cyber-physical sustainability metric framework to assess CPS cyber resilience. Further analysis investigating possible correlations with the emerging key themes discussed in this paper shows no clear geographical correlation. The studies, categorised in Table 5, except for [101], acknowledged grant funding. Time correlation was observed with a continued trend in the increase of primary studies focusing on cyber resilience in 2018 and Q1 2019. This trend could indicate a response to the emergence of new and diverse types of security-related incidents that have the potential to be damaging and disruptive.
The author in reference [102] argued that the key difference between control and information technology (IT) systems is the control systems' interaction with the physical world and concludes that to withstand cyberattacks, systems should be resilient by design. The author asserts that the risk to control systems is higher due to the exposure and availability of vulnerabilities combined with the increasing motivations and capabilities of the attackers. The paper focuses on sensor attacks and addresses ways of prioritising sensors. Attack types were studied using the Tennessee-Eastman process control system (TE-PCS) model [106]. An automatic response mechanism was introduced based on various system states, taking into consideration a false alarm response. The author's main conclusion was the strength of the TE-PCS's design resilience. Although the proposed principles and techniques could be applied to other physical processes and the false positive rate at 1000 simulation cycles was 0%, the automated response may not be appropriate for all control systems. The author cautions about a likely lack of resilience-by-design in large-scale control systems, which could remain vulnerable to several attack vectors. Further, the author in reference [104] defined a trustworthy service as one which secures against cyberattacks and operates normally despite faults or attacks. The authors proposed an IoT framework to integrate smart water systems (SWSs) with the IoT using a multilayer architecture trustworthy service and proposed that security issues should be addressed systematically by developers during the design and development of each IoT layer. Anomaly behaviour analysis (ABA) intrusion detection system (IDS) methodology was applied to protect the secure gateway from attacks utilising the Smart Water System Testbed. The secure gateway is part of the communication layer. 
The general detection rate of the ABA-IDS approach was over 90% for 600 packets/second intensity, with less than 3.5% recorded false alarm rate, with the fastest detection of 1 s and the slowest detection of a 4 s interval.
Other studies [52,101] focused on CNI such as power grids whilst urban systems were investigated by reference [40]. In reference [52], the resilience of five classical routing protocols applied in distributed large-scale networks was studied through simulation. Resilient techniques using route diversification were introduced to enhance the protocols' resilience against cyberattacks. The resilience was evaluated based on metrics consisting of five performance parameters which showed promising results. The communication layer was also the focus of [101] study, which proposed a new metric system framework to assess the reliability of large-scale distributed power systems. The author asserts the importance of combining the communication layer's cyber vulnerabilities with the physical layers' resilience for a meaningful assessment of the system sustainability. The following study [40] developed a network efficiency and resilience evaluation method for intelligent transportation systems (ITSs) in response to random and targeted attacks in urban areas. The author maintains that although the use of sensors is beneficial for automation, the infrastructure through their use becomes complex and liable to unknown and little understood vulnerabilities. The article concludes that the system's relative resilience was not sensitive to the levels of disruption. Integrity attacks were investigated by reference [105] proposing a global attack detection system for resilience against attacks on the railway traction systems. Resilience mechanisms that can be applied during runtime and are adaptable to the changing environment were studied by reference [99]. It is argued by reference [40] that the rate of integration of smartness in many systems proliferates at a greater rate than the ability to develop resilience whilst reference [100] identified resilience in the IoT as a significant challenge with research often focused only on one aspect or on a single attribute of resilience. 
Our results, as shown in Table 6, support this notion; for example, 46% of the primary studies considered the communication layer, whilst only 5% considered all three layers. We found that the communication layer had the most significant incremental trend in 2018, as presented in Figure 5, generally with an utmost focus across the smart industry and smart mobility sectors (Figure 6).
When investigating the adversary type, the results show that 19% of the primary studies considered internal and external threats in their research, as presented in Table 7. In 45% of the studies, the threat type was not sufficiently clarified. However, we observed a continued increase in studies focused on a combination of external and internal threats, as presented in Figure 7, generally with the greatest aggregation of studies in the smart infrastructure and smart mobility sectors (Figure 8).
Smart Cities 2020, 3 FOR PEER REVIEW 16
Some studies [52] addressed insider threats on smart devices such as smart meters, which can be compromised by an active attacker to disrupt the network communication. In addition to considering the compromise of the physical nodes, the study addresses the ability of the protocol to absorb the degradation following an insider attack. In [111], the study focuses on large-scale distributed CPSs and proposes a quantitative cyber-physical security assessment methodology, whilst Ref. [136] provides an overview and discusses related risk assessment methods. Another study [99] investigated external threats and articulated that the challenges of the IoT devices provide means for hackers to access such devices. Therefore, the proposed testbed aimed to facilitate the analysis of various types of IoT devices either by using the conventional penetration testing methodology or advanced security testing utilising a machine learning approach. Internal and external faults including malicious activity were addressed by other studies [14,100,129]. In reference [14], the focus of the paper is on a multiple characteristic association (MCA) approach to address cyberattacks and faults in electrical cyber-physical systems, and reference [129] utilised an attribute-based time-sensitive and location-centric access control model consisting of an administrative and an operational component with applicability to remote and local operations.

DFIR Analysis
Digital forensics forms a substantial part of IR in the cybersecurity sector; it is a recognised scientific methodology with a key focus on the process and verifiable conclusions. Although several published digital investigation models outline the steps for investigation by the forensic teams, there is no single uniform IR model. The simplest lifecycle for an investigation model consists of three stages: "acquisition", "analysis" and "reporting". However, with the increased penetration of digital technologies into modern lives, there were several revisions to the investigation stages. The U.S. Department of Justice (DoJ) proposed a four-stage process consisting of "acquisition", "identification", "evaluation" and "admission as evidence" [138]; the DFRWS model consists of six phases, namely "identification", "preservation", "collection", "examination", "analysis" and "presentation" [139]. The ADFM has expanded the process by three more stages: "preparation", "approach strategy" and "returning evidence" [140]. Due to the evolving sources of digital evidence, the digital and physical environments are closely converged where physical artefacts contain the digital evidence, which is reflected in the Integrated Digital Investigation Process (IDIP) consisting of five stages defined as "readiness", "deployment", "physical crime scene", "digital crime scene" and "review" [141]. Similar to the DFRWS model, ISO/IEC 27050-3:2017, a general-purpose framework for electronically stored information (ESI), was developed for digital investigations and contains seven stages: "identification", "preservation", "collection", "processing", "analysis", "review" and "production". In response to the frequency of emerging incidents, the National Institute for Standards and Technology published an IR procedure, NIST 800-61, consisting of four stages: "preparation", "detection and analysis", "containment, eradication and recovery" and finally "post-incident activity". 
In CPSs, IR is a complex, multifaceted problem crossing the physical and cybersecurity boundaries.
The primary studies were classified by their key themes into groups according to the NIST 800-61 IR stages [98]. The studies were determined to have focused predominantly on the detection and analysis stage, as shown in Table 8. Preparation is an important part of the IR. Apart from compiling assets, creating a communication plan, setting metrics or creating an incident plan for each type of incident, security event simulation is also a valuable part of this stage. Simulation or modelling helps identify gaps and determine and optimise which security events should be investigated and at what trigger; therefore, they provide a controlled opportunity to strengthen weaker areas and improve cyber resilience, which we discussed in the previous section. For example, the author in reference [13] proposed a novel framework using Fuzzy Analytic Hierarchy Process to evaluate and rank the cybersecurity challenges in smart cities. Amongst the 9 identified smart sectors (factors) and 32 sub-factors, smart security was rated highest for being influenced by cybersecurity challenges in smart cities. The results of the study placed the sub-factors identified as part of the smart security in the highest priority areas influenced by cybersecurity challenges, which were identified as "surveillance and biometrics" followed by "simulation and modeling" and "intelligent threat detection". Our results show that smart security sector studies do not have a specific focus on cyber resilience aspects (see Table 5), and the research focus relates predominantly to the communication layer threats (see Figure 6). A security-by-design (SbD) approach was proposed by reference [48], articulated as a framework to develop a highly secure and trustworthy smart car service and protect it from cyberattacks. The authors argue that ABA is a more suitable approach because of the sensors' low computational power and the resulting inapplicability of encryption techniques. 
The sensor profiling was accomplished by using the discrete wavelet transform (DWT) coefficients and the Euclidean distance was utilised for sensor classification. The presented results demonstrated an up to 95% accuracy for unknown and 98% for known attacks with a low false-positive rate.
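The profiling idea summarised above for reference [48] can be illustrated as follows. This is an added example, not code from that study or from this review: it assumes a three-level Haar wavelet, a threshold set at 1.5 times the worst training distance, and constructed sensor names and sample windows. It goes one step beyond the summary by also reporting which wavelet sub-band carries most of the deviation.

```python
import math

SQRT2 = math.sqrt(2.0)

def haar_dwt(window, levels=3):
    """Multi-level orthonormal Haar DWT.
    Returns [(band_name, coefficients), ...] ordered from coarse to fine."""
    if levels < 1 or len(window) % (1 << levels):
        raise ValueError("window length must be a multiple of 2**levels")
    approx, bands = list(window), []
    for level in range(1, levels + 1):
        pairs = list(zip(approx[0::2], approx[1::2]))
        bands.insert(0, (f"detail_{level}", [(a - b) / SQRT2 for a, b in pairs]))
        approx = [(a + b) / SQRT2 for a, b in pairs]
    return [("approx", approx)] + bands

def build_profile(windows, levels=3):
    """Sensor profile: mean DWT coefficient at every position over training windows."""
    transformed = [haar_dwt(w, levels) for w in windows]
    profile = []
    for idx, (name, _) in enumerate(transformed[0]):
        columns = zip(*(t[idx][1] for t in transformed))
        profile.append((name, [sum(c) / len(windows) for c in columns]))
    return profile

def distance(window, profile, levels=3):
    """Euclidean distance to a profile and the sub-band contributing most to it."""
    coeffs = haar_dwt(window, levels)
    per_band = {name: sum((x - y) ** 2 for x, y in zip(vals, ref))
                for (name, vals), (_, ref) in zip(coeffs, profile)}
    return math.sqrt(sum(per_band.values())), max(per_band, key=per_band.get)

def train(sensor_windows, margin=1.5, levels=3):
    """{sensor: [window, ...]} -> {sensor: (profile, threshold)}.
    Threshold rule (an assumption): worst training distance times a margin."""
    model = {}
    for name, windows in sensor_windows.items():
        profile = build_profile(windows, levels)
        worst = max(distance(w, profile, levels)[0] for w in windows)
        model[name] = (profile, worst * margin)
    return model

def classify(window, model, levels=3):
    """Nearest-profile classification; beyond the threshold the window is anomalous.
    Returns (label, distance, dominant_band)."""
    best = None
    for name, (profile, threshold) in model.items():
        dist, band = distance(window, profile, levels)
        if best is None or dist < best[1]:
            best = (name, dist, band, threshold)
    name, dist, band, threshold = best
    return (name if dist <= threshold else "anomalous", dist, band)

# --- Constructed sample data (hypothetical sensors, 16-sample windows) ---
OFFSETS = (-0.2, -0.1, 0.0, 0.1, 0.2)   # benign calibration drift seen in training

def wheel_speed(offset=0.0):
    return [50 + 4 * math.sin(2 * math.pi * k / 8) + offset for k in range(16)]

def engine_temp(offset=0.0):
    return [90 + math.sin(2 * math.pi * k / 16) + offset for k in range(16)]

MODEL = train({
    "wheel_speed": [wheel_speed(o) for o in OFFSETS],
    "engine_temp": [engine_temp(o) for o in OFFSETS],
})

SAMPLES = {
    "genuine": wheel_speed(0.15),        # unseen but benign drift
    "stuck_at": [50.0] * 16,             # sensor frozen at a constant value
    "bias": wheel_speed(3.0),            # constant offset added to every reading
    "hf_injection": [v + (1 if k % 2 == 0 else -1)
                     for k, v in enumerate(wheel_speed())],  # alternating +/-1 noise
}

if __name__ == "__main__":
    for case, window in SAMPLES.items():
        label, dist, band = classify(window, MODEL)
        print(f"{case:13s} -> {label:11s} distance={dist:6.2f} dominant band={band}")
```
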
Incident Detection and Analysis (IDA) is a key phase in IR because the response cannot be manifested without accurate detection. Although incident detection is considered a reactive approach, there are detectable events that precede an incident. The results from the primary studies show that the highest distribution in the detection and analysis stage of the IR model is in the smart infrastructure sector, as shown in Figure 9, and overall 67% of the sampled primary studies focus exclusively on cyberattack detection, as shown in Figure 10. The author in reference [107] presents a framework for smart homes and smart buildings addressing multiple layers and threat types. The study utilised ABA-IDS to continuously monitor, detect and classify cyberattacks against sensors with high accuracy. The study aimed to extend the methodology to other IoT security frameworks, such as smart water systems [104] and smart grid systems [108]. Both studies rely on ABA-IDS utilising the JRip classification algorithm, achieving up to 99.8% and 97.18% accuracy on their respective datasets. The ABA-IDS detection and the classification results for reference [107] were similar and in some instances exceeded the results of other state-of-the-art protection systems for smart grids. Different approaches were proposed to enhance the detection of cyberattacks in industrial control systems. For example, a secure water treatment plant often consists of distributed cyber infrastructures that control physical processes.
The author in reference [118] proposed a time automata (TA) approach, whilst another study [64] focused on a hybrid of machine learning combined with a specification-based detection. An orthogonal defence mechanism consisting of several intelligent checkers was used by the author in reference [51].
Figure 9. DFIR stages categorisation across smart sectors addressed by the primary studies. In this graph, multiple sectors addressed in a single study are reported individually to preserve sector visibility.

Containment, Eradication and Recovery (CER) is the part of the process where models and standards differ. Whilst NIST views the CER as a single step, SANS (SysAdmin, Audit, Network, and Security), DFRWS and ISO/IEC 27050-3:2017 view them as separate segments. Furthermore, the terminology used by different frameworks and standards to identify similar steps can vary. In the terminology used by NIST 800-61, containment aims to stop the attack or threat, eradication removes it, stopping cross-system proliferation, and recovery aims to return the system operation to business as usual.
Our figures show that only 13% of the primary studies investigate the CER segment of the IR procedure, as shown in Figure 10. For example, the focus of the following study [40] is on increasing the resilience rather than lowering risks to demonstrate system recovery from disruption. The author argues that smart development over resilience may benefit some smart systems to achieve recovery through automation by redistributing the traffic by using alternative routes. This is part of the investigated model's algorithm. However, the limitation of the study is its consideration of large and very large urban areas; therefore, the model's applicability was not tested on smaller urban areas. Furthermore, the modelled scenario captured only a limited set of ITS disruptions, therefore, the Figure 9. DFIR stages categorisation across smart sectors addressed by the primary studies. In this graph, multiple sectors addressed in a single study are reported individually to preserve sector visibility.
Smart Cities 2020, 3 FOR PEER REVIEW 19 effect of disruptions from different cyberattacks compared to those which were tested, and their method of recovery may vary. The author in reference [52] presents an interesting notion of extending the concept of resilience in networking to survivability, fault tolerance and security, however, acknowledges difficulties in defining quantitative metrics. Focusing on the internal threat, the reliance is on the protocol's capacity to absorb the attack under some failure behaviour and the resilient technique provides dynamicity to improve the self-healing capabilities of smart meters.
Another study with a focus on resilience mechanisms [100] proposes achieving self-healing through a structural adaptation approach by substituting failed components as a method of recovery for compromised CPSs. The author asserts that this is achievable provided the compromised component is redundant and can be isolated. The author in reference [107] proposed an IoT security framework and based on the detection of abnormal behaviour, recovery actions can be taken. Other studies acknowledge the elapsed period before IR starts after the attack occurs. For example, the study in reference [135] presents a hybrid solution of distributed and centralised continuously evolving trustbased intrusion detection model aggregating multiple trust data sources to enable an effective inflight network defence. The study claims, that following an abnormal patterns emergence, trust-value triggered IR with active defence is possible. Comparable to the results in Section 2, the results from the primary studies show that research often focused on one aspect of DFIR, see Figure 10. Post-Incident Activity (PIA) is one of the most important phases of the IR process, but it is most often omitted [143]. This phase provides an opportunity to contribute to continuous learning, an evidence-based body-of-knowledge and to form a robust CTI. The IR can be accelerated by having an effective and specific CTI context around an initial indicator [144]. Therefore, a review of what occurred and defining actionable advice that can be used to inform decisions in the IR's preparation phase are important to achieve a closure of the IR process. The PIA has not been addressed by the primary studies.

Data Source Analysis
Through this research, a lack of available real datasets from CPS systems was identified. Although experimentation was carried out, predominantly this was limited to software-based simulations (46%) and simulation infrastructure (42%) by the primary studies, as shown in Figure 11.

Containment, Eradication and Recovery (CER)
CER is the part of the incident response process where models and standards differ. Whilst NIST views CER as a single step, SANS (SysAdmin, Audit, Network, and Security), DFRWS and ISO/IEC 27050-3:2017 view containment, eradication and recovery as separate segments. Furthermore, the terminology used by different frameworks and standards to identify similar steps can vary. In NIST 800-61, containment aims to stop the attack or threat, eradication removes it and so stops cross-system proliferation, and recovery aims to return system operation to business as usual.
Our figures show that only 13% of the primary studies investigate the CER segment of the IR procedure, as shown in Figure 10. For example, the study in reference [40] focuses on increasing resilience rather than lowering risks, to demonstrate system recovery from disruption. The author argues that smart development over resilience may help some smart systems achieve recovery through automation, by redistributing traffic over alternative routes; this redistribution is part of the investigated model's algorithm. However, the study considered only large and very large urban areas; therefore, the model's applicability was not tested on smaller urban areas. Furthermore, the modelled scenario captured only a limited set of ITS disruptions; the effect of disruptions from cyberattacks other than those tested, and their method of recovery, may therefore vary. The author in reference [52] presents an interesting notion of extending the concept of resilience in networking to survivability, fault tolerance and security, but acknowledges difficulties in defining quantitative metrics. Focusing on the internal threat, the approach relies on the protocol's capacity to absorb the attack under some failure behaviour, and the resilient technique provides dynamicity to improve the self-healing capabilities of smart meters. Another study with a focus on resilience mechanisms [100] proposes achieving self-healing through a structural adaptation approach by substituting failed components as a method of recovery for compromised CPSs. The author asserts that this is achievable provided the compromised component is redundant and can be isolated. The author in reference [107] proposed an IoT security framework in which recovery actions can be taken based on the detection of abnormal behaviour.
Other studies acknowledge the period that elapses between the occurrence of an attack and the start of IR. For example, the study in reference [135] presents a hybrid distributed and centralised, continuously evolving trust-based intrusion detection model that aggregates multiple trust data sources to enable an effective in-flight network defence. The study claims that, once abnormal patterns emerge, trust-value-triggered IR with active defence is possible. Comparable to the results in Section 2, the results from the primary studies show that research often focused on one aspect of DFIR, see Figure 10.
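The condition attached to the structural adaptation approach of reference [100] above (substitution works only if the compromised component is redundant and can be isolated) can be checked mechanically. The sketch below is an added illustration, not code from the reviewed study or from this paper; the topology, the component names, the hot-standby model and the use of graph connectivity as the isolation criterion are all assumptions.

```python
from collections import deque


class CPSNetwork:
    """Toy CPS model: components have a functional role and bidirectional links."""

    def __init__(self):
        self.role = {}         # component name -> functional role
        self.links = {}        # component name -> directly linked components
        self.standby = set()   # wired-in spares that are not yet in service
        self.isolated = set()  # components cut off during containment

    def add(self, name, role, standby=False):
        self.role[name] = role
        self.links.setdefault(name, set())
        if standby:
            self.standby.add(name)

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def in_service(self):
        return set(self.role) - self.standby - self.isolated


def is_connected(net, nodes):
    """True if all components in `nodes` reach each other using only links inside `nodes`."""
    if not nodes:
        return True
    start = next(iter(nodes))
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in net.links[cur] & nodes:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen == nodes


def self_heal(net, compromised):
    """Isolate `compromised` and bring a spare into service, or say why that is unsafe."""
    if compromised not in net.in_service():
        return ("ignored", "component is not in service")
    # Redundancy check: a healthy standby with the same functional role must exist.
    spares = sorted(s for s in net.standby
                    if net.role[s] == net.role[compromised] and s not in net.isolated)
    if not spares:
        return ("escalate", "no redundant component")
    # Isolation check: the plant must stay fully connected once the swap is made.
    for spare in spares:
        remaining = (net.in_service() - {compromised}) | {spare}
        if is_connected(net, remaining):
            net.isolated.add(compromised)  # containment
            net.standby.discard(spare)     # recovery by substitution
            return ("substituted", spare)
    return ("escalate", "isolation would partition the network")


def build_plant():
    """Constructed sample topology, loosely shaped like a small water-treatment cell."""
    net = CPSNetwork()
    for name, role, standby in [
        ("hmi", "hmi", False), ("gateway", "gateway", False),
        ("plc_a", "plc", False), ("plc_b", "plc", True),
        ("level_1", "level_sensor", False), ("level_2", "level_sensor", True),
        ("flow_1", "flow_sensor", False), ("pump_1", "pump", False),
    ]:
        net.add(name, role, standby)
    for a, b in [
        ("hmi", "gateway"), ("gateway", "plc_a"), ("gateway", "plc_b"),
        ("plc_a", "pump_1"), ("plc_b", "pump_1"),
        ("plc_a", "level_1"), ("plc_b", "level_1"),
        ("plc_a", "level_2"), ("plc_b", "level_2"),
        ("level_1", "flow_1"),  # flow_1 is daisy-chained behind level_1
    ]:
        net.link(a, b)
    return net


if __name__ == "__main__":
    for target in ("plc_a", "gateway", "level_1"):
        print(target, "->", self_heal(build_plant(), target))
```

The two escalation cases are the ones that matter for response planning: a single gateway has no spare, and a sensor with a spare still cannot be cut out when another device is reachable only through it.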
Post-Incident Activity (PIA) is one of the most important phases of the IR process, but it is most often omitted [143]. This phase provides an opportunity to contribute to continuous learning, an evidence-based body-of-knowledge and to form a robust CTI. The IR can be accelerated by having an effective and specific CTI context around an initial indicator [144]. Therefore, a review of what occurred and defining actionable advice that can be used to inform decisions in the IR's preparation phase are important to achieve a closure of the IR process. The PIA has not been addressed by the primary studies.

Data Source Analysis
Through this research, a lack of available real datasets from CPS systems was identified. Although experimentation was carried out, in the primary studies it was predominantly limited to software-based simulations (46%) and simulation infrastructure (42%), as shown in Figure 11. The infrastructure-based simulations typically relied on testbeds to replicate real-life CPS device settings, such as the secure water treatment (SWaT) or water treatment plant (WTreat) testbeds [109,119]. However, in 12% of the studies published between 2018 and early 2019, public scientific datasets like BATADAL [110] or CAIDA [125] were used either solely or in conjunction with software-based simulation. Carrying out experimentation in an isolated environment limits the testing in a number of ways. For example, the unavailability of a current real dataset limits the reflection of the current threat types and limits the full contextualisation of the actual CPS devices' constraining factors such as resources or connectivity disruptions.

Analysis of Primary Studies Cross-Sector Proposals or Applications to Improve Digital Forensics
The purpose of analysing the cross-sector proposals or applications in smart cities is to explore transferable solutions that emerge from individual smart sectors to investigate possible trends and attempts to improve digital forensic investigations. To achieve this, the primary studies were organised by smart sector distribution, according to the scope of our research, as shown in Figure 12. The scientific community focused the research on smart infrastructure, followed by smart mobility and smart security sectors whilst smart healthcare and smart citizen were addressed only by a small number of studies, see Figure 12. Some of the studies address more than one theme, which is taken into consideration. This trend could be explained by the influences of key events such as Industry 4.0 and the maturity of the research of the design principles and enabling technologies in these areas [1] whereas the lack of research within the smart healthcare and smart citizen sector could be impacted by regulatory restrictions, ethical challenges, lack of relevant usable datasets and the current health care models or pathways [145].
The results show that some studies address more than one smart sector [104,120,124,126,133,145] or aim to diversify their future research [39,51,[63][64][65]100,102,111,131,134]. For example, reference [145] explores smart support for independent living of the elderly within the community to maximise their independence whilst maintaining the ability to deal with their complex medical needs across multiple smart sectors including healthcare, homes and infrastructure. Furthermore, several studies consider developing their research to generalise applicability to other smart sectors and acknowledge the need for framework adaptability as a result of complexity and constant change of interconnected devices [133]. For example, the principles and techniques applied by reference [102] could be applied to physical processes other than the one covered by the study, whilst reference [131] suggests that its methods can be applied in a number of CPS domains such as power networks, transportation, oil and natural gas systems.
Although the cyber threat landscape is changing from hobby-hacking to organised cyber-crime, and cyberattacks are becoming more sophisticated, organised and targeted, there is little scientific evidence of attempts to support modern digital forensics, cross-organisational information security sharing or coordination [28]. Security practices remain in silos lacking collaborative cyber defences to deal with the increased sophistication and coordination of cyberattacks including advanced persistent threats [4,27]. This assertion is supported by our analysis of primary studies thus far. The transition from more traditional to IoT enabled CPS creates highly complex ecosystems, however, the focus of research is often limited to the boundary of the individual organisation or smart sector.

Typology Analysis
The purpose of the typology analysis is to separate the non-empirical and the empirical studies and to examine their chronological distribution. This analysis helps to better understand whether the CPS frameworks and systems supporting cyber resilience or modern DFIR are predominantly academic ideas built on theory, or whether they emerge from identified needs or as a result of relevant events.
Cyberattacks are a natural progression of physical attacks; they are more economical, reduce the risk for the attacker and have fewer geographical constraints. Studies from the sample recognised the cybersecurity risk factors that the integration of connected devices, sensors and automation helped by artificial intelligence have on smart ecosystems. In 2011, an empirical study [102] focused on attacks on sensor networks and their impact on the process control system. The study referred to examples of targeted ICS-based attacks such as the Maroochy Shire Council sewage attacks in Queensland, Australia in 2000; Ohio's 2003 Davis-Besse Slammer worm private network attack; and the 2007 Iranian nuclear plant Stuxnet worm attack. Control system vulnerabilities such as Stuxnet, and urban migration, are also referred to by reference [107]. In 2007, the disruption and economic consequences of a large-scale cyberattack on the USA power grid were studied [108]. Several non-empirical studies investigated the theoretical concepts or potential challenges to be addressed for different aspects of the cyber defences against targeted attacks related to the increased interconnectivity and heterogeneity of the physical and cyber convergence. In 2014, a study [21] investigated a federated building information system as a method of preventing hostile reconnaissance, managing intellectual property and enabling operational security. The study refers to a 2013 incident in Hackney, London in which a piling rig penetrated the roof of a Network Rail tunnel.
Therefore, the proliferation of digital technologies and the integration of IoT with physical systems expands the scope of forensic science, creating a need for new specialised forensic techniques to reduce the backlog, workload and cost of the forensic investigation process [146]. Digital forensics (DF) has developed as a branch of forensic science alongside the conventional forensic disciplines, covering diverse digital technologies that can be exploited by criminals.
The results presented in Figure 13 demonstrate the chronological trend between surveys, non-empirical and empirical studies. The focus of this SLR is on primary empirical studies. Across the reviewed sample, non-empirical studies, including survey-type studies, amounted to 64%, compared with 36% for empirical studies. Although the number of survey studies consistently increased, a sharp increase of the empirical research is observed during 2017 and a similar surge of the non-empirical studies is observed in 2018. Based on this evidence, it is possible to argue that this dynamic could be influenced by the key events discussed in Section 1. Furthermore, from the empirical studies, it emerges that the focus of the research was informed by the threats of specific events, driven by the need for defence-in-depth mechanisms and influenced by the implementation of technological innovation and application within smart sectors.

Geographic Analysis
The purpose of the geographic analysis is to support our analysis in previous sections and gain a better understanding of where the research is concentrated, which geographical sectors have interest and opportunities for research addressing CPS-related cyber resilience and DFIR in smart cities. To achieve this, from the primary studies' authorship list, each unique country was recorded and assigned to the continent, as demonstrated in Figure 14. The colour hue represents the frequency of research carried out within the geographic region. The geographic analysis shows that the USA with 23% has the highest number of contributions of reviewed studies, followed by Singapore with 10%, the UK with 8% and Australia with 7% of contributions in the reviewed studies. In terms of continents, Figure 15 shows that Asia is the continent with the highest concentration of the relevant CPS research at 37%, closely followed by Europe at 30% and North America at 26%. Central and South Americas, Australia and Africa are the continents with the lowest number of published studies within the scope of our research.

Discussion
Our analysis revealed that in the last decade CPSs have emerged as a new paradigm. As a result of the increased growth, complexity and heterogeneity of these infrastructures [14,82], the volume and variety of vulnerabilities and attacks have evolved, highlighting the need for defence mechanisms [147], for cyber resilience and for the capability to support DFIR [26,29,30,33]. In this paper, the analysis of the primary studies supports our assertion that CPS-related cyber resilience and DFIR are active research domains. As noted in our results analysis, several empirical research studies have focused on CPS-related cyber resilience and DFIR. For example, Table 5 summarises primary studies which focused on aspects of cyber resilience across a number of different smart sectors, whilst a summary of primary studies with a focus on DFIR's key stages in smart cities is shown in Table 8. In fact, several of the empirical research papers studied presented ways to solve real problems [37,122,135,148]. However, despite the importance of cyber resilience and support for DFIR in smart cities, these aspects have not been extensively considered by researchers in the context of CPSs. As we already noted, Figure 7 demonstrates a different level of scientific interest in adversary type research whilst Figure 8 further analyses the phenomenon and presents the gaps across specific smart sectors. Furthermore, as summarised in Figures 9 and 10, the analysis revealed differences in scientific interest in the DFIR stages with further variations across smart sectors. This poses an important question as to the reason for those differences. However, it is not the aim of this paper to provide the answer but to identify the gaps and present some open challenges and findings that can be used as future research directions [107,149].
The initial keyword searches highlighted that although there is an active research interest in the security of CPSs, frameworks addressing CPS cyber resilience, support for DFIR and their applications for developing cross-smart sector opportunities for collaborative cyber-defence practices are still emerging. Plans for cross-sector applications and diversifying the research to other areas of smart city sectors is often part of the future research direction [99,114,134].
The search criteria identified several non-empirical studies which provide concepts or theoretical bases to problem solutions and survey type studies that focused on consolidating the body of research related to our research scope aspects [21,[55][56][57][58][59]61,150]. Whilst survey type studies are important, enable knowledge consolidation and identify areas of future research directions, several of the selected primary studies were empirical and provided practical solutions to a range of challenges related to cyber resilience and support for DFIR using innovative techniques.
The validation of the solutions proposed by the primary studies within the scope of our research inevitably depends on carrying out cyberattacks or otherwise adversely impacting the infrastructure. Therefore, any validation must be carried out in a strictly controlled environment to avoid accidental disruption to CNI or compromise to data privacy. Validation can be economically challenging and requires funding to facilitate validations using a realistic simulation environment often involving physical infrastructure [47,51,64,109,119,131,137,142]. Almost three-quarters of the primary studies reported funding supported by research grants, defence or governmental sectors. Notable exceptions included only two primary studies which did not report funding and validated their proposal using infrastructure-based simulation utilising a smart home [129] and smart water system [116] infrastructures. In their current states, mainstream systems may not be equipped with infrastructure to facilitate such testing and would require significant change. Therefore, funding could be a contributing factor to empirical research in this field of study.
In addition to challenges accessing infrastructure-based simulators or testing in a production environment, there is a lack of publicly accessible datasets (Figure 11). One study [18] stressed the need for access to public data to enable the successful adoption of technological innovations. To validate Industry-4.0-based proposals, another study [2] relied on a combination of datasets. The limitation of the dataset used by reference [125] covering malicious IoT devices is the use of the CAIDA darknet datasets which predominantly contain malicious material. Based on the results, the research community appears to lean on software-based simulation using established platforms, predominantly Matlab [39,101,117,118,132], but researchers also utilise UPPAAL [118] and ProModel Process [39] simulators. Therefore, software-based simulations are a frequent choice to test experimental concepts. However, software-based simulations may not be the most suitable in some cases, for example, in smart mobility scenarios involving driving, where reactions could be very different in a simulated environment, knowing that a simulator can be restarted at the click of a button, compared to a non-simulated experiment. This may have profound consequences for the required acceleration of research into cyber defence of CPSs within smart cities, since there is reliance on simulators for sufficient presentation of threats compared to reliable decision making in a real-world environment.
Concerning RQ1, during the primary studies' selection process, the researchers observed the availability of studies related to CPS applications. Within those studies, aspects of security may have been mentioned but they were not the focus of the study and often cyber defence was omitted altogether [18]. Moreover, although CPSs proliferate across many aspects of modern lives and the demand and need for resilience in CPSs increases [151], the analysis revealed a distinct lack of available empirical research focused on cyber resilience in the smart healthcare and smart citizen sectors (Figure 6). Possible reasons include the maturity of the Industry 4.0 technology compared with the smart sectors summarised in Figure 4 [84,85]. Moreover, the scale of media coverage of attacks on CNI like the cyberattack on the Ukrainian power grid [35] or Stuxnet [34] could also contribute to the prominence of the research in those sectors. Likewise, research related to smart healthcare and smart citizen has complex and diverse ethical challenges including privacy and confidentiality concerns [145].
Infrastructure in smart cities consists of a growing number of highly integrated CPSs including traditional devices or entire cities retrofitted with new technologies to facilitate IoT connectivity [4,7,9]. Concerning RQ2, these devices contribute very little to support a systematic DFIR process in smart cities. Therefore, there is a need to develop a process-driven DFIR to deal with the evolving cyber threat landscape, the expanded attack surface and attack vector introduced through IoT connectivity [17,28]. Furthermore, as the sources of evidence evolve, digital evidence is contained within the physical artefacts [44]. For example, image-based evidence can be gained through closed-circuit television (CCTV) surveillance or from social media. Behavioural anomaly detection can be used to detect unauthorised vehicle use through driver profiling [152], detect attacks on smart water systems [104] or unauthorised access within smart workplaces [24].
Digital evidence, similar to physical evidence, seized at a crime scene or following a security incident, is relevant during digital forensic investigations [67]. The majority of the primary studies have researched a subset of an IR process, predominantly focusing on the "detection and analysis" phase (Figure 10) of an incident utilising different approaches including profile detection, behavioural anomaly, system monitoring or audit analysis [47,48,65,99,100,103,104,108,120,123,124,127]. Whilst incident detection is a reactive activity by nature, it is a key enabler for subsequent digital forensic processes, which cannot occur without detection and identification of an incident. However, leaning on Locard's theory, contact between items causes an exchange. Without CPS-specific support for modern DFIR, a forensic investigation of a complex interconnected cyber-physical environment may not extract digital evidence appropriately. Therefore, the important artefacts gathered during the acquisition stage may not be admissible in a court of law because the validity and integrity of the digital evidence are not appropriately maintained. Best practice guides are published to support incident practitioners: within UK jurisdiction by the Association of Chief Police Officers (ACPO) [153] and, in the US, as the Best Practices for Seizing Electronic Evidence [154].
In fact, the authors of one study [37] argue that in some smart sectors such as smart homes, the application of digital forensics is an emerging field of study and assert that there is a distinct lack of formal methodologies addressing the application of digital forensics in incident responses. Furthermore, recent studies show that the integration of CPSs in smart cities would significantly benefit from a specific forensic methodology as part of forensic preparedness to deal with security incidents [37,66]. However, reference [155] argues that there is a lack of consensus and of formal process models in the digital forensics field that can be used to determine the reliability of digital evidence in courts. Despite recognition of the importance of SbD by some researchers, our findings show an absence of references to a digital forensic process in response to incidents. Finally, the increasing integration of technology into modern lives and the breadth of digital technologies exploitable by criminals requires extensive research to develop appropriate frameworks.
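The evidence-integrity concern raised above for the acquisition stage can be illustrated with a tamper-evident acquisition log. This is an added example, not taken from the paper or from the ACPO or US guides; the record fields, device names and artefact bytes are constructed, and a hash-chained log is only one possible way to keep such a record.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of one log entry (without its own hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log, device, artefact, data, examiner, acquired_at):
    """Record one acquired artefact; each entry commits to the entry before it."""
    body = {
        "seq": len(log),
        "device": device,
        "artefact": artefact,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "examiner": examiner,
        "acquired_at": acquired_at,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=entry_digest(body))
    log.append(entry)
    return entry


def head_hash(log):
    """Value to seal outside the log (signed, printed, countersigned) after each session."""
    return log[-1]["entry_hash"] if log else GENESIS


def verify_log(log, artefacts=None):
    """Return a list of problems; an empty list means the log (and artefacts) are consistent."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i:
            problems.append(f"entry {i}: sequence number mismatch")
        if body.get("prev") != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(body) != entry.get("entry_hash"):
            problems.append(f"entry {i}: entry contents altered")
        if artefacts is not None:
            data = artefacts.get(body.get("artefact"))
            if data is None:
                problems.append(f"entry {i}: artefact missing")
            elif hashlib.sha256(data).hexdigest() != body.get("sha256"):
                problems.append(f"entry {i}: artefact does not match recorded hash")
        prev = entry.get("entry_hash")
    return problems


def build_sample_log(examiner="examiner-01"):
    """Constructed acquisition session covering three smart-city evidence sources."""
    artefacts = {
        "cctv-04/frame_0001.jpg": b"\xff\xd8constructed-jpeg-bytes",
        "meter-17/load_profile.csv": b"ts,kwh\n2020-01-01T00:00Z,0.42\n",
        "plc-a/event.log": b"constructed PLC event log\n",
    }
    log = []
    for minute, (name, data) in enumerate(artefacts.items()):
        device = name.split("/")[0]
        append_entry(log, device, name, data, examiner, f"2020-01-01T10:{minute:02d}:00Z")
    return log, artefacts


if __name__ == "__main__":
    log, artefacts = build_sample_log()
    print("problems:", verify_log(log, artefacts))
    print("head to seal:", head_hash(log))
```

The chain detects edits to individual entries or artefacts, but a log rewritten from the first entry onwards still verifies internally, so the head hash has to be recorded somewhere the log's custodian cannot alter.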
Concerning RQ3, the significance of the primary studies investigated is that despite the transition from traditional to IoT-enabled environments, our research findings show limited evidence of cross-sector proposals or applications for improving digital forensics. The authors of [28] claim that there is little evidence of cross-organisational information security sharing, structure and coordination. Considering this assertion within the context of CPSs, although researchers recognise the lack of shared practice, efforts are made to expand and improve cyber defence often as part of their future research direction. However, the various attempts to improve the ability to withstand targeted attacks [102] remain within a smart sector; for example, discussions are initiated between groups like the control and security practitioners but very few studies exploit the idea of cross-sector efforts to improve digital forensics. For example, authors of [64] consider their underlying idea applicable to multiple smart sectors which indicates recognition of more integrated approaches. The proposal of authors of [51,133] was to increase the flexibility and application of their system in several different environments. Generally, the explored research focused on developing and improving cyber defences within a single smart sector.
In summary, we draw on the results of the extensive SLR process and present and discuss the outcomes of our findings. Our extensive review showed a number of gaps which could provide the basis and create opportunities for future research.

Conclusions
Smart cities are complex networks of connected devices including CPSs which utilise automation and AI to control several key functions. The initial keyword searches for this study highlighted CPSs as an emerging technology that creates an enormous range of possible applications across several smart sectors. It is clear from our SLR that there is an increasing interest in theoretical research and empirical implementations of CPS cyber resilience and support for modern DFIR within smart cities. The key influencing factors include the Industry 4.0 concept, government-led support and initiatives such as the National Cyber Security Strategy in the UK [5] or national infrastructure plans [85,88], innovative ideas [36] and incidents [34,156].
Some smart sectors including smart healthcare and smart citizen were addressed only by a small number of studies, see Figure 12; it is critical that future research recognises this limitation. It is also evident that interest is growing in cross-sector proposals and an interdisciplinary approach to solve real-life problems including cybercrime [39,51,63–65,100–102,111,131,134]. Going forward, an interdisciplinary approach across smart sectors and aggregated sharing of CTI from multiple sources could increase situational awareness and provide a detailed, real-time and measurable body-of-knowledge to deal with the increased sophistication and coordination of cyberattacks.
We outlined and discussed the cyber threat landscape, particularly asserting that cyberattacks are increasingly sophisticated, coordinated and targeted, including advanced persistent threats (APTs). For example, the primary studies report on attacks that can originate from both within and outside of the organisation. Having identified that there are limitations of the current IR methods in dealing with APTs, we argue that existing efforts are insufficient to address emerging threats and there is a need for a CTI-driven mitigation approach [31]. Therefore, there is much work to be done to prepare for a dynamic threat landscape and to strengthen CPS cyber resilience so that systems can adapt and operate under adverse conditions and recover from incidents. For example, future research could focus on applying CTI to modelling attacks on entities' critical functions and underlying systems including their people, processes and technologies. This could help an entity to assess its protection, detection and response capabilities. Therefore, lessons can be gained from the IR lifecycle to minimise disruption and reduce the attack surface. The challenges need to be addressed through innovative solutions to support a modern defence-in-depth strategy.
Additionally, the increasing integration of CPS into modern lives diversifies the scope of forensic science and forensic investigations. Thus, alongside the conventional forensic disciplines, digital forensics has developed as a branch of forensic science covering diverse digital technologies including CPSs which can be exploited by criminals. The majority of the primary studies reported on the detection and analysis phase of the IR process. Therefore, more research is required to investigate the other phases of the IR process. This creates opportunities to reduce the backlog, the workload and the cost of the digital forensic investigation processes. Implementing an evidence-based body-of-knowledge by forming a robust CTI could solve real-life problems. Future work on addressing CPS in smart cities to support modern DFIR should consider integrating CTI into the IR. Such integration could enable faster threat detection, digital forensic investigation, repelling of attacks minimising disruption and escalated response time to prevent adversaries from successfully compromising their target.
Further, we identified a lack of available current publicly accessible real CPS-generated datasets, which limits the ability of other researchers to carry out comparative experiments, for example, to test and validate the accuracy of results robustly. Future work could consider addressing this limitation to create a pool of scientific resources. Publicly accessible datasets could accelerate the development of countermeasures against cybersecurity threats, strengthening the cyber defence in smart cities to continue to function effectively under adverse conditions [43].

Conflicts of Interest:
The authors declare no conflict of interest.