{"paper_id":"4a614a5e-e08d-4c1a-a7f8-66feb300723b","body_text":"Quantitative Validation of Domain-Attributed Cyber Resilience Trajectories for Safety-Critical Systems | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Quantitative Validation of Domain-Attributed Cyber Resilience Trajectories for Safety-Critical Systems Kirsty Perrett, Ian David Wilson This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-9204849/v1 This work is licensed under a CC BY 4.0 License Status: Under Revision Version 1 posted 10 You are reading this latest preprint version Abstract Cyber resilience in safety-critical systems is widely discussed, yet the structural relationships between resilience attributes remain weakly defined and rarely measured in practice. Controls are often implemented as isolated improvements, despite the possibility that strengthening one aspect of performance may leave weakness elsewhere unresolved or introduce new fragilities across the wider system. This paper presents empirical quantitative evidence from two industrial case studies and controlled experimentation on a safety-critical industrial testbed to examine how distinct resilience domains and attributes influence system behaviour during disturbance. Results show that engineering resistance capacity (engineering resilience) primarily governs degradation magnitude, organisational recovery and adaptive capacity (ecological resilience) govern detection latency and recovery duration, and safety operates as a continuous constraint boundary throughout disturbance and recovery rather than as a threshold event triggered only at extremis. Quantitative measurements across adversarial and non-adversarial disruption scenarios demonstrate, within the limits of the experimental setting, that these domains are causally distinct in effect and non-substitutable in outcome: improvements in one phase do not compensate for weakness in another. The findings support a refined five-domain hierarchical taxonomy of resilience attributes and provide empirical grounding for assessing resilience as the measurable trajectory of system performance in safety-critical, cyber-physical environments. Getting resilience right is how we protect not only the systems we depend on today but the people who will depend on them tomorrow. Cyber Resilience Safety-Critical Complex Systems Cyber-Physical Systems Quantitative Metrics Industrial Control Systems Testbed Experimentation Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 1. Introduction Resilience has become a central theme across engineering, ecological, organisational and cybersecurity disciplines (Bagheri 2018; Bruneau 2003; Hollnagel 2006; Holling 1973; NCSC 2022; European Union 2022). In critical infrastructure environments, increasing interdependence between digital control systems and physical processes means that disruptions may propagate rapidly into real-world consequences (Laprie 2008), (Leveson 2011), (Linkov 2014). Such disruptions may be malicious, accidental, insider-driven or environmental in origin. Contemporary regulatory and advisory guidance, including the EU Critical Entities Resilience Directive (European Union 2022), the NCSC Cyber Assessment Framework (NCSC 2022), IEC 62443 (IEC 2018) and NIST SP 800-82 (Stouffer 2023), emphasises resilience but does not specify which attributes are structurally foundational or how they interact under disruption. In practice, organisations frequently implement recognised controls - such as network segmentation, Security Operations Centre (SOC) monitoring and patching - as stand-alone measures. These are good practices but when applied without process context they risk monitoring only the security wrapper rather than the safety-critical process itself. For example, connecting a previously isolated system solely to monitor Operational Technology (OT) security logs and not process telemetry, provides visibility of the wrapper but not the process at risk. A companion paper (anon 2026) proposed that resilience in safety-critical Cyber-Physical Systems (CPS) is not a catalogue of controls but a measurable temporal performance trajectory produced by the structured interaction of causally distinct domains. The model's central structural claim is that each domain exerts dominant influence over a specific phase of the resilience curve: engineering resistance capacity governs how far performance degrades when disturbance occurs; organisational recovery and adaptive capacity governs how quickly disturbance is detected and how rapidly safe operation is restored; and safety functions as a continuous constraint - a boundary condition that frames allowable system behaviour throughout the full resilience trajectory, rather than serving as an event triggered only when limits are exceeded. This paper presents the empirical validation of that trajectory concept, drawing on two industrial case studies and controlled experimentation using a physical safety-critical industrial testbed. It addresses three interrelated gaps in the existing literature: The absence of quantitative evidence that engineering and organisational domain contributions to the resilience trajectory are causally distinct and non-substitutable within controlled experimental conditions. The limited use of physical testbed experimentation to observe and measure domain-specific ownership of specific trajectory phases. The gap between conceptual resilience frameworks and measurable, operationally grounded evidence of attribute interaction, reinforcement and trade-offs. The empirical evidence is used both to validate the trajectory model and to refine a five-domain taxonomy of resilience attributes - spanning safety, engineering/technical, ecological/organisational, governance/management and contextual/systemic domains - that specifies which attributes influence which phase of resilience. 2. Background: The Competing Roots of Resilience Resilience in safety-critical cyber-physical systems carries competing meanings inherited from four distinct intellectual traditions. Materials science established resilience as the restoration of a prior physical state (Timmerman 1981 ; Gordon 1978). Holling ( 1973 ) challenged this fundamentally from ecology, distinguishing engineering resilience - the speed of return to equilibrium - from ecological resilience - the magnitude of disturbance a system can absorb before structural change (Pimm 1984 ). Safety engineering, rooted in constraint-based control theory (Leveson 2004 ; Ashby 1956 ), addressed the prevention of unsafe states rather than recovery or adaptation. Cyber resilience emerged from information security and business continuity, inheriting the restoration logic of engineering resilience without reconciling it with safety constraint or ecological adaptability (NIST 2021; NCSC 2022; Stouffer 2023). These four traditions have converged in practice without being reconciled in theory, producing frameworks in which robustness, adaptability, safety constraint and recovery are treated as equivalent attributes in flat taxonomies, their structural tensions unresolved. A full analysis of this historical divergence and its implications is provided in the companion paper (anon 2026 ). The organising principle that emerges from that analysis - Cyber-Compatibilism - is introduced and developed there and operationalised directly in the empirical work presented here. 3. Theoretical Context and Positioning 3.1 The Cyber-Compatibilism Model The full theoretical development of the Cyber-Compatibilism model is presented in the companion paper (anon 2026 ). In summary, the model integrates three complementary intellectual traditions: engineering resilience, which emphasises robustness, redundancy and recovery (Laprie 2008 ; Leveson 2011 ); ecological resilience, which contributes bounded adaptability and organisational responsiveness within defined safety limits (Holling 1973 ; Walker 2004); and safety resilience, which establishes constraint enforcement and graceful degradation as primary design conditions (Reason 1997 ; Leveson 2004 ). Cyber-Compatibilism is the principle that, although cyber threats and failures are inevitable, systems and operators can preserve meaningful agency through resilience mechanisms that anticipate, withstand, adapt and recover while maintaining continuous safety constraint throughout the disturbance trajectory. A terminological clarification is necessary here. Emerging OT resilience discourse increasingly references adaptive networks and dynamic positioning - technical mechanisms through which network infrastructure automatically reconfigures in response to detected threats, reroutes traffic or adjusts trust boundaries without manual intervention. Despite the term adaptation, these mechanisms sit within engineering resistance capacity rather than organisational adaptive capacity. Their function is to circumvent or hold disruption at the point of occurrence, limiting propagation into the operational process before degradation takes hold. This is a resistance behaviour acting on the disturbance magnitude phase of the trajectory, not the phases that organisational adaptive capacity governs. Conflating technical self-reconfiguration with organisational adaptability obscures which domain owns which phase of the resilience trajectory and risks misattributing the source of resilience improvements in assessment and investment decisions (Chehida 2025; Rabenstein 2022). These approaches nonetheless signal that the field is moving toward the trajectory-aware thinking this paper formalises empirically. Adaptive networking and dynamic positioning increase system complexity, and autonomously reconfiguring systems may satisfy security goals while inadvertently degrading the safety constraint boundary that governs the entire trajectory. A network that reconfigures to contain a detected anomaly but in doing so isolates a safety-critical process telemetry feed does not improve resilience - it removes the visibility on which detection and safe recovery depend, trading one risk for a less visible but more consequential one. This is precisely the kind of trade-off that domain-attributed, consequence-driven resilience assessment is designed to surface, and it is directly evidenced in the experimental findings presented in this paper. 3.2 Fragmented Treatments of Resilience & Measurement Gaps The growing body of cyber resilience research reflects its importance but also exposes substantial fragmentation. Technical, organisational and systemic dimensions are often examined in isolation rather than as part of an integrated whole (Bruneau 2003), (Hollnagel 2006), (Sutcliffe 2003 ), (Madni 2009 ). Standards such as IEC 62443 (IEC 2018) and NIST SP 800 − 82 (Stouffer 2023) provide structured guidance but remain primarily compliance-oriented and do not specify which attributes are foundational or empirically validate their hierarchical dependencies. A consistent limitation across traditions is that attributes are presented as flat lists. Linkov et al. (Linkov 2013) identify core resilience dimensions but provide limited distinction between foundational and dependent characteristics in operational application. Zhang et al. (Zhang 2021) provide a detailed roadmap for resilience in IoT and CPS but their framework remains largely conceptual with limited experimental grounding. Zhao et al. (Zhao 2021) argue for a unified understanding but stop short of resolving how attributes interact or can be measured in practice. Cassottana et al. (Cassottana 2023) confirm in a systematic review that current quantitative CPS resilience frameworks measure resilience as a unified performance curve without domain-attributed causal structure. A recurring issue is that metrics capture outcomes rather than the underlying attributes that generate them. Organisations thereby often equate compliance with resilience, assuming that the presence of monitoring tools or framework-aligned controls implies systemic resilience. This study addresses that gap directly. 3.3 The Trajectory Concept and Domain Attribution The companion paper (anon 2026 ) proposes that resilience in safety-critical CPS is the measurable temporal performance trajectory produced by the structured interaction of three causally distinct domains. The model's primary structural contribution is the explicit mapping of dominant domain influence over specific phases of the resilience curve - a structure that Cassottana et al. (Cassottana 2023) confirm is not commonly explicit in existing quantitative CPS resilience frameworks. Engineering resistance capacity determines the depth of the performance drop when disturbance occurs. Organisational recovery and adaptive capacity govern how quickly that drop is detected and how rapidly recovery proceeds. Safety functions as a continuous constraint - not a threshold to be breached or a parallel domain to be balanced against the others but the boundary condition that governs what adaptive and restorative behaviour is permissible throughout every phase. This is the structural distinction that separates the model from prior multi-dimensional frameworks, including the TOSE decomposition of Bruneau et al. (Bruneau 2003), which address engineering and organisational dimensions in parallel without assigning them dominant influence over trajectory phases of specific curve phases or positioning safety as a continuous constraint over both. The empirical sections that follow test whether this domain attribution holds under controlled disruption conditions. 4. Methodology This research adopted a mixed-methods design combining literature synthesis, taxonomy development, industrial case studies and empirical validation using a physical industrial cyber-physical testbed. The aim was to ensure that resilience attributes were not only conceptually grounded but directly observable and measurable under realistic disruption conditions. Table 1. Research Design Structure Table 1. Research design structure across five sequential phases. 4.1 Literature Synthesis and Taxonomy Framework A structured review across engineering, ecological and cyber resilience domains identified recurring attributes (Bagheri 2018), (Hollnagel 2006), (Holling 1973), (Laprie 2008), (Walker 2004), (Sutcliffe 2003), (Madni 2009), (Linkov 2013). These were consolidated into a hierarchical taxonomy with three levels: primary attributes that directly influence a specific phase of the resilience trajectory; secondary attributes that contribute to those primary mechanisms; and enabling attributes as the practical means through which they are realised. This structuring reflected the observation that resilience emerges from dependency chains rather than independent controls - redundancy contributes to robustness, which in turn constrains degradation magnitude. 4.2 Industrial Case Studies Case Study 1: Process Manufacturing Plant Observations at a process manufacturing facility identified reliance on security-driven overlays including segmentation and monitoring. PLC safety functions were routinely disabled during operational periods. SOC monitoring was restricted to security-layer logs with no integration of process telemetry, meaning disturbances affecting the physical process were invisible to the security monitoring function. Communication gaps between IT and OT teams were persistent. Redundancy had been implemented without sufficient robustness, introducing hidden fragilities and maintenance complexity. Case Study 2: Energy Operator At an energy operator, persistent IP address conflicts masked by network address translation had gone undetected for an extended period. Segmentation governance was poorly defined and remote access through VPN directly into OT equipment was prominent for third-party maintenance support. SOC analysts lacked process context, leading to misclassification of legitimate OT maintenance activity as potentially malicious. The resulting false positive burden eroded analyst confidence and contributed to extended detection latency during genuine disturbance events. Cross-Case Findings Across both cases, security-driven implementations often satisfied audit requirements while introducing fragilities - including uncontrolled remote access and rigid segmentation that increased systemic risk. Communication gaps between IT and OT teams were the most persistent inhibitor of resilience, consistent with patterns documented in prior field investigations (anon 2023b). These observations directly influenced the taxonomy, elevating safety mechanisms to primary status and highlighting communication and process-integrated monitoring as critical enablers. 4.3 Industrial Testbed Design To empirically validate the taxonomy, a physical testbed was constructed to replicate a food-grade heating and mixing process in infant milk formula production. This represented a safety-critical industrial cyber-physical system in which process deviations had direct consequences for product safety. Equipment included a Programmable Logic Controller (PLC), Human-Machine Interface (HMI), process historian, temperature sensors and actuators, a remote-access gateway simulating third-party vendor exposure and SOC log integration. Both network logs and process telemetry were monitored. Safe operating thresholds were explicitly defined: Table 2 Testbed Safe Operating Thresholds Threshold Temperature Implication Nominal operating range 20–25°C Process within specification Warning threshold 25.9°C Operator alert triggered Critical threshold ≥ 26°C Unsafe product condition - safety interlock required Table 2. Safe operating thresholds defining the safety constraint boundary. PLC logic could be configured with or without input validation constraints (PLC Secure Coding Practice), enabling direct experimental manipulation of engineering resistance capacity independent of organisational factors and allowing causal attribution of degradation magnitude to the engineering domain (Fig. 2). Full technical detail on the testbed design and configuration is documented in (anon 2023a). 4.4 Scenarios and Interventions Experiments were structured in three phases. Under the baseline state, safety mechanisms were minimal, SOC monitoring was limited to network logs, robustness was unenhanced and redundancy was unoptimised. Disruption events included both adversarial and non-adversarial scenarios: set-point manipulation, command injection, replay attacks, falsified sensor data, unauthorised remote access and configuration errors. In later trials, subtle process destabilisation was introduced by adjusting PID derivative time parameters to produce oscillatory instability without immediate threshold breach - a scenario specifically designed to test detection of gradual degradation invisible to security-layer-only monitoring. Under the enhanced state, improvements informed by the taxonomy were systematically applied: PLC input validation enabled; segmentation strengthened and correctly governed; process telemetry integrated into SOC monitoring; formalised IT-OT communication protocols established; operator training and escalation procedures implemented; safety interlocks verified and operational. 4.5 Metrics and Refinement Strategy Resilience was assessed using both quantitative and qualitative indicators. Quantitative metrics included: detection latency (Td), time to safe state (Ts), downtime and recovery duration (Tr), product quality deviation (ΔP) and oscillation amplitude under PID manipulation (Ao). Additional metrics such as communication flow efficiency (Ce) were identified as candidates for future experimental refinement but were not formally reported in this study. Qualitative data included operator responses, SOC analyst debriefs and observer notes. Attributes were enabled or disabled selectively to observe their influence, allowing validation of both the hierarchy and interaction patterns (Table 2), (Fig. 3). Table 2. Experimental parameters, CR attributes, domain attribution and resilience outcomes. Domain 1 (Engineering) governs degradation magnitude (DeltaP). Domain 2 (Safety) operates as a continuous constraint floor independently of both other domains. Domain 3 (Organisational) governs detection latency (Td) & recovery duration (Tr). 4.6 Statistical and Temporal Considerations Experiments provided point estimates with inherent variability. In practice, greater variance would be expected due to organisational, environmental and operational factors absent from the testbed. Compressed timelines meant that observed differences represented conservative estimates of real-world benefit, where decision-making and approvals typically introduce additional delays. 4.7 Validity and Limitations The methodology carries acknowledged limitations. The case studies, while grounded in live operational environments, remain sector-specific and were conducted as observational rather than experimental studies; causal claims from the case study component are therefore interpretive and supported by, rather than independent of, the testbed evidence. Observer bias in case studies was mitigated through triangulation of interviews, operational logs and configuration artefacts. The testbed captured representative behaviours but did not model all operational extremes, such as ultra-high-reliability or high-speed control contexts. Despite these limits, the combined approach enabled empirical grounding of the taxonomy and clarified how attributes interact, reinforce and conflict in practice. 5. Results Results are presented across four areas: baseline vulnerability characterisation; effectiveness of resilience enhancements; attribute interaction effects; and refinement of the hierarchical taxonomy. The central analytical focus throughout is whether the trajectory model's domain attribution holds - specifically, whether engineering improvements affect degradation magnitude without affecting recovery duration, whether organisational improvements affect detection and recovery without affecting degradation magnitude and whether safety constraint removal produces unsafe outcomes independently of both. 5.1 Baseline Vulnerabilities Trials under baseline conditions revealed systematic weaknesses when resilience attributes were absent: Unsafe states: set-point manipulation caused breaches of product safety tolerances, with temperatures exceeding the 26°C critical threshold. Control bypass: unauthorised PLC logic changes resulted in overheating and incorrect dosing, replicating vulnerabilities documented in both field case studies. Operator dependency: without deterministic safeguards, anomaly detection relied solely on human vigilance, which proved inconsistent across operators and shift conditions. Delayed detection: mean anomaly detection time exceeded 12 minutes, often prolonged by falsified sensor data masking the initial deviation. Extended downtime: recovery frequently required full system resets, with average downtime of 45 minutes (range 30–65 minutes). The PID oscillation scenario revealed a particularly significant structural vulnerability: network-layer monitoring produced no alert for 23 minutes following the introduction of oscillatory instability, because no threshold was crossed and no network anomaly was generated. Detection occurred only when an operator observed physical process behaviour directly. This confirmed the case study finding that monitoring restricted to the security layer is structurally insufficient for safety-critical process environments. 5.2 Effectiveness of Resilience Enhancements and Trajectory Attribution When resilience attributes were systematically implemented, outcomes improved significantly across all measured dimensions. Critically, engineering and organisational improvements produced improvements in distinct phases of the trajectory without substituting for one another - direct experimental evidence of domain-phase attribution, within this testbed context, consistent with the dominant-influence model (Table 3 ). Technical safeguards : PLC input validation blocked all unsafe parameter changes; redundant sensors cross-verified readings to mitigate spoofing; correctly governed segmentation limited lateral movement. Safety mechanisms : PLC safety functions prevented unsafe commands outright; fail-safes ensured processes entered safe shutdown when thresholds were approached. Organisational measures : operator training reduced detection time by more than 50%; formalised IT-OT communication protocols reduced mean time to recovery by approximately 50%. Table 3 Quantitative Performance Comparison: Baseline vs Enhanced Metric Baseline Enhanced Improvement Product deviation (ΔP) ~ 25% < 5% > 80% reduction Detection latency (Td) > 12 minutes < 5 minutes > 58% reduction Recovery duration (Tr) ~ 45 min (range 30–65) < 15 minutes ~ 67% reduction Safety boundary breaches All affected scenarios None Eliminated The domain attribution is confirmed by the pattern of results: PLC validation and segmentation improvements - engineering domain interventions - reduced product deviation from ~ 25% to below 5% but did not reduce recovery duration. Communication protocol and training improvements - organisational domain interventions - reduced recovery duration by ~ 67% and detection latency by > 58% but did not further reduce degradation magnitude. Safety interlock activation eliminated unsafe boundary breaches entirely, independently of whether engineering or organisational improvements were present (Fig. 4 ). Each domain produced improvements in its attributed phase of the trajectory and not in the others, consistent with the dominant-influence model rather than a substitutable-attribute model. 5.3 Attribute Validation and Interaction Effects The experiments confirmed that resilience attributes cannot be treated in isolation. Their influence emerged through reinforcement, trade-offs and critical dependency - often shaping outcomes in unexpected ways. Reinforcing Interactions Safety mechanisms and PLC input validation acted synergistically to block unsafe states that neither would have prevented alone. Operator training amplified the effectiveness of monitoring systems - process telemetry integration produced the greatest detection improvements when operators were simultaneously trained to interpret process-layer alerts. Formalised IT-OT communication protocols improved both detection and recovery phases, indicating that organisational coordination amplifies the value of technical monitoring investments. Conflict ing Interactions Segmentation improved containment but created recovery delays when misconfigured - segments that successfully isolated a disturbance also isolated recovery resources, extending downtime. Excessive redundancy increased complexity and overhead without proportional safety gains; in some configurations, redundant pathways introduced added failure modes. Rigid stability measures reduced adaptability under changing conditions, illustrating the tension between engineering determinism and ecological flexibility. Critical Dependencies Redundancy was only effective when underpinned by robustness - redundant components that were themselves insufficiently validated introduced duplicate vulnerabilities rather than resilience. Monitoring systems required both cyber anomaly detection and process telemetry awareness to be effective; either alone was structurally insufficient. Organisational attributes consistently amplified or undermined technical measures: the same monitoring architecture produced materially different detection outcomes depending on operator training and escalation protocol maturity. These findings (Fig. 5 ) support the view that resilience is a systemic property, not a sum of independent controls. They also reinforce the trajectory model's treatment of safety as a continuous constraint: trade-offs that enhanced security but undermined safe process operation degraded the trajectory by removing the constraint floor and were therefore detrimental to resilience regardless of any other improvement made. 5.4 Refinement of the Hierarchical Taxonomy The experimental findings confirmed the need to present resilience attributes as a hierarchy that reflects their causal role in the performance trajectory, rather than as a flat list of equivalent controls. Attributes that consistently influenced a specific phase of the trajectory were classified accordingly. The taxonomy was refined across five domains. Safety is positioned as a continuous constraint throughout - not an equal participant in a balanced set of domains, but the boundary condition that governs what is permissible within every domain at every phase (Fig. 6 ). 5.4.1 Safety Domain Safety is anchored by Stability (safety scope) - the capacity to maintain operations within safe bounds regardless of disruption source. All safety-domain attributes contribute to enforcing this continuous constraint throughout the trajectory: Graceful Degradation - the ability to fail safely while preserving containment. Safe Recoverability - the ability to restore a system to a safe state after disruption. Inherent Safety Mechanisms - fail-safe defaults, interlocks and safety instrumented systems. Resilience to Unsafe Inputs - prevention of unsafe or malicious parameter changes. Secure PLC Set-Point Validation - the principal mechanism empirically validated in the testbed (enabling sub-attribute). Determinism (Safety Scope) - predictable system behaviour to prevent unsafe states. Tolerance - capacity to absorb bounded variation without breaching safety thresholds. 5.4.2 Engineering and Technical Domain Attributes concerned with system design, architecture and technical implementation: Robustness - capacity to withstand abnormal conditions without significant performance degradation. Stability (Engineering Scope) - maintenance of process equilibrium and predictable performance margins. Redundancy - duplicate components to sustain function, effective only when underpinned by robustness. Dependency Management - reducing fragility from external reliance. Security - safeguards against unauthorised access, exploitation and manipulation (CIA triad, authentication, access control, secure protocols). Security contributes to robustness but does not equate to resilience. Network Topology - secure structural design of connectivity, including segmentation, protocol mediation, adaptive networks and secure remote access. Monitoring and Detection - anomaly awareness across cyber, process telemetry and IT/OT/IoT/Cloud integration layers. Engineering Determinism - protocol-level predictability to ensure reliable control behaviour. Operational Recoverability - restoration of technical functions. Interoperability - secure integration of heterogeneous systems. Obsolescence Management - addressing vulnerabilities from ageing systems. Testability and Verifiability - ability to validate performance and resilience under test conditions. 5.4.3 Ecological and Organisational Domain Attributes reflecting human, cultural and organisational capacities: Adaptability - ability to reconfigure behaviours dynamically within safe bounds. Flexibility, Resourcefulness and Learning - as enabling sub-attributes of adaptability. Preparedness (organisational scope). Training and Awareness - empirically confirmed as a primary determinant of detection performance. Communication - empirically confirmed as a primary determinant of recovery performance. Diversity of Skills and Cognitive Diversity. Staffing Resilience. Collaboration. Improvisation - bounded by safety constraint. Safety Culture - reflecting its ecological and organisational character rather than purely technical nature. 5.4.4 Governance and Management Domain Institutional and leadership-level enablers that shape whether resilience mechanisms are effectively implemented and sustained: Governance and Leadership - accountability, oversight, and cultural commitment. Policy Alignment - mapping to standards and frameworks. Preparedness (governance scope). Complexity Management - recognising when interconnected systems introduce fragility, ensuring modularity, bounding interdependencies and preventing escalation from emergent behaviours. While engineering measures address complexity locally, governance ensures it is identified and managed systemically. Assurance and Audit-ability - independent validation and verification. Strategic Foresight - capacity to anticipate long-term shifts and emerging risks. 5.4.5 Contextual and Systemic Domain Broader environmental and systemic influences that affect how resilience manifests in practice: Environmental Awareness. Scalability. Sustainability. Legacy Constraints. Regulatory Alignment. Interdependency Awareness. Geopolitical Awareness. This refined taxonomy is structured around the trajectory concept: safety domain attributes maintain the continuous constraint floor; engineering domain attributes determine how deep the performance drop can go; ecological and organisational domain attributes determine how quickly detection and recovery proceed; governance domain attributes determine whether the other domains function effectively in practice; and contextual domain attributes shape the environment in which all of these operate. Security is explicitly positioned within the engineering domain, clarifying its role as an enabler of robustness without conflating it with systemic resilience. 5.5 Integration Requirements The study demonstrates that cyber resilience emerges only through integration across domains. Security controls contribute to resilience by strengthening robustness, but they cannot alone guarantee safe outcomes. Resilience requires additional safety mechanisms and organisational capacity that extend beyond the security layer. The findings therefore confirm three integration principles : Security is necessary but not sufficient - it underpins robustness within the engineering domain but does not equate to resilience. Segmentation, intrusion detection and access controls reduced exposure but did not guarantee safe outcomes unless coupled with safety mechanisms and organisational capacity. Safety runs as a continuous constraint on all other domains - resilience measures must be judged by whether they preserve the safety constraint floor throughout the trajectory, not merely by the presence of security controls. Trade-offs that enhanced security while removing safety constraint enforcement were detrimental to resilience. Organisational and governance attributes amplify or undermine technical measures - communication, training and complexity management proved decisive in finding whether technical safeguards translated into actual resilient performance. 5. Discussion The findings confirm the trajectory concept's central claim: resilience in safety-critical CPS is the measurable performance trajectory produced by the structured interaction of causally distinct domains, each exerting dominant influence over a specific phase. The discussion addresses five interpretive themes that emerge from the evidence. 5.1 Empirical Confirmation of Domain Attribution The most significant finding is the empirical confirmation that engineering and organisational domains are causally distinct and non-substitutable within this experimental context. This qualification is important: the study was designed to vary domain-relevant attributes selectively and the observed separation of effects reflects that experimental structure. The finding is therefore accurately described as demonstrating domain distinction under controlled conditions rather than asserting it as a universal property of all safety-critical CPS environments. Cross-sector replication is still necessary to establish generalisability. Engineering resistance capacity improvements reduced degradation magnitude - the drop phase of the trajectory - without affecting recovery duration. Organisational improvements reduced detection latency and recovery duration - the detection and recovery phases - without affecting degradation magnitude. Safety constraint removal produced unsafe outcomes independently of both. This pattern directly validates the trajectory model's domain attribution and distinguishes it from flat-catalogue frameworks in which all attributes are treated as substitutable contributors to a single resilience index. In practical terms: organisations cannot compensate for absent PLC validation with more frequent SOC monitoring and cannot compensate for absent communication protocols with stronger segmentation. The domains are complementary and sequentially dependent. Improving one phase of the trajectory requires intervention in the domain that owns that phase - there is no cross-domain substitution. 5.2 Safety as Continuous Constraint, Not Organising Principle The experimental evidence strongly supports the model's treatment of safety as a continuous constraint rather than a threshold event or a parallel domain. Under baseline configuration, the absence of PLC input validation did not merely allow safety boundaries to be approached - it removed the mechanism through which the safety constraint was enforced at the process level. Unsafe product states occurred because the engineering implementation of the safety constraint was absent, not because operators failed to respond or because a threshold was crossed. This is a structurally different claim from the conventional safety engineering position that safety is the primary design priority. The trajectory model does not merely assert that safety matters - it specifies that safety functions as a boundary condition on what is permissible within every phase of the trajectory, continuously and that this boundary must be implemented at the process control level rather than only at the network perimeter. Cybersecurity measures targeting the digital communication layer without considering their effect on the underlying enforcement of safety constraint logic may provide assurance at the wrong level. 5.3 Monitoring Integration and the Detection Phase The PID oscillation scenario provided particularly clear evidence of the structural inadequacy of security-layer-only monitoring in safety-critical process environments. A process deviation that produced no network anomaly and no threshold breach remained undetected for 23 minutes under baseline (network-only) monitoring. The integration of process telemetry was the single most impactful individual improvement in the enhanced configuration, reducing detection latency by over 58% across all scenario types - a greater improvement than any engineering intervention produced. This confirms that the organisational-domain contribution to detection performance is primarily mediated by monitoring architecture rather than operator skill alone, and that security-layer visibility without process-layer integration is structurally insufficient regardless of how well the security layer performs. The implication is direct: investment in monitoring architecture that integrates process telemetry with cyber anomaly detection belongs in the organisational domain and should be assessed and funded accordingly. 5.4 Governance, Context and Complexity Governance and contextual attributes decided whether resilience mechanisms functioned effectively. Leadership, accountability, assurance, policy alignment, complexity management and strategic foresight shaped how technical and organisational measures were implemented and sustained (Sutcliffe 2003 ), (Madni 2009 ), (Zhao 2021). Complexity management emerged as a particularly significant attribute in its own right. Uncontrolled interdependencies and poorly understood vendor integrations undermined resilience even when technical and organisational attributes were strong. Both case studies surfaced instances where security controls satisfied audit criteria while quietly introducing fragilities, underscoring the need for governance-level complexity management. Governance therefore provides the strategic oversight needed to manage complexity, align investments and predict emerging risks. 5.5 Implications for OT Standards and Guidance The empirical findings carry direct implications for OT guidance. IEC 62443 (IEC 2018) and NIST SP 800 − 82 (Stouffer 2023) both address monitoring and resilience but do not specify the causal structure of domain interaction or distinguish monitoring that captures network anomalies from monitoring that captures process-layer deviations. The evidence presented here suggests three specific guidance improvements: requiring the integration of process telemetry into detection functions; distinguishing engineering and organisational resilience contributions in assessment criteria; and incorporating dependency-aware assessment requirements, including evaluation of whether monitoring changes alter the systemic exposure of previously isolated OT components. 6. Conclusion This research provides empirical validation of the trajectory concept proposed in the companion paper: that cyber resilience in safety-critical CPS is the measurable temporal performance trajectory produced by the structured interaction of causally distinct domains, each governing a specific phase. The study demonstrates that this structural attribution is not merely a conceptual convenience but an empirically verifiable property with direct practical implications. 6.1 Key Contributions Theoretical contributions Provides controlled experimental validation of domain-attributed resilience trajectory behaviour in a safety-critical industrial environment through selective attribute activation across defined trajectory phases; confirms that engineering and organisational domains are causally distinct and non-substitutable contributors to specific trajectory phases within this experimental context; empirically establishes safety as a continuous constraint rather than a threshold event; and extends the quantitative CPS resilience literature (Cassottana 2023) by supplying the domain-causal structure that unified curve-based measurement approaches lack. Methodological contributions Combines literature synthesis, field case studies and a physical industrial-scale testbed with selective attribute activation and deactivation, enabling direct observation of domain-phase attribution; applies both qualitative and quantitative assessment; demonstrates a replicable framework for controlled resilience trajectory validation; and identifies attribute interaction patterns - reinforcing, conflicting and dependency-based - invisible to compliance-oriented assessment. Practical contributions Provides phase-specific guidance for resilience investment - practitioners can identify which phase of the trajectory is underperforming and intervene in the domain that owns that phase; demonstrates that engineering and organisational interventions are not substitutable and challenges the misconception that security controls alone deliver resilience (NCSC 2022), (IEC 2018), (Stouffer 2023). 6.2 Implications for Practice The results indicate that practitioners should: Assess resilience by trajectory phase, not by attribute presence - identify which phase is underperforming and intervene in the domain that owns that phase rather than adding generic controls. Implement attributes hierarchically - robustness must underpin redundancy; safety mechanisms must be verified as operationally active, not merely present in design documentation. Integrate process telemetry with contextual insights into monitoring functions - security-layer-only monitoring is structurally insufficient for safety-critical process environments. Integrate technical safeguards with organisational measures - communication protocols, operator training and structured escalation procedures amplify technical effectiveness and are not substitutable by added engineering controls. Manage complexity at a governance level - compliance-driven implementations that satisfy audits may erode resilience in practice through uncontrolled interdependencies and rigid configurations. 6.3 Future Research While the study provides empirically grounded, quantitatively validated evidence for a hierarchical taxonomy of cyber resilience in safety-critical industrial environments, limitations remain. Results are based on two case studies and a representative testbed in a single process domain; further cross-sector validation is needed to assess generalisability. Longitudinal studies would test the durability of attributes over time and under evolving threat profiles. Research into emerging technologies - including AI-enabled automation, 5G connectivity and edge computing - could extend the taxonomy's relevance as these introduce new dependency and control architectures (Zhang 2021), (Zhao 2021). Development of automated resilience assessment tools and sector-specific attribute weighting schemes offers further applied research opportunities. 6.4 Closing Statement Cyber resilience will remain central to the safety, reliability and sustainability of modern critical infrastructures. By showing that resilience is the measurable trajectory of system performance under disturbance - produced by the structured, causally distinct interaction of engineering, organisational and safety domains - this research offers both a theoretical framework and an empirically grounded instrument for resilience assessment in safety-critical industrial environments. The goal is not simply more secure systems, but infrastructures capable of producing a better trajectory: shallower degradation, faster detection, faster recovery and consistent operation within safe bounds throughout (Stouffer 2023), (Leveson 2004 ). Declarations Competing Interests The authors declare that they have no competing interests. Author Contribution KP: conceptualisation, methodology, investigation, formal analysis, writing - original draft, writing - review and editing. IDW: funding, supervision, writing - review and editing. Data Availability The primary empirical data underpinning this study is drawn from the corresponding author's doctoral research, which is publicly available online (Cyber Maintainable Safety-Critical Complex Systems. PhD thesis, University of South Wales. https://doi.org/10.60485/80zj-jp20). References Ashby WR (1956) An Introduction to Cybernetics. Chapman and Hall, London Bagheri A, Ridley G (2018) Toward a framework for business resilience. Proc Australas Conf Inf Syst, Sydney, Australia Bruneau M, Chang SE, Eguchi RT, Lee GC, O’Rourke TD, Reinhorn AM, Shinozuka M, Tierney K, Wallace WA, von Winterfeldt D (2003) A framework to quantitatively assess and enhance the seismic resilience of communities. Earthq Spectra 19(4):733–752 Cassottana B, Roomi MM, Mashima D, Sansavini G (2023) Resilience analysis of cyber-physical systems: a review of models and methods. Risk Anal 43(11):2359–2379. https://doi.org/10.1111/risa.14089 Chehida S, Rutten E, Giraud G, Mocanu S (2025) Self-reconfiguration of industrial control systems as a response to cyberattacks. J Netw Syst Manag. https://doi.org/10.1007/s10922-025-09979-0 European Union (2022) Directive (EU) 2022/2557 on the resilience of critical entities. Official Journal of the European Union, December 2022 Holling CS (1973) Resilience and stability of ecological systems. Annu Rev Ecol Syst 4:1–23 Hollnagel E, Woods DD, Leveson N (2006) Resilience Engineering: Concepts and Precepts. Ashgate, Aldershot International Electrotechnical Commission (IEC) (2018) IEC 62443: Security for Industrial Automation and Control Systems. IEC, Geneva Laprie JC (2008) Resilience for the ICT world: dealing with mistakes, accidents and malicious acts. In: Proc 2008 Int Conf Dependable Systems and Networks, Anchorage, AK, pp 5–12 Leveson NG (2004) A new accident model for engineering safer systems. Saf Sci 42(4):237–270 Leveson NG (2011) Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge, MA Linkov I, Bridges T, Creutzig F et al (2014) Changing the resilience paradigm. Nat Clim Chang 4:407–409 Linkov I, Eisenberg D, Plourde M, Seager TP, Allen J, Kott A (2013) Resilience metrics for cyber systems. Environ Syst Decis 33:471–476 Madni M, Jackson S (2009) Towards a conceptual framework for resilience engineering. IEEE Syst J 3(2):181–191 National Cyber Security Centre (NCSC) (2022) Cyber Assessment Framework (CAF). https://www.ncsc.gov.uk/collection/caf National Institute of Standards and Technology (2021) Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, NIST Special Publication 800 – 160 Volume 2 Revision 1. NIST, Gaithersburg, MD anon (2023a) Cyber Maintainable Safety-Critical Complex Systems. PhD thesis, University of South Wales. https://doi.org/10.60485/80zj-jp20 anon (2026) A hierarchical trajectory model of cyber resilience in safety-critical cyber-physical systems: domain attribution, safety constraint and consequence-driven assessment. Companion paper [Paper 1 of this series], awaiting review anon (2023b) A cyber resilience analysis case study of an industrial operational technology environment. Environ Syst Decis 43(2):178–190. https://doi.org/10.1007/s10669-023-09895-1 Pimm SL (1984) The complexity and stability of ecosystems. Nature 307:321–326 Rabenstein J et al (2022) Towards resilience by self-adaptation of industrial control systems. In: Proc IEEE 27th Int Conf Emerging Technologies and Factory Automation (ETFA). IEEE. https://doi.org/10.1109/ETFA52439.2022.9921597 Reason J (1997) Managing the Risks of Organizational Accidents. Ashgate, Aldershot Stouffer K, Pillitteri V, Lightman S, Abrams M, Hahn A (2023) NIST Special Publication 800 – 82 Revision 3: Guide to Operational Technology (OT) Security. National Institute of Standards and Technology Sutcliffe K, Vogus T (2003) Organizing for resilience. In: Cameron K, Dutton J, Quinn R (eds) Positive Organizational Scholarship. Berrett-Koehler, San Francisco, CA, pp 94–110 Timmerman P (1981) Vulnerability, Resilience and the Collapse of Society. Institute for Environmental Studies, University of Toronto, Toronto Walker B, Holling CS, Carpenter SR, Kinzig A (2004) Resilience, adaptability and transformability in social-ecological systems. Ecol Soc 9(2):5 Zhang X, Zheng H, Li W (2021) A systematic review of cyber resilience assessment methods. Comput Secur 108:102349 Zhao J, Li D, Wang H (2021) Cyber resilience: from risk assessment to resilience engineering. Reliab Eng Syst Saf 214:107613 Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Revision Version 1 posted Editorial decision: Revision requested 09 May, 2026 Reviews received at journal 14 Apr, 2026 Reviews received at journal 31 Mar, 2026 Reviewers agreed at journal 30 Mar, 2026 Reviewers agreed at journal 30 Mar, 2026 Reviewers agreed at journal 30 Mar, 2026 Reviewers invited by journal 28 Mar, 2026 Editor assigned by journal 26 Mar, 2026 Submission checks completed at journal 24 Mar, 2026 First submitted to journal 23 Mar, 2026 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {\"props\":{\"pageProps\":{\"initialData\":{\"identity\":\"rs-9204849\",\"acceptedTermsAndConditions\":true,\"allowDirectSubmit\":false,\"archivedVersions\":[],\"articleType\":\"Research Article\",\"associatedPublications\":[],\"authors\":[{\"id\":614013202,\"identity\":\"b83796f3-347f-466b-b0ce-fd2757231100\",\"order_by\":0,\"name\":\"Kirsty Perrett\",\"email\":\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABAUlEQVRIie3RMWrDMBSAYT0EmWKyPpOSXkHgA+QgWQxZI7pqcI2MwV1ygJiE5Arp4llGoC6CHCBLIRcIZKiHUmq3lA7FdsZC9A/iCd43CBHicv3D8GeYqsNbFYp6olReQxiSUjE824bAtUQr5udZc+kh/jo1FyHeY8hUGHjbx9noqSaVKFrJ+M7Mc2sZ0qFSc6944SsNEpb22EomuAggyRgOsJTaKwyXNaGQdZGHCyQfDIf3J0i9jeG7PjLGBYVEMkRiKOQy4vs+4m9MANIE/p7YATkbxZ9rUna9BY/pCWQ0GbGGhFHMtwddvlainfx+/3f661Tt+39J3Lnscrlct9knDWlb/HxUH9QAAAAASUVORK5CYII=\",\"orcid\":\"\",\"institution\":\"Thales (United Kingdom)\",\"correspondingAuthor\":true,\"prefix\":\"\",\"firstName\":\"Kirsty\",\"middleName\":\"\",\"lastName\":\"Perrett\",\"suffix\":\"\"},{\"id\":614013203,\"identity\":\"40e29711-c766-4ca4-bbef-6b405f82cdbb\",\"order_by\":1,\"name\":\"Ian David Wilson\",\"email\":\"\",\"orcid\":\"\",\"institution\":\"\",\"correspondingAuthor\":false,\"prefix\":\"\",\"firstName\":\"Ian\",\"middleName\":\"David\",\"lastName\":\"Wilson\",\"suffix\":\"\"}],\"badges\":[],\"createdAt\":\"2026-03-23 22:53:15\",\"currentVersionCode\":1,\"declarations\":\"\",\"doi\":\"10.21203/rs.3.rs-9204849/v1\",\"doiUrl\":\"https://doi.org/10.21203/rs.3.rs-9204849/v1\",\"draftVersion\":[],\"editorialEvents\":[],\"editorialNote\":\"\",\"failedWorkflow\":false,\"files\":[{\"id\":105786260,\"identity\":\"ea67500a-a2f2-431d-b20a-5167f4dac8e0\",\"added_by\":\"auto\",\"created_at\":\"2026-03-31 06:44:42\",\"extension\":\"jpeg\",\"order_by\":1,\"title\":\"Figure 1\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":143096,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eThe Cyber-Compatibilism Model.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage1.jpeg\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/c0d6051a4f61ed0ae1a6433f.jpeg\"},{\"id\":105904195,\"identity\":\"fb7acb58-4fb2-4a0b-9ca2-abf6ac74c38c\",\"added_by\":\"auto\",\"created_at\":\"2026-04-01 10:06:06\",\"extension\":\"png\",\"order_by\":2,\"title\":\"Figure 2\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":162392,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eIndustrial testbed architecture. Three functional layers: physical process (PLC, redundant sensors, actuators, safety interlocks); supervisory OT layer (HMI/SCADA, historian, engineering workstation, remote access gateway simulating third-party vendor exposure); monitoring and detection (network security logs, process telemetry, SOC integration). PLC input validation was configurable on/off to isolate engineering domain causal effects.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage3.png\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/5d88b787d5f9c7dd1069cc7e.png\"},{\"id\":105904462,\"identity\":\"42ed219d-2c23-4335-9c7c-0ea142d4a25a\",\"added_by\":\"auto\",\"created_at\":\"2026-04-01 10:08:46\",\"extension\":\"png\",\"order_by\":3,\"title\":\"Figure 3\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":181326,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eExperimental domain attribution - scenario to outcome mapping.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage5.png\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/a493ee8c408a764b37a575fd.png\"},{\"id\":105786262,\"identity\":\"8bea5e1c-d76d-4379-8e06-c9309351a68c\",\"added_by\":\"auto\",\"created_at\":\"2026-03-31 06:44:42\",\"extension\":\"png\",\"order_by\":4,\"title\":\"Figure 4\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":84609,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eDomain-attributed resilience curves: baseline (amber) versus enhanced (blue). Baseline: DeltaP ~25%, Td \\u0026gt;12 min, Tr ~45 min, safety breaches in all affected scenarios. Enhanced: DeltaP \\u0026lt;5%, Td \\u0026lt;5 min, Tr \\u0026lt;15 min, zero safety breaches. Engineering improvements reduced DeltaP only; organisational improvements reduced Td \\u0026amp; Tr only; confirming domain attribution within this experimental context.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage6.png\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/b62ab8305e19cfa256558c1b.png\"},{\"id\":105786264,\"identity\":\"bb3ea1c1-2d5f-4057-a7f6-da00983efc5a\",\"added_by\":\"auto\",\"created_at\":\"2026-03-31 06:44:42\",\"extension\":\"png\",\"order_by\":5,\"title\":\"Figure 5\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":132746,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eAttribute interaction effects observed in testbed experimentation.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage7.png\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/455e5c122de71c862bf1d4c7.png\"},{\"id\":105786265,\"identity\":\"687b8c64-2da9-4925-8d7c-42970829ee88\",\"added_by\":\"auto\",\"created_at\":\"2026-03-31 06:44:42\",\"extension\":\"png\",\"order_by\":6,\"title\":\"Figure 6\",\"display\":\"\",\"copyAsset\":false,\"role\":\"figure\",\"size\":715592,\"visible\":true,\"origin\":\"\",\"legend\":\"\\u003cp\\u003e\\u003cem\\u003eLayered dependency graph of cyber resilience attributes across five domains. Dashed lines indicate cross-domain dependencies, showing how attributes across domains reinforce, constrain or govern one another. The hierarchy reflects empirically validated causal relationships between attributes and trajectory phases.\\u003c/em\\u003e\\u003c/p\\u003e\",\"description\":\"\",\"filename\":\"floatimage8.png\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/299fb067600130a841cba542.png\"},{\"id\":106093190,\"identity\":\"af8f7dc4-d85e-49f0-9572-0d1589c3a93a\",\"added_by\":\"auto\",\"created_at\":\"2026-04-03 11:35:50\",\"extension\":\"pdf\",\"order_by\":0,\"title\":\"\",\"display\":\"\",\"copyAsset\":false,\"role\":\"manuscript-pdf\",\"size\":2822179,\"visible\":true,\"origin\":\"\",\"legend\":\"\",\"description\":\"\",\"filename\":\"manuscript.pdf\",\"url\":\"https://assets-eu.researchsquare.com/files/rs-9204849/v1/11770672-6ec4-4de4-a43c-d18682e89745.pdf\"}],\"financialInterests\":\"No competing interests reported.\",\"formattedTitle\":\"Quantitative Validation of Domain-Attributed Cyber Resilience Trajectories for Safety-Critical Systems\",\"fulltext\":[{\"header\":\"1. Introduction\",\"content\":\"\\u003cp\\u003eResilience has become a central theme across engineering, ecological, organisational and cybersecurity disciplines (Bagheri 2018; Bruneau 2003; Hollnagel 2006; Holling 1973; NCSC 2022; European Union 2022). In critical infrastructure environments, increasing interdependence between digital control systems and physical processes means that disruptions may propagate rapidly into real-world consequences (Laprie 2008), (Leveson 2011), (Linkov 2014). Such disruptions may be malicious, accidental, insider-driven or environmental in origin.\\u0026nbsp;\\u003c/p\\u003e\\n\\u003cp\\u003eContemporary regulatory and advisory guidance, including the EU Critical Entities Resilience Directive (European Union 2022), the NCSC Cyber Assessment Framework (NCSC 2022), IEC 62443 (IEC 2018) and NIST SP 800-82 (Stouffer 2023), emphasises resilience but does not specify which attributes are structurally foundational or how they interact under disruption. In practice, organisations frequently implement recognised controls - such as network segmentation, Security Operations Centre (SOC) monitoring and patching - as stand-alone measures. These are good practices but when applied without process context they risk monitoring only the security wrapper rather than the safety-critical process itself. For example, connecting a previously isolated system solely to monitor Operational Technology (OT) security logs and not process telemetry, provides visibility of the wrapper but not the process at risk.\\u003c/p\\u003e\\n\\u003cp\\u003eA companion paper (anon 2026) proposed that resilience in safety-critical Cyber-Physical Systems (CPS) is not a catalogue of controls but a measurable temporal performance trajectory produced by the structured interaction of causally distinct domains. The model's central structural claim is that each domain exerts dominant influence over a specific phase of the resilience curve: engineering resistance capacity governs how far performance degrades when disturbance occurs; organisational recovery and adaptive capacity governs how quickly disturbance is detected and how rapidly safe operation is restored; and safety functions as a continuous constraint - \\u0026nbsp; a boundary condition that frames allowable system behaviour throughout the full resilience trajectory, rather than serving as an event triggered only when limits are exceeded.\\u003c/p\\u003e\\n\\u003cp\\u003eThis paper presents the empirical validation of that trajectory concept, drawing on two industrial case studies and controlled experimentation using a physical safety-critical industrial testbed. It addresses three interrelated gaps in the existing literature:\\u003c/p\\u003e\\n\\u003col\\u003e\\n \\u003cli\\u003eThe absence of quantitative evidence that engineering and organisational domain contributions to the resilience trajectory are causally distinct and non-substitutable within controlled experimental conditions.\\u003c/li\\u003e\\n \\u003cli\\u003eThe limited use of physical testbed experimentation to observe and measure domain-specific ownership of specific trajectory phases.\\u003c/li\\u003e\\n \\u003cli\\u003eThe gap between conceptual resilience frameworks and measurable, operationally grounded evidence of attribute interaction, reinforcement and trade-offs.\\u003c/li\\u003e\\n\\u003c/ol\\u003e\\n\\u003cp\\u003eThe empirical evidence is used both to validate the trajectory model and to refine a five-domain taxonomy of resilience attributes - spanning safety, engineering/technical, ecological/organisational, governance/management and contextual/systemic domains - that specifies which attributes influence which phase of resilience.\\u003c/p\\u003e\"},{\"header\":\"2. Background: The Competing Roots of Resilience\",\"content\":\"\\u003cp\\u003eResilience in safety-critical cyber-physical systems carries competing meanings inherited from four distinct intellectual traditions. Materials science established resilience as the restoration of a prior physical state (Timmerman \\u003cspan citationid=\\\"CR26\\\" class=\\\"CitationRef\\\"\\u003e1981\\u003c/span\\u003e; Gordon 1978). Holling (\\u003cspan citationid=\\\"CR7\\\" class=\\\"CitationRef\\\"\\u003e1973\\u003c/span\\u003e) challenged this fundamentally from ecology, distinguishing engineering resilience - the speed of return to equilibrium - from ecological resilience - the magnitude of disturbance a system can absorb before structural change (Pimm \\u003cspan citationid=\\\"CR21\\\" class=\\\"CitationRef\\\"\\u003e1984\\u003c/span\\u003e). Safety engineering, rooted in constraint-based control theory (Leveson \\u003cspan citationid=\\\"CR11\\\" class=\\\"CitationRef\\\"\\u003e2004\\u003c/span\\u003e; Ashby \\u003cspan citationid=\\\"CR1\\\" class=\\\"CitationRef\\\"\\u003e1956\\u003c/span\\u003e), addressed the prevention of unsafe states rather than recovery or adaptation. Cyber resilience emerged from information security and business continuity, inheriting the restoration logic of engineering resilience without reconciling it with safety constraint or ecological adaptability (NIST 2021; NCSC 2022; Stouffer 2023).\\u003c/p\\u003e \\u003cp\\u003eThese four traditions have converged in practice without being reconciled in theory, producing frameworks in which robustness, adaptability, safety constraint and recovery are treated as equivalent attributes in flat taxonomies, their structural tensions unresolved. A full analysis of this historical divergence and its implications is provided in the companion paper (anon \\u003cspan citationid=\\\"CR19\\\" class=\\\"CitationRef\\\"\\u003e2026\\u003c/span\\u003e). The organising principle that emerges from that analysis - Cyber-Compatibilism - is introduced and developed there and operationalised directly in the empirical work presented here.\\u003c/p\\u003e\"},{\"header\":\"3. Theoretical Context and Positioning\",\"content\":\"\\u003cdiv id=\\\"Sec3\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e3.1 The Cyber-Compatibilism Model\\u003c/h2\\u003e \\u003cp\\u003eThe full theoretical development of the Cyber-Compatibilism model is presented in the companion paper (anon \\u003cspan citationid=\\\"CR19\\\" class=\\\"CitationRef\\\"\\u003e2026\\u003c/span\\u003e). In summary, the model integrates three complementary intellectual traditions: engineering resilience, which emphasises robustness, redundancy and recovery (Laprie \\u003cspan citationid=\\\"CR10\\\" class=\\\"CitationRef\\\"\\u003e2008\\u003c/span\\u003e; Leveson \\u003cspan citationid=\\\"CR12\\\" class=\\\"CitationRef\\\"\\u003e2011\\u003c/span\\u003e); ecological resilience, which contributes bounded adaptability and organisational responsiveness within defined safety limits (Holling \\u003cspan citationid=\\\"CR7\\\" class=\\\"CitationRef\\\"\\u003e1973\\u003c/span\\u003e; Walker 2004); and safety resilience, which establishes constraint enforcement and graceful degradation as primary design conditions (Reason \\u003cspan citationid=\\\"CR23\\\" class=\\\"CitationRef\\\"\\u003e1997\\u003c/span\\u003e; Leveson \\u003cspan citationid=\\\"CR11\\\" class=\\\"CitationRef\\\"\\u003e2004\\u003c/span\\u003e). Cyber-Compatibilism is the principle that, although cyber threats and failures are inevitable, systems and operators can preserve meaningful agency through resilience mechanisms that anticipate, withstand, adapt and recover while maintaining continuous safety constraint throughout the disturbance trajectory.\\u003c/p\\u003e \\u003cp\\u003eA terminological clarification is necessary here. Emerging OT resilience discourse increasingly references adaptive networks and dynamic positioning - technical mechanisms through which network infrastructure automatically reconfigures in response to detected threats, reroutes traffic or adjusts trust boundaries without manual intervention. Despite the term adaptation, these mechanisms sit within engineering resistance capacity rather than organisational adaptive capacity. Their function is to circumvent or hold disruption at the point of occurrence, limiting propagation into the operational process before degradation takes hold. This is a resistance behaviour acting on the disturbance magnitude phase of the trajectory, not the phases that organisational adaptive capacity governs. Conflating technical self-reconfiguration with organisational adaptability obscures which domain owns which phase of the resilience trajectory and risks misattributing the source of resilience improvements in assessment and investment decisions (Chehida 2025; Rabenstein 2022). These approaches nonetheless signal that the field is moving toward the trajectory-aware thinking this paper formalises empirically.\\u003c/p\\u003e \\u003cp\\u003eAdaptive networking and dynamic positioning increase system complexity, and autonomously reconfiguring systems may satisfy security goals while inadvertently degrading the safety constraint boundary that governs the entire trajectory. A network that reconfigures to contain a detected anomaly but in doing so isolates a safety-critical process telemetry feed does not improve resilience - it removes the visibility on which detection and safe recovery depend, trading one risk for a less visible but more consequential one. This is precisely the kind of trade-off that domain-attributed, consequence-driven resilience assessment is designed to surface, and it is directly evidenced in the experimental findings presented in this paper.\\u003c/p\\u003e \\u003cp\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec4\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e3.2 Fragmented Treatments of Resilience \\u0026amp; Measurement Gaps\\u003c/h2\\u003e \\u003cp\\u003eThe growing body of cyber resilience research reflects its importance but also exposes substantial fragmentation. Technical, organisational and systemic dimensions are often examined in isolation rather than as part of an integrated whole (Bruneau 2003), (Hollnagel 2006), (Sutcliffe \\u003cspan citationid=\\\"CR25\\\" class=\\\"CitationRef\\\"\\u003e2003\\u003c/span\\u003e), (Madni \\u003cspan citationid=\\\"CR15\\\" class=\\\"CitationRef\\\"\\u003e2009\\u003c/span\\u003e). Standards such as IEC 62443 (IEC 2018) and NIST SP 800\\u0026thinsp;\\u0026minus;\\u0026thinsp;82 (Stouffer 2023) provide structured guidance but remain primarily compliance-oriented and do not specify which attributes are foundational or empirically validate their hierarchical dependencies.\\u003c/p\\u003e \\u003cp\\u003eA consistent limitation across traditions is that attributes are presented as flat lists. Linkov et al. (Linkov 2013) identify core resilience dimensions but provide limited distinction between foundational and dependent characteristics in operational application. Zhang et al. (Zhang 2021) provide a detailed roadmap for resilience in IoT and CPS but their framework remains largely conceptual with limited experimental grounding. Zhao et al. (Zhao 2021) argue for a unified understanding but stop short of resolving how attributes interact or can be measured in practice.\\u003c/p\\u003e \\u003cp\\u003eCassottana et al. (Cassottana 2023) confirm in a systematic review that current quantitative CPS resilience frameworks measure resilience as a unified performance curve without domain-attributed causal structure. A recurring issue is that metrics capture outcomes rather than the underlying attributes that generate them. Organisations thereby often equate compliance with resilience, assuming that the presence of monitoring tools or framework-aligned controls implies systemic resilience. This study addresses that gap directly.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec5\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e3.3 The Trajectory Concept and Domain Attribution\\u003c/h2\\u003e \\u003cp\\u003eThe companion paper (anon \\u003cspan citationid=\\\"CR19\\\" class=\\\"CitationRef\\\"\\u003e2026\\u003c/span\\u003e) proposes that resilience in safety-critical CPS is the measurable temporal performance trajectory produced by the structured interaction of three causally distinct domains. The model's primary structural contribution is the explicit mapping of dominant domain influence over specific phases of the resilience curve - a structure that Cassottana et al. (Cassottana 2023) confirm is not commonly explicit in existing quantitative CPS resilience frameworks.\\u003c/p\\u003e \\u003cp\\u003eEngineering resistance capacity determines the depth of the performance drop when disturbance occurs. Organisational recovery and adaptive capacity govern how quickly that drop is detected and how rapidly recovery proceeds. Safety functions as a continuous constraint - not a threshold to be breached or a parallel domain to be balanced against the others but the boundary condition that governs what adaptive and restorative behaviour is permissible throughout every phase. This is the structural distinction that separates the model from prior multi-dimensional frameworks, including the TOSE decomposition of Bruneau et al. (Bruneau 2003), which address engineering and organisational dimensions in parallel without assigning them dominant influence over trajectory phases of specific curve phases or positioning safety as a continuous constraint over both.\\u003c/p\\u003e \\u003cp\\u003eThe empirical sections that follow test whether this domain attribution holds under controlled disruption conditions.\\u003c/p\\u003e \\u003c/div\\u003e\"},{\"header\":\"4. Methodology\",\"content\":\"\\u003cp\\u003eThis research adopted a mixed-methods design combining literature synthesis, taxonomy development, industrial case studies and empirical validation using a physical industrial cyber-physical testbed. The aim was to ensure that resilience attributes were not only conceptually grounded but directly observable and measurable under realistic disruption conditions.\\u003c/p\\u003e\\n\\u003cp\\u003e\\u003cstrong\\u003eTable 1. Research Design Structure\\u003c/strong\\u003e\\u003c/p\\u003e\\n\\u003cp\\u003e\\u003cstrong\\u003e\\u003cimg src=\\\"https://myfiles.space/user_files/69519_bce2c0439cd956a6/69519_custom_files/img1774883739.png\\\"\\u003e\\u003c/strong\\u003e\\u003cbr\\u003e\\u003c/p\\u003e\\n\\u003cdiv\\u003eTable 1. \\u003cem\\u003eResearch design structure across five sequential phases.\\u003c/em\\u003e\\n \\u003ctable float=\\\"Yes\\\" id=\\\"Tab1\\\" border=\\\"1\\\"\\u003e\\u003c/table\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec7\\\"\\u003e\\n \\u003ch2\\u003e4.1 Literature Synthesis and Taxonomy Framework\\u003c/h2\\u003e\\n \\u003cp\\u003eA structured review across engineering, ecological and cyber resilience domains identified recurring attributes (Bagheri 2018), (Hollnagel 2006), (Holling 1973), (Laprie 2008), (Walker 2004), (Sutcliffe 2003), (Madni 2009), (Linkov 2013). These were consolidated into a hierarchical taxonomy with three levels: primary attributes that directly influence a specific phase of the resilience trajectory; secondary attributes that contribute to those primary mechanisms; and enabling attributes as the practical means through which they are realised. This structuring reflected the observation that resilience emerges from dependency chains rather than independent controls - redundancy contributes to robustness, which in turn constrains degradation magnitude.\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec8\\\"\\u003e\\n \\u003ch2\\u003e4.2 Industrial Case Studies\\u003c/h2\\u003e\\n \\u003cp\\u003eCase Study 1: Process Manufacturing Plant\\u003c/p\\u003e\\n \\u003cp\\u003eObservations at a process manufacturing facility identified reliance on security-driven overlays including segmentation and monitoring. PLC safety functions were routinely disabled during operational periods. SOC monitoring was restricted to security-layer logs with no integration of process telemetry, meaning disturbances affecting the physical process were invisible to the security monitoring function. Communication gaps between IT and OT teams were persistent. Redundancy had been implemented without sufficient robustness, introducing hidden fragilities and maintenance complexity.\\u003c/p\\u003e\\n \\u003cp\\u003eCase Study 2: Energy Operator\\u003c/p\\u003e\\n \\u003cp\\u003eAt an energy operator, persistent IP address conflicts masked by network address translation had gone undetected for an extended period. Segmentation governance was poorly defined and remote access through VPN directly into OT equipment was prominent for third-party maintenance support. SOC analysts lacked process context, leading to misclassification of legitimate OT maintenance activity as potentially malicious. The resulting false positive burden eroded analyst confidence and contributed to extended detection latency during genuine disturbance events.\\u003c/p\\u003e\\n \\u003cp\\u003eCross-Case Findings\\u003c/p\\u003e\\n \\u003cp\\u003eAcross both cases, security-driven implementations often satisfied audit requirements while introducing fragilities - including uncontrolled remote access and rigid segmentation that increased systemic risk. Communication gaps between IT and OT teams were the most persistent inhibitor of resilience, consistent with patterns documented in prior field investigations (anon 2023b). These observations directly influenced the taxonomy, elevating safety mechanisms to primary status and highlighting communication and process-integrated monitoring as critical enablers.\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec9\\\"\\u003e\\n \\u003ch2\\u003e4.3 Industrial Testbed Design\\u003c/h2\\u003e\\n \\u003cp\\u003eTo empirically validate the taxonomy, a physical testbed was constructed to replicate a food-grade heating and mixing process in infant milk formula production. This represented a safety-critical industrial cyber-physical system in which process deviations had direct consequences for product safety. Equipment included a Programmable Logic Controller (PLC), Human-Machine Interface (HMI), process historian, temperature sensors and actuators, a remote-access gateway simulating third-party vendor exposure and SOC log integration. Both network logs and process telemetry were monitored. Safe operating thresholds were explicitly defined:\\u003c/p\\u003e\\n \\u003cdiv\\u003e\\n \\u003ctable float=\\\"Yes\\\" id=\\\"Tab2\\\" border=\\\"1\\\"\\u003e\\n \\u003ccaption language=\\\"En\\\"\\u003e\\n \\u003cdiv\\u003eTable 2\\u003c/div\\u003e\\n \\u003cdiv\\u003e\\n \\u003cp\\u003eTestbed Safe Operating Thresholds\\u003c/p\\u003e\\n \\u003c/div\\u003e\\n \\u003c/caption\\u003e\\n \\u003cthead\\u003e\\n \\u003ctr\\u003e\\n \\u003cth align=\\\"left\\\" colname=\\\"c1\\\"\\u003e\\n \\u003cp\\u003eThreshold\\u003c/p\\u003e\\n \\u003c/th\\u003e\\n \\u003cth align=\\\"left\\\" colname=\\\"c2\\\"\\u003e\\n \\u003cp\\u003eTemperature\\u003c/p\\u003e\\n \\u003c/th\\u003e\\n \\u003cth align=\\\"left\\\" colname=\\\"c3\\\"\\u003e\\n \\u003cp\\u003eImplication\\u003c/p\\u003e\\n \\u003c/th\\u003e\\n \\u003c/tr\\u003e\\n \\u003c/thead\\u003e\\n \\u003ctbody\\u003e\\n \\u003ctr\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e\\n \\u003cp\\u003eNominal operating range\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e\\n \\u003cp\\u003e20\\u0026ndash;25\\u0026deg;C\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e\\n \\u003cp\\u003eProcess within specification\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003c/tr\\u003e\\n \\u003ctr\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e\\n \\u003cp\\u003eWarning threshold\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e\\n \\u003cp\\u003e25.9\\u0026deg;C\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e\\n \\u003cp\\u003eOperator alert triggered\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003c/tr\\u003e\\n \\u003ctr\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e\\n \\u003cp\\u003eCritical threshold\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e\\n \\u003cp\\u003e\\u0026ge;\\u0026thinsp;26\\u0026deg;C\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e\\n \\u003cp\\u003eUnsafe product condition - safety interlock required\\u003c/p\\u003e\\n \\u003c/td\\u003e\\n \\u003c/tr\\u003e\\n \\u003c/tbody\\u003e\\n \\u003c/table\\u003e\\n \\u003c/div\\u003e\\n \\u003cp\\u003eTable 2. \\u003cem\\u003eSafe operating thresholds defining the safety constraint boundary.\\u003c/em\\u003e\\u003c/p\\u003e\\n \\u003cp\\u003ePLC logic could be configured with or without input validation constraints (PLC Secure Coding Practice), enabling direct experimental manipulation of engineering resistance capacity independent of organisational factors and allowing causal attribution of degradation magnitude to the engineering domain (Fig.\\u0026nbsp;2). Full technical detail on the testbed design and configuration is documented in (anon 2023a).\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec10\\\"\\u003e\\n \\u003ch2\\u003e4.4 Scenarios and Interventions\\u003c/h2\\u003e\\n \\u003cp\\u003eExperiments were structured in three phases. Under the baseline state, safety mechanisms were minimal, SOC monitoring was limited to network logs, robustness was unenhanced and redundancy was unoptimised. Disruption events included both adversarial and non-adversarial scenarios: set-point manipulation, command injection, replay attacks, falsified sensor data, unauthorised remote access and configuration errors. In later trials, subtle process destabilisation was introduced by adjusting PID derivative time parameters to produce oscillatory instability without immediate threshold breach - a scenario specifically designed to test detection of gradual degradation invisible to security-layer-only monitoring.\\u003c/p\\u003e\\n \\u003cp\\u003eUnder the enhanced state, improvements informed by the taxonomy were systematically applied: PLC input validation enabled; segmentation strengthened and correctly governed; process telemetry integrated into SOC monitoring; formalised IT-OT communication protocols established; operator training and escalation procedures implemented; safety interlocks verified and operational.\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec11\\\"\\u003e\\n \\u003ch2\\u003e4.5 Metrics and Refinement Strategy\\u003c/h2\\u003e\\n \\u003cp\\u003eResilience was assessed using both quantitative and qualitative indicators. Quantitative metrics included: detection latency (Td), time to safe state (Ts), downtime and recovery duration (Tr), product quality deviation (\\u0026Delta;P) and oscillation amplitude under PID manipulation (Ao). Additional metrics such as communication flow efficiency (Ce) were identified as candidates for future experimental refinement but were not formally reported in this study. Qualitative data included operator responses, SOC analyst debriefs and observer notes. Attributes were enabled or disabled selectively to observe their influence, allowing validation of both the hierarchy and interaction patterns (Table\\u0026nbsp;2), (Fig.\\u0026nbsp;3).\\u003c/p\\u003e\\n\\u003cp\\u003e\\u003cimg src=\\\"https://myfiles.space/user_files/69519_bce2c0439cd956a6/69519_custom_files/img1774886026.png\\\"\\u003e\\u003c/p\\u003e\\n \\u003cp\\u003eTable 2. \\u003cem\\u003eExperimental parameters, CR attributes, domain attribution and resilience outcomes.\\u003c/em\\u003e\\u003c/p\\u003e\\n \\u003cp\\u003e\\u003cem\\u003eDomain 1 (Engineering) governs degradation magnitude (DeltaP). Domain 2 (Safety) operates as a continuous constraint floor independently of both other domains. Domain 3 (Organisational) governs detection latency (Td) \\u0026amp; recovery duration (Tr).\\u003c/em\\u003e\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec12\\\"\\u003e\\n \\u003ch2\\u003e4.6 Statistical and Temporal Considerations\\u003c/h2\\u003e\\n \\u003cp\\u003eExperiments provided point estimates with inherent variability. In practice, greater variance would be expected due to organisational, environmental and operational factors absent from the testbed. Compressed timelines meant that observed differences represented conservative estimates of real-world benefit, where decision-making and approvals typically introduce additional delays.\\u003c/p\\u003e\\n\\u003c/div\\u003e\\n\\u003cdiv id=\\\"Sec13\\\"\\u003e\\n \\u003ch2\\u003e4.7 Validity and Limitations\\u003c/h2\\u003e\\n \\u003cp\\u003eThe methodology carries acknowledged limitations. The case studies, while grounded in live operational environments, remain sector-specific and were conducted as observational rather than experimental studies; causal claims from the case study component are therefore interpretive and supported by, rather than independent of, the testbed evidence. Observer bias in case studies was mitigated through triangulation of interviews, operational logs and configuration artefacts. The testbed captured representative behaviours but did not model all operational extremes, such as ultra-high-reliability or high-speed control contexts. Despite these limits, the combined approach enabled empirical grounding of the taxonomy and clarified how attributes interact, reinforce and conflict in practice.\\u003c/p\\u003e\\n\\u003c/div\\u003e\"},{\"header\":\"5. Results\",\"content\":\"\\u003cp\\u003eResults are presented across four areas: baseline vulnerability characterisation; effectiveness of resilience enhancements; attribute interaction effects; and refinement of the hierarchical taxonomy. The central analytical focus throughout is whether the trajectory model's domain attribution holds - specifically, whether engineering improvements affect degradation magnitude without affecting recovery duration, whether organisational improvements affect detection and recovery without affecting degradation magnitude and whether safety constraint removal produces unsafe outcomes independently of both.\\u003c/p\\u003e \\u003cdiv id=\\\"Sec15\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.1 Baseline Vulnerabilities\\u003c/h2\\u003e \\u003cp\\u003eTrials under baseline conditions revealed systematic weaknesses when resilience attributes were absent:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eUnsafe states: set-point manipulation caused breaches of product safety tolerances, with temperatures exceeding the 26\\u0026deg;C critical threshold.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eControl bypass: unauthorised PLC logic changes resulted in overheating and incorrect dosing, replicating vulnerabilities documented in both field case studies.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eOperator dependency: without deterministic safeguards, anomaly detection relied solely on human vigilance, which proved inconsistent across operators and shift conditions.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eDelayed detection: mean anomaly detection time exceeded 12 minutes, often prolonged by falsified sensor data masking the initial deviation.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eExtended downtime: recovery frequently required full system resets, with average downtime of 45 minutes (range 30\\u0026ndash;65 minutes).\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003cp\\u003eThe PID oscillation scenario revealed a particularly significant structural vulnerability: network-layer monitoring produced no alert for 23 minutes following the introduction of oscillatory instability, because no threshold was crossed and no network anomaly was generated. Detection occurred only when an operator observed physical process behaviour directly. This confirmed the case study finding that monitoring restricted to the security layer is structurally insufficient for safety-critical process environments.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec16\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.2 Effectiveness of Resilience Enhancements and Trajectory Attribution\\u003c/h2\\u003e \\u003cp\\u003eWhen resilience attributes were systematically implemented, outcomes improved significantly across all measured dimensions. Critically, engineering and organisational improvements produced improvements in distinct phases of the trajectory without substituting for one another - direct experimental evidence of domain-phase attribution, within this testbed context, consistent with the dominant-influence model (Table\\u0026nbsp;\\u003cspan refid=\\\"Tab3\\\" class=\\\"InternalRef\\\"\\u003e3\\u003c/span\\u003e).\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003e \\u003cb\\u003eTechnical safeguards\\u003c/b\\u003e: PLC input validation blocked all unsafe parameter changes; redundant sensors cross-verified readings to mitigate spoofing; correctly governed segmentation limited lateral movement.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003e \\u003cb\\u003eSafety mechanisms\\u003c/b\\u003e: PLC safety functions prevented unsafe commands outright; fail-safes ensured processes entered safe shutdown when thresholds were approached.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003e \\u003cb\\u003eOrganisational measures\\u003c/b\\u003e: operator training reduced detection time by more than 50%; formalised IT-OT communication protocols reduced mean time to recovery by approximately 50%.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003cp\\u003e \\u003cdiv class=\\\"gridtable\\\"\\u003e\\u003ctable float=\\\"Yes\\\" id=\\\"Tab3\\\" border=\\\"1\\\"\\u003e \\u003ccaption language=\\\"En\\\"\\u003e \\u003cdiv class=\\\"CaptionNumber\\\"\\u003eTable 3\\u003c/div\\u003e \\u003cdiv class=\\\"CaptionContent\\\"\\u003e \\u003cp\\u003eQuantitative Performance Comparison: Baseline vs Enhanced\\u003c/p\\u003e \\u003c/div\\u003e \\u003c/caption\\u003e \\u003ccolgroup cols=\\\"4\\\"\\u003e \\u003cdiv align=\\\"left\\\" class=\\\"colspec\\\" colname=\\\"c1\\\" colnum=\\\"1\\\"\\u003e\\u003c/div\\u003e \\u003cdiv align=\\\"left\\\" class=\\\"colspec\\\" colname=\\\"c2\\\" colnum=\\\"2\\\"\\u003e\\u003c/div\\u003e \\u003cdiv align=\\\"left\\\" class=\\\"colspec\\\" colname=\\\"c3\\\" colnum=\\\"3\\\"\\u003e\\u003c/div\\u003e \\u003cdiv align=\\\"left\\\" class=\\\"colspec\\\" colname=\\\"c4\\\" colnum=\\\"4\\\"\\u003e\\u003c/div\\u003e \\u003cthead\\u003e \\u003ctr\\u003e \\u003cth align=\\\"left\\\" colname=\\\"c1\\\"\\u003e \\u003cp\\u003eMetric\\u003c/p\\u003e \\u003c/th\\u003e \\u003cth align=\\\"left\\\" colname=\\\"c2\\\"\\u003e \\u003cp\\u003eBaseline\\u003c/p\\u003e \\u003c/th\\u003e \\u003cth align=\\\"left\\\" colname=\\\"c3\\\"\\u003e \\u003cp\\u003eEnhanced\\u003c/p\\u003e \\u003c/th\\u003e \\u003cth align=\\\"left\\\" colname=\\\"c4\\\"\\u003e \\u003cp\\u003eImprovement\\u003c/p\\u003e \\u003c/th\\u003e \\u003c/tr\\u003e \\u003c/thead\\u003e \\u003ctbody\\u003e \\u003ctr\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e \\u003cp\\u003e\\u003cb\\u003eProduct deviation (ΔP)\\u003c/b\\u003e\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e \\u003cp\\u003e~\\u0026thinsp;25%\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e \\u003cp\\u003e\\u0026lt;\\u0026thinsp;5%\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c4\\\"\\u003e \\u003cp\\u003e\\u0026gt;\\u0026thinsp;80% reduction\\u003c/p\\u003e \\u003c/td\\u003e \\u003c/tr\\u003e \\u003ctr\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e \\u003cp\\u003e\\u003cb\\u003eDetection latency (Td)\\u003c/b\\u003e\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e \\u003cp\\u003e\\u0026gt;\\u0026thinsp;12 minutes\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e \\u003cp\\u003e\\u0026lt;\\u0026thinsp;5 minutes\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c4\\\"\\u003e \\u003cp\\u003e\\u0026gt;\\u0026thinsp;58% reduction\\u003c/p\\u003e \\u003c/td\\u003e \\u003c/tr\\u003e \\u003ctr\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e \\u003cp\\u003e\\u003cb\\u003eRecovery duration (Tr)\\u003c/b\\u003e\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e \\u003cp\\u003e~\\u0026thinsp;45 min (range 30\\u0026ndash;65)\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e \\u003cp\\u003e\\u0026lt;\\u0026thinsp;15 minutes\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c4\\\"\\u003e \\u003cp\\u003e~\\u0026thinsp;67% reduction\\u003c/p\\u003e \\u003c/td\\u003e \\u003c/tr\\u003e \\u003ctr\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c1\\\"\\u003e \\u003cp\\u003e\\u003cb\\u003eSafety boundary breaches\\u003c/b\\u003e\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c2\\\"\\u003e \\u003cp\\u003eAll affected scenarios\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c3\\\"\\u003e \\u003cp\\u003eNone\\u003c/p\\u003e \\u003c/td\\u003e \\u003ctd align=\\\"left\\\" colname=\\\"c4\\\"\\u003e \\u003cp\\u003eEliminated\\u003c/p\\u003e \\u003c/td\\u003e \\u003c/tr\\u003e \\u003c/tbody\\u003e \\u003c/colgroup\\u003e \\u003c/table\\u003e\\u003c/div\\u003e \\u003c/p\\u003e \\u003cp\\u003e \\u003c/p\\u003e \\u003cp\\u003eThe domain attribution is confirmed by the pattern of results: PLC validation and segmentation improvements - engineering domain interventions - reduced product deviation from ~\\u0026thinsp;25% to below 5% but did not reduce recovery duration. Communication protocol and training improvements - organisational domain interventions - reduced recovery duration by ~\\u0026thinsp;67% and detection latency by \\u0026gt;\\u0026thinsp;58% but did not further reduce degradation magnitude. Safety interlock activation eliminated unsafe boundary breaches entirely, independently of whether engineering or organisational improvements were present (Fig.\\u0026nbsp;\\u003cspan refid=\\\"Fig4\\\" class=\\\"InternalRef\\\"\\u003e4\\u003c/span\\u003e).\\u003c/p\\u003e \\u003cp\\u003eEach domain produced improvements in its attributed phase of the trajectory and not in the others, consistent with the dominant-influence model rather than a substitutable-attribute model.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec17\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.3 Attribute Validation and Interaction Effects\\u003c/h2\\u003e \\u003cp\\u003eThe experiments confirmed that resilience attributes cannot be treated in isolation. Their influence emerged through reinforcement, trade-offs and critical dependency - often shaping outcomes in unexpected ways.\\u003c/p\\u003e \\u003cp\\u003eReinforcing Interactions\\u003c/p\\u003e \\u003cp\\u003eSafety mechanisms and PLC input validation acted synergistically to block unsafe states that neither would have prevented alone. Operator training amplified the effectiveness of monitoring systems - process telemetry integration produced the greatest detection improvements when operators were simultaneously trained to interpret process-layer alerts. Formalised IT-OT communication protocols improved both detection and recovery phases, indicating that organisational coordination amplifies the value of technical monitoring investments.\\u003c/p\\u003e \\u003cp\\u003e \\u003cstrong\\u003eConflict\\u003c/strong\\u003e \\u003cp\\u003eing Interactions\\u003c/p\\u003e \\u003c/p\\u003e \\u003cp\\u003eSegmentation improved containment but created recovery delays when misconfigured - segments that successfully isolated a disturbance also isolated recovery resources, extending downtime. Excessive redundancy increased complexity and overhead without proportional safety gains; in some configurations, redundant pathways introduced added failure modes. Rigid stability measures reduced adaptability under changing conditions, illustrating the tension between engineering determinism and ecological flexibility.\\u003c/p\\u003e \\u003cp\\u003eCritical Dependencies\\u003c/p\\u003e \\u003cp\\u003eRedundancy was only effective when underpinned by robustness - redundant components that were themselves insufficiently validated introduced duplicate vulnerabilities rather than resilience. Monitoring systems required both cyber anomaly detection and process telemetry awareness to be effective; either alone was structurally insufficient. Organisational attributes consistently amplified or undermined technical measures: the same monitoring architecture produced materially different detection outcomes depending on operator training and escalation protocol maturity. These findings (Fig.\\u0026nbsp;\\u003cspan refid=\\\"Fig5\\\" class=\\\"InternalRef\\\"\\u003e5\\u003c/span\\u003e) support the view that resilience is a systemic property, not a sum of independent controls. They also reinforce the trajectory model's treatment of safety as a continuous constraint: trade-offs that enhanced security but undermined safe process operation degraded the trajectory by removing the constraint floor and were therefore detrimental to resilience regardless of any other improvement made.\\u003c/p\\u003e \\u003cp\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec18\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.4 Refinement of the Hierarchical Taxonomy\\u003c/h2\\u003e \\u003cp\\u003eThe experimental findings confirmed the need to present resilience attributes as a hierarchy that reflects their causal role in the performance trajectory, rather than as a flat list of equivalent controls. Attributes that consistently influenced a specific phase of the trajectory were classified accordingly. The taxonomy was refined across five domains. Safety is positioned as a continuous constraint throughout - not an equal participant in a balanced set of domains, but the boundary condition that governs what is permissible within every domain at every phase (Fig.\\u0026nbsp;\\u003cspan refid=\\\"Fig6\\\" class=\\\"InternalRef\\\"\\u003e6\\u003c/span\\u003e).\\u003c/p\\u003e \\u003cp\\u003e \\u003c/p\\u003e \\u003cdiv id=\\\"Sec19\\\" class=\\\"Section3\\\"\\u003e \\u003ch2\\u003e5.4.1 Safety Domain\\u003c/h2\\u003e \\u003cp\\u003eSafety is anchored by Stability (safety scope) - the capacity to maintain operations within safe bounds regardless of disruption source. All safety-domain attributes contribute to enforcing this continuous constraint throughout the trajectory:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eGraceful Degradation - the ability to fail safely while preserving containment.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSafe Recoverability - the ability to restore a system to a safe state after disruption.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eInherent Safety Mechanisms - fail-safe defaults, interlocks and safety instrumented systems.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eResilience to Unsafe Inputs - prevention of unsafe or malicious parameter changes.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSecure PLC Set-Point Validation - the principal mechanism empirically validated in the testbed (enabling sub-attribute).\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eDeterminism (Safety Scope) - predictable system behaviour to prevent unsafe states.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eTolerance - capacity to absorb bounded variation without breaching safety thresholds.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec20\\\" class=\\\"Section3\\\"\\u003e \\u003ch2\\u003e5.4.2 Engineering and Technical Domain\\u003c/h2\\u003e \\u003cp\\u003eAttributes concerned with system design, architecture and technical implementation:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eRobustness - capacity to withstand abnormal conditions without significant performance degradation.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eStability (Engineering Scope) - maintenance of process equilibrium and predictable performance margins.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eRedundancy - duplicate components to sustain function, effective only when underpinned by robustness.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eDependency Management - reducing fragility from external reliance.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSecurity - safeguards against unauthorised access, exploitation and manipulation (CIA triad, authentication, access control, secure protocols). Security contributes to robustness but does not equate to resilience.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eNetwork Topology - secure structural design of connectivity, including segmentation, protocol mediation, adaptive networks and secure remote access.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eMonitoring and Detection - anomaly awareness across cyber, process telemetry and IT/OT/IoT/Cloud integration layers.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eEngineering Determinism - protocol-level predictability to ensure reliable control behaviour.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eOperational Recoverability - restoration of technical functions.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eInteroperability - secure integration of heterogeneous systems.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eObsolescence Management - addressing vulnerabilities from ageing systems.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eTestability and Verifiability - ability to validate performance and resilience under test conditions.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec21\\\" class=\\\"Section3\\\"\\u003e \\u003ch2\\u003e5.4.3 Ecological and Organisational Domain\\u003c/h2\\u003e \\u003cp\\u003eAttributes reflecting human, cultural and organisational capacities:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eAdaptability - ability to reconfigure behaviours dynamically within safe bounds.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eFlexibility, Resourcefulness and Learning - as enabling sub-attributes of adaptability.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003ePreparedness (organisational scope).\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eTraining and Awareness - empirically confirmed as a primary determinant of detection performance.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eCommunication - empirically confirmed as a primary determinant of recovery performance.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eDiversity of Skills and Cognitive Diversity.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eStaffing Resilience.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eCollaboration.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eImprovisation - bounded by safety constraint.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSafety Culture - reflecting its ecological and organisational character rather than purely technical nature.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec22\\\" class=\\\"Section3\\\"\\u003e \\u003ch2\\u003e5.4.4 Governance and Management Domain\\u003c/h2\\u003e \\u003cp\\u003eInstitutional and leadership-level enablers that shape whether resilience mechanisms are effectively implemented and sustained:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eGovernance and Leadership - accountability, oversight, and cultural commitment.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003ePolicy Alignment - mapping to standards and frameworks.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003ePreparedness (governance scope).\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eComplexity Management - recognising when interconnected systems introduce fragility, ensuring modularity, bounding interdependencies and preventing escalation from emergent behaviours. While engineering measures address complexity locally, governance ensures it is identified and managed systemically.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eAssurance and Audit-ability - independent validation and verification.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eStrategic Foresight - capacity to anticipate long-term shifts and emerging risks.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec23\\\" class=\\\"Section3\\\"\\u003e \\u003ch2\\u003e5.4.5 Contextual and Systemic Domain\\u003c/h2\\u003e \\u003cp\\u003eBroader environmental and systemic influences that affect how resilience manifests in practice:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eEnvironmental Awareness.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eScalability.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSustainability.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eLegacy Constraints.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eRegulatory Alignment.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eInterdependency Awareness.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eGeopolitical Awareness.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003cp\\u003eThis refined taxonomy is structured around the trajectory concept: safety domain attributes maintain the continuous constraint floor; engineering domain attributes determine how deep the performance drop can go; ecological and organisational domain attributes determine how quickly detection and recovery proceed; governance domain attributes determine whether the other domains function effectively in practice; and contextual domain attributes shape the environment in which all of these operate. Security is explicitly positioned within the engineering domain, clarifying its role as an enabler of robustness without conflating it with systemic resilience.\\u003c/p\\u003e \\u003c/div\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec24\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.5 Integration Requirements\\u003c/h2\\u003e \\u003cp\\u003eThe study demonstrates that cyber resilience emerges only through integration across domains. Security controls contribute to resilience by strengthening robustness, but they cannot alone guarantee safe outcomes. Resilience requires additional safety mechanisms and organisational capacity that extend beyond the security layer.\\u003c/p\\u003e \\u003cp\\u003e \\u003cb\\u003eThe findings therefore confirm three integration principles\\u003c/b\\u003e:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eSecurity is necessary but not sufficient - it underpins robustness within the engineering domain but does not equate to resilience. Segmentation, intrusion detection and access controls reduced exposure but did not guarantee safe outcomes unless coupled with safety mechanisms and organisational capacity.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eSafety runs as a continuous constraint on all other domains - resilience measures must be judged by whether they preserve the safety constraint floor throughout the trajectory, not merely by the presence of security controls. Trade-offs that enhanced security while removing safety constraint enforcement were detrimental to resilience.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eOrganisational and governance attributes amplify or undermine technical measures - communication, training and complexity management proved decisive in finding whether technical safeguards translated into actual resilient performance.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e\"},{\"header\":\"5. Discussion\",\"content\":\"\\u003cp\\u003eThe findings confirm the trajectory concept's central claim: resilience in safety-critical CPS is the measurable performance trajectory produced by the structured interaction of causally distinct domains, each exerting dominant influence over a specific phase. The discussion addresses five interpretive themes that emerge from the evidence.\\u003c/p\\u003e \\u003cdiv id=\\\"Sec26\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.1 Empirical Confirmation of Domain Attribution\\u003c/h2\\u003e \\u003cp\\u003eThe most significant finding is the empirical confirmation that engineering and organisational domains are causally distinct and non-substitutable within this experimental context. This qualification is important: the study was designed to vary domain-relevant attributes selectively and the observed separation of effects reflects that experimental structure. The finding is therefore accurately described as demonstrating domain distinction under controlled conditions rather than asserting it as a universal property of all safety-critical CPS environments. Cross-sector replication is still necessary to establish generalisability. Engineering resistance capacity improvements reduced degradation magnitude - the drop phase of the trajectory - without affecting recovery duration. Organisational improvements reduced detection latency and recovery duration - the detection and recovery phases - without affecting degradation magnitude. Safety constraint removal produced unsafe outcomes independently of both. This pattern directly validates the trajectory model's domain attribution and distinguishes it from flat-catalogue frameworks in which all attributes are treated as substitutable contributors to a single resilience index.\\u003c/p\\u003e \\u003cp\\u003eIn practical terms: organisations cannot compensate for absent PLC validation with more frequent SOC monitoring and cannot compensate for absent communication protocols with stronger segmentation. The domains are complementary and sequentially dependent. Improving one phase of the trajectory requires intervention in the domain that owns that phase - there is no cross-domain substitution.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec27\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.2 Safety as Continuous Constraint, Not Organising Principle\\u003c/h2\\u003e \\u003cp\\u003eThe experimental evidence strongly supports the model's treatment of safety as a continuous constraint rather than a threshold event or a parallel domain. Under baseline configuration, the absence of PLC input validation did not merely allow safety boundaries to be approached - it removed the mechanism through which the safety constraint was enforced at the process level. Unsafe product states occurred because the engineering implementation of the safety constraint was absent, not because operators failed to respond or because a threshold was crossed.\\u003c/p\\u003e \\u003cp\\u003eThis is a structurally different claim from the conventional safety engineering position that safety is the primary design priority. The trajectory model does not merely assert that safety matters - it specifies that safety functions as a boundary condition on what is permissible within every phase of the trajectory, continuously and that this boundary must be implemented at the process control level rather than only at the network perimeter. Cybersecurity measures targeting the digital communication layer without considering their effect on the underlying enforcement of safety constraint logic may provide assurance at the wrong level.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec28\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.3 Monitoring Integration and the Detection Phase\\u003c/h2\\u003e \\u003cp\\u003eThe PID oscillation scenario provided particularly clear evidence of the structural inadequacy of security-layer-only monitoring in safety-critical process environments. A process deviation that produced no network anomaly and no threshold breach remained undetected for 23 minutes under baseline (network-only) monitoring. The integration of process telemetry was the single most impactful individual improvement in the enhanced configuration, reducing detection latency by over 58% across all scenario types - a greater improvement than any engineering intervention produced. This confirms that the organisational-domain contribution to detection performance is primarily mediated by monitoring architecture rather than operator skill alone, and that security-layer visibility without process-layer integration is structurally insufficient regardless of how well the security layer performs. The implication is direct: investment in monitoring architecture that integrates process telemetry with cyber anomaly detection belongs in the organisational domain and should be assessed and funded accordingly.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec29\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.4 Governance, Context and Complexity\\u003c/h2\\u003e \\u003cp\\u003eGovernance and contextual attributes decided whether resilience mechanisms functioned effectively. Leadership, accountability, assurance, policy alignment, complexity management and strategic foresight shaped how technical and organisational measures were implemented and sustained (Sutcliffe \\u003cspan citationid=\\\"CR25\\\" class=\\\"CitationRef\\\"\\u003e2003\\u003c/span\\u003e), (Madni \\u003cspan citationid=\\\"CR15\\\" class=\\\"CitationRef\\\"\\u003e2009\\u003c/span\\u003e), (Zhao 2021).\\u003c/p\\u003e \\u003cp\\u003eComplexity management emerged as a particularly significant attribute in its own right. Uncontrolled interdependencies and poorly understood vendor integrations undermined resilience even when technical and organisational attributes were strong. Both case studies surfaced instances where security controls satisfied audit criteria while quietly introducing fragilities, underscoring the need for governance-level complexity management. Governance therefore provides the strategic oversight needed to manage complexity, align investments and predict emerging risks.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec30\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e5.5 Implications for OT Standards and Guidance\\u003c/h2\\u003e \\u003cp\\u003eThe empirical findings carry direct implications for OT guidance. IEC 62443 (IEC 2018) and NIST SP 800\\u0026thinsp;\\u0026minus;\\u0026thinsp;82 (Stouffer 2023) both address monitoring and resilience but do not specify the causal structure of domain interaction or distinguish monitoring that captures network anomalies from monitoring that captures process-layer deviations. The evidence presented here suggests three specific guidance improvements: requiring the integration of process telemetry into detection functions; distinguishing engineering and organisational resilience contributions in assessment criteria; and incorporating dependency-aware assessment requirements, including evaluation of whether monitoring changes alter the systemic exposure of previously isolated OT components.\\u003c/p\\u003e \\u003c/div\\u003e\"},{\"header\":\"6. Conclusion\",\"content\":\"\\u003cp\\u003eThis research provides empirical validation of the trajectory concept proposed in the companion paper: that cyber resilience in safety-critical CPS is the measurable temporal performance trajectory produced by the structured interaction of causally distinct domains, each governing a specific phase. The study demonstrates that this structural attribution is not merely a conceptual convenience but an empirically verifiable property with direct practical implications.\\u003c/p\\u003e \\u003cdiv id=\\\"Sec32\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e6.1 Key Contributions\\u003c/h2\\u003e \\u003cp\\u003e \\u003cstrong\\u003eTheoretical contributions\\u003c/strong\\u003e \\u003cp\\u003eProvides controlled experimental validation of domain-attributed resilience trajectory behaviour in a safety-critical industrial environment through selective attribute activation across defined trajectory phases; confirms that engineering and organisational domains are causally distinct and non-substitutable contributors to specific trajectory phases within this experimental context; empirically establishes safety as a continuous constraint rather than a threshold event; and extends the quantitative CPS resilience literature (Cassottana 2023) by supplying the domain-causal structure that unified curve-based measurement approaches lack.\\u003c/p\\u003e \\u003c/p\\u003e \\u003cp\\u003e \\u003cstrong\\u003eMethodological contributions\\u003c/strong\\u003e \\u003cp\\u003eCombines literature synthesis, field case studies and a physical industrial-scale testbed with selective attribute activation and deactivation, enabling direct observation of domain-phase attribution; applies both qualitative and quantitative assessment; demonstrates a replicable framework for controlled resilience trajectory validation; and identifies attribute interaction patterns - reinforcing, conflicting and dependency-based - invisible to compliance-oriented assessment.\\u003c/p\\u003e \\u003c/p\\u003e \\u003cp\\u003e \\u003cstrong\\u003ePractical contributions\\u003c/strong\\u003e \\u003cp\\u003eProvides phase-specific guidance for resilience investment - practitioners can identify which phase of the trajectory is underperforming and intervene in the domain that owns that phase; demonstrates that engineering and organisational interventions are not substitutable and challenges the misconception that security controls alone deliver resilience (NCSC 2022), (IEC 2018), (Stouffer 2023).\\u003c/p\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec33\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e6.2 Implications for Practice\\u003c/h2\\u003e \\u003cp\\u003eThe results indicate that practitioners should:\\u003c/p\\u003e \\u003cp\\u003e \\u003cul\\u003e \\u003cli\\u003e \\u003cp\\u003eAssess resilience by trajectory phase, not by attribute presence - identify which phase is underperforming and intervene in the domain that owns that phase rather than adding generic controls.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eImplement attributes hierarchically - robustness must underpin redundancy; safety mechanisms must be verified as operationally active, not merely present in design documentation.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eIntegrate process telemetry with contextual insights into monitoring functions - security-layer-only monitoring is structurally insufficient for safety-critical process environments.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eIntegrate technical safeguards with organisational measures - communication protocols, operator training and structured escalation procedures amplify technical effectiveness and are not substitutable by added engineering controls.\\u003c/p\\u003e \\u003c/li\\u003e \\u003cli\\u003e \\u003cp\\u003eManage complexity at a governance level - compliance-driven implementations that satisfy audits may erode resilience in practice through uncontrolled interdependencies and rigid configurations.\\u003c/p\\u003e \\u003c/li\\u003e \\u003c/ul\\u003e \\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec34\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e6.3 Future Research\\u003c/h2\\u003e \\u003cp\\u003eWhile the study provides empirically grounded, quantitatively validated evidence for a hierarchical taxonomy of cyber resilience in safety-critical industrial environments, limitations remain. Results are based on two case studies and a representative testbed in a single process domain; further cross-sector validation is needed to assess generalisability. Longitudinal studies would test the durability of attributes over time and under evolving threat profiles. Research into emerging technologies - including AI-enabled automation, 5G connectivity and edge computing - could extend the taxonomy's relevance as these introduce new dependency and control architectures (Zhang 2021), (Zhao 2021). Development of automated resilience assessment tools and sector-specific attribute weighting schemes offers further applied research opportunities.\\u003c/p\\u003e \\u003c/div\\u003e \\u003cdiv id=\\\"Sec35\\\" class=\\\"Section2\\\"\\u003e \\u003ch2\\u003e6.4 Closing Statement\\u003c/h2\\u003e \\u003cp\\u003eCyber resilience will remain central to the safety, reliability and sustainability of modern critical infrastructures. By showing that resilience is the measurable trajectory of system performance under disturbance - produced by the structured, causally distinct interaction of engineering, organisational and safety domains - this research offers both a theoretical framework and an empirically grounded instrument for resilience assessment in safety-critical industrial environments. The goal is not simply more secure systems, but infrastructures capable of producing a better trajectory: shallower degradation, faster detection, faster recovery and consistent operation within safe bounds throughout (Stouffer 2023), (Leveson \\u003cspan citationid=\\\"CR11\\\" class=\\\"CitationRef\\\"\\u003e2004\\u003c/span\\u003e).\\u003c/p\\u003e \\u003c/div\\u003e\"},{\"header\":\"Declarations\",\"content\":\"\\u003cp\\u003e \\u003cstrong\\u003eCompeting Interests\\u003c/strong\\u003e \\u003cp\\u003eThe authors declare that they have no competing interests.\\u003c/p\\u003e \\u003c/p\\u003e\\u003ch2\\u003eAuthor Contribution\\u003c/h2\\u003e\\u003cp\\u003eKP: conceptualisation, methodology, investigation, formal analysis, writing - original draft, writing - review and editing. IDW: funding, supervision, writing - review and editing.\\u003c/p\\u003e\\u003ch2\\u003eData Availability\\u003c/h2\\u003e\\u003cp\\u003eThe primary empirical data underpinning this study is drawn from the corresponding author's doctoral research, which is publicly available online (Cyber Maintainable Safety-Critical Complex Systems. PhD thesis, University of South Wales. https://doi.org/10.60485/80zj-jp20).\\u003c/p\\u003e\"},{\"header\":\"References\",\"content\":\"\\u003col\\u003e\\u003cli\\u003e\\u003cspan\\u003eAshby WR (1956) An Introduction to Cybernetics. Chapman and Hall, London\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eBagheri A, Ridley G (2018) Toward a framework for business resilience. Proc Australas Conf Inf Syst, Sydney, Australia\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eBruneau M, Chang SE, Eguchi RT, Lee GC, O\\u0026rsquo;Rourke TD, Reinhorn AM, Shinozuka M, Tierney K, Wallace WA, von Winterfeldt D (2003) A framework to quantitatively assess and enhance the seismic resilience of communities. Earthq Spectra 19(4):733\\u0026ndash;752\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eCassottana B, Roomi MM, Mashima D, Sansavini G (2023) Resilience analysis of cyber-physical systems: a review of models and methods. Risk Anal 43(11):2359\\u0026ndash;2379. \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://doi.org/10.1111/risa.14089\\u003c/span\\u003e\\u003cspan address=\\\"10.1111/risa.14089\\\" targettype=\\\"DOI\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eChehida S, Rutten E, Giraud G, Mocanu S (2025) Self-reconfiguration of industrial control systems as a response to cyberattacks. J Netw Syst Manag. \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://doi.org/10.1007/s10922-025-09979-0\\u003c/span\\u003e\\u003cspan address=\\\"10.1007/s10922-025-09979-0\\\" targettype=\\\"DOI\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eEuropean Union (2022) Directive (EU) 2022/2557 on the resilience of critical entities. Official Journal of the European Union, December 2022\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eHolling CS (1973) Resilience and stability of ecological systems. Annu Rev Ecol Syst 4:1\\u0026ndash;23\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eHollnagel E, Woods DD, Leveson N (2006) Resilience Engineering: Concepts and Precepts. Ashgate, Aldershot\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eInternational Electrotechnical Commission (IEC) (2018) IEC 62443: Security for Industrial Automation and Control Systems. IEC, Geneva\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eLaprie JC (2008) Resilience for the ICT world: dealing with mistakes, accidents and malicious acts. In: Proc 2008 Int Conf Dependable Systems and Networks, Anchorage, AK, pp 5\\u0026ndash;12\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eLeveson NG (2004) A new accident model for engineering safer systems. Saf Sci 42(4):237\\u0026ndash;270\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eLeveson NG (2011) Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge, MA\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eLinkov I, Bridges T, Creutzig F et al (2014) Changing the resilience paradigm. Nat Clim Chang 4:407\\u0026ndash;409\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eLinkov I, Eisenberg D, Plourde M, Seager TP, Allen J, Kott A (2013) Resilience metrics for cyber systems. Environ Syst Decis 33:471\\u0026ndash;476\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eMadni M, Jackson S (2009) Towards a conceptual framework for resilience engineering. IEEE Syst J 3(2):181\\u0026ndash;191\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eNational Cyber Security Centre (NCSC) (2022) Cyber Assessment Framework (CAF). \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://www.ncsc.gov.uk/collection/caf\\u003c/span\\u003e\\u003cspan address=\\\"https://www.ncsc.gov.uk/collection/caf\\\" targettype=\\\"URL\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eNational Institute of Standards and Technology (2021) Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, NIST Special Publication 800\\u0026thinsp;\\u0026ndash;\\u0026thinsp;160 Volume 2 Revision 1. NIST, Gaithersburg, MD\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eanon (2023a) Cyber Maintainable Safety-Critical Complex Systems. PhD thesis, University of South Wales. \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://doi.org/10.60485/80zj-jp20\\u003c/span\\u003e\\u003cspan address=\\\"10.60485/80zj-jp20\\\" targettype=\\\"DOI\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eanon (2026) A hierarchical trajectory model of cyber resilience in safety-critical cyber-physical systems: domain attribution, safety constraint and consequence-driven assessment. Companion paper [Paper 1 of this series], awaiting review\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eanon (2023b) A cyber resilience analysis case study of an industrial operational technology environment. Environ Syst Decis 43(2):178\\u0026ndash;190. \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://doi.org/10.1007/s10669-023-09895-1\\u003c/span\\u003e\\u003cspan address=\\\"10.1007/s10669-023-09895-1\\\" targettype=\\\"DOI\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003ePimm SL (1984) The complexity and stability of ecosystems. Nature 307:321\\u0026ndash;326\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eRabenstein J et al (2022) Towards resilience by self-adaptation of industrial control systems. In: Proc IEEE 27th Int Conf Emerging Technologies and Factory Automation (ETFA). IEEE. \\u003cspan class=\\\"ExternalRef\\\"\\u003e\\u003cspan class=\\\"RefSource\\\"\\u003ehttps://doi.org/10.1109/ETFA52439.2022.9921597\\u003c/span\\u003e\\u003cspan address=\\\"10.1109/ETFA52439.2022.9921597\\\" targettype=\\\"DOI\\\" class=\\\"RefTarget\\\"\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eReason J (1997) Managing the Risks of Organizational Accidents. Ashgate, Aldershot\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eStouffer K, Pillitteri V, Lightman S, Abrams M, Hahn A (2023) NIST Special Publication 800\\u0026thinsp;\\u0026ndash;\\u0026thinsp;82 Revision 3: Guide to Operational Technology (OT) Security. National Institute of Standards and Technology\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eSutcliffe K, Vogus T (2003) Organizing for resilience. In: Cameron K, Dutton J, Quinn R (eds) Positive Organizational Scholarship. Berrett-Koehler, San Francisco, CA, pp 94\\u0026ndash;110\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eTimmerman P (1981) Vulnerability, Resilience and the Collapse of Society. Institute for Environmental Studies, University of Toronto, Toronto\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eWalker B, Holling CS, Carpenter SR, Kinzig A (2004) Resilience, adaptability and transformability in social-ecological systems. Ecol Soc 9(2):5\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eZhang X, Zheng H, Li W (2021) A systematic review of cyber resilience assessment methods. Comput Secur 108:102349\\u003c/span\\u003e\\u003c/li\\u003e \\u003cli\\u003e\\u003cspan\\u003eZhao J, Li D, Wang H (2021) Cyber resilience: from risk assessment to resilience engineering. Reliab Eng Syst Saf 214:107613\\u003c/span\\u003e\\u003c/li\\u003e\\u003c/ol\\u003e\"}],\"fulltextSource\":\"\",\"fullText\":\"\",\"funders\":[],\"hasAdminPriorityOnWorkflow\":false,\"hasManuscriptDocX\":true,\"hasOptedInToPreprint\":true,\"hasPassedJournalQc\":\"\",\"hasAnyPriority\":true,\"hideJournal\":false,\"highlight\":\"\",\"institution\":\"\",\"isAcceptedByJournal\":false,\"isAuthorSuppliedPdf\":false,\"isDeskRejected\":\"\",\"isHiddenFromSearch\":false,\"isInQc\":false,\"isInWorkflow\":false,\"isPdf\":false,\"isPdfUpToDate\":true,\"isWithdrawnOrRetracted\":false,\"journal\":{\"display\":true,\"email\":\"info@researchsquare.com\",\"identity\":\"environment-systems-and-decisions\",\"isNatureJournal\":false,\"hasQc\":true,\"allowDirectSubmit\":false,\"externalIdentity\":\"envr\",\"sideBox\":\"Learn more about [Environment Systems and Decisions](http://link.springer.com/journal/10669)\",\"snPcode\":\"10669\",\"submissionUrl\":\"https://submission.nature.com/new-submission/10669/3\",\"title\":\"Environment Systems and Decisions\",\"twitterHandle\":\"\",\"acdcEnabled\":true,\"dfaEnabled\":true,\"editorialSystem\":\"em\",\"reportingPortfolio\":\"Springer Hybrid\",\"inReviewEnabled\":true,\"inReviewRevisionsEnabled\":false},\"keywords\":\"Cyber Resilience, Safety-Critical Complex Systems, Cyber-Physical Systems, Quantitative Metrics, Industrial Control Systems, Testbed Experimentation\",\"lastPublishedDoi\":\"10.21203/rs.3.rs-9204849/v1\",\"lastPublishedDoiUrl\":\"https://doi.org/10.21203/rs.3.rs-9204849/v1\",\"license\":{\"name\":\"CC BY 4.0\",\"url\":\"https://creativecommons.org/licenses/by/4.0/\"},\"manuscriptAbstract\":\"\\u003cp\\u003eCyber resilience in safety-critical systems is widely discussed, yet the structural relationships between resilience attributes remain weakly defined and rarely measured in practice. Controls are often implemented as isolated improvements, despite the possibility that strengthening one aspect of performance may leave weakness elsewhere unresolved or introduce new fragilities across the wider system. This paper presents empirical quantitative evidence from two industrial case studies and controlled experimentation on a safety-critical industrial testbed to examine how distinct resilience domains and attributes influence system behaviour during disturbance. Results show that engineering resistance capacity (engineering resilience) primarily governs degradation magnitude, organisational recovery and adaptive capacity (ecological resilience) govern detection latency and recovery duration, and safety operates as a continuous constraint boundary throughout disturbance and recovery rather than as a threshold event triggered only at extremis. Quantitative measurements across adversarial and non-adversarial disruption scenarios demonstrate, within the limits of the experimental setting, that these domains are causally distinct in effect and non-substitutable in outcome: improvements in one phase do not compensate for weakness in another. The findings support a refined five-domain hierarchical taxonomy of resilience attributes and provide empirical grounding for assessing resilience as the measurable trajectory of system performance in safety-critical, cyber-physical environments. Getting resilience right is how we protect not only the systems we depend on today but the people who will depend on them tomorrow.\\u003c/p\\u003e\",\"manuscriptTitle\":\"Quantitative Validation of Domain-Attributed Cyber Resilience Trajectories for Safety-Critical Systems\",\"msid\":\"\",\"msnumber\":\"\",\"nonDraftVersions\":[{\"code\":1,\"date\":\"2026-03-31 06:44:37\",\"doi\":\"10.21203/rs.3.rs-9204849/v1\",\"editorialEvents\":[{\"type\":\"communityComments\",\"content\":0},{\"type\":\"decision\",\"content\":\"Revision requested\",\"date\":\"2026-05-09T16:37:02+00:00\",\"index\":\"\",\"fulltext\":\"\"},{\"type\":\"editorInvitedReview\",\"content\":\"\",\"date\":\"2026-04-14T04:15:06+00:00\",\"index\":\"hide\",\"fulltext\":\"\"},{\"type\":\"editorInvitedReview\",\"content\":\"\",\"date\":\"2026-03-31T21:37:17+00:00\",\"index\":\"hide\",\"fulltext\":\"\"},{\"type\":\"reviewerAgreed\",\"content\":\"17651532153806144815235686882592510601\",\"date\":\"2026-03-30T21:16:51+00:00\",\"index\":\"hide\",\"fulltext\":\"\"},{\"type\":\"reviewerAgreed\",\"content\":\"137709283184872538927518572047609347136\",\"date\":\"2026-03-30T20:37:20+00:00\",\"index\":\"hide\",\"fulltext\":\"\"},{\"type\":\"reviewerAgreed\",\"content\":\"318833755076000088936905607479021700480\",\"date\":\"2026-03-30T19:58:00+00:00\",\"index\":\"hide\",\"fulltext\":\"\"},{\"type\":\"reviewersInvited\",\"content\":\"\",\"date\":\"2026-03-28T19:52:06+00:00\",\"index\":\"\",\"fulltext\":\"\"},{\"type\":\"editorAssigned\",\"content\":\"\",\"date\":\"2026-03-26T23:05:31+00:00\",\"index\":\"\",\"fulltext\":\"\"},{\"type\":\"checksComplete\",\"content\":\"\",\"date\":\"2026-03-24T15:07:34+00:00\",\"index\":\"\",\"fulltext\":\"\"},{\"type\":\"submitted\",\"content\":\"Environment Systems and Decisions\",\"date\":\"2026-03-23T22:36:13+00:00\",\"index\":\"\",\"fulltext\":\"\"}],\"status\":\"published\",\"journal\":{\"display\":true,\"email\":\"info@researchsquare.com\",\"identity\":\"environment-systems-and-decisions\",\"isNatureJournal\":false,\"hasQc\":true,\"allowDirectSubmit\":false,\"externalIdentity\":\"envr\",\"sideBox\":\"Learn more about [Environment Systems and Decisions](http://link.springer.com/journal/10669)\",\"snPcode\":\"10669\",\"submissionUrl\":\"https://submission.nature.com/new-submission/10669/3\",\"title\":\"Environment Systems and Decisions\",\"twitterHandle\":\"\",\"acdcEnabled\":true,\"dfaEnabled\":true,\"editorialSystem\":\"em\",\"reportingPortfolio\":\"Springer Hybrid\",\"inReviewEnabled\":true,\"inReviewRevisionsEnabled\":false}}],\"origin\":\"\",\"ownerIdentity\":\"a4d79d11-4b12-47d7-9a82-0293cb1da72f\",\"owner\":[],\"postedDate\":\"March 31st, 2026\",\"published\":true,\"recentEditorialEvents\":[{\"type\":\"decision\",\"content\":\"Revision requested\",\"date\":\"2026-05-09T16:37:02+00:00\",\"index\":\"\",\"fulltext\":\"\"}],\"rejectedJournal\":[],\"revision\":\"\",\"amendment\":\"\",\"status\":\"in-revision\",\"subjectAreas\":[],\"tags\":[],\"updatedAt\":\"2026-05-09T16:39:59+00:00\",\"versionOfRecord\":[],\"versionCreatedAt\":\"2026-03-31 06:44:37\",\"video\":\"\",\"vorDoi\":\"\",\"vorDoiUrl\":\"\",\"workflowStages\":[]},\"version\":\"v1\",\"identity\":\"rs-9204849\",\"journalConfig\":\"researchsquare\"},\"__N_SSP\":true},\"page\":\"/article/[identity]/[[...version]]\",\"query\":{\"redirect\":\"/article/rs-9204849\",\"identity\":\"rs-9204849\",\"version\":[\"v1\"]},\"buildId\":\"XKTyCvWXoU3ODBz1xrDgd\",\"isFallback\":false,\"isExperimentalCompile\":false,\"dynamicIds\":[84888],\"gssp\":true,\"scriptLoader\":[]}","source_license":"CC-BY-4.0","license_restricted":false}