Context: Holistic CPS security

Cyber-Physical Systems (CPSs) combine cyber, physical and human activities through computing and network technologies, creating opportunities for benign and malign actions that affect organisations in both the physical and computational spheres. The US National Cyber Security Strategy (US White House, 2023) warns that this exposes crucial systems to disruption over a wide CPS attack surface. The UK National Cyber Security Centre Annual Review (UK National Cyber Security Centre, 2023) acknowledges that, although some organisations are evolving ‘a more holistic view of critical systems rather than purely physical assets’, this is not reflected in governance structures that still tend to treat cyber and physical security separately.

This RQ focuses on developing and evaluating holistic approaches to CPS security. Such approaches have both technical and non-technical elements. They are cross-domain in that they span computational and physical processes and their interactions, supporting the examination of overall system-level effects. They are also explainable in that they support decision-making at multiple levels ‘from the circuit board to the executive board’.

For example, chemical process operators may wish to address the risk of plant damage resulting from digital attacks on sensors and control units. A holistic solution might model and verify physical failsafe mechanisms, software-based authorisation for potentially dangerous actions and governance changes restricting remote access software. It would help explain risks and trade-offs of cost and business implications through techniques such as modelling, simulation, dashboards and visualisation that engage the full range of stakeholders.

There are technical and non-technical challenges in delivering holistic CPS security.

• From a technical perspective, surveys (e.g., those by Wu et al. (Reference Wu, Sun and Chen2016), Giraldo et al. (Reference Giraldo, Sarkar, Cardenas, Maniatakos and Kantarcioglu2017), Humayed et al. (Reference Humayed, Lin, Li and Luo2017), Alguliyev et al. (Reference Alguliyev, Imamverdiyev and Sukhostat2018) or Kayan et al. (Reference Kayan, Nunes, Rana, Burnap and Perera2022)) identify needs for systems engineering methods and tools that work across computational and physical domains. There is a need for these to support the maintenance and adaptation of security properties as both cyber and physical system elements change, as well as CPS response, resilience and survivability when facing attacks (e.g., the cross-domain attacks identified by Yampolskiy et al. (Reference Yampolskiy, Horvath, Koutsoukos, Xue and Sztipanovits2013)). Testbeds and synthetic datasets are needed to form a basis for benchmarking, simulation and proof-of-concept studies.

• From a non-technical perspective, the 2023 UK Cyber Security Breaches Survey (UK Dept. for Science, 2023) shows that some businesses may not protect cybersecurity spending when it is seen as part of the IT budget, creating challenges for people in cyber roles making cases for security investment when governance boards can lack expertise and time to engage with cybersecurity issues. This is crucial in the CPS context, where, as Rosado et al. suggest, there is no adequate risk assessment (Rosado et al., Reference Rosado, Santos-Olmo, Sánchez, Serrano, Blanco, Mouratidis and Fernández-Medina2022), and, as Savtschenko et al. (Reference Savtschenko, Schulte and Voß2017) indicate, new IT governance structures are required. Viganò and Magazzeni have pointed out that, in this environment, research should help stakeholders explain cybersecurity risks, options and decisions (Viganò et al., Reference Viganò and Magazzeni2018). One approach is integrating results with toolkits such as the NCSC Cyber Security Toolkit for Boards (UK National Cyber Security Centre, 2023).

Scope

We welcome contributions that advance holistic approaches to CPS security. These should help to address the challenges of cross-domain and explainable security outlined above, identifying which stakeholders (e.g., designers, users and governance) generate and use results within systems engineering activities (e.g., requirements elicitation, design, implementation, and defence). Topics in scope include but are not limited to:

• Foundations for holistic CPS security.

• Well-founded methods and tools for engineering cross-domain CPS security, including effectively integrating existing methods and tools.

• Authentication and evidence supporting trust in CPSs.

• Architectures, methods and tools for analysing and ensuring CPS security and privacy.

• Methods for assessing and increasing CPS resilience and survivability, including redundancy and improved incident response.

• Temporal performance as critical to CPS resilience.

• Maintenance of security-related properties under change in computational and physical processes.

• Domain-relevant tensions, for example, security/usability in medical devices.

• Adaptability and context awareness: maintenance of up-to-date security mechanisms.

• Testbeds and synthetic datasets development of realistic datasets and testbeds that are open and accessible for benchmarking, simulation and proof-of-concept studies.

• Contributions to stakeholder decision-making processes.

How to contribute to this Question

If you believe you can contribute to answering this Question with your research outputs, find out how to submit them in the Instructions for authors (https://www.cambridge.org/core/journals/research-directions-cyber-physical-systems/information/author-instructions/preparing-your-materials). This journal publishes Results, Analyses, Impact papers and additional content such as preprints and ‘grey literature’. Questions will be closed when the editors agree that enough has been published to answer the Question so before submitting, check if this is still an active Question. If it is closed, another relevant Question may be currently open, so do review all the open Questions in your field. For any further queries, check the information pages (https://www.cambridge.org/core/journals/research-directions-cyber-physical-systems/information/about-this-journal) or contact this email (cps@cambridge.org).