Towards a Secure DevOps Approach for Cyber-Physical Systems: An Industrial Perspective

With the expansion of cyber-physical systems (CPSs) across critical and regulated industries, systems must be continuously updated to remain resilient. At the same time, they should be extremely secure and safe to operate and use. The DevOps approach caters to business demands of more speed and smartness in production, but it is extremely challenging to implement DevOps due to the complexity of critical CPSs and requirements from regulatory authorities. In this study, expert opinions from 33 European companies expose the gap in the current state of practice on DevOps-oriented continuous development and maintenance. The study contributes to research and practice by identifying a set of needs. Subsequently, the authors propose a novel approach called Secure DevOps and provide several avenues for further research and development in this area. The study shows that, because security is a cross-cutting property in complex CPSs, its proficient management requires system-wide competencies and capabilities across the CPSs development and operation.

[1]  Valentina Casola,et al.  A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach , 2020, J. Syst. Softw..

[2]  Mirna Muñoz,et al.  Strategy for Performing Critical Projects in a Data Center Using DevSecOps Approach and Risk Management , 2020, Int. J. Inf. Technol. Syst. Approach.

[3]  Valentina Casola,et al.  Toward the automation of threat modeling and risk assessment in IoT systems , 2019, Internet Things.

[4]  Tommi Mikkonen,et al.  Towards Agile Yet Regulatory-Compliant Development of Medical Software , 2018, 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW).

[5]  Riccardo Scandariato,et al.  Threat analysis of software systems: A systematic literature review , 2018, J. Syst. Softw..

[6]  André van Hoorn,et al.  Exploiting DevOps Practices for Dependable and Secure Continuous Delivery Pipelines , 2018, 2018 IEEE/ACM 4th International Workshop on Rapid Continuous Software Engineering (RCoSE).

[7]  Jose Andre Morales,et al.  Weaving Security into DevOps Practices in Highly Regulated Environments , 2018 .

[8]  Ville Leppänen,et al.  Fitting Security into Agile Software Development , 2018 .

[9]  Martin Törngren,et al.  Complexity Challenges in Development of Cyber-Physical Systems , 2018, Principles of Modeling.

[10]  Martin Höst,et al.  System requirements-OSS components: matching and mismatch resolution practices – an empirical study , 2018, Empirical Software Engineering.

[11]  Hausi A. Müller,et al.  The Rise of Intelligent Cyber-Physical Systems , 2017, Computer.

[12]  Kavita Sharma,et al.  Introduction to the Special Issue on Secure Solutions for Network in Scalable Computing , 2017, Scalable Comput. Pract. Exp..

[13]  Martin Gilje Jaatun,et al.  DevOps for Better Software Security in the Cloud Invited Paper , 2017, ARES.

[14]  Jörg Henkel,et al.  Cyber-Physical Systems Security and Privacy , 2017, IEEE Des. Test.

[15]  Pekka Abrahamsson,et al.  Security challenges in IoT development: a software engineering perspective , 2017, XP Workshops.

[16]  Tommi Mikkonen,et al.  DevOps in Regulated Software Development: Case Medical Devices , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering: New Ideas and Emerging Technologies Results Track (ICSE-NIER).

[17]  Stefan Biffl,et al.  Multi-Disciplinary Engineering for Cyber-Physical Production Systems, Data Models and Software Solutions for Handling Complex Engineering Projects , 2017 .

[18]  Fengjun Li,et al.  Cyber-Physical Systems Security—A Survey , 2017, IEEE Internet of Things Journal.

[19]  Matthias Foehr,et al.  Engineering of Next Generation Cyber-Physical Automation System Architectures , 2017, Multi-Disciplinary Engineering for Cyber-Physical Production Systems.

[20]  Tommi Mikkonen,et al.  A Roadmap to the Programmable World: Software Challenges in the IoT Era , 2017, IEEE Software.

[21]  Hasan Yasar,et al.  Where to Integrate Security Practices on DevOps Platform , 2016, Int. J. Secur. Softw. Eng..

[22]  Lotfi Ben Othmane,et al.  SecDevOps: Is It a Marketing Buzzword? - Mapping Research on Security in DevOps , 2016, 2016 11th International Conference on Availability, Reliability and Security (ARES).

[23]  Christian Berger,et al.  Continuous Experimentation on Cyber-Physical Systems: Challenges and Opportunities , 2016, XP Workshops.

[24]  Siddhartha Kumar Khaitan,et al.  Design Techniques and Applications of Cyberphysical Systems: A Survey , 2015, IEEE Systems Journal.

[25]  Manish Virmani,et al.  Understanding DevOps & bridging the gap from continuous integration to continuous delivery , 2015, Fifth International Conference on the Innovative Computing Technology (INTECH 2015).

[26]  B. S. Farroha,et al.  A Framework for Managing Mission Needs, Compliance, and Trust in the DevOps Environment , 2014, 2014 IEEE Military Communications Conference.

[27]  Tore Dybå Contextualizing empirical evidence , 2013, IEEE Software.

[28]  Jiafu Wan,et al.  Security in the Internet of Things: A Review , 2012, 2012 International Conference on Computer Science and Electronics Engineering.

[29]  Oisín Cawley,et al.  Lean/Agile Software Development Methodologies in Regulated Environments - State of the Art , 2010, LESS.

[30]  H. Jansen,et al.  The Logic of Qualitative Survey Research and its Position in the Field of Social Research Methods , 2010 .

[31]  Edward A. Lee Computing Foundations and Practice for Cyber- Physical Systems: A Preliminary Report , 2007 .

[32]  Per Runeson,et al.  Verification and validation in industry - a qualitative survey on the state of practice , 2002, Proceedings International Symposium on Empirical Software Engineering.

[33]  T. Wassmer 6 , 1900, EXILE.