Article Preview
TopIntroduction
Modern society’s viability depends on the reliable functioning of specific systems whose incapacitation or degradation can have debilitating impacts on public safety, health, security, and economic strength. Such systems are referred to as critical infrastructures. They typically include energy, communications, transportation, healthcare, information technology, government facilities, commercial facilities, financial services, critical manufacturing, dams, defense industrial bases, emergency services, food and agriculture, nuclear reactors, materials, space, and wastewater systems (Gheorghe et al., 2006; Habibzadeh et al., 2019; Kröger & Zio, 2011; Obama, 2013; Tatar et al., 2020). Although such systems are expected to produce essential products and services, they operate in a 21st-century environment with attributes of volatility, uncertainty, complexity, and ambiguity (Katina et al., 2014; Keating et al., 2014; Mackey, 1992). Risks posed by critical infrastructure of a nation requires a well-established risk management approach. For example, in the U.S., Cybersecurity and Infrastructure Security Agency “leads such management efforts by mobilizing a collective defense” that includes coordinating a diverse set of stakeholders (Nussbaum, 2017; Tatar et al., 2019) including entities from academia, federal, state, and local government agencies, industry, private sectors, non-profits, and general public (Cybersecurity and Infrastructure Security Agency [CISA], 2020).
These attributes also affect practitioners dealing with modern cybersecurity complex systems. Following previous recitations of the nature of this changing world (Keating et al. 2015; Keating and Katina, 2019), the following summary points are offered regarding cybersecurity:
- •
Complexity: the unprecedented availability and accessibility of data and information have become beyond current capabilities to structure to enable effective decision making.
- •
Emergence: the emergence deals with the appearance of attributes (e.g., behaviors, performance) that cannot be known in advance. In such cases, traditional methods are potentially detrimental, creating a need for ‘next-generation’ methods with the necessary capabilities to engage highly emergent situations.
- •
Ambiguity: instabilities in understanding, shifting boundary conditions, and unstable structural patterns create a lack of clarity for decisive action.
- •
Uncertainty: the attributes of ambiguity, emergence, and complexity create conditions where the inability to have a measure of confidence runs rampant. Producing desired performance becomes the exception rather than the norm.
- •
Solution spaces: the problem space for cybersecurity is neither simple, absolute, nor isolated. Therefore, the solution space must address the spectrum of sociotechnical encompassing technology, organizational, managerial, human, and policy across special, temporal, and social norms.
- •
Context: the context involves the uniqueness of circumstances, factors, patterns, or conditions are affecting a situation: these can enable or constrain decisions and actions.
This landscape amplifies the criticality of looking to new and untapped sources to strengthen cybersecurity, especially in cyber-physical systems (CPS). Moreover, there is also recognition that CPS systems do not operate in isolation and must deal with an increasing range of issues affecting their performance --- beyond risk (Thissen & Herder, 2003). Hence, understanding the characteristics of distinct constituent systems and their interdependencies is necessary to address emerging vulnerabilities. This is especially the case for cyber threats against electronic systems that directly control and alter physical systems. Again, a mounting concern is the issue of cybersecurity, which is concerned with the use of modern communication systems to disable, impede, or degrade system operations to directly or indirectly harm the reputation, causing physical or mental damage, or loss, to the target (Halder & Jaishankar, 2011; Johnson, 2016; White et al., 2010).