Towards a Secure DevOps Approach for Cyber-Physical Systems: An Industrial Perspective

Towards a Secure DevOps Approach for Cyber-Physical Systems: An Industrial Perspective

Pekka Abrahamsson, Goetz Botterweck, Hadi Ghanbari, Martin Gilje Jaatun, Petri Kettunen, Tommi J. Mikkonen, Anila Mjeda, Jürgen Münch, Anh Nguyen Duc, Barbara Russo, Xiaofeng Wang
DOI: 10.4018/IJSSSP.2020070103
Article PDF Download
Open access articles are freely available for download


With the expansion of cyber-physical systems (CPSs) across critical and regulated industries, systems must be continuously updated to remain resilient. At the same time, they should be extremely secure and safe to operate and use. The DevOps approach caters to business demands of more speed and smartness in production, but it is extremely challenging to implement DevOps due to the complexity of critical CPSs and requirements from regulatory authorities. In this study, expert opinions from 33 European companies expose the gap in the current state of practice on DevOps-oriented continuous development and maintenance. The study contributes to research and practice by identifying a set of needs. Subsequently, the authors propose a novel approach called Secure DevOps and provide several avenues for further research and development in this area. The study shows that, because security is a cross-cutting property in complex CPSs, its proficient management requires system-wide competencies and capabilities across the CPSs development and operation.
Article Preview

1. Introduction

In recent years, with the emergence of Cyber-Physical Systems (CPSs), societies have become interconnected (Müller, 2017). This increased connectivity is associated with greater concerns related to various quality attributes, such as safety and security. The incidents and risks of operating CPSs are essential nowadays due to the expansion of CPSs across critical and regulated industry sectors such as energy, aerospace, automotive, and healthcare, where even minor failures may lead to devastating human and financial loss. Therefore, higher levels of security and reliability must be achieved in developing CPSs, and these systems must also stay continuously updated to remain resilient in operation, especially during critical events such as cyber-attacks (Yasar & Kontostathis, 2016).

At the same time, production organizations in critical and regulated domains, e.g., automotive, aerospace, and healthcare express an increasing interest in utilizing the DevOps approach for developing and maintaining consumer CPSs (e.g., wearables, virtual reality), as it enables them to shorten time-to-market and be more responsive to operational demands of customers and the market in general (Foehr et al., 2017; Stirbu & Mikkonen, 2010). However, adopting DevOps in industrial domains is extremely challenging due to the complexity of critical CPSs and the devastating costs associated with their downtime, as well as strict requirements demanded by regulatory authorities within those domains (Giaimo, Yin, Berger, & Crnkovic, 2016; Törngren & Sellgren, 2018, Morales, Yasar & Volkmann, 2018). Therefore, there is an increasing need for novel solutions and technologies enabling organizations to benefit from DevOps and, at the same time, maintain the required high levels of security and reliability in critical CPSs.

The objective of our study was to obtain a better understanding of what these novel solutions and technologies entail. To this end, a set of research questions were formulated as below:

  • RQ1: What are the needs of critical and regulated industries for integrating security into DevOps?

  • RQ2: What are the benefits and characteristics of such systematic integration expected by these industries?

  • RQ3: What is the impact of such systematic integration on the company’s business?

To answer the research questions, we conducted a qualitative survey of 33 companies active in a variety of critical and regulated industrial sectors to explore the gap in the state-of-practice on DevOps-oriented continuous development and maintenance of CPSs. As such, we make three contributions to research and practice. First, we provide an empirical insight into a set of key needs of and expected benefits from implementing DevOps while complying with required security standards in CPSs development and deployment, as well as the business impacts that it can produce on the implementing companies. Second, based on these identified needs, benefits and impacts, we envisioned a new approach, called Secure DevOps, which encompasses human factors, tools, technologies and processes for adopting DevOps integrated with security across industrial domains. Finally, we propose three main areas which deserve future scientific research as well as further development in practice.

The remainder of the paper is organized as follows. Section 2 provides a review of literature related to CPSs and security in critical and regulated industries, and DevOps in such a context. The research methodology is explained in Section 3, and the findings are reported in Section 4. In Section 5, we present the envisioned Secure DevOps approach based on the findings of the study. Section 6 concludes the paper with highlights for future work.

Complete Article List

Search this Journal:
Volume 14: 1 Issue (2023)
Volume 13: 2 Issues (2022): 1 Released, 1 Forthcoming
Volume 12: 2 Issues (2021)
Volume 11: 2 Issues (2020)
Volume 10: 2 Issues (2019)
Volume 9: 4 Issues (2018)
View Complete Journal Contents Listing