Article Preview
Top1. Introduction
In recent years, with the emergence of Cyber-Physical Systems (CPSs), societies have become interconnected (Müller, 2017). This increased connectivity is associated with greater concerns related to various quality attributes, such as safety and security. The incidents and risks of operating CPSs are essential nowadays due to the expansion of CPSs across critical and regulated industry sectors such as energy, aerospace, automotive, and healthcare, where even minor failures may lead to devastating human and financial loss. Therefore, higher levels of security and reliability must be achieved in developing CPSs, and these systems must also stay continuously updated to remain resilient in operation, especially during critical events such as cyber-attacks (Yasar & Kontostathis, 2016).
At the same time, production organizations in critical and regulated domains, e.g., automotive, aerospace, and healthcare express an increasing interest in utilizing the DevOps approach for developing and maintaining consumer CPSs (e.g., wearables, virtual reality), as it enables them to shorten time-to-market and be more responsive to operational demands of customers and the market in general (Foehr et al., 2017; Stirbu & Mikkonen, 2010). However, adopting DevOps in industrial domains is extremely challenging due to the complexity of critical CPSs and the devastating costs associated with their downtime, as well as strict requirements demanded by regulatory authorities within those domains (Giaimo, Yin, Berger, & Crnkovic, 2016; Törngren & Sellgren, 2018, Morales, Yasar & Volkmann, 2018). Therefore, there is an increasing need for novel solutions and technologies enabling organizations to benefit from DevOps and, at the same time, maintain the required high levels of security and reliability in critical CPSs.
The objective of our study was to obtain a better understanding of what these novel solutions and technologies entail. To this end, a set of research questions were formulated as below:
RQ1: What are the needs of critical and regulated industries for integrating security into DevOps?
RQ2: What are the benefits and characteristics of such systematic integration expected by these industries?
RQ3: What is the impact of such systematic integration on the company’s business?
To answer the research questions, we conducted a qualitative survey of 33 companies active in a variety of critical and regulated industrial sectors to explore the gap in the state-of-practice on DevOps-oriented continuous development and maintenance of CPSs. As such, we make three contributions to research and practice. First, we provide an empirical insight into a set of key needs of and expected benefits from implementing DevOps while complying with required security standards in CPSs development and deployment, as well as the business impacts that it can produce on the implementing companies. Second, based on these identified needs, benefits and impacts, we envisioned a new approach, called Secure DevOps, which encompasses human factors, tools, technologies and processes for adopting DevOps integrated with security across industrial domains. Finally, we propose three main areas which deserve future scientific research as well as further development in practice.
The remainder of the paper is organized as follows. Section 2 provides a review of literature related to CPSs and security in critical and regulated industries, and DevOps in such a context. The research methodology is explained in Section 3, and the findings are reported in Section 4. In Section 5, we present the envisioned Secure DevOps approach based on the findings of the study. Section 6 concludes the paper with highlights for future work.