{"title":"On the Disappearing Boundary Between Digital, Physical, and Social Spaces: Who, What, Where and When?","authors":"B. Nuseibeh","doi":"10.1145/3055186.3055190","DOIUrl":null,"url":null,"abstract":"Boundaries play a critical role in the systems development process. In software engineering, boundaries are used to scope the real world problems that the software is required to address, and to scope the design solutions through which the software will meet its requirements. In security engineering, boundaries delimit the points at which assets may be legitimately accessed or the defences that attackers seek to breach. Cyber physical systems (CPS) add another set of boundaries that require consideration - the boundaries between the digital and the physical spaces that the CPS inhabit, as well as the boundaries with the social spaces in which such systems will operate. These boundaries have been the bedrock upon which developers build software, systems, and security capabilities. They help manage complexity of systems, organise their development, and manage their deployment. However, the views and behaviours of \"end users\" of CPS - legitimate or otherwise - do not always align with the separation of concerns embodied by such boundaries. Legitimate users, for example, may see a CPS as a single provider of services and functions, and may not find it useful to separate digital, physical, and social considerations. Similarly, malicious users may intentionally exploit the larger attack surfaces presented by a CPS, and actively exploit the design or accidental interplay between digital, physical, and social spaces. Thus, in a world of disappearing boundaries, there is sometimes what appears to be a conflicting need to make these boundaries visible and explicit. 
In our research work, we explore the development of software-intensive systems deployed in such a world, and set this against the development of secure, privacy-aware, forensics-ready systems, where boundaries need to be recognised and managed. We suggest some technical contributions that may contribute to addressing some of the research challenges in the area, including techniques for engineering adaptive software, collaborative security, and topology awareness. We contextualise our research in cyber-physical-social systems, which we argue provide research challenges to the community that go beyond any single technical discipline such as software or security engineering. Indeed we further argue, and demonstrate, that considerations of the interplay of security and human behaviour are fundamental to tackling some of the key challenges of developing secure cyber physical systems.","PeriodicalId":140504,"journal":{"name":"Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security","volume":"36 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3055186.3055190","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 3