On the use of security principles and practices for architecting cyber-physical systems

Context: Security has become a major concern for modern Cyber-Physical Systems (CPS), due to their distributed, sensing, actuating, and always connected nature. A considerable number of security principles and practices have been defined by the security communities and are being implemented in architecting secure CPS. Objective: The main question we are looking for an answer in this work is on how security principles have been used while architecting secure CPS. Method: We conducted a systematic literature review by searching four major scientific databases, resulting in 1591 candidate studies and eventually retaining 32 primary studies included for data collection after applying inclusion and exclusion criteria. Results: 81% of the studies use architectural patterns in designing systems. Among the security principles used integrity is an attribute that is implemented in systems most frequently (53%) followed by confidentiality (43%) and availability (37%).Often these principles are applied in combination with each other. More than 31% of design implementation do not consider any architectural styles while implementing security in CPS. Only 9% of studies suggests security is applied ubiquitously across all relevant CPS components. Conclusions: Our analysis shows that the traditional practice to only add security as an additional layer/component into the CPS is still in place, as opposed to the real need to ensure the security of all relevant components. There is a lack of uniformity in the application of security principles in designing CPS.