Background
Software permeates modern society. Within critical infrastructures and systems providing important societal services, there have been considerable digitisation efforts over the last decade. To address critical infrastructure vulnerabilities in design, development, implementation, operation and maintenance, a Joint Workshop is arranged between the International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and the International Workshop on Software Vulnerability Management (SVM).
An effect of the 4th industrial revolution is that cyber-physical systems and software are continuously growing in complexity. The complexity of data and of system integration is becoming increasingly important for business and operation.
For critical infrastructures in, e.g., energy production and transmission, transportation and public health, this transformation has led to increased exposure to cyber, physical, and combined cyber-physical attacks.
Most of these cyber attacks have been caused by software vulnerabilities, and thus software vulnerability management has become indispensable to ensure the security of critical systems and infrastructures (e.g., safety protection systems in nuclear, high integrity control systems in transportation, etc.), and of emerging solutions with potentially high impact (e.g., Artificial Intelligence, blockchain, and quantum systems).
Systems are required to be more efficient whilst retaining their efficacy, resulting in a more complex security landscape. For cybersecurity, handling both hardware and software vulnerabilities throughout the system life cycle is critical. To manage software vulnerabilities, Software Vulnerability Management (SVM) is a vital process to ensure the quality and security of critical systems and infrastructures.
Workshop
EnCyCriS and SVM invite contributions from research scholars and practitioners working on challenges and solutions for engineering and cybersecurity of critical systems on the following topics:
- Safe, reliable, and secure by design; safety and security co-engineering.
- Software Vulnerability Management for critical systems, including threat modeling and event analysis.
- Cyber response estimation on software and hardware of CI using models, simulations, and digital twins.
- The role and impact of humans in cybersecurity in critical infrastructure development and operation.
- Human factors in cybersecurity software engineering and software vulnerability management.
We accept position papers, research papers, and industrial experience papers. We highly value industrial experience and lessons learned, and academic papers where research artefacts have been applied in an industrial context.
Mon 15 Apr (times shown in the Lisbon time zone)

09:00 - 10:30 | Developing secure software (EnCyCriS/SVM) at Amadeo de Souza-Cardoso. Chair(s): Awais Rashid (University of Bristol, UK)
- 09:00 (5m) Day opening: Workshop opening
- 09:05 (45m) Keynote: If you build it, they (probably) won’t come
- 09:50 (20m) Full paper: WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers. Authors: Xiangwei Zhang (College of Intelligence and Computing, Tianjin University), Junjie Wang (College of Intelligence and Computing, Tianjin University), Xiaoning Du (Monash University, Australia), Shuang Liu (Tianjin University)
- 10:10 (20m) Full paper: Mitigating Security Issues in GitHub Actions

10:30 - 11:00 | Break
- 10:30 (30m) Coffee break (Catering)

11:00 - 12:30 | Developing secure software and Industrial Challenges (EnCyCriS/SVM) at Amadeo de Souza-Cardoso. Chair(s): Awais Rashid (University of Bristol, UK), John Eidar Simensen (IFE)
- 11:00 (20m) Full paper: Trust in Software Supply Chains: Blockchain-Enabled SBOM and the AIBOM Future. Authors: Boming Xia (CSIRO's Data61 & University of New South Wales), Dawen (David) Zhang (CSIRO's Data61), Yue Liu, Qinghua Lu (Data61, CSIRO), Zhenchang Xing (CSIRO’s Data61; Australian National University), Liming Zhu (CSIRO’s Data61)
- 11:20 (20m) Full paper: Interplay of Digital Twins and Cyber Deception: Unraveling Paths for Technological Advancements. Authors: Jessica Heluany (Norwegian University of Science and Technology, NTNU), Ahmed Amro (Norwegian University of Science and Technology, NTNU), Vasileios Gkioulos (NTNU), Sokratis Katsikas (Norwegian University of Science and Technology, NTNU)
- 11:40 (45m) Keynote: Current threats and challenges for securing OT/IoT systems

12:30 - 14:00 | Lunch
- 12:30 (90m) Lunch (Catering)

14:00 - 15:30 | Training, knowledge and Industrial challenges (EnCyCriS/SVM) at Amadeo de Souza-Cardoso. Chair(s): John Eidar Simensen (IFE)
- 14:00 (20m) Full paper: Building a Cybersecurity Knowledge Graph with CyberGraph. Authors: Paolo Falcarin (Ca' Foscari University of Venice), Fabio Dainese (Ca' Foscari University of Venice)
- 14:20 (20m) Full paper: Training Developers to Code Securely: Theory and Practice. Authors: Ita Ryan (University College Cork), Utz Roedig (University College Cork), Klaas-Jan Stol (Lero; University College Cork; SINTEF Digital)
- 14:40 (20m) Full paper: On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals. Authors: Xhesika Ramaj (Østfold University College (HiØ) / Norwegian University of Science and Technology (NTNU)), Mary Sánchez-Gordón (Østfold University College), Vasileios Gkioulos (NTNU), Ricardo Colomo-Palacios (Universidad Politécnica de Madrid)
- 15:00 (20m) Full paper: Cyber-incident Response in Industrial Control Systems: Practices and Challenges in the Petroleum Industry. Authors: Vahiny Gnanasekaran (Norwegian University of Science and Technology, NTNU), Maria Bartnes (Norwegian University of Science and Technology, NTNU), Tor Olav Grøtan (SINTEF Digital), Poul Einar Heegaard (Norwegian University of Science and Technology, NTNU)

15:30 - 16:00 | Break
- 15:30 (30m) Coffee break (Catering)

16:00 - 17:30 | Training, knowledge and Industrial challenges (EnCyCriS/SVM) at Amadeo de Souza-Cardoso. Chair(s): Muhammad Ali Babar (School of Computer Science, The University of Adelaide), Coralie Esnoul (Institute For Energy Technology (IFE)), Awais Rashid (University of Bristol, UK), John Eidar Simensen (IFE)
- 16:00 (20m) Full paper: Cybersecurity and medical devices: a bull in a china shop
- 16:20 (60m) Meeting: Panel based discussions and open questions. Panel: Coralie Esnoul (Institute For Energy Technology (IFE)), Awais Rashid (University of Bristol, UK), John Eidar Simensen (IFE), Muhammad Ali Babar (School of Computer Science, The University of Adelaide)
- 17:20 (10m) Day closing: Workshop Closure
Accepted Papers
Call For Papers
EnCyCriS and SVM invite contributions from research scholars and practitioners working on challenges and solutions for engineering and cybersecurity of critical systems on the following topics:
- Safety and security co-engineering.
- Cyber security challenges and solutions in critical infrastructure and industrial software-intensive systems.
- Threat modeling and analyzing software systems security.
- Requirements engineering for critical infrastructure systems and software.
- Techniques and practices of threat modeling (including mixed-methods).
- Identification and impact estimation for response of cyber effects on software and hardware of CI using models, simulations, and digital twins.
- Human factors in cybersecurity software engineering and software vulnerability management.
- SecDevOps for critical infrastructure software and systems; SVM for DevOps.
- Methodology, processes and tools for SVM.
- AI-driven techniques for SVM (AI4SVM) and SVM for AI-based systems (SVM4AI).
- Human-AI collaboration for SVM.
- Empirical study of SVM tools and/or practices (including mixed-methods).
- SVM in software development lifecycle.
- Mining software repositories, and data sets for SVM.
- Data quality for SVM analytics.
- SVM for infrastructure-as-code and/or virtualised infrastructures.
- Systems cybersecurity management and SVM for emerging systems (e.g., blockchain, virtual, and quantum systems).
- Cyber-response estimation on software and hardware of critical infrastructure using models, simulations, and digital twins.
We accept position papers, research papers, and industrial experience papers. We highly value industrial experience and lessons learned, and academic papers where research artefacts have been applied in an industrial context.
Important dates
- Paper Submission Deadline: 27th November 2023 (extended to 15th December).
- Paper Acceptance Notification: 11th January 2024.
- Camera-ready Papers: 25th January 2024.
- Workshop date: Monday 15th April 2024.
Paper Submission
Workshop proceedings will be prepared by IEEE CPS and published in ACM Digital Library and IEEE Xplore Digital Library. Workshop papers must follow the ACM formatting instructions.
We accept submissions of research papers of 8 pages maximum length, as well as position papers and short papers of 4 to 6 pages, and industry experience and challenge papers of 4 to 6 pages. All papers should be submitted in PDF through the HotCRP platform of the workshop, and should not be longer than 8 pages including references. Each paper will be reviewed on the basis of technical quality, relevance, significance, and clarity by at least three Program Committee members.
If you have any questions or wonder whether your submission is in scope, please do not hesitate to contact the organizers.
Submission Link
Keynotes
Professor Adam Joinson
Adam Joinson is Professor of Information Systems at the University of Bath, School of Management, UK. He is co-director of the joint Bristol-Bath Centre for Doctoral Training in Cybersecurity, Director of the ESRC Digital Security by Design Social Science Hub+ (Discribe Hub+), and established and co-directs the new ‘Bath Institute for Digital Security and Behaviour’. By training, Prof. Joinson is a behavioural scientist, although his career has spanned Psychology, Educational Technology, Behaviour Change, and Information Systems, as well as a spell working in Government on national security and digital behaviour. He was one of the founders of the field now known as “cyber psychology”, and pioneered the use of online methods for data collection (first through web-based surveys and then data analytics and natural language processing). His work now broadly focuses on the interaction between human behaviour and technology with a focus on security, and includes recent investigations into digital footprints and privacy, security habits, balancing innovation and security in businesses, online bystanders, and terrorist use of the Internet. He has published more than 100 papers and books / book chapters, which have been cited almost 20,000 times. For more information: https://researchportal.bath.ac.uk/en/persons/adam-joinson
Talk: If you build it, they (probably) won’t come
Addressing the in-built technical vulnerabilities of our digital systems is a necessary pre-condition for a secure digital future, but not a sufficient one. The Discribe Hub+ has been centrally placed in the effort to move CHERI from a theoretical proposition to an architecture ready to be adopted at scale as part of the wider Digital Security by Design programme. As such, we have also witnessed the many and varied challenges and barriers between prototype and mass market adoption. In this talk I will outline the Digital Security by Design programme, and the lessons learnt for the adoption of secure by design technologies.
Léonard Keat
Léonard has been a cybersecurity consultant for more than 20 years. He currently works for the French cybersecurity company Advens. He has worked for hundreds of companies and organizations in multiple sectors, mainly health, industry, and the public sector. He has provided his expertise in cybersecurity risk analysis, in implementing crisis management against cyberattacks, and in defining cybersecurity strategy and governance. He is also the main expert on the security of Artificial Intelligence at Advens.
Talk: Current threats and challenges for securing OT/IoT systems.
The talk will focus on presenting real scenarios of cyberattacks on industrial systems, and the current challenges that industrial companies face in implementing cybersecurity best practices. Some solutions to these challenges are presented, ranging from OT governance to technical best practices.