ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal

Backgrounds

Software permeates modern society. Within critical infrastructures and systems providing important societal services, there have been considerable digitisation efforts over the last decade. To address critical infrastructure vulnerabilities in design, development, implementation, operation and maintenance, a Joint Workshop is arranged between the International Workshop on Engineering and security of Critical Systems (EnCyCriS) and the International Workshop on Software Vulnerability Management (SVM).

An effect of the 4th industrial revolution is that cyber-physical systems and software are continuously growing in complexity. Data complexity and system integration are becoming increasingly important for business and operation.

For critical infrastructures in e.g., energy production and transmission, transportation and public health, this transformation has led to an increased exposure to cyber, physical, and combined cyber-physical attacks.

Most of these cyber attacks have been caused by software vulnerabilities, and thus software vulnerability management has become indispensable to ensure the security of critical systems and infrastructures (e.g., safety protection systems in nuclear, high integrity control systems in transportation, etc.), and emerging solutions with potential high impact (e.g., Artificial Intelligence, blockchain, and quantum systems).

Systems are required to be more efficient whilst retaining their efficacy, resulting in a more complex security landscape. For cybersecurity, handling both hardware and software vulnerabilities throughout the system life cycle is critical. To manage software vulnerabilities, Software Vulnerability Management (SVM) is a vital process to ensure the quality and security of critical systems and infrastructures.

Workshop

EnCyCriS and SVM invite contributions from research scholars and practitioners working on challenges and solutions for engineering and cybersecurity of critical systems on the following topics:

  • Safe, reliable, and secure by design - and - Safety and security co-engineering.
  • Software Vulnerability Management for critical systems, including threat modeling and event analysis.
  • Cyber response estimation on software and hardware of CI using models, simulations, and digital twins.
  • The role and impact of humans in cybersecurity in critical infrastructure development and operation.
  • Human factors in cybersecurity software engineering and software vulnerability management.

We accept position papers, research papers, and industrial experience papers. We highly value industrial experience and lessons learned, and academic papers where research artefacts have been applied in an industrial context.

Plenary
Mon 15 Apr

Displayed time zone: Lisbon

09:00 - 10:30
Developing secure software - EnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): Awais Rashid University of Bristol, UK
09:00
5m
Day opening
Workshop opening
EnCyCriS/SVM
W: Coralie Esnoul Institute For Energy Technology (IFE)
09:05
45m
Keynote
Keynote: If you build it, they (probably) won’t come
EnCyCriS/SVM
K: Adam Joinson School of Management University of Bath
09:50
20m
Full-paper
WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers
EnCyCriS/SVM
A: Xiangwei Zhang College of Intelligence and Computing, Tianjin University, A: Junjie Wang College of Intelligence and Computing, Tianjin University, A: Xiaoning Du Monash University, Australia, A: Shuang Liu Tianjin University
10:10
20m
Full-paper
Mitigating Security Issues in GitHub Actions
EnCyCriS/SVM
A: Hassan Onsori Delicheh University of Mons, Belgium, A: Tom Mens University of Mons
10:30 - 11:00
Coffee Break - Catering at Open Space
10:30
30m
Coffee break
Break
Catering

11:00 - 12:30
Developing secure software and Industrial Challenges - EnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): Awais Rashid University of Bristol, UK, John Eidar Simensen IFE
11:00
20m
Full-paper
Trust in Software Supply Chains: Blockchain-Enabled SBOM and the AIBOM Future
EnCyCriS/SVM
A: Boming Xia CSIRO's Data61 & University of New South Wales, A: Dawen (David) Zhang CSIRO's Data61, A: Yue Liu, A: Qinghua Lu Data61, CSIRO, A: Zhenchang Xing CSIRO’s Data61; Australian National University, A: Liming Zhu CSIRO’s Data61
11:20
20m
Full-paper
Interplay of Digital Twins and Cyber Deception: Unraveling Paths for Technological Advancements
EnCyCriS/SVM
A: Jessica Heluany Norwegian University of Science and Technology NTNU, A: Ahmed Amro Norwegian University of Science and Technology NTNU, A: Vasileios Gkioulos NTNU, A: Sokratis Katsikas Norwegian University of Science and Technology (NTNU)
11:40
45m
Keynote
Keynote: Current threats and challenges for securing OT/IoT systems
EnCyCriS/SVM
K: Léonard Keat Advens
12:30 - 14:00
12:30
90m
Lunch
Lunch
Catering

14:00 - 15:30
Training, knowledge and Industrial challenges - EnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): John Eidar Simensen IFE
14:00
20m
Full-paper
Building a Cybersecurity Knowledge Graph with CyberGraph
EnCyCriS/SVM
A: Paolo Falcarin Ca' Foscari University of Venice, A: Fabio Dainese Ca' Foscari University of Venice
14:20
20m
Full-paper
Training Developers to Code Securely: Theory and Practice
EnCyCriS/SVM
A: Ita Ryan University College Cork, A: Utz Roedig University College Cork, A: Klaas-Jan Stol Lero; University College Cork; SINTEF Digital
14:40
20m
Full-paper
On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals
EnCyCriS/SVM
A: Xhesika Ramaj Østfold University College (HiØ) / Norwegian University of Science and Technology (NTNU), A: Mary Sánchez-Gordón Østfold University College, A: Vasileios Gkioulos NTNU, A: Ricardo Colomo-Palacios Universidad Politécnica de Madrid
15:00
20m
Full-paper
Cyber-incident Response in Industrial Control Systems: Practices and Challenges in the Petroleum Industry
EnCyCriS/SVM
A: Vahiny Gnanasekaran Norwegian University of Science and Technology NTNU, A: Maria Bartnes Norwegian University of Science and Technology NTNU, A: Tor Olav Grøtan SINTEF Digital, Poul Einar Heegaard Norwegian University of Science and Technology NTNU
15:30 - 16:00
Coffee Break - Catering at Open Space
15:30
30m
Coffee break
Break
Catering

16:00 - 17:30
Training, knowledge and Industrial challenges - EnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): Muhammad Ali Babar School of Computer Science, The University of Adelaide, Coralie Esnoul Institute For Energy Technology (IFE), Awais Rashid University of Bristol, UK, John Eidar Simensen IFE
16:00
20m
Full-paper
Cybersecurity and medical devices: a bull in a china shop
EnCyCriS/SVM
A: Roberto Filippini EBG MedAustron, A: Sara Spiller EBG MedAustron
16:20
60m
Meeting
Panel based discussions and open questions
EnCyCriS/SVM
Coralie Esnoul Institute For Energy Technology (IFE), Awais Rashid University of Bristol, UK, John Eidar Simensen IFE, Muhammad Ali Babar School of Computer Science, The University of Adelaide
17:20
10m
Day closing
Workshop Closure
EnCyCriS/SVM
W: Coralie Esnoul Institute For Energy Technology (IFE)

Call For Papers

EnCyCriS and SVM invite contributions from research scholars and practitioners working on challenges and solutions for engineering and cybersecurity of critical systems on the following topics:

  • Safety and security co-engineering.
  • Cyber security challenges and solutions in critical infrastructure and industrial software-intensive systems.
  • Threat modeling and analyzing software systems security.
  • Requirements engineering for critical infrastructure systems and software.
  • Techniques and practices of threat modeling (including mixed-methods).
  • Identification and impact estimation for response of cyber effects on software and hardware of CI using models, simulations, and digital twins.
  • Human factors in cybersecurity software engineering and software vulnerability management.
  • SecDevOps for critical infrastructure software and systems - and - SVM for DevOps.
  • Methodology, processes and tools for SVM.
  • AI-driven techniques for SVM (AI4SVM) and SVM for AI-based systems (SVM4AI).
  • Human-AI collaboration for SVM.
  • Empirical study of SVM tools and/or practices (including mixed-methods).
  • SVM in software development lifecycle.
  • Mining software repositories, and data sets for SVM.
  • Data quality for SVM analytics.
  • SVM for infrastructure-as-code and/or virtualised infrastructures.
  • Systems cybersecurity management and SVM for emerging systems (e.g., blockchain, virtual, and quantum systems).
  • Cyber-response estimation on software and hardware of critical infrastructure using models, simulations, and digital twins.

We accept position papers, research papers, and industrial experience papers. We highly value industrial experience and lessons learned, and academic papers where research artefacts have been applied in an industrial context.

Important dates

  • Paper Submission Deadline: 27th November 2023, extended to 15th December.
  • Paper Acceptance Notification: 11th January 2024.
  • Camera-ready Papers: 25th January 2024.
  • Workshop date: Monday 15th April 2024.

Paper Submission

Workshop proceedings will be prepared by IEEE CPS and published in ACM Digital Library and IEEE Xplore Digital Library. Workshop papers must follow the ACM formatting instructions.

We accept submissions of research papers of 8 pages maximum length, as well as position papers and short papers of 4 to 6 pages, and industry experience and challenge papers of 4 to 6 pages. All papers should be submitted in PDF through the HotCRP platform of the workshop, and should not be longer than 8 pages including references. Each paper will be reviewed on the basis of technical quality, relevance, significance, and clarity by at least three Program Committee members.

If you have any questions or wonder whether your submission is in scope, please do not hesitate to contact the organizers.

Submission Link

https://encycris-svm-2024.hotcrp.com/

Professor Adam Joinson

Adam Joinson is Professor of Information Systems at the University of Bath, School of Management, UK. He is co-director of the joint Bristol-Bath Centre for Doctoral Training in Cybersecurity, Director of the ESRC Digital Security by Design Social Science Hub+ (Discribe Hub+), and established and co-directs the new ‘Bath Institute for Digital Security and Behaviour’. By training, Prof. Joinson is a behavioural scientist, although his career has spanned Psychology, Educational Technology, Behaviour Change, and Information Systems - as well as a spell working in Government on national security and digital behaviour. He was one of the founders of the field now known as “cyber psychology”, and pioneered the use of online methods for data collection (first through web-based surveys and then data analytics and natural language processing). His work now broadly focuses on the interaction between human behaviour and technology with a focus on security - and includes recent investigations into digital footprints and privacy, security habits, balancing innovation and security in businesses, online bystanders, and terrorist use of the Internet. He has published > 100 papers and books / book chapters, which have been cited almost 20,000 times. For more information: https://researchportal.bath.ac.uk/en/persons/adam-joinson

Talk: If you build it, they (probably) won’t come

Addressing the in-built technical vulnerabilities of our digital systems is a necessary pre-condition for a secure digital future - but not sufficient. The Discribe Hub+ has been centrally placed in the effort to move CHERI from a theoretical proposition to an architecture ready to be adopted at scale as part of the wider Digital Security by Design programme. As such, we have also witnessed the many and varied challenges and barriers between prototype and mass market adoption. In this talk I will outline the Digital Security by Design programme, and the lessons learnt for the adoption of secure by design technologies.


Léonard Keat

Léonard has been a cybersecurity consultant for more than 20 years. He currently works for the French cybersecurity company Advens. He has worked for hundreds of companies and organizations in multiple sectors, mainly in health, industry, and the public sector. He has provided expertise in cybersecurity risk analysis, implementing crisis management against cyberattacks, and defining cybersecurity strategy and governance. He is also the main expert on the security of Artificial Intelligence for Advens.

Talk: Current threats and challenges for securing OT/IoT systems.

The talk will focus on presenting real scenarios of cyberattacks occurring on industrial systems, and the current challenges that industrial companies are facing to implement cybersecurity best practices. Some solutions are presented to tackle these challenges, from OT governance to technical best practices.
