EnCyCriS/SVM 2024

Software permeates modern society. Within critical infrastructures and systems providing important societal services, there have been considerable digitisation efforts the last decade

To address critical infrastructures vulnerabilities in design, development, implementation, operation and maintenance, a Joint Workshop is arranged between the International Workshop on Engineering and security of Critical Systems (EnCyCriS) and the International Workshop on Software Vulnerability Management (SVM).

An effect of the 4th industrial revolution is that cyber physical systems and software are in continuous growth in their complexity. Complexity of data, and system integration are becoming increasingly important for business and operation.

For critical infrastructures in e.g., energy production and transmission, transportation and public health, this transformation has led to an increased exposure to cyber, physical, and combined cyber-physical attacks.

Most of these cyber attacks have been caused by software vulnerabilities, and thus software vulnerability management has become indispensable to ensure the security of critical systems and infrastructures (e.g., safety protection systems in nuclear, high integrity control systems in transportation, etc.), and emerging solutions with potential high impact (e.g., Artificial Intelligence, block chain, and quantum systems).

Systems are required to be more efficient whilst retaining their efficacy, resulting in a more complex security landscape. For cybersecurity, handling both hardware and software vulnerabilities throughout the system life cycle is critical. To manage software vulnerabilities, Software Vulnerability Management (SVM) is a vital process to ensure the quality and security of critical systems and infrastructures.

This workshop facilitates discourse and discussions among researchers, practitioners, and students who are working on challenges and solutions related to the 4th industrial revolution, with a particular focus on sharing industry experience and project results pertaining to cyber threats on critical systems; secure software engineering; and attack detection and response mechanisms.

We highly value industrial experience and lessons learned, and academic papers where research artefacts have been applied in an industrial context

• Integrated safety and security software engineering processes
  and methods for CI that enable coordination among different teams and personnel with different competences, and continuous integration of new and emerging technologies enabling the 4^th Industrial Revolution.
• As a means to support both development and operational phases: threat landscape for digital systems’ software in critical infrastructure, and the modelling of cyber-attack scenarios for digital systems’ architecture and inter-dependencies, must be considered. This includes accurate software architecture design model specification that facilitates cyber-security, Reliability, Availability, Maintainability and Safety (RAMS) assessment, Software Vulnerability Management (SVM), and support effective communication of the threats, vulnerabilities, risks, and potential mitigation to relevant stakeholders.
• Development and use of risk models for digital systems’ software for quick and effective decision-making in order to respond to fast evolving cyber incidents. For e.g., how to use, combine or tailor software system models, network topology, risk models, in a way that they could be used in incident response to determine event propagation and suitable response and mitigation strategies.
• Demonstrate the use of digital twins, Hardware-In-the-Loop (HIL) testbeds, simulators, and/or emulators developed for cybersecurity purposes in critical infrastructures, especially to understand the consequences of a cyber-attack on both the software and on the an overall system-level, evaluate the effectiveness of the developed risk models, detection, and response tools and/or methods.
• Disseminate the state-of-the-art and state-of-the-practice of SVM to identify and close the gap between industry and research on the advances and practices of SVM for critical systems and infrastructures such as Artificial Intelligence based, blockchain, Augmented/Virtual/Mixed Reality, and quantum systems, as well as and the respective development paradigms, including DevOps and infrastructure-as-code.

Workshop proceedings will be prepared by IEEE CPS and published in ACM Digital Library and IEEE Xplore Digital Library. Workshop papers must follow the ACM formatting instructions.

We accept submission of research papers of 8 pages maximum length as well as position papers & short papers of 4 to 6 pages length, and industry experiences and challenges papers of 4 to 6 pages

All paper should be submitted in PDF through the HotCRP platform of the workshop, and should not be longer than 8 pages including references: https://encycris-svm-2024.hotcrp.com/.

Each paper will be reviewed on the basis of technical quality, relevance, significance, and clarity by at least three Program Committee members.

NOTE: the submissions for this workshop are closed. Nine papers have been accepted. See the section "program" for details.

The workshop opens discussions among researchers, practitioners and students with a particular focus on software and systems vulnerability management for critical infrastructure and systems across life cycle phases.
The workshop invites papers within the following topics:

• Safety and security co-engineering.
• Threat modeling and analyzing software systems security.
• Requirements engineering for critical infrastructures systems and software.
• SecDevOps for critical infrastructures software and systems - and - SVM for DevOps
• Methodology, processes and tools for SVM
• AI-driven techniques for SVM (AI4SVM) and SVM for AIbased systems (SVM4AI).
• Socio-technical aspects of critical infrastructures cybersecurity and SVM.
• Human-AI collaboration for SVM.
• Empirical study of SVM tools and/or practices (including mixed-methods).
• SVM in software development lifecycle, including supply chain.
• Mining software repositories, and data sets for SVM.
• Software infrastructures for SVM.
• SVM for infrastructure-as-code and/or virtualised infrastructures.
• Systems cyber security management and SVM for emerging systems (e.g., blockchain, virtual, and quantum systems).

This workshop will include keynote talks in both topical areas. The workshop is accepting research papers of a maximum of 8 pages as well as industrial or results short papers of minimum 4pages.

The workshop will be organized into different sessions, with a session chair. Each presentation will be followed by live Q&A session.

List of accepted papers:

• On DevSecOps and Risk Management in Critical Infrastructures: Practitioners´Insights on Needs and Goals
  Xhesika Ramaj¹, Mary Sanchez-Gordon¹, Vasileios Gkioulos², Ricardo Colomo-Palacios³.
  1: Østfold University College, Norway;
  2: Norwegian University of Science and Technology, Norway;
  3: Universidad Politécnica de Madrid, Spain.
  
  
  
• Interplay of Digital Twins and Cyber Deception: Unraveling Paths for Technological Advancements
  Jessica Heluany, Ahmed Amro, Vasileios Gkioulos, Sokratis Katsikas.
  Norwegian University of Science and Technology, Norway.
  
  
  
• Training Developers to Code Securely: Theory and Practice
  Ita Ryan¹, Utz Roedig², Klaas-Jan Stol³.
  1: ADVANCE Centre for Research Training, School of Computer Science and IT, University College Cork;
  2: School of Computer Science and IT University College Cork;
  3: Lero, the SFI Research Centre for Software, School of Computer Science and IT, University College Cork.
  
  
  
• Trust in Software Supply Chains: Blockchain-Enabled SBOM and the AIBOM Future
  Boming Xia¹, Dawen Zhang², Yue Liu¹, Qinghua Lu¹, Zhenchang Xing², Liming Zhu¹.
  1: CSIRO's Data61 & University of New South Wales;
  2: CSIRO's Data61 & Australian National University.
  
  
  
• Cyber-incident Response in Industrial Control Systems: Practices and Challenges in the Petroleum Industry
  Vahiny Gnanasekaran¹, Maria Bartnes¹, Tor Olav Grøtan², Poul Einar Heegaard¹.
  1: Norwegian University of Science and Technology, Norway;
  2: SINTEF Digital.
  
  
  
• WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers
  Xiangwei Zhang¹, Junjie Wang^1,3, Xiaoning Du², Shuang Liu¹.
  1: College of Intelligence and Computing, Tianjin University, China;
  2: Monash University, Australia;
  3: Nanyang technological university, Singapore.
  
  
  
• Cybersecurity and medical devices: a bull in a china shop
  Roberto Filippini, Sara Spiller.
  EBG MedAustron, Austria.
  
  
  
• Mitigating Automation Risks in GitHub: Security Issues and Remediation Strategies
  Hassan Onsori Delicheh, Tom Mens.
  University of Mons, Belgium.
  
  
  
• Building a Cybersecurity Knowledge Graph with CyberGraph
  Paolo Falcarin, Fabio Dainese.
  Ca' Foscari University of Venice, Italy.
  

The conference main event will be organized in Lisbon, Portugal.

The workshop is aiming to be organized physically as a co-located event to ICSE 2024. Be advised that although we aim for a hybrid event (both physically and digitally), this option is not confirmed yet and may be changed. Virtual attendance option will be updated. The workshop will not cover participants or authors expenses for travel or registration.

All participants, including workshop organizers, keynote speakers, and invited guests, must register for the workshop through ICSE webpage. Registrations are mandated and must be performed at least 10 days prior to this workshop. We cannot guarantee participation after this date.

Please follow the ICSE conference instructions: https://conf.researchr.org/attending/icse-2024/registration

The workshop fees is included in the category "1-Day Co-Located
Event or Workshop", with the option "EnCyCriS/SVM". Participants require only one day participation.

Note from ICSE: In case of registration for multiple overlapping events, it is applied the price per day indicated for “1-Day Co-Located Events or Workshops”, multiplied by the number of days occupied by those events.

For further information about Co-Located Events and Workshops please visit the ICSE 2024 website (https://conf.researchr.org/home/icse-2024).

• Doo-Hwan Bae, KAIST, South Korea, 
• John Eidar Simensen, IFE, Norway, 
• Mary Sánchez-Gordón, Østfold University College, Norway
• Vasileios Gkioulos, Norwegian University of Science and Technology (NTNU), Norway,
• Sridhar Adepu, University of Bristol, UK,
• Kate Labunets, Utrecht University, The Netherlands,
• Nadia Saad Noori, University of Adger, Norway,
• Ita Ryan, School of Computer Science and Information Technology, University College Cork. Science Foundation Ireland Centre for Research Training in Advanced Networks for Sustainable Societies - ADVANCE CRT, Cork Ireland,
• André Teixeira, Uppsala University, Sweden,
• Andy Meneely, Rochester Institute of Technology, USA,
• Amiangshu Bosu, Wayne State University, USA,
• Zhiyuan Wan, Zhejiang University, China,
• Joanna C. S. Santos, University of Notre Dame, USA,
• Gias Uddin, University of Calgary, Canada,
• Jingyue Li, NTNU, Norway,
• Hongyu Zhang, University of Newcastle, Australia,
• Kristen Moore, Data61, Australia,
• Xiaoning Du, Monash University, Australia,
• Sharif Abuadbba, Data61, Australia,
• Chadni Islam, Queensland University of Technology, Australia,
• Hoa K. Dam, University of Wollongong, Australia,
• Monica Whitty, Monash University, Australia,
• Karen Renaud, University of Strathclyde, United Kingdom,
• Jamal El Hachem, University of South Brittany, France,
• Nicolás E. Díaz Ferreyra, Hamburg University of Technology, Germany,
• Steven Arzt, Fraunhofer SIT, Germany.

• Coralie Esnoul, IFE, Norway,
• Eunkyoung Jee, KAIST, South Korea,
• Triet Huynh Minh Le, Adelaide University, Australia,
• Ali Babar, Adelaide University, Australia,
• Ricardo Colomo-Palacios, Universidad Politécnica de Madrid,
• Awais Rashid, University of Bristol, UK.