The increased need for constant connectivity and complete automation of existing systems fuels the popularity of Cyber Physical Systems (CPS) worldwide. Increasingly more, these systems are subjected to cyber attacks. In recent years, many major cyber-attack incidents on CPS have been recorded and, in turn, have been raising concerns in their users' minds. Unlike in traditional IT systems, the complex architecture of CPS consisting of embedded systems integrated with the Internet of Things (IoT) requires rather extensive planning, implementation, and monitoring of security requirements. One crucial step to planning, implementing, and monitoring of these requirements in CPS is the integration of the risk management process in the CPS development life cycle. Existing studies do not clearly portray the extent of damage that the unattended security issues in CPS can cause or have caused, in the incidents recorded. An overview of the possible risk management techniques that could be integrated into the development and maintenance of CPS contributing to improving its security level in its actual environment is missing. In this paper, we are set out to highlight the security requirements and issues specific to CPS that are discussed in scientific literature and to identify the state-of-the-art risk management processes adopted to identify, monitor, and control those security issues in CPS. For that, we conducted a systematic mapping study on the data collected from 312 papers published between 2000 and 2020, focused on the security requirements, challenges, and the risk management processes of CPS. Our work aims to form an overview of the security requirements and risks in CPS today and of those published contributions that have been made until now, towards improving the reliability of CPS. The results of this mapping study reveal (i) integrity authentication and confidentiality as the most targeted security attributes in CPS, (ii) model-based techniques as the most used risk identification and assessment and management techniques in CPS, (iii) cyber-security as the most common security risk in CPS, (iv) the notion of “mitigation measures” based on the type of system and the underline internationally recognized standard being the most used risk mitigation technique in CPS, (v) smart grids being the most targeted systems by cyber-attacks and thus being the most explored domain in CPS literature, and (vi) one of the major limitations, according to the selected literature, concerns the use of the fault trees for fault representation, where there is a possibility of runtime system faults not being accounted for. Finally, the mapping study draws implications for practitioners and researchers based on the findings.

中文翻译：

---

网络物理系统中的安全风险——系统映射研究

对现有系统持续连接和完全自动化的需求不断增加，推动了网络物理系统 (CPS) 在全球范围内的普及。这些系统越来越多地受到网络攻击。近年来，在 CPS 上发生了许多重大的网络攻击事件，从而引起了用户的担忧。与传统 IT 系统不同，CPS 的复杂架构由与物联网 (IoT) 集成的嵌入式系统组成，需要对安全要求进行相当广泛的规划、实施和监控。在 CPS 中规划、实施和监控这些要求的一个关键步骤是将风险管理过程集成到 CPS 开发生命周期中。在记录的事件中，现有的研究并没有清楚地描述 CPS 中无人值守的安全问题可能造成或已经造成的损害程度。缺少对可以集成到 CPS 的开发和维护中的可能风险管理技术的概述，这些技术有助于提高其实际环境中的安全级别。在本文中，我们将重点介绍科学文献中讨论的 CPS 特有的安全要求和问题，并确定用于识别、监控和控制这些安全问题的最先进的风险管理流程。 CPS。为此，我们对从 2000 年至 2020 年间发表的 312 篇论文中收集的数据进行了系统的映射研究，重点关注 CPS 的安全要求、挑战和风险管理流程。我们的工作旨在概述当今 CPS 中的安全要求和风险以及迄今为止已发表的那些贡献，以提高 CPS 的可靠性。该映射研究的结果表明 (i) 完整性认证和机密性是 CPS 中最有针对性的安全属性，(ii) 基于模型的技术是 CPS 中最常用的风险识别和评估和管理技术，(iii) 网络安全作为 CPS 中最常见的安全风险，(iv) 基于系统类型的“缓解措施”概念和强调国际公认的标准是 CPS 中最常用的风险缓解技术，(v) 智能电网是最有针对性的系统受到网络攻击，因此是 CPS 文献中探索最多的领域，以及 (vi) 主要限制之一，根据所选文献，涉及使用故障树进行故障表示，其中有可能未考虑运行时系统故障。最后，映射研究根据调查结果对从业者和研究人员产生影响。