{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T09:33:37Z","timestamp":1743154417382,"version":"3.40.3"},"publisher-location":"Cham","reference-count":16,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031532269"},{"type":"electronic","value":"9783031532276"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,2,9]],"date-time":"2024-02-09T00:00:00Z","timestamp":1707436800000},"content-version":"vor","delay-in-days":39,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Secure and agile development of operational technology (OT) and related software in industry is a crucial but challenging issue. Generally recognized standards such as IEC 62443\u20134-1 set up the requirements for cybersecurity processes for OT and software development. The main challenge of IEC 62443\u20134-1 resides in its adoption and implementation in practice, which originates from the standard\u2019s complexity. We propose three novel design principles and two subsequent design objectives to be prioritized for future design-research oriented work on standard-compliant DevSecOps. The design principles have been formed after six years of experience and observations in cybersecurity consulting in industry, documented here as a piece of action design research (ADR). As a case study, we describe instantiation of the design principles at Valmet Automation Systems, one of the earliest IEC 62443\u20134-1 -certified companies. The proposed design principles altogether suggest for the information-centric view on the contextual adoption and use of the IEC 62443\u20134-1 standard in DevSecOps practices for OT.<\/jats:p>","DOI":"10.1007\/978-3-031-53227-6_28","type":"book-chapter","created":{"date-parts":[[2024,2,8]],"date-time":"2024-02-08T06:02:41Z","timestamp":1707372161000},"page":"400-415","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Information-Centric Adoption and Use of Standard Compliant DevSecOps for Operational Technology: From Experience to Design Principles"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3791-882X","authenticated-orcid":false,"given":"Henry","family":"Haverinen","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7477-0783","authenticated-orcid":false,"given":"Tero","family":"P\u00e4iv\u00e4rinta","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0000-5410-4364","authenticated-orcid":false,"given":"Jussi","family":"V\u00e4nsk\u00e4","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6341-7055","authenticated-orcid":false,"given":"Henry","family":"Joutsijoki","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,2,9]]},"reference":[{"key":"28_CR1","doi-asserted-by":"publisher","first-page":"106894","DOI":"10.1016\/j.infsof.2022.106894","volume":"147","author":"MA Akbar","year":"2022","unstructured":"Akbar, M.A., Smolander, K., Mahmood, S., Alsanad, A.: Toward successful DevSecOps in software development organizations: a decision-making framework. Inf. Softw. Technol. 147, 106894 (2022)","journal-title":"Inf. Softw. Technol."},{"key":"28_CR2","volume-title":"The Mythical Man-Month","author":"FP Brooks Jr","year":"1975","unstructured":"Brooks, F.P., Jr.: The Mythical Man-Month. Addison-Wesley, Reading MA (1975)"},{"key":"28_CR3","volume-title":"Database Management: Objectives, System Functions, and Administration","author":"GC Everest","year":"1986","unstructured":"Everest, G.C.: Database Management: Objectives, System Functions, and Administration. McGraw-Hill, New York (1986)"},{"issue":"6","key":"28_CR4","doi-asserted-by":"publisher","first-page":"3370","DOI":"10.1109\/TII.2017.2740434","volume":"13","author":"O Givehchi","year":"2017","unstructured":"Givehchi, O., Landsdorf, K., Simoens, P., Colombo, A.W.: Interoperability for industrial cyber-physical systems: an approach for legacy systems. IEEE Trans. Industr. Inf. 13(6), 3370\u20133378 (2017)","journal-title":"IEEE Trans. Industr. Inf."},{"issue":"6","key":"28_CR5","first-page":"1622","volume":"21","author":"S Gregor","year":"2020","unstructured":"Gregor, S., Chandra Kruse, L., Seidel, S.: Research perspectives: the anatomy of a design principle. J. Assoc. Inf. Syst. 21(6), 1622\u20131652 (2020)","journal-title":"J. Assoc. Inf. Syst."},{"issue":"4","key":"28_CR6","doi-asserted-by":"publisher","first-page":"394","DOI":"10.1016\/j.infsof.2010.12.002","volume":"53","author":"J Iden","year":"2011","unstructured":"Iden, J., Tessem, B., P\u00e4iv\u00e4rinta, T.: Problems in the interplay of development and IT operations in system development projects: a delphi study of Norwegian IT experts. Inf. Softw. Technol. 53(4), 394\u2013406 (2011)","journal-title":"Inf. Softw. Technol."},{"unstructured":"IEC 62443\u20134\u20131 International Standard: Security for industrial automation and control systems - Part 4\u20131: Secure product development lifecycle requirements. International Electrotechnical Commission (2018)","key":"28_CR7"},{"unstructured":"ISASecure: ISASecure SDLA Certified Development Organizations. International Society of Automation. https:\/\/isasecure.org\/end-users\/iec-62443-4-1-certified-development-organizations. Accessed 23 Dec 2022","key":"28_CR8"},{"issue":"6","key":"28_CR9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3359981","volume":"52","author":"L Leite","year":"2020","unstructured":"Leite, L., Rocha, C., Kon, F., Milojicic, D., Meirelles, P.: A survey of DevOps concepts and challenges. ACM Comput. Surv. 52(6), 1\u201335 (2020). https:\/\/doi.org\/10.1145\/3359981","journal-title":"ACM Comput. Surv."},{"doi-asserted-by":"crossref","unstructured":"Moy\u00f3n, F., Almeida, P., Riofr\u00edo, D., Mendez, D., Kalinowski, M.: Security compliance in agile software development: a systematic mapping study. In: Proceedings of the 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 413\u2013420 (2020)","key":"28_CR10","DOI":"10.1109\/SEAA51224.2020.00073"},{"key":"28_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"434","DOI":"10.1007\/978-3-030-64148-1_27","volume-title":"Product-Focused Software Process Improvement (PROFES 2020)","author":"F Moy\u00f3n","year":"2020","unstructured":"Moy\u00f3n, F., Soares, R., Pinto-Albuquerque, M., Mendez, D., Beckers, K.: Integration of security standards in DevOps pipelines: an industry case study. In: Morisio, M., Torchiano, M., Jedlitschka, A. (eds.) Product-Focused Software Process Improvement (PROFES 2020). Lecture Notes in Computer Science, vol. 12562, pp. 434\u2013452. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64148-1_27"},{"key":"28_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"458","DOI":"10.1007\/978-3-030-67731-2_34","volume-title":"SOFSEM 2021: Theory and Practice of Computer Science","author":"F Moy\u00f3n","year":"2021","unstructured":"Moy\u00f3n, F., M\u00e9ndez, D., Beckers, K., Klepper, S.: Using process models to understand security standards. In: Bure\u0161, T., Dondi, R., Gamper, J., Guerrini, G., Jurdzi\u0144ski, T., Pahl, C., Sikora, F., Wong, P.W.H. (eds.) SOFSEM 2021. LNCS, vol. 12607, pp. 458\u2013471. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-67731-2_34"},{"key":"28_CR13","series-title":"Communication in Computer and Information Science","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/978-3-319-67383-7_2","volume-title":"Software Process Improvement and Capability Determination (SPICE 2017)","author":"H Myrbakken","year":"2017","unstructured":"Myrbakken, H., Colomo-Palacios, R.: DevSecOps: a multivocal literature review. In: Mas, A., Mesquida, A., O\u2019Connor, R., Rout, T., Dorling, A. (eds.) Software Process Improvement and Capability Determination (SPICE 2017). Communication in Computer and Information Science, vol. 770, pp. 17\u201320. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-67383-7_2"},{"key":"28_CR14","doi-asserted-by":"publisher","first-page":"106700","DOI":"10.1016\/j.infsof.2021.106700","volume":"141","author":"RN Rajapakse","year":"2022","unstructured":"Rajapakse, R.N., Zahedi, M., Babar, M.A., Shen, H.: Challenges and solutions when adopting DevSecOps: a systematic review. Inf. Softw. Technol. 141, 106700 (2022)","journal-title":"Inf. Softw. Technol."},{"key":"28_CR15","doi-asserted-by":"publisher","first-page":"106488","DOI":"10.1016\/j.infsof.2020.106488","volume":"131","author":"K Rindell","year":"2021","unstructured":"Rindell, K., Ruohonen, J., Holvitie, J., Hyrynsalmi, S., Lepp\u00e4nen, V.: Security in agile software development: a practitioner survey. Inf. Softw. Technol. 131, 106488 (2021)","journal-title":"Inf. Softw. Technol."},{"issue":"1","key":"28_CR16","doi-asserted-by":"publisher","first-page":"37","DOI":"10.2307\/23043488","volume":"35","author":"MK Sein","year":"2011","unstructured":"Sein, M.K., Henfridsson, O., Purao, S., Rossi, M., Lindgren, R.: Action design research. MIS Q. 35(1), 37\u201356 (2011)","journal-title":"MIS Q."}],"container-title":["Lecture Notes in Business Information Processing","Software Business"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-53227-6_28","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,7]],"date-time":"2024-03-07T20:05:50Z","timestamp":1709841950000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-53227-6_28"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031532269","9783031532276"],"references-count":16,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-53227-6_28","relation":{},"ISSN":["1865-1348","1865-1356"],"issn-type":[{"type":"print","value":"1865-1348"},{"type":"electronic","value":"1865-1356"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"9 February 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"Authors 1 and 4 were employed by Insta and author 3 by VAS during the research. Author 2 has no competing interests in the contents or results of this research.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"ICSOB","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Software Business","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Lahti","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Finland","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 November 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"icsob2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.lut.fi\/en\/icsob2023","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"79","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"27","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"34% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4,07","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3,21","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}