SECURITY-BY-DESIGN IN INTELLIGENT CYBER-PHYSICAL SYSTEMS: AN AI-ENHANCED ADAPTIVE DEVSECOPS ARCHITECTURE

Authors

  • Zheng Li, School of Software Engineering and DevSecOps Pipelines, Shanghai Jiao Tong University, China

Keywords:

DevSecOps, Threat Intelligence, Security-by-Design

Abstract

Background: The convergence of DevOps practices with security (DevSecOps) has become a necessary evolution to secure modern cloud-native and cyber-physical systems; yet the integration of artificial intelligence (AI/ML), threat intelligence automation, and Security-by-Design into DevSecOps pipelines remains immature (Myrbakken & Colomo-Palacios, 2017; Carter, 2017; Malik, 2025).

Objective: This paper synthesizes evidence from literature and professional studies to advance an integrative conceptual framework—Adaptive DevSecOps for Intelligent Cyber-Physical Systems (ADICS)—that formalizes how AI/ML, automated threat intelligence, and model-based security assurances interoperate within continuous delivery for IoT, smart grid and GNSS-dependent systems (Yan et al., 2012; Thombre et al., 2017; Pramanik et al., 2017).

Methods: We perform an analytic synthesis of empirical studies, systematic reviews, and methodological contributions (Erich et al., 2017; Bahaa et al., 2021; Casola et al., 2024), mapping security controls to pipeline stages and describing AI/ML roles in verification and runtime monitoring (Cankar et al., 2023; Djosic et al., 2020). We then develop a prescriptive, text-based methodology for integrating threat intelligence automation and Security-by-Design SLAs into CI/CD.

Results: ADICS articulates (1) a layered threat model for cyber-physical contexts, (2) an AI/ML lifecycle integrated into build, test, and monitoring stages, and (3) automated risk mitigation flows that can block or quarantine artifacts before production (Malik, 2025; Bromberg & Gitzinger, 2020). We identify trade-offs between automation, explainability, and governance and provide operational controls for each trade-off.

Conclusions: Integrating AI/ML and real-time threat intelligence into DevSecOps can materially raise security assurance for intelligent cyber-physical systems, but success requires model-based security SLAs, continuous verification, and governance frameworks that balance automation with human oversight (Casola et al., 2020; Casola et al., 2024). Recommendations and a research agenda are provided.

References

Myrbakken, H., & Colomo-Palacios, R. (2017). DevSecOps: A Multivocal Literature Review. Communications in Computer and Information Science, 17–29. https://doi.org/10.1007/978-3-319-67383-7_2

Thombre, S., Bhuiyan, M. Z. H., Eliardsson, P., Gabrielsson, B., Pattinson, M., Dumville, M., Fryganiotis, D., Hill, S., Manikundalam, V., Pölöskey, M., Lee, S., Ruotsalainen, L., Söderholm, S., & Kuusniemi, H. (2017). GNSS Threat Monitoring and Reporting: Past, Present, and a Proposed Future. Journal of Navigation, 71(3), 513–529. https://doi.org/10.1017/s0373463317000911

Erich, F. M. A., Amrit, C., & Daneva, M. (2017). A qualitative study of DevOps usage in practice. Journal of Software, 29(6). https://doi.org/10.1002/smr.1885

Huang, M., & Rust, R. T. (2018). Artificial intelligence in service. Journal of Service Research, 21(2), 155–172. https://doi.org/10.1177/1094670517752459

Yan, Y., Qian, Y., Sharif, H., & Tipper, D. (2012). A survey on cyber security for smart grid communications. IEEE Communications Surveys & Tutorials, 14(4), 998–1010. https://doi.org/10.1109/surv.2012.010912.00035

Mell, P., & Grance, T. (2011). The NIST definition of cloud computing. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Carter, K. (2017). Francois Raynaud on DevSecOps. IEEE Software, 34(5), 93–96. https://doi.org/10.1109/ms.2017.3571578

Ehrlich, M., Trsek, H., Lang, D., Wisniewski, L., Wendt, V., & Jasperneite, J. (2017). Security concept for a cloud-based automation service. In VDI Verlag eBooks (pp. 151–152). https://doi.org/10.51202/9783181022931-151

Pramanik, P. K. D., Pal, S., & Choudhury, P. (2017). Beyond automation: the cognitive IoT. Artificial intelligence brings sense to the internet of things. In Lecture notes on data engineering and communications technologies (pp. 1–37). https://doi.org/10.1007/978-3-319-70688-7_1

Bahaa, A., Abdelaziz, A., Sayed, A., Elfangary, L., & Fahmy, H. (2021). Monitoring real time security attacks for IoT systems using DevSecOps: A systematic literature review. Information, 12(4), 154.

Bromberg, Y.-D., & Gitzinger, L. (2020). DroidAutoML: A microservice architecture to automate the evaluation of Android machine learning detection systems. In Distributed Applications and Interoperable Systems: 20th IFIP WG 6.1 International Conference, DAIS 2020, Proceedings (pp. 148–165). Springer-Verlag. https://doi.org/10.1007/978-3-030-50323-9_10

Guzman Camacho, N. (2024). Unlocking the potential of AI/ML in DevSecOps: Effective strategies and optimal practices. Journal of Artificial Intelligence General Science (JAIGS), 3(1), 106–115.

Cankar, M., Petrovic, N., Pita Costa, J., Cernivec, A., Antic, J., Martincic, T., & Stepec, D. (2023). Security in DevSecOps: Applying tools and machine learning to verification and monitoring steps. In Companion of the 2023 ACM/SPEC International Conference on Performance Engineering (ICPE ’23 Companion) (pp. 201–205). Association for Computing Machinery. https://doi.org/10.1145/3578245.3584943

Casola, V., De Benedictis, A., Mazzocca, C., & Orbinato, V. (2024). Secure software development and testing: A model-based methodology. Computers & Security, 137, Article 103639. https://doi.org/10.1016/j.cose.2023.103639

Casola, V., De Benedictis, A., Rak, M., & Villano, U. (2020). A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach. Journal of Systems and Software, 163, 110537. https://doi.org/10.1016/j.jss.2020.110537

Malik, G. (2025). Integrating threat intelligence with DevSecOps: Automating risk mitigation before code hits production. Utilitas Mathematica, 122(2), 309–340.

CASP. (2019). CASP Qualitative Checklist. https://casp-uk.net/wp-content/uploads/2018/01/CASP-Qualitative-Checklist-2018.pdf

Djosic, N., Nokovic, B., & Sharieh, S. (2020). Machine learning in action: Securing IAM API by risk authentication decision engine. In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1–4). https://doi.org/10.1109/CNS48642.2020.9162317

Published

2025-11-28

How to Cite

Zheng Li. (2025). SECURITY-BY-DESIGN IN INTELLIGENT CYBER-PHYSICAL SYSTEMS: AN AI-ENHANCED ADAPTIVE DEVSECOPS ARCHITECTURE. Ethiopian International Journal of Multidisciplinary Research, 12(11), 526–532. Retrieved from https://www.eijmr.org/index.php/eijmr/article/view/3983