Abstract | Critical infrastructure (CI) is an integrated set of systems and assets that are essential to ensure the functioning of a nation, including its economy, the public's health and/or safety. Hence, protecting critical infrastructures (CI) is vital because of the potential severe consequences that may emerge at the national level. Many CIs are now controlled by software, and likewise, software is often the major source of many security problems in critical infrastructures. Software security management in CIs has been addressed in the literature and several useful approaches have been provided. Yet, these approaches are fragmented over multiple different studies, often do not explicitly relate to CIs, and a synthesized overview of the state-of-the-art on software security in CIs is lacking. To this end, this article presents the results of a systematic literature review (SLR) that identifies and synthesizes how software security has been addressed in CIs. This study identifies and synthesizes the current approaches applied for security management in critical systems in terms of identified security threats, adopted solutions, CI domains, and evaluation approaches. Hereby 32 primary studies were retrieved from electronic databases to respond to the research questions defined in this study. Based on the outcome of the SLR the reported approaches are discussed, and a roadmap is described for security management in CIs. The results of the SLR identify the current open challenges and pave the way for further research. In addition, practitioners can benefit from the best practices in the security management of CIs. |