Regulating Cyberworthiness: Governance Frameworks for Safety-Critical Cyber-Physical Systems
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
** paper is very long and verbose. Cut it down to about 20 pages
** all figures: when you hover over any figure, it is showing it is AI generated, and the tool tip says “AI generated content may be incorrect”. Authors must carefully check all the figures and make sure AI did not hallucinate
** Lines 452 – 466: has quantum computing deployed in this domain?
** Line 545: remove “below”
** this author is not sure about the archival value of this paper. The conclusion section 7 lists 3 recommendations for the regulatory aviation bodies. Add more details on implementing each recommendation: how long it takes to implement, resources required, and the approval process.
Author Response
** paper is very long and verbose. Cut it down to about 20 pages
Response/Action taken: Although parts were cut down where possible, this has had only a minor impact on the overall length.
** all figures: when you hover over any figure, it is showing it is AI generated, and the tool tip says “AI generated content may be incorrect”. Authors must carefully check all the figures and make sure AI did not hallucinate
Response/Action taken: I am unsure why this is occurring. All figures were developed or adapted for this paper; no AI was used. The message that appears is not associated with the development of this article and may be associated with MDPI formatting the system that you are viewing the manuscript on.
** Lines 452 – 466: has quantum computing deployed in this domain?
Response/Action taken: You are correct in making this observation, as there is little evidence that quantum computing has been deployed in this domain. The wording in this area has been amended to reflect this, and it is noted that the impact of quantum computing should be anticipated.
** Line 545: remove “below”
Response/Action taken: Thank you for pointing this out, the word “below” has been removed.
** this author is not sure about the archival value of this paper. The conclusion section 7 lists 3 recommendations for the regulatory aviation bodies. Add more details on implementing each recommendation: how long it takes to implement, resources required, and the approval process.
Response/Action taken: Thank you for this feedback. Changes have been made in Sections 5 and 7 to resolve these concerns. It is noted that Regulators will need to assess the speed with which they can implement these changes within their broader legislative frameworks, and with consideration of the regulated communities that will be impacted by these changes.
Reviewer 2 Report
Comments and Suggestions for Authors
- This paper discusses ways of improving the governance of modern cyber-physical systems (CPS) and Complex Systems of CPS through better standards and regulations.
- This paper considers insights into how maritime, aviation, and nuclear regulators from the United States, the European Union, and Australia.
- This study is a systematic review paper which looks for analysis of the regulations, codes, standards and guidance that have already been published related to the hazards in CPS systems.
- However, references are adequate, but those references mainly relied on standards, governance reports and regulations; it would be better if authors cite several recent publications relating to CPS systems safety or so on as well.
- Fonts of Figure 2 need to be improved for better visibility.
Author Response
- This paper discusses ways of improving the governance of modern cyber-physical systems (CPS) and Complex Systems of CPS through better standards and regulations.
- This paper considers insights into how maritime, aviation, and nuclear regulators from the United States, the European Union, and Australia.
- This study is a systematic review paper which looks for analysis of the regulations, codes, standards and guidance that have already been published related to the hazards in CPS systems.
- However, references are adequate, but those references mainly relied on standards, governance reports and regulations; it would be better if authors cite several recent publications relating to CPS systems safety or so on as well.
Response/Action taken: Thank you for your feedback. Additional references have been integrated. Section 3.6 now includes additional contemporary examples of cyber-attacks.
- Fonts of Figure 2 need to be improved for better visibility.
Response/Action taken: Thank you for this observation. The text in the figure has been amended.
Reviewer 3 Report
Comments and Suggestions for Authors
This paper presents a comprehensive argument for a new governance paradigm for safety-critical cyber-physical systems (CPS), centered on the concept of "cyberworthiness." It identifies a critical gap in current regulatory frameworks, which tend to address physical safety and cybersecurity in isolation. Through an analysis of regulatory documents from the maritime, aviation, and nuclear sectors across the US, EU, and Australia, the authors contend that existing approaches are insufficient for the complex, interconnected nature of modern CPS. The paper's ambition to synthesize regulatory theory, complex systems governance, and cybersecurity into a coherent framework for high-hazard industries is both timely and commendable.
Despite its valuable premise, the manuscript requires a major revision due to significant methodological weaknesses and a lack of analytical depth. The core of the empirical work is described as a "systematic document review and word search analysis," which, as presented, lacks scientific rigor. Simply searching for terms like "cyber" or "computer" and then qualitatively assessing the surrounding text is a highly subjective process that is vulnerable to researcher bias. The paper fails to provide a transparent, replicable methodology for how these word searches translated into the summary ratings of "Low," "Moderate," or "High" importance and conformance. A more robust approach, such as a systematic content analysis with a defined coding scheme, thematic analysis, or a grounded theory approach, would be necessary to substantiate the claims made in the findings tables (Tables 6-9). Without this, the analysis section reads more like an informed opinion than a rigorous empirical study.
Furthermore, the structure and argumentation of the paper could be significantly improved. A substantial portion of the manuscript is dedicated to defining foundational concepts (e.g., CPS, CSoCPS, types of regulation) that, while useful, detract from the paper's core research contribution and make it read more like a literature review or position paper. The logical connection between the analysis in Section 4 and the proposed principles-based requirements in Section 5 is not as strong as it could be. While the analysis effectively highlights regulatory gaps, the proposed framework in Section 5 appears as a well-reasoned but separate proposal rather than a set of principles directly derived from the analytical findings. The paper would be more impactful if it explicitly demonstrated how each identified gap in the analysis directly informs a specific principle in the proposed governance framework.
In addition, the current manuscript lacks discussion about recent attacks on CPS such as smartphones and other critical infrastructures. Below are some works you have to discuss in the revised version.
- Injection Attacks on CPS: (1) Wight: Wired ghost touch attack on capacitive touchscreens (IEEE S&P’22), (2) PowerRadio: Manipulate Sensor Measurement via Power GND Radiation (NDSS’25), (3) False Reality: Uncovering Sensor-induced Human-VR Interaction Vulnerability (Arxiv).
- Side-channel Attacks on CPS: (1) Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels (IEEE S&P’23), (2) Recovering Fingerprints from In-Display Fingerprint Sensors via Electromagnetic Side Channel (ACM CCS’23), (3) Exploiting Contactless Side Channels in Wireless Charging Power Banks for User Privacy Inference via Few-shot Learning (MobiCom’23).
- Defense/Authentication on CPS: (1) MagSign: Harnessing Dynamic Magnetism for User Authentication on IoT Devices (IEEE TMC’23), (2) Evidence in hand: Passive vibration response-based continuous user authentication (ICDCS’21), (3) HandKey: Knocking-triggered robust vibration signature for keyless unlocking (IEEE TMC’22).
In conclusion, this paper tackles an issue of immense importance and introduces the valuable concept of cyberworthiness as a necessary evolution in safety governance. However, to be suitable for publication, it must be substantially revised. The authors need to fundamentally strengthen their methodology to provide a transparent and rigorous analysis of the regulatory documents. They should also streamline the background sections and more explicitly bridge the gap between their analysis of current regulations and the development of their proposed cyberworthiness framework.
Author Response
This paper presents a comprehensive argument for a new governance paradigm for safety-critical cyber-physical systems (CPS), centered on the concept of "cyberworthiness." It identifies a critical gap in current regulatory frameworks, which tend to address physical safety and cybersecurity in isolation. Through an analysis of regulatory documents from the maritime, aviation, and nuclear sectors across the US, EU, and Australia, the authors contend that existing approaches are insufficient for the complex, interconnected nature of modern CPS. The paper's ambition to synthesize regulatory theory, complex systems governance, and cybersecurity into a coherent framework for high-hazard industries is both timely and commendable.
Despite its valuable premise, the manuscript requires a major revision due to significant methodological weaknesses and a lack of analytical depth. The core of the empirical work is described as a "systematic document review and word search analysis," which, as presented, lacks scientific rigor. Simply searching for terms like "cyber" or "computer" and then qualitatively assessing the surrounding text is a highly subjective process that is vulnerable to researcher bias.
The paper fails to provide a transparent, replicable methodology for how these word searches translated into the summary ratings of "Low," "Moderate," or "High" importance and conformance. A more robust approach, such as a systematic content analysis with a defined coding scheme, thematic analysis, or a grounded theory approach, would be necessary to substantiate the claims made in the findings tables (Tables 6-9). Without this, the analysis section reads more like an informed opinion than a rigorous empirical study.
Response/Action taken: Thank you for this feedback. The analysis has been strengthened with a more robust content analysis and word frequency analysis using MAXQDA auto-coding on the full set of documents assessed. This has been integrated into Section 4.
Furthermore, the structure and argumentation of the paper could be significantly improved. A substantial portion of the manuscript is dedicated to defining foundational concepts (e.g., CPS, CSoCPS, types of regulation) that, while useful, detract from the paper's core research contribution and make it read more like a literature review or position paper.
Response/Action taken: Thank you for this feedback. These sections have been included for completeness. Efforts were made to reduce content where possible.
The logical connection between the analysis in Section 4 and the proposed principles-based requirements in Section 5 is not as strong as it could be. While the analysis effectively highlights regulatory gaps, the proposed framework in Section 5 appears as a well-reasoned but separate proposal rather than a set of principles directly derived from the analytical findings. The paper would be more impactful if it explicitly demonstrated how each identified gap in the analysis directly informs a specific principle in the proposed governance framework.
Response/Action taken: This feedback is acknowledged, and additional references have been included in Section 5 to demonstrate the links with the background and analysis sections.
In addition, the current manuscript lacks discussion about recent attacks on CPS, such as smartphones and other critical infrastructures. Below are some works you have to discuss in the revised version.
- Injection Attacks on CPS: (1) Wight: Wired ghost touch attack on capacitive touchscreens (IEEE S&P’22), (2) PowerRadio: Manipulate Sensor Measurement via Power GND Radiation (NDSS’25), (3) False Reality: Uncovering Sensor-induced Human-VR Interaction Vulnerability (Arxiv).
- Side-channel Attacks on CPS: (1) Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels (IEEE S&P’23), (2) Recovering Fingerprints from In-Display Fingerprint Sensors via Electromagnetic Side Channel (ACM CCS’23), (3) Exploiting Contactless Side Channels in Wireless Charging Power Banks for User Privacy Inference via Few-shot Learning (MobiCom’23).
- Defense/Authentication on CPS: (1) MagSign: Harnessing Dynamic Magnetism for User Authentication on IoT Devices (IEEE TMC’23), (2) Evidence in hand: Passive vibration response-based continuous user authentication (ICDCS’21), (3) HandKey: Knocking-triggered robust vibration signature for keyless unlocking (IEEE TMC’22).
Response/Action taken: Thank you, these references are valuable additions and have been included and discussed in Section 3.6, Illustrative Case Studies of Cyberworthiness Issues of Cyber-Physical Systems.
In conclusion, this paper tackles an issue of immense importance and introduces the valuable concept of cyberworthiness as a necessary evolution in safety governance. However, to be suitable for publication, it must be substantially revised.
Round 2
Reviewer 3 Report
Comments and Suggestions for Authors
I sincerely appreciate the authors for their efforts in the submission and revisions. All my previous concerns were addressed. I suggest accepting this paper as it is.

