Large-scale digital transformation initiatives over the last decade mean that cyber-physical systems are now intertwined with many manufacturing and industrial processes. These intelligent systems use computing, networking and sensors to help monitor, control and optimize physical environments. There are also IoT devices connecting IT and OT environments, and smart devices get created and sold to other businesses or customers.
Blending the physical and virtual is central to Industry 4.0, but this blurring of the lines between the physical and digital worlds carries cybersecurity risks. Some of the biggest cyberattacks in recent years targeted critical infrastructure and manufacturing sectors, where cyber-physical systems and IoT devices feature heavily. This article outlines how the use of digital twins in cybersecurity can help to reduce risks in an increasingly connected world.
IT/OT Convergence and an Expanded Attack Surface
The convergence of information technology and operational technology is a cornerstone feature of modern industrial processes that sees increased connectivity and communication between these formerly siloed environments. There are many upsides to this convergence, including cost savings, more efficient processes and better agility in responding to changing conditions.
One downside, though, is that this interconnectivity greatly expands the attack surface and introduces extra security risks in operational environments, such as plant floors. Mismanaged convergence can mean threat actors using malicious tactics and communications from the IT side to hijack the devices that control important industrial processes. The risks here go beyond the financial into potential safety ramifications.
A recent incident that exemplifies this risk is the Colonial Pipeline breach. The ransomware attack on the pipeline began on the IT side by compromising a legacy VPN account. The operators evidently felt that close alignment between IT and OT warranted a complete pipeline shutdown. The outcome was panicked motorists and widespread gas shortages in several states.
Another facet to consider here is that many (indeed most) OT systems, such as industrial control systems (ICS), aren’t designed with security in mind. The overarching focus for any ICS design is on reliability, because any significant downtime in manufacturing, energy or even adjacent sectors like healthcare is intolerable.
What is a Digital Twin?
There are many different definitions of digital twins out there, but the simplest and most practical one is that it’s a virtual model that represents a physical object or process. These virtual models, accessible via dedicated software or platforms, use machine learning and data modeling to create exact digital counterparts of physical systems, and they’re often fed relevant real-time data by sensors fitted to the actual physical system. You can use digital twins to run simulations, understand performance, and tweak the underlying system or process represented in the model.
The origin of digital twin technology is an interesting story in itself. As far back as NASA’s Apollo missions in the 1960s, astronauts and engineers built physical replicas of spacecraft engines. Engineers fed data reflecting actual flight conditions digitally into these physical replicas to help diagnose problems and run simulations. Modern digital twin technology advanced the concept further by negating any need for physical replicas, ensuring that the same idea could be realized using solely a computer system.
Digital twins took off in the manufacturing sector around 2013, with use cases including machine health monitoring, systems engineering and prognostics.
Potential Uses of Digital Twins in Cybersecurity
The use of digital twins in cybersecurity potentially empowers security teams to get ahead of sophisticated threat actors and reduce risks to cyber-physical systems in manufacturing, IoT devices and consumer smart devices. Here are three exciting use cases for digital twins in cybersecurity:
Whether the device you want to secure is a cyber-physical system used within a smart grid, a self-driving car or an IoT blood pressure monitor, digital twins let security professionals simulate a slew of cyberattacks on physical systems to see how they react while under attack.
The results of these simulated attacks can be fed back into the systems’ design before these crucial devices ever leave plant floors. Analyzing how the system reacts in response to different types of cyberattacks helps to create more robust designs with greater fault tolerance built-in.
Digital twins also improve the security of a system’s design by reducing its attack surface. Leaving aside any attack simulations, thoroughly analyzing the system’s architecture, communications protocols and traffic flows during normal system use can flag weak spots that malicious outsiders could feasibly exploit. Unneeded services could be taken out of the design to reduce the system’s attack surface.
Safer Penetration Testing
Penetration tests in ICS/OT environments are a valuable but risky activity. Bearing in mind how intolerable system downtime is, pen tests on live production systems could cause damage that results in downtime. Often, there is a compromise where certain paths, techniques or tools aren’t used during these tests because of the threat they pose to availability.
However, in the real world, hackers don’t care if they take a crucial operational system down when trying to achieve their goals. In fact, taking a system or bunch of systems down may well be the prime objective of any given cyberattack on an OT/ICS environment.
Digital twins offer the potential to perform comprehensive pen tests on the virtual representations of systems without any risk of affecting live systems. This has the dual benefit of addressing more security risks and ensuring no downtime.
Smarter Intrusion Detection
Intrusion detection capabilities in OT environments are one of the more exciting ways to use digital twins in cybersecurity. As cyberattacks targeting these environments increase due to growing interconnectivity, ICS, including Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS), need intrusion detection to precisely monitor for malicious activities or corporate security policy violations.
One interesting research paper from 2020 outlines the use of digital twins for intrusion detection. Since digital twins can be fed real-time data that enables them to mirror the performance and state of actual physical systems upon which they’re based, an intrusion detection algorithm can monitor and detect attacks rapidly without any impact on or interference with production systems.
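The detection idea described above can be made concrete with a small worked example. The code below is an added illustration, not code from the original article or from the 2020 paper it mentions. It assumes a hypothetical tank-level process: a first-principles model (the twin) predicts the next level from the last reported level and the last reported valve command, and the detector raises an alert when the reported level persistently disagrees with that prediction. The telemetry is constructed inline; in the tampered phase the reported valve command claims the valve is closed while the level keeps rising as if it were open, which is the kind of command/state disagreement a twin can expose without touching the production system.

```python
"""Digital-twin residual detector for a hypothetical tank-level process.

Added example (not the article's or any vendor's code). The plant model,
constants and telemetry are all assumptions constructed for illustration.
"""

DT = 1.0          # seconds per telemetry sample (assumed)
INFLOW_MAX = 2.0  # litres/s into the tank with the valve fully open (assumed)
OUTFLOW_K = 0.05  # outflow is proportional to level, 1/s (assumed)


def twin_step(level, valve):
    """One step of the twin's first-principles model: next level given the
    current level and the valve command (0.0 = closed, 1.0 = fully open)."""
    valve = max(0.0, min(1.0, valve))
    inflow = INFLOW_MAX * valve
    outflow = OUTFLOW_K * level
    return max(0.0, level + DT * (inflow - outflow))


def detect_anomalies(telemetry, threshold=0.5, persistence=3):
    """Run the twin in lock-step with reported telemetry.

    telemetry: list of (reported_valve_cmd, reported_level) tuples.
    After each step the twin is re-synchronised to the reported level so that
    small model error does not accumulate; an alert fires only when the
    one-step residual exceeds `threshold` for `persistence` consecutive
    samples, which keeps ordinary sensor jitter from paging anyone.
    Returns the list of sample indices at which an alert was raised.
    """
    alerts = []
    streak = 0
    twin_level = telemetry[0][1]
    for i in range(1, len(telemetry)):
        valve_prev, _ = telemetry[i - 1]
        _, reported = telemetry[i]
        predicted = twin_step(twin_level, valve_prev)
        residual = abs(reported - predicted)
        if residual > threshold:
            streak += 1
            if streak >= persistence:
                alerts.append(i)
        else:
            streak = 0
        twin_level = reported  # re-sync the twin to the observed state
    return alerts


def build_sample_telemetry(n_steps=40, tamper_start=20):
    """Constructed telemetry, not captured from any real plant.

    The physical valve stays fully open throughout. From `tamper_start`
    onward the *reported* command claims the valve is closed, so the
    reported state no longer agrees with the physics the twin expects.
    Pass tamper_start=None for an honest trace.
    """
    telemetry = []
    true_level = 10.0
    for i in range(n_steps):
        noise = 0.05 if i % 2 == 0 else -0.05  # deterministic sensor jitter
        reported_valve = 1.0
        if tamper_start is not None and i >= tamper_start:
            reported_valve = 0.0
        telemetry.append((reported_valve, true_level + noise))
        true_level = twin_step(true_level, 1.0)  # actual valve is open
    return telemetry


if __name__ == "__main__":
    honest = build_sample_telemetry(tamper_start=None)
    tampered = build_sample_telemetry()
    print("honest trace alerts:", detect_anomalies(honest))
    print("tampered trace alerts:", detect_anomalies(tampered))
```

The residual check is deliberately one-step: re-syncing the twin to the last observation means the detector judges each sample against the physics of the previous one, so a slightly imperfect model does not drift into false positives, while a command that contradicts the observed behaviour produces a residual every step and trips the persistence counter within a few samples. In a real deployment the threshold and persistence would be tuned against the noise and dynamics of the specific process.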
These use cases represent just a small sample of what’s possible with digital twins in cybersecurity. However, while digital twins might empower improved detection of anomalous behaviors, thwarting attacks only comes from accelerated detection and response.