Evil digital twins and other risks: the use of twins opens up a host of new security concerns

The use of digital twins — virtual representations of actual or envisioned real-world objects — is growing. Their uses are multifold and can be incredibly helpful, providing real-time models of physical assets or even people or biological systems that can help identify problems as or even before they occur.

Grand View Research has predicted that the global digital twin market, valued at $11.1 billion in 2022, will grow at a 37.5% compound annual growth rate from 2023 to 2030 to eventually hit $155.83 billion.

But as companies expand their use of digital twins and others create new ones, experts say organizations are also increasing their cybersecurity exposure. Because digital twins rely on data to create an accurate representation of whatever they model, they are vulnerable. What if that data is corrupted or — far worse — stolen and used for evil rather than their intended purpose?

“Here we have another tool, and it can be beneficial, but it still needs to be hardened, it still needs cybersecurity applied to it, the connection to the internet has to be secured, and the data has to be protected,” says Brian Bothwell, a director in the science, technology assessment, and analytics (STAA) team at the US Government Accountability Office and author of a February 2023 GOA report on digital twins.

Digital twins are vulnerable to threats and need to be protected

Technology experts and security leaders say digital twins can be as vulnerable to existing threats as conventional information technology (IT) and operational technology (OT) environments. Some say digital twins could not only create new entry points for those types of attacks but could present opportunities for new attack types — including what one security expert described as the “evil digital twin.”

“There are a lot of cybersecurity and potential hacker infiltration opportunities in this kind of technology,” Bothwell says.

The beauty of digital twins is that they allow the testing and behavioral analysis of real-world systems using data from the system itself. The object represented by a digital twin could be a physical item such as an aircraft or an environment such as a building or manufacturing plant, a virtual replica of a technical system, an environment that already exists, with all the real-world processes simulated by the technology duplicated in the digital twin, or a replica of plans for those objects.

According to some, a digital twin can also be a duplicate of a person such as an employee or a persona — a digital representation of an individual entity such as a customer or a company.

Digital twins change in real-time to match the original

A digital twin is not static: it takes in the same data — often supplied in real-time — that its real-world twin does and changes accordingly. That kind of modeling has proven very useful to the manufacturing, aerospace, transportation, energy, utilities, healthcare, life sciences, retail, and real estate industries.

Regardless of the industry, organizations use digital twins to run simulations that can be performed faster, easier, cheaper, and with lower risk in the digital twin than the real-world environment. These simulations help organizations understand the outcomes of various scenarios, which helps with planning, predictive maintenance, design enhancements, and the like. Organizations can then take their findings from the simulations run in their digital twins and apply them to the real-world object.

“There are great benefits to digital twins, such as having the ability to monitor systems in real-time and using digital twins to forecast what might happen in certain situations,” Bothwell says. But there are risks, concerns, and dangers, which Bothwell highlights in his report: “Many industries use them to reduce costs, improve engineering design and production, and test supply chains. But some applications — like creating a digital twin of a person — raise technical, privacy, security, and ethical challenges.”

Digital twins can create an expanded attack surface

Digital twins involve the same complex collection and configuration of technologies that make up their real-world counterparts, explains Mahadeva Bisappa, a principal architect with SPR, a technology modernization firm. In other words, they’re comprised of the same constellation of systems, computing power (typically in the cloud), networking, and data flows.

“You need to secure all the endpoints; the cloud platform — whatever product you’re using — that needs to be secured. And whatever data is being fed in needs to be secured,” Bisappa says. Bisappa and others maintain that digital twins further expand the attack surface that hackers can exploit. “A digital twin is another internet-connected application, so you have all the same kinds of security issues.”

But there are additional concerns with the growing use of digital twins, says Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. To start, he says CISOs may not have visibility into their own organization’s use of digital twins.

CISOs need to be aware when digital twins are being used

“Is the CISO even aware of this happening?” he asks, explaining that he has seen business units take the lead on implementing digital twins without consulting security. As he points out: “It’s hard to apply effective controls to something you don’t know even exists.”

Legal and regulatory issues come into play with digital twins, too, McGladrey says. The primary concerns are around whether the operators of digital twins can ensure that the data being used in their digital twins is handled in ways that meet regulatory requirements around privacy, confidentiality, and even the geography where data can be housed.

Data ownership can also become a problematic point if not addressed, particularly if an organization is partnering with other entities to run its digital twins, he adds.

McGladrey says some organizations may be falling short in addressing these security and risk considerations, as the business and engineer teams using the digital twins may fear that adding in certain or too many security controls could slow digital twin performance.

The possibility for emerging risks, novel threats

Some see even more risks stemming from the digital twin’s very nature. Jason M. Pittman, collegiate faculty with the School of Cybersecurity & Information Technology at the University of Maryland Global Campus (UMGC), is one such person.

He has highlighted the security risk around what he terms the “evil digital twin.” In a recent UMGC blog, Pittman predicted: “Over the coming year, we will witness a rise of evil digital twins. This malicious virtual software model will be used to enhance cybercriminal activities such as ransomware, phishing, and highly targeted cyber warfare. Such attacks will demonstrate a significant increase in effectiveness compared to traditional methods because of the specificity provided through the evil digital twin models.”

A hacker could create a digital twin of an existing persona, “insert it into your environment and then watch and participate in your organization and then inject malware into the ecosystem,” Pittman tells CSO. “This gives hackers another avenue in, and it’s unlikely there’s a defense for this.”

Evil digital twins could skew simulation outcomes

Pittman says he sees other new attack scenarios arising from the use of digital twins; for example, if hackers are able to break into a digital twin environment, they could either steal the data or, depending on their motives, could manipulate the data used by the digital twin to deliberately skew the simulation outcomes.

Given the potential for such scenarios, Pittman adds: “I think this is another instance in which we’re propagating technology without necessarily thinking about the repercussions. I’m not saying that’s good or bad; we’re humans, and it’s what we do really well. And while I don’t think we’re going to see something catastrophic, I think we’ll see something significant.”

Pittman isn’t the only one voicing concerns about the potential for new security threats arising from digital twins. Bothwell, while researching the topic of digital twins, heard concerns about the possibility that adversaries could manipulate data within digital twins. “We didn’t look at it specifically for the report, but that’s one of the issues that came up,” he says, adding that it’s a frequently-mentioned concern around training data used in machine learning algorithms — an attack type known as “data poisoning.”

David Shaw, CEO of cybersecurity firm Intuitus, also warns that there are hazards inherent in twinning. Shaw, who is also co-chair of the fintech, security and trustworthy and aerospace and defense working groups at the nonprofit Digital Twin Consortium, notes that digital twins have been in use in some industries for many years but as they are increasingly used in more and more technologies, the risks are increasing too.

Security should start at the onset of digital twins

For example, augmented and virtual reality technologies are becoming part of the digital twin landscape, adding another layer of possible vulnerability and necessitating additional security considerations. But Shaw says that security is not always part of the digital twin buildout and instead is brought in later in the process. That, he says, typically means subpar security controls.

“Security has got to be baked right into the core of the digital twin you’re building. It has to be there right from the onset to protect it,” he adds. “But the engineers [building digital twins] and cybersecurity still have a lot of work to do to learn to work together.”

And like Pittman, Shaw acknowledges the potential for novel attack scenarios to emerge, noting that researchers in the past have identified new instruction techniques in test beds, indicating that such are possible.

There’s also the question, Shaw says, if hackers were to evolve a new attack type, whether organizations could detect it. Given that, he stresses the need for vigilance and proactive security.

“We have to keep our eyes open for it, and we have to find ways to bake in guardrails to identify anomalous behavior.”