The cybersecurity challenges and opportunities of digital twins

Digital twins are a digital representation of objects, structures or systems that give organizations greater insight into the life cycle of these objects, but this same level of insight and control can also open doors for malicious attackers.

Digital twins can be created for any physical infrastructure that includes individual components of an engine, turbine and other equipment, or entire factories, and data centers.

“What makes a digital twin different from just your normal model is the fact that it’s a model of the specific serial number that you have deployed in the field,” says Justin John, executive technology director at GE Global Research. “It’s either backed by physics, or you’ve learned how an asset works through historical data—and now you’re going to use that for prediction.”

Digital twins can scale to model complex systems, he says. “You might have five or six different models and then you’ll just combine them together for whatever business outcome you’re interested in.”

In some cases, digital twins can be used to directly control the asset they mirror.

Digital twin challenges CISOs face

By using data from a digital twin, a real-world device or system can be adjusted to work as efficiently as possible for cost savings and to extend its life cycle, but it also creates its own security risks.

Unfortunately, while CISOs should be key stakeholders in digital twin projects, they are almost never the ultimate decision maker, says Alfonso Velosa, research vice president of IoT at Gartner.

“Since digital twins are tools to drive business process transformation, the business or operational unit will often lead the initiative. Most digital twins are custom-built to address a specific business requirement,” he says.

When an enterprise buys a new smart asset, whether a truck, backhoe, elevator, compressor, or freezer, it will often come with a digital twin, according to Velosa. “Most of the operational teams will need a streamlined and cross-IT—not just CISO—set of support to integrate them into their broader business processes and to manage security.”

If proper cybersecurity controls aren’t put in place, digital twins can expand a company’s attack surface, give threat actors access to previously inaccessible control systems, and expose pre-existing vulnerabilities.

Expanded attack surface

When the digital twin of a system is created, the potential attack surface effectively doubles—adversaries can go after the systems themselves or attack the digital twin of that system.

Sometimes, when the underlying systems are not readily accessible from the outside, a digital twin can expose previously hidden parts of the enterprise. For example, in the past, a power supply in a data center might have only been accessible by a technician who is physically at a near-by control terminal. A digital twin of that infrastructure could allow the technician to monitor the device remotely—and so could a hacker if they managed to get access.

And it’s not just previously inaccessible sensor data that is now exposed. “In some cases, the digital twin can send control signals that change the state of the actual thing [being modelled],” says Gartner’s Velosa.

And when digital twins are models of business operations fed by real-time data, they can collect key enterprise information, and sometimes employee and customer personal identifiable information as well, according to Velosa. That makes them tempting targets.

Depending on the sovereign geography this can lead to regulatory and compliance penalties. “It also highlights what data is important since digital twins are built to meet business objectives,” he adds.

As a result, the outputs of a digital twin can tell an adversary or competitor not only what an enterprise is working on but can also give valuable insight into a company’s strategy and future direction, warns Velosa.

In addition, digital twins are linked to their physical twins, and that connection itself presents an additional attack vector to jump between twins, should one be compromised, says Lawrence Munro, group CISO for consulting firm NCC Group.

Finally, digital twins can be deployed to allow remote monitoring by internal users or third parties, says Munro. “This could introduce the threat of a remote user being able to access the physical twin via network connectivity.”

CISOs are unaware of assets that have digital twins

One of the top use cases of digital twins is to make operational technology better accessible and manageable. Unfortunately, cybersecurity is often an afterthought in the operational technology realm, and many systems are running on legacy technology which may not be easily secured.

But if attackers get access to operational technology, they can do a great deal of harm to an enterprise—and digital twins accelerate this risk, says Todd Dekkinga, CISO at consulting and SaaS management software company Zluri.

Digital twins are more easily accessible than their physical counterparts, says Dekkinga. Operational technology environments used to be considered separate and isolated, but that is no longer the case. Now they are fully connected, accessible and easily compromised.

CISOs might not even be aware of the full list of operational technology assets that have digital twins. “If you don’t know what you have it can’t be protected,” Dekkinga says.

Exposing underlying vulnerabilities

Digital twins rely on input from IoT sensors, which can be full of vulnerabilities, as well as systems running vulnerable, legacy operating systems.

According to an August security report by Nozomi Networks, there were 560 ICS-CERT-issued common vulnerabilities and exposures relating to operational technology and IoT in the first half of 2022, with 109 directly affecting the critical manufacturing industry.

“The use of IoT devices as sensors within the twin set-up presents a concern due to the generally poor state of security on these devices,” says NCC Group’s Munro. There is often a lag in cybersecurity expertise when it comes to digital twins.

“It’s often very difficult to get exposure to newer technologies and for researchers or engineers to gain access to running examples. This presents a challenge in getting the right expertise to support securing these platforms,” Munro says.

How to secure digital twins

Best practices for securing digital twins start with including cybersecurity experts on the deployment team, following basic cybersecurity hygiene, and adopting zero-trust principles.

Organizations deploying digital twins should work with security experts to produce detailed threat models, says Munro. “As with any newer technology, CISOs should seek to understand the threat models that it introduces and the impact on the attack surface.”

The needed expertise may not always be available in-house, and a solution can be to work with partners in the cybersecurity industry, Munro suggests.

Enterprises deploying digital twins should follow good cybersecurity principles from the start of the process, says Gartner’s Velosa. “Leverage security best practices in their design from policies to technologies to standards. This ranges from encryption to NIST or TLS policies to role-based access control.”

Digital twin design and development should be properly funded and ethically focused on making a difference while mitigating risk and aligning to regulations, Velosa says. “Avoid using personal data where possible and be transparent about where you do collect it, why you collect it, and how you will protect it. Work with procurement to ensure your enterprise owns not just the data in the digital twin but also the models.”

Digital twins should be protected as any other critical device on the network, says Zluri’s Dekkinga. “Implant a zero-trust architecture, not only on the perimeter, but also secure the internal network through micro-segmentation, multi-factor authentication, and other techniques. It may require extra steps for employees to access these systems, but it’s well worth the inconvenience.”

How digital twins can help cybersecurity

But digital twins aren’t just a security liability for companies. Some enterprises are using them to improve their cybersecurity—as an early-warning system of attack, a honey trap, and as a testing sandbox.

Digital twins can help organizations weed out vulnerabilities in systems by creating virtual clones to use for security testing. They can help cybersecurity because they can react to cyber vulnerabilities in a way that mirrors an actual system.

“You can get that reaction in many ways, up to and including having your actual system software or firmware run on your digital twin,” says Kevin Coggins, vice president at consulting firm Booz Allen.

And they can be used to test expensive physical systems for vulnerabilities before they go into production, such as in avionics. “You can’t just walk up to an aircraft and apply some kind of threat, because you will invalidate the whole aircraft certification process. You attack that digital twin, and you discover any potential vulnerabilities,” Coggins says.

For one client, Coggins’ company partnered with software developer Unity Technologies to make a three dimensional, IoT-connected digital twin of a large facility that, according to him, is allowing them to look at vulnerabilities in the system to figure out what effect someone might have given access.

Even though they are not production systems themselves, these digital twins should get the same level of security protection. “Someone can use that to train on to go after the real thing,” Coggins says. “If you’re going to do a digital twin, make sure you’re securing the environment within which it’s going to live.”

A digital twin can also act as a kind of spider’s web or threat detection system—an incursion by an attacker will create ripples that can be felt by cybersecurity teams.

One company using digital twins as a kind of highly sensitive sensor layer is GE, which is building something they call “digital ghosts”. For example, if an adversary attacks the controls of a key piece of critical infrastructure, even if they are able to fake the output of that particular sensor, the digital twin as a whole will recognize that something is wrong because the entire system will no longer act as predicted or won’t match the information flowing from other sensors.

In fact, the more complex the system, the better, because it will have more sensors and thus more observability, says GE’s John.

Critical infrastructure are perfect examples of how digital twins can be deployed to help with cybersecurity. “The reality is I can predict pretty well how things are supposed to operate, especially if I have the controls integrated with my digital twin model, and I can use that to tell if a cyberattack is happening,” John says. “I’m going to look at the process variables—airflow, pressure, temperature—all the things that make the assets operate the way that they do, and I’m going to check to see if those are all normal or abnormal, figure out where the problem is, and let the operator know.”

“We’re using a twin, but we don’t want the attacker to know about it, so it’s a digital ghost,” he says.

Digital ghosts can be used to secure not just critical infrastructure but also operational technology in an organization’s data center, he says. Typical OT cybersecurity is about looking at network traffic, firewalls, and searching for viruses. “This is not any of it.”

Instead, he says, GE’s vision of digital ghosts is more about the way the underlying physical assets operate. “What we need to understand is, what are the physics of what normal looks like, how do the controls normally operate these assets. And if I had that knowledge and a lot of either simulated data or historical data, I could build a really good representation of how an asset should be operating.”

The digital ghost would be able to detect if something’s wrong and tell you precisely what sensor is compromised, says John. “That alone typically takes operators days or weeks to pinpoint where the problem is. The digital ghost does that within seconds.”