Using digital twins for improving the security of cyber-physical systems – the DOSS approach

By Levente Buttyán, CrySyS Lab, Budapest University of Technology and Economics 

Digital twins are virtual copies of physical devices or entire systems that can be used to address various challenges in the design, testing, and operation of those devices and systems. During the design phase, a digital twin can, for instance, be used to try out various design options without implementing prototypes in the physical world, and hence to reduce development costs. In the testing phase, test cases can be executed on a digital twin, which can be much faster and, in certain cases, safer than executing them on the real device or system. In the operational phase, a digital twin can replicate the state transitions of the real device or system, which allows its operation to be closely tracked and monitored and its future behavior to be predicted more easily, including, among other things, the prediction of faults, which makes predictive maintenance of the physical device or system possible. Digital twins can also be converted into simulators of the real device or system, which makes the training of the operating personnel cost-effective and safe.

Digital twins have also gained momentum in the domain of cyber-physical systems, as the development, testing, and operation of such systems are expensive and must satisfy safety requirements, and digital twins can be helpful in both regards. Indeed, the concept of digital twins has its origins in NASA’s Apollo program, where a twin of a spacecraft (which is a cyber-physical system) was built and used for training astronauts before the mission and for supporting the mission by mirroring the flight conditions of the spacecraft, hence allowing its operation to be monitored and errors to be debugged [1]. While the twins of those spacecraft were physical objects, advances in computing technology now allow for creating digital twins, meaning virtual copies that simulate the operating conditions of real devices or systems. Today, digital twins are created for vehicles (airplanes[1], ships[2], and cars[3]), robots[4], and entire industrial facilities[5], to mention just a few examples, and they are used in various life-cycle phases of such cyber-physical systems for a multitude of purposes.

Not surprisingly, digital twins can also be useful for enhancing the security of cyber-physical systems[6]. More specifically, a high-fidelity virtual representation of a physical device, system, or process can be used for testing or otherwise improving the security properties of the real system, or even for implementing certain security services, such as intrusion detection, for the real system [2].

Security testing is perhaps the most straightforward use case: checking for erroneous configurations (e.g., unnecessarily open ports), well-known weaknesses (e.g., default passwords), and known vulnerabilities, as well as creative penetration testing, can all be performed on the digital twin of the real cyber-physical system without affecting its live operation at all; affecting live operation may be unacceptable for performance or safety reasons. In addition, such testing can also be performed during the system development phase, in which case it helps identify and fix insecure configurations and other security weaknesses before the system is actually deployed.

Digital twins can also be used for detecting attacks on the real system if there is strong data integration between the twin and the real system, meaning that the twin receives the same input as the real system and accurately tracks the real operational state. In this case, intrusion detection tools can be deployed in the twin (rather than in the real system) to identify ongoing attacks on the real system. Such attack detection may be performed in real time, or, in a more advanced scenario, system compromise may be predicted from the operational data before it actually occurs (i.e., attacks are detected at an early stage, before they are completed and the system actually enters a compromised state). In the latter case, the compromise of the real system may even be prevented, if live intervention in its operation is possible and not excluded by safety requirements.

Finally, digital twins can be useful for incident handling. First of all, various incidents can be simulated in the twin for the purpose of training an incident response team or for assessing the incident handling capabilities of the team. In addition, a digital twin of the real system can also be useful when analyzing incident-related data and artefacts, as well as for testing system re-configuration options as possible reactive countermeasures aimed at containing an ongoing attack and preventing its escalation.

In the DOSS project, we aim to support security-by-design of IoT systems by automating their security testing in the design phase, hence allowing any security weaknesses to be detected and corrected before the system is actually deployed. For this purpose, we rely on a digital twin of the system, which we assume to be developed in parallel with the real system. More precisely, we assume that a low-level representation of the IoT system under development is provided by the system developer in the form of an infrastructure-as-code description, together with the actual software components of the system. In the project, we are developing a framework in which a digital twin of the system can be automatically instantiated from the above-described input in a virtualization environment, and various security test cases can be executed on that twin in order to identify weaknesses. We also aim to report back to the system developer any discovered weaknesses, together with recommendations for strengthening the system.

The novel element of our approach is that the test cases to be executed on the twin are generated automatically. This makes our approach fully automated: we receive the low-level description of the system to be tested, and our framework automatically (i) creates a digital twin of the system, (ii) generates relevant security test cases, (iii) executes those test cases on the twin, and (iv) reports discovered vulnerabilities. The approach we follow is that we extract high-level models (e.g., network topology graph and abstract representations of system components) from the low-level system description received as input, and we generate attack trees for potentially impactful attack goals automatically from those high-level models. For the attack tree generation, we use a traditional approach (i.e., formal modeling of the system and the attacker, and logic-based step-by-step derivation of preconditions for various attack (sub-)goals), as well as different AI-based approaches (e.g., we are currently experimenting with generating attack trees with generative language models). Once the attack trees are generated, our framework translates the elementary attack steps in those trees to invocations of appropriate tools from a pre-defined toolbox (e.g., a Metasploit module with the right parameters). By running these parametrized tools, the framework can essentially execute the steps of the complex attack scenarios encoded in the generated attack trees. If the execution of a full attack scenario is successful, then this means that the attack goal corresponding to the root of an attack tree can be reached, and therefore, the system is vulnerable. By analyzing the attack scenario, our framework can also determine weaknesses of the system and provide recommendations to fix them.

We are still at the beginning and the description above is our vision, but we are confident that it is possible to build the described framework that automates the security testing of IoT systems in their development phase. Expect some more details in our deliverable scheduled at the end of 2024.

[1] R. Rosen, G. von Wichert, G. Lo, K. D. Bettenhausen, About the importance of autonomy and digital twins for the future of manufacturing, in Proceedings of the 15th IFAC Symposium on Information Control Problems in Manufacturing (INCOM), 2015.

[2] M. Eckhart, A. Ekelhart, Digital Twins for Cyber-Physical Systems Security: State of the Art and Outlook, in S. Biffl, M. Eckhart, A. Lüder, E. Weippl (eds.), Security and Quality in Cyber-Physical Systems Engineering, Springer, 2019.
