A Cybersecurity Digital Twin Architecture for Modelling Threats in Interconnected Systems

Repetto, Matteo (first author; Writing – Original Draft Preparation); Canavese, Daniele (second author; Writing – Review & Editing)
2026

Abstract

The growing digitalisation of industrial and business processes is creating large deployments where Information Technology (IT) and Operational Technology (OT) are tightly interconnected and interdependent. While cybersecurity risks for IT are mostly related to data breaches and service unavailability, OT is far more critical, since it handles physical equipment. In fact, intrusions into cloud infrastructure may directly or indirectly affect critical processes for autonomous driving or energy operations, with high-impact consequences for people’s lives. Additionally, the prevailing interconnection between providers across business and technological value chains creates further tight, recursive inter-domain security dependencies, which are challenging to address due to the fragmentation of cybersecurity operations. Secure and reliable operation of the whole chain requires each provider to improve the security posture of its suppliers. However, the current practice primarily relies on human intervention to disclose vulnerabilities, raise alerts, and suggest remediations, which has been proven to be largely ineffective and risky. In this position paper, we discuss how digital twins can help address the security implications of large, multi-ownership, interconnected systems. We start from the concept of cybersecurity digital twin, a live threat model that combines digital assets and cyber threats, and then extend the scope to hybrid digital inter-twins, which brings physical devices into the abstraction. While the former can be used for threat hunting, lateral movement detection, and attack eradication, the latter also models cascading effects and hazards in critical infrastructure. We discuss the two models for two use cases, namely Smart City and Smart Grid.
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI - Sede Secondaria Genova
Keywords: cybersecurity digital twin, hybrid digital twin, service chains, threat hunting, interconnected systems
Files in this item:
File: A-Cybersecurity-Digital-T.pdf (open access)
Description: A Cyber-Security Digital Twin Architecture for Modelling Threats in Interconnected Systems
Type: Publisher's version (PDF)
License: Creative Commons
Size: 4.31 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/586722