The American Society of Mechanical Engineers
5 Ways to Cyber-Protect Your Digital Twin
By: Mark Crawford
A digital twin is an exact virtual copy of an object, system, or process. The role of digital twins continues to expand in manufacturing and supply chain management, ranging from specific equipment to entire business ecosystems. Digital twins are created using data derived from the Internet of Things (IoT) sensor technologies that are attached to or embedded in the original object or system.
As more companies embrace IoT and big data, digital twin technology is becoming more popular. With the fast-moving development of Internet of Things, especially for wireless sensor technologies or digital devices, cyber protection is often inadequate. This is also true for digital twins. Depending on the scale of the digital twin, the level of detail, and the number of systems to which it is connected, hacking into a less-protected digital twin is an easy way to access everything that is connected within that business system, including sensitive documents, plans, proprietary manufacturing techniques, and intellectual property, including those of your trusted supply chain partners.
Jon Powvens, director of cybersecurity for the National Center for Cybersecurity in Manufacturing (MxD), has some advice on the best ways to protect digital twins, along with critical data, plans, and intellectual property, from cyber assault.
IoT Security Is Not the Best
Digital twins depend on sensors that are connected through IoT devices, which are often not designed with robust cybersecurity in mind. These devices are often shipped with known default username and passwords, with no mechanism to enforce a change on the equipment.
“This leaves many IoT devices vulnerable to attacks from entities ranging from bot nets to malware,” said Powvens. Because security is an afterthought for many IoT devices, it then falls to the security of the manufacturing network to protect digital twins. “A careful strategy of security to mitigate the lack of security in IoT devices cannot be an afterthought,” he said.
Strengthen Your Network Security
Manufacturing networks need to evolve to fully enable and protect digital twins. Companies need to determine where on the network these devices will “live” and how to allow access outside of the manufacturing network.
In the past, sensors were located behind air-gapped networks or carefully crafted network zones that followed the Purdue Enterprise Reference Architecture (PERA) for manufacturing networks. However, these systems can no longer fully protect digital twins in today’s digital world.
The air-gap method kept network traffic on the manufacturing network from reaching any other network. PERA was created to help companies create more sophisticated 3.0 manufacturing networks. “PERA places sensors at level 0 and does not allow for network connectivity to level 0 devices,” said Powvens. “Both these models fall short for protecting Industry 4.0 technologies. New, more advanced network reference architecture must be developed to allow for online sensors and the security of the networks.”
Zero Trust Will Become the Security Standard
Zero-trust networking is the future of data security. A zero-trust network can be configured to allow only certain devices to talk to each other. The network can fully configure and allow or disallow machines to communicate, providing greater security. For example, a system can be programmed so it only allows the minimum privileges needed to complete a job or action, such as communicating with a digital twin. “The added security comes from disallowing unwanted communication or access,” said Powvens. “Malware cannot propagate from one computer to the next computer if those computers are not able to communicate with each other. Today, a zero-trust network is increasingly obtainable and easier to deploy and manage.”
Utilize Other Methods of Security
Protecting your digital twin is as important as protecting the physical manufacturing line. Hacking a digital twin would allow the attacker access to critical trade secret information, detailed plans on how products are produced, and even allow the attacker to practice attacks before attacking the physical manufacturing line. Organizations need to ask in-depth questions to better understand the risks that digital twins can pose.
“You will need to understand how the digital twin is accessed, how the access is monitored, and how quickly an organization can detect rouge access,” said Powvens. “The digital twin will ultimately be stored on physical servers. How is the physical protection of those servers? Organizations will need to send data from the physical system to the digital twin. How is that link established and protected? And what steps need to be taken to protect the up-time of those links?”
Traditional Security Concerns Still Exist
The traditional security concerns that have been in the forefront for years are still important. Authentication to the digital twin will need to be understood. Full read/write permissions need to be carefully guarded and read access must be restricted to only those people who need to read the twin. All access should follow best practices and utilize multifactor authentication, which makes hacking into a digital twin much more difficult.
Role Reversal: Letting Your Digital Twin Protect You
A use case that is little discussed is how digital twins can be used to improve the security of both your digital and physical systems. A significant challenge for all manufacturing systems is the fragility of the equipment when faced with standard IT security tools. This has led the industry to adopt tools made to be safe for manufacturing, but with the known trade-off that that these passive tools do not provide the same robust information available to IT security tools.
“Your digital twin will not suffer from these same concerns,” said Powvens. “As the twin can be spun up and down in a virtual environment, continuous vulnerability management is now possible. Bringing the power of traditional disruptive security tools to your manufacturing environment will lead to security findings that would otherwise have remained hidden, leaving your system vulnerable to attackers.”