ABSTRACT
Cyber-physical systems underpin many of our society’s critical infrastructures. Ensuring their cyber security is important and complex. A major activity in this regard is cyber security incident response, whose primary goal is to detect and mitigate cyber-attacks in order to ensure the continuity and resilience of services. For cyber-physical systems this is particularly challenging because it requires insights from both the cyber and physical (process) domains, and the engagement of stakeholders that are not strictly concerned with cyber security. One technology that is receiving a lot of attention is the digital twin – a virtual representation of a real-world (cyber-physical) system. Digital twins can be used to support tasks such as estimating the state of a system and exploring the consequences of interventional activities (e.g., upgrades).
In this paper, we examine the use of digital twins to support cyber security. Specifically, our novel contribution is a comprehensive analysis of the types of activities involved in cyber security incident response and of how different modalities of digital twin use can be applied to each of its phases. Building on this analysis, we propose a structured approach to enhancing cyber security playbooks for cyber-physical systems incident response with digital twins. Playbooks are an essential component of incident response, ensuring that multi-disciplinary teams are effective in responding to cyber security incidents; therefore, improvements in their execution can result in increased resilience. To illustrate our approach, we present its use for a playbook that is concerned with mitigating a cyber-attack on critical industrial equipment.