Beware of the ‘twin demons’… 4 new security concerns amid the proliferation of digital twins

Recently, the use of digital twins is increasing. Digital twins have a wide range of uses and are very useful. It provides real-time models of physical assets, people or biological systems that help identify problems as they arise, or before they occur. Market research firm Grand View Research predicts that the global digital twin market, which is worth $11.1 billion in 2022, will grow at an average annual rate of 37.5% from 2023 to 2030 to reach $155.83 billion.
ⓒ Getty Images Bank

However, there are also concerns that cybersecurity exposures are also increasing as digital twin usage increases and new digital twins are created. Digital twins are vulnerable to security in that they rely on data for an accurate representation of what they are modeling. What if the data gets corrupted or worse, stolen and used for malicious purposes other than what it was intended for?

“The digital twin is another tool,” said Brian Boswell, director of the Science, Technology Assessment, and Analytics (STAA) team at the U.S. Government Accountability Office and author of the February 2023 US Government Accountability Office (GOA) report on digital twins. “It’s a useful tool, but it still needs to be hardened, cybersecurity applied, and internet connections and data protected.”

Why Digital Twins Are Dangerous

Technology experts and security leaders say digital twins can be just as vulnerable to existing threats as typical IT and operational technology (OT) environments. Some argue that digital twins not only create new attack entry points, but also provide room for new types of attacks. Boswell also pointed out that “there are many opportunities for cybersecurity and potential hacker penetration with this kind of technology.”

The advantage of a digital twin is that it enables testing and behavioral analysis of real systems using data from the system itself. Objects represented by a digital twin include physical elements such as aircraft, environments such as buildings or manufacturing plants, virtual replicas of pre-existing environments or technological systems (where all real-world processes are simulated by the technology replicated in the digital twin); or copies of plans for such entities.

Some say even clones of people can be digital twins, such as employees or personas (digital representations of individual entities such as customers or companies).

The digital twin is not static. It takes the same data as the corresponding real twin (in many cases in real time) and changes accordingly. Modeling like this has proven extremely useful in the manufacturing, aerospace, transportation, energy, utilities, healthcare, life sciences, retail and real estate industries.

Businesses across industries are using digital twins to run simulations that are faster, easier, cheaper, and less risky than real environments. Such simulations help companies understand the outcomes of different scenarios and aid in planning, predictive maintenance, and design enhancements. Companies can run the results from simulations on digital twins and apply them to real objects. “The digital twin is very beneficial,” Boswell said. For example, you can monitor a system in real time and use a digital twin to predict what might happen in a particular situation.”

But there are also risks and concerns. “Many industries use digital twins to lower costs, improve engineering design and production, and test supply chains,” Bothwell said in the report. However, some applications, such as the creation of digital twins of people, lead to technical, privacy, security and ethical issues.”

Risk of developing a broad attack surface

The digital twin uses the same complex set of technologies and constructs that make up the real world, said Mahadeva Visapa, chief architect at technology modernization firm SPR. In other words, the same complex structure of systems, computing power (usually located in the cloud), networking, and data flow is present in the digital twin.

“You need to secure all endpoints and cloud platforms (whichever product you use),” says Visapa. You also need to protect any data that feeds into the digital twin.” Visafa believes that digital twins expand the attack surface that hackers can exploit. “The digital twin is just another internet-connected application, so the same kind of security issues arise.”

Kane McGladry, CISO of Hyperproof and senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, said the growing use of digital twins raises additional concerns. said that it may not be possible to secure

problem of cognition

“Are CISOs aware that digital twins are being used?” McGladry asked, noting that he had seen business units implement digital twins on their own without consulting the security department. “It’s difficult to apply effective controls to things you don’t even know exist,” he added.

There are also legal and regulatory issues. A key concern is whether digital twin operators can ensure that the data used in the digital twin is processed in a manner that complies with regulatory requirements related to privacy, confidentiality and geographic location of the data. Data ownership can also be an issue, especially if a business is partnering with another entity to operate a digital twin.

McGrady notes that some organizations are concerned that the digital twin will perform poorly if the business and engineering teams using the digital twin add specific or too many security controls, which may prevent them from properly addressing security and risk considerations. added that there is

More new dangers emerge

There is also a view that more risks will arise due to the nature of the digital twin. Jason M. Pittman, a professor in the Department of Cybersecurity and Information Technology at the University of Maryland Global Campus (UMGC), is one of them.

Pittman highlighted the security risks associated with so-called “evil digital twins.” In a recent UMGC blog, Pittman said, “next year, the evil digital twin will rise in earnest. This malicious virtual software model will be used to power cybercriminal activities such as ransomware, phishing, and highly targeted cyber warfare. Because of the specificity provided by the evil digital twin, these attacks will be far more effective than traditional methods.”

Pittman told CSO, “A hacker can create a digital twin of an existing persona and put it into a corporate environment. They can then inject malware into the ecosystem by monitoring businesses and participating in their activities. “It’s another attack vector for hackers, but often the defenses against it are not in place.”

Distortion of simulation results

Pittman said there are also other new attack scenarios stemming from the use of digital twins. For example, if a hacker is able to infiltrate the digital twin environment, he or she can intentionally distort simulation results by stealing data or, depending on the motive, manipulating the data used in the digital twin.

Regarding the potential impact of this scenario, Pittman said, “The digital twin is another example of technology propagation without worrying about what impact it might have. I’m not saying digital twins are good or bad, people do them all the time. Nothing close to catastrophic will happen, but something serious will happen.”

Pittman isn’t the only one concerned about the potential for new security threats arising from digital twins. In the course of researching digital twins, Boswell also encountered concerns about the possibility of adversarial forces manipulating the data within the digital twin. “One of the issues raised, though not specifically addressed in this report,” Boswell added, is a concern about a type of attack often referred to as data poisoning involving training data used in machine learning algorithms.

Dane Wid Shaw, CEO of cybersecurity firm Intuitus, also warned of the inherent risks of digital twins. Shaw, who is also co-chair of the non-profit Digital Twin Consortium’s Working Group on FinTech, Security and Reliability, and Aerospace and Defense, says that while digital twins have been in use for several years in some industries, the risks are rising as they are used in more technologies. stressed that it is increasing.

The solution is to “implement security from the start”

As AR/VR technology becomes part of the digital twin technology landscape, it adds another layer of potential vulnerability and requires additional security considerations. However, Shaw points out that building a digital twin often doesn’t reflect security and adds security later, meaning that security controls are usually lax.

“Security needs to be built into the core of the digital twin being built,” Shaw said. “But there is still a long way to go before the engineers building the digital twin and the cybersecurity people will learn to work together.”

Like Pitman, Shaw hinted at the possibility of new attack scenarios, noting that researchers had previously discovered new command techniques in test beds. Shaw also stressed the need for vigilance and preemptive security, saying that it is questionable whether companies will be able to detect when hackers devise new types of attacks.

“We need to keep a close eye on it and find ways to build guardrails to identify unusual behavior,” Shaw added.
[email protected]

Source: ITWorld Korea by

*The article has been translated based on the content of ITWorld Korea by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!