The use of digital twins (virtual representations of real or imagined real-world objects) is growing. Their uses are manifold and they can be incredibly useful, providing real-time models of physical assets or even people or biological systems that can help identify problems as they occur or even before.
Grand View Research has predicted that the global digital twin market, valued at $11.1 billion in 2022, will grow at a CAGR of 37.5% from 2023 to 2030 to reach $155.83 billion.
But as companies increase their use of digital twins and others create new ones, experts say organizations are also increasing their cybersecurity exposure. Because digital twins rely on data to create an accurate representation of what they model, they are vulnerable. What if that data gets corrupted or, much worse, stolen and used for evil instead of its intended purpose?
“Here we have another tool, and it can be beneficial, but it still needs to be hardened, it still needs to be cyber-secured, the internet connection needs to be secured and the data needs to be protected,” says Brian Bothwell, director of the US Government Accountability Office’s Science, Technology and Analysis (STAA) team and author of a February 2023 GAO report on digital twins.
Digital twins are vulnerable to threats and need to be protected
Technology experts and security leaders say digital twins can be just as vulnerable to existing threats as conventional information technology (IT) and operational technology (OT) environments. Some say digital twins could not only create new entry points for these types of attacks, but could also present opportunities for new types of attack, including what one security expert described as the “evil digital twin.”
“There are a lot of opportunities for cyber security and potential hacker infiltration in this type of technology,” says Bothwell.
The beauty of digital twins is that they allow testing and analysis of the behavior of real-world systems using data from the system itself. The object represented by a digital twin could be a physical item such as an airplane, or an environment such as a building or a manufacturing plant. It could also be a virtual replica of a technical system or environment that already exists, with all of its real-world processes duplicated in the digital twin, or a replica of plans for these objects.
According to some, a digital twin can also be a duplicate of a person, such as an employee, or a digital representation of an individual entity, such as a customer or a company.
Digital twins change in real time to match the original
A digital twin is not static: it takes the same data, often supplied in real time, as its real-world counterpart and changes accordingly. This type of modeling has proven very useful for the manufacturing, aerospace, transportation, energy, utilities, healthcare, life sciences, retail, and real estate industries.
Regardless of industry, organizations use digital twins to run simulations that can be performed faster, easier, cheaper, and with less risk in the digital twin than in the real environment. These simulations help organizations understand the outcomes of various scenarios, which helps with planning, predictive maintenance, design improvements, and the like. Organizations can then take their findings from the simulations performed on their digital twins and apply them to the real-world object.
“There are huge advantages to digital twins, such as having the ability to monitor systems in real time and using digital twins to predict what might happen in certain situations,” says Bothwell. But there are risks, concerns and dangers, which Bothwell highlights in his report: “Many industries use them to reduce costs, improve engineering design and production, and test supply chains. But some applications, such as creating a digital twin of a person, pose technical, privacy, security and ethical challenges.”
Digital twins can create an expanded attack surface
Digital twins involve the same complex collection and configuration of technologies that make up their real-world counterparts, explains Mahadeva Bisappa, principal architect at SPR, a technology modernization company. In other words, they are made up of the same constellation of systems, computing power (usually in the cloud), networks and data flows.
“You have to protect all the endpoints; the cloud platform, whatever product you’re using, has to be protected. And all the data that’s going in has to be secured,” says Bisappa. Bisappa and others maintain that digital twins further expand the attack surface that hackers can exploit. “A digital twin is another application connected to the Internet, so you have the same kind of security issues.”
But there are additional concerns with the growing use of digital twins, says Kayne McGladrey, a senior fellow at the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. For starters, he says CISOs may not have visibility into their own organization’s use of digital twins.
CISOs need to be aware of when digital twins are being used
“Is the CISO aware that this is happening?” he asks, explaining that he’s seen business units take the lead in implementing digital twins without consulting security. As he notes, “It’s hard to apply effective controls to something you don’t even know exists.”
Legal and regulatory issues also come into play with digital twins, McGladrey says. The main concerns are whether digital twin operators can ensure that the data used in their digital twins is managed in a way that meets regulatory requirements on privacy, confidentiality and even the geography where the data can be hosted.
Data ownership can also become a sticking point if not addressed, especially if an organization partners with other entities to run their digital twins, he adds.
McGladrey says some organizations may be failing to address these security and risk considerations, as business and engineering teams using digital twins may fear that adding certain security controls, or too many controls, could slow down the performance of digital twins.
The possibility of emerging risks, new threats
Some see even more risks stemming from the very nature of the digital twin. Jason M. Pittman, University Professor, School of Cybersecurity and Information Technology, University of Maryland Global Campus (UMGC), is one of those people.
He has highlighted the security risk around what he calls the “evil digital twin”. In a recent UMGC blog, Pittman predicted: “Over the coming year, we will see the rise of evil digital twins. This virtual malware model will be used to enhance cybercriminal activities, such as ransomware, phishing and highly targeted cyberwarfare. These attacks will demonstrate a significant increase in effectiveness compared to traditional methods due to the specificity provided through evil digital twin models.”
A hacker could create a digital twin of an existing person, “insert it into your environment and then look and participate in your organization and then inject malware into the ecosystem,” Pittman tells CSO. “This gives hackers another avenue, and there’s unlikely to be a defense for it.”
Evil digital twins could distort simulation results
Pittman says he sees other new attack scenarios arising from the use of digital twins; for example, if hackers can break into a digital twin environment, they could either steal the data or, depending on their motives, manipulate the data used by the digital twin to deliberately bias the simulation results.
Considering the potential of these scenarios, Pittman adds, “I think this is another case where we’re spreading technology without necessarily thinking about the repercussions. I’m not saying that’s good or bad; we’re human, and that’s what we do very well. And while I don’t think we’re going to see anything catastrophic, I think we’re going to see something significant.”
Pittman is not alone in expressing concern about the potential for new security threats arising from digital twins. Bothwell, while researching the issue of digital twins, heard concerns about the possibility that adversaries could manipulate data within digital twins. “We didn’t look at it specifically for the report, but that’s one of the issues that came up,” he says, adding that it’s a frequently cited concern about the data used to train machine learning algorithms, a type of attack known as “data poisoning.”
David Shaw, CEO of cybersecurity firm Intuitus, also warns that there are risks inherent in twinning. Shaw, who is also co-chair of the fintech, security and trust, and aerospace and defense working groups at the nonprofit Digital Twin Consortium, notes that digital twins have been used in some industries for many years, but as they are used more and more, and with more and more technologies, the risks also increase.
Security should start from the inception of digital twins
For example, augmented and virtual reality technologies are becoming part of the digital twin landscape, adding another layer of potential vulnerability and requiring additional security considerations. But Shaw says security isn’t always part of the digital twin’s construction and is instead built in later in the process. That, he says, usually means weaker security checks.
“Security has to be built right into the core of the digital twin you’re building. It has to be there from the start to protect it,” he adds. “But the engineers [building digital twins] and cybersecurity still have a lot of work to do to learn how to work together.”
And like Pittman, Shaw acknowledges the potential for new attack scenarios to emerge, noting that researchers in the past have identified new intrusion techniques in testbeds, indicating that they are possible.
There’s also the question, Shaw says, of whether organizations would be able to detect a new type of attack if hackers developed one. Given this, he underlines the need for proactive monitoring and security.
“We have to keep our eyes open and find ways to bake on the rails to identify anomalous behavior.”
Copyright © 2023 IDG Communications, Inc.
As digital twins become more prevalent, it has become inevitable that we acknowledge the risks that accompany this technology. From malicious actors to data security flaws, the use of digital twins can open up a host of new security concerns that must be addressed. Companies such as Ikaroa have a responsibility to consider the safety of their user data when developing any new technology.
In basic terms, a digital twin is a virtual replica of a physical piece of technology. It is used to capture and analyze the data generated by a physical device, allowing the user to make changes or observations in the digital world and implement them in the real world. As a result, these digital twins open up vast amounts of data and information, making them a valuable target for malicious activities.
The threat of a digital twin being hacked is also a real issue. Hackers can potentially gain access to a user’s personal data, rendering the digital twin useless and potentially putting the user’s data at risk. Additionally, there is the risk of a malicious actor using a digital twin to cause physical harm or damage to the system that is being replicated.
The potential for data theft is another serious concern. Digital twins can store a large amount of data that is difficult to password protect and is accessible to anyone with the right skills. This could potentially lead to the theft of valuable data and other personal information.
Furthermore, the use of digital twins inherently introduces a layer of complexity, as the technology requires multiple data points to be analyzed at once. This means more possibilities for errors and added difficulties in securing the data associated with the digital twins.
Ikaroa is making a commitment to user safety and privacy by exploring the security issues associated with digital twins and working to ensure the safety of their users in the digital world. To this end, they are also committed to continued research and development in the areas of digital twins and security, offering solutions that ensure the safety of both user data and the physical devices being replicated.
In order for digital twins to work properly, companies like Ikaroa must ensure that the technology is properly secured. This will require a comprehensive assessment of the risks associated with the technology and a plan for mitigating those risks in order to ensure the safety of the user data and physical systems being replicated.