Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 26

Threat Modeling for Digital Twins
TRL 4-6 (Development):
• All goals defined for TRL 1-3
• Ensure proper synchronization enabling feedback and control between the digital twin and the physical entity; protect synchronization from unauthorized interference
• Avoid architectural issues and vulnerabilities while integrating with IT / OT systems (e.g. IoT devices, enterprise platforms)
TRL 7-9 (Deployment):
• All goals defined for TRL 1-6
• Ensure resilience to cyberattacks for a full-fledged digital twin system: even if one of the components is compromised, the entire system maintains availability of services and remains trustworthy
Table 1-1: Threat modeling goals depending on the technology readiness levels of digital twins.
The threat modeling method and objectives may be further detailed based on the lifecycle stage or process under which the assessment is conducted. For example, for an application under development, the STRIDE method⁶ is applied to reveal issues in the particular categories (spoofing, tampering, etc.) and to prevent them regardless of the damage they would cause to the system under attack.
During development, the ultimate impact that tampering with data or denial of service in a separate piece of code would have on the entire system in which it is later used may not be clear. Preventing such code issues is simply good practice, since it anticipates and forestalls any effect they may have in the future. For a system under design, the attack trees⁷ method may be used to analyze threats from the general to the specific. This approach also enables threats to be connected to attack techniques and vulnerabilities at the latest stage of design.
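As an added example (not part of the paper), the following Python evaluates a small attack tree of the kind described above: the root states the general threat, inner nodes refine it, and leaves name the conditions under which a branch can be carried out, each labelled with its STRIDE category. Given the set of controls already in place, it reports whether the root threat is still reachable and which leaf conditions remain open, grouped by STRIDE category. The tree (built around the synchronization goal of Table 1-1), its condition identifiers and the control set are constructed and hypothetical.

```python
"""Attack tree with STRIDE-labelled nodes, evaluated against controls in place.

Added example, not from the paper. The tree, the condition identifiers and the
control sets are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """A node of the attack tree.

    The root states the general threat, inner nodes refine it, and leaves name
    the condition under which that branch of the attack can be carried out.
    ``gate`` is "OR" (any child suffices) or "AND" (every child is needed).
    """
    name: str
    stride: str                          # STRIDE category of this node
    gate: str = "OR"
    children: List["Node"] = field(default_factory=list)
    condition: Optional[str] = None      # leaves only: the enabling condition


def is_reachable(node: Node, controls: Set[str]) -> bool:
    """True when the threat at ``node`` remains possible given ``controls``.

    A leaf is closed once its enabling condition is covered by a control.
    """
    if not node.children:
        return node.condition not in controls
    states = [is_reachable(child, controls) for child in node.children]
    return all(states) if node.gate == "AND" else any(states)


def open_conditions(node: Node, controls: Set[str]) -> List[str]:
    """Leaf conditions that still contribute to a reachable threat under ``node``.

    Empty when the threat is no longer reachable. Under an AND gate every child
    is listed (all are required); under an OR gate only reachable children are.
    """
    if not is_reachable(node, controls):
        return []
    if not node.children:
        return [node.condition]
    found: List[str] = []
    for child in node.children:
        found.extend(open_conditions(child, controls))
    return found


def open_by_stride(node: Node, controls: Set[str]) -> Dict[str, List[str]]:
    """Group the still-open leaf conditions by the STRIDE category of their leaf."""
    groups: Dict[str, List[str]] = {}
    if not is_reachable(node, controls):
        return groups
    if not node.children:
        groups.setdefault(node.stride, []).append(node.condition)
        return groups
    for child in node.children:
        for category, conds in open_by_stride(child, controls).items():
            groups.setdefault(category, []).extend(conds)
    return groups


def leaf(name: str, stride: str, condition: str) -> Node:
    """Shorthand for a leaf node carrying an enabling condition."""
    return Node(name, stride, condition=condition)


# Constructed tree for the synchronization goal of Table 1-1 (hypothetical names).
SYNC_TREE = Node(
    "Twin/physical-entity synchronization disrupted or corrupted", "Tampering", "OR",
    [
        Node("Unauthorized party injects sync data", "Spoofing", "OR", [
            leaf("No peer authentication on sync endpoint", "Spoofing", "peer-auth-missing"),
            leaf("Sync credentials unprotected", "Spoofing", "credential-protection-missing"),
        ]),
        # AND gate: altering messages in transit needs both an unprotected message
        # format and a channel segment outside the trusted network.
        Node("Sync messages altered in transit", "Tampering", "AND", [
            leaf("No message integrity protection", "Tampering", "integrity-protection-missing"),
            leaf("Channel crosses an untrusted network segment", "Tampering", "untrusted-network-path"),
        ]),
        Node("Sync service made unavailable", "Denial of service", "OR", [
            leaf("No rate limiting on sync endpoint", "Denial of service", "rate-limiting-missing"),
            leaf("Single sync instance without failover", "Denial of service", "failover-missing"),
        ]),
    ],
)

# Controls already in place (constructed): messages are signed, peers authenticate.
CONTROLS_PARTIAL = {"integrity-protection-missing", "peer-auth-missing"}

if __name__ == "__main__":
    print("root reachable:", is_reachable(SYNC_TREE, CONTROLS_PARTIAL))
    print("open conditions:", open_conditions(SYNC_TREE, CONTROLS_PARTIAL))
    print("by STRIDE:", open_by_stride(SYNC_TREE, CONTROLS_PARTIAL))
```

With the partial control set, the AND branch is closed by message signing alone, while the spoofing and denial-of-service branches stay open through the unmitigated leaves; the output lists exactly those leaves, which is the input a design review needs to decide which remaining controls to prioritise.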
While different threat modeling techniques can be used to assess threats and analyze risks in the different SDLC processes of a digital twin (and its components), we will focus on a threat model that supports the trustworthiness of the digital twin in terms of the emergent values it brings.
These values are described in McKee's white paper [3] as follows:
• Business transformation by accelerating holistic understanding, optimal decision-making and effective action,
• Ability to represent the past and present and simulate predicted futures based on both real-time and historical data,
⁶ STRIDE is an abbreviation of spoofing, tampering, repudiation of origin, information disclosure, denial of service and elevation of privilege. STRIDE helps to identify cybersecurity threats and is used for threat modeling in conjunction with a description of the system under attack.
⁷ An attack tree is a diagram showing how a target might be attacked. The root of the tree describes the general threat and the leaves detail the conditions under which the attack is carried out.
Journal of Innovation 21