Threat Modeling for Digital Twins
major, and operational impact is severe because ECUs must be replaced or their firmware updated at the service station.
Seamless integration to reduce service costs is one of the main goals of the FleetTwin solution. If one of the external services supporting this capability fails, it may cause moderate financial and operational impact, but it will not affect safety.
This evaluation becomes more formal as details become available. The worst conditions should be evaluated, but coincidences and combinations of events are usually not considered.
4 ATTACK VECTORS, SCENARIOS, AND ATTACK LIKELIHOOD ASSESSMENT
After damage methods for the assets have been evaluated, the likelihood of attacks should be assessed. The typical approach is to consider the attack surface and possible attack paths, then describe attack scenarios and assess the likelihood of each scenario. Although the preceding stage does not require specialized cybersecurity knowledge, it is best to have cybersecurity experts perform these steps.
This is a different viewpoint, focusing not on the system capabilities but on the technical interdependencies between assets, attackers, methods, tools, and attack surfaces.
The best way to define the attack surface is to consider the system architecture and its external interfaces. A digital twin is a system of systems comprising at least two components.
The example architecture of the FleetTwin system introduces multiple attack surfaces:
• In-vehicle Telematics Devices: Physical tampering or spoofing sensor data.
• Data Transmission: Man-in-the-middle attacks on unsecured networks.
• Cloud APIs: Exploitable vulnerabilities enabling data tampering and denial of service.
• Third-Party Integrations: Compromised suppliers could inject malicious data.
• User Access: Weak authentication might allow unauthorized dashboard access.
An attack scenario is the set of deliberate actions taken to implement the threat. Possible attack scenarios are identified at the intersection of the description of system interfaces, the system architecture, and assumptions about the attacker. These assumptions include, for example, physical location, capabilities, knowledge, and motivation.
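As an added illustration (not part of the original paper), the sketch below enumerates candidate scenarios by intersecting the FleetTwin attack surfaces with a set of attacker assumptions, and reports surfaces that no assumed attacker reaches. The attacker profiles and the position and capability requirements per surface are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Surface:
    name: str
    threat: str
    position: str      # where an attacker must be to reach the interface (assumed)
    needs: frozenset   # capabilities required to act on it (assumed)

@dataclass(frozen=True)
class Attacker:
    name: str
    positions: frozenset
    capabilities: frozenset
    motivation: str

# Names and threats follow the FleetTwin list above; position/needs are assumptions.
SURFACES = [
    Surface("In-vehicle telematics devices", "tampering or spoofed sensor data",
            "physical", frozenset({"hardware"})),
    Surface("Data transmission", "man-in-the-middle",
            "adjacent-network", frozenset({"network"})),
    Surface("Cloud APIs", "data tampering or denial of service",
            "remote", frozenset({"network"})),
    Surface("Third-party integrations", "malicious data injection",
            "supplier", frozenset({"supplier-access"})),
    Surface("User access", "unauthorized dashboard access",
            "remote", frozenset({"credentials"})),
]

# Constructed attacker assumptions, not taken from the paper.
ATTACKERS = [
    Attacker("Service-station insider", frozenset({"physical", "adjacent-network"}),
             frozenset({"hardware", "network"}), "fraud"),
    Attacker("Remote criminal", frozenset({"remote"}),
             frozenset({"network", "credentials"}), "extortion"),
]

def candidate_scenarios(surfaces, attackers):
    """Pair each attacker with every surface they can reach and are equipped for."""
    return [(a.name, s.name, s.threat)
            for a in attackers for s in surfaces
            if s.position in a.positions and s.needs <= a.capabilities]

def uncovered_surfaces(surfaces, attackers):
    """Surfaces no assumed attacker reaches: a prompt to review the assumptions."""
    hit = {surface for _, surface, _ in candidate_scenarios(surfaces, attackers)}
    return [s.name for s in surfaces if s.name not in hit]

if __name__ == "__main__":
    for who, where, what in candidate_scenarios(SURFACES, ATTACKERS):
        print(f"{who:24} -> {where:30} : {what}")
    print("No assumed attacker for:", uncovered_surfaces(SURFACES, ATTACKERS))
```

An empty row for a surface means the attacker assumptions do not cover it, not that the surface is safe; here the supplier path is missing from the assumed attacker set.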
Assessing attack scenarios for digital twin infrastructure is essentially the same as assessing other types of systems and networks.
The first step is to identify the attack vector: how the attacker accesses the system or its component. For complex systems, depending on the access vector, the attacker may plan further actions and follow a tactic to eventually implement the damage method. This may be evaluated based on MITRE ATT&CK [8] matrices (or similar matrices of attack tactics and techniques). Tactical schemes vary depending on the system purpose and typical internal
8 https://attack.mitre.org/
May 2025