Threat Modeling for Digital Twins
Risk tolerance at this stage is sometimes determined empirically. No matter what symmetrical or asymmetrical scheme the analyst has determined, a refuting example may be found in life, because the scheme is only in the analyst's head. It needs reinforcement from real life.
Example
For example, firmware tampering for the telematics electronic control unit (ECU) on a vehicle may have a severe operational impact. The attack on the firmware-over-the-air (FOTA) updating mechanism is assessed as likely because of the leaked cryptographic keys currently used to sign the updates. The risk is high, and the cybersecurity experts confirm this rating.
Denial of service of the manufacturer's cloud platform (accessed through an API), which supports the seamless integration capability for the digital twin, has a moderate operational impact, and we have assumed that it is almost certainly vulnerable to attack. The risk is also assessed as high. Not all experts will confirm it, but considerations on some service level agreement (SLA) provisions about service availability may be used to revise the rating.
General considerations for an analyst when conducting a risk assessment are summarized in Figure 5-3.
Figure 5-3: Considerations on risks.
6 FINAL CONSIDERATIONS
Capabilities supporting trustworthiness of the digital twin system should be in focus from the early stages of the concept phase. At the same time, not all details are available to assess hazards and threats and evaluate risks at early stages of the lifecycle. For the integrated system there are
Journal of Innovation 33