Cybersecurity Considerations for Digital Twin Implementations
policy (whether that is to avoid it, make sure the latest versions are used or to ensure compliance with license requirements). These automated processes need to be enhanced by best practices such as secure coding methodology, peer code review and good repository control. Where applicable, specific security testing techniques such as fuzz and penetration testing should be applied.

Software protection can also inject more active defenses which detect that the binary executable has been modified, debuggers have been attached or environments have been rooted. Software protection creates a safe zone within which to repair weaknesses and defects in software. When patches are released, adversaries rush to perform differential analysis to compare the new release with the previous version, often being able to pinpoint security updates in minutes. Fixes reveal weaknesses in the earlier code that can be exploited. Preventing differential analysis resets the “effort clock” for the adversary, providing time for the new release to safely roll out upgrades across the operational system.

The activities discussed to this point focus on creating and implementing a software design and development that meets the clear requirements of both quality and security.

Software protection, sometimes referred to as “software hardening,” has a rich set of techniques to draw on that make the resultant binary executable hack resistant. These techniques include data and software transformation that effectively protect the “data in use” in the design, as well as enhance the level of effort required to reverse engineer the executable.

Simultaneously merging functions together or in-lining functions to break up the modular code, and then entangling transformed data with the altered control flow of the software, renders the reverse engineered binary very hard to understand.

As each solution is unique, so too is the exact defensive blend of software protection techniques that can be applied to harden each design. The application of software protection technologies, specifically to sensitive areas, hardens the software in the twin and makes it exceedingly difficult for a hacker to use as a blueprint, as well as making the twin software more difficult to modify without being caught.

Finally, there are techniques that can lock both the software and data to specific devices (computers) by using various types of data and copy protection technologies (such as whitebox cryptography) and hardened APIs. The end goal is to render the software inoperable and/or to ensure that the data is inaccessible if the software and/or data is copied to another machine, thereby preventing propagation of the twin implementations between devices. Technologies such as these necessarily have additional management overhead but

This transformative technology offers multiple benefits. Not only is it very hard to understand—thwarting the adversary’s efforts to attack a system—it is equally difficult to modify the protected binary to introduce the desired nefarious functionality and still have the software operate in a reliable manner.
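
The device locking described above, where data becomes inaccessible once it is copied to another machine, can be illustrated by sealing data under keys derived from a device fingerprint. This is an added example, not code from the original paper; the fingerprint values, `APP_SECRET` and the HMAC-based stream construction are assumptions standing in for a hardware-backed identifier, a whitebox-protected key and a vetted AEAD cipher.

```python
import hashlib
import hmac
import os

# Assumption: in a real product this secret would live inside a
# whitebox-protected routine, not in a plain constant.
APP_SECRET = b"constructed-demo-secret"


def _keys(fingerprint: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the device fingerprint."""
    okm = hashlib.pbkdf2_hmac("sha512", fingerprint, APP_SECRET, 50_000)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib stand-in for an AEAD cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(data: bytes, fingerprint: bytes) -> bytes:
    """Encrypt-then-MAC the data under keys only this device can derive."""
    enc_key, mac_key = _keys(fingerprint)
    nonce = os.urandom(16)
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, fingerprint: bytes) -> bytes:
    """Return the plaintext, or raise if the blob was copied or modified."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _keys(fingerprint)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("not bound to this device, or tampered with")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))
```

The tag is checked before any decryption, so a blob moved to a machine with a different fingerprint is rejected rather than decrypted to garbage.
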
November 2019