Integrating digital twin security simulations in the security operations center

Abstract

While industrial environments are increasingly equipped with sensors and integrated to enterprise networks, current security strategies are generally not prepared for the growing attack surface that resides from the convergence of their IT infrastructure with the industrial systems. As a result, the organizations responsible for corporate security, the Security Operations Center (SOC), are overwhelmed with the integration of the industrial systems. To facilitate monitoring the industrial assets, digital twins represent a helpful novel concept. They are the virtual counterparts of such assets and provide valuable insights through collecting asset-centric data, analytic capabilities and simulations. Moreover, digital twins can assist enterprise security by simulating attacks and analyzing the effect on the virtual counterpart. However, the integration of digital twin security simulations into enterprise security strategies, that are mainly controlled by the SOC, is currently neglected. To close this research gap, this work develops a process-based security framework to incorporate digital twin security simulations in the SOC. In the course of this work, a use case along with a digital twin-based security simulation provides proof of concept. It is demonstrated how a man-in-the-middle attack can be performed in a simulated industry setting and how it affects the systems. Moreover, we show how the resulting system logs can support the SOC by building technical rules to implement in Security Information and Event Management (SIEM) systems.