Reconfigurable System-of-Systems Cyber Twins

Research, Education and Training for Critical Infrastructure Defence

Background: A digital twin is a software representation of a physical entity. Traditionally, digital twins have been categorised as component twins, asset twins, system or unit twins, and process twins. A fifth category, the cyber twin, was coined by iTrust and has been in use since April 2020 for research, education, and training. Development of the Cyber Twin began in 2017 as a personal project in iTrust aimed at creating a software version of an existing water treatment plant, namely SWaT. The Cyber Twin gradually grew in complexity and feature set, with a usable version available in 2020. It is intended to be rapidly configurable within a domain, e.g., for different water utilities, as well as across domains, such as gas pipelines and electric power grids. At the time of this writing, the Cyber Twin has been configured to mimic the behaviour of an operational water treatment plant (SWaT), a virtual gas pipeline (GASP), and an enhanced version of an operational electric power grid (SHOCK).

Novelty: Twinning a system of systems, configurability, and the nearly unlimited ability to launch IT and OT cyber attacks add to the novelty of the iTrust Cyber Twin and distinguish it from traditional digital twins. Other distinguishing factors include accessibility, completeness, the ability to add plugins such as anomaly detectors and HMIs, and multiple modes of operation. The iTrust Cyber Twin is targeted at understanding the impact of a variety of stealthy and non-stealthy cyber attacks (e.g., denial of service) on critical infrastructure, and the effectiveness of the corresponding defence mechanisms.

Additionally, an independent application named AttackDesk is available as a programmable application for launching cyber attacks on the Cyber Twin, as well as on the operational iTrust testbeds. To date, we are not aware of any other digital twin of the kind described here that is purpose-built for, and in regular use in, cyber exercises, research, education, and training.

Communication protocols: The currently available version of the Cyber Twin uses ZeroMQ (via pyZMQ) and OPC UA for communication with internal components (e.g., PLCs) and peripheral components (e.g., HMIs and anomaly detectors). Additional protocols (e.g., IEC 61850, MQTT, EtherNet/IP and CIP) are in the process of being integrated into the Cyber Twin.

Operation Modes: The Cyber Twin operates in the following modes: twin, hist, live, and control. In twin mode, the Cyber Twin operates independently and mimics the behaviour of every cyber component of the twinned plant. In hist mode, it extracts historical plant data from an Excel file and runs it through the HMIs and the peripheral plant protection mechanisms. In live mode, it connects to the twinned operational plant and passes the plant state to the peripheral defence mechanisms and the HMIs. In control mode, it can take full control of the twinned plant from the PLCs and SCADA*.
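To make the hist-mode data path concrete, the following is an added, illustrative example written for this page; it is not iTrust's code and does not use the Cyber Twin's actual interfaces. It replays a constructed historian export (a CSV string standing in for the Excel file) through a simple physics-based anomaly detector of the kind that could be plugged into the twin. The tag names (LIT101, MV101, P101), the single-tank invariant and the noise tolerance are assumptions chosen for the example.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed historian export, standing in for the Excel file hist-mode reads.
# Columns (assumed tag names): LIT101 tank level (mm), MV101 inlet valve, P101 outlet pump.
HIST_CSV = """timestamp,LIT101,MV101,P101
0,500.0,1,0
1,503.0,1,0
2,506.0,1,0
3,506.0,0,0
4,506.0,0,0
5,520.0,0,0
6,520.5,0,1
7,515.0,0,1
8,509.0,0,1
9,515.0,0,1
"""


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start of the export
    level: float      # LIT101: tank level in mm
    inlet_open: bool  # MV101: True when the inlet valve is open
    pump_on: bool     # P101: True when the outlet pump is running


def parse_hist(text: str) -> List[Sample]:
    """Parse the exported table into typed samples, ordered by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append(Sample(int(row["timestamp"]), float(row["LIT101"]),
                           row["MV101"] == "1", row["P101"] == "1"))
    return sorted(rows, key=lambda s: s.t)


def check_invariant(prev: Sample, cur: Sample, tol: float = 1.0) -> Optional[str]:
    """Single-tank invariant (assumed for the example): the level may only move in
    the direction the actuators allow.  `tol` (mm) absorbs sensor noise.
    Returns a description of the violation, or None when the sample is consistent."""
    delta = cur.level - prev.level
    if not cur.inlet_open and not cur.pump_on and abs(delta) > tol:
        return f"level changed by {delta:+.1f} mm with inlet closed and pump off"
    if cur.pump_on and not cur.inlet_open and delta > tol:
        return f"level rose by {delta:+.1f} mm while only the pump was running"
    if cur.inlet_open and not cur.pump_on and delta < -tol:
        return f"level fell by {delta:+.1f} mm while only the inlet was open"
    return None


def replay(samples: List[Sample]) -> List[Tuple[int, str]]:
    """Feed the history through the detector one sample at a time, the way a
    replay mode hands state to a plugged-in detector, and collect the alarms."""
    alarms = []
    for prev, cur in zip(samples, samples[1:]):
        reason = check_invariant(prev, cur)
        if reason is not None:
            alarms.append((cur.t, reason))
    return alarms


if __name__ == "__main__":
    for t, reason in replay(parse_hist(HIST_CSV)):
        print(f"t={t}s ALARM: {reason}")
```

Two records in the constructed history are inconsistent with the actuator state: the level jumps at t=5 with the inlet closed and the pump stopped (the signature of a spoofed or replayed sensor value), and it rises at t=9 while the tank is being drained. Everything else, including the small +0.5 mm move at t=6, falls within the tolerance and raises no alarm.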

Installation: The Cyber Twin can be installed as a monolithic or a distributed application. In the monolithic mode the entire code resides in a single VM. In the distributed mode each of the processes in the Cyber Twin (e.g., PLCs, generators, and valves) runs in its own VM. The monolithic mode is mostly used by individual researchers when debugging their defence mechanisms or the HMI. The distributed mode has been found useful in large-scale cyber exercises, such as NATO CCDCOE's Locked Shields.

Availability: The iTrust Cyber Twins (SWaT, GASP and, in the near future, SHOCK) are accessible locally, as well as remotely via a VPN connection. They are available for rent by cyber security researchers and practitioners.

See here for published work: https://ieeexplore.ieee.org/document/10153672

*The control-mode operation of the Cyber Twin is currently under development.

Water Treatment (SWaT) Cyber Twin 

Gas Pipeline (GASP) Cyber Twin 

Electric Power (SHOCK) Cyber Twin