From a joint work of NIST and the University of Michigan, a computer security framework that combines digital twin, machine learning techniques and the human element in the classification of cyber-attack signals against the machinery of production sites in full digital transformation.
The digital twins for cyber-security, i.e. i digital twins for cyber security applicationsrefer to an unprecedented scenario of defense against cyber-attacks in the field of smart manufacturing, where More and more manufacturing equipment is becoming remotely accessible, creating new potential entry points for cyber threats.
We recall that the maturity reached, over the last decade, by emerging technologies – including artificial intelligence, robotics, the Internet of Things and the Cloud, just to name a few – have allowed the automation of production processes to progress, where the presence of autonomous machines delegated to the heaviest and most repetitive jobs, the connectivity and dialogue between different devices and the centrality of the data, its collection, its analysis and its use to make decisions, give life to a more efficient and competitive production site.
In such a site, the vast amount of data collected by the sensors on board the machinery, as well as those generated by other devices, are analyzed to extract value and make decisions concerning, for example, product development, marketing actions , all the management part and forecasting activities, including predictive maintenance and failure forecasting.
«In such an environment, cyber-attacks against data collected by machines can be difficult to detect and differentiate from other, sometimes more routine, system anomalies» points out the team composed of researchers from the National Institute of Standards and Technology (NIST) and the University of Michigan in a study entitled “Digital Twin-Based Cyber-Attack Detection Framework for Cyber-Physical Manufacturing Systems”, which explains :
«The point is that direct and real-time access across devices Operational Technology (OT) – as can be a 3D printer, for example – to those data that describe what is happening inside the machines, could jeopardize the performance and safety of the entire process in the factory»
Hence the intuition that led the authors of the aforementioned study to develop one strategy based on the digital twin, capable of detecting cyber attacks directed at a 3D printer. Potential future strategy applicable to a wide range of intelligent production equipment, equipped with digital technologies, within the manufacturing industry. But let’s take a closer look at what it is.
Digital twins for industrial cyber-security: beyond predictive maintenance applications
The underlying difficulty – observe the authors of the study on digital twins for cyber-security – is that the usual IT security strategies applied to production devices «they are based on copies of network traffic which do not always help us see what is happening inside a given piece of machinery or a process», when instead, in order not to leave room for external attacks, it is also necessary to probe the hardware part of the equipment.
«The machine’s digital twin, being closely related to its physical counterparts, is able to extract its data and support it in real time. So, when it is not possible to physically inspect an industrial machine while it is in operation, its digital twin becomes a strategic tool» is the thesis from which the research team started.
Over the past few years, we’ve gotten used to thinking about digital twins in the industrial sector for production and design purposes, where the digital twin comes to the rescue before its physical counterpart is built, with significant savings in terms of time and costs.
But not only. The digital twins of production machinery – thanks to the abundance of data they are able to provide – are elements in support of the forecast analysis of possible failures. A high-level example is that of the predictive maintenance of wind turbines within the European project IoTwins, achieved thanks to the creation of the digital twin of a wind farm with the aim of detecting the state of health of the blades, planning maintenance operations and reduce any failures.
The example of the digital twin that reproduces the 3D printing process and its anomalies
According to the authors of the study on digital twins for cyber-security, in the context of smart manufacturing, digital twins could also have other functions.
In particular – they underline – the production processes equipped with digital technologies supply data sets that are so varied (inherent, for example, temperature, consumption, voltage, current and much more) and so repetitive, within which it is possible to detect anomalies that they can also relate to cyber attacks on their network.
Here, then, they have built a digital twin to emulate the work process of a standard 3D printer.
As soon as the printer started generating a product (in particular, a plastic hourglass) – the researchers explain – its monitoring system began to control the data streams, including both those relating to printhead temperatures physics and those relating to simulated temperatures, calculated in real time by its digital twin.
At that point, the creation began nuisance elements such as simulations of “attacks external to its operation”, including irregularities in the operation caused by a fan external to the printer (which caused the machine to cool down), all the way to more serious effect disturbances, which caused the printer to incorrectly report readings of printhead temperature data, resulting in malfunction and blockage problems for the entire production.
What happened at that point? How did monitoring systems distinguish a cyber attack from an ordinary anomaly?
«The systems that analyzed both the data relating to the real 3D printer and its digital twin were based on machine learning models trained to recognize the operation of the printer under normal conditions and, therefore, to discern any situations out of the ordinary»
specifies the team. In short, during the test phase, if the artificial intelligence models suitable for this task detected an irregularity, other AI models intervened with the task of verifying «whether the anomalous signals were consistent with data within a dataset of already known problematic signals, such as – for example – the printer fan cooling the print head more than expected».
At that point, the system classified the irregularity as an “expected anomaly” or “potential IT threat”. Finally, in the last phase, a cyber-security expert intervened with the task of interpreting what was classified by the machine learning system and, therefore, making the most suitable decision for the IT security of the machine and the company’s business.
Digital twins per la cyber-security: prospettive future
The framework developed by researchers at NIST and the University of Michigan on the subject of digital twins for cyber-security provides a tool to support the human expert in detecting machine anomalies within a smart production site and then classifying them or less as possible threats to their cyber security.
In case the framework has never detected a given irregularity before, «the expert analyzes the collected data to provide further insights to be integrated into the framework, contributing to its implementation».
So, the human element would confirm the suspicions of the AI system responsible for monitoring or, on the contrary, would train it to identify a new anomaly to be filed in the database.
In the specific case of the 3D printer, the team verified the functioning of its security system and discovered that it was able to correctly distinguish cyber attacks from normal anomalies, starting from the analysis of both physical data and those emulated by its digital twin.
In the future work of the researchers there is the study of how the developed framework is capable of responding to more varied and aggressive cyber-attacks, ensuring that the strategy is always scalable.
Their objectives – they anticipate – also include the application of the strategy to a fleet of printers at the same time, «in order to verify whether such extended coverage harms or undermines their detection capabilities».
The main objective they aim for in the future is to make their own methodology «a concrete advantage in both the maintenance and security monitoring of compromised Operation Technology (OT) systems».