Using a Security Digital Twin to simulate in advance the impact of security measures on operational technology systems

A youth with an interest in physics and another youth fond of personal computers meet up at Hitachi

Tsuji: I studied geophysics in university. After earning my doctoral degree in science, I joined Hitachi in 2020. During my student days, I did basic research in physics and conducted research specializing in applications to planetary phenomena. I think what clearly got me interested in studying physics was riding trains when I was a child, and having my curiosity aroused by the mysterious power generated when the train was starting to move. Then when I was studying physics in high school, and learned that you could describe a pseudo-force like “inertia” in an equation, I remember being struck by the richness of perspectives from which to view the world. A pseudo-force like inertia, for example, helped me understand the circular motion of planets.

When I was trying to decide on a career path, I wavered between academia or the industrial world. Thanks to an introduction by a former upperclassman from university, I decided to knock on the gate of Hitachi’s R&D sector. As someone who studied basic research in university, I wondered whether people in a company would be able to understand the details of my studies. When I actually got to the interview stage, though, I felt that I was being treated not as simply a student but as a fellow researcher, on an equal footing. I decided to join the company, convinced that such an open place would be a good place to work.

Tamura: In my university days, I conducted research on security in the network field. Software Defined Network (SDN) technology, for controlling a network with software, achieves access control based on user attributes. I loved personal computers already as a child, and progressed on a straight line from there to choosing my research theme in university. When I was in elementary school, not being permitted to use the PC in our house, I used a PC at school. Since it was intended for educational purposes, however, it was shackled with all kinds of restrictions, making me feel that “security is something that really gets in the way of convenience.” By the time I came to study security in university, though, my awareness changed to “security is something that provides users with the service of safety.” I have the feeling my decision to carry out research on network technology that ensures security without making things inconvenient for users can be traced all the way back to my experience as a child.

After I completed the master’s program and was looking for a job, my eyes were on becoming an engineer, having no intention of becoming a researcher. It was then that a graduate pointed out to me, “You seem to have interests in many different things. I think you are more geared to becoming a researcher than an engineer.” After deciding to change the direction of my job hunting, I came across a notice that Hitachi was looking for researchers in the security field, and that’s how I ended up here today.

The key point was believing digital twin technology could help ensure availability

Tsuji: After joining Hitachi, my work was all about OT system security. Because of my physics studies as a student, the Hitachi research fields that most interested me included particle simulation and human flow simulation. Believing that by combining these with optimization technology, there would be demand for such studies also in Hitachi, I applied with Hitachi out of a desire to conduct R&D. What I actually ended up working on, however, was OT security. Although I had worked with control devices in my university research and had some involvement with OT, I was initially hesitant as I had not anticipated getting into security. Even so, I could feel rising momentum for OT security, and remember urging myself to make the best of this opportunity. In 2021, we launched an R&D project combining OT security with digital twin elements, which continues to this day.

Tamura: After joining Hitachi in 2019, I worked mainly on cloud security. Many kinds of applications are provided in Hitachi’s Lumada solutions, including no-code applications. Thanks to no-code and other technologies, people coming with no development experience can make applications, bringing the need for mechanisms that keep those applications secure. It was in this connection that we conducted research on “Secure by Default,” achieving security automatically without the developer needing to be aware of it. Two years later, in 2021, my assignment changed to Security Digital Twin research.

Tsuji: Until recently, IT systems were generally considered the main target of cyberattacks. Over the past few years, however, cyberattacks targeting social infrastructure, the manufacturing industry, and other such OT systems have increased sharply. When the attempt is made to devise countermeasures, it becomes clear that different approaches are needed for IT and OT. The most important thing in IT security is protecting data, whereas with OT, which moves physical objects, the emphasis is on maintaining stable system operation. The systems must not be shut down. The highest priority with OT security, in other words, is guaranteeing availability. With IT, it is taken for granted that system operation will need to be suspended for applying a security patch; but in many cases this is not permitted with OT.

This is why for OT systems, technology is demanded that guarantees both security and availability. In the belief that a digital twin would be useful for verification and assessment of security measures, a Security Digital Twin (SDT) research project was launched.

Tamura: With IT systems, for verifying the impact of cyberattacks, sometimes penetration testing is adopted, a method whereby a real environment is readied, attacks are attempted, and the impact is measured. If you want to see that impact in the same way with OT, though, there’s no way you are going to carry out testing like, “We attacked the system and the equipment broke.” What we puzzled our heads about initially in going ahead with the research was, when carrying over the knowledge from our studies with IT to operations in OT, what kind of model we should distill that knowledge into for use in the simulations.

Tsuji: The theme we set for our research was investigating in advance the impact that would be seen in an OT system when new security measures were instituted. From a security standpoint, if you take a certain level of countermeasures, they will have the benefit of making the system safe. At the same time, there may be negative impacts, such as that instituting the measures will involve temporarily halting the system. The aim of the Security Digital Twin is to look at the balance between the constraints, such as “This operation must absolutely not be stopped” or “This one can be stopped, if temporarily,” and the security benefits, trying to find points where compromise can be made with management people. A world-first concept was born, being able to decide on implementing security measures by looking at the balance between business continuity and security.

Developing a digital twin as a three-layer model of an OT system

Tsuji: When seeking to replicate an OT system as a digital twin, while searching past academic papers, we considered how to go about assessing impact on operations. It took around a year of trial and error before we succeeded in establishing an architecture, as we grappled with what kind of model we could devise that would be scalable and capable of multifaceted deployment. What we came up with was a three-layer model of an OT system. The digital twin model we devised was divided into three layers, the “actor” layer indicating people such as operators and attackers, the “asset” layer modeling information equipment and the like, and the “process” layer modeling operations. After simulating the impact on operations from security measures and cyberattacks in a cyber space modeled by these three layers, the optimal measures are synchronized in an OT system in physical space.

One advantage of the three-layer model is that the knowledge of experts can be reflected in each layer of the model. For example, a process-layer model devised for the manufacturing industry can simply be replaced by a model in a different domain to apply the technology to social infrastructure in a different field. This three-layer model, as Hitachi original technology (patent pending), has earned high acclaim, including the granting of a Best Paper award by the Society of Instrument and Control Engineers (SICE).

Reference paper: TSUJI Daisuke et al., 3-layer modelling method to improve the cyber resilience in Industrial Control Systems , SICE Journal of Control, Measurement, and System Integration, Pages 63-74 | Published online: 26 Feb 2023

Tamura: When the R&D project first was launched, it was targeted at the manufacturing industry; but it would be a shame to have it end with the manufacturing industry alone. We are aiming to make it more universal so that it can be extended to other industries and also be used with IT, not just OT.

Tsuji: In this project, development was carried out mainly by three researchers, I with my OT simulation ability, Tamura-san with his expertise in information security, and one more person as a network researcher. Looking back now that the three-layer model has been completed, it could be said that the work was carried out by dividing it into three layers, the specialties of each of us involved in the project. I believe the successful outcome resulted from maximizing the overall value by dividing the development into separate layers for each of our specialties, and cooperating, so I guess the R&D itself was a three-layer model. [laughs]

The next hurdle waiting after development was how to convey the concept

Tamura: After the concept had been fleshed out and the direction decided, the next problem we faced was the difficulty of getting people to understand the concept. IT people would wonder, “Why not just apply a patch?” whereas OT people were like, “Whatever your impact assessment may tell you, the equipment simply must not be stopped!” Even in Hitachi, we had a hard time going ahead with demonstration testing.

What we finally came up with as a way to convey the concept was a video introducing the Security Digital Twin. For us, it was a major challenge to create a video at the concept stage aimed at spreading the idea. The video with a story line explains what happens without the Security Digital Twin, and how the people on the job and those above them need to act. I believe this went a long way toward explaining the significance.

Tsuji: Yes, the video was quite effective. While as a researcher I tend to lean toward academic society presentations or papers, I learned that this kind of effort at winning wider recognition is also important.

Tamura: Around almost the same time, we began prototyping to indicate how the Security Digital Twin would actually operate. We felt that we would not be able to go ahead further without first creating a prototype, to see how information would be input, how it would actually work, and what kind of interface would be needed to show these things. As we were getting ready to build a prototype, the need arose to complete it in time for an event introducing technologies under research to Hitachi customers.

Tsuji: The project began in 2021, the concept was formulated in the first year, and people were asking for results in the second year. Considering it necessary to show a prototype so people could understand the value, we worked at a feverish pace, completing it in time for the event. In autumn of the second year, we were able to have people experience a three-layer model of a digital twin, working as a prototype, and to get them to recognize its value.

Tamura: Yes, we really were able to develop it in a month or two, in time for the event. Once we introduced it, we heard from many customers about how much they liked the idea and wanted to try it out. As things turned out, with the video for conveying the concept readily, and the prototype showing the technology in actual operation, I believe we were able to demonstrate to customers the true significance.

Tsuji: The prototype, created as a web application, was designed to visualize the assessment. When you enter asset data, a network diagram is automatically generated, and at the same time vulnerability information is collected. Then on a GUI (graphical user interface), you input information as to how processes operate using which assets. It then runs a simulation showing how those processes will change when an actor applies a security measure to an asset.

Tamura: Say, for example, there are three operation processes, “production operations,” “remote monitoring operations,” and “quality assurance operations.” Assuming three types of security measures, the way these operations proceed when these measures are applied is shown graphically on a timeline. From this display, it can be seen that measures 1 and 3 will impact production, whereas measure 2, while halting remote monitoring, will not affect production.

Tsuji: What kind of balance can be taken to keep operations running? Given the difficulty of satisfying every need of the operations people, the prototype showed the ability to simulate in advance the extent to which disruptions can be tolerated.

Aiming to automate the processes from simulation to instituting security measures

Tamura: One of the big outcomes to date is that we were able to get to the PoC (Proof of Concept) stage using the prototype. The PoC was begun in fiscal 2023 with an outside customer, with whom the hard-to-understand concept of the Security Digital Twin found favor, and who expressed a desire to have an analysis tried out using their own data. We started by meeting their request to make attacks visible and having them assess the result, and have now gone on to the stage of simulating security measures. Currently they are assessing whether there are any discrepancies between the simulation and actual results when the prototype is implemented on an operating system, and whether the security measures can be accepted.

We are still at the stage of simulating the impact of security measures on operations, but our next target will be to automate the application of optimal measures with minimal impact on operations. What we are after is the kind of solution that, when introduced, will automatically improve the security environment in a plant, so that more customers will want to use the Security Digital Twin. There are many experts in plant operations, and also many security experts; but the fact is, there are surprisingly few plant security experts, who understand both areas. I thought the Security Digital Twin would be able to play the role of experts in both areas. I also think this is a field well suited to AI use. My hope is to change the current situation in which attacks are received because security measures could not be taken.

Tsuji: When we showed off the prototype at the event, I was surprised to see so many management people gathered around it. From there we were able to gain experience by conducting a PoC with an outside customer; and thanks to the prototype and video, we have had inquiries from many different places. Next, as we increase the case studies including in Hitachi, I would like to keep up persistent efforts until the Security Digital Twin is released as an actual product.