Why is Security Important for Digital Twins?
According to Wikipedia [1], a digital twin is a digital representation of a physical object or system. In fact, a digital twin typically combines a model of the represented object with algorithms to describe and analyze the object’s properties or behavior.
A digital twin of the electricity grid is a virtual representation of the physical electricity grid. As shown in Figure 1, grid information such as topology data and measurement data (e.g. from inverters, measurement devices at trafo stations or smart meters) are integrated to automatically derive an accurate grid model to support grid operations. The digital model can be used to simulate, monitor and optimize the performance of the physical grid [2]. A digital twin helps utility companies in their day-to-day operations as well as in planning, efficiency improvements, and personnel training [3]. As an important side effect, through optimization of the use of physical grid resources, carbon emissions can be reduced while saving grid investments [4].
The electricity grid being a critical resource, digital grid twins can become a potential source of data breaches as well as a potential target for hacking. Security aspects need to be addressed during development and even more during grid operation. In the sequel we will look at security requirements for digital twins of the electricity grid from two angles with focus on the digital twin software:
- How can security become an immanent quality when developing digital twins?
- What security features are relevant when using the digital twin in grid operation?
Secure Development of Digital Twins
When it comes to software development environments, there are several security aspects that must be considered to ensure the integrity of digital twins. One of the most important aspects is a clear architectural set-up with an eye on the software development lifecycle including development, deployment and maintenance. During implementation, developer security awareness, security and risk audits as well as code-reviews are recommended to create secure digital twins.
Finally, it is important to secure the development environments themselves to minimize the risk of cyber-attacks. This includes choosing the development environment carefully, following proven practices, and reviewing and actively managing its security settings [5]. As it is now common practice to use cloud-based environments, a trusted cloud provider with documented security policies should be selected to run the development environment.
The following practices and technologies have proven their applicability in the electricity grid domain:
- Microservices architecture [6]: define how to construct a digital twin and how the services interact (e.g. REST API, web sockets…).
- Software component technology stack/frameworks: define how to implement the different software layers such as the presentation, database or application layers.
- Continuous integration and deployment: define how to manage the production and the produced artefacts. Tools for agile software development, project management as well as image management are key to success.
- The use of public key infrastructure for authentication is a must.
Operational Security Aspects
The security of the operational environment of the digital twin is crucial to ensure its integrity and to prevent unauthorized access or manipulation that could affect the corresponding electricity grid [7]. The aspects to be covered are:
- Operational system
- Access controls
- Organizational environment
Operational system:
After the digital twin is installed, the continuous integration of data from the electricity grid as well as on-the-fly updates of the grid topology are a prerequisite for a high-quality twin of the physical grid. All interfaces to measurement devices and other data sources are therefore encrypted and integrity protected during transfer by using protected interfaces and public key infrastructure technology.
The grid model provided by the digital twin is regularly reviewed to validate its accuracy. On a case-by-case basis, physical grid behavior is cross-checked against the predictions of the grid model for consistency and accuracy (see for example [8]).
In addition, algorithms are in place to detect data inconsistencies, missing data, time deviations, out-of-range voltages, incomplete data and more, so that the grid model is continuously kept in line with reality. The correspondence between measured data and its topological position is monitored. In some cases, systematic errors are rectified automatically.
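The checks just described can be sketched in code. The following Python example is added here for illustration and is not GridData's software: the topology map, the voltage band, the clock-skew limit, the device and node names and the measurement records are all constructed sample values.

```python
"""Plausibility checks on incoming grid measurements (added illustration).

Not GridData's code.  Device ids, node ids, voltage band, skew limit and the
sample records below are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed topology: which grid node each measurement device belongs to.
TOPOLOGY = {"meter-01": "node-A", "meter-02": "node-B", "inv-07": "node-C"}

# Constructed plausibility band for a 230 V low-voltage feeder (+/- 10 %).
V_MIN, V_MAX = 207.0, 253.0
# Constructed tolerance between the device clock and the receiving system clock.
MAX_SKEW = timedelta(seconds=30)


@dataclass
class Measurement:
    device: str
    node: str                  # node the device claims to report for
    ts: datetime               # device timestamp, UTC
    voltage: Optional[float]   # None models a missing value
    current: Optional[float]


def check(m: Measurement, now: datetime) -> List[str]:
    """Return the findings for one record; an empty list means plausible."""
    findings: List[str] = []
    # Topological position: the device must sit where the grid model says it does.
    expected = TOPOLOGY.get(m.device)
    if expected is None:
        findings.append("unknown device")
    elif expected != m.node:
        findings.append(f"topology mismatch: expected {expected}, got {m.node}")
    # Completeness: the model needs both quantities.
    for name in ("voltage", "current"):
        if getattr(m, name) is None:
            findings.append(f"missing {name}")
    # Time deviation: stale or future-dated records distort the live model.
    skew = abs(now - m.ts)
    if skew > MAX_SKEW:
        findings.append(f"time deviation {int(skew.total_seconds())} s")
    # Range check: a value outside the physical band is a data error, not a grid event.
    if m.voltage is not None and not V_MIN <= m.voltage <= V_MAX:
        findings.append(f"voltage {m.voltage} V out of range")
    return findings


def validate_batch(batch: List[Measurement], now: datetime) -> Dict[str, List[str]]:
    """Findings per device for every record that failed at least one check."""
    result: Dict[str, List[str]] = {}
    for m in batch:
        findings = check(m, now)
        if findings:
            result[m.device] = findings
    return result


def demo() -> Dict[str, List[str]]:
    """Run the checks over a constructed batch and return the findings."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    batch = [
        Measurement("meter-01", "node-A", now, 231.2, 4.1),                          # plausible
        Measurement("meter-02", "node-C", now - timedelta(minutes=5), 229.0, None),  # wrong node, stale, incomplete
        Measurement("inv-07", "node-C", now, 412.0, 3.3),                            # voltage out of band
        Measurement("meter-99", "node-A", now, 230.0, 1.0),                          # not in the topology
    ]
    return validate_batch(batch, now)


if __name__ == "__main__":
    for device, findings in demo().items():
        print(f"{device}: {'; '.join(findings)}")
```

Each finding is kept separately rather than rejecting the record outright, so an operator can distinguish a mis-wired device (topology mismatch) from a device whose clock has drifted; which findings trigger automatic rectification and which need a human is a policy decision left to the grid operator.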
Data from the electricity grid are used to build a high-quality digital twin. Access to and use of such data is regulated (by regulatory authorities and grid operator guidelines). Regular data backups are required for availability and security reasons. A clear deletion strategy is required as well, to minimize the risk of fraudulent data use.
Access controls:
Monitoring of system access by grid operator staff or maintenance staff is standard. Encryption is used to protect grid measurement data during transfer. Password hashing and public key infrastructure are applied, as well as two-way authentication, for the utmost security of system access. SSH and SSL are typical tools used to keep a close eye on the software components that handle data from the electricity grid.
Privacy of grid customer data must be respected. The use of such data is reduced to a minimum (such as the energy consumed in a household). Often, customers have to consent to this use. While the digital twin uses the data internally, interfaces to customer-specific data are not made available.
Organizational environment:
As the digital twin of an electricity grid represents a critical resource, operating staff should undergo regular security training to raise awareness of cyber security. Certification according to ISO 27001 assures that a clear security regimen is in place, as well as processes to ensure that rules are followed and monitored.
As of today, a digital twin of the electricity grid is implemented in a cloud environment. This can be within the grid operator's domain, following the operator’s security guidelines. But in many cases, clouds from third-party cloud providers are used for a number of reasons:
- High cost of operation
- Security controls assured by cloud provider
- High cost to follow the evolution of security technology
- Unavailable staff expertise
Therefore, the selection of a trusted cloud provider is of the highest importance. Aspects such as the location of the cloud servers, the implemented security services (including availability) and certifications must be evaluated. The Cloud Security Alliance (CSA) has developed a program called Security, Trust, Assurance and Risk (STAR) to provide security assurance in the cloud [9] and offers a cloud provider registry.
Another important operational principle is the separation of duties (sometimes called the Chinese Wall Principle). It aims to prevent fraud, errors, conflicts of interest, and misuse of resources by dividing critical tasks or functions among different individuals or roles. It is especially important when operating critical software, such as software that handles sensitive data, financial transactions, or security operations. Generic rules such as role-based access control, code review, continuous integration and delivery, audit logging and monitoring can be found at [10]. Within the operation of electric grids, a clear distinction is made between grid analysis, monitoring, planning and actually changing the grid with the digital twin. A well-defined digital twin of the electricity grid will support this separation of duties by installing a “Chinese Wall” between the analysis functions and the activation functions for physically changing the grid structures.
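One way to enforce such a wall in software is shown in the Python example below. It is added here as an illustration for this article and is not the code of any digital twin product. The role names, user names and operation names are constructed; the rule that an activation requires a second, distinct user as approver is an assumption chosen to illustrate "dividing critical tasks among different individuals"; every decision is written to an audit log, one of the generic rules listed in [10].

```python
"""Separation of duties between analysis and activation (added illustration).

Not the code of any digital twin product.  Role, user and operation names,
and the two-person rule for activation, are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Operations on the two sides of the wall (constructed names).
ANALYSIS_OPS: Set[str] = {"view_model", "run_loadflow", "plan_switching"}
ACTIVATION_OPS: Set[str] = {"open_breaker", "close_breaker", "apply_switching_plan"}

# Role -> permitted operations.  No single role spans both sets.
ROLES: Dict[str, Set[str]] = {
    "analyst": ANALYSIS_OPS,
    "planner": ANALYSIS_OPS,
    "auditor": {"view_model"},
    "operator": ACTIVATION_OPS,
}


class PolicyError(Exception):
    """Raised when a role assignment would breach the wall."""


@dataclass
class Authorizer:
    assignments: Dict[str, Set[str]]            # user -> roles
    audit_log: List[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Wall invariant: no user may be able to both analyse and activate.
        for user, roles in self.assignments.items():
            perms = set().union(*(ROLES[r] for r in roles))
            if perms & ANALYSIS_OPS and perms & ACTIVATION_OPS:
                raise PolicyError(f"{user} would hold roles on both sides of the wall")

    def permitted(self, user: str, op: str) -> bool:
        return any(op in ROLES[r] for r in self.assignments.get(user, set()))

    def authorize(self, user: str, op: str, approver: Optional[str] = None) -> bool:
        """Decide whether `user` may perform `op`, and record the decision.

        Activation operations additionally require a second, distinct user
        who is permitted to perform the same operation (assumed two-person rule).
        """
        allowed = self.permitted(user, op)
        if allowed and op in ACTIVATION_OPS:
            allowed = (approver is not None and approver != user
                       and self.permitted(approver, op))
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "op": op, "approver": approver,
            "decision": "allow" if allowed else "deny",
        })
        return allowed


def demo() -> Tuple[Authorizer, Dict[str, bool]]:
    """Exercise the policy with constructed users; return the authorizer and decisions."""
    auth = Authorizer({
        "alice": {"analyst", "planner"},
        "bob": {"operator"},
        "carol": {"operator"},
        "dave": {"auditor"},
    })
    decisions = {
        "alice_loadflow": auth.authorize("alice", "run_loadflow"),
        "alice_breaker": auth.authorize("alice", "open_breaker"),
        "bob_alone": auth.authorize("bob", "open_breaker"),
        "bob_self_approved": auth.authorize("bob", "open_breaker", approver="bob"),
        "bob_carol": auth.authorize("bob", "open_breaker", approver="carol"),
        "bob_dave": auth.authorize("bob", "open_breaker", approver="dave"),
        "dave_view": auth.authorize("dave", "view_model"),
    }
    return auth, decisions


def wall_rejects_dual_role() -> bool:
    """True if assigning analysis and activation roles to one user is refused."""
    try:
        Authorizer({"eve": {"planner", "operator"}})
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    auth, decisions = demo()
    for name, decision in decisions.items():
        print(f"{name}: {'allow' if decision else 'deny'}")
    print("dual-role assignment rejected:", wall_rejects_dual_role())
```

The wall is checked when roles are assigned, not only when an operation is requested, so a mis-configured assignment fails loudly at start-up instead of silently granting one person both analysis and activation rights; denied requests are logged just like allowed ones, which is what makes the audit trail useful for monitoring.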
Digital Twins and Separation of Duties Key for Electricity Grids
Being a critical resource, electricity grids and digital twins as their digital representations pose high demands on security in all life-cycle phases: from development and deployment to operation and maintenance. Many technologies are available to support these challenging tasks. Digital twins are an important concept as they help to address digital security risks while keeping the physical grid untouched. The concept of separation of duties is a strong approach to separate activation of changes to the grid from the grid model.
Further Reading, Referenced Sources
[1] https://en.wikipedia.org/wiki/Digital_twin
[2] https://etech.iec.ch/issue/2022-03/digital-twins-and-the-smart-grid
[5] https://www.uscybersecurity.net/5-best-practices-for-ensuring-secure-software-deployment/
[6] https://www.mulesoft.com/sem/lp/whitepaper/api/microservices-best-practices
[7] https://managementevents.com/news/digital-twins-for-cyber-security/
[8] https://de.mathworks.com/products/matlab.html
[9] https://cloudsecurityalliance.org/
[10] https://kpmg.com/de/de/home/themen/2020/12/funktionstrennung-rechtssicher-umsetzen.html
By Manfred Reitenspieß, Vice President Of Business Development at GridData GmbH
Manfred Reitenspieß
- Born 1953
- M.Sc. computer science; 1983 PhD on Security of Software Systems
- 1983 CERN Health Division
- 1995 Siemens: System architect; Head of engineering for highly secure, highly available system and communications software
- 2001 Fujitsu: Standardization of high-availability software; sales support for internal customers
- From 2018: GridData GmbH, Co-Founder, VP Sales & Business Development
- reitenspiess@griddata.eu, https://www.griddata.eu