We spoke to Jon Geater, CTO and Cofounder of Jitsuin and ex-CTO of Thales e-Security, who is an expert in cybersecurity, crypto security, and systems security, about the role of security and trust in digital twins and the barriers we need to break down.
Digital twins and connected infrastructure are synonymous. Their aim is to enhance connectivity between people, departments, and even between organisations.
Jon Geater stated, “I do think, ultimately, if we want to have the sort of cleaner, greener, faster, cheaper world that everybody’s aiming for, an awful lot of that needs to come from better connectivity, better insight, better sharing.”
However, for that to happen, there needs to be increased trust. Geater believes there is still a lack of trust of digital twins for many because there is a fundamental misunderstanding of the security that underpins the technology.
Security and trust in digital twins
The security of the digital twin underpins the level of risk that an organisation is willing to take. But security isn’t a standalone item; it’s the addition of processes, technology, and tools to keep things working in as many conditions as possible, including being under attack. But as secure as a digital twin deployment may be, there still needs to be trust.
Let’s define our terms. Jon Geater defines the difference between security and trust as, “Security is the addition of processes, technology, tools, etc. that means your implementation works better for you under increasingly adverse conditions, under a wider range of attack. But the way that security tends to work is that it’s under the control of one authority – ultimately in the administrators within my business. That authority needs to be trustworthy. Therefore, trust is an expression of making an implementation work better for other people under a wider range of attack conditions.”
The authority behind the security system needs to be trusted by those outside or everything falls over. Fortunately, there are many ways to increase security and trust in a digital twin deployment. Here, we take a closer look at authentication security, which underpins many of the trust concerns when strict access to sensitive information and systems is needed.
Watertight authentication to build trust
Security and trust are built on the ability to keep a secret safe. In the case of digital twin security, that secret can be an identifier of someone accessing the simulation. Authentication provides a robust level of governance that can be trusted when correctly implemented. When you can be sure that only the designated people are able to access the digital twin, the security of the simulation, the data held within it, and the output of the digital twin can be trusted.
2FA and 3FA
Authentication methods, such as two-factor authentication (2FA) and multi-factor authentication (MFA or 3FA), use two or more methods of identification before granting access to the data or software. This is essential when granting access to your digital twin so you can be sure only trusted parties have access.
The identification most often seen in 2FA is device authentication where, for example, a text is sent to a phone as a second verification method. However, this simply identifies the device. There is no way of ensuring the person in possession of the device is the person they claim to be. Therefore, the stronger option is identity authentication. This typically uses biometrics to identify and individual and is much more trustworthy.
Nevertheless, Geater suggests that the biggest problem with 2FA is that it is often not true 2FA at all. True two-factor authentication requires, at a cryptographic level, that the data you are accessing to be protected by some factor of both pieces of information.
However, following rapid hacks of 2FA, there is even more reason for multi-factor authentication, which includes identity checks. This level of security will become ever more critical as enterprises rely on their digital twins for safe and optimal operations.
MFA offers enhanced security, which breeds the essential trust in the access to and output of digital twins.
Another method of authentication to ensure the security of digital twins, is the use of hardware keys. Unfortunately, with 2FA, the authentication code sent to your device can be intercepted or the personal identifier could be spoofed. So that’s where hardware keys come in.
These pieces of hardware perform encryption and decryption of digital signatures, which nobody else can access, that authenticate the user. The hardware cannot be hacked anywhere as easily as software can. Hardware keys at like a black box.
Enterprises traditionally use a hardware security module (HSM) and individuals can use a security key for their phones. Encoding authentication in hardware creates amore robust security system which, in turn, builds trust of the digital twin and its outputs for users.
Questions to consider
To get a more rounded picture of how well an organisation is able to demonstrate and uphold trust, Geater poses these questions:
- Does the organisation have trouble demonstrating to their upstream stakeholders that they’ve done things correctly?
- Are stakeholders refusing to work with them?
- Or have they had to bring in extra people and extra checks to validate their position?
- Are they having to pay or sign up to extra bonds as a way of underwriting their inability to prove trust, good operation, security, hygiene etc.?
- Or, on the other side, are they exposed to business risk?
- Are they running their operations based on things that their downstream suppliers are sending into them?
- Are they taking a signal from a third-party machine that, for example, can spin a turbine in their facility? Then how much risk are they willing to take from that signal without being able to see into that third-party’s operations and processes?
Digital twin providers should be able to prove their trust and security through their astute use of authentication, encryption, data privacy, and software resilience. Take a look at our other article on the security measures your digital twin provider should have in place for a fuller checklist.
The future of cybersecurity
In considering cutting-edge technology, we asked Jon Geater for his thoughts on the future of the cybersecurity required to protect digital twins’ voluminous data inputs and outputs. Security will need to evolve to keep up with the need and the increasing sophistication of attacks.
It’s easy to jump straight to the exciting promises of quantum computing as the future of cybersecurity but Jon noted that this methodology still poses as many problems as it does opportunities.
Homomorphic encryption – which allows calculations to be performed on data without decrypting it first – is another security technology that is under investigation. But, so far, this technology is still limited and unable to keep up with the scale of data required.
Perhaps most promising, suggests Geater, is the use of secure Multi-party Computation (MPC). This method of cryptography allows multiple parties to jointly compute a function while keeping their own inputs private, which can dramatically increase trust. This technology has greatly reduced the cost of deploying high quality cryptography and gives a much broader choice in where to run the engines, therefore opening more robust security opportunities to digital twin technologies.
Trust: the foundation of digital twin security
As we have discussed, trust in digital twin security could be the greatest barrier to the adoption of digital twins by enterprises. However, through the insights brought to us by Jon Geater, we can see that this is a barrier that can be overcome with a shared terminology and by following industry gold standards of security.
Authentication security lies at the heart of the trustworthiness of digital twins and, using true MFA or hardware keys, this lynchpin of cybersecurity can be made robust and ensure the trustworthiness of the deployment. Digital twins are here to stay, and trusted digital twin security will make them a concrete answer to Industry 4.0.
Want to build and deploy a secure digital twin?
Speak to an expert at Slingshot Simulations, the world’s first Simulation-as-a-Service provider. Security is at the core of all our simulations and we can partner with you to build and deploy the digital twins that will take your organisation to the next level.
Contact us here: www.slingshotsimulations.co.uk/get-in-touch
 Christy Petty. ‘Prepare for the Impact of Digital Twins’. (2017) Accessed at https://www.gartner.com/smarterwithgartner/prepare-for-the-impact-of-digital-twins/
 TheRegister.com. ‘Twitter hackers busted 2FA to access accounts and the reset user passwords.’ (2020) Accessed at https://www.theregister.com/2020/07/20/twitter_security_update_hackers_broke_2fa/