A framework for enhancing cyber incident response with security-enhancing digital twins in cyber–physical systems

Standalone traditional cybersecurity solutions and tools often fall short in covering the lifecycle of critical assets, conducting vulnerability identification, and correlating cyber incidents with adversary knowledge bases. This limitation can lead to fragmented incident response (IR) strategies. Security-enhancing digital twins (SEDTs) can act as complementary security solutions alongside existing solutions to support various IR lifecycle phases in cyber–physical systems (CPSs). In this work, we propose a framework that can serve as a guide for plant operators on how to design, develop, deploy, and manage SEDT-based IR solutions across four key phases, including prerequisites, design-and-engineering, operation-and-maintenance, and end-of-life. With the automotive manufacturing industry as a cyber–physical production system (CPPS) use case, we thoroughly examine the applicability of the proposed framework. Furthermore, we evaluate the proposed framework in both industry and academic settings, covering various aspects, including the design and operation requirements of SEDTs. This evaluation helps identify gaps between academic findings and practical industry solutions, such as in SEDT objectives, architecture, integration with existing security solutions, and lifecycle.