Security
The development of secure digital twins is vitally important to foster trust and data sharing and to avoid the risk of malicious use of data. The Gemini Principle of Security highlights this by stating that digital twins must not only enable security but also be secure themselves [1].
Embedding holistic security principles will support the protection of personal data and privacy, sensitive national infrastructure assets, commercial interests, and intellectual property. Furthermore, it actively mitigates risks that arise from data aggregation. This is achieved by adopting a 'secure by design' approach [1], meaning that security is not an afterthought but an integral aspect of the design process from the outset.
The Gemini Principles [1] also highlight the need for a balance among all principles against the key consideration of security. To strike this balance, the digital twin framework promotes a risk-based approach. In this way, the digital twin is not just a secure entity but also a facilitator of effective data sharing.
The security of digital twins is a multi-faceted concept that extends beyond the protection of data. It encapsulates a broader spectrum of considerations, including personnel, physical and cyber security, thereby enabling the integrity of the entire digital twin ecosystem.
Mechanisms - how to embed Security
The CPNI Security Considerations Assessment (SCA)
The Security Considerations Assessment (SCA), mentioned in the Digital Twin Navigator Report [5], is a structured process designed to take into account potential security-related vulnerabilities across a range of activities and processes within an organization [5].
Standards for Security
The Digital Twin Navigator Report [5] highlights the following standards in relation to Security:
ISO 27001: Information security management systems, which provides guidelines for setting up and sustaining an information security management system in an organization, promoting a comprehensive and consistent approach to information security.
BS EN ISO 19650-5:2020: the international standard setting out requirements for the security-minded management of sensitive information within building information modelling (BIM) [5].
Planned Information Management Framework
Security is an integral part of the design process, and an approach referred to as ‘secure by design’ [6] should be used when developing a digital twin. This strategy enables role-based access control, ownership and authorship information, and usage restrictions to be incorporated throughout the work. The aim is to give information providers the confidence that they have control over who has access to their data, and the ability to dynamically adjust data availability. This is essential for fostering trust and adoption among industry and government. The approach addresses security-related requirements, particularly those concerning the managed control of information that should not be openly released or has handling caveats. Examples include data with personal, commercial, and national security sensitivities, a mix that is common in infrastructure-related applications.
The ‘secure by design’ approach applies not just to individual components of the architecture, but also to the integration architecture as a whole. Adopting a systems-of-systems approach is key to addressing security issues, such as access control and data aggregation issues, across the connected digital twins ecosystem [6].
In addition to secure design, securely sharing data to connect digital twins is emphasized as a vital aspect. The Architecture Components for Integration Architecture, such as Authorisation [7], play a crucial role in managing access and authentication, aligning with the Gemini Principle of Security.
Skills and Competencies for Security
To establish a strong skill set, competency scorecards presented in the Skills & Competencies Framework [8] are a valuable tool. These scorecards will help identify skill and competency gaps, build cross-functional teams, and develop a resource plan and pipeline of skills needed over a specific time frame.
In the context of the Gemini Principle of Security, Data Fundamentals and Security and Ethics are critical skills for organizations working with data and developing digital literacy and security-mindedness [8]. The Security and Ethics skills make it possible to govern data use, promote a secure by design approach to cybersecurity, and address data privacy and legal obligations. Key skills in this area include business continuity, cyber security, data privacy, and legal knowledge [8]. Data Fundamentals skills include data collection and management, data literacy and security-mindedness, generating value from data, and making decisions with data [8].
Security skills are especially key in roles such as Data Regulators, Cyber Security Specialists, Data Architects, Data Consumers, Data Custodians and Data Producers [8].
Ethical considerations
The Gemini Principle of Security extends beyond digital protections to include the safety of people and assets. As mentioned in the report Digital Twins, Ethics and the Gemini Principles [2], balancing security with openness and privacy is challenging, especially when handling sensitive personal data. Digital twins can be targets for malicious activities, with risks including data/identity theft and system attacks. Moreover, those overseeing a digital twin could misuse extensive societal data, especially in scenarios lacking oversight or accountability. Addressing these concerns is crucial for secure digital twin implementation and operation.
Examples
Case studies
The case studies outlined below demonstrate the practical applicability of digital twins across various industries and sectors in relation to the Gemini Principle of Security.
National Underground Asset Register (NUAR) [10]: The NUAR enhances work efficiency and safety by granting secure access to public and private underground asset data. It offers a digital map for standardized data access that supports effective and safe work execution, with features to secure data and enhance its quality.
General Data Protection Regulation (GDPR) [9]: The GDPR governs the handling of personal data, including data from infrastructure sectors like smart meters or connected vehicles. It strengthens consent requirements, meaning data used prior to the GDPR might need 're-consenting' or a different legal basis to comply. Additionally, it provides individuals with increased rights regarding their data, including restrictions on usage, data portability, and the right to request data erasure.
Offshore energy Case Study [11]: Advancements such as an autonomous inspection vehicle that inspects submerged assets without a human operator lead to reduced risks and enhanced safety and operational security.
Please see the DT Hub case study register (Case Studies - DT Hub Community, digitaltwinhub.co.uk) for further evidence of successful outcomes with digital twins.
References
[1] The Gemini Principles. Available at: https://digitaltwinhub.co.uk/files/file/12-gemini-principles/. Accessed March 12, 2024.
[2] Digital Twins, Ethics and the Gemini Principles. Available at: Digital_Twins_Ethics_and_the_Gemini_Principles.pdf (utwente.nl). Accessed March 12, 2024.
[3] Data for the Public Good. Available at: Data for the Public Good - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[4] Digital Twin Toolkit. Available at: About the Digital Twin Toolkit project - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[5] Digital Twin Navigator. Available at: Digital Twin Navigator - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[6] Pathway towards an IMF. Available at: The pathway towards an Information Management Framework - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[7] National Digital Twin: Integration Architecture Pattern and Principles. Available at: Integration Architecture Pattern and Principles - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[8] Skills and Competency Framework. Available at: Skills & Competency Framework - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[9] Data for the Public Good. Available at: Data for the Public Good - Public Resources - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[10] Gemini Papers: How to Enable an Ecosystem of Connected Digital Twins? Available at: The Gemini Papers - DT Hub Community (digitaltwinhub.co.uk). Accessed March 12, 2024.
[11] Cyber-Physical Infrastructure Vision. Available at: The Cyber-Physical Infrastructure - Empowering innovation, people, robots and smart machines to enhance prosperity, resilience, sustainability and security (publishing.service.gov.uk). Accessed March 12, 2024.