
Due diligence and compliance in IoT with digital twins and mirrors

Part of speed to market and efficient market investment management is the use of digital resources to create, adapt, manage and extend new revenue services. This is the foundation of today’s rapid IoT and AI application growth. Digital transformation with IoT and AI tools is effectively a survivalist technique for lowering costs through efficient management, effective security and exceptional compliance across a variety of business sectors.

A growing operations and management IoT tool being fielded by organizations is the virtualized duplicate of a physical system, product or application. By using a virtualized clone, such as one of a building alarm system, an application for loading cargo or even the steering applications used in planes, cars and trains, businesses are able to gain labor and time savings which translate into profitability, lower consumer costs and other improved capabilities.

This increasing use of virtualized clones is categorized by some as a digital twin and by others as a mirrored environment. Gartner reported on and referenced the use and methodology of digital twins to simplify IoT, while Wired Magazine in March 2019 highlighted the “mirrored world” and the impact of blending virtual world operations and physical world interactions.

A fused digital and physical world offers a more dynamic customization and response capability. As IoT and AI make digital twins and mirrored worlds the de facto tool for blended world capabilities, security and risk managers must properly consider the associated requirements and impacts of NIST, FISMA, FedRAMP and GDPR, as well as potential new risks.

New risk potential with IoT/AI twins

Determining how to comply with security and data protection requirements from both a standards and a liability perspective now must address managing the virtual system as well as the physical components. Like most new information technology and cloud adoptions, the blended environments of digital twins or mirrored applications create new targets for hackers, a new landscape for potential configuration issues and new areas of required due diligence for organizations and C-suite executives.

Managing risks will now likely “come to life” as the virtual twin models, telegraphs or identifies gaps, liabilities, mistakes and system issues before they become physical realities in an IoT system. Built into the complex use of digital twins are potentially higher risks related to errors in the virtualized planning, management, implementation or operation of the physical system by the virtual one. The potential liability arising from advance notifications, plausible prevention, delays in proactive responses by automated systems (i.e., the twin) or delays in responding to alerts in the mirrored system is rich in due diligence risks.

Plan for managing twin risks

Creating manageable risk within the digital twin or mirrored world of IoT applications begins with addressing the following three actions:

Broaden the risk assessment
Risk assessments often focus on aspects of technical testing, such as vulnerability assessments, and audit results for specific security and privacy frameworks. All are important, but risk assessments will need to examine the effectiveness and impact related to more than just the physical and virtual security. Another element of risk assessment should be evaluating the blended risks related to potential misinformation from the digital twin or even from the physical components reporting to the twin. Elements of health and safety issues generated as a result of IoT applications will need to be assessed for risk and in supporting any due diligence claims.

Rethink the contingency plan and incident response plan
Using a digital twin or a mirrored environment means that the implications for contingency and incident response are different as well. Any changes to the contingency plan now should address simulated and automated capabilities wherever possible, including the effects of functioning in a degraded state. IoT and AI use creates automation that may already integrate automated failovers. The incident response plan will now face the challenge of coordinating supply chain incident responses, including cross-organizational coordination, from preparation through testing and reporting.

Remodel your policies, procedures and plans
The adaptive use of smart IoT and AI technologies in a digital twin or mirrored environment translates into a need for new policies that incorporate these new methods. Consider remodeling your plans first with extended customer and supplier networks. Then address the more granular levels of your policies and procedures. When updating these, remember to add supply chain elements that address expectations for security, security reporting and privacy into chain-of-trust relationships. These may be implemented using service level agreements that address the quality and completeness of reporting regarding events, issues and capabilities.

As the concept of twins and mirrors becomes more prominent, organizations and C-suite executives should apply changes using a balanced approach to due diligence. The expected coming publications of NIST SP 800-53, Rev. 5 and NIST SP 800-171, Rev. 2 may bring some additional focus changes for IoT vendors and users.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
