Article

Cybersecurity Digital Twins for Industrial Systems: From Literature Synthesis to Framework Design

by Konstantinos E. Kampourakis *, Vasileios Gkioulos and Sokratis Katsikas *
Department of Information Security and Communication Technology, Norwegian University of Science and Technology, 2802 Gjøvik, Norway
* Authors to whom correspondence should be addressed.
Information 2026, 17(3), 286; https://doi.org/10.3390/info17030286
Submission received: 12 February 2026 / Revised: 6 March 2026 / Accepted: 11 March 2026 / Published: 12 March 2026

Abstract

Digital Twins (DTs) are increasingly recognized as a strategic technology for enhancing cybersecurity in industrial environments, particularly in the face of rising threats targeting Operational Technology (OT). After comparatively examining closely related DT–cybersecurity frameworks to position the contribution within the existing research landscape, this paper presents a systematic literature review and comparative analysis of 19 recent DT-based cybersecurity studies, focusing on their relevance to incident detection and response in sectors such as Industrial Internet of Things (IIoT), manufacturing, and energy. The analysis evaluates each study across multiple dimensions, including attack types, detection and response mechanisms, DT integration, and technology stacks. From this review, we derive a consolidated set of requirements, categorized as functional, non-functional, security-specific, and domain-specific. These requirements serve as the foundation for a novel, cybersecurity-focused, ISO 23247-based framework. The proposed architecture formalizes a DT-enabled incident detection and response lifecycle aligned with ISO 23247. It is explicitly mapped to the derived requirements and detailed with practical implementation considerations. This work contributes a structured, evidence-based approach to DT-based security engineering and offers a reference design for researchers and practitioners aiming to build resilient, adaptive cybersecurity solutions in industrial settings.

1. Introduction

The continuous digital evolution of industrial environments is introducing both new capabilities and critical security challenges. The main driver of this shift is the increasing convergence of Operational Technology (OT) with Information Technology (IT) systems [1]. This has inevitably expanded the risk landscape, exposing Cyber–Physical Systems (CPSs) to progressively more cyber threats. In other words, the risk of cyber–physical attacks has moved far beyond theoretical speculation, as demonstrated by high-impact incidents such as the Stuxnet malware [2], which manipulated PLC logic to silently alter centrifuge operation while concealing its effects from operators. The nature of these threats varies, ranging from system-level disruptions to targeted attacks on control logic, compromising both system safety and integrity. Beyond technical disruption, cyber–physical attacks carry substantial economic and operational consequences. Recent industry reports indicate that ransomware incidents targeting manufacturing have caused billions of dollars in downtime losses, while the average cost of an industrial data breach may exceed USD 5 million per event [3,4]. In operational environments, unplanned downtime caused by cyber incidents can reach six-figure losses per hour, particularly in the energy and manufacturing sectors [5]. These real-world figures show that industrial cybersecurity failures pose not only safety risks but also material business liabilities. Consequently, enhancing the security posture of industrial systems is a strategic imperative for Critical Infrastructure (CI) operators and policymakers alike.
Nevertheless, assessing cybersecurity posture directly on operational systems remains difficult and often impractical, especially in CI environments. Live OT systems must maintain continuous availability and safety compliance, and many rely on legacy technologies that cannot tolerate intrusive testing, active scanning, or simulated attacks without risking operational disruption. In this context, Digital Twin (DT) technology has emerged as a promising solution to these challenges. A DT’s ability to enable advanced cybersecurity functionalities, such as continuous monitoring, anomaly detection, predictive threat analysis, and rapid incident response, is facilitated through the creation of high-fidelity, real-time virtual replicas of physical assets and processes [6]. Their ability to simulate, assess, and adapt to various operational and threat conditions makes DT a supportive and proactive, intelligence-driven approach to industrial cybersecurity [7]. In the context of this paper, Figure 1 provides a conceptual representation of the connection between the DT and the physical asset. Specifically, the DT continuously synchronizes with real-world industrial systems to collect operational data, perform real-time analysis, and provide actionable insights for various cybersecurity functions.
The concept of a Cybersecurity Digital Twin (CS-DT) extends beyond passive replication of assets, as it can be utilized as an on-field, active measure of safeguarding industrial environments. A CS-DT is responsible for continuously monitoring IoT sensors and network traffic to detect anomalies in real time, reducing the Mean Time to Detect (MTTD) and Mean Time to Recovery (MTTR) through automated containment, rollback, and adaptive response [8,9]. It further enhances resilience through simulated cyber attacks, penetration testing support, and modeling of cascading failures without disrupting live operations [10], analogous to cyber ranges [11,12] and security testbeds [13]. Furthermore, integrating the CS-DT with Security Information and Event Management (SIEM) systems and Cyber Threat Intelligence (CTI) platforms can also provide forensic data collection and context-aware risk evaluation using metrics such as the Common Vulnerability Scoring System (CVSS) [14,15]. On top of that, its modular, standards-aligned architecture, compatible with NIST CSF [16] and IEC 62443 [17], ensures interoperability with existing systems while scaling across diverse CI domains. In this sense, the CS-DT can operate as both a defensive mechanism and a proactive instrument for incident detection, analysis, and response. Despite these promising capabilities, the practical use of CS-DTs for end-to-end cybersecurity in industrial environments remains fragmented. Existing approaches often address isolated functions, such as anomaly detection, simulation, or response orchestration, but rarely integrate them into a coherent, standards-aligned workflow. This gap highlights the need for a systematic assessment of current DT-based security solutions and for a unified framework that operationalizes these capabilities in a consistent and interoperable manner.
Contribution: The current work first presents a systematic investigation into the role of DTs in cybersecurity incident detection and response within industrial environments. Unlike prior works that often focus on broader DT applications or isolated technical aspects, this study centers specifically on the intersection of DTs and cybersecurity in operational settings such as power grids, manufacturing plants, and industrial IoT (IIoT) networks. Through our extensive analysis of the existing literature on recent DT-based security frameworks, we synthesize current trends, identify key architectural patterns, and outline the technical roles that DTs fulfil across the incident detection and response lifecycle. Second, building on this analysis, we design a cybersecurity-focused DT framework for manufacturing based on the ISO 23247 integration standard [18]. The framework embeds four additional dedicated Feature Elements (FEs), namely Data Ingestion & Synchronization, Anomaly Detection, Incident Response, and Adaptive Learning, directly into the standard’s entities. These Feature Elements are derived from the evidence-based requirement gaps identified through the SLR. As a result, the framework is structured to enable secure data flow, real-time threat detection, and verifiable response sequencing at the architectural level. The rationale for selecting these four FEs is systematically derived from the SLR findings and requirement analysis presented in Section 4 and Section 5.
This paper’s scope is restricted to frameworks that embed DTs specifically into industrial cybersecurity workflows. The contributions focus on synthesized requirements, DT-security threat surfaces, and a standards-aligned reference framework mapped to ISO 23247 baseline entities. The aim is to explicitly expand the framework’s entities, without modifying the core reference architecture. Although DTs are widely deployed for real-time industrial monitoring, predictive maintenance, and optimization, security-specific DT engineering that closes the loop from anomaly reasoning to safe containment prior to control-plane actuation is rarely standardized or empirically exercised. This work contributes an architecture-level generalization that emphasizes incident-handling enforceability, evidence-derived requirements, plant-safe validation sequencing, and SOC feedback integration, addressing gaps not resolved by real-time DT monitoring alone. Specifically, the main scope of this paper is:
  • To analyze the current state of DT-based cybersecurity frameworks in industrial environments.
  • To extract a set of requirements to inform the design and development of a robust and adaptive DT-based cybersecurity framework.
  • To perform a targeted risk assessment that identifies DT-specific threat vectors and mitigation strategies across representative industrial sectors.
  • To develop a structured DT-based cybersecurity framework, powered by advanced technologies, for scalable and adaptive incident detection and response.
The remainder of the paper is structured as follows: The following section reviews recent surveys on DTs and cybersecurity, with a comparative analysis of their scope and limitations. Section 3 outlines the systematic literature review (SLR) process, as well as the steps followed for designing our proposed framework. Section 4 then discusses the selected studies in depth, summarising use-cases, attack types, detection techniques, response mechanisms, DT roles, and underlying technologies across multiple industrial sectors. Section 5 distills this evidence into a structured set of functional, non-functional, security-specific, and domain-specific requirements that a modern DT-centric security architecture must satisfy. Finally, Section 6 synthesizes the previous insights into an ISO 23247-aligned DT security framework, and Section 7 concludes the paper and proposes directions for future research in DT-enabled cybersecurity.

2. Related Work & Research Positioning

This section reviews existing literature related to the use of DTs for cybersecurity incident detection and response, with a particular emphasis on industrial environments. Given the specific scope of this review, broader surveys on DTs or general cybersecurity, such as those in [19,20,21,22], which primarily address architectural considerations or overarching security concerns, are intentionally excluded. We focus exclusively on works published between 2020 and 2025, as no significant research aligning with our criteria was identified before this timeframe. The analysis centers on studies that explicitly integrate DTs into cybersecurity workflows for incident detection and response within industrial or CI contexts. Moreover, we include works that have a clear relevance to this focus, with a particular preference given to studies that propose or discuss structured frameworks for DT-enabled cybersecurity. This broader inclusion allows for a comprehensive comparative analysis of the current research landscape and highlights the specific contributions relevant to industrial environments. Table 1 summarizes these works in reverse chronological order, evaluating them across six key dimensions: use of DTs, cybersecurity focus, incident detection, incident response, industrial environment applicability, and the presence of a structured framework.
The authors in [23] present a comprehensive review on the convergence of DTs and AI for cybersecurity across various industrial domains. They highlight how DTs, when integrated with AI, enhance system resilience by enabling real-time monitoring, simulation, and autonomous decision-making within CPS. The authors discuss the architectural components of DTs, particularly focusing on their evolution from simple digital models to fully interactive cyber–physical mirrors. They examine common misconceptions and clarify the differences between digital models, shadows, and twins. Importantly, the work explores cybersecurity challenges across DT ecosystems, including threats to IoT devices, sensor data integrity, and communication protocols, while emphasizing the limitations of current security standards. A layered DT architecture is proposed, outlining how each layer (physical, data, service, or application) introduces unique security needs. The study also categorizes DT protocols, identifies key vulnerabilities, and discusses mitigation techniques using public key infrastructure, anomaly detection, and multi-layered intrusion detection systems. This work contributes a valuable synthesis of DT security challenges, threat models, and AI-driven solutions, making it a key reference for understanding the cybersecurity landscape in industrial DT applications. Nevertheless, it does not deliver a structured, end-to-end framework explicitly designed for incident detection and response in industrial environments.
The authors in [24] provide a comprehensive survey, highlighting the evolution of DTs beyond traditional modeling into domains requiring real-time synchronization, predictive analytics, and large-scale integration. Their work underscores the importance of DTs in enabling closed-loop control, proactive system optimization, and resilient network operations, particularly in 5G and 6G contexts. The survey also outlines major barriers to widespread DT adoption, including issues related to standardization, interoperability, latency, and cybersecurity. Furthermore, the authors map out the current ecosystem of software tools and standardization bodies, offering valuable insights into how the field is maturing technically and organizationally. This work establishes a strong foundation for understanding how DTs can support scalable, secure, and intelligent industrial applications. However, it does not specifically address incident detection or response mechanisms within industrial cybersecurity contexts, nor does it provide a structured framework approach.
The work in [25] conducts a comprehensive SLR on the integration of DTs with Distributed Ledger Technologies (DLTs), particularly focusing on enhancing data security, trustworthiness, and auditability in DT-based systems. The paper identifies key challenges in securing heterogeneous and potentially untrustworthy data streams in CPS and argues that DLTs, such as blockchains, can provide immutability, transparency, and decentralized validation for DT operations. The authors analyze 61 selected studies, answering seven research questions related to use cases, architectural requirements, and implementation challenges in DT-DLT integration. Based on this review, they propose a domain-agnostic reference architecture for DT systems leveraging DLTs and validate it through two proof-of-concept implementations across different industrial scenarios. Their work highlights the potential of combining DTs with blockchain to mitigate threats like data tampering and to improve system reliability in Industry 4.0 contexts. While this work provides meaningful insights into security and trust frameworks, it does not concentrate on real-time incident detection or coordinated response mechanisms within DT-driven cybersecurity environments.
The authors in [26] present a comprehensive survey of DT technologies, focusing on their architectural design, enabling tools, security challenges, and operational requirements. Their work categorizes DTs into various application domains, such as manufacturing, energy, healthcare, and smart cities, and introduces a layered DT architecture spanning data acquisition, synchronization, modeling, and visualization. A key contribution of this study is a unified security framework that classifies threats and vulnerabilities across DT layers, proposing mitigation strategies including AI, blockchain, and access control mechanisms. While the survey offers a broad view of DT adoption and security considerations, its scope is cross-domain and does not exclusively target industrial environments. The work remains general in scope and does not offer an in-depth exploration of incident-level detection or response mechanisms tailored to industrial CPS environments.
In [27], the authors provide a critical review of DTs as enablers of enhanced security and operational efficiency within CPS and Industry 4.0 environments. The study positions DTs as a transformative technology that bridges physical and virtual realms, supporting real-time simulation, streamlined operations, and advanced modeling of security threats. The review highlights DTs’ contributions across the product lifecycle, from design through to operation and optimization, while emphasizing their role in fostering resilience, adaptability, and interoperability in smart manufacturing and industrial automation systems. Furthermore, the authors discuss the integration of DTs with emerging technologies such as IoT, AI, and blockchain, and identify ongoing challenges related to data privacy, cybersecurity, and system reliability. While this work provides a valuable overview of response strategies within CPS, it does not propose specific methods or frameworks for incident detection.
The study in [28] offers a comprehensive review of the evolution from traditional to smart and decentralized grids, ultimately framing the concept of the “Electric DT Grid” as a convergence point of real-time monitoring, predictive modeling, cybersecurity, and cloud-based energy management. Unlike prior studies focusing on isolated grid elements, this review emphasizes a layered DT framework comprising online analysis, cloud integration, communication protocols, and self-healing capabilities. It also outlines the integration of advanced technologies like ML, blockchain, and real-time Supervisory Control and Data Acquisition (SCADA) updates to improve fault prediction, energy optimization, and cybersecurity resilience. The study identifies current technical challenges, including communication latency, data overload, and cybersecurity vulnerabilities, while also mapping a future roadmap for DT implementation in national grid systems. This work stands out for presenting a holistic, multi-layered perspective that incorporates both technical architecture and strategic management of DTs in critical energy infrastructure. While the study provides a broad architectural perspective, it does not explicitly develop or evaluate frameworks for DT-based incident detection and response workflows.
In Table 1, the “Industrial Environment” dimension reflects the degree to which a study explicitly targets operational industrial or CI contexts. Full coverage denotes domain-specific validation or architectural grounding in concrete industrial use cases, whereas partial coverage indicates conceptual or cross-domain relevance without empirical industrial deployment or sector-specific adaptation. Moreover, while all reviewed works emphasize the role of DTs, often in conjunction with enabling technologies such as AI or blockchain, their coverage of incident detection and incident response varies notably. Studies such as [23,24,25] offer strong contributions in cybersecurity and architectural modeling, yet they either omit or only partially address detection and response processes. Notably, refs. [26,27] advance the field through layered architectures and resilience-oriented strategies but fall short of providing full integration of incident detection and incident response mechanisms. Although ref. [28] proposes a forward-looking vision for DTs in smart grids, its approach addresses detection and response at a high level without linking them into a coordinated security lifecycle. In contrast, the present work distinguishes itself by fully addressing all six dimensions, delivering a structured synthesis of DT integration, security modeling, incident detection, and response strategies, all within the context of industrial environments. This positions the study as a unique and valuable reference for advancing DT-enabled cybersecurity frameworks in critical industrial applications.
The works reviewed in this section are not part of the systematic literature review corpus analyzed in Section 4. Rather, they represent closely related survey and framework contributions that motivate the need for a focused SLR on DT-enabled incident detection and response in industrial environments. The structured selection, screening, and analysis of the 19 primary studies forming the evidence base of this work are described in the following section.

3. Methodology

As stated in Section 1, this work adopts a dual-method approach: first, an SLR is conducted to synthesize the current state of DT-based cybersecurity frameworks in industrial environments; and second, the insights and gaps identified through the SLR directly inform the requirements engineering and design decisions for the development of a structured, ISO 23247-based DT framework.
Although various SLR approaches exist, such as those found in usability capability/maturity reviews [29] and qualitative meta-syntheses [30], this study adopts a reproducible SLR protocol defined by explicit search queries, database selection criteria, predefined inclusion and exclusion rules, reproducible screening steps, and independent dual-reviewer screening, so that the selection is consistent and traceable. The following steps were undertaken:
  • Major scientific databases (Scopus, ScienceDirect, IEEE Xplore, ACM) were searched. These databases were prioritized due to their focused relevance to DT and industrial systems research, stemming from their robust coverage and strength in engineering, computer science, and applied technology domains. While SpringerLink and Web of Science are comprehensive indexing services, preliminary scoping searches indicated substantial duplication of records already indexed in Scopus and IEEE Xplore for the specific query formulation. Given the highly targeted nature of our search string and strict inclusion criteria, we prioritized databases with strong coverage in engineering and applied cybersecurity research to ensure thematic precision while limiting redundant screening overhead.
  • The search query was: “Digital Twins” AND (“incident detection” OR “incident response”) AND (“cybersecurity”) AND (“framework”). We acknowledge that this formulation may exclude some relevant studies, for example, those using terms such as intrusion detection, attack detection, or alternative descriptors like architecture or model instead of framework. To mitigate this, we complemented the core query with additional synonym searches and manual screening. Specifically, we ran secondary queries replacing (“incident detection”)/(“incident response”) with terms such as (“intrusion detection”) and (“attack detection”), and replaced (“framework”) with (“architecture”) or (“model”). During full-text screening, papers that did not use our exact query terms but clearly addressed DT-assisted cybersecurity for incident detection and/or response in industrial or CI settings were manually included.
  • Literature published between 2020 and 2025 was examined.
As already mentioned, to ensure a focused and highly relevant dataset, the review deliberately restricted the publication window to 2020–2025. This period was chosen because it reflects the rapid technical maturation of DT applications, particularly in the specialized fields of cybersecurity and industrial domains. Earlier works often lacked concrete implementations or direct security relevance, making them less relevant to the specific scope of this review. Similarly, the search query prioritized precision and clarity over breadth by combining terms directly targeting DTs, cybersecurity, incident detection or response, and framework suggestions. While this approach may have excluded some peripheral interdisciplinary works, it ensured thematic consistency by focusing on studies that directly addressed DTs for incident detection and response in cybersecurity. Although many of these works are relatively recent and citation-based impact remains limited, their methodological and technical alignment with our research objectives makes them the most relevant contributions to include.
The selection process, guided by the inclusion and exclusion criteria outlined in Table 2, is illustrated in Figure 2. The relatively focused corpus size reflects the specificity of the search string, which required the simultaneous presence of “Digital Twins,” “cybersecurity,” “incident detection” or “incident response,” and “framework,” within an industrial context. Broader DT security studies that did not explicitly address incident workflows or framework design were excluded during screening. As a result, although DT cybersecurity is an active field, only a limited subset of publications directly met the combined criteria. Two independent reviewers conducted the screening and extraction process to reduce selection bias, and disagreements were resolved through consensus discussion. Only peer-reviewed literature presenting an explicit DT security role for incident detection and/or response in industrial or CI environments informed the final corpus. Studies not meeting these quality expectations were excluded prior to synthesis. Of the 77 full-text articles assessed for eligibility, 58 were excluded for the following primary reasons: (i) lack of explicit focus on incident detection or response within a cybersecurity context, (ii) absence of DT integration beyond conceptual mention, (iii) non-industrial application domain, or (iv) absence of a structured framework or architectural contribution. Only studies satisfying all inclusion criteria were retained, resulting in a final corpus of 19 publications. The final set of studies formed the evidence base for requirements derivation and framework design. We acknowledge that limiting the search to selected databases may introduce residual selection bias. However, complementary synonym-based searches and manual full-text screening were conducted to mitigate this risk.
Following the SLR, the methodology transitions into the design and development phases of the DT-based cybersecurity framework. Specifically, Section 5 and Section 6 present a structured approach for deriving and formalizing requirements, analyzing the core functionalities and cybersecurity capabilities of DTs, and synthesizing these insights into a comprehensive framework. The methodology combines empirical findings from the reviewed literature with theoretical principles and domain-specific constraints to ensure that the proposed framework is technically robust, practically viable, and aligned with real-world industrial cybersecurity challenges. This multiphase methodological approach provides a coherent transition from literature review to framework development, ensuring the proposed system is grounded in evidence and adapted to emerging security requirements.

4. Literature Review

This section presents the analysis of the 19 primary studies derived through the structured SLR process described in Section 3, regarding DT frameworks for incident detection and response in industrial environments. As detailed in Section 3, the scope of the included works is strongly related to incident detection or response in cybersecurity. Readers seeking broader perspectives on DT-based incident detection and response, beyond the cybersecurity domain, are encouraged to consult studies like the ones in [19,31,32,33]. More specifically, this section covers multiple industrial sectors, such as IIoT, ICS, smart grids, and others, with each included work presenting a distinct use case. The studies presented in this section are organized by sector. Moreover, this section examines key criteria defining the role of DTs in cybersecurity. The discussion covers the types of cyber attacks addressed by DT-based frameworks, as well as the detection techniques employed to identify and mitigate security threats. Furthermore, this section explores the DT role in cybersecurity frameworks and provides insight into the underlying technologies, protocols, and platforms leveraged in each work. Such technologies include SCADA systems, Open Platform Communications—Unified Architecture (OPC-UA), AI models, and communication protocols, which collectively enable the implementation and integration of DTs within complex industrial environments. Key criteria are summarized at the end of each subsection, particularly in Table 3, Table 4 and Table 5. In line with the inclusion criteria, studies were retained if they explicitly addressed incident detection, incident response, or both. Accordingly, some works emphasize only one dimension of the incident lifecycle, which is reflected in the comparative tables.

4.1. ICS & IIoT

The work in [34] highlights the growing cybersecurity risks in CPS, particularly in industries like automotive manufacturing, where cyber attacks can cause severe consequences. The authors propose a structured framework that incorporates Security-Enhancing DTs (SEDTs) to improve incident response and address the identified risks. The proposed framework consists of the following four phases: (a) prerequisites (identifying critical assets and mapping them to SEDTs), (b) design-and-engineering (developing and deploying SEDTs with appropriate fidelity and interaction models), (c) operation-and-maintenance (integrating SEDTs into security workflows for continuous monitoring, threat detection, and response), and (d) end-of-life (managing the archiving or disposal of SEDTs). The authors then present a case study on automotive manufacturing demonstrating the framework’s effectiveness in detecting and mitigating cyber threats, such as attacks on programmable logic controllers (PLCs) in welding processes. They also identify real-world challenges in implementing SEDTs, including resource constraints, data governance, and integration with existing cybersecurity tools like SIEM and IDS.
The authors in [35] propose a Cyber Twin Technology framework that extends DT concepts to enhance real-time software security in large-scale IoT ecosystems, with direct implications for industrial automation environments. The proposed architecture leverages AI-driven DTs, referred to as Cyber Twins, that create real-time digital replicas of IoT devices to enable predictive anomaly detection, autonomous response, and system optimization. Core components include Convolutional Neural Networks (CNNs) for intrusion detection, Generative Adversarial Networks (GANs) for simulating attack scenarios, and reinforcement learning for adaptive threat mitigation. The framework also integrates advanced ML methods, including Explainable AI (XAI) and Federated Learning (FL), to ensure model transparency and data privacy across distributed systems. The evaluation is carried out in a simulated IoT environment with 1000 devices, where the framework achieved high detection accuracy, reduced false positives, and significantly improved adaptation speed and energy efficiency. These features establish the Cyber Twin approach as a scalable, intelligent layer for real-time incident detection and response in complex, resource-constrained industrial ecosystems.
The study in [36] proposes a DT-based cyber attack detection framework to enhance security in Cyber–Physical Manufacturing Systems (CPMS) by leveraging real-time data, simulation models, and ML techniques. The framework aims to differentiate between expected system anomalies and cyber attacks, a major challenge in manufacturing security due to the dynamic nature of industrial processes and transient system responses. The authors introduce a multi-layer DT architecture that integrates data-driven ML models, physics-based models, and expert knowledge to analyze abnormalities in manufacturing processes. The framework includes a cybersecurity DT, which utilizes anomaly detection, consistency checks, and historical data analysis to identify cyber threats. The system is tested on an off-the-shelf 3D printer, demonstrating its ability to detect cyber attacks while minimizing false positives caused by normal system fluctuations.
The authors in [37] investigate how DTs can be used to strengthen cybersecurity incident response in CPS. Securing CPS is inherently challenging, as it demands an understanding of both cyber and physical domains and involves coordination among various stakeholders. The authors analyze different modalities of DT applications across the phases of the incident response lifecycle, proposing a structured approach to integrating DTs into cybersecurity playbooks. These playbooks, essential for effective incident response, can be improved by incorporating DTs to provide better system monitoring, anomaly detection, and impact assessments. The paper illustrates this approach using a playbook for mitigating cyber attacks on ICS, particularly targeting PLCs. The proposed framework enhances incident response efficiency, reduces response times, and strengthens the resilience of CI against cyber threats.
The work in [38] presents the SOAR4IoT framework, a novel DT-based approach that integrates Security Orchestration, Automation, and Response (SOAR) mechanisms to manage and secure IoT assets within complex industrial systems. The framework leverages DTs as middleware to abstract and synchronize physical IoT devices and networks with their virtual counterparts, enabling real-time monitoring and incident response. The authors facilitate both proactive and reactive response workflows through playbooks addressing threats like Mirai botnets and Sybil attacks by incorporating replication-based DTs built on Eclipse Ditto. Their microservice architecture connects DTs, security tools such as SIEM systems, CTI platforms, and a custom SOAR platform that automates alert handling and remediation. Through practical experimentation with Zigbee-based industrial devices and edge nodes, the authors demonstrate the effectiveness of DTs in orchestrating security actions and streamlining the response process. The framework proves particularly valuable for securing heterogeneous and distributed IoT environments in industrial contexts, offering a scalable, open-source alternative to commercial SOAR platforms.
The authors in [39] present a notable real-world implementation of DT technology for ICS cybersecurity. This involves the deployment of a DT-based security framework in an industrial filling plant, where DTs are used to simulate industrial processes, detect abnormal behavior, and classify cyber intrusions. In this use case, the role of the DT is to continuously analyze real-time sensor data from the production line and compare it against simulated operational models to detect discrepancies indicative of cyber attacks. For classification purposes, ML algorithms were integrated into the DT in order to identify different types of intrusions, including command injection attacks, network-based DoS attempts, and unauthorized firmware modifications. Upon detecting an attack, the DT automatically triggers response protocols, such as isolating the compromised system or reverting PLCs to a known safe state. This approach not only improves real-time intrusion detection capabilities but also provides incident response teams with a comprehensive forensic analysis of incidents.
The contribution in [40] proposes a comprehensive SDN-enabled security framework for IIoT networks, combining Manufacturer Usage Description (MUD) profiles with network DTs to enhance behavioral profiling and incident detection. The framework uses a dual-layered intrusion detection approach: specification-based (using static MUD profiles) and anomaly-based (leveraging ML for real-time traffic analysis). In this case, a key innovation is the use of a network DT that simulates the operational environment, including devices, traffic, and policies, to validate configurations and test countermeasures before applying them to the physical infrastructure. The system performs predictive threat modeling, detects rogue device behavior, and applies flow-rule-based mitigation with high accuracy and low latency. Evaluations demonstrate superior performance in detecting attacks such as Mirai botnets, while also offering scalable deployment on edge gateways. This hybrid architecture strengthens DT-driven resilience by integrating deep behavioral monitoring, proactive policy validation, and dynamic rule enforcement in industrial networked environments.
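To make the dual-layered detection described for [40] concrete, the following is an added example written for this review; it is not code from [40] or from any project the paper describes. The specification layer is a simplified MUD-style allowlist of permitted (protocol, destination, port) tuples, the anomaly layer is a per-destination byte-volume baseline standing in for the ML traffic model, and the mitigation output is an SDN-style drop rule of the kind the network twin would validate before it is pushed to the edge gateway. The device name, addresses, profile contents and traffic windows are all constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed, simplified MUD-style profile for a hypothetical IIoT sensor gateway.
# A real MUD file (RFC 8520) is a YANG-modelled JSON document; only the access-control
# essence is kept here: the (proto, dst, dport) tuples the device is allowed to use.
MUD_PROFILE = {
    "device": "iiot-sensor-gw-01",           # hypothetical device name
    "allowed_flows": {
        ("tcp", "10.0.1.5", 1883),           # MQTT broker
        ("tcp", "10.0.1.20", 502),           # Modbus/TCP historian
        ("udp", "10.0.1.1", 123),            # NTP
    },
}

@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int
    nbytes: int

def flow_key(f: Flow) -> tuple:
    return (f.proto, f.dst, f.dport)

def spec_check(key: tuple, profile: dict) -> bool:
    """Specification layer: a flow is permitted only if the MUD profile lists it."""
    return key in profile["allowed_flows"]

def window_totals(window: list) -> dict:
    """Aggregate bytes per (proto, dst, dport) over one observation window."""
    totals: dict = {}
    for f in window:
        totals[flow_key(f)] = totals.get(flow_key(f), 0) + f.nbytes
    return totals

class VolumeBaseline:
    """Anomaly layer: per-destination byte volume learned from benign windows.
    A stand-in for the ML traffic model; flags totals above mean + k * std."""
    def __init__(self, k: float = 3.0):
        self.k = k
        self.history: dict = {}

    def learn(self, window: list) -> None:
        for key, total in window_totals(window).items():
            self.history.setdefault(key, []).append(total)

    def is_anomalous(self, key: tuple, total: int) -> bool:
        samples = self.history.get(key, [])
        if len(samples) < 2:
            return False                      # too little history to judge
        mu, sigma = mean(samples), pstdev(samples)
        return total > mu + self.k * max(sigma, 1.0)   # floor sigma so a flat baseline still alerts

def mitigation_rule(key: tuple) -> dict:
    """Constructed SDN-style flow rule that drops the offending key at the edge gateway."""
    proto, dst, dport = key
    return {"match": {"proto": proto, "dst": dst, "dport": dport}, "action": "drop", "priority": 100}

def evaluate_window(window: list, profile: dict, baseline: VolumeBaseline):
    """Run both layers over one window; returns per-key verdicts and the drop rules to install."""
    verdicts, rules = {}, []
    for key, total in window_totals(window).items():
        if not spec_check(key, profile):
            verdicts[key] = "spec_violation"
        elif baseline.is_anomalous(key, total):
            verdicts[key] = "volume_anomaly"
        else:
            verdicts[key] = "allowed"
            continue
        rules.append(mitigation_rule(key))
    return verdicts, rules

def demo():
    """Constructed traffic: five benign windows to learn from, then one window with a
    flood towards the MQTT broker and an unexpected connection to an external host."""
    baseline = VolumeBaseline()
    for mqtt_bytes in (1200, 1250, 1180, 1220, 1210):
        baseline.learn([
            Flow("tcp", "10.0.1.5", 1883, mqtt_bytes),
            Flow("tcp", "10.0.1.20", 502, 400),
            Flow("udp", "10.0.1.1", 123, 96),
        ])
    suspicious = [
        Flow("tcp", "10.0.1.5", 1883, 50_000),      # volume far above the learned baseline
        Flow("tcp", "10.0.1.20", 502, 400),
        Flow("udp", "10.0.1.1", 123, 96),
        Flow("tcp", "203.0.113.7", 23, 300),        # destination not in the MUD profile at all
    ]
    return evaluate_window(suspicious, MUD_PROFILE, baseline)
```

The two layers are deliberately independent: the specification check needs no history and catches anything the manufacturer never declared, while the volume baseline catches abuse of a permitted flow. The sigma floor matters in practice, because constant-rate protocols such as NTP produce a zero-variance baseline that would otherwise alert on a one-byte change.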
The study in [41] presents a process-based framework that effectively integrates DT security simulations with Security Operations Centers (SOCs) and SIEM systems to enhance incident detection and response in industrial environments. By leveraging DTs to emulate cyber–physical systems, the framework enables simulation of security incidents such as Man-in-the-Middle (MitM) attacks on industrial control assets, allowing SOCs to analyze incident behavior and develop corresponding SIEM detection rules. The paper’s practical implementation, using an industrial filling plant and a microservice architecture including MiniCPS, Logstash, and Dsiem, demonstrates how DT-generated log data can be utilized for incident analysis, risk calculation, and real-time alerting. This approach not only supports preemptive identification of vulnerabilities during the design phase of assets but also provides a scalable, modular method for proactive cybersecurity management in ICS. This work advances the operational maturity of DTs as a strategic component in cyber defense for industrial systems by embedding DT simulations into the SOC’s workflow.
Overall, Table 3 demonstrates the most concentrated application of DT-based cybersecurity frameworks. Across these works, anomaly detection and intrusion monitoring are consistently emphasized, often through ML or AI-driven methods such as CNNs, GANs, or hybrid MUD+SDN approaches. Incident response, however, is addressed unevenly: while some studies propose automated playbooks, rollback mechanisms, or SOC integration, others omit concrete response logic entirely. A further strength of this sector lies in the diversity of DT roles, like lifecycle twins, network replicas, and middleware synchronization, which illustrates adaptability across use cases such as ICS playbooks, IIoT orchestration, and CPMS anomaly detection.
Table 3. DT-based cybersecurity studies in ICS and IIoT.

| Tag | Work/Year | Sector | Use Case | Attack Types | Detection | Response | DT Role | Tech Stack |
|---|---|---|---|---|---|---|---|---|
| 1 | Suhail et al. [34] (2025) | Automotive | ICS protection via SEDTs | Attacks against PLC | Conceptual/Not explicitly implemented | Threat mitigation | Lifecycle twin | SIEM, IDS |
| 2 | Sunkara et al. [35] (2024) | IIoT | Cyber Twin with AI/ML | Malware, spoofing | CNN, GAN, RL | Autonomous response | Per-device twin | XAI, FL, RL |
| 3 | Balta et al. [36] (2023) | CPMS | DT-based attack detection | Spoofing | ML-based anomaly detection | N/A | Multi-layer twin | 3D printer |
| 4 | Allison et al. [37] (2023) | ICS/CPS | DT-driven IR playbooks | ICS logic attacks | Network monitoring, anomaly detection | Response playbooks | Lifecycle DT support | ICS stack |
| 5 | Empl et al. [38] (2022) | IIoT | SOAR4IoT with DT | Mirai, Sybil | DT-based monitoring | Automated playbooks | Middleware sync | Eclipse Ditto, SIEM, CTI |
| 6 | Varghese et al. [39] (2022) | ICS/Industrial automation | Intrusion detection | DoS, injection | ML, anomaly detection | Auto rollback | Sensor-model DT | MiniCPS, PLC |
| 7 | Krishnan et al. [40] (2021) | IIoT | MUD + SDN profiling | Mirai botnet | MUD + ML | Flow-rule-based mitigation | Network twin | SDN, edge gateways |
| 8 | Dietz et al. [41] (2020) | ICS | SOC-integrated sim | MitM | Simulation logs, SIEM rules | SOC alerts | SIEM rule-gen twin | MiniCPS, Dsiem, SIEM |

4.2. Smart Grids and Energy Systems

The authors in [42] propose a Deep Learning (DL)-driven cybersecurity framework that integrates a cyber–physical DT to enhance intrusion detection and response in Smart Grid Control Systems (SGCS). By modeling both the physical and cyber layers, including SCADA systems, substations, and communication networks, the DT enables real-time training, testing, and fine-tuning of detection models using synthetic cyber threats. The authors utilize a hybrid approach combining SVM and K-NN within a DL framework, improving the detection of both known and novel attack patterns, including False Data Injection (FDI) and DoS attacks. The DT serves not only as a simulation tool but also as a proactive defense mechanism, incorporating scenario analysis, anomaly injection, dynamic learning, and cyber-range simulations to optimize security policies and incident response strategies. The system is validated on real SGCS datasets and shows superior performance over traditional IDS in handling data imbalance and evolving threats, which makes it a highly effective tool for safeguarding CI in industrial environments.
The contribution in [43] proposes a modular, real-time, and interactive DT-enabled metaverse framework for photovoltaic (PV) power plants. The architecture integrates SCADA systems, OPC-UA protocols, and a fault detection subsystem using ML to provide an intelligent, real-time operational environment. The framework ensures interoperability and live monitoring across hardware and software components by leveraging Unity as the front-end and incorporating standardized protocols like IEC 61850 [44]. The authors utilize a Python-based fault detection service, fed with SCADA and environmental data, to continuously evaluate anomalies and communicate alerts via the OPC-UA server. The system’s decoupled design enables seamless integration of external APIs, cloud-based scalability, and modular updates without disrupting the platform. A case study on a 150 kW PV plant demonstrates the framework’s potential for proactive fault management and immersive visualization, providing a valuable digital tool for improving resilience, operational oversight, and rapid incident response in industrial energy infrastructures.
The authors in [45] propose a DT-based safety analysis framework for CPS under cyber attacks, specifically tailored for industrial automation environments like conveyor systems. The core contribution of this work is the integration of a probabilistic Mealy automaton to model cascading component deviations triggered by cyber attacks such as static spoofing and control logic manipulation. The authors simulate cyber attack propagation and measure safety-critical behavioral shifts by synchronizing a physical testbed, based on Siemens PLCs, with a Factory I/O virtual replica via MQTT [46]. They introduce a three-state model, which includes conformity, partial deviation, and complete deviation, to quantify unsafe transitions in system behavior. The experimental results demonstrate how deviations in one component, for example, a sensor or actuator, cascade across dependent components, ultimately affecting system safety and operational integrity. Overall, this framework enables proactive risk assessment and mitigation by allowing real-time monitoring and analysis of cyber-induced anomalies.
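As an added illustration of the three-state deviation model and its cascade across dependent components (example code written for this review, not code from [45] or its testbed), the following implements a probabilistic Mealy automaton over the states conformity, partial deviation and complete deviation. Each sync tick compares a component's physical reading with the twin's value and maps the discrepancy to an input symbol; a downstream component additionally inherits the input implied by its upstream neighbour's most likely state at the previous tick, which is how one component's deviation propagates along the chain. The transition probabilities, tolerance, component chain and readings are constructed for the example and are not values reported by the paper.

```python
CONFORM, PARTIAL, COMPLETE = "conformity", "partial_deviation", "complete_deviation"
STATES = (CONFORM, PARTIAL, COMPLETE)
SEVERITY = {"match": 0, "minor": 1, "major": 2}
STATE_TO_INPUT = {CONFORM: "match", PARTIAL: "minor", COMPLETE: "major"}

# Constructed probabilistic Mealy transition table: (state, input) -> {next_state: probability}.
# Inputs are the per-tick discrepancy class between the physical reading and the twin's value.
TRANSITIONS = {
    (CONFORM, "match"):  {CONFORM: 1.0},
    (CONFORM, "minor"):  {CONFORM: 0.3, PARTIAL: 0.7},
    (CONFORM, "major"):  {PARTIAL: 0.2, COMPLETE: 0.8},
    (PARTIAL, "match"):  {CONFORM: 0.5, PARTIAL: 0.5},        # recovery is possible
    (PARTIAL, "minor"):  {PARTIAL: 0.6, COMPLETE: 0.4},
    (PARTIAL, "major"):  {PARTIAL: 0.1, COMPLETE: 0.9},
    (COMPLETE, "match"): {PARTIAL: 0.3, COMPLETE: 0.7},
    (COMPLETE, "minor"): {PARTIAL: 0.1, COMPLETE: 0.9},
    (COMPLETE, "major"): {COMPLETE: 1.0},                     # absorbing under sustained attack
}

def classify(physical: float, virtual: float, tol: float) -> str:
    """Map the physical/virtual discrepancy to an automaton input symbol."""
    d = abs(physical - virtual)
    return "match" if d <= tol else "minor" if d <= 3 * tol else "major"

def mealy_output(state: str, symbol: str) -> str:
    """Mealy output: depends on the current state and the input symbol."""
    if state == COMPLETE or symbol == "major":
        return "unsafe"
    if state == PARTIAL or symbol == "minor":
        return "degraded"
    return "safe"

def step(dist: dict, symbol: str) -> dict:
    """Propagate a state distribution through one input symbol (forward computation)."""
    nxt = {s: 0.0 for s in STATES}
    for s, p in dist.items():
        for t, q in TRANSITIONS[(s, symbol)].items():
            nxt[t] += p * q
    return nxt

def p_unsafe(dist: dict, symbol: str) -> float:
    """Probability that the automaton emits 'unsafe' on this tick."""
    return sum(p for s, p in dist.items() if mealy_output(s, symbol) == "unsafe")

def likely(dist: dict) -> str:
    return max(dist, key=dist.get)

def run_cascade(chain: list, ticks: list, tol: float) -> list:
    """chain: component names, upstream first (e.g. sensor -> PLC logic -> actuator).
    ticks: one dict per sync tick mapping component -> (physical, virtual).
    A component's input is the worse of its own discrepancy class and the class implied by
    its upstream neighbour's most likely state at the previous tick (one-tick cascade lag).
    Returns, per tick, {component: {"dist": ..., "p_unsafe": ...}}."""
    dist = {c: {CONFORM: 1.0, PARTIAL: 0.0, COMPLETE: 0.0} for c in chain}
    history = []
    for tick in ticks:
        prev_state = {c: likely(dist[c]) for c in chain}
        snapshot = {}
        for i, c in enumerate(chain):
            own = classify(*tick[c], tol)
            inherited = STATE_TO_INPUT[prev_state[chain[i - 1]]] if i > 0 else "match"
            symbol = max(own, inherited, key=SEVERITY.get)
            snapshot[c] = {"p_unsafe": p_unsafe(dist[c], symbol)}
            dist[c] = step(dist[c], symbol)
            snapshot[c]["dist"] = dist[c]
        history.append(snapshot)
    return history

def demo() -> list:
    """Constructed conveyor scenario: a spoofed position sensor drifts away from the twin's
    value while the PLC logic and the motor actuator themselves report consistent values."""
    chain = ["sensor", "plc_logic", "actuator"]
    spoofed = [10.2, 11.0, 14.0, 15.0, 15.0]       # physical readings; the twin expects 10.0
    ticks = [{"sensor": (v, 10.0), "plc_logic": (1.0, 1.0), "actuator": (1.0, 1.0)} for v in spoofed]
    return run_cascade(chain, ticks, tol=0.5)
```

Running the scenario shows the cascade the paper describes: the sensor reaches complete deviation with probability 0.87 at the third tick while the actuator is still fully in conformity, and two ticks later the actuator has inherited the same 0.87, one hop and one tick at a time. Working with distributions rather than sampled trajectories keeps the analysis deterministic, which is what a twin needs when it must justify a safety verdict.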
The study in [47] introduces EPICTWIN, a DT designed for cybersecurity testing, research, and education in electric power systems, particularly smart grids and ICS. Built as a digital counterpart to the Electric Power and Intelligent Control (EPIC) test-bed, EPICTWIN integrates Virtual Machines (VMs), Docker containers, and industry-standard communication protocols such as MQTT, IEC61850, and Modbus to simulate cyber–physical interactions. The DT enables users to conduct real-world cyber attack simulations, including MitM and spoofing, and to test defense mechanisms like IDS in a controlled and cost-effective manner. To facilitate systematic security testing, the paper also introduces EpicSploit, an attack designer and launcher that allows researchers and operators to simulate and analyze cyber threats. A case study demonstrates a MitM attack on smart home loads in a smart grid environment, highlighting the DT’s capability to model vulnerabilities and assess potential countermeasures. The authors further discuss attack detection strategies, including anomaly-based and design-centric approaches, illustrating how EPICTWIN bridges the gap between cybersecurity research and real-world ICS applications. Overall, EPICTWIN enhances cybersecurity education, operator training, and the development of robust security solutions for CI by offering a scalable and accessible platform.
The authors in [48] investigate the cybersecurity of smart grids using a Cyber–Physical Twin (CPT) approach, which replicates a real-world power grid segment in a secure, isolated laboratory environment. The increasing integration of information and communication technology (ICT) into power grids introduces new vulnerabilities. The authors propose a CPT framework that combines co-simulation and a laboratory environment to replicate both the physical and ICT layers of a smart grid, enabling the study of cyber attacks without compromising the actual grid. They present a case study involving a microgrid in Terni, Italy, where a cyber attack scenario is simulated to demonstrate the approach’s effectiveness. The results highlight the impact of coordinated cyber attacks on grid operations and the importance of realistic environments for testing and validating cybersecurity measures. The CPT approach provides a valuable basis for generating attack data and developing countermeasures, ultimately enhancing the resilience of smart grids against cyber threats.
Table 4 illustrates a diverse application of DTs across smart grids, photovoltaic plants, and industrial automation systems. Most works emphasize anomaly detection and resilience testing, with techniques like hybrid ML approaches (e.g., SVM, KNN, DL) and domain-specific models. However, incident response is less uniformly addressed; while some studies incorporate simulation-based countermeasure testing, cyber-range training, or real-time alerting, others limit their scope to detection and risk evaluation. A notable strength in this sector is the reliance on testbeds and physical-virtual co-simulation (e.g., EPICTWIN, CPT labs), which enhances experimental realism compared to purely synthetic evaluations.
Table 4. DT-based cybersecurity studies in the energy sector.

| Tag | Work/Year | Sector | Use Case | Attack Types | Detection | Response | DT Role | Tech Stack |
|---|---|---|---|---|---|---|---|---|
| 9 | Ji et al. [42] (2024) | Smart Grid | DL-enhanced IDS | FDI, DoS | SVM, KNN, DL | Scenario simulation | Cyber–physical mirror | SCADA, Cyber range |
| 10 | Menezes et al. [43] (2024) | PV Plants | IMV framework for fault detection | N/A | ML anomaly evaluation | Real-time alert | 3D DT | SCADA, OPC-UA, Unity |
| 11 | Wang et al. [45] (2024) | Industrial automation | Safety deviation modeling | Data spoofing, logic manipulation | Mealy automaton | Risk tracking | Synced twin | MQTT, PLC |
| 12 | Kandasamy et al. [47] (2022) | Smart Grid, ICS | EPICTWIN testbed | MitM, spoofing | IDS, EpicSploit | Cyber training | Containerized DT | MQTT, IEC61850, Docker, Modbus |
| 13 | Sen et al. [48] (2022) | Smart Grid | CPT simulation lab | Coordinated attacks | N/A | Impact evaluation | Physical testbed twin | ICT, microgrid lab |

4.3. Other Domains

In [49], the authors introduce the Cyber-Twin framework, a DT-boosted autonomous attack detection system for Vehicular Ad-Hoc Networks (VANETs), addressing the growing cybersecurity risks in Vehicle-to-Infrastructure (V2I) communications. While traditionally not categorized as an industrial environment, the increasing reliance on VANETs for critical V2I communications positions them as an emerging form of CI, making this study relevant to our broader scope. VANETs are essential for intelligent transportation systems (ITS), but are vulnerable to threats, such as jamming, Distributed Denial-of-Service (DDoS), and unauthorized intrusions, which can compromise road safety and network reliability. The proposed Cyber-Twin framework integrates DTs and AI models to enhance real-time monitoring, threat detection, and attack mitigation in VANET environments. The system enables continuous network analysis and automated anomaly detection by creating a real-time digital replica of roadside units, resulting in the reduction of computational loads and the improvement of energy efficiency. Compared with traditional methods, the authors conclude that Cyber-Twin optimizes data transmission, reduces detection latency, and improves overall attack identification accuracy, making it a more sustainable and efficient approach for securing VANETs. Overall, the study demonstrates that integrating DTs with AI-driven cybersecurity mechanisms can enhance both security and resource management.
The authors in [50] propose a robust DT-based cyber modeling and simulation framework for assessing resilience and security in IoT-enabled CPS, particularly within Critical National Infrastructure (CNI). The authors integrate simulation standards with security descriptors to visualize and test multi-stage attack scenarios in a DT environment by using AI-enabled threat characterization. Their testbed, applied to the Port of Southampton, models adversarial behavior in two key attack scenarios: ransomware propagation and GNSS spoofing. The DT captures system vulnerabilities in real time, assessing system responses using well-defined security metrics such as MTTR, MTTD, and Mean Time Between Failures (MTBF), and supports predictive defense strategies by deploying a hybrid of physical and virtual IoT devices. Through their framework, the authors also highlight gaps in integrating cyber and simulation standards, emphasizing the need for AI-driven automation in identifying and mitigating threats across complex CPS landscapes.
The authors in [51] note that smart seaports are increasingly vulnerable to multiple cyber threats such as ransomware attacks, data breaches, and operational disruptions caused by malware, as they become more reliant on digitalization. To address these risks, the authors introduce a DT-assisted honeypot system called “TwinPot”, designed to attract, analyze, and counteract cyber threats targeting smart port operations. The TwinPot framework creates a high-fidelity virtual environment that mirrors real port infrastructure, allowing security analysts to study attacker behaviors and identify vulnerabilities without exposing actual systems to danger. The DT continuously monitors network activity, detecting suspicious patterns indicative of phishing attempts, unauthorized access, or malware injections. When a potential attack is identified, the system dynamically redirects attackers to the honeypot, an isolated decoy environment that mimics legitimate infrastructure, to deceive and contain them while collecting forensic data. This approach not only helps defend against cyber attacks in real-time but also provides valuable intelligence on attacker techniques, tactics, and procedures.
The authors in [52] offer a comprehensive exploration of DT frameworks within the context of smart manufacturing, proposing a novel integrated product-process DT architecture aimed at enhancing flexibility, real-time responsiveness, and cyber–physical integration. Although the primary focus is manufacturing optimization, the framework’s emphasis on real-time data acquisition, virtual-physical system synchronization, and predictive analytics has significant implications for incident detection and response. The integration of operational and environmental data, along with the use of AI-driven intelligent layers, supports dynamic monitoring and control, enabling early detection of process anomalies and system failures. Case studies, including a Festo smart factory and a pharmaceutical crystallization system, demonstrate how the proposed DT framework enables proactive decision-making and bottleneck identification through simulations and real-time data analysis. These capabilities highlight the framework’s potential as a foundational component for incident response strategies in ICS and other industrial environments.
The authors in [53] propose a comprehensive Industry 4.0 implementation framework tailored for the composite manufacturing sector, with strong implications for DT adoption in industrial environments. While the primary focus is on overcoming tacit knowledge, lack of standardization, and automation resistance in SMEs, the proposed systems-engineering-based framework emphasizes vertically and horizontally integrated cyber–physical systems—key to realizing responsive DT architectures. Technologies such as IIoT, process simulation, advanced data analytics, and automation are highlighted as enablers for smart manufacturing, predictive quality control, and adaptive response. Though not explicitly built for incident detection, the framework’s integration of DTs, sensor-driven feedback loops, and simulation-enabled process validation enables early anomaly detection and mitigation, foundational to resilient incident response strategies in high-stakes industrial settings. The structured layering of digital infrastructure, knowledge capture, and operational integration makes this framework highly adaptable for building secure, responsive DTs across manufacturing environments.
The authors in [54] propose a framework for implementing Secure Embedded Intelligence (SEI) and Integrated State Awareness (ISA) in Smart Nuclear Systems (SNS). They incorporate DT principles for resilient, autonomous monitoring and control. Although the primary domain is nuclear energy, the concepts translate broadly across industrial environments within CI. The proposed architecture leverages DTs as distributed digital replicas of physical System Structures and Components (SSCs), enabling predictive maintenance, adaptive security, and mission-driven risk assessment. Key features include hybrid modeling (combining physics-based and data-driven methods), multi-agent intelligent control systems, and integrated digital-physical threat detection through a hybrid Intrusion Detection and Protection System (IDPS). The paper also introduces a SEI-by-design approach that proactively embeds cybersecurity, real-time diagnostics, and explainable AI into system architecture. With applications to microreactors and sensor-rich environments, this framework offers a comprehensive foundation for DT-driven incident detection, mitigation, and operational resilience in industrial-scale CPS.
Table 5 showcases highly tailored DT applications that reflect sector-specific priorities. In VANETs and ports, DTs act as cyber-twins or honeypot environments to enhance anomaly detection, deception, and automated response against attacks such as DDoS, phishing, and ransomware. In manufacturing, contributions focus on synchronization of product-process twins and adaptive DT adoption in SMEs, primarily targeting operational optimization while still enabling proactive response. The nuclear sector demonstrates the integration of DTs with hybrid IDS and self-monitoring mechanisms, reflecting the heightened security requirements of CI. Overall, while these studies highlight innovative and context-driven DT designs, they remain fragmented, with limited standardization across detection and response strategies. This underlines the need for a unifying architectural approach, as proposed in our framework.
Table 5. DT-based cybersecurity studies in specialized domains.

| Tag | Work/Year | Sector | Use Case | Attack Types | Detection | Response | DT Role | Tech Stack |
|---|---|---|---|---|---|---|---|---|
| 14 | Yigit et al. [49] (2024) | VANETs | Cyber-Twin for V2I security | Jamming, DDoS | AI-based detection | Automated mitigation | Digital replica of roadside units | AI, DTs |
| 15 | Epiphaniou et al. [50] (2023) | Ports (CNI) | Threat M&S via DT | Ransomware, GNSS spoofing | AI modeling | Scenario simulation | Hybrid IoT twin | IoT devices, AI models |
| 16 | Yigit et al. [51] (2023) | Smart Ports | TwinPot honeypot system | Phishing, malware | Network monitoring, anomaly detection | Deception & forensics | Honeypot twin | Virtual infrastructure |
| 17 | Onaji et al. [52] (2022) | Smart manufacturing | Product-process sync | N/A | Anomaly detection, predictive analytics | Proactive response | Continuous DT sync | Festo smart factory |
| 18 | Stojkovic et al. [53] (2022) | Manufacturing | DT adoption in SMEs | N/A | Sensor feedback, anomaly detection | Adaptive response | Responsive DTs | IIoT |
| 19 | Garcia et al. [54] (2020) | Nuclear energy infrastructure | SEI via DT | Attacks against CPS | Hybrid IDS | Self-monitoring | Distributed replicas of SSCs | XAI, multi-agent systems |

4.4. Summary

This subsection synthesizes 19 key studies on the use of DTs for industrial cybersecurity, particularly focusing on DT frameworks for incident detection and response. The comparison is organized around seven core criteria, covering aspects such as application sectors, threat models, detection and response strategies, DT functions, and enabling technologies. The reviewed works span a variety of industrial domains and demonstrate diverse interpretations of how DTs can contribute to incident detection and response. Within the final set of 19 studies, we explicitly separate conceptual proposals, simulation-driven validations, and the smaller subset reporting empirical testbeds or industrial pilots. Conceptual and survey contributions were used to identify architectural roles, incident stages, and DT threat surfaces, while works using simulation or ICS testbeds more strongly influenced containment sequencing and operational requirement derivation. Some studies focus on system monitoring and anomaly detection, while others explore automated mitigation or simulation-based decision support. The role of the DT varies accordingly, functioning either as a passive mirror, a predictive model, or an active coordinator of security responses. Although the approaches differ, this body of work reflects a growing interest in embedding DTs into cybersecurity workflows and provides a useful reference point for identifying design patterns, implementation gaps, and research opportunities. Figure 3 presents the temporal evolution of the 19 studies included in the SLR corpus, categorized by lifecycle focus. The majority of contributions, particularly after 2022, adopt integrated detection and response approaches. Only one study focuses exclusively on detection mechanisms [36], while two emphasize response-related strategies without implementing explicit detection logic [34,48]. 
This distribution indicates a clear trend toward holistic incident lifecycle architectures, reinforcing the need for structured and standards-aligned DT frameworks that formalize coordinated detection and response processes.
Real-world CS-DT deployments rarely follow a single unified mandatory standard, but several implementation patterns are widely adopted in industrial practice. Specifically, Eclipse Ditto, AWS IoT TwinMaker, Microsoft Azure DTs, and Unity-based SCADA or OPC-UA–integrated co-simulation testbeds are commonly used to virtualize field assets and maintain live state synchronization through message buses such as MQTT, AMQP, or OPC-UA. Industrial security teams frequently embed anomaly detection within twin analytics services and validate containment or rollback playbooks in isolated co-simulation replicas or cyber-range–style environments before acting on control assets. These middleware twin platforms are typically combined with IEC 62443 Security Zones for segmentation and NIST SP 800-207 Zero-Trust principles [55] for secure twin interfaces, while orchestration and rule feedback loops are implemented using SOAR or SIEM pipelines for alerting, containment, and forensic evidence capture. In practice, replica-based IoT/ICS twin platforms, telemetry message buses, access-controlled APIs, and isolated playbook validation form the most scalable and widely exercised implementation approach for industrial CS-DTs.
Despite the broad coverage achieved across sectors and technical dimensions, several critical limitations emerge. Specifically, the inconsistency in reporting fundamental attributes, such as attack types, detection logic, or response mechanisms, reveals a lack of methodological standardization. Notably, several studies omit either the threat model or incident response logic entirely, undermining the completeness of the DT-enabled security lifecycle. Furthermore, most contributions validate their frameworks through simulations or controlled environments rather than full-scale industrial deployments, reflecting both the practical challenges and ethical constraints of experimenting in live critical systems. The absence of interoperability standards and limited reporting of performance metrics beyond accuracy highlight additional gaps in current research [56]. Figure 4 visualizes these disparities by presenting, for each industrial sector grouping, the number of studies within the 19-study SLR corpus that explicitly address attack coverage, detection techniques, and response mechanisms. The numerical values represent the frequency with which each lifecycle dimension is investigated across the included works. A dimension was considered addressed when a study provided architectural design, algorithmic implementation, simulation validation, or a structured technical discussion of that capability. Since several studies span multiple sectors or lifecycle components, individual works may contribute to more than one category. Domains such as ICS and IIoT exhibit relatively balanced attention across all three dimensions, whereas sectors like specialized production and nuclear energy infrastructure show limited or uneven coverage. This imbalance highlights the heterogeneous maturity of DT-enabled cybersecurity research across industrial contexts.
Overall, the previously detailed insights, gained from analyzing the identified limitations, directly motivate the four dedicated FEs—Data Ingestion & Synchronization, Anomaly Detection, Incident Response, and Adaptive Learning—that are embedded into our proposed ISO 23247-aligned framework, as detailed in Section 6. Specifically:
  • The frequent omission of clear data models and synchronization pipelines highlights the need for a standardized Data Ingestion & Synchronization element. That is, in industrial environments, data comes from diverse sources with different protocols (e.g., MQTT, Modbus), and without a standardized ingestion and synchronization layer, a cohesive, real-time representation is impossible to maintain.
  • The uneven coverage of threat detection mechanisms across sectors points to the importance of a robust Anomaly Detection component that integrates both signature-based and AI-driven techniques.
  • The lack of explicit incident response logic in many works underscores the necessity of a Response element that can automate containment and rollback, while remaining verifiable.
  • The reliance on static models and the absence of continuous evaluation demonstrate the value of an Adaptive Learning element, enabling CS-DTs to evolve with emerging threats and operational conditions. Namely, industrial environments are dynamic, with changes in operational conditions, hardware, and threats. An Adaptive Learning component, which continuously evaluates data and updates the DT’s models, is essential, allowing the system to learn from new data, refine its threat detection capabilities, and remain effective against evolving cyber threats and changing operational conditions.
Together, these elements address the key gaps observed in the literature and form the foundation for the proposed framework presented in Section 6.

5. Requirements Engineering

In this section, we apply a structured Requirements Engineering (RE) perspective to identify the system-level requirements that a DT-based cybersecurity framework must fulfill to be both technically robust and operationally relevant within industrial environments. Following the principles of ISO/IEC/IEEE 29148:2018 [57], requirements are derived through a systematic analysis of the works discussed in Section 4 and are characterized according to the qualities of good requirements: Necessary, Verifiable, Unambiguous, Feasible, and Consistent.
ISO/IEC/IEEE 29148 defines nine characteristics of well-formed requirements. In this study, we focus on these five core attributes because they directly influence the technical enforceability, evaluability, and internal coherence of DT-based cybersecurity architectures. The remaining characteristics, such as traceable, modifiable, prioritized, and complete, are addressed implicitly through structured requirement mapping and documentation but are not independently analyzed, as they pertain primarily to requirements management processes rather than architectural design logic.
It should be noted that the application of ISO 29148 in this work is not fully fledged. Rather than executing the entire requirements engineering process prescribed by the standard, we applied its core principles as an analytical lens to structure and assess requirements derived from the literature. As such, the use of ISO 29148 here provides methodological rigor in evaluating requirement quality. This approach ensures that the requirements not only reflect empirical findings from the literature but are also framed within a standardized RE process. Moreover, RE provides the methodological foundation for translating stakeholder needs into precise and actionable system specifications. Within the DT context, this ensures that the digital representation of assets and processes directly supports incident detection, simulation, and response while remaining aligned with operational and regulatory constraints. Requirements are categorized to promote systematic coverage and traceability across technical and contextual dimensions.
Stakeholder groups in industrial environments include operators, SOC analysts, OT engineers, and decision-makers. These roles were identified based on recurring functional responsibilities observed in the reviewed literature and are consistent with the role separation principles reflected in the NIST CSF, which distinguishes between operational execution, monitoring and detection, response coordination, and governance functions. The selected stakeholders directly interact with DT data flows and hold operational responsibility for detection, response, and system adjustments. In contrast, higher-level managerial roles primarily influence governance and policy but do not directly shape the technical system requirements addressed in this framework. The needs of the selected stakeholders therefore map directly into system-level requirements, forming the basis of the four requirement categories defined below:
  • Functional requirements (FR): These typically refer to the core DT capabilities that enable real-time detection, autonomous response, simulation, and integration with legacy environments.
  • Non-functional requirements (NFR): These are a set of operational qualities such as scalability, latency, accuracy, reliability, maintainability, and usability, which ensure deployment viability. These requirements describe how the system must perform its functions under certain constraints, rather than specifying what the system does. They are critical for ensuring the framework is effective in real-world industrial environments where factors like speed, stability, and ease of use are paramount.
  • Security-specific requirements (SR): These encompass the capabilities necessary to protect the system and the industrial environment it monitors, aligning with the foundational principles of confidentiality, integrity, and availability (CIA). While security is often categorized as a non-functional requirement in general software engineering, this study treats it as a distinct category due to the safety-critical and operational nature of industrial cyber–physical systems. In DT-enabled architectures, security mechanisms such as broad-spectrum threat detection, containment orchestration, forensic data capture, and secure communications directly influence system behavior and control logic, extending beyond traditional quality attributes.
  • Domain-specific requirements (DR): A customization to heterogeneous industrial sectors, including modeling fidelity and compatibility with simulators or testbeds.
This mapping preserves a direct line of traceability from stakeholder needs to framework requirements. Further, based on the analysis of relevant work done in Section 4, each of these four system-level requirements can be divided into relevant sub-requirements as shown in Table 6. For instance, FR1 specifies the need for real-time anomaly detection using AI/ML techniques, NFR1 emphasizes ultra-low latency to ensure responsiveness during fast-spreading attacks, SR2 requires forensic data capture to support post-incident analysis, and DR3 highlights configurable fidelity levels to balance accuracy and performance across different industrial domains. Specifically, to meet the stringent low-latency (NFR1) and scalability (NFR2) demands of industrial environments, the framework should be designed to support distributed processing at the network edge. That is, by performing analytics closer to the data source, one can minimize data transmission times and reduce the computational load on central systems, enabling faster detection and response.
Moreover, to ensure robustness, each identified sub-requirement is structured to align with the five ISO/IEC/IEEE 29148 characteristics introduced above: necessary, verifiable, unambiguous, feasible, and consistent. These were selected because they directly determine the technical robustness and operational enforceability of DT-based cybersecurity requirements. The remaining characteristics, namely complete, traceable, modifiable, and prioritized, are not disregarded; rather, they are either addressed implicitly or fall outside the immediate scope of this study. Specifically, completeness is achieved by ensuring that all four requirement categories are fully represented in Table 6, while traceability is maintained by linking each requirement to its literature source in the table and to its implementation within the FEs in Figure 5. Modifiability and prioritization, on the other hand, pertain more to requirements management processes than to the design of the framework itself. Concentrating on the five selected characteristics therefore balances methodological rigor with clarity and relevance to the technical objectives of this work. Below, the five characteristics are outlined as guiding criteria for assessing the quality and applicability of the identified requirements.
  • Necessary: Each requirement addresses a distinct stakeholder or system-level objective. For instance, FR1 (real-time anomaly detection) is necessary for operators to detect and respond to cyber attacks before they propagate through industrial networks. Omitting FR1 would directly undermine the stakeholder goal of timely incident detection and leave the system exposed to cascading failures.
  • Verifiable: Requirements can be validated through testing, simulation, or monitoring. SR2 (forensic data capture) is verifiable because the presence and integrity of stored packet traces and control-state logs can be directly measured and audited. Verification can be performed by checking log completeness, integrity, and compliance with forensic standards.
  • Unambiguous: Requirements are expressed in measurable and precise terms. NFR3 (low detection false positive rate, e.g., <2%) is unambiguous because it specifies a quantifiable performance metric, unlike vague statements such as “the DT should be accurate”. This allows performance to be validated against a clear threshold, avoiding interpretation gaps.
  • Feasible: Requirements must be technically achievable within industrial resource constraints. FR4 (interoperability with legacy systems) demonstrates feasibility since it leverages existing communication standards and interfaces, avoiding unrealistic system overhauls. This ensures that the requirement can be satisfied in practice without prohibitive cost or redesign.
  • Consistent: Requirements must not conflict with each other. For example, DR3 (configurable fidelity levels) ensures consistency by allowing designers to balance the need for simulation accuracy with NFR1 (low latency), preventing contradictions between precision and performance. This illustrates how consistency is preserved across requirement categories rather than compromised.
Figure 5. Linkage between RE and FEs.
The classification into FR, NFR, SR, and DR further provides a structured foundation for quality assurance, as each requirement can be validated against representative use cases in CIs. In power grids, the ability to satisfy FR1 (real-time anomaly detection) and SR1 (broad-spectrum threat detection) is essential for identifying malicious SCADA commands. Together with FR3 (simulation capabilities), these requirements enable modeling of cascading blackout scenarios and validation of proactive response. By contrast, oil and gas pipelines emphasize rapid containment: FR2 (autonomous incident response) addresses spoofed flow control signals, while SR3 (isolated response testing) enables safe evaluation of containment strategies in sandboxed DT replicas.
In water treatment plants, SR2 (forensic data capture) guarantees that unauthorized dosing commands are logged in sufficient detail to support post-incident analysis, while NFR1 (low-latency response) ensures that mitigation occurs quickly enough to prevent chemical contamination or safety violations. Finally, in smart manufacturing, DR2 (testbed and simulator compatibility) enables validation in environments such as Factory I/O or MiniCPS, ensuring that simulated responses reflect operational behavior. DR3 (configurable fidelity) also allows system designers to balance high simulation accuracy with NFR2 (scalability), preserving detection capabilities for attacks such as robotic arm hijacking without undermining production efficiency.
These scenario-driven validations demonstrate that the requirements are not abstract design ideals but operationally enforceable constraints. Each requirement directly supports incident detection and response in its respective domain, and their interplay across FR, NFR, SR, and DR establishes the set as both technically complete and contextually validated across heterogeneous CI environments.
Table 6 presents a consolidated overview of the identified requirements, organized according to the four defined categories. Each entry includes a brief description, a reference to the source from which it was derived or inspired, and a mapping to existing industrial standards. This set of requirements forms the baseline for developing our proposed framework in Section 6, ensuring it is both context-aware and technically grounded. While some requirements may appear conflicting in practice, for example, achieving real-time anomaly detection (FR1) within highly constrained legacy systems (FR4), or balancing low latency (NFR1) against low false positives (NFR3), this tension is not a limitation in our study. Since the RE process here is applied as a guide for enhancing the ISO 23247-2 [58] framework rather than a strict engineering specification, these potential collisions serve more as design trade-offs to be acknowledged than obstacles. Their role is to shape the direction of the proposed framework and not to prescribe fully resolved implementations.
Table 6. Consolidated requirements for DT-based cybersecurity frameworks.
ID | Name | Requirement | Derived From | Standard Alignment
--- | --- | --- | --- | ---
FR1 | Real-time anomaly detection | The framework shall enable real-time anomaly detection using AI/ML techniques to identify cyber attacks and operational anomalies. | [35,42] | IEC 62443-3-3 [59], NIST 800-82 [60]
FR2 | Autonomous incident response | The framework shall support autonomous incident response via predefined playbooks or adaptive policies. | [35,38] | IEC 62443-3-3, NIST 800-61 [61]
FR3 | Predictive simulation | The framework shall replicate both physical and cyber behaviors to enable predictive simulation and proactive threat testing. | [41,45] | NIST 800-30 [62], MITRE ATT&CK
FR4 | Legacy interoperability | The framework shall interoperate with industrial standards and legacy systems. | [39,43] | ISO 23247
NFR1 | Low latency | The framework shall offer low-latency responses (e.g., <500 ms) suitable for CI applications. | [34,49] | IEC 62443-3-3, NIST 800-82
NFR2 | Scalability | The architecture must scale to thousands of devices and support distributed DTs in edge or fog environments. | [35,40] | ISO 23247, NIST 800-207 [63]
NFR3 | Low false positives | The framework should maintain a low detection false positive rate, e.g., <2%. | [35] | NIST 800-82
SR1 | Broad-spectrum detection | The DT framework shall detect and respond to a representative range of cyber attacks relevant to industrial environments. | [39,41,45] | IEC 62443-3-3, MITRE ATT&CK
SR2 | Forensic data capture | The framework shall capture forensic data to support post-incident analysis. | [50,51] | NIST 800-61, IEC 62351-14 [64]
SR3 | Isolated response testing | The framework shall offer isolated test environments for safely validating response strategies. | [50,54] | IEC 62443
SR4 | Secure communications | The system shall employ secure communication protocols and enforce robust access control mechanisms, like role-based or attribute-based, for DT interfaces. | [65] | IEC 62443-3-3, NIST 800-207
DR1 | Domain-specific modeling | The framework shall support DT modeling for domain-specific CPS. | [43,50] | ISO 27005 [66], IEC 62443
DR2 | Testbed compatibility | The DT framework shall interface with physical testbeds and/or simulators. | [41,45] | IEC 62443 testbeds
DR3 | Configurable fidelity | The framework shall provide configurable fidelity levels in DT modeling to match varying operational needs. | [67] | ISO 27005, IEC 62443
Figure 5 depicts a traceability scheme that connects the outcomes of the RE analysis with the four proposed FEs of the cybersecurity DT framework, which were motivated in Section 4 and are detailed in Section 6. The lower layer groups the identified requirements by category ID, while the upper layer lists the four proposed FEs. The links between them show how each requirement is concretely operationalized within the framework design. For instance, FR1 and SR1 are realized through the Anomaly Detection FE, while FR2 and SR3 map to the Incident Response FE. Similarly, NFR1 and SR2 are addressed by the Data Ingestion & Synchronization FE, which provides secure, efficient data pipelines for telemetry and log collection. Adaptive Learning is motivated by requirements such as FR3, NFR2, and DR3, ensuring that the DT evolves dynamically with operational changes and emerging threats. In addition, SR4 illustrates the role of cross-cutting requirements, as it maps simultaneously to Data Ingestion & Synchronization and Incident Response, reflecting the dual need for secure pipelines and controlled response execution. Overall, the figure demonstrates how all 14 identified requirements are systematically translated into framework features, offering a transparent and verifiable link between stakeholder needs, RE outcomes, and the technical architecture of the proposed DT-based security framework.

6. Towards a Standardized Framework: An ISO 23247-Based Approach

Building on the architectural insights and requirements outlined in Section 4 and Section 5, this section introduces a comprehensive DT framework for industrial cybersecurity, explicitly aligned with the reference architecture defined in the ISO 23247 series, specifically ISO 23247-2 [68]. Recall that ISO 23247 defines a reference architecture composed of four core entities: the Observable Manufacturing Element (OME), representing the physical assets; the Data Collection and Device Control Entity (DCDCE), responsible for data collection and control; the Core Entity (CE), which hosts the core digital model; and the User Entity (UE), which includes the applications and human users. ISO 23247 provides a modular, bidirectional DT architecture, originally conceived for manufacturing systems and increasingly referenced in OT cybersecurity research. The standard separates observation, control, modeling, and user interaction into independent entities, allowing analytics and simulation to run in the CE while field data ingestion and control connectors run in the DCDCE, preserving real-time determinism on production assets. Typical compliant implementations rely on timestamped state synchronization, event logging, and secure message-bus integration, and are frequently validated in isolated CPS/ICS testbeds or co-simulation replicas before operational deployment. The architecture’s separation of concerns and configurable fidelity levels make it suitable for integrating anomaly detection, safe incident-response validation, and adaptive learning without modifying the underlying control logic.
Specifically, the design is grounded in the above-mentioned ISO 23247’s four entities; this ensures consistency with established DT principles while extending the architecture with cybersecurity-centric capabilities. The following subsections detail a step-by-step analysis of each FE, formally mapping them to the corresponding ISO 23247 entities and sub-entities, thereby forming the final framework (as overviewed in Section 6.6).
To aid the reader, Table 7 consolidates the mapping between the proposed FEs, their supporting requirements, and the ISO 23247-2 entities and sub-entities in which they are realized. Each suggested FE operationalizes a distinct subset of functional, non-functional, security-specific, or domain-specific requirements identified in Section 5, ensuring systematic coverage across the requirement space. Moreover, the proposed FEs are anchored within specific ISO 23247-2 entities and sub-entities (which include ISO 23247-specified FEs), ensuring architectural alignment and modular integration. Specifically, as detailed in the following subsections, the data ingestion & synchronization and incident response FEs reside within the DCDCE, while the anomaly detection and adaptive learning FEs are implemented within the CE, leveraging its Application & Service sub-entity for analytics, model execution, and decision-making.
It is to be noted that the remaining two ISO 23247-2 entities, namely OME and UE, are not included in Table 7, because no new cybersecurity-specific FEs are introduced within them. The OME represents the physical industrial assets themselves; it is observed and controlled, but is not extended with additional digital functionalities. Similarly, the UE provides operator interfaces and application endpoints for interacting with the DT, but the proposed framework leverages existing visualization and management FEs rather than defining new ones within this entity. Nevertheless, the OME and UE roles remain essential as sources of data (OME) and sinks for decision support (UE); the proposed extension FEs are simply concentrated in the DCDCE and CE, where security-relevant processing and control occur.
Table 7. Mapping of FEs to requirements and to the ISO 23247-2 framework core entities.
Proposed FE | Requirement ID | Entity | Sub-Entity
--- | --- | --- | ---
Data Ingestion & Synchronization | FR4, NFR1, SR2, SR4, DR2 | DCDCE | Data Collection
Anomaly Detection | FR1, NFR3, SR1, DR1 | CE | Application & Service
Incident Response | FR2, SR3, SR4 | DCDCE | Device Control
Adaptive Learning | FR3, NFR2, DR3 | CE | Application & Service

6.1. Data Ingestion & Synchronization

This proposed FE serves as the framework’s foundation. It represents a robust data ingestion pipeline that interfaces with physical industrial assets, such as sensors, actuators, and controllers, to continuously synchronize the DT with the real system’s state. In ISO 23247 terms, this functionality is realized within the DCDCE. The DCDCE’s data collection sub-entity is responsible for gathering all observable manufacturing data and forwarding it into the digital realm. Concretely, a foreseeable implementation would employ connectors such as IIoT gateways or message brokers, and logging agents like Filebeat [69] and Logstash [70], to stream sensor measurements, actuator states, control logs, and network telemetry into the twin environment.
Incoming data first flows through two key processing components defined in ISO 23247’s DCDCE: the data collecting FE, which directly acquires raw signals from sensors and field devices; and the data preprocessing FE, which filters, formats, and normalizes the data before passing it on for analysis. These components ensure that only clean, structured data enters the twin, enabling accurate and timely synchronization with the physical system [71]. Once integrated into the twin environment, this preprocessed data enables the synchronization FE within the CE to continuously align the DT’s internal state with the real-world system.
Synchronization is a background function, rather than a discrete processing step, which ensures that the DT reflects the most current and accurate representation of the physical process [72]. In the proposed framework, each data update from the DCDCE is timestamped and applied to the virtual model to guarantee temporal consistency between the twin and its physical counterpart. High-fidelity synchronization enables the twin to capture even transient states of the process. For example, a middleware proxy can intercept field device signals and broadcast them to both the real controller and the virtual controller simultaneously, ensuring the twin “sees” the same inputs as the physical system [73,74]. This ISO-aligned data ingestion and synchronization pipeline (DCDCE ↦ CE) establishes the data foundation for all higher-level cybersecurity functions.
Figure 6 depicts the integration of the proposed data ingestion & synchronization FE, which enhances the ISO 23247’s DCDCE Sub-Entity by introducing timestamped, preprocessed data flow into the synchronization layer of the DT.
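The following example is added here to make the ingestion and synchronization path concrete; it is not code from the paper or from any ISO 23247 implementation. It normalizes two constructed inputs, an MQTT JSON payload and a Modbus/TCP read-holding-registers response, into one timestamped record type and applies them to a twin state that only ever moves forward in time. The topic layout, the JSON fields, the register scaling and the skew tolerance are assumptions of the example. One caveat the text above does not spell out: Modbus frames carry neither a timestamp nor any authentication, so the only trustworthy time reference is the gateway's receipt stamp, and a device-supplied MQTT timestamp that lies ahead of the gateway clock is itself a signal worth rejecting rather than trusting.

```python
"""Added example (not from the paper): protocol-agnostic ingestion into a timestamped twin
state, as the Data Ingestion & Synchronization FE above describes. Two constructed inputs,
an MQTT JSON payload and a Modbus/TCP read-holding-registers response, are normalised
into one record type and applied to the twin only when their timestamps move forward."""
import json
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    asset: str
    signal: str
    value: float
    ts: float        # seconds since epoch, assigned by the device or by the gateway
    origin: str      # where the timestamp came from (relevant for forensics)


def from_mqtt(topic: str, payload: bytes) -> Record:
    """Topic convention 'plant/<asset>/<signal>' and a JSON body with 'value' and 'ts'
    are assumptions of this example; here the device supplies its own timestamp."""
    _, asset, signal = topic.split("/")
    body = json.loads(payload)
    return Record(asset, signal, float(body["value"]), float(body["ts"]), "device")


def from_modbus(asset: str, signal: str, frame: bytes, scale: float, recv_ts: float) -> Record:
    """Parse a Modbus function-code 0x03 response (unit id, fc, byte count, registers).
    Modbus carries no timestamp and no authentication, so the gateway stamps the frame
    on receipt; that stamp, not a device clock, is what the twin synchronises on."""
    unit, fc, nbytes = struct.unpack(">BBB", frame[:3])
    if fc != 0x03 or nbytes != len(frame) - 3 or nbytes % 2:
        raise ValueError("malformed read-holding-registers response")
    (reg,) = struct.unpack(">H", frame[3:5])        # first register only, unsigned 16-bit
    return Record(asset, signal, reg * scale, recv_ts, "gateway")


class TwinSynchronizer:
    """Keeps the latest (value, ts) per (asset, signal) and enforces monotonic time."""

    def __init__(self, max_future_skew: float = 2.0):
        self.max_future_skew = max_future_skew
        self.state = {}        # (asset, signal) -> (value, ts)
        self.rejected = []     # (record, reason), kept for the forensic trail

    def apply(self, rec: Record, now: float) -> bool:
        key = (rec.asset, rec.signal)
        if rec.ts > now + self.max_future_skew:
            self.rejected.append((rec, "future_timestamp"))   # clock skew or forged ts
            return False
        current = self.state.get(key)
        if current is not None and rec.ts <= current[1]:
            self.rejected.append((rec, "stale"))               # out of order or replayed
            return False
        self.state[key] = (rec.value, rec.ts)
        return True

    def lag(self, asset: str, signal: str, now: float) -> float:
        """Age of the twin's copy of a signal; a growing lag means the twin is drifting."""
        return now - self.state[(asset, signal)][1]


def run_demo() -> TwinSynchronizer:
    """Constructed message sequence; t0 is an arbitrary epoch second."""
    t0 = 1_700_000_000.0
    sync = TwinSynchronizer()
    # Modbus frame: unit 1, fc 0x03, 2 data bytes, register 0x01F4 = 500 -> 50.0 at scale 0.1
    sync.apply(from_modbus("tank1", "level", bytes([0x01, 0x03, 0x02, 0x01, 0xF4]), 0.1, t0), now=t0 + 0.1)
    sync.apply(from_mqtt("plant/pump1/speed", b'{"value": 1450, "ts": 1700000000.5}'), now=t0 + 0.6)
    # Replayed or out-of-order MQTT message: older ts than what the twin already holds
    sync.apply(from_mqtt("plant/pump1/speed", b'{"value": 900, "ts": 1700000000.2}'), now=t0 + 0.7)
    # Device clock far ahead of the gateway: rejected rather than trusted
    sync.apply(from_mqtt("plant/pump1/speed", b'{"value": 0, "ts": 1700000100.0}'), now=t0 + 0.8)
    # A fresh Modbus poll (register 0x01FE = 510 -> 51.0) moves the level forward
    sync.apply(from_modbus("tank1", "level", bytes([0x01, 0x03, 0x02, 0x01, 0xFE]), 0.1, t0 + 1.0), now=t0 + 1.1)
    return sync


if __name__ == "__main__":
    s = run_demo()
    print("twin state:", s.state)
    print("rejected:", [(r.asset, r.signal, why) for r, why in s.rejected])
```

The rejected list is deliberately kept rather than dropped: a burst of "stale" rejections on one signal is exactly the pattern a replay of captured telemetry produces, and it should reach the anomaly detection FE and the forensic store (SR2) rather than being silently discarded at the gateway.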

6.2. Machine Learning-Based Anomaly Detection

At the core of the cybersecurity DT framework is an intelligent anomaly detection FE powered by data analytics and ML. This capability maps primarily to the ISO 23247 core entity’s analytical functions. Within the core entity, the Application and Service sub-entity provides the necessary computational features for analysis, simulation, and prediction. In particular, ISO 23247 defines an analytical service FE for analyzing collected data and a Simulation FE for testing scenarios via virtual representations. The proposed anomaly detection FE integrates both physics-based and data-driven approaches. The DT’s simulation models establish expected behavior baselines, while ML models learn normal patterns and detect deviations that may indicate cyber incidents or process faults. Formally, the detection logic evaluates the difference between the observed physical state and the twin’s predicted state in real time [75]. Let $x(t)$ be the vector of key measurements from the physical system at time $t$, and $\hat{x}(t)$ the twin’s simulated or predicted state. The framework computes a residual
$$r(t) = x(t) - \hat{x}(t),$$
which under normal operation remains near zero, within expected bounds. An anomaly score can thus be defined as the residual norm
$$S(t) = \lVert r(t) \rVert,$$
or as a statistical divergence such as the squared Mahalanobis distance [76]
$$D(t) = r(t)^{\top} \Sigma^{-1} r(t),$$
where $\Sigma$ is the covariance of the residual under normal operation. Accordingly, an alarm is raised if
$$S(t) > \tau,$$
where $\tau$ is a chosen threshold (or, equivalently, $D(t)$ is compared against its own threshold). This residual-based detection aligns with the ISO 23247 CE’s use of simulation for expected values and analytics for residual evaluation. In practice, a hybrid approach is used: the Simulation FE continuously generates expected sensor readings from the DT model, while the Analytical Service flags deviations beyond normal variance. The proposed framework supports multiple ML techniques to implement this anomaly detection FE, consistent with state-of-the-art ICS security practices. When little attack data is available, unsupervised or one-class models such as autoencoders or one-class SVMs can be employed, or one-shot learning approaches that learn a compact representation of legitimate behavior, such that any significant deviation indicates an anomaly [77].
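To show the residual scheme above end to end, the following example (added here, not taken from the paper) calibrates $\Sigma$ and the threshold $\tau$ on a window of normal operation and then scores new observations with the squared Mahalanobis statistic $D(t)$. The two-signal process (tank level and inflow), the twin's constant prediction and the sensor noise levels are constructed for the example; it is written in plain Python so it runs without NumPy. Choosing $\tau$ as a high quantile of the calibration scores is one way to pin the false-positive rate on normal data (NFR3) by construction rather than by guesswork.

```python
"""Added example (not from the paper): the residual-based scheme above, r(t) = x(t) - x_hat(t)
scored with the (squared) Mahalanobis statistic D(t) = r^T Sigma^-1 r, calibrated on a window
of normal operation. Pure Python so it runs without numpy; the two-signal process
(tank level, inflow) and its noise levels are constructed for the example."""
import random


def residual(x, x_hat):
    """r(t) = x(t) - x_hat(t): observed minus twin-predicted state."""
    return [a - b for a, b in zip(x, x_hat)]


def mean(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]


def covariance(rows):
    """Unbiased sample covariance Sigma of the residual vectors."""
    mu, d, n = mean(rows), len(rows[0]), len(rows)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        for i in range(d):
            for j in range(d):
                cov[i][j] += (r[i] - mu[i]) * (r[j] - mu[j])
    return [[c / (n - 1) for c in row] for row in cov]


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (fine for a handful of signals)."""
    d = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: add more calibration data or regularise")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(d):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[d:] for row in a]


class ResidualDetector:
    """D(t) = (r - mu)^T Sigma^-1 (r - mu). mu is the calibration-window offset (about zero
    when the twin is unbiased); tau is a high quantile of the calibration scores, so the
    fraction of normal samples that would alarm is fixed by construction."""

    def __init__(self, calibration_residuals, quantile=0.99):
        self.mu = mean(calibration_residuals)
        self.sigma_inv = invert(covariance(calibration_residuals))
        scores = sorted(self.score(r) for r in calibration_residuals)
        self.tau = scores[int(quantile * (len(scores) - 1))]

    def score(self, r):
        c = [ri - mi for ri, mi in zip(r, self.mu)]
        d = len(c)
        return sum(c[i] * self.sigma_inv[i][j] * c[j] for i in range(d) for j in range(d))

    def is_anomalous(self, x, x_hat):
        return self.score(residual(x, x_hat)) > self.tau


def calibration_window(n=500, seed=7):
    """Constructed normal operation: the twin predicts [level, inflow]; sensors add noise."""
    rng = random.Random(seed)
    level, inflow = 10.0, 5.0
    rows = []
    for _ in range(n):
        x_hat = [level, inflow]
        x = [level + rng.gauss(0, 0.05), inflow + rng.gauss(0, 0.2)]
        rows.append(residual(x, x_hat))
    return rows


def build_demo_detector():
    return ResidualDetector(calibration_window())


if __name__ == "__main__":
    det = build_demo_detector()
    print("tau =", round(det.tau, 2))
    print("ordinary reading           ->", det.is_anomalous([10.03, 5.1], [10.0, 5.0]))
    print("spoofed level (11.5 vs 10) ->", det.is_anomalous([11.5, 5.0], [10.0, 5.0]))
```

Two practical notes. The inverse of $\Sigma$ is computed once at calibration, so each new sample costs a single $d \times d$ quadratic form, which is what keeps this detector within the per-sample budgets discussed below. And because $\tau$ is derived from the calibration window, that window must itself be clean: calibrating on data that already contains a compromised sensor bakes the attack into "normal".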
Efficient anomaly detection for industrial DTs increasingly relies on models that scale linearly or use sparse attention for long temporal windows. Approaches such as GNNs for cross-sensor correlation modeling, Temporal Convolutional Autoencoders (TCA) [78] for deterministic sequential inference, and lightweight transformer models such as PatchTST [79] or Informer [80] are now common for real-time anomaly detection. These models reduce infrastructure overhead compared to classical methods that store or compare every signal independently.
For capturing temporal patterns, time-series forecasting models like ARIMA [81] or LSTMs [82] predict sensor values and trigger alerts if actual readings lie outside forecasted confidence intervals. In scenarios where labeled attack data exists, supervised classifiers, say SVMs, Random Forests, and neural networks, are trained to recognize known attack signatures [83]. Prior studies have shown that an ensemble of diverse detectors can enhance accuracy, especially in ICS contexts [84]. Embedding these techniques within the CE’s analytical framework enables the DT to identify a broad spectrum of cyber threats and process anomalies in real time. Crucially, hosting the detection algorithms in the core entity avoids impacting real-time control performance. In terms of computational complexity, approaches such as K-nearest neighbours incur a query cost that grows linearly with the size of the stored reference bank, and therefore scale poorly to thousands of devices. Kernel SVM inference is efficient post-training, but the model cannot adapt online because retraining costs are quadratic to cubic in the number of samples. By contrast, TCN or LSTM autoencoders with compressed state, drift-aware statistical detectors, and sparse-neighbour GNNs have predictable, linear inference cost on sliding windows or sparse graphs, meeting industrial constraints. This design choice, consistent with ISO 23247’s separation of concerns, ensures that security monitoring is rigorous yet non-intrusive to operational processes.
Rather than prescribing a single algorithm, the framework is intentionally algorithm-agnostic: it specifies where detection logic runs and how it interacts with DT synchronization and response, while allowing practitioners to select techniques that match their threat model and data properties. In all cases, detection performance should be assessed using standard metrics such as detection accuracy, FPR, and MTTD, alongside operational indicators like detection latency and resource overhead in the CE. These metrics provide a basis for comparing alternative detectors implemented within the same architectural slot.
A practical consideration for DT anomaly detection is the computational cost of ML inference and training relative to industrial constraints. Once trained, classical models are usually lightweight at inference time; the exceptions are methods that rely on similarity search over large reference banks, which must compare each new observation against every stored sample and become expensive when thousands of devices are scanned at the edge. Kernel-based SVMs offer very efficient inference after training, yet their training cost grows quadratically to cubically with sample size, depending on the kernel, making them unsuitable for continuous retraining in fast-changing production networks. By contrast, neural reconstruction models such as autoencoders or temporal convolutional networks exhibit inference cost linear in network depth and time-window length, enabling long detection horizons within deterministic compute budgets. Recent lightweight transformer architectures restrict attention to fixed or windowed temporal patches, avoiding quadratic time-step comparisons. Online statistical detectors, including CUSUM, EWMA, DDM/EDDM, ADWIN, and other sliding-window divergence tests, run in linear time on rolling buffers and require minimal memory.
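As an added illustration of the online statistical detectors just mentioned (this is example code, not from the paper), the block below runs a two-sided CUSUM over a scalar residual stream and compares it with the plain per-sample test $|r(t)| > \tau$. The stream is constructed: clean residual noise, then a small additive bias that a slowly falsified sensor might introduce. The bias is chosen to stay below $\tau$ on every individual sample, which is exactly the case where a per-sample threshold is blind and a cumulative test is not; the allowance $k$ and decision limit $h$ are the example's own choices.

```python
"""Added example (not from the paper): a two-sided CUSUM detector over the scalar residual
stream, the kind of constant-memory, linear-time online test referred to above. The stream
is constructed: clean residual noise, then a small positive bias that stays below the
per-sample threshold tau but accumulates into an alarm."""
import random


class Cusum:
    """Two-sided CUSUM: k is the allowance (about half the shift to detect), h the decision
    limit. Only two floats of state survive between samples, whatever the window length."""

    def __init__(self, k, h):
        self.k, self.h = k, h
        self.pos = self.neg = 0.0

    def update(self, r):
        self.pos = max(0.0, self.pos + r - self.k)   # accumulates positive drift
        self.neg = max(0.0, self.neg - r - self.k)   # accumulates negative drift
        if self.pos > self.h or self.neg > self.h:
            self.pos = self.neg = 0.0                 # reset after an alarm
            return True
        return False


def constructed_stream(n_normal=100, n_attack=100, bias=0.1, sigma=0.1, seed=3):
    """Residual r(t) under normal operation, then with a stealthy additive bias.
    sigma=0 yields a noise-free stream whose alarm indices can be worked out by hand."""
    rng = random.Random(seed)
    return ([rng.gauss(0.0, sigma) for _ in range(n_normal)]
            + [bias + rng.gauss(0.0, sigma) for _ in range(n_attack)])


def run_detectors(stream, tau=0.4, k=0.05, h=0.97):
    """Per-sample test |r| > tau versus CUSUM on the same stream.
    Returns the sample indices at which each detector raised an alarm."""
    cusum = Cusum(k, h)
    per_sample, cumulative = [], []
    for i, r in enumerate(stream):
        if abs(r) > tau:
            per_sample.append(i)
        if cusum.update(r):
            cumulative.append(i)
    return {"per_sample": per_sample, "cusum": cumulative}


if __name__ == "__main__":
    noisy = run_detectors(constructed_stream())
    print("bias starts at sample 100")
    print("per-sample alarms:", noisy["per_sample"])
    print("CUSUM alarms:     ", noisy["cusum"])
```

With the noise switched off, the arithmetic is transparent: the positive statistic gains $0.1 - 0.05 = 0.05$ per attacked sample, crosses $h = 0.97$ on the 20th such sample (index 119), resets, and fires again every 20 samples while the bias persists, whereas the per-sample test never fires because $0.1 < 0.4$. The price of the accumulation is detection delay, which is why $k$ and $h$ should be set against the latency budget in NFR1 rather than only against the false-alarm rate.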
Figure 7 illustrates the integration of the proposed anomaly detection FE within the CE of the ISO 23247 architecture, highlighting its interaction with synchronization FE and the Application & Service Sub-Entity. This visual emphasizes the modular placement of our detection logic without deviating from the standard framework structure.

6.3. Incident Response

Detection is only half of the cybersecurity loop. The framework should also include incident response mechanisms to swiftly mitigate or contain attacks once detected. In the ISO 23247 architecture, this functionality corresponds to the device control sub-entity of the DCDCE, which is responsible for transmitting commands and adjustment values back to the physical system. Within the DCDCE, we leverage this sub-entity to enact response measures on the industrial process. In the proposed framework, when an anomaly is confirmed as a security incident, the system can issue appropriate control actions via the DCDCE’s Controlling and Actuation FEs, effectively enabling the DT to intervene in the physical process. This typically involves commands to isolate a compromised device, adjust process set-points, or switch to a safe mode of operation, which is analogous to an automated ICS incident response.
Our approach is strengthened by the integration of the DT’s predictive capabilities into the response loop. Before executing any drastic action on the real system, the DT can simulate the response scenario using the CE’s Simulation FE. This allows “what-if” analysis of various countermeasures in the virtual model before deployment. For example, if a sensor is suspected to be spoofed, the twin can be used to virtually disable that sensor and observe the impact on the process, helping determine a safe mitigation strategy. Only after verifying the outcome within the DT environment does the framework issue commands to the actual process, such as ignoring a compromised sensor or shutting down a related actuator. This DT-driven response planning is a novel extension consistent with ISO 23247’s modular architecture, through the utilization of the CE’s computation power while relying on the DCDCE for execution.
The proposed incident response FE also interfaces with the ISO 23247 UE, which represents higher-level user applications and interfaces. Upon detecting an incident, the framework immediately raises alerts to human operators or security personnel through the UE’s visualization and Human-Machine Interface (HMI) components. The CE’s Operation & Management sub-entity also includes a Presentation FE that creates user interfaces for data visualization, which fulfills a similar role to the UE’s interface in the ISO model. Operators can view anomaly alerts and system status via dashboards, like Kibana [85], that highlight the twin–physical discrepancies. The integration with operator tools aligns with ISO’s notion of the UE using DT data for decision support. Additionally, the framework can follow predefined incident response playbooks, mapping detected attack types to specific response workflows. These playbooks can be informed by industry standards, such as actions aligned with ISA/IEC 62443 [17] guidelines for industrial incident response.
All response actions, whether automated or manual, are logged and fed back into both the physical system and its DT: the DCDCE relays control actions to the physical equipment, while the twin updates its state to reflect those interventions, maintaining post-incident alignment. Verifiability is enforced at two levels. First, every candidate response is exercised in the DT using the CE's Simulation FE before any actuation command is sent to the DCDCE, ensuring that process and safety constraints are not violated under the proposed mitigation. Second, each automated response workflow is encoded as an explicit playbook with preconditions, postconditions, and human-override checkpoints, aligned with industrial guidance such as ISA/IEC 62443 for incident response in safety-critical environments. All executed actions and their justifications are surfaced through the UE and CE Presentation FEs, providing an auditable trail for post-incident review; for that trail to serve as evidence, its records must be time-synchronized with the plant and protected against later modification. The closed-loop design is intended to keep the DT an accurate representation even as the system undergoes rapid changes during incident handling.
Figure 8 illustrates the incident response FE as a multi-entity mechanism that bridges the CE’s Synchronization FE, the DCDCE’s Device Control sub-entity, and the user interface FE. This figure highlights the framework’s modular response loop, which leverages DT foresight while ensuring safe interaction with the physical process.
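The simulate-before-actuate gate and the playbook structure described in this subsection can be made concrete in code. The following Python example is added here and is not part of the paper or of any ISO 23247 implementation: the one-tank process model, the safety envelope, the two playbooks, the incident type names and the tag names (LIT101, P1) are all constructed for illustration. A candidate action is rehearsed on a copy of the twin state (standing in for the CE's Simulation FE); only an action whose rehearsed trajectory satisfies the playbook's postcondition may proceed; playbooks flagged as requiring human acknowledgement park at the override checkpoint; and every decision is appended to a hash-chained log so that later modification of an entry is detectable during post-incident review (the audit trail discussed under forensic analysis in Section 6.5).

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

LEVEL_MIN, LEVEL_MAX = 0.2, 0.8  # assumed safety envelope for the tank level (m)
TANK_AREA = 2.0                  # assumed tank cross-section (m^2)


@dataclass
class TankState:
    level: float    # m
    inflow: float   # m^3/min delivered by pump P1 (constructed tag)
    outflow: float  # m^3/min downstream demand


def simulate(state, action, steps=30, dt=1.0):
    """Rehearse one candidate action on a copy of the twin; returns the level trajectory."""
    s = TankState(state.level, state.inflow, state.outflow)
    if action["type"] == "isolate_pump":
        s.inflow = 0.0            # cut the pump entirely
    elif action["type"] == "hold_level":
        s.inflow = s.outflow      # override the set-point so inflow matches demand
    # "mask_sensor" changes nothing physically: the twin's estimate replaces the reading
    levels = []
    for _ in range(steps):
        s.level += (s.inflow - s.outflow) / TANK_AREA * dt
        levels.append(s.level)
    return levels


def within_envelope(trajectory):
    return all(LEVEL_MIN <= lvl <= LEVEL_MAX for lvl in trajectory)


@dataclass
class Playbook:
    name: str
    triggers: set
    precondition: Callable            # checked against the live state before rehearsal
    actions: list                     # ordered candidates: the first safe one is chosen
    postcondition: Callable           # checked against the rehearsed trajectory
    requires_human_ack: bool = False  # human-override checkpoint


PLAYBOOKS = [
    Playbook("PB-01 spoofed level sensor", {"sensor_spoofing"}, lambda s: True,
             [{"type": "mask_sensor", "tag": "LIT101"}], within_envelope),
    Playbook("PB-02 manipulated pump command", {"plc_command_manipulation"},
             lambda s: s.inflow > 0.0,
             [{"type": "isolate_pump", "tag": "P1"}, {"type": "hold_level", "tag": "P1"}],
             within_envelope, requires_human_ack=True),
]


class AuditLog:
    """Append-only, hash-chained record of every decision for post-incident review."""
    def __init__(self):
        self.entries = []           # list of (digest, record)
        self._prev = "0" * 64

    def append(self, record):
        record = {**record, "prev": self._prev}
        digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.entries.append((digest, record))
        self._prev = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for digest, record in self.entries:
            recomputed = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
            if record.get("prev") != prev or recomputed != digest:
                return False
            prev = digest
        return True


def respond(incident, state, log, human_ack=False):
    """Select a playbook, rehearse its candidates in the twin, and gate actuation."""
    pb = next((p for p in PLAYBOOKS if incident["type"] in p.triggers), None)
    if pb is None or not pb.precondition(state):
        record = {"incident": incident["type"], "playbook": None, "action": None,
                  "rejected": [], "decision": "escalate_to_operator"}
        log.append(record)
        return record
    chosen, rejected = None, []
    for action in pb.actions:
        trajectory = simulate(state, action)
        if pb.postcondition(trajectory):
            chosen = action
            break
        rejected.append({"action": action, "min_level": round(min(trajectory), 3),
                         "max_level": round(max(trajectory), 3)})
    if chosen is None:
        decision = "rejected_unsafe"       # no candidate passed rehearsal
    elif pb.requires_human_ack and not human_ack:
        decision = "awaiting_ack"          # parked at the human-override checkpoint
    else:
        decision = "executed"              # the DCDCE Device Control sub-entity would act here
    record = {"incident": incident["type"], "playbook": pb.name, "action": chosen,
              "rejected": rejected, "decision": decision}
    log.append(record)
    return record
```

With the tank at 0.5 m, isolating the pump keeps the rehearsed trajectory inside the envelope and the action is offered for acknowledgement; with the tank already at 0.3 m the same action is rejected because the rehearsal drains the tank below the minimum, and the next candidate (hold the level) is chosen instead. The rejected candidate and the reason stay in the log entry, which is what a reviewer needs afterwards.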

6.4. Adaptive System Learning and Evolution

Industrial environments and threat landscapes are dynamic; hence, the proposed cybersecurity DT framework is designed for continuous learning and adaptation. While ISO 23247 does not explicitly define a self-learning mechanism, its flexible architecture allows us to incorporate this capability principally within the CE. The CE’s analytical features are extended with a feedback loop so that the DT improves itself over time using new data. In ISO terms, this aligns with the CE’s Application & Service sub-entity, particularly the Anomaly Detection FE, which we introduce to augment the standard, and the Analytical Service FE, working together to refine models and detection logic using historical information. It also relates to the CE’s Operation and Management sub-entity’s Maintenance FE, which is responsible for monitoring performance and conducting proactive improvements such as software updates.
One aspect of adaptation is model drift handling. Over time, the physical process or its usage may shift. The framework monitors for such gradual changes and adjusts the twin's parameters to maintain accuracy. For instance, if the average value of a sensor slowly increases under normal conditions, the twin's model can recalibrate its expected range accordingly, preventing false positives from benign drift. This periodic recalibration can be automated via adaptive filters or scheduled model re-identification, leveraging the CE's Maintenance FE to apply updates that keep the twin "tuned" to the real system's current state. Recalibration must, however, be slow relative to the process dynamics and bounded in magnitude: an adaptive baseline that follows any gradual change will also follow a stealthy attack that ramps a value within the tolerated band, so the cumulative adjustment should be capped and any excursion beyond the cap treated as an event requiring manual re-identification rather than silently absorbed.
Another aspect is ML model evolution. Each detected incident and each false alarm provides valuable data for improving the anomaly detection algorithms. The proposed framework continuously aggregates these cases in a historical database, and at regular intervals the anomaly detection models are retrained or fine-tuned on the expanded dataset of normal and attack examples. This typically involves incorporating newly observed attack patterns into supervised models, or expanding the normal-behavior profile of unsupervised models to reduce false alarms on new legitimate behavior. The labels used for retraining must be curated: they should come from confirmed incident outcomes rather than from the detector's own alerts, otherwise false alarms are learned as attacks and attacker-influenced samples can enter the normal profile. The CE's Anomaly Detection FE facilitates retraining by applying algorithms such as CNNs or RNNs that require substantial data and computational power. As new data streams in, the FE incrementally refines its pattern recognition, leading over time to better detection of novel threats and fewer spurious alerts as the DT "learns" from experience. Notably, without a standardized architecture, DT implementations can suffer interoperability issues [86].
The architecture’s modular design further aids adaptation. It allows new detection microservices or updated analytics modules to be integrated seamlessly as the threat landscape evolves. For example, if a more effective ICS intrusion detection algorithm emerges, it can be added to the DT’s analysis layer without overhauling the entire system. This extensibility is crucial for the long-term sustainability of the security framework. In summary, the adaptive learning FE, mapped to the CE’s anomaly detection and maintenance FEs, transforms the DT from a static representation into a living, improving system. Over time, the DT not only detects incidents but also learns from them, continuously tightening the security posture and keeping pace with emerging threats.
Figure 9 presents the adaptive learning FE situated within the CE, spanning the Application & Service, Operation & Management, and Resource Access sub-entities. This figure emphasizes how the DT’s learning capability transforms it from a passive monitor into an actively improving cyber–physical guardian.
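The adaptive recalibration described in this subsection, together with the bound a practitioner would place on it, can be illustrated with a small residual detector. The following Python example is added here and is not the paper's code: the tank physics, the disturbance function used in place of measurement noise (deterministic so the run is reproducible), the drift rate, the spoof magnitude and all thresholds are constructed assumptions. The twin predicts the level from the commanded flows; a two-sided CUSUM on the standardised residual flags abrupt changes; a small synchronisation gain absorbs slow benign drift; synchronisation is suspended while an alarm is being handled so the twin does not learn from suspect samples; and the cumulative correction is capped so that a slow ramp cannot be absorbed indefinitely.

```python
import math


class TwinResidualDetector:
    """Residual test between the twin's model prediction and the measured value.

    Benign slow drift is absorbed by a small synchronisation gain; abrupt changes
    trip a two-sided CUSUM; the total correction the twin may absorb is capped.
    """
    def __init__(self, level0, area=2.0, dt=1.0, sigma=0.005, gain=0.02,
                 k=0.5, h=10.0, max_recal=0.05, hold_steps=30):
        self.level = level0           # twin's estimate of the tank level (m)
        self.area, self.dt = area, dt
        self.sigma = sigma            # residual std observed at commissioning (assumed)
        self.gain = gain              # synchronisation gain, slow relative to the process
        self.k, self.h = k, h         # CUSUM slack and decision threshold (sigma units)
        self.max_recal = max_recal    # recalibration budget: cap on absorbed correction (m)
        self.hold_steps = hold_steps  # no synchronisation while an alarm is being handled
        self.bias = 0.0               # cumulative correction absorbed so far
        self.s_pos = self.s_neg = 0.0
        self.hold = 0

    def step(self, inflow, outflow, measured):
        # 1. model step from the commanded flows (what the twin predicts)
        self.level += (inflow - outflow) / self.area * self.dt
        residual = measured - self.level
        if self.hold > 0:                      # alarm hold-down: do not learn from suspect data
            self.hold -= 1
            return "ALERT", residual
        # 2. two-sided CUSUM on the standardised residual
        z = residual / self.sigma
        self.s_pos = max(0.0, self.s_pos + z - self.k)
        self.s_neg = max(0.0, self.s_neg - z - self.k)
        if self.s_pos > self.h or self.s_neg > self.h:
            self.s_pos = self.s_neg = 0.0
            self.hold = self.hold_steps
            return "ALERT", residual
        # 3. benign sample: pull the twin slowly towards the measurement, within budget
        corr = self.gain * residual
        if abs(self.bias + corr) > self.max_recal:
            return "RECAL_LIMIT", residual     # freeze; manual re-identification required
        self.level += corr
        self.bias += corr
        return "OK", residual


def disturbance(t, sigma):
    """Constructed, reproducible stand-in for measurement noise (|value| <= sigma)."""
    return sigma * math.sin(1.3 * t) * math.cos(0.37 * t)


def run_scenario(steps, drift_per_step, attack_at=None, attack_offset=0.015):
    """Drive a constructed tank and its twin in lock-step; summarise detector output."""
    sigma = 0.005
    det = TwinResidualDetector(level0=0.5, sigma=sigma)
    true_level = 0.5
    counts = {"OK": 0, "ALERT": 0, "RECAL_LIMIT": 0}
    first_alert = None
    for t in range(steps):
        inflow = 0.02 if (t // 50) % 2 == 0 else 0.0   # pump cycles on/off every 50 steps
        outflow = 0.01
        true_level += (inflow - outflow) / 2.0           # same physics as the twin
        spoof = attack_offset if attack_at is not None and t >= attack_at else 0.0
        measured = true_level + drift_per_step * t + disturbance(t, sigma) + spoof
        status, _ = det.step(inflow, outflow, measured)
        counts[status] += 1
        if status == "ALERT" and first_alert is None:
            first_alert = t
    return {"first_alert": first_alert, "counts": counts, "absorbed": det.bias}
```

Running `run_scenario(1000, 0.00004)` shows a slow 4 cm sensor drift absorbed without any alarm; adding a 1.5 cm (three-sigma) spoof at step 800 raises an alert within a few samples; extending the drift to 1500 steps exhausts the recalibration budget, after which the detector reports RECAL_LIMIT and, as the frozen twin falls behind, eventually alarms. That last behaviour is the point of the cap: an unexplained change beyond the budget is an event for an engineer to examine, not something for the twin to absorb silently.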

6.5. Security Capabilities

The proposed ISO 23247-aligned framework enables and supports concrete cybersecurity activities. Rather than restating architectural details, this subsection highlights operational functions (threat modeling, attack simulation, detection, response, adaptive learning, and forensics) and maps each to ISO entities and the framework's FEs. The goal is twofold: first, to show what security work becomes possible when detection, response, and learning are embedded in a synchronized DT, and second, to provide a clear reference for validation, tool integration, and future implementation efforts. The functions are summarized in Figure 10, which shows the mapping between them and the proposed FEs, and are elaborated below.
Although many DT systems operate as real-time mirrors for monitoring or simulators for optimization, security-engineered DT frameworks that sustain a traceable incident workflow and rehearse mitigations before plant actuation remain uncommon. This work contributes by clarifying how incident evidence informs DT engineering decisions and by detailing what security operations become possible when detection, containment, learning, and forensics are co-located within DT entities without altering the ISO 23247 baseline structure.
  • Threat modeling: The synchronized DT captures both cyber and physical states, making it possible to construct detailed adversary models that go beyond abstract attack trees. It allows for replicating specific techniques such as sensor spoofing or PLC command manipulation, and tracing their cascading effects across processes, control loops, and network dependencies. This is enabled primarily by the Data Ingestion & Synchronization FE, which provides the high-fidelity mirror required for modeling, and leverages the CE’s existing Simulation FE to trace propagation.
  • Attack simulation and testing: Cyber attacks can be injected directly into the DT without endangering live assets by using the CE’s simulation environment. Operators can replay known incidents, test novel attack vectors, and perform red-team penetration testing in a controlled setting. This aligns with the Anomaly Detection FE, which integrates with the CE’s Simulation FE to evaluate vulnerabilities and countermeasures.
  • Real-time monitoring and detection: Unlike SIEM-driven detection that relies mainly on log analysis, DT-enabled monitoring combines sensor readings, actuator states, and network telemetry into a live cyber–physical model. Residual analysis compares predicted values with actual observations, while ML classifiers identify more complex anomalies. This dual approach is realized through the Anomaly Detection FE, which operates in the CE’s Application & Service sub-entity and extends its analytical services.
  • Response planning: Incident response playbooks can be virtually tested in the DT as “what-if” scenarios before being executed in the real plant. For example, isolating a compromised pump can be simulated to check for cascading load effects. This function is mapped to the Incident Response FE.
  • Adaptive learning: Detection and response models improve over time by retraining on new data and feedback from past incidents. The framework adapts to gradual system changes while also incorporating new attack signatures, reducing false positives and blind spots. This is supported by the Adaptive Learning FE, which builds on the CE’s Application & Service sub-entity for model refinement and the Operation & Management Maintenance FE for continuous updates.
  • Forensic analysis: Every synchronization event, alert, and response is logged with timestamps, producing reliable records for root-cause analysis, compliance, and continuous improvement. This function is supported by the Data Ingestion & Synchronization FE, ensuring provenance of data, and the Incident Response FE, capturing operator and system actions, with existing CE Synchronization and UE Presentation FEs providing the audit trail and visualization.

6.6. Overview

Throughout the design of the cybersecurity-centric DT framework depicted in Figure 11, we have ensured a tight alignment with ISO 23247, a foundational standard for DT reference architectures in manufacturing. This deliberate approach, detailed across this section, serves a dual purpose: it guarantees consistency with established DT principles while simultaneously extending the framework’s capabilities to directly address modern industrial cybersecurity challenges. By formally mapping each of our four proposed FEs (Data Ingestion & Synchronization, Anomaly Detection, Incident Response, and Adaptive Learning) to specific ISO 23247 entities and their respective functionalities, we have created a robust, yet modular, architecture. This structure avoids the need to reinvent the core DT model, instead providing a clear and standardized method for enhancing it with essential security features.
The framework’s strength lies in its ability to operationalize the security requirements identified in Section 5. For instance, the Data Ingestion & Synchronization FE, realized within the DCDCE, addresses the need for secure, low-latency data flow (NFR1, SR2, SR4), which is often a point of failure in less-structured systems. Similarly, the Anomaly Detection FE, housed in the CE, fulfills the core functional requirements of real-time threat identification (FR1, SR1), leveraging ML models to achieve a low false positive rate (NFR3). This clear separation of concerns, consistent with the ISO 23247-2 standard, ensures that security analytics are non-intrusive to real-time physical control.
The Incident Response FE demonstrates the framework’s proactive nature by using the DT’s predictive capabilities to simulate and validate countermeasures before execution on the physical asset. This crucial step, which leverages the CE’s simulation capabilities and the DCDCE’s control functions, directly addresses the need for isolated response testing (SR3). Finally, the Adaptive Learning FE ensures the framework’s long-term viability by enabling continuous model refinement and adaptation to evolving threats, thereby addressing scalability (NFR2) and configurability (DR3). This continuous feedback loop transforms the DT from a static replica into an intelligent, self-improving guardian of the industrial environment.
In summary, the proposed framework embodies a convergence of best practices from both DT architecture and industrial cybersecurity. The formal alignment with ISO 23247 not only facilitates clarity and consistency in its design but also provides a clear pathway for practical adoption and implementation in real-world industrial settings. It offers a tangible model for achieving next-generation cybersecurity resilience and serves as a blueprint for safeguarding CI in an increasingly interconnected and threat-prone landscape.
To illustrate the practical potential of the proposed framework, we consider its application to widely used ICS testbeds such as SWaT [87] and WADI [88]. These datasets capture realistic water treatment and distribution processes under both normal and attack scenarios, making them suitable proxies for CI environments. Within this context, the Data Ingestion & Synchronization FE would align the DT with raw telemetry streams, while the Anomaly Detection FE would employ ML-based models to distinguish legitimate process variations from injected attacks. Moreover, the Incident Response FE could then be validated by simulating containment strategies such as isolating compromised pumps or reverting unauthorized set-point changes, first within the DT environment before issuing real-world control actions. Finally, the Adaptive Learning FE would leverage repeated exposure to diverse attack scenarios in these datasets to refine detection thresholds and response playbooks over time.
For anomaly detection on SWaT and WADI, the framework would employ a combination of unsupervised and supervised ML algorithms to balance generalization and accuracy. Unsupervised models such as autoencoders and one-class SVMs would learn normal operational patterns from clean segments of the datasets, flagging deviations without requiring extensive attack labels. In parallel, supervised classifiers like Random Forests, SVMs, or LSTMs could be trained on labeled attack scenarios to capture domain-specific threats more effectively. Detection performance would be evaluated using standard metrics such as precision, recall, F1-score, and ROC-AUC, alongside operationally critical measures including false positive rate (targeting <2%) and detection latency.
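The metrics listed above are easy to compute incorrectly on time-series data, in particular detection latency and the false positive rate, which are per-sample quantities with different denominators from precision and recall. The following Python example is added here and is not the paper's code nor an evaluation of SWaT or WADI: the labels and anomaly scores are constructed to mimic an evaluation run with one attack that the detector catches after a short delay, one subtle attack it misses, and a few benign transients scored as anomalous. It computes precision, recall, F1, ROC-AUC (rank-based, with no external library), the false positive rate, and per-attack detection latency measured from attack onset to the first alert inside the attack window.

```python
def confusion(labels, alerts):
    """Per-sample confusion counts for binary labels (1 = attack) and alert flags."""
    tp = sum(1 for y, a in zip(labels, alerts) if y and a)
    fp = sum(1 for y, a in zip(labels, alerts) if not y and a)
    fn = sum(1 for y, a in zip(labels, alerts) if y and not a)
    tn = len(labels) - tp - fp - fn
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def roc_auc(labels, scores):
    """Probability that a random attack sample outscores a random benign one (ties count 1/2)."""
    pos = [s for y, s in zip(labels, scores) if y]
    neg = [s for y, s in zip(labels, scores) if not y]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def attack_windows(labels):
    """Contiguous runs of label 1 as (start, end) half-open intervals."""
    windows, start = [], None
    for t, y in enumerate(list(labels) + [0]):
        if y and start is None:
            start = t
        elif not y and start is not None:
            windows.append((start, t))
            start = None
    return windows


def detection_latency(labels, alerts):
    """Steps from each attack's onset to its first alert; None when the attack is missed."""
    out = []
    for start, end in attack_windows(labels):
        hit = next((t for t in range(start, end) if alerts[t]), None)
        out.append(None if hit is None else hit - start)
    return out


def evaluate(labels, scores, threshold):
    """Threshold the scores and report the metrics named in the text."""
    alerts = [s >= threshold for s in scores]
    c = confusion(labels, alerts)
    precision = c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
    recall = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0   # benign denominator
    latencies = detection_latency(labels, alerts)
    detected = [lat for lat in latencies if lat is not None]
    return {**c, "precision": precision, "recall": recall, "f1": f1, "fpr": fpr,
            "roc_auc": roc_auc(labels, scores), "latencies": latencies,
            "mean_latency": sum(detected) / len(detected) if detected else None,
            "missed_attacks": latencies.count(None)}


def constructed_run(n=600):
    """Constructed labels and anomaly scores standing in for a labelled evaluation run."""
    labels = [1 if 200 <= t < 260 or 400 <= t < 430 else 0 for t in range(n)]
    scores = []
    for t in range(n):
        if 200 <= t < 260:
            s = min(0.95, 0.35 + 0.10 * (t - 200))   # residual builds up over the attack
        elif 400 <= t < 430:
            s = 0.30                                   # subtle attack: never clears threshold
        elif t in (50, 51, 300):
            s = 0.80                                   # benign transients scored as anomalous
        else:
            s = 0.10 + 0.05 * ((t * 7) % 5) / 4        # quiet baseline
        scores.append(s)
    return labels, scores
```

On this constructed run, at a threshold of 0.5 the first attack is detected two samples after onset, the second is missed entirely, and the three benign transients give a false positive rate of 3/510, well under the 2% target, even though recall is only 58/90. Reporting the per-attack latencies and the number of missed attacks alongside the per-sample metrics makes that distinction visible; a high per-sample recall can hide a missed short attack.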
While this use case remains theoretical, it demonstrates how the framework could be instantiated and experimentally validated in controlled settings, providing a foundation for future empirical research and real-world deployments.

7. Conclusions

This study systematically investigated how DTs can be engineered to strengthen cybersecurity incident detection and response in industrial environments. A systematic review of 19 works published between 2020 and 2025 revealed common design patterns, like real-time anomaly detection, AI-assisted response, and simulation-based testing, alongside notable gaps, such as limited end-to-end validation, insufficient integration with legacy OT, and fragmented adherence to security standards. Building on this evidence, we distilled a consolidated set of functional, non-functional, security-specific, and domain-specific requirements. These requirements were then translated into a structured, ISO 23247-aligned CS-DT framework. The proposed framework integrates edge analytics, autonomous playbooks, forensic logging, and role-based access control, while remaining modular enough to plug into existing industrial stacks without requiring a full overhaul.
Our findings confirm a clear trend: a shift from static DT replicas toward adaptive, AI-enabled twins capable of closing the loop from detection to mitigation. Despite this progress, the survey part of this work underscores ongoing challenges in achieving interoperability, a deficiency in performance assessments anchored in benchmarks, and limited deployment of real-world testbeds. These issues must be resolved to truly enhance the cyber-resilience of OT environments leveraging DTs.
The proposed design mitigates several deficiencies in existing DT-based security frameworks, but significant avenues for future exploration remain. The framework’s design is based on a specific literature set, and its practical interoperability with the wide range of legacy OT protocols requires further investigation. Subsequent studies should prioritize instantiating and validating the framework using benchmark ICS testbeds such as SWaT and WADI. This includes assessing how the Data Ingestion & Synchronization FE manages complex telemetry streams, testing the effectiveness of ML-based Anomaly Detection under diverse attack scenarios, and evaluating the safety and reliability of DT-driven Incident Response strategies before deployment. Future work should also explore how Adaptive Learning can refine detection thresholds and response playbooks over time, ensuring resilience against novel threats. Such testbed-driven validation will provide empirical grounding for the framework and pave the way for its integration into real-world CI environments.
From a practical perspective, the proposed framework offers implementation guidance for industrial cybersecurity practitioners by formalizing the integration of data ingestion, anomaly detection, incident response, and adaptive learning within a standards-aligned DT architecture. It provides a structured pathway for reducing detection latency, improving containment reliability, and enabling safe validation of response strategies in replicated environments. These implications support both industrial operators seeking operational resilience and system designers aiming to embed security-by-design principles in DT deployments.
In light of increasingly complex cyber threats and the evolution of industrial systems, DTs represent a formidable foundation for developing adaptive, intelligent, and context-conscious defense strategies. The work at hand advances that vision by bridging the gap between theoretical constructs and practical execution, offering a tangible model for next-generation cybersecurity resilience in industrial sectors. With further enhancements and stringent validation, CS-DTs may soon serve as an essential component in safeguarding CI.

Author Contributions

Conceptualization, K.E.K.; methodology, K.E.K.; writing—original draft preparation, K.E.K.; writing—review and editing, K.E.K.; visualization, K.E.K.; supervision, V.G. and S.K. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by the Research Council of Norway through the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS) project no. 310105.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
CE: Core Entity
CIA: Confidentiality, Integrity, and Availability
CI: Critical Infrastructure
CNI: Critical National Infrastructure
CNN: Convolutional Neural Network
CPMS: Cyber–Physical Manufacturing Systems
CPS: Cyber–Physical Systems
CPT: Cyber–Physical Twin
CS-DT: Cybersecurity Digital Twin
CTI: Cyber Threat Intelligence
CVSS: Common Vulnerability Scoring System
DCDCE: Data Collection and Device Control Entity
DL: Deep Learning
DLT: Distributed Ledger Technology
DDoS: Distributed Denial-of-Service
DoS: Denial-of-Service
DR: Domain-specific Requirement
DT: Digital Twin
EPIC: Electric Power and Intelligent Control
FE: Functional Entity (ISO 23247-2)
FDI: False Data Injection
FL: Federated Learning
FR: Functional Requirement
GAN: Generative Adversarial Network
GNSS: Global Navigation Satellite System
HMI: Human Machine Interface
ICT: Information and Communication Technology
IDPS: Intrusion Detection and Protection System
IDS: Intrusion Detection System
IEC: International Electrotechnical Commission
IIoT: Industrial Internet of Things
IoT: Internet of Things
IR: Incident Response
ISA: Integrated State Awareness
ISO: International Organization for Standardization
IT: Information Technology
ITS: Intelligent Transportation Systems
KNN: K-Nearest Neighbors
MitM: Man-in-the-Middle
ML: Machine Learning
MTBF: Mean Time Between Failures
MTTD: Mean Time to Detect
MTTR: Mean Time to Recovery
MUD: Manufacturer Usage Description
NFR: Non-Functional Requirement
NIST: National Institute of Standards and Technology
OME: Observable Manufacturing Element
OPC-UA: Open Platform Communications Unified Architecture
OT: Operational Technology
PLC: Programmable Logic Controller
PV: Photovoltaic
RE: Requirements Engineering
RL: Reinforcement Learning
SCADA: Supervisory Control and Data Acquisition
SDN: Software-Defined Networking
SEDT: Security-Enhancing Digital Twin
SEI: Secure Embedded Intelligence
SGCS: Smart Grid Control Systems
SIEM: Security Information and Event Management
SLR: Systematic Literature Review
SME: Small and Medium-Sized Enterprise
SNS: Smart Nuclear Systems
SOC: Security Operations Center
SOAR: Security Orchestration, Automation, and Response
SR: Security Requirement
SSC: System Structures and Components
SVM: Support Vector Machine
TCA: Temporal Convolutional Autoencoders
UE: User Entity
V2I: Vehicle-to-Infrastructure
VANET: Vehicular Ad-Hoc Network
VM: Virtual Machine
XAI: Explainable Artificial Intelligence

References

  1. Kampourakis, V.; Gkioulos, V.; Katsikas, S. A systematic literature review on wireless security testbeds in the cyber-physical realm. Comput. Secur. 2023, 133, 103383.
  2. Farwell, J.P.; Rohozinski, R. Stuxnet and the future of cyber war. Survival 2011, 53, 23–40.
  3. Reed, J. Cost of a Data Breach: The Industrial Sector. 2024. Available online: https://www.ibm.com/think/insights/cost-of-a-data-breach-industrial-sector (accessed on 3 February 2026).
  4. Guardian, T. More Than 25% of UK Businesses Hit by Cyber-Attack in Last Year, Report Finds. 2025. Available online: https://www.theguardian.com/business/2025/jun/30/uk-businesses-hit-by-cyber-attack-last-year-report (accessed on 3 February 2026).
  5. Nair, A. Cyberattack Downtime Costs by Industry: Key Stats. 2025. Available online: https://technologyradius.com/statistic/cyberattack-downtime-costs-by-industry (accessed on 3 February 2026).
  6. Kampourakis, K.E. Digital Twins for Incident Detection and Response. In Proceedings of the Research Challenges in Information Science, Seville, Spain, 20–23 May 2025; Grabis, J., Vos, T.E.J., Escalona, M.J., Pastor, O., Eds.; Lecture Notes in Business Information Processing; Springer: Cham, Switzerland, 2025; Volume 548.
  7. Holmes, D.; Papathanasaki, M.; Maglaras, L.; Ferrag, M.A.; Nepal, S.; Janicke, H. Digital twins and cyber security–solution or challenge? In Proceedings of the 2021 6th South-East Europe Design Automation, Computer Engineering, Computer Networks and Social Media Conference (SEEDA-CECNSM), Preveza, Greece, 24–26 September 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–8.
  8. Faleiro, R.; Pan, L.; Pokhrel, S.R.; Doss, R. Digital twin for cybersecurity: Towards enhancing cyber resilience. In Proceedings of the International Conference on Broadband Communications, Networks and Systems, Virtual Event, 28–29 October 2021; Springer: Cham, Switzerland, 2021; pp. 57–76.
  9. Por, L.Y.; Dai, Z.; Leem, S.J.; Chen, Y.; Yang, J.; Binbeshr, F.; Phan, K.Y.; Ku, C.S. A systematic literature review on the methods and challenges in detecting zero-day attacks: Insights from the recent crowdstrike incident. IEEE Access 2024, 12, 144150–144163.
  10. Suhail, S.; Iqbal, M.; Hussain, R.; Jurdak, R. ENIGMA: An explainable digital twin security solution for cyber–physical systems. Comput. Ind. 2023, 151, 103961.
  11. Kampourakis, V.; Gkioulos, V.; Katsikas, S. A step-by-step definition of a reference architecture for cyber ranges. J. Inf. Secur. Appl. 2025, 88, 103917.
  12. Kampourakis, V. Secure Infrastructure for Cyber-Physical Ranges. In Proceedings of the Research Challenges in Information Science: Information Science and the Connected World, Corfu, Greece, 23–26 May 2023; Nurcan, S., Opdahl, A.L., Mouratidis, H., Tsohou, A., Eds.; Springer: Cham, Switzerland, 2023; pp. 622–631.
  13. Conti, M.; Donadel, D.; Turrin, F. A Survey on Industrial Control System Testbeds and Datasets for Security Research. IEEE Commun. Surv. Tutor. 2021, 23, 2248–2294.
  14. Elayan, H.; Aloqaily, M.; Guizani, M. Digital twin for intelligent context-aware IoT healthcare systems. IEEE Internet Things J. 2021, 8, 16749–16757.
  15. Khan, L.U.; Han, Z.; Saad, W.; Hossain, E.; Guizani, M.; Hong, C.S. Digital twin of wireless systems: Overview, taxonomy, challenges, and opportunities. IEEE Commun. Surv. Tutor. 2022, 24, 2230–2254.
  16. NIST. Cybersecurity Framework. 2025. Available online: https://www.nist.gov/cyberframework (accessed on 3 March 2025).
  17. ISA. ISA/IEC 62443 Series of Standards. 2025. Available online: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards (accessed on 3 March 2025).
  18. ISO 23247; Automation Systems and Integration—Digital Twin Framework for Manufacturing. ISO: Geneva, Switzerland, 2021. Available online: https://www.iso.org/standard/78743.html (accessed on 20 August 2025).
  19. Rowan, N.J. Digital technologies to unlock safe and sustainable opportunities for medical device and healthcare sectors with a focus on the combined use of digital twin and extended reality applications: A review. Sci. Total Environ. 2024, 926, 171672.
  20. Jang-Jaccard, J.; Nepal, S. A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. 2014, 80, 973–993.
  21. Zafar, M.H.; Langås, E.F.; Sanfilippo, F. Exploring the synergies between collaborative robotics, digital twins, augmentation, and industry 5.0 for smart manufacturing: A state-of-the-art review. Robot. Comput.-Integr. Manuf. 2024, 89, 102769.
  22. Alotaibi, B. Utilizing blockchain to overcome cyber security concerns in the internet of things: A review. IEEE Sens. J. 2019, 19, 10953–10971.
  23. Homaei, M.; Mogollón-Gutiérrez, Ó.; Sancho, J.C.; Ávila, M.; Caro, A. A review of digital twins and their application in cybersecurity based on artificial intelligence. Artif. Intell. Rev. 2024, 57, 201.
  24. Hakiri, A.; Gokhale, A.; Yahia, S.B.; Mellouli, N. A comprehensive survey on digital twin for future networks and emerging Internet of Things industry. Comput. Netw. 2024, 244, 110350.
  25. Somma, A.; De Benedictis, A.; Esposito, C.; Mazzocca, N. The convergence of Digital Twins and Distributed Ledger Technologies: A systematic literature review and an architectural proposal. J. Netw. Comput. Appl. 2024, 225, 103857.
  26. Jeremiah, S.R.; El Azzaoui, A.; Xiong, N.N.; Park, J.H. A comprehensive survey of digital twins: Applications, technologies and security challenges. J. Syst. Archit. 2024, 151, 103120.
  27. Lampropoulos, G.; Siakas, K. Enhancing and securing cyber-physical systems and Industry 4.0 through digital twins: A critical review. J. Softw. Evol. Process 2023, 35, e2494.
  28. Sifat, M.; Choudhury, S.; Das, S.; Ahamed, M.; Muyeen, S.; Hasan, M.; Ali, M.; Tasneem, Z.; Islam, M.; Islam, M.; et al. Towards electric digital twin grid: Technology and framework review. Energy AI 2023, 11, 100213.
  29. Lacerda, T.C.; von Wangenheim, C.G. Systematic literature review of usability capability/maturity models. Comput. Stand. Interfaces 2018, 55, 95–105.
  30. Creswell, J.W.; Poth, C.N. Qualitative Inquiry and Research Design: Choosing Among Five Approaches; Sage Publications: Thousand Oaks, CA, USA, 2016.
  31. Autiosalo, J.; Vepsäläinen, J.; Viitala, R.; Tammi, K. A feature-based framework for structuring industrial digital twins. IEEE Access 2019, 8, 1193–1208.
  32. Yu, W.; Patros, P.; Young, B.; Klinac, E.; Walmsley, T.G. Energy digital twin technology for industrial energy management: Classification, challenges and future. Renew. Sustain. Energy Rev. 2022, 161, 112407.
  33. Zheng, Y.; Yang, S.; Cheng, H. An application framework of digital twin and its case study. J. Ambient. Intell. Humaniz. Comput. 2019, 10, 1141–1153.
  34. Suhail, S.; Iqbal, M.; McLaughlin, K.; Lee, B.; Imtiaz, B. A framework for enhancing cyber incident response with Security-Enhancing Digital Twins in Cyber-Physical Systems. Internet Things 2025, 31, 101547.
  35. Sunkara, K.C.; Dhasmana, G.; K S, R.; Yadav, M.N.; Desai, I.; Shankar, R. Cyber Twin Technology for AI-Driven Real-Time Software Security in IoT Ecosystems. In Proceedings of the 2024 4th International Conference on Mobile Networks and Wireless Communications (ICMNWC), Tumkuru, India, 4–5 December 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 1–7.
  36. Balta, E.C.; Pease, M.; Moyne, J.; Barton, K.; Tilbury, D.M. Digital twin-based cyber-attack detection framework for cyber-physical manufacturing systems. IEEE Trans. Autom. Sci. Eng. 2023, 21, 1695–1712.
  37. Allison, D.; Smith, P.; Mclaughlin, K. Digital twin-enhanced incident response for cyber-physical systems. In Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy, 29 August–1 September 2023; pp. 1–10.
  38. Empl, P.; Schlette, D.; Zupfer, D.; Pernul, G. SOAR4IoT: Securing IoT assets with digital twins. In Proceedings of the 17th International Conference on Availability, Reliability and Security, Vienna, Austria, 23–26 August 2022; pp. 1–10.
  39. Varghese, S.A.; Ghadim, A.D.; Balador, A.; Alimadadi, Z.; Papadimitratos, P. Digital twin-based intrusion detection for industrial control systems. In Proceedings of the 2022 IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops), Pisa, Italy, 21–25 March 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 611–617.
  40. Krishnan, P.; Jain, K.; Buyya, R.; Vijayakumar, P.; Nayyar, A.; Bilal, M.; Song, H. MUD-based behavioral profiling security framework for software-defined IoT networks. IEEE Internet Things J. 2021, 9, 6611–6622.
  41. Dietz, M.; Vielberth, M.; Pernul, G. Integrating digital twin security simulations in the security operations center. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event, 25–28 August 2020; pp. 1–9.
  42. Ji, C.; Niu, Y. A hybrid evolutionary and machine learning approach for smart city planning: Digital twin approach. Sustain. Energy Technol. Assess. 2024, 64, 103650.
  43. Menezes, C.; Cunha, H.; Siqueira, G.; Santos, M.; França, B.; Lopes, Y. Metaverse framework for power systems: Proposal and case study. Electr. Power Syst. Res. 2024, 237, 111039.
  44. IEC 61850; Communication Networks and Systems for Power Utility Automation. International Electrotechnical Commission: Geneva, Switzerland, 2020.
  45. Wang, R.; Venugopalan, S.; Adepu, S. Safety Analysis for Cyber-Physical Systems Under Cyber Attacks Using Digital Twin. In Proceedings of the 2024 IEEE International Conference on Cyber Security and Resilience (CSR), London, UK, 2–4 September 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 1–8.
  46. MQTT. MQTT Software. 2025. Available online: https://mqtt.org/software/ (accessed on 25 March 2025).
  47. Kandasamy, N.K.; Venugopalan, S.; Wong, T.K.; Leu, N.J. An electric power digital twin for cyber security testing, research and education. Comput. Electr. Eng. 2022, 101, 108061.
  48. Sen, Ö.; Schmidtke, F.; Carere, F.; Santori, F.; Ulbig, A.; Monti, A. Investigating the cybersecurity of smart grids based on cyber-physical twin approach. In Proceedings of the 2022 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Singapore, 25–28 October 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 439–445.
  49. Yigit, Y.; Panitsas, I.; Maglaras, L.; Tassiulas, L.; Canberk, B. Cyber-twin: Digital twin-boosted autonomous attack detection for vehicular ad-hoc networks. In Proceedings of the ICC 2024-IEEE International Conference on Communications, Denver, CO, USA, 9–13 June 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 2167–2172.
  50. Epiphaniou, G.; Hammoudeh, M.; Yuan, H.; Maple, C.; Ani, U. Digital twins in cyber effects modelling of IoT/CPS points of low resilience. Simul. Model. Pract. Theory 2023, 125, 102744.
  51. Yigit, Y.; Kinaci, O.K.; Duong, T.Q.; Canberk, B. TwinPot: Digital twin-assisted honeypot for cyber-secure smart seaports. In Proceedings of the 2023 IEEE International Conference on Communications Workshops (ICC Workshops), Rome, Italy, 28 May–1 June 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 740–745.
  52. Onaji, I.; Tiwari, D.; Soulatiantork, P.; Song, B.; Tiwari, A. Digital twin in manufacturing: Conceptual framework and case studies. Int. J. Comput. Integr. Manuf. 2022, 35, 831–858.
  53. Stojkovic, M.; Butt, J. Industry 4.0 implementation framework for the composite manufacturing industry. J. Compos. Sci. 2022, 6, 258.
  54. Garcia, H.E.; Aumeier, S.E.; Al-Rashdan, A.Y.; Rolston, B.L. Secure embedded intelligence in nuclear systems: Framework and methods. Ann. Nucl. Energy 2020, 140, 107261.
  55. Stafford, V. Zero trust architecture. NIST Spec. Publ. 2020, 800, 207.
  56. Kampourakis, K.E.; Gkioulos, V.; Kavallieratos, G.; Lin, J.C. Digital Twin-Enabled Incident Detection and Response: A Systematic Review of Critical Infrastructures Applications. Int. J. Inf. Secur. 2025, 24, 194.
  57. ISO/IEC/IEEE 29148; Systems and Software Engineering—Life Cycle Processes—Requirements Engineering. International Organization for Standardization: Geneva, Switzerland, 2018. Available online: https://www.iso.org/standard/72089.html (accessed on 20 August 2025).
  58. ISO 23247-2; Automation Systems and Integration—Digital Twin Framework for Manufacturing Part 2: Reference Architecture. International Organization for Standardization: Geneva, Switzerland, 2021.
  59. IEC 62443-3-3; Industrial Communication Networks—Network and System Security—Part 3-3: System Security Requirements and Security Levels. International Electrotechnical Commission: Geneva, Switzerland, 2013.
  60. NIST SP 800-82 Rev. 3; Guide to Operational Technology (OT) Security. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2023.
  61. NIST SP 800-61 Rev. 3; Incident Response Recommendations and Considerations for Cybersecurity Risk Management. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2025.
  62. NIST SP 800-30 Rev. 1; Guide for Conducting Risk Assessments. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2012.
  63. NIST SP 800-207; Zero Trust Architecture. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
  64. IEC 62351-14; Power Systems Management and Associated Information Exchange—Data and Communications Security—Part 14: Cyber Security Event Logging. International Electrotechnical Commission: Geneva, Switzerland, 2022.
  65. Alcaraz, C.; Lopez, J. Digital twin: A comprehensive survey of security threats. IEEE Commun. Surv. Tutor. 2022, 24, 1475–1503. [Google Scholar] [CrossRef]
  66. ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Risk Management. International Organization for Standardization: Geneva, Switzerland, 2022.
  67. VanDerHorn, E.; Mahadevan, S. Digital Twin: Generalization, characterization and implementation. Decis. Support Syst. 2021, 145, 113524. [Google Scholar] [CrossRef]
  68. Shao, G.; Frechette, S.; Srinivasan, V. An analysis of the new ISO 23247 series of standards on digital twin framework for manufacturing. In Proceedings of the International Manufacturing Science and Engineering Conference, New Brunswick, NJ, USA, 12–16 June 2023; American Society of Mechanical Engineers: New York, NY, USA, 2023; Volume 87240, p. V002T07A001. [Google Scholar]
  69. Elastic. Lightweight Shipper for Logs. 2025. Available online: https://www.elastic.co/beats/filebeat (accessed on 30 May 2025).
  70. Elastic. Centralize, Transform & Stash Your Data. 2025. Available online: https://www.elastic.co/logstash (accessed on 30 May 2025).
  71. Kang, M.S.; Lee, D.H.; Bajestani, M.S.; Kim, D.B.; Noh, S.D. Edge Computing-Based Digital Twin Framework Based on ISO 23247 for Enhancing Data Processing Capabilities. Machines 2024, 13, 19. [Google Scholar] [CrossRef]
  72. Jia, P.; Wang, X.; Shen, X. Digital-twin-enabled intelligent distributed clock synchronization in industrial IoT systems. IEEE Internet Things J. 2020, 8, 4548–4559. [Google Scholar] [CrossRef]
  73. Hietala, J. Real-Time Two-Way Data Transfer with a Digital Twin via Web Interface. Master’s Thesis, Aalto University, Aalto, Finland, 2020. [Google Scholar]
  74. Jiang, Y.; Li, M.; Li, M.; Liu, X.; Zhong, R.Y.; Pan, W.; Huang, G.Q. Digital twin-enabled real-time synchronization for planning, scheduling, and execution in precast on-site assembly. Autom. Constr. 2022, 141, 104397. [Google Scholar] [CrossRef]
  75. Wang, J.; Li, Y.; Gao, R.X.; Zhang, F. Hybrid physics-based and data-driven models for smart manufacturing: Modelling, simulation, and explainability. J. Manuf. Syst. 2022, 63, 381–391. [Google Scholar] [CrossRef]
  76. Kamoi, R.; Kobayashi, K. Why is the Mahalanobis distance effective for anomaly detection? arXiv 2020, arXiv:2003.00402. [Google Scholar] [CrossRef]
  77. Kampourakis, K.E.; Chatzoglou, E.; Kambourakis, G.; Serpanos, D. Balancing the act? Resampling versus imbalanced data for Wi-Fi IDS. Int. J. Inf. Secur. 2025, 24, 47. [Google Scholar] [CrossRef]
  78. Zheng, Z.; Zhang, Z.; Wang, L.; Luo, X. Denoising temporal convolutional recurrent autoencoders for time series classification. Inf. Sci. 2022, 588, 159–173. [Google Scholar] [CrossRef]
  79. Huang, X.; Tang, J.; Shen, Y. Long time series of ocean wave prediction based on PatchTST model. Ocean Eng. 2024, 301, 117572. [Google Scholar] [CrossRef]
  80. Peng, X.; Lin, Y.; Cao, Q.; Cen, Y.; Zhuang, H.; Lin, Z. Traffic anomaly detection in intelligent transport applications with time series data using informer. In Proceedings of the 2022 IEEE 25th International Conference on Intelligent Transportation Systems (ITSC), Macau, China, 8–12 October 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 3309–3314. [Google Scholar]
  81. Shumway, R.H.; Stoffer, D.S. ARIMA models. In Time Series Analysis and Its Applications: With R Examples; Springer: Cham, Switzerland, 2017; pp. 75–163. [Google Scholar]
  82. Sundermeyer, M.; Schlüter, R.; Ney, H. LSTM neural networks for language modeling. In Proceedings of the INTERSPEECH 2012, ISCA’s 13th Annual Conference, Portland, OR, USA, 9–13 September 2012; Volume 2012, pp. 194–197. [Google Scholar]
  83. Koay, A.M.; Ko, R.K.L.; Hettema, H.; Radke, K. Machine learning in industrial control system (ICS) security: Current landscape, opportunities and challenges. J. Intell. Inf. Syst. 2023, 60, 377–405. [Google Scholar] [CrossRef]
  84. Mishra, A.K.; Paliwal, S. Mitigating cyber threats through integration of feature selection and stacking ensemble learning: The LGBM and random forest intrusion detection perspective. Clust. Comput. 2023, 26, 2339–2350. [Google Scholar] [CrossRef]
  85. Elastic. Discover, Iterate, and Resolve with ES|QL on Kibana. 2025. Available online: https://www.elastic.co/kibana (accessed on 30 May 2025).
  86. Acharya, S.; Khan, A.A.; Päivärinta, T. Interoperability levels and challenges of digital twins in cyber-physical systems. J. Ind. Inf. Integr. 2024, 42, 100714. [Google Scholar] [CrossRef]
  87. Goh, J.; Adepu, S.; Junejo, K.N.; Mathur, A. A dataset to support research in the design of secure water treatment systems. In Proceedings of the International Conference on Critical Information Infrastructures Security, Paris, France, 10–12 October 2016; Springer: Cham, Switzerland, 2016; pp. 88–99. [Google Scholar]
  88. Ahmed, C.M.; Palleti, V.R.; Mathur, A.P. WADI: A water distribution testbed for research in the design of secure cyber physical systems. In Proceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks, Pittsburgh, PA, USA, 18–21 April 2017; pp. 25–28. [Google Scholar]
Figure 1. DT connection with the physical asset.
Figure 2. Structured screening and selection process, including database retrieval counts, duplicate removal, eligibility filtering, and final inclusion.
Figure 3. Evolution of DT-based Cybersecurity Studies by Lifecycle Focus.
Figure 4. Coverage of DT-based cybersecurity dimensions by industrial sector. Numbers indicate the number of works examined in each dimension.
Figure 6. Integration of the data ingestion and synchronization FE within the DCDCE. An ellipse indicates the existence of more sub-entities within that entity.
Figure 7. Integration of the ML-Based anomaly detection FE within the CE. An ellipse indicates the existence of more sub-entities within that entity.
Figure 8. Integration of the incident response FE within the DCDCE. An ellipse indicates the existence of more sub-entities within that entity.
Figure 9. Integration of the Adaptive Learning FE within the CE.
Figure 10. Functions mapping to suggested FEs.
Figure 11. Enhanced ISO 23247-based framework.
Table 1. Comparative relevance of related works across key DT cybersecurity criteria. ⬤, ◐, and ◯ represent a full and comprehensive, a partial or limited, and no coverage of the topic, respectively.
Work | DT | Cybersecurity | Incident Detection | Incident Response | Industrial Env. | Framework
Homaei et al. [23]
Hakiri et al. [24]
Somma et al. [25]
Jeremiah et al. [26]
Lampropoulos et al. [27]
Sifat et al. [28]
This work
Table 2. Detailed inclusion and exclusion criteria applied during structured literature screening.
Inclusion-Exclusion | Criterion | Description
Inclusion | DT Integration | The work must include a theoretical (described but not validated) or practical DT implementation.
Inclusion | Cybersecurity Incident Handling | The study must focus on cybersecurity incident detection, response, or both.
Inclusion | Industrial Environment Focus | The work must focus on industrial systems.
Inclusion | Framework | The work must propose a new framework or architecture.
Inclusion | Language | The work must be written in English.
Exclusion | Publication Type | Non-peer-reviewed content such as preprints, conference abstracts, book reviews, editorials, blogs, and grey literature.
Exclusion | Scope | Studies not directly addressing cybersecurity or DTs in industrial sectors, including mini-reviews and position papers without original contributions.