Digital Twinning and Protecting Controlled Unclassified Information

In the increasingly connected and digital world, businesses are sprinting to integrate technological advancements into their corporate fabric. This is evident with the emerging concept of “digital twinning.” Digital twins are virtual representations of real-world objects or systems used to digitally model performance, identify inefficiencies, and design solutions. This helps improve the “real world” product, reduces costs, and increases efficiency. However, this replication of a physical entity in the digital space is not without its challenges. One of the challenges that will become increasingly prevalent is the processing, storing, and transmitting of Controlled Unclassified Information (CUI). If CUI is not protected properly, an idea to save time, money, and effort could result in the loss of critical data.

The Department of Defense’s (DoD) CUI Program website defines CUI as “government-created or owned unclassified information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or government-wide policies. It is sensitive information that does not meet the criteria for classification but must still be protected.” In March 2020, DoD published Instruction 5200.48, establishing the official DoD CUI Registry.

Elevating the Discussion on Digital Twins

As aerospace and defense companies continue to embrace the concept of digital twins for an expanding number of use cases, securely transferring and storing the Controlled Unclassified Information (CUI) associated with digital twins is becoming increasingly important. (Image: Smithers)

Digital twinning has evolved from a fantasy for larger enterprises to a reality for many small and medium enterprises in the last decade. Hailed for its potential to revolutionize how we interact with objects and systems in the real world, digital twinning is reliant on many of the other key technologies driving the fourth industrial revolution (Industry 4.0) including:

  • Industrial Internet of Things (IIoT)

  • Cloud computing

  • Artificial intelligence (AI) and machine learning (ML)

  • Augmented and virtual reality

  • Automation and robotics

  • Fifth generation connectivity (5G)

  • Computer aided engineering (CAE)

All of these technologies cater to the demand for data and its exchange across networks and numerous platforms. Several reports assessing aerospace and defense company investment trends over the last year have shown that the industry will continue to increase its spending on digital twin technology over the next 5-10 years. As an example, in a June 2023 survey of 150 aerospace and defense organizations published by Capgemini, 80 percent of those surveyed noted that they have an ongoing digital twin development program. The remaining 20 percent had plans to start one. According to the report, key factors driving companies to invest in digital twins include increasing sales (63 percent), providing an advanced training environment for employees (68 percent), reducing time to market (70 percent) and reducing development costs (71 percent).

The Department of Defense defines CUI as “government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies. It is sensitive information that does not meet the criteria for classification but must still be protected.” As more defense contractors embrace the concept of digital twinning, the processing, storing and transmitting of CUI in a secure and protected manner is a challenge that the industry will have to continue to address. (Image: MuhammadArif)

Additionally, in its 2024 Aerospace and Defense Industry Outlook, Deloitte identified a new and growing use case for digital twins among manufacturers that goes beyond producing a final product. The report notes that some aerospace and defense companies are increasingly considering or evaluating the development of digital twins of the end-to-end processes of their supply chains to obtain a more complete view of the procurement, production and delivery processes. Others are considering the use of digital twin technology to track parts throughout their life span in an effort to improve maintenance schedules and protocols.

The Potential Cost of Innovation

With data breaches making news headlines every day, scrutinizing the security of digital operations is more critical than ever before, especially for the key data held by U.S. DoD contractors. These contractors are global and have been preparing for the release of the Cybersecurity Maturity Model Certification 2.0 (CMMC) requirement. CMMC will require a third-party independent assessment to confirm compliance with NIST SP 800-171 for all contractors processing, storing, or transmitting CUI. The data contractors need to protect may be a blueprint, a detailed description of a component, or data that can be fed directly to a CNC machine. However, when the digital component is an exact copy, as it must be for a digital twin, the stakes are significantly higher. Now sensitive data has interfaces and interactions with the real world and other systems.

In this web of digital interconnectivity, it’s essential to consider the route any piece of data takes from the physical to the digital world and back. This is crucial because the more ‘touchpoints’ a digital twin has, the higher the likelihood of a security breach or data corruption. For instance, a temperature sensor gathering information on a factory floor could send data through a series of processes before it is integrated into the digital twin. Each of these processes must be secure, and the costs associated with these security measures must be considered from the outset.

The potential rewards of digital twinning are significant, but so are the risks. Organizations currently executing digital twinning projects should be compliant with NIST SP 800-171 today. The AI/ML platforms they are using should also be compliant. NIST SP 800-171 is effectively a set of cybersecurity requirements that are designed to safeguard CUI that is stored or managed within the information sharing networks owned and operated by government contractors and subcontractors. The standard outlines specific practices and procedures contractors must adhere to when their networks store or process CUI.

Considerations for all systems/platforms should include but are not limited to:

  • How will the client disseminate the information the contractor requires to build the digital twin?

  • How will the contractor securely process and store that data?

  • Who can access the data? In the case of a digital twin project, potential human involvement extends beyond the contractor to a sub-contractor or vendor who handles the AI environment.

  • Who controls the data?

  • Where is the data processed and stored?

  • Who has access to the AI environment for review and testing?

  • What happens to the CUI once the digital twin has served its purpose and testing terminates?

Organizations must weigh the benefits against the costs and risks. The benefits can be substantial, from improving operational efficiencies to providing a platform for innovation, but these are only happily-ever-afters if they are built on a solid, secure foundation.

The Global Mosaic of Data

In a globalized economy, digital twin data may traverse international borders multiple times a day. This creates a complex patchwork of different regulations and laws, in particular the U.S. International Traffic in Arms Regulations (ITAR). Data isolation laws in various countries further complicate matters, potentially fragmenting the integrity of a digital twin. All robust cybersecurity standards and guidelines must apply to digital twinning along with products and specifications that traditionally have fallen into the CUI category.

A Framework for the Farsighted

Creating a digital twin is not just a technical feat; it is a strategic imperative that touches every facet of modern business. From security to sovereignty and from trust to ethics, the decisions made today about digital twin architecture will reverberate long into the future. Organizations must adopt a farsighted approach to digital twinning, one that is as much about the long-term viability of the technology as it is about the short-term benefits, and balanced against the cybersecurity risks it brings.

This article was written by Robert McVay, Senior Consultant, Information Security Services, Smithers (Akron, OH).