Digital twin oriented architecture for secure and QoS aware intelligent communications in industrial environments

In modern networking industrial environments, characterized by the integration of Operation Technology and Information Technology, there is a strong need to ensure both safety and security of operations and communications. In this regard, IEC 62443 zones and conduits represent powerful high-level abstractions stressing the importance of clearly separating machines in relation to safety requirements and of clearly defining inter-machine communication security requirements. However, their actual implementation is still demanded to human-centric error-prone procedures performed by technicians directly on network elements, without any integrated plant-wide point of view. To overcome these issues, first of all we originally state the need of applying the Digital Twin approach to zones and conduits, making easier the definition and management of inter-machine security requirements. For instance, industrial technicians can specify that communication among two zones should always flows through a ciphered conduit with a given algorithm and key length, at the cost of increased latency. Secondly, we state the need of exploiting an intelligent reasoner to monitor the current state of the environment (represented by asset and network Digital Twins), actively reconfiguring them in case desired requirements are not satisfied. Then, the reasoner allows to enforce requirements while also considering the fulfillment of a proper trade-off between security and performance, e.g., by reducing the ciphering complexity to ensure prompt packet dispatching whenever required. Performance results based on our working prototype demonstrate the feasibility and efficiency of the proposed solution under stringent requirements typical of industrial environments. In particular, in terms of better flexibility we proved that our orchestrator is able to create a new Digital Twin in less than 2.5 s in a typical edge node with a medium load. In addition, proposed routing policies based on our machine learning reasoner led to the satisfaction of well-defined low latency requirements (250 ms) while avoiding packet dropping.