- The paper introduces a dual-layer digital twin cyber-range for live Byzantine fault injection, supporting adaptive system hardening.
- It leverages production-grade BFT deployments and real operational telemetry to conduct systematic what-if experiments and detect protocol vulnerabilities.
- The system integrates industry-standard technologies like TSN, OPC UA, and mTLS to ensure practical, scalable resilience in critical CPS.
ByzTwin-Range: A Digital Twin Cyber-Range for Byzantine Faults in Critical Cyber-Physical Systems
Introduction
Modern critical infrastructures increasingly depend on interconnected cyber-physical systems (CPS) that combine networked sensing, automated control, and software-driven orchestration. This convergence enhances operational efficiency but also greatly expands the attack surface, exposing systems to sophisticated coordinated adversaries capable of triggering both accidental and intentional failures. Addressing the robustness requirements of such environments, Byzantine Fault Tolerant (BFT) protocols have become central for mitigating the risks of arbitrary and malicious system faults. However, evaluating BFT behavior under realistic, time-sensitive operational conditions is fraught with difficulties, as traditional cyber ranges lack adequate timing fidelity and live production testing carries unacceptable risks.
This paper introduces ByzTwin-Range, a dual-layer architecture that tightly integrates a production-grade BFT deployment with a high-fidelity Digital Twin (DT), thereby enabling controlled experimentation, stress testing, and Byzantine fault injection using real operational data. The core innovation is the use of the DT not merely as a static mirror but as a continuously-updated, analytic engine that identifies protocol vulnerabilities, synchrony failures, and configuration weaknesses through systematic “What-if” evaluation. By feeding the resulting insights back into the operational BFT deployment, ByzTwin-Range supports adaptive system hardening and continuous assurance of system liveness and safety under real-world conditions.
Context and Related Work
Emerging deployments of digital twins in CPS security [shitole2021real, dietz2020integrating, eckhart2018towards] and resilience analysis [flammini2021digital, nguyen2022digital, larsen2023fault] have enhanced fidelity in emulating operational environments for intrusion response and fault injection. Digital twins can host protocol and control logic, support replay of live telemetry, and facilitate experimentation difficult or impossible on physical infrastructure alone.
Within the context of BFT, less focus exists on leveraging DTs for practical, timing-aware protocol experimentation. Prior efforts such as TwinBFT [dettoni2013byzantine] proposed virtual replicas to reduce system overhead, while others have shown that the coalescence of blockchain and digital twin technologies can enable coordinated alerting across decentralized operators [sahal2022blockchain]. Platforms such as Bedrock [amiri2024bedrock] move towards systematic evaluation of BFT protocols, but do not address the continuous integration with live plant operations required for effective CPS hardening.
ByzTwin-Range thus sits at the intersection of these efforts, articulating an architectural and methodological framework that bridges operational-grade BFT control, high-fidelity twin-based experimentation, and secure cyber-range-based analysis.
System Architecture
ByzTwin-Range operates by segmenting the critical CPS into two distinct but matched execution planes: the Operational Technology (OT) plane, where physical process control and BFT actuation occur, and the Operational Twin (OTw), which hosts the digital twin, analytics engines, and protocol stress-testing facilities.
High-Level Topology
The twin architectural segmentation is clearly visualized in the high-level system topology.
Figure 1: ByzTwin-Range's high-level topology for integrating BFT real-time control with a digital twin simulation environment.
At the OT level, real-world processes—sensors and actuators—interface with highly redundant PLCs executing local safety logic and watchdog fallback mechanisms. BFT nodes implement supervisory consensus, leveraging deterministic, low-latency Time-Sensitive Networking (TSN) and OPC UA PubSub telemetry, isolated via strict VLAN/TSN segmentation for security and timing determinism.
Bridging the OT and OTw is the Broker and Time Gateway subsystem, which guarantees temporal alignment, deterministic event ordering, secure protocol normalization, and message provenance. These layers prevent experimental activities from influencing live operations and support reproducible replay, indispensable for both forensic analysis and iterative protocol hardening.
The OTw plane, effectively the DT environment, incorporates not only co-simulated functional models (FMUs, HLA federates) but also federated learning (FL) and differential privacy (DP) engines to detect protocol anomalies without leaking raw operational data. Simulation infrastructure (K8s/K3s) orchestrates isolated twin replicas, supporting broad what-if scenario testing, coordinated adversarial behaviors, and complex fault-injection trajectories.
Security Boundary and Synchrony Assumptions
ByzTwin-Range assumes partial synchrony: adversaries can perturb but not fully subvert timing, with bounded numbers of Byzantine replicas (f among $3f+1$), while local PLC safety logic is assumed to remain fail-safe, imposing hardware-enforced fallback in catastrophic conditions. This architectural demarcation preserves a strict security and control boundary: the twin issues only read-only advisories; all actuation remains within the operational BFT cluster.
Operational and Analytical Workflow
The digital twin continuously ingests live OT telemetry via secure, authenticated (mTLS/QUIC) channels, storing operational data in a time-series streaming store and feature store for downstream machine learning. By harnessing real operational data, co-simulation modules run realistic “What-if” and fault-injection experiments, exploring Byzantine attack surfaces including equivocation, inconsistent state reporting, selective message omission, and coordinated replica disruption under timing deviations. Results and advisories are published to the operational BFT system, SIEM/SOC infrastructure, and historian/CMDB for long-term iterative resilience improvements.
Key Contributions
ByzTwin-Range’s technical contributions are primarily architectural and methodological:
- Dual-layer live BFT/Digital Twin co-deployment: Enables protocol configuration mirroring and replay of operational conditions not possible on static testbeds or synthetic cyber-ranges.
- DT-driven, protocol-aware Byzantine fault injection: Facilitates safe evaluation of worst-case behaviors—such as synchrony violations, adversarial timing, correlated node failures—while remaining decoupled from the physical control plane.
- Asymmetric advisory feedback channel: Guarantees experimental results can inform operational adaptation without permitting direct actuation from compromised or manipulated DT environments.
- Integration of industry-standard technologies: Ensures practicality and adoption fidelity, combining OPC UA, TSN, mTLS/QUIC, HLA, FMU, Kubernetes-native deployments, and federated learning to maximize real-world relevance and scalability.
- Continuous validation and adaptive hardening loop: By moving from pre-deployment to continuous co-evaluation, the framework detects configuration drift and timing vulnerabilities that only surface under live operational workloads.
Open Challenges and Future Directions
Several challenges remain open. Ensuring end-to-end real-time deadline adherence across the OT–OTw boundary during BFT protocol view changes or under adversarial delay scenarios is non-trivial. Maintaining a precise, drift-minimized synchronization between operational state and its digital twin—especially over long experiment cycles—requires robust snapshotting and deterministic replay mechanisms. High-fidelity co-simulation of large-scale deployments introduces orchestration and performance burdens, which must be addressed with adaptive fidelity policies and dynamic resource allocation.
Extending the protocol-aware fault-injection engine to capture cross-layer adversarial behavior, multi-domain coordinated attacks, and persistent configuration vulnerabilities will require further research. The next step will be an empirical proof-of-concept evaluating ByzTwin-Range’s effectiveness and overhead across real industrial deployments.
Conclusion
ByzTwin-Range establishes a practical and extensible foundation for the continuous, live-data-driven validation and adaptive hardening of BFT deployments in cyber-physical systems. It leverages state-of-the-art twin and simulation technologies for controlled fault injection, systematic vulnerability discovery, and non-disruptive testing, all within a framework compatible with industrial operational standards. The approach has clear implications for next-generation resilient OT, supporting paradigms of continuous security validation, adversarial testing, and self-hardening infrastructure as essential components of critical infrastructure protection.