Papers
Topics
Authors
Recent
Search
2000 character limit reached

Trust, but Verify: ByzTwin-Range, a Digital Twin Cyber-Range for Byzantine Faults

Published 20 Apr 2026 in cs.DC | (2604.18049v1)

Abstract: Critical infrastructures increasingly rely on interconnected and software-driven Cyber-Physical Systems (CPS), exposing operational processes to both accidental failures and sophisticated adversarial behavior. While Byzantine Fault Tolerant (BFT) protocols offer robustness against arbitrary faults, evaluating their behavior under realistic cyber-physical conditions remains challenging: traditional cyber ranges lack timing fidelity, and testing in production environments is unsafe. This paper introduces ByzTwin-Range, a dual-layer architecture that integrates a production-grade BFT deployment with a Digital Twin (DT) to enable controlled experimentation, stress testing, and Byzantine fault injection using live operational data. The DT mirrors real system state, executes "What-if" analyses through co-simulation and emulation, and identifies synchrony vulnerabilities, i.e., misconfigured timeouts, timing-sensitive false suspicions, and adversarial delay exploits, configuration weaknesses, and adversarial behaviors that may undermine BFT guarantees. Insights from the twin are fed back into the operational deployment through a secure advisory channel, supporting continuous validation and adaptive hardening. The proposed design leverages industry-standard technologies (Open Platform Communications Unified Architecture, Time-Sensitive Networking, Functional Mock-up Unit/High-Level Architecture, QUIC/mutual TLS) to maximize feasibility and compatibility with existing industrial workflows. ByzTwin-Range establishes a practical foundation for next-generation, BFT-aware cyber ranges and paves the way for more resilient CPSs through continuous testing, differential-privacy-enabled analytics, and future proof-of-concept implementations.

Summary

  • The paper introduces a dual-layer digital twin cyber-range for live Byzantine fault injection, supporting adaptive system hardening.
  • It leverages production-grade BFT deployments and real operational telemetry to conduct systematic what-if experiments and detect protocol vulnerabilities.
  • The system integrates industry-standard technologies like TSN, OPC UA, and mTLS to ensure practical, scalable resilience in critical CPS.

ByzTwin-Range: A Digital Twin Cyber-Range for Byzantine Faults in Critical Cyber-Physical Systems

Introduction

Modern critical infrastructures increasingly depend on interconnected cyber-physical systems (CPS) that combine networked sensing, automated control, and software-driven orchestration. This convergence enhances operational efficiency but also greatly expands the attack surface, exposing systems to sophisticated coordinated adversaries capable of triggering both accidental and intentional failures. Addressing the robustness requirements of such environments, Byzantine Fault Tolerant (BFT) protocols have become central for mitigating the risks of arbitrary and malicious system faults. However, evaluating BFT behavior under realistic, time-sensitive operational conditions is fraught with difficulties, as traditional cyber ranges lack adequate timing fidelity and live production testing carries unacceptable risks.

This paper introduces ByzTwin-Range, a dual-layer architecture that tightly integrates a production-grade BFT deployment with a high-fidelity Digital Twin (DT), thereby enabling controlled experimentation, stress testing, and Byzantine fault injection using real operational data. The core innovation is the use of the DT not merely as a static mirror but as a continuously-updated, analytic engine that identifies protocol vulnerabilities, synchrony failures, and configuration weaknesses through systematic “What-if” evaluation. By feeding the resulting insights back into the operational BFT deployment, ByzTwin-Range supports adaptive system hardening and continuous assurance of system liveness and safety under real-world conditions.

Emerging deployments of digital twins in CPS security [shitole2021real, dietz2020integrating, eckhart2018towards] and resilience analysis [flammini2021digital, nguyen2022digital, larsen2023fault] have enhanced fidelity in emulating operational environments for intrusion response and fault injection. Digital twins can host protocol and control logic, support replay of live telemetry, and facilitate experimentation difficult or impossible on physical infrastructure alone.

Within the context of BFT, less focus exists on leveraging DTs for practical, timing-aware protocol experimentation. Prior efforts such as TwinBFT [dettoni2013byzantine] proposed virtual replicas to reduce system overhead, while others have shown that the coalescence of blockchain and digital twin technologies can enable coordinated alerting across decentralized operators [sahal2022blockchain]. Platforms such as Bedrock [amiri2024bedrock] move towards systematic evaluation of BFT protocols, but do not address the continuous integration with live plant operations required for effective CPS hardening.

ByzTwin-Range thus sits at the intersection of these efforts, articulating an architectural and methodological framework that bridges operational-grade BFT control, high-fidelity twin-based experimentation, and secure cyber-range-based analysis.

System Architecture

ByzTwin-Range operates by segmenting the critical CPS into two distinct but matched execution planes: the Operational Technology (OT) plane, where physical process control and BFT actuation occur, and the Operational Twin (OTw), which hosts the digital twin, analytics engines, and protocol stress-testing facilities.

High-Level Topology

The twin architectural segmentation is clearly visualized in the high-level system topology. Figure 1

Figure 1: ByzTwin-Range's high-level topology for integrating BFT real-time control with a digital twin simulation environment.

At the OT level, real-world processes—sensors and actuators—interface with highly redundant PLCs executing local safety logic and watchdog fallback mechanisms. BFT nodes implement supervisory consensus, leveraging deterministic, low-latency Time-Sensitive Networking (TSN) and OPC UA PubSub telemetry, isolated via strict VLAN/TSN segmentation for security and timing determinism.

Bridging the OT and OTw is the Broker and Time Gateway subsystem, which guarantees temporal alignment, deterministic event ordering, secure protocol normalization, and message provenance. These layers prevent experimental activities from influencing live operations and support reproducible replay, indispensable for both forensic analysis and iterative protocol hardening.

The OTw plane, effectively the DT environment, incorporates not only co-simulated functional models (FMUs, HLA federates) but also federated learning (FL) and differential privacy (DP) engines to detect protocol anomalies without leaking raw operational data. Simulation infrastructure (K8s/K3s) orchestrates isolated twin replicas, supporting broad what-if scenario testing, coordinated adversarial behaviors, and complex fault-injection trajectories.

Security Boundary and Synchrony Assumptions

ByzTwin-Range assumes partial synchrony: adversaries can perturb but not fully subvert timing, with bounded numbers of Byzantine replicas (ff among $3f+1$), while local PLC safety logic is assumed to remain fail-safe, imposing hardware-enforced fallback in catastrophic conditions. This architectural demarcation preserves a strict security and control boundary: the twin issues only read-only advisories; all actuation remains within the operational BFT cluster.

Operational and Analytical Workflow

The digital twin continuously ingests live OT telemetry via secure, authenticated (mTLS/QUIC) channels, storing operational data in a time-series streaming store and feature store for downstream machine learning. By harnessing real operational data, co-simulation modules run realistic “What-if” and fault-injection experiments, exploring Byzantine attack surfaces including equivocation, inconsistent state reporting, selective message omission, and coordinated replica disruption under timing deviations. Results and advisories are published to the operational BFT system, SIEM/SOC infrastructure, and historian/CMDB for long-term iterative resilience improvements.

Key Contributions

ByzTwin-Range’s technical contributions are primarily architectural and methodological:

  • Dual-layer live BFT/Digital Twin co-deployment: Enables protocol configuration mirroring and replay of operational conditions not possible on static testbeds or synthetic cyber-ranges.
  • DT-driven, protocol-aware Byzantine fault injection: Facilitates safe evaluation of worst-case behaviors—such as synchrony violations, adversarial timing, correlated node failures—while remaining decoupled from the physical control plane.
  • Asymmetric advisory feedback channel: Guarantees experimental results can inform operational adaptation without permitting direct actuation from compromised or manipulated DT environments.
  • Integration of industry-standard technologies: Ensures practicality and adoption fidelity, combining OPC UA, TSN, mTLS/QUIC, HLA, FMU, Kubernetes-native deployments, and federated learning to maximize real-world relevance and scalability.
  • Continuous validation and adaptive hardening loop: By moving from pre-deployment to continuous co-evaluation, the framework detects configuration drift and timing vulnerabilities that only surface under live operational workloads.

Open Challenges and Future Directions

Several challenges remain open. Ensuring end-to-end real-time deadline adherence across the OT–OTw boundary during BFT protocol view changes or under adversarial delay scenarios is non-trivial. Maintaining a precise, drift-minimized synchronization between operational state and its digital twin—especially over long experiment cycles—requires robust snapshotting and deterministic replay mechanisms. High-fidelity co-simulation of large-scale deployments introduces orchestration and performance burdens, which must be addressed with adaptive fidelity policies and dynamic resource allocation.

Extending the protocol-aware fault-injection engine to capture cross-layer adversarial behavior, multi-domain coordinated attacks, and persistent configuration vulnerabilities will require further research. The next step will be an empirical proof-of-concept evaluating ByzTwin-Range’s effectiveness and overhead across real industrial deployments.

Conclusion

ByzTwin-Range establishes a practical and extensible foundation for the continuous, live-data-driven validation and adaptive hardening of BFT deployments in cyber-physical systems. It leverages state-of-the-art twin and simulation technologies for controlled fault injection, systematic vulnerability discovery, and non-disruptive testing, all within a framework compatible with industrial operational standards. The approach has clear implications for next-generation resilient OT, supporting paradigms of continuous security validation, adversarial testing, and self-hardening infrastructure as essential components of critical infrastructure protection.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.