Sandbox-Enabled Digital Twin for Cyber-Physical Systems

Abstract

Firmware and software in cyber-physical system (CPS) embedded devices and controllers can carry vulnerabilities from several sources, such as weak security practices, outdated libraries, or supply-chain attacks, and these can produce adversarial effects that fire only under plant-state-based triggers. Pre-deployment validation of CPS controllers, however, typically relies on digital twins that treat the controller logic as a black box. Side-channel monitoring and anomaly detection of CPS controller firmware/software is complementary, but it is typically exercised with synthetic inputs or under specific CPS operational profiles and does not track software execution and CPS plant evolution at the same time. To bridge this gap, we present a closed-loop digital twin framework that hosts unmodified controller binaries in a Linux sandbox (SaMOSA) with their I/O rerouted to an external plant simulator. The framework captures four time-synchronized side channels (hardware performance counters, system calls, disk activity, network activity) alongside plant state and provides orchestration hooks for automated, repeatable, parameterized runs. We demonstrate the framework on an OpenPLC runtime controlling a Modbus-connected IEEE 14-bus power system, and briefly discuss its application to robotics systems. The synchronized traces correlate internal controller execution with plant events, providing an observability foundation for online testing, coverage analysis, and vulnerability detection.
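As an added illustration of what time-synchronized side channels plus plant state make possible (this is not code from the paper, SaMOSA, or OpenPLC), the Python below bins four side channels and the plant trace onto a shared clock and then asks, per channel, whether the controller behaves differently only while a plant condition holds, which is the signature of a plant-state-based trigger. The sample format (shared-clock timestamp, value), the one-second window, the 3-sigma rule and the voltage-sag trigger are assumptions, and all traces are constructed for the example.

```python
"""Align side-channel traces with plant state and flag execution changes
that appear only under a plant-state condition.

Added illustration, not code from the paper or from SaMOSA/OpenPLC. The
sample format, the one-second window and the 3-sigma rule are assumptions;
every trace below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

STEP = 1.0  # window width in seconds on the shared monotonic clock


def expand(counts_per_window, step=STEP):
    """Turn per-window event counts into timestamped unit events, a stand-in
    for what a syscall/network/disk sampler would emit (constructed)."""
    return [(w * step + i * step / n, 1.0)
            for w, n in enumerate(counts_per_window) for i in range(n)]


# Constructed run: 12 one-second windows; bus voltage (p.u.) sags from t=6.
PLANT = [(float(t), 1.00 if t < 6 else 0.90) for t in range(12)]

# name: (samples as (t, value), reducer over a window). The syscall channel
# carries a constructed behaviour change two seconds into the sag.
CHANNELS = {
    "syscall": (expand([20, 21, 19, 20, 22, 18, 20, 21, 60, 57, 62, 59]), sum),
    "net":     (expand([2] * 12), sum),                              # Modbus frames
    "disk":    (expand([0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1]), sum),  # writes
    "hpc":     ([(t + 0.25 * i, 5.0) for t in range(12) for i in range(4)], sum),
}


def bin_channel(samples, reducer, step=STEP):
    """Aggregate a channel's samples into window-indexed buckets."""
    bins = defaultdict(list)
    for t, v in samples:
        bins[int(t // step)].append(v)
    return {b: reducer(vs) for b, vs in bins.items()}


def build_timeline(plant, channels, step=STEP):
    """One row per plant sample: plant value plus each channel's window aggregate."""
    binned = {n: bin_channel(s, r, step) for n, (s, r) in channels.items()}
    rows = []
    for t, pv in plant:
        row = {"t": t, "plant": pv}
        for n in channels:
            row[n] = binned[n].get(int(t // step), 0.0)
        rows.append(row)
    return rows


def plant_triggered_deviation(rows, channel, trigger, k=3.0):
    """Baseline the channel on windows where the plant condition is false;
    return (t, value, z) for windows where the condition holds and the channel
    departs from that baseline by more than k standard deviations."""
    base = [r[channel] for r in rows if not trigger(r["plant"])]
    if len(base) < 2:
        raise ValueError("not enough baseline windows to estimate a distribution")
    mu, sd = mean(base), max(pstdev(base), 1e-9)  # floor avoids divide-by-zero
    return [(r["t"], r[channel], round((r[channel] - mu) / sd, 1))
            for r in rows
            if trigger(r["plant"]) and abs(r[channel] - mu) > k * sd]


def run(channels=CHANNELS, plant=PLANT):
    """Check every channel against the same plant-state trigger (voltage sag)."""
    rows = build_timeline(plant, channels)
    sag = lambda v: v < 0.95  # assumed trigger under test
    return {n: plant_triggered_deviation(rows, n, sag) for n in channels}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits or "no plant-correlated deviation")
```

Only the syscall channel is flagged, and only from the third sag window onward; the net, disk and hpc channels stay at baseline, so the deviation is attributable to the controller's own execution rather than to the plant-side traffic change. On real traces the trigger predicate and the baseline windows would come from the orchestration run parameters rather than being hard-coded.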
