Towards Situational Aware Cyber-Physical Systems: A Security-Enhancing Use Case of Blockchain-based Digital Twins

The complexity of cyberattacks in Cyber-Physical Systems (CPSs) calls for a mechanism that can evaluate critical infrastructures' operational behaviour and security without affecting the operation of live systems. In this regard, Digital Twins (DTs) provide actionable insights through monitoring, simulating, predicting, and optimizing the state of CPSs. Through the use cases, including system testing and training, detecting system misconfigurations, and security testing, DTs strengthen the security of CPSs throughout the product lifecycle. However, such benefits of DTs depend on an assumption about data integrity and security. Data trustworthiness becomes more critical while integrating multiple components among different DTs owned by various stakeholders to provide an aggregated view of the complex physical system. This article envisions a blockchain-based DT framework as Trusted Twins for Securing Cyber-Physical Systems (TTS-CPS). With the automotive industry as a CPS use case, we demonstrate the viability of the TTS-CPS framework in a proof of concept. To utilize reliable system specification data for building the process knowledge of DTs, we ensure the trustworthiness of data-generating sources through integrity checking mechanisms. Additionally, the safety and security rules evaluated during simulation are stored and retrieved from the blockchain, thereby establishing more understanding and confidence in the decisions made by the underlying systems. Finally, we perform formal verification of the TTS-CPS.


Introduction
Characterized by computation, networking, and physical components, Cyber-Physical Systems (CPSs) interface the digital and physical worlds [1] to enable the realization of the Industry 4.0 vision [2]. Because Industrial Control Systems (ICSs), a subset of CPSs, have a direct impact on the environment they operate in, ensuring that such systems meet specific security and safety requirements is paramount [3]. Several seminal examples of ICS-tailored malware have demonstrated how severe the consequences of such incidents can be [3,4].
For instance, the cyber attack on the Ukrainian power grid in 2015 (BlackEnergy3) [5] and a follow-up attack in 2016 (Industroyer) [6] disconnected several substations, causing a power outage. Similarly, Stuxnet [7], which targeted Iran's uranium enrichment plant, and Triton [8], which targeted a petrochemical plant in Saudi Arabia, are among the most prominent examples of cyber-physical sabotage. By exploiting loopholes in the system infrastructure, attackers gain a foothold and launch covert attacks or Advanced Persistent Threats (APTs) [2]. Consequently, such attacks degrade overall system performance, cause significant economic loss, and pose human safety risks. Therefore, specifically designed ICS-tailored covert attacks require a solution that, without obstructing ongoing operations, can monitor and analyze the physical process to detect security loopholes in the CPS at an early stage (for instance, the design phase), thereby reducing incident response time [2].
Digital Twins (DTs) are considered one such solution. Being virtual replicas of their physical counterparts, DTs share the expected operational behaviour of the underlying systems [2] and provide a sustainable strategy for analyzing, monitoring, and predicting the behaviour of a system [9]. To do so, DTs collect data from multiple sources, such as sensors and actuators installed on the factory floor, historical production data derived from product lifecycle data, and domain knowledge. Following a closed feedback loop, the DT inspects for data inconsistencies between the physical entity and the virtual entity and feeds the simulation data back to the physical entity to adopt better calibration and testing strategies [10]. To fully harness the features of a DT, the data used by the DT needs to be trustworthy and secure. For instance, reasoning about the current state of a data object entails the complete lineage of its process chain [11].
Additionally, the requirement of data trustworthiness becomes more critical as it may affect the next system generation, where DT data can be used as historical data. Unreliable data used as historical data in guiding future system iterations can lead to significant deviations from the system's desired behaviour. In this regard, leveraging blockchain technology allows industries to manage data on a distributed ledger while ensuring trusted DT data coordination [4,12]. A provenance-enabled blockchain-based DT assures the traceability and solidity of data, thereby establishing more confidence in the decisions made by the underlying systems [2]. Thus, combining blockchain and DTs can reshape the industry such that blockchain ensures secure data management and DTs use reliable data as input to extract actionable insights [10].
In the information security domain, the process knowledge of DTs is primarily built by either (i) utilizing system specification data to model the physical counterpart based on engineering artifacts [13,14,18], or (ii) applying machine learning methods to learn security-related aspects from sensor data [21,22] without obtaining process knowledge from DTs [2]. Neither line of work focuses on whether the data-generating sources are trustworthy, which is critical to ensure input data quality. Similarly, the need for trustworthy data storage is not given due attention. Thus, trustworthy process knowledge for DTs is required to address this limitation in current knowledge.
We focus on the existing research work covering the initial development phase of DTs, which consists of obtaining process knowledge through system specification approaches. Most importantly, we narrow down the existing works based on the objective of using DT, i.e., a situational awareness enabler. Table 1 summarizes relevant works on specification-based DTs. Moreover, Table 1 also shows that in recent years there has been an increased interest in using DTs to secure CPSs. The specification-based approaches (summarized in Table 1) utilize technical, topological, and control artefacts of the underlying system that are maintained throughout the system engineering process [2]. There exist many works on blockchain-based DTs. [4] provides a comprehensive review of the design solutions for blockchain-based DTs in the industrial domain. However, the existing blockchain-based schemes lack the details on how the DTs are constructed and how DT security operation modes can be used to secure CPSs.
Furthermore, they vary in terms of utilizing DTs and are therefore beyond the scope of this paper. [16] proposed only a theoretical blockchain-based framework while neglecting the prototypical implementation.
Compared to the existing works, the proposed TTS-CPS scheme ensures that the generation of a virtual environment through system specification data is based on trustworthy data-generating sources owing to Integrity Checking Mechanisms (ICMs). Additionally, integrating blockchain makes the simulation environment reliable. In this work, we investigate the significance of integrating blockchain-based DTs in the CPS. We focus on specification-based DTs.
More precisely, we propose a blockchain-based DT framework for supporting security-enhancing use cases of DTs in the CPS. Our main contributions can be summarized as follows:
• To support a situational-aware environment, we propose a blockchain-based DT framework as Trusted Twins for Securing Cyber-Physical Systems (TTS-CPS). By leveraging blockchain with DTs, we can track the entity accountable for adding or updating the Safety and Security (S&S) rules and ensure the trustworthiness of data-generating sources through ICMs.
• Through a prototypical implementation supporting the simulated network topology, Human Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), and physical devices (e.g., robotic arm, motor), we demonstrate the feasibility of the TTS-CPS framework for an assembly line in the automotive industry.
• We perform formal verification of the TTS-CPS.
The rest of the paper is organized as follows. Table 2 lists all the acronyms used in the paper. Section 2 outlines the proposed framework for the CPS.
Section 3 presents the evaluation results and discusses the formal modelling and verification of the proposed approach. Finally, Section 4 concludes the paper with an outlook on future research directions.

TTS-CPS

its clone counterparts span engineering to operational lifecycle phases. Thirdly, the data layer connects the physical and virtual environment by utilizing behavioural data. The behavioural data can be either static data (such as the range of sensor data) or dynamic data (such as real-time sensor data). The process knowledge of the DT is acquired from the specification-based artefacts.

Fourthly, the storage layer stores data in the knowledge base, which other layers can utilize. Finally, the interface allows data/security analysts to repeat and reproduce simulations based on user-specified parameters and feedback during repetitive testing. Generally, the role of data/security analysts is (i) to utilize the controlled, supportive virtual environment during replication (record and replay events [15]) and simulation (trial and error) modes, and (ii) to spot deviations from a defined or learned baseline and alert the system. Among the various security-enhancing use cases of DTs, including security testing, incident response, automated security, etc. [2], we use DTs as an anomaly detection tool. More specifically, the objective of the DT is to identify data inconsistencies between the Physical Entity (PE) and the Virtual Entity (VE).
To further elaborate the connection between the components of the proposed framework: a digital-physical mapping between PE and its clone counterpart VE is performed to ensure data consistency between the two spaces. The DT operation modes (simulation, replication, and data analytics) that support monitoring, behavioural analysis, and replaying of CPS events are part of the VE component. The blockchain ledger enforces secure data management by storing data and recalling data or events.
In the following, we compare the proposed TTS-CPS framework with existing solutions closely aligned with our scope, i.e., securing CPS and using specification-based process knowledge for DTs.

Comparison with existing frameworks
The DT paradigm applies to different enterprises to various degrees of implementation [23], mainly due to (i) the application-specific building blocks of DTs (such as assets, process knowledge, data sources), (ii) the objective of using DTs (such as cyber-situational awareness, predictive maintenance, resource optimization), and (iii) the level of detail and granularity. Considering the objective of using DTs to secure CPS, existing solutions such as the CPS Twinning framework [15,24] utilize system specification data, i.e., Engineering Knowledge (EK) and Domain Knowledge (DK), to model the physical counterpart. However, these frameworks lack the concept of trusted twins, i.e., trustworthy process knowledge for DTs, because they have neither blockchain-based storage nor the approach of leveraging system specification data as ICMs. TTS-CPS (adapted from [15,24]) also uses specification-based process knowledge for DTs. However, we put emphasis on data trustworthiness and security, which is the critical parameter in DT-based CPS security. Therefore, in addition to EK and DK, we have considered additional components such as the Rule Generator (RG) and blockchain-based data storage. More specifically, we have used EK, DK, and RG (together as ICMs) to establish trusted twins.
Note that for TTS-CPS, we have mainly considered critical components to establish trusted twins. However, there could be additional components depending on the objectives of using DTs or application-specific requirements.
For instance, with the similar objective of anomaly detection, [10] envisioned a blockchain-based DT framework for the Industrial Internet of Things (IIoT).
The main components of their proposed framework include (i) data wrangler (responsible for data conversion and data cleaning to transform the data into a unified form), (ii) data fusion (responsible for accumulating data from multiple DTs to cross-validate the observations to increase data consistency and trustworthiness), and (iii) data synchronization (responsible for digital-physical mapping and checking for data inconsistencies between physical and virtual space). In this paper, we focus on the TTS-CPS components that promote trusted twins, and we reflect on the need for additional components, such as those in [10], for future research in Section 4.

Integrity Checking Mechanisms (ICMs)
The data layer mainly consists of ICMs. In the following, we discuss the subcomponents of the ICMs in detail. The quality of the data matters as much as its quantity for ensuring precise predictions and decision-making in critical infrastructures operating under a complex threat landscape and a high volume and variety of big data [4]. Although stringent security guarantees are inherited from the blockchain, ensuring the trustworthiness of data-generating sources is equally essential for critical CPS [2]. Since DTs act as the input data sources, DTs need to be built on reliable data. Therefore, a three-fold ICM is defined by the TTS-CPS framework. Firstly, Engineering Knowledge (EK) and, secondly, Domain Knowledge (DK) provide the specification data described in the following subsections. Thirdly, the Rule Generator (RG) cross-validates device data with overlapping fields of view by comparing pre-defined device performance parameters, S&S rules, and provenance data. To give an example, RG takes input from EK and DK to generate S&S rules while taking into account the provenance data to establish the trustworthiness of data. To sum up, ICMs provide reliable system specification data for building the process knowledge of the DT at the design phase.
Based on specification-based process knowledge, DT acts as an anomaly detection tool. Additionally, the virtual network setup retrieves data from the blockchain, which establishes more understanding and confidence in the decisions made by the underlying systems.

Engineering Knowledge (EK)
Engineering Knowledge (EK) provides the design specifications of the technical, topological, and control artefacts at device-level, network-level, and system-level that are essential to generating the virtual environment's network setup.
The device-level information includes construction details (e.g., name, type, make, model), functional details (e.g., operating conditions in terms of standards), and configuration details (e.g., IP and MAC address, I/O channels, control logic). The network-level information includes topology and communication paths through logical connections and endpoints. The system-level information includes relationships among components/processes concerning data aggregation, conditional rules, and constraints. Each asset (including sensors) can be identified with an asset ID ($A_{ID}$) and sensor ID ($S_{ID}$), whereas the associated configuration settings can be represented as $\chi$.
Sensors are notoriously prone to calibration errors, which arguably explain the root cause of aberrant behaviour or erroneous data. Ignoring such minor variations in system behaviour may collapse the whole system or may have drastic effects on the system's long-term behaviour. Calibration errors manifest when sensors report values that are offset from the ground truth. Given that factory calibration conditions may not necessarily be relevant to the needs of the physical environment and that sensors wear out over time, calibration is necessary to increase the sensor's accuracy and resilience against random errors [25]. Therefore, to ensure data quality before data collection, sensors and actuators must be calibrated to ensure measurement accuracy according to a known standard and verified to ensure correct operation according to operating specifications. These Calibration and Verification (C&V) operations on Internet of Things (IoT) sensors must be carried out periodically for ageing management and fault diagnosis.
Each sensor $s(k)$ of type $k \in K$, where $K = \{1, \ldots, k, \ldots, K\}$, collects timestamped sensor data $D_{s(k),t}$. To ensure that $D_{s(k),t}$ lies within the predefined bounds, the following Consistency Check (CC) is performed:

$$\tau^{\min}_{s(k)} \le D_{s(k),t} \le \tau^{\max}_{s(k)},$$

where $\tau^{\min}_{s(k)}$ and $\tau^{\max}_{s(k)} \in \tau$ define the lower and upper bounds, respectively.

Domain Knowledge (DK)
Domain Knowledge (DK) provides domain-specific knowledge from experts in various fields, such as engineers (electrical, mechanical, instrumentation and control), supply chain participating entities, security professionals in a Security Operations Center (SOC), etc. Moreover, it also includes asset historical data ($A^{h}_{\omega}$) derived from lifecycle data (such as design and development; operation and maintenance; and decommissioning). Once generated, DK can be used as a reference by different organizations and tailored accordingly to meet their specific needs.

Rule Generator (RG)
Rule Generator (RG) takes input from EK and DK to generate S&S rules while taking into account the provenance data ($D_P$). Depending on the underlying CPS infrastructure, S&S rules can be based on threshold data (upper $\tau^{\max}_{s(k)}$ and lower $\tau^{\min}_{s(k)}$ bounds), consistency checks (pre-defined performance parameters), and constraints (data accessibility and auditability) [2]. Examples include trends/patterns (e.g., heat or vibration), consistency checks (e.g., the conveyor belt speed variable), conditional limits for device data (e.g., minimum and maximum temperature), and access control (e.g., authentication and authorization based on roles and access levels).
To detect the presence of malicious or accidental disruptions, the system needs to respond effectively by invoking the appropriate defence mechanisms, whereas the inability to impose such strategy results in long-term loss. Therefore, to detect misconfigurations and malicious activities, S&S rules must be integrated into a CPS. S&S rules monitor and analyze the device or process in the virtual environment and learn about the presence of an attack or abnormal behaviour by collecting data over such events. Based on the incident data, the derived patterns as S&S rules can be formulated, tested, and transmitted to the physical environment. Thus, monitoring the physical system state through time, outliers, and changes can uncover anomalies or malicious activities by enabling the detection of possible S&S rules violations in terms of deviations or patterns from a defined benign behaviour.
Introducing S&S rules at DT's design and development phase can lower security and incident-response costs. Moreover, it makes later lifecycle phases (such as operation and maintenance; and decommissioning) less prone to errors and incidents [17]. To do so, S&S rules can be defined at device-level or process-level.
For instance, through EK, rules can define a safe state based on the regular operation of the device, verify the specific service provided by the process, derive a white-list from network-level monitoring based on the authorized addressing and routing information, detect unknown devices, identify unidentified connections, determine abnormal changes in the control logic, enforce fine- and coarse-grained policies and constraints, etc. [4]. Similarly, rules can also be extracted from thresholds or consistency checks defined during the calibration phase and from equipment history data in the product lifecycle data.
While reasoning about the current state and the chained actions on a data object (such as who, when, where, why, and how), provenance data ($D_P$) can aid in generating device-, network-, and system-level rules. $D_P$ is a complete process lifecycle along with environment settings, input parameters, and the actions and events performed on data [26], and can be constructed as suggested in [11]. The key role of $D_P$ is to enforce traceability in the CPS while traversing through the process; it can be stored on the blockchain to reconstruct the process chain on demand. $D_P$ can be reconstructed based on the data provided by EK, C&V, and DK. Additionally, it can also serve as a basis for implicit security rules.
For instance, $D_P$ under process-specific settings ($P_{ID}$) can identify the accountable entity $E_{ID}$ generating or updating the rule $R_{ID}$ with rule description $R_D$ for $A_{ID}$ or $S_{ID}$.
Similarly, $D_P$ can be derived from EK, C&V, and DK to construct rules as follows. From EK: what are the configuration settings ($\chi$) defined for $S_{ID}$ affixed to $A_{ID}$?
From C&V: which threshold settings ($\tau$) are optimal for $A_{ID}$ based on $A^{c}_{\omega}$ (i.e., on/off, run rate, speed) and $D_{s,t}$ from $S_{ID}$?
From DK: how did $A_{ID}$ behave under $\chi$?
Depending on the severity of the cyber situation, S&S rules need to be generated or updated to make the system respond effectively and avoid long-term loss.

Algorithm 1 Generate or update an S&S rule
Assign $R_{ID}$
4: $R_{ID} \leftarrow R_D$
5: Associate $R_{ID}$ with $A_{ID}$ and/or $S_{ID}$
6: Store $R_{ID}$ at blockchain
7: else
8: Update $R_D$ of $R_{ID}$
9: Store $R_{ID}$ at blockchain
10: end if

If the rule already exists, only its rule description ($R_D$) is updated. Finally, the newly generated or updated rules are stored in the blockchain.
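The following is an added example, not code from the paper, that puts the Consistency Check (CC) of the Engineering Knowledge section and Algorithm 1 together: threshold rules are derived from EK configuration settings, each create/update is written to an append-only ledger together with its provenance record $D_P$ (who, when, where, what, how), and the ledger's hash chain is what makes a later silent modification of a stored rule detectable. The in-memory hash-chained ledger is an assumption standing in for the permissioned blockchain of the framework (Hyperledger Fabric); the rule schema, identifiers such as `R1`, `A7`, `analyst-1` and the sensor bounds are likewise constructed for this example.

```python
"""Consistency check (CC) and Algorithm 1 (generate / update an S&S rule)
with provenance, on a hash-chained append-only ledger.

The ledger is a stand-in for the permissioned blockchain the framework uses
(Hyperledger Fabric); its block layout, the rule schema and all identifiers
below are assumptions made for this example."""
import hashlib
import json


def consistency_check(d, tau_min, tau_max):
    """CC from the Engineering Knowledge section: reading D_{s(k),t} must lie
    within the calibrated bounds [tau_min, tau_max]."""
    return tau_min <= d <= tau_max


class Ledger:
    """Append-only chain of records; each block commits to the previous hash,
    so any later edit of a stored rule or provenance entry is detectable."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev_hash, payload):
        body = json.dumps(payload, sort_keys=True)
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, payload):
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev_hash, "payload": payload,
                 "hash": self._digest(prev_hash, payload)}
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Recompute every hash; False if any block was altered after storage."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._digest(b["prev"], b["payload"]):
                return False
            prev = b["hash"]
        return True

    def latest_rule(self, r_id):
        """Most recent record stored for R_ID, or None if the rule does not exist."""
        for b in reversed(self.blocks):
            if b["payload"]["R_ID"] == r_id:
                return b["payload"]
        return None


def generate_or_update_rule(ledger, r_id, r_d, a_id, s_id, e_id, p_id, t):
    """Algorithm 1. A new R_ID is assigned R_D and associated with A_ID / S_ID;
    an existing R_ID gets its R_D updated. Either way the record, together with
    the provenance data D_P (who, when, where, what, how), is stored on the ledger."""
    existing = ledger.latest_rule(r_id)
    action = "create" if existing is None else "update"
    record = {
        "R_ID": r_id, "R_D": r_d, "A_ID": a_id, "S_ID": s_id,
        "D_P": {"who": e_id, "when": t, "where": p_id, "what": r_id, "how": action},
    }
    return action, ledger.append(record)


def rules_from_ek(ek_config):
    """Derive threshold rules from EK configuration settings chi: one rule
    per sensor carrying its calibrated bounds (tau_min, tau_max)."""
    return [
        {"type": "threshold", "S_ID": s_id, "tau_min": lo, "tau_max": hi}
        for s_id, (lo, hi) in ek_config.items()
    ]


def evaluate(ledger, rule_ids, readings):
    """Apply the latest version of each stored rule to (S_ID, value) readings;
    return the readings that violate a rule, with the E_ID responsible for it."""
    violations = []
    for r_id in rule_ids:
        rec = ledger.latest_rule(r_id)
        r_d = rec["R_D"]
        for s_id, value in readings:
            if s_id == r_d["S_ID"] and not consistency_check(
                    value, r_d["tau_min"], r_d["tau_max"]):
                violations.append((r_id, s_id, value, rec["D_P"]["who"]))
    return violations


def demo():
    """Constructed walk-through: two rules created, one of them later tightened."""
    ledger = Ledger()
    ek = {"Sensor5:Temperature": (20.0, 900.0), "Sensor3:Current": (4.0, 12.0)}  # assumed chi
    ids = []
    for i, r_d in enumerate(rules_from_ek(ek), start=1):
        r_id = f"R{i}"
        generate_or_update_rule(ledger, r_id, r_d, "A7", r_d["S_ID"], "analyst-1", "P-weld", i)
        ids.append(r_id)
    # update path of Algorithm 1: a second analyst tightens the temperature bound
    tighter = dict(rules_from_ek(ek)[0], tau_max=850.0)
    action, _ = generate_or_update_rule(ledger, "R1", tighter, "A7", tighter["S_ID"],
                                        "analyst-2", "P-weld", 3)
    readings = [("Sensor5:Temperature", 870.0), ("Sensor3:Current", 8.0)]  # constructed
    return ledger, ids, action, evaluate(ledger, ids, readings)
```

Because `evaluate` always reads the latest record for an `R_ID`, a violation is reported against the entity that last changed the rule, which is the accountability the provenance data is meant to give; and because every block commits to its predecessor, editing the stored bound in place (the "illegal data modification" the storage section warns about) makes `verify()` fail instead of silently loosening the rule.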

Digital-physical mapping
In CPSs, as physical assets start operating, DTs run synchronously with their physical counterparts while integrating data from multiple sources, such as EK, DK, PE, to generate an abstract view of overall phenomena with the key objective to track data inconsistencies between PE and VE. Inconsistencies between the two spaces call for the adoption of better strategies that evolve DTs and physical counterparts to support accurate prediction and optimization of the underlying processes [2,28].
To describe the process, its corresponding actors, systems and artefacts,

In the first phase, see Fig. 3b, the security analyst receives the specification data from the physical device and saves this data to the knowledge base.

Digital twins operation modes
DTs operate in three operation modes to support the comprehension of emergent system behaviour, namely replication, simulation, and data analytics. For replication mode (as showcased in Fig. 4), VE and PE must be constantly connected such that VE continuously provides digital tracing of PE events by mirroring data through log files, sensor measurements, network communication, etc. Depending on the underlying process requirements, VE data can be recorded and replayed after a specific time interval or even offline. Based on the closed-loop operation of the digital-physical mapping, the replication mode can provide a testing and training platform where the system can be trained on how to respond to advanced stealthy attacks, and defensive strategies can be tested before being transmitted to real-world systems, for instance in red-blue team exercises for cybersecurity training and cyber ranges [29].
The simulation mode (as showcased in Fig. 5)

Figure 5: Simulation mode of digital twin.
Data analytics and optimization use asset's behavioural data, sensor data, and system current state or history data as valuable input to extract actionable insights while utilizing the predictive capability of machine learning algorithms available through threat intelligence. Threat intelligence can analyze the massive volume of data in real-time, learn useful patterns, and detect the presence of vulnerabilities, threat actors or inadvertent disruptions in the system, and can trigger the appropriate defence mechanisms autonomously to minimize the threat landscape [2].
For instance, threat intelligence can be integrated into the Security Information and Event Management (SIEM) [18] to check the adherence of S&S rules.
Note that we only focus on the simulation mode of specification-based DT in the current work.

Scenario specification
In the following, we demonstrate the use case scenario of the automotive industry. For the sake of simplicity, we divide it into two sub-scenarios, showcased in Fig. 6 and Fig. 7.

Figure 6: Scenario specification of assembly line in the automotive industry.

Secondly, the welding operation on the chassis is performed by a robotic arm at Station B (as shown in Fig. 7). To do so, the welding gun applies appropriate current and pressure at the welding spot, measured through Sensor3: Current and Sensor4: Pressure. Another sensor (Sensor5: Temperature) measures the temperature during the welding process and is bounded by a threshold to avoid material deterioration. To monitor tool wear data, the robotic arm is equipped with sensors (such as vibration, cutting force, acoustic emission).
During manufacturing processes, machine unavailability (equipment deterioration or machine malfunctioning) and uncertain disturbances (due to urgent job arrivals or job tardiness) usually occur, leading to performance and production disruption. Therefore, we keep monitoring tool wear data of robotic arms op-

To illustrate how to achieve optimal operating conditions ($\ast$) for a given process ($P_{ID}$), we discuss the following three conditions: (i) how to maintain a safe distance (achieved through $d$) between adjacent vehicle frames on the conveyor belt and how to keep the temperature bounded by a threshold to avoid material deterioration during the welding process by the robotic arm, (ii) how to enforce data consistency between PE and VE, and (iii) how to estimate the asset capacity ($A_\lambda$) for the next production process ($P^{next}_{ID}$), in Algorithm 2, Algorithm 3, and Algorithm 4, respectively. The simulation results are presented in Section 3.1.

Algorithm 2 Simulation mode: conveyor belt
motor is off.

$\Delta_t$ is decided based on $C$ and $P$. For example, if the input values of $C$ and $P$ are closer to $\tau^{\max}_{c,p}$, the value of $\Delta_t$ will be higher, which is an appropriate assumption. We base task completion (task status == 1) on a pre-defined task duration, i.e., a delay ($d$), so that the object moves to the next station (for instance, the paint shop) to undergo the next physical process. After task completion, $o_{temp}$ begins to decrease until it reaches room temperature ($init\_temp$), as shown in Fig. 9d.

Algorithm 3 Simulation mode: robotic arm
Start welding task
6: $o_{temp} = init\_temp + \Delta_t$ ($\Delta_t$ is decided based on $C$ and $P$; $A_\lambda$ can be defined as serving 5 objects)
12: Check equipment health
13: end if
During the welding process, the welding gun is exposed to heat and pressure, causing deformation of the welding electrodes [30]. Since maintaining equipment health determines production quality and reduces production downtime and utility cost, we also record tool wear data. For the sake of simplicity, we base the asset capacity ($A_\lambda$) on the number of objects ($o_{count}$) welded by the robotic arm. Upon reaching the maximum asset capacity ($A^{\max}_\lambda$), the equipment health should be monitored before initiating the next production process.
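As an added example (not the paper's simulation code), the welding station of Algorithm 3 can be simulated in the virtual environment as follows: a task heats the object by $\Delta_t$ per tick for the task duration $d$, with $\Delta_t$ growing as $C$ and $P$ approach $\tau^{\max}_{c,p}$; the Sensor5 temperature rule is checked every tick; the object then cools back to $init\_temp$; and an equipment health check is raised once $o_{count}$ reaches $A^{\max}_\lambda = 5$. The threshold values, the heating and cooling constants, the tick length and the sensor names are assumptions of this example, not values from the paper.

```python
"""Simulation mode of the welding station (Station B) following the sketch of
Algorithm 3: a welding task heats the object by Delta_t per tick for the task
duration d, the object then cools back to init_temp, and equipment health is
checked once the asset capacity A_lambda (5 objects) is reached.

Thresholds, the heating/cooling constants and the sensor names are constructed
for this example; they are not values from the paper."""
from dataclasses import dataclass, field

TAU = {                       # (tau_min, tau_max) per sensor (assumed)
    "Sensor3:Current":     (4.0, 12.0),
    "Sensor4:Pressure":    (2.0, 6.0),
    "Sensor5:Temperature": (20.0, 900.0),
}
INIT_TEMP = 20.0              # room temperature
D_TASK = 3                    # task duration d in ticks
A_MAX_LAMBDA = 5              # asset capacity: objects welded before a health check
HEAT_GAIN = 400.0             # Delta_t at the upper current/pressure bounds
COOL_RATE = 200.0             # temperature drop per tick after the task


def in_bounds(s_id, value):
    lo, hi = TAU[s_id]
    return lo <= value <= hi


def delta_t(C, P):
    """Heating per tick grows with the proximity of C and P to their tau_max."""
    c_lo, c_hi = TAU["Sensor3:Current"]
    p_lo, p_hi = TAU["Sensor4:Pressure"]
    closeness = ((C - c_lo) / (c_hi - c_lo) + (P - p_lo) / (p_hi - p_lo)) / 2
    return HEAT_GAIN * closeness


@dataclass
class Station:
    o_temp: float = INIT_TEMP
    o_count: int = 0            # objects welded so far
    task_status: int = 0        # 1 once the current task is complete
    log: list = field(default_factory=list)
    violations: list = field(default_factory=list)
    health_checks: int = 0


def weld(station, C, P):
    """One welding task. Returns False if the inputs violate the S&S rule on
    current/pressure, in which case the task is not started."""
    if not (in_bounds("Sensor3:Current", C) and in_bounds("Sensor4:Pressure", P)):
        station.violations.append(("input", C, P))
        return False
    station.task_status = 0
    dt = delta_t(C, P)
    for tick in range(D_TASK):
        station.o_temp += dt
        station.log.append(("heat", station.o_count, tick, round(station.o_temp, 1)))
        if not in_bounds("Sensor5:Temperature", station.o_temp):
            # Sensor5 rule fires: risk of material deterioration
            station.violations.append(("temp", station.o_count, round(station.o_temp, 1)))
    station.task_status = 1
    station.o_count += 1
    while station.o_temp > INIT_TEMP:          # cool down to room temperature
        station.o_temp = max(INIT_TEMP, station.o_temp - COOL_RATE)
        station.log.append(("cool", station.o_count, round(station.o_temp, 1)))
    if station.o_count % A_MAX_LAMBDA == 0:    # A_lambda reached
        station.health_checks += 1
        station.log.append(("check_equipment_health", station.o_count))
    return True


def simulate(jobs):
    """Run a list of (C, P) welding jobs through the virtual station."""
    st = Station()
    for C, P in jobs:
        weld(st, C, P)
    return st
```

Running nominal jobs (`C = 8.0`, `P = 4.0`) five times completes without a violation and raises exactly one health check; a job with both inputs near their upper bounds stays within the current and pressure rules but breaches the temperature bound during the task, which is why the text bounds Sensor5 separately rather than relying on the input rules alone.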
In replication mode, the input knowledge (for example, actions and events in PE) is required to reproduce the same stimuli in the VE. Therefore, the real-time sensor data ($D_{s(k),t}$) and asset current state ($A^{c}_{\omega}$) from PE, and the threshold values ($\tau^{\min}_{s(k)}$ and $\tau^{\max}_{s(k)}$) from ICMs, are recorded. The recorded events are then replayed in VE. Given that the PE is mirrored to VE by its configuration settings, specification, and current events, the DT's replication mode should deliver the same results. To do so, data consistency checks are induced between the PE and the VE as outlined in Algorithm 4. The consistency checks (CCs), for example the speed-variable CC, can be harnessed for a variety of security monitoring and operations purposes. If an inconsistent event is encountered, for instance $D_{s(k),t}$ exceeding the lower or upper bound, the CC fails to meet the defined operational behaviour of the system. Since we pre-define S&S rules for our situational-aware CPS framework, the appropriate rules can be triggered to deal with such abnormal situations. However, in the course of advanced stealthy attacks, S&S rules might be limited to detecting known misbehaviour. Therefore, under such circumstances and depending on the attack intensity, the scheduling service is called to inspect device or network log data for fault diagnosis, or the process calibration service is called to reconfigure the settings. In the worst-case scenario, the affected device or service can be switched off to avoid further loss.
The suggested measures are tested and verified first at the VE and afterwards applied to the PE. Note that the degree of state replication accuracy between PE and VE depends on the trade-off between budget and fidelity [31]. S&S rules can be generated or updated based on the new incident data.
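The replication-mode consistency check and the escalation described above, as an added example that is not the paper's Algorithm 4 listing: recorded PE events (speed reading $D_{s(k),t}$ and motor state $A^{c}_{\omega}$) are replayed against a VE model of the conveyor belt; an event that breaches the ICM thresholds triggers the pre-defined S&S rule, while an event that stays inside the bounds but disagrees with the VE is the "unknown misbehaviour" case, which is escalated from the scheduling service to calibration to switching the device off as the number of inconsistencies grows. The belt model, the speed-variable tolerance, the escalation counts and the recorded event log are constructed for this example.

```python
"""Replication mode (Algorithm 4 as described in the text): events recorded in
the physical entity (PE) are replayed in the virtual entity (VE); a consistency
check (CC) compares each PE reading with the VE expectation and with the ICM
thresholds, and the response escalates with the number of inconsistent events.

The conveyor-belt model, the speed-variable CC tolerance, the escalation
thresholds and the recorded event log are constructed for this example."""
from dataclasses import dataclass

TAU_SPEED = (0.0, 1.5)       # tau_min, tau_max for Sensor2:Speed (m/s), assumed
NOMINAL_SPEED = 1.0          # from the EK configuration settings chi (assumed)
TOLERANCE = 0.05             # speed-variable CC tolerance
ESCALATION = [               # inconsistent-event count -> service invoked
    (1, "scheduling: inspect device/network logs"),
    (3, "calibration: reconfigure settings"),
    (6, "switch off device"),
]


@dataclass(frozen=True)
class Event:
    t: int
    value: float         # D_{s(k),t} from Sensor2:Speed
    motor_on: bool       # asset current state A^c_omega


def ve_expected(event):
    """VE replay of the belt: it moves at the nominal speed while the motor is on."""
    return NOMINAL_SPEED if event.motor_on else 0.0


def consistency_check(event):
    """Classify one replayed event."""
    lo, hi = TAU_SPEED
    if not lo <= event.value <= hi:
        return "threshold"         # known misbehaviour: an S&S threshold rule fires
    if abs(event.value - ve_expected(event)) > TOLERANCE:
        return "inconsistent"      # within bounds, yet PE and VE disagree
    return "ok"


def replicate(events):
    """Replay all events; return per-event verdicts and the response to take.

    A threshold hit is handled by the pre-defined rule. Inconsistencies that no
    rule covers (e.g. a slow drift that stays inside the bounds) are escalated
    by count, in the order scheduling -> calibration -> switch-off."""
    verdicts = [(e.t, consistency_check(e)) for e in events]
    inconsistent = sum(1 for _, v in verdicts if v == "inconsistent")
    thresholds = sum(1 for _, v in verdicts if v == "threshold")
    response = "none"
    if thresholds:
        response = "trigger S&S threshold rule"
    for count, service in ESCALATION:
        if inconsistent >= count:
            response = service
    return verdicts, response


def recorded_pe_events():
    """Constructed PE log: motor off, a normal run, then a stealthy drift that
    stays below tau_max and would pass a threshold-only check."""
    normal = [Event(0, 0.0, False), Event(1, 1.0, True), Event(2, 1.02, True)]
    drift = [Event(3 + i, v, True)
             for i, v in enumerate([1.06, 1.12, 1.18, 1.24, 1.30, 1.36, 1.42, 1.48])]
    return normal + drift
```

The drift in the constructed log never leaves $[\tau^{\min}, \tau^{\max}]$, so a threshold rule alone would report nothing; it is only the PE-versus-VE comparison of the replay that exposes it, which is the point of recording $A^{c}_{\omega}$ alongside the sensor values.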

Data storage: blockchain-based digital twins
DTs control and program the lifecycle of physical assets to support product servitization to end-users [2]. However, such advantages of DT are based on an assumption about data trust, security, and integrity [2]. Data trustworthiness matters more for safety-critical systems where slight dysfunction due to erroneous data may lead to wrong decisions that could imply loss of life or economic disaster. Maliciously or mistakenly, in real-life scenarios, data breaches could occur due to several reasons [4]. Therefore, mining actionable insights from the collected data demands a data storage infrastructure to disseminate reliable and secure data [10]. In this regard, provenance-enabled blockchain-based DTs can be used to ensure trustworthy DTs throughout the product lifecycle [10].
While ensuring efficient data retrieval, the next question is what should be stored on the blockchain. A data-driven CPS primarily relies on the critical data and data-generating sources that can facilitate track-and-trace solutions, in addition to user- or application-specific requirements. Following [10], in TTS-CPS we limit time-consuming frequent access to the blockchain-based storage system by explicitly separating the less dynamic (or static) data from the real-time dynamic data. For instance, data from the ICMs can be considered less dynamic, as it changes infrequently over the lifecycle of the physical counterpart: provenance data, device configuration settings, the system's historical data, policies and access levels. Similarly, to strengthen the rationale for integrating blockchain with DTs, S&S rules must be stored on and retrieved from the ledger (as shown in Fig. 2) to ensure their reliability.
In essence, blockchain inherently retains the history of modifications and thus can circumvent illegal data modification that may lead to other data-related problems.
Being virtual replicas of their physical counterparts, DTs share the operational behaviour of the underlying physical process or device [3,2]. On the flip side, attackers may exploit the valuable knowledge about the system accessible through DTs to put the DTs into a malicious state [4,32]. Thus, to prevent a DT use case from turning into an abuse case, DTs can be audited (for instance, for changes to simulation setup parameters or state data) by using provenance-aware blockchain-based solutions.

Implementation and Evaluation
In order to evaluate the proposed framework, a simulation for a DT of an assembly line is implemented. The proof of concept demonstrates that the virtual environment conforms to the defined ICMs. Additionally, for building the process knowledge of DTs, acquiring reliable system specification data from blockchain establishes confidence in the DTs, thereby avoiding DT abuse cases.
In the following, we demonstrate the viability of the proposed framework in a proof of concept, including the generation of DTs and the formal verification.

Simulation and results
For our use case scenario showcased in Fig. 6 and Fig. 7,

or security professionals about the system's abnormal condition to carry out the investigation by tracking and tracing the entities. Additionally, the log files acquired from multiple instances of simulation can be scrutinized to gain more insight into the underlying events. The log files can be used to generate or update rules upon the execution of the simulation. The logged events can be further utilized by Security Information and Event Management (SIEM) [18] and/or threat hunting [2].
We have used Hyperledger Fabric, a permissioned blockchain, to store and retrieve ICMs and other information significant to the process. The simulation mode runs independently of its physical counterpart and provides a trial-and-error approach [2] while monitoring the states or events of the physical process.
Therefore, specification data can be retrieved before the simulation and stored after it. After repeatedly resetting the model across a broad range of specified conditions, the obtained results can be used to update the twin and eventually the physical asset. Fig. 8 showcases a conveyor belt scenario, whereas Fig. 9 showcases a robotic arm operating on a conveyor belt.
The simulation setup is implemented based on the specification data (such as ICMs).

Formal verification of the TTS-CPS
This section presents the formal verification of our blockchain-based DT model. In the verification process, we demonstrate the correctness of the base system. Verifying a proposed model or system requires a system specification and a set of properties [35]. We have used bounded model checking to evaluate the correctness of the underlying properties. The simulation model of the conveyor belt and robotic arm (as discussed in Section 2.4.2) is first translated into the Satisfiability Modulo Theories Library (SMT-Lib) format, and the Z3 solver is then used to perform the verification. More details about SMT-Lib and the Z3 solver can be obtained from [35] and [36]. In bounded model checking, the goal is to evaluate the correctness of the system inputs that drive the system into a state where the system always terminates after a finite number of steps. Formally, bounded model checking is defined over a Kripke structure $M$ and a bound $k$, where the problem is to decide $M \models_k Ef$: the bounded model checking problem searches for an execution path of length $k$ in the Kripke structure $M$ that satisfies a formula $f$. We have verified the blockchain-based DT framework by proving the correctness of the conveyor belt and robotic arm stated in Algorithm 2 and Algorithm 3, respectively. We have translated the aforesaid algorithms into SMT-Lib and then defined certain correctness properties to verify the algorithms using the Z3 solver.
SMT solvers have their roots in Boolean Satisfiability (SAT) solvers. SMT is generally used as part of automated deduction to decide the satisfiability of formulas over some theories of interest [37]. SMT also provides a common benchmark framework and input format that helps in evaluating systems [38]. SAT and SMT solvers differ in that a SAT solver decides the satisfiability of propositional formulas, whereas an SMT solver decides the satisfiability of first-order logic formulas with respect to underlying theories [39]. Deductive verification is one of the many fields in which SMT has been used. Considering the sensitive nature of recent computer science applications, which involve modeling and planning, performing formal analysis and verification through SMT is considered an important task [38]. Some examples are available in [40] and [41]. Several solvers support the SMT-Lib format; examples include NuSMV, CVC4, OpenSMT, and MathSAT5.
The solvers can be classified based on the underlying theories, logic, and interface [39]. In our study, we have used a theorem prover, namely Z3, which is developed by Microsoft for automated satisfiability checking. It evaluates whether the model satisfies the properties specified in SMT-Lib. More information regarding the use and application of Z3 can be found in [42]. $R$ is the set of transitions such that $R \subseteq S \times S$, and $L$ is the set of labels.
The bounded model checking problem is to find an execution path in $M$ of length $k$ that satisfies a formula $f$. A Kripke structure, which is a state transition graph, is used to represent the behaviour of the system [35]. In a Kripke structure the nodes are the set of reachable states of the system, the edges represent the transitions, and the labeling function maps each node to the set of properties that hold in that state. A path in a Kripke structure is an infinite sequence of states $\rho = S_1, S_2, S_3, \ldots$ such that for all $i \ge 0$, $(S_i, S_{i+1}) \in R$. The model $M$ may produce a set of such paths, each of the form $S_1, S_2, S_3, \ldots$. To describe a property of a model, a formal language such as Computation Tree Logic (CTL*), CTL, or Linear Temporal Logic (LTL) can be used.
Definition 2 (SMT Solver [44]) Given a theory and a formula $f$, an SMT solver checks whether $f$ is satisfiable with respect to that theory.
To perform the verification of the models using Z3 (an SMT solver), we unroll the model $M$ and the formula $f$ up to the bound $k$, which yields $M_k$ and $f_k$, respectively. These are then passed to Z3 to check whether $M_k \models f_k$ [38].
The solver performs the verification and reports the result as satisfiable (sat) or unsatisfiable (unsat). If the answer is sat, the solver generates a counterexample, which depicts the violation of the property or formula $f$. If the answer is unsat, the formula or property $f$ holds in $M$ up to the bound $k$ (in our case, $k$ is the execution time).
We have identified certain properties, which we have verified in the conveyor belt and robotic arm algorithms. The properties are as follows. The verification results of the properties are shown in Fig. 10. The time on the y-axis represents the execution time taken by the solver to verify each property.
As stated above, if the properties are not violated, the solver returns "unsat", which means that the solver was unable to find any sequence of executions within the models that violates the stated properties.
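The bounded model checking procedure described above (unroll the model to bound k, search for a path that violates the property, report sat with a counterexample or unsat) can be demonstrated without an SMT solver by an explicit-state search over a Kripke structure. The following is an added example and not the paper's SMT-Lib encoding or Z3 run; the conveyor belt and robotic arm state space (positions 0 to 3, pick-up point at position 2), the two controller transition relations and the property "the arm never grips while the belt is running" are all constructed for illustration.

```python
from collections import deque
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Constructed state space: (belt_running, item_position, arm).
# Positions run 0..3; position 2 is the pick-up point under the robotic arm.
State = Tuple[int, int, str]


class Kripke:
    """M = (S, I, R, L) with R and L given as functions over states."""

    def __init__(self, initial: Iterable[State],
                 successors: Callable[[State], Iterable[State]],
                 labels: Callable[[State], Set[str]]) -> None:
        self.initial = list(initial)
        self.successors = successors   # transition relation R
        self.labels = labels           # labeling function L


def conveyor_labels(s: State) -> Set[str]:
    """L: atomic propositions that hold in state s."""
    belt, pos, arm = s
    props = set()
    if belt:
        props.add("belt_running")
    if arm == "grip":
        props.add("gripping")
    if pos == 2:
        props.add("item_at_pickup")
    return props


def safe_successors(s: State) -> List[State]:
    """Controller that stops the belt before the arm grips."""
    belt, pos, arm = s
    if belt and arm == "idle" and pos < 2:
        return [(1, pos + 1, "idle")]          # item moves toward pick-up
    if belt and arm == "idle" and pos == 2:
        return [(0, 2, "idle")]                # stop belt at pick-up
    if not belt and arm == "idle" and pos == 2:
        return [(0, 2, "grip")]                # grip only on a stopped belt
    if arm == "grip":
        return [(1, 0, "idle")]                # item removed, next item enters
    return [s]                                 # unmodelled states stay put


def unsafe_successors(s: State) -> List[State]:
    """Same controller with a flaw: the arm may also grip while the belt runs."""
    succ = list(safe_successors(s))
    if s == (1, 2, "idle"):
        succ.append((1, 2, "grip"))
    return succ


def arm_grips_while_belt_runs(props: Set[str]) -> bool:
    """Negation of the safety property f = G !(belt_running & gripping)."""
    return "belt_running" in props and "gripping" in props


def bounded_check(M: Kripke, bad: Callable[[Set[str]], bool],
                  k: int) -> Tuple[str, Optional[List[State]]]:
    """Explicit-state bounded model checking: breadth-first search over paths
    of at most k transitions from the initial states. Returns ('sat', path)
    with a counterexample that reaches a bad state, or ('unsat', None) when
    no violation exists within bound k. Deduplicating on state is sound here
    because BFS reaches every state first at its minimal depth."""
    queue = deque((s, [s]) for s in M.initial)
    seen: Set[State] = set(M.initial)
    while queue:
        s, path = queue.popleft()
        if bad(M.labels(s)):
            return "sat", path
        if len(path) - 1 >= k:
            continue
        for t in M.successors(s):
            if t not in seen:
                seen.add(t)
                queue.append((t, path + [t]))
    return "unsat", None


def conveyor_model(successors: Callable[[State], Iterable[State]]) -> Kripke:
    """Initial state: belt running, fresh item at position 0, arm idle."""
    return Kripke([(1, 0, "idle")], successors, conveyor_labels)


if __name__ == "__main__":
    for name, succ in (("safe", safe_successors), ("unsafe", unsafe_successors)):
        verdict, path = bounded_check(conveyor_model(succ), arm_grips_while_belt_runs, 10)
        print(name, verdict, path)
```

For the safe controller the search exhausts the reachable states without finding a violation and returns unsat, which is the outcome reported for the verified properties above. For the flawed controller the result depends on the bound, exactly as in the paper's framing: with k = 2 no violating path exists within the bound and the answer is still unsat, while k = 3 yields sat together with the path that ends in the arm gripping on a running belt. That counterexample path is what an engineer would feed back into the simulation setup or the S&S rules.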

Conclusion and Outstanding Challenges
In this work, we have targeted two critical challenges, i.e., (i) how to establish a situational-aware and secure CPS through DTs and (ii) how to establish An interesting direction for future work is to investigate how to construct a fault-tolerant system. In other words, in the course of undesirable incidents, it is essential to improve system resilience so that the system enters a fail-safe state and maintains adequate control of the physical process. Another open direction is to extend our work to attack localization, i.e., upon anomaly detection, finding the root cause of the deviation and localizing the compromised node (sensor or actuator). Furthermore, we plan to incorporate smart contracts to automate event-based processes such as triggering the appropriate defence mechanisms through S&S rules and modifying simulation setup parameters [4]. Such automation ensures the benign behaviour of DTs, particularly during the replication mode, where cyclic updates are applied.
In general, several other technical challenges need to be addressed, for instance, data trustworthiness, particularly in hierarchical DTs or in a combination of DT instances that mimic the bigger picture of the CPS. Such issues become more challenging due to data fusion from multimodal systems and uncertain scenarios arising from the dynamism and complexity of the underlying (sub)systems.
Other issues, such as data storage and the performance implications stemming from the integration of blockchain and DTs, also need due attention. [4] provides a detailed discussion of the challenges that impede the successful implementation of blockchain-based DTs in industry.