A Digital Twin-Assisted Threat Modeling Framework for Predicting APT Attack Flows in Industrial Control Systems

Industrial Control Systems (ICSs), which are essential components of critical infrastructures, are inherently complex and vulnerable to cyberattacks. Advanced Persistent Threats (APTs) that target these systems are multi-stage, coordinated attacks that can lead not only to information loss but also to physical damage and loss of life. Traditional threat modeling approaches fall short in adapting to the dynamic nature of ICSs, necessitating new methodologies to predict and prevent such complex attacks. This work presents a digital twin-assisted dynamic threat modeling framework for ICS environments. The framework leverages a knowledge graph that integrates system data and cyber threat intelligence to predict potential attacks. In addition, the digital twin environment enables the validation of mitigation strategies before deployment in the physical system, while also supporting adaptive response and real-time mitigation. To predict the attacker’s next move, we propose a Relational Graph Convolutional Network (RGCN)-based model that utilizes enriched relational data such as tactics, campaigns, groups, techniques, and assets. The proposed RGCN model achieves a recall of 0.887, an F1-score of 0.893, and an AUC of 0.957 in predicting potential attack sequences. These results demonstrate that the model provides reliable and well-balanced predictive performance.