With the increasing digitization of critical infrastructures, highly organized threat actors pose significant threats to the confidentiality, integrity, and availability of IoT systems. While implementing security controls enhances cybersecurity, a residual risk persists. Driven by legal mandates, critical infrastructure operators must now address these residual risks through incident response measures. Given the heterogeneity and resource constraints of IoT systems, there is an urgent need for innovative incident response strategies. The NIST Incident Response Lifecycle provides a framework for this dissertation, which explores the application of digital twins in incident response for IoT systems. By adhering to the four phases of the NIST Incident Response Lifecycle, this dissertation advances three key areas: Digital Twins, Preparation & Detection, and Response & Learning. First, this dissertation extends the role of digital twins beyond mere incident response. Second, it addresses the Preparation & Detection phases of the NIST Incident Response Lifecycle, focusing on integrating smaller IoT devices and considering situational awareness in intrusion detection systems both in hosts and networks. Subsequently, this dissertation delves into the Containment, Eradication, Recovery, & Post-Incident phases, tailoring incident response processes to organizational IoT systems' nuances and automating reactive and proactive playbooks for security orchestration, automation, and response.
Against the backdrop of new legal requirements and highly organized threat groups, this dissertation strives to contribute to more secure critical infrastructures through incident response for IoT systems.