Enabling Secure and Scalable Digital Twins through Virtualized Infrastructure

The implementation of Digital Twins in industrial environments has moved far beyond standalone simulation servers. Today’s Digital Twins are highly connected, scalable, and secure virtual environments that mirror the behavior of real-world assets, processes, and control systems.

To achieve this, successful deployments must integrate hardware, virtualization layers, networking, and cybersecurity standards into a unified architecture. At Prosera, we’ve been virtualizing and deploying Digital Twin environments since 2009, starting with VMware 3.1 and now leveraging the latest technologies from Microsoft and Dell to deliver secure, modern solutions.

This white paper outlines our approach to Digital Twin deployment and explains how infrastructure, security, and virtualization come together to support reliable industrial simulation platforms.

Cybersecurity Foundation: ISA/IEC 62443

Modern Digital Twins are no longer isolated training systems. They are connected to corporate networks, control systems, and cloud services. This connectivity creates opportunities for collaboration and advanced use cases, but also introduces cybersecurity risks that must be addressed by design.

ISA/IEC 62443 is an internationally recognized cybersecurity standard specifically developed for industrial automation and control systems. It provides a risk-based framework for securing OT (Operational Technology) environments across multiple layers:

• Security Levels (SL): Defines increasing levels of protection, from basic defenses to high-resilience architectures.

• Zones and Conduits: Encourages segmenting systems to limit attack surfaces and control data flows.

• Defense in Depth: Promotes layered security across devices, networks, and applications.

• Lifecycle Security: Embeds security into every stage of the system lifecycle, from design through operation and decommissioning.

Why this matters:
Digital Twin environments, when connected, can become an entry point into production systems if not designed correctly. Aligning with ISA/IEC 62443 ensures that security is built into the architecture, not bolted on afterward.

Virtualization: The Backbone of Modern Digital Twins

Virtualization is the enabling technology behind scalable and maintainable Digital Twin deployments. It allows multiple simulation environments to run efficiently on shared physical infrastructure while maintaining strict isolation between systems.

Below are the five critical layers of a typical Digital Twin virtualization stack:

1 Hypervisor

The hypervisor is the foundational software layer that abstracts physical hardware and allows multiple virtual machines to run on a single server.

• Examples: VMware ESXi, Microsoft Hyper-V

• Key functions: resource allocation (CPU, memory, storage), isolation between virtual machines, and hardware management.

2 Virtual Machine (VM)

A virtual machine is a fully isolated computing environment that runs on top of the hypervisor.

• Each VM behaves like a physical server.

• Enables multiple systems to coexist on shared hardware.

• Allows controlled snapshots, rollback points, and rapid scaling.

3 Virtual Networking

Virtual networking provides the logical communication layer between VMs, physical interfaces, and external systems.

• Supports VLANs, virtual switches, firewalls, and routing.

• Enables controlled segmentation, which is critical for security zoning under ISA/IEC 62443.

• Reduces physical cabling and improves flexibility.

4 Operating System (OS)

Each VM runs its own operating system, which provides the platform for industrial applications.

• Examples: Windows Server, Windows 10 IoT Enterprise, Red Hat Enterprise Linux

• Proper OS hardening and patching are essential security controls within the overall system.

5 Industrial Software Application

This is the layer where the Digital Twin functionality lives.

• Examples include process simulators, training environments, historian databases, and control system emulators.

• Applications can be scaled, updated, and secured independently of the underlying hardware.

• Standardized deployment images make it possible to replicate systems globally with consistency.

Infrastructure and Deployment Methodology

Our deployment approach combines robust hardware, virtualization best practices, and cybersecurity standards to deliver reliable and secure Digital Twins:

1. Staging First: All systems are built and validated in-house before field deployment.

2. Right-Sizing Hardware: We design for performance and growth, avoiding undersizing that limits future scalability.

3. Structured Networking: We implement only the VLANs and segments required to meet security and functional needs.

4. Layered Security: We align system segmentation, access control, and policies with ISA/IEC 62443 principles.

5. Comprehensive Documentation: Every build is fully documented in Functional Design Specifications and Operational Manuals to reflect the as-built configuration.

Benefits of Virtualized Digital Twin Deployments

• Security: Defense-in-depth architecture aligned with ISA/IEC 62443.

• Scalability: Easily expand or replicate environments without major hardware redesigns.

• Flexibility: Support multiple training and engineering use cases from the same infrastructure.

• Maintainability: Simplified updates, patching, and lifecycle management.

• Cost Efficiency: Reduced physical footprint and optimized resource usage.

Introducing the Virtual Dynamic Simulator (VDS)

At Prosera, we define the Virtual Dynamic Simulator (VDS) as the technical backbone of the Digital Twin, a complete integration of hardware, virtualization software, operating systems, industrial software for control system emulation, and process simulation software.

The VDS provides a centralized, virtualized platform to host simulation models, control system emulation, and user interfaces. Built on Microsoft Hyper-V and Dell infrastructure, it delivers flexibility, scalability, and secure remote accessibility, all optimized for training, engineering, and lifecycle support.

Architecture Overview

• Host Servers:
  • Dell PowerEdge servers configured for virtualization and high-availability simulation workloads.

• Virtual Machines (VMs):
  • Operator Stations
  • Instructor Station with training controls
  • Engineering Station for simulation model management
  • Application and History Stations (as needed)

• Networking and Access:
  • Isolated simulation network for control and model integration
  • Remote thin clients for operators and instructors (up to 4 monitors)
  • Centralized switching using Hirschmann GRS105 for reliable connectivity
  • Remote desktop access via secure protocols (Remote Desktop Connection or equivalent)

Key Features

• Snapshot Management: Instructors can freeze and restore plant states during training (e.g., steady-state operation, pre-startup, alarm states).

• Scenario Deployment: Execute predefined or ad hoc scenarios, including failure modes, upset conditions, and process disturbances.

• Multi-role Access: Engineers, trainers, and operators can access the VDS concurrently without impacting training integrity.

• Scalability: System is designed to accommodate additional VMs or hardware as training needs grow or control system modernization proceeds.

The VDS makes the Digital Twin operational, accessible, and secure, transforming it from a static model into a living environment for operator training, control strategy testing, and engineering innovation. To learn more about how we can help you design and deploy a secure, scalable Virtual Dynamic Simulator for your Digital Twin environment, contact the Prosera team.