A Digital Twin-Integrated Framework for Dual Insider and External Cyber Threat Detection in Critical Infrastructure


Abstract

The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the cyber exposure of critical infrastructure systems such as power grids, healthcare platforms, transportation networks, and industrial control environments. These systems face dual cybersecurity risks from external adversaries, including ransomware and advanced persistent threats, as well as insider threats originating from authorized or compromised users whose actions often resemble legitimate behavior. This paper presents a Digital Twin-integrated cybersecurity framework for the simultaneous detection of insider and external cyber threats in heterogeneous critical infrastructure environments. The proposed framework maintains a continuously synchronized virtual replica of the operational system and integrates behavioural profiling, sequence-aware network traffic analysis, and contextual anomaly validation within a five-layer closed-loop architecture. A hybrid ensemble detection approach combining Isolation Forest, One-Class Support Vector Machine, Random Forest, and LSTM-based sequence modelling is employed to enhance detection accuracy while reducing false positives. Experimental evaluation using the CIC-IDS2018 dataset for external attacks and the CERT Insider Threat dataset demonstrates detection accuracies of 95.2% for insider threats and 97.1% for external attacks, with an average detection latency of 38 ms and a false positive rate below 2%. The results indicate that Digital Twin-based contextual modelling can significantly improve the precision and responsiveness of intrusion detection mechanisms in IT/OT-converged critical infrastructure systems.
