Ever since cyber attacks focused on industrial and critical infrastructure settings, the awareness of the security issues of these systems has increased. These industrial control systems (ICS) mainly focus on operation and availability — instead of providing general security features. Moreover, the current Industry 4.0 movement aggravates this security gap by connecting the ICS to the enterprise network, which facilitates targeting these systems. Proper system testing can reveal the system's vulnerabilities and provide remedies. However, security measures are usually neglected or addressed after an emerging incident only, which results in high costs. To maximize the benefit of system testing, we argue that it should be carried out as early as possible, especially to render systems secure-by-design. In this work, we propose an approach for introducing security-by-design system testing by the application of a digital twin. A digital twin is able to represent a system virtually along its lifecycle. To enable security-by-design, the simulation capability of digital twin is harnessed to create a prospective environment of a planned system. This allows detecting vulnerabilities before they can emerge in the real-world and providing a adequate risk strategy. Our work shows how security-by-design system testing is anchored in the security applications along a system's lifecycle. Next to proposing a security-by-design system testing approach with digital twins, we implement a digital twin representing a pressure vessel, and demonstrate how to carry out each step of our proposed approach. During this proof-of-concept, we identify vulnerabilities and show how an attacker can compromise the system by manipulating values of the pressure vessel with the potential to cause over-pressure, which, in turn, can result in an explosion of the vessel.