Securing Modbus in legacy industrial control systems: A decentralized approach using proxies, Post-Quantum Cryptography and Self-Sovereign Identity

IF 3.7 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Francesco Trungadi , Manuel Fabiano , Davide Aloisio , Giovanni Brunaccini , Francesco Sergi , Giovanni Merlino , Francesco Longo
{"title":"Securing Modbus in legacy industrial control systems: A decentralized approach using proxies, Post-Quantum Cryptography and Self-Sovereign Identity","authors":"Francesco Trungadi ,&nbsp;Manuel Fabiano ,&nbsp;Davide Aloisio ,&nbsp;Giovanni Brunaccini ,&nbsp;Francesco Sergi ,&nbsp;Giovanni Merlino ,&nbsp;Francesco Longo","doi":"10.1016/j.jisa.2025.104199","DOIUrl":null,"url":null,"abstract":"<div><div>Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls.</div><div>Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations, or maintenance operations.</div><div>The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"94 ","pages":"Article 104199"},"PeriodicalIF":3.7000,"publicationDate":"2025-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625002364","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls.
Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations, or maintenance operations.
The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.
保护传统工业控制系统中的Modbus:使用代理、后量子密码学和自我主权身份的分散方法
工业控制系统(ics)越来越容易受到网络威胁,因为它们依赖Modbus TCP/IP等传统协议,而这些协议缺乏内置的安全机制。尽管存在这些风险,但对于制造业、发电和交通运输等许多关键基础设施而言,更换或升级ICS组件仍然是昂贵且不切实际的。这凸显了对安全解决方案的迫切需求,即在不需要破坏性系统检修的情况下增强保护。在我们之前工作的基础上,本文介绍了一个基于专用代理的分散安全框架,该框架可以管理遗留设备的加密操作并促进安全通信。该体系结构利用去中心化标识符(DID)进行节点身份管理,将包含后量子公钥的DID文档存储在分布式哈希表(DHT)中。由代理节点组成的DHT被专门修改为可验证数据注册表(VDR),确保数据完整性和可用性。为了支持授权,可验证凭据(vc)由运营商控制的颁发者节点颁发,仅在新设备安装或维护操作期间激活。提出的解决方案消除了对中央权威的依赖,增强了针对量子威胁的通信安全性,并通过分散的身份管理提高了弹性。在物理测试平台和模拟环境上的性能评估分析了握手延迟和系统效率。结果表明,我们的方法有效地保护了传统的ics,并具有可接受的运营影响,为更强大和面向未来的工业网络铺平了道路。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信