Francesco Trungadi , Manuel Fabiano , Davide Aloisio , Giovanni Brunaccini , Francesco Sergi , Giovanni Merlino , Francesco Longo
{"title":"保护传统工业控制系统中的Modbus:使用代理、后量子密码学和自我主权身份的分散方法","authors":"Francesco Trungadi , Manuel Fabiano , Davide Aloisio , Giovanni Brunaccini , Francesco Sergi , Giovanni Merlino , Francesco Longo","doi":"10.1016/j.jisa.2025.104199","DOIUrl":null,"url":null,"abstract":"<div><div>Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls.</div><div>Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations, or maintenance operations.</div><div>The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"94 ","pages":"Article 104199"},"PeriodicalIF":3.7000,"publicationDate":"2025-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Securing Modbus in legacy industrial control systems: A decentralized approach using proxies, Post-Quantum Cryptography and Self-Sovereign Identity\",\"authors\":\"Francesco Trungadi , Manuel Fabiano , Davide Aloisio , Giovanni Brunaccini , Francesco Sergi , Giovanni Merlino , Francesco Longo\",\"doi\":\"10.1016/j.jisa.2025.104199\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls.</div><div>Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations, or maintenance operations.</div><div>The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.</div></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"94 \",\"pages\":\"Article 104199\"},\"PeriodicalIF\":3.7000,\"publicationDate\":\"2025-08-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212625002364\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625002364","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Securing Modbus in legacy industrial control systems: A decentralized approach using proxies, Post-Quantum Cryptography and Self-Sovereign Identity
Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls.
Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations, or maintenance operations.
The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.
期刊介绍:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.