Securing Modbus in legacy industrial control systems: A decentralized approach using proxies, Post-Quantum Cryptography and Self-Sovereign Identity
Trungadi F.; Fabiano M.; Merlino G.; Longo F.
2025-01-01
Abstract
Industrial Control Systems (ICSs) are increasingly vulnerable to cyber threats due to their reliance on legacy protocols like Modbus TCP/IP, which lack built-in security mechanisms. Despite these risks, replacing or upgrading ICS components remains costly and impractical for many critical infrastructures, such as manufacturing, power generation, and transportation. This highlights the urgent need for security solutions that enhance protection without requiring disruptive system overhauls. Building on our previous work, this paper introduces a decentralized security framework based on dedicated proxies that manage cryptographic operations for legacy devices and facilitate secure communication. The architecture leverages Decentralized Identifiers (DIDs) for node identity management, storing DID Documents containing post-quantum public keys in a Distributed Hash Table (DHT). The DHT, composed of proxy nodes, is specifically modified to function as a Verifiable Data Registry (VDR), ensuring data integrity and availability. To support authorization, Verifiable Credentials (VCs) are issued by an operator-controlled Issuer Node, activated solely during new device installations or maintenance operations. The proposed solution eliminates reliance on a central authority, enhances communication security against quantum threats, and improves resilience through decentralized identity management. Performance evaluations on both physical testbeds and simulated environments analyze handshake latency and system efficiency. Results demonstrate that our approach effectively secures legacy ICSs with an acceptable operational impact, paving the way for more robust and future-proof industrial networks.


