ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check
Alessandro Lotto, Alessandro Brighente, Mauro Conti
TL;DR
ACRIC tackles securing legacy OT/ICS where hardware upgrades are impractical by repurposing the existing CRC field for authentication. It combines a secret initialization vector with one-time-pad (OTP) encryption of the CRC to achieve message authentication and integrity without altering message formats, enabling coexistence of secure and non-secure devices and supporting both point-to-point and broadcast communications. Formal security analysis and real-world experiments on Modbus with commercial devices demonstrate strong security guarantees and a minimal overhead of about 4 μs per message, significantly outperforming traditional HMAC in constrained environments. The protocol-agnostic design and practical cryptographic-management guidance enable scalable, low-cost retrofitting of security in resource-limited legacy networks, with broad applicability across industrial protocols.
Abstract
The increasing integration of modern IT technologies into OT technologies and industrial systems is expanding the vulnerability surface of legacy infrastructures, which often rely on outdated protocols and resource-constrained devices. Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior, revealing fundamental security weaknesses in existing architectures. These shortcomings have thus prompted new regulations that emphasize the pressing need to strengthen cybersecurity, particularly in legacy systems. Authentication is widely recognized as a fundamental security measure that enhances system resilience. However, its adoption in legacy industrial environments is limited due to practical challenges such as backward compatibility, message format changes, and hardware replacement or upgrade costs. In this paper, we introduce ACRIC, a message authentication solution to secure legacy industrial communications, explicitly tailored to overcome all of those challenges at once. ACRIC uniquely leverages cryptographic computations applied to the CRC field (already present in most industrial communication protocols), ensuring robust message integrity protection and authentication without requiring additional hardware or modifications to existing message formats. ACRIC's backward compatibility and protocol-agnostic nature enable coexistence with non-secured devices, thus facilitating gradual security upgrades in legacy infrastructures. Formal security assessment and experimental evaluation on an industrial-grade testbed demonstrate that ACRIC provides robust security guarantees with minimal computational overhead (~4 μs). These results underscore ACRIC's practicality, cost-effectiveness, and suitability for effective adoption in resource-constrained industrial environments.
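As an added illustration (not the authors' code and not the paper's exact construction), the following Python sketch shows the mechanism the TL;DR and abstract describe on a Modbus RTU request: the CRC-16 is computed with a secret initial value instead of the standard 0xFFFF and then XORed with a per-message one-time pad, so the existing 2-byte CRC field becomes an authentication tag while the frame layout is unchanged. Deriving the IV and pad from a shared key and a message counter with HMAC-SHA256 is an assumption made here for the example only.

```python
import hmac
import hashlib
import struct

def crc16_modbus(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/MODBUS (reflected poly 0xA001). Standard Modbus starts the
    register at 0xFFFF; ACRIC instead starts it at a secret value."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF

def derive_iv_and_pad(key: bytes, counter: int) -> tuple[int, int]:
    """Assumed construction for this example (not the paper's): one HMAC-SHA256
    over a message counter yields a 16-bit secret IV and a 16-bit one-time pad."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big"), int.from_bytes(digest[2:4], "big")

def acric_tag(key: bytes, counter: int, payload: bytes) -> int:
    """Authenticated CRC: CRC over the payload with a secret IV, then XOR with the pad."""
    iv, pad = derive_iv_and_pad(key, counter)
    return crc16_modbus(payload, init=iv) ^ pad

def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Same layout as a plain Modbus RTU frame: payload + 2-byte CRC, low byte first."""
    return payload + struct.pack("<H", acric_tag(key, counter, payload))

def verify_frame(key: bytes, counter: int, frame: bytes) -> bool:
    """Receiver recomputes the authenticated CRC for the counter value it expects."""
    payload, tag = frame[:-2], frame[-2:]
    expected = struct.pack("<H", acric_tag(key, counter, payload))
    return hmac.compare_digest(tag, expected)

# Constructed sample: Modbus RTU "read 10 holding registers from address 0, unit 1".
PAYLOAD = bytes.fromhex("010300000000A".replace(" ", "")) if False else bytes.fromhex("01030000000A")
KEY = b"example-shared-key-not-from-paper"   # constructed, not a real deployment key

if __name__ == "__main__":
    plain = PAYLOAD + struct.pack("<H", crc16_modbus(PAYLOAD))   # standard frame
    secure = build_frame(KEY, counter=7, payload=PAYLOAD)         # ACRIC-style frame
    print(plain.hex(" "), "| plain CRC:", plain[-2:].hex())
    print(secure.hex(" "), "| authenticated CRC:", secure[-2:].hex())
    assert len(plain) == len(secure)                              # format unchanged
    tampered = bytearray(secure)
    tampered[5] ^= 0x01                                           # alter register count
    print("valid:", verify_frame(KEY, 7, secure),
          "tampered:", verify_frame(KEY, 7, bytes(tampered)),
          "replayed under next counter:", verify_frame(KEY, 8, secure))
```

A legacy receiver still sees a 2-byte CRC field; only a receiver holding the key and the current counter can reproduce the tag, so a modified payload, a replayed frame, or a wrong key fails verification.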
