Pk-IOTA: Blockchain empowered Programmable Data Plane to secure OPC UA communications in Industry 4.0
Rinieri Lorenzo, Gori Giacomo, Melis Andrea, Girau Roberto, Prandini Marco, Callegati Franco
TL;DR
Pk-IOTA addresses practical OPC UA deployment challenges by marrying a P4-programmable data plane for in-network certificate validation with an IOTA-based decentralized PKI. This approach offloads trust management from devices to the network and the ledger, enabling real-time certificate issuance and revocation with tamper-proof guarantees. Experimental results show only modest handshake overhead ($\approx$14%) and feasible resource usage across components, indicating viability for large-scale ICS deployments. The work demonstrates robust protection against Rogue Server, Rogue Client, and Middleperson attacks under the Purdue ARC threat model, offering a scalable, low-cost alternative to centralized PKI and GDS-centric setups.
Abstract
The OPC UA protocol is becoming the de facto standard for Industry 4.0 machine-to-machine communication. It stands out as one of the few industrial protocols that provide robust security features designed to prevent attackers from manipulating and damaging critical infrastructures. However, prior works showed that significant challenges still exist in setting up secure OPC UA deployments in practice, mainly caused by the complexity of certificate management in industrial scenarios and the inconsistent implementation of security features across industrial OPC UA devices. In this paper, we present Pk-IOTA, an automated solution designed to secure OPC UA communications by integrating programmable data plane switches for in-network certificate validation and leveraging the IOTA Tangle for decentralized certificate distribution. Our evaluation is performed on a physical testbed representing a real-world industrial scenario and shows that Pk-IOTA introduces a minimal overhead while providing a scalable and tamper-proof mechanism for OPC UA certificate management.
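A toy model of the validation flow that the TL;DR and abstract describe, added here as an illustration and not code from the Pk-IOTA project: a hash-chained append-only record stands in for the IOTA Tangle, a dictionary stands in for the switch's P4 match table, and certificates are constructed byte strings identified by their SHA-256 fingerprint (all of these are assumptions, as are the function names).

```python
import hashlib
from dataclasses import dataclass, field

GENESIS = "0" * 64


@dataclass
class Ledger:
    """Constructed stand-in for the Tangle: append-only, hash-chained issue/revoke records."""
    records: list = field(default_factory=list)   # (action, fingerprint, record_hash)
    prev_hash: str = GENESIS

    def append(self, action: str, fp: str) -> str:
        # Each record commits to its predecessor, so editing history breaks the chain.
        h = hashlib.sha256(f"{self.prev_hash}|{action}|{fp}".encode()).hexdigest()
        self.records.append((action, fp, h))
        self.prev_hash = h
        return h

    def verify_chain(self) -> bool:
        prev = GENESIS
        for action, fp, h in self.records:
            if hashlib.sha256(f"{prev}|{action}|{fp}".encode()).hexdigest() != h:
                return False          # tampered or reordered record
            prev = h
        return True


def fingerprint(cert_der: bytes) -> str:
    """Key under which the data plane looks a certificate up (assumed: SHA-256 of DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


def build_match_table(ledger: Ledger) -> dict:
    """Replay the ledger into the switch table: fingerprint -> True (issued) / False (revoked).
    Later records override earlier ones, so a revocation takes effect immediately."""
    table = {}
    for action, fp, _ in ledger.records:
        table[fp] = (action == "issue")
    return table


def forward_handshake(table: dict, client_cert: bytes, server_cert: bytes) -> bool:
    """In-network decision: forward the OPC UA handshake only if both peers present
    a certificate that the ledger has issued and not revoked; unknown certs are dropped."""
    return table.get(fingerprint(client_cert), False) and \
        table.get(fingerprint(server_cert), False)
```

Rebuilding the table after every new ledger record is what gives the "real-time revocation" property; an unregistered rogue peer fails simply because its fingerprint is absent.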
