Hybrid OPC UA: Enabling Post-Quantum Security for the Industrial Internet of Things

Cyber-physical systems (CPS) are considered a crucial part for providing connectivity in industrial environments. However, the recent increase in connectivity has led to an extended attack vector. Therefore, it is important that CPS are secured against current and - due to their long life span - also against future threats, such as quantum computers. The security of present communication can be broken once a sufficiently powerful quantum computer is available. To protect against this attack vector, applications and protocols should start utilizing quantum-resistant primitives. One approach that maintains common security guarantees and protects against quantum computer attacks is to use hybrid constructions: a combination of classically secure and quantum-resistant schemes. In this work, we propose a hybrid key exchange mechanism for the industrial communication protocol Open Platform Communications Unified Architecture (OPC UA). We describe four distinct instantiations based on selected quantum-resistant key encapsulation mechanisms (KEMs), namely NewHope, NTRU, CRYSTALS-Kyber, and Saber. We implement our resulting quantum-resistant modifications of OPC UA on two different ARM based platforms and present detailed performance footprints. Finally, we show the feasibility of employing hybrid quantum-resistant key exchange within OPC UA preserving industrial communication against future threats.