ARC-C: Analytical Framework and Software Tool for Automated Risk-Based Cryptoperiod Calculation in Industrial Control Systems

Date

2025-04-10

Authors

Cianfarani, Gabriele Alberto

Abstract

Over the past decade, industrial control systems (ICSs) and critical infrastructure (CI) have become prime targets for advanced persistent threat (APT) groups and nation-state actors due to their potential for severe impact. As a result, the cybersecurity community has increased its focus on ICS/CI threat modelling and defence.

This thesis examines the crucial role of the internal network reconnaissance stage of ICS/CI attacks, particularly those using the OPC UA standard with encrypted in-transit data. We first introduce a comprehensive attack tree outlining data siphoning strategies and highlight the importance of periodic encryption-key rotation to mitigate risk. Noting the lack of clear cryptoperiod guidelines in industry standards, we then present the Automatic Risk-based Cryptoperiod Calculation (ARC-C) framework. ARC-C aims to optimally determine cryptoperiod lengths based on security risks and operational constraints. We demonstrate its application in two realistic ICS environments: a Water Treatment Plant and an Energy Storage System.
