CertiFlash: A Cryptographic Framework for Secure Firmware and Logic Updates in SCADA and Industrial IoT Networks

Across the world’s electrical substations, water-treatment plants, and manufacturing lines, a single engineer with valid credentials and a laptop can today push new control logic to a programmable logic controller (PLC) and change the physical behaviors of safety-critical equipment within minutes. Firmware and ladder-logic updates on SCADA and industrial IoT systems are privileged operations: an attacker installing a malicious update controls the physical process. Existing protections concentrate install authority in a single party with no externally verifiable record; compromise of the vendor key, the engineering workstation, or any operator credential suffices to deliver an attacker-chosen payload to a PLC. CertiFlash binds every update to four independent approvals: a vendor signature, a FROST-Ed25519 threshold signature from an operator quorum, a per-session nonce from the PLC, and a monotonic counter. Every decision is recorded in an append-only Merkle transparency log. The PLC verifies the aggregate with a standard RFC 8032 Ed25519 verifier, requiring no FROST-specific device code. Four security properties (authenticity, authorization, rollback resistance, auditability) are machine-checked in Tamarin under a Dolev–Yao adversary with up to t − 1 compromised operators and corroborated through ten attack scenarios. The implementation runs with concurrent Modbus TCP and Siemens S7 traffic, blocks all attacks, signs in 27–192 ms (k = 3–10), keeps ML-DSA-65 within 6% of Ed25519 from 1 KiB to 10 MiB, and sustains 30.1 updates/s on 100 PLCs. The operator-quorum signature remains FROST-Ed25519: the design is partially post-quantum in the evaluated version. The framework maps to IEC 62443-3-3 SR 3.4 and NIS2 Article 21(2)(d–e).