Protecting DNP3-SAB (SAv6): A Quantum-Safe Hybrid Authentication Protocol With Moving Target Defense

Legacy SCADA protocols like DNP3 are vital for smart grid communications but lack robust defenses against modern cyber threats, especially from quantum computing. Current security enhancements, such as DNP3 Secure Authentication (DNP3-SA) and its broadcast variant (DNP3-SAB), are vulnerable due to their reliance on classical cryptography and static configurations. This paper introduces a Quantum-Safe Hybrid Authentication Protocol with Moving Target Defense (MTD), which combines post-quantum ML-KEM lattice-based cryptography with classical ECC-Diffie-Hellman key exchanges to protect against both classical and quantum attacks. The protocol employs MTD to dynamically reconfigure identities and network settings, disrupting reconnaissance and persistent attacks. It includes four phases: synchronization, key agreement, key update, and MTD-driven authentication, ensuring secure, low-latency communication. Formal analysis in universal composability framework confirms mutual authentication and session key secrecy, while Scyther tool verification demonstrates resilience against adversarial exploits. Performance evaluations show efficiency comparable to DNP3-SAB. Overall, this hybrid approach significantly enhances the security of legacy SCADA systems against evolving cyber-physical threats. For the real-world deployment, to benefit wider stakeholders, we provide a handy plug-and-play (HPP) module, which is a takeaway from this research.