Crypto-Agile Zero Trust Architecture for IT-OT Convergence in Industrial Control Systems: A Digital Twin-Driven Framework over 5G/TSN with Post-Quantum Cryptography
DOI: https://doi.org/10.32996/fcsai.2026.5.9.2

Keywords: Zero Trust Architecture, IT-OT convergence, Industrial Control Systems, Digital Twin, 5G non-public networks, Time-Sensitive Networking, Post-Quantum Cryptography, Critical Infrastructure, Cyber-Physical Systems, IEC 62443, NIST SP 800-207

Abstract
The convergence of Information Technology (IT) and Operational Technology (OT) in Industrial Control Systems (ICS) has dissolved the implicit trust boundaries that traditionally protected critical infrastructure. While Zero Trust Architecture (ZTA) is increasingly advocated as the successor to perimeter-based defense for converged industrial environments, existing ZT proposals for ICS rarely address three concurrent realities: (i) the rise of high-fidelity Digital Twins (DTs) as the natural locus of process-aware trust evaluation, (ii) the migration of industrial transport to 5G non-public networks and Time-Sensitive Networking (TSN) with deterministic timing budgets that cannot accommodate naive authentication round-trips, and (iii) the imminent obsolescence of classical asymmetric cryptography due to cryptographically relevant quantum computers, which regulatory frameworks such as NIS2, the EU Cyber Resilience Act, and IEC 62443 already require to be mitigated through crypto-agility. This paper proposes QZT-ICS, a unified ZT framework for IT-OT convergence that (a) uses a synchronized Digital Twin as the policy decision point for continuous, process-aware trust scoring; (b) embeds policy enforcement at the 5G slice and TSN bridge layers to preserve sub-millisecond determinism; and (c) integrates a crypto-agile post-quantum key-establishment and signature layer based on NIST-standardized ML-KEM and ML-DSA, with hybrid classical-PQC modes for legacy field devices. The framework is evaluated through a simulated water-treatment SCADA testbed against false data injection, command injection, and lateral-movement attack classes. Results quantify the trade-off between PQC overhead, TSN scheduling slack, and DT-driven trust evaluation latency, and demonstrate viable deployment paths for brownfield ICS. The paper concludes with a maturity model for staged adoption and open research challenges.
License
Copyright (c) 2026 https://creativecommons.org/licenses/by/4.0/

This work is licensed under a Creative Commons Attribution 4.0 International License.
