Transitioning to post-quantum cryptography in operational technology environments

As cybersecurity strategies evolve, so do the threats posed by emerging technologies, particularly quantum computing. In response to these challenges, the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have initiated proactive steps to facilitate the transition to post-quantum cryptography within Operational Technology (OT) environments. This initiative is part of Secretary of Homeland Security Alejandro N. Mayorkas’ March 2021 vision for enhancing cybersecurity resilience.

Why is quantum computing a threat?

Quantum computing has the potential to disrupt traditional security methods, such as encryption, which protect data and control access to sensitive information. OT systems use cryptography to secure their communications and manage user access. Even though OT systems don’t rely on cryptography as heavily as IT systems (like office networks or personal devices), they’re still at risk, especially when connected to these IT networks.

As quantum computing advances, these systems are increasingly exposed to risks such as unauthorized access, disruption of vital operations, and attacks targeting old, outdated software and equipment.

Vulnerabilities in OT

OT systems, responsible for critical industrial processes, face challenges in the face of quantum computing advancements. Specific vulnerabilities include:

• Connectivity to IT systems: Many OT systems are linked to regular IT networks. This connection can allow hackers using quantum methods to find ways into OT systems.
• Dependency on public-key cryptography: Many OT systems use public-key cryptography for securing communications and controlling access. This reliance makes them potential targets for quantum attacks.
• Legacy systems: Many OT setups still run on older software and hardware that may not support the latest security measures, leaving them more exposed.

The DHS-CISA document urges stakeholders to “prioritize segmentation for outdated OT software and platforms needing lengthy updates.”

Transitioning to post-quantum cryptography (PQC)

Transitioning to PQC is not merely an option but a necessity for OT systems. Here are proactive steps that organizations can take to ensure a smooth migration:

• Identify assets and resources: Organizations should begin by identifying their OT systems, assessing current cryptographic dependencies, and identifying personnel responsible for implementing changes.
• Implement strong network segmentation: By segmenting OT networks, organizations can minimize exposure to quantum threats. This strategy limits unauthorized access to critical systems and protects sensitive data.
• Adopt crypto-agile solutions: Organizations should look for platforms that can adapt to emerging cryptographic standards without requiring major revamps.
• Integrate quantum-specific resilience measures: Strengthening traditional security practices with quantum-resistant measures will help mitigate vulnerabilities. This includes access controls, intrusion detection systems, and robust incident response protocols.
• Prepare for long-term challenges: Moving to PQC will take time and resources, especially when dealing with older systems that require long update cycles. Organizations should anticipate these challenges and be ready to tackle them.

See also: HIPAA Compliant Email: The Definitive Guide

A call to action

As quantum computing becomes more advanced, it’s essential for organizations that rely on OT systems to act now. By proactively implementing the guidance provided by DHS and CISA, organizations can better protect their critical infrastructure from emerging quantum threats. This transition requires a commitment to continuous improvement and adaptation, ensuring that OT systems are resilient against current and future cybersecurity challenges.

FAQs

What is post-quantum cryptography (PQC)?

Post-quantum cryptography are cryptographic algorithms designed to protect against the potential threats quantum computers pose. Unlike traditional cryptographic methods, which may be vulnerable to quantum attacks, PQC aims to protect sensitive data and systems from quantum capabilities.

What are the primary threats to OT systems from quantum computing?

The main threats include unauthorized access to OT networks through compromised encryption, manipulation of data during transmission (e.g., machine-in-the-middle attacks), and the potential for attackers to exploit vulnerabilities in legacy systems that lack quantum-resistant protections.

How can organizations assess their vulnerability to quantum threats?

Organizations can perform a risk assessment that evaluates their current cryptographic methods, identifies dependencies on public-key infrastructure, and examines the potential impact of a quantum-enabled breach on their OT systems and operations.