
What are the impacts of Post-Quantum Cryptography on cybersecurity of critical utilities providers?

April 24, 2025

Future quantum computing capabilities pose a significant threat to the cryptographic foundations that protect the digital infrastructure of critical utility operators such as energy, water, and communications companies.

Cyber intrusions and system and network compromises leveraging future quantum computing capabilities may threaten data confidentiality and integrity or undermine important access controls dependent on public-key cryptography.

What’s the threat?

A ‘cryptanalytically relevant quantum computer’ (CRQC) is a quantum computer powerful enough to break widely used cryptographic algorithms, potentially compromising data confidentiality and integrity or undermining important access controls that are dependent on public-key cryptography.

These algorithms, like RSA and ECC, are essential for securing internet traffic and digital communications. CRQCs are still in the theoretical realm, as current quantum computers lack the necessary size, stability, and qubit count to reliably perform the complex computations required to crack these algorithms. Experts anticipate that CRQCs could emerge in the 2030s, but governments are taking action now to address the threat.

In October 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published guidance on Post-Quantum Considerations for Operational Technology and the UK’s National Cyber Security Centre has published key milestones for organisations planning their own timeline for migration to post-quantum cryptography.

NCSC expects this process to take a large organisation two to three years and recommends that discovery activities, including documenting your cryptographic inventory, be completed by 2028.

Post-Quantum Cryptography (PQC) is seen as the primary defensive measure against these threats but migrating to quantum-resistant algorithms brings both opportunities and challenges for cybersecurity in critical infrastructure.

Implications for Critical Utilities Providers

Utility companies are considered high-priority targets due to their role in national security and public safety, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged critical infrastructure sectors to begin transitioning to PQC as soon as possible.

The transition is likely to be complex for many CNI operators as industrial control systems (ICS) and operational technologies (OT) rely on legacy hardware and software that are costly and difficult to upgrade.

While PQC addresses quantum-era risks, utilities must continue to defend against conventional cyber threats such as ransomware, phishing, and supply chain attacks, which remain prevalent. Some CISOs have pushed back on the urgency of PQC, believing the OT world needs to get basic cyber hygiene right before it even thinks about quantum threats.

The key risks for OT operators include:

  • Unauthorised remote access
    Exploiting public-key-dependent remote access functionality could grant attackers direct access to IT and OT networks and supervisory control mechanisms.
  • Manipulation of messages
    Machine-in-the-middle attacks, in which attackers intercept and modify communications between devices, have been highlighted as a way to gain control of OT systems or misrepresent system behaviour, impacting the integrity of systems and data.
  • Persistent Malware
    Attackers could bypass Secure Boot protections to install malware and create backdoors for persistent access and control.
  • Decryption of sensitive information
    Intercepted encrypted OT traffic can be decrypted to uncover credentials, gain network insights, or steal intellectual property. ‘Harvest Now, Decrypt Later’ attacks have been highlighted as a means for adversaries to capture encrypted data today, intending to decrypt it in the future when quantum capabilities are available.

Getting ready for 2035

Post-quantum cryptography is essential for the future cybersecurity of critical utilities providers and the transition will likely require significant investment, careful planning and collaboration across operators, regions and sectors.

Robust risk assessments and early adoption of PQC will be key to maintaining the resilience and trustworthiness of critical infrastructure in the quantum era.

Key PQC recommendations include:

  • Plan for Post-Quantum Computing
    Begin planning NOW for the transition to post-quantum cryptography, including inventorying systems and prioritising those judged most vulnerable to future attacks.
  • Reduce exposure to quantum threats
    Use traditional cybersecurity practices like network segmentation, access controls, and incident response to reduce vulnerabilities and the impact of potential events.
  • Build in ‘Crypto-Agility’
    When planning for future technology investments, consider crypto-agile platforms that allow for rapid updates to cryptographic algorithms without replacing infrastructure.
  • Update to Post-Quantum algorithms
    Implement the latest post-quantum encryption standards as they become available. See the NIST website for more information on current options.
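
One way to turn the inventory-and-prioritise recommendation into a repeatable triage, as an added example that is not from the original article. The 2035 planning horizon, the field names and the sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CRQC_YEAR = 2035  # assumed planning horizon, not a prediction
VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}  # public-key families a CRQC would break
CONFIDENTIALITY = {"key-exchange", "encryption"}

@dataclass
class CryptoUse:
    asset: str
    algorithm: str      # e.g. "RSA-2048"
    purpose: str        # key-exchange | encryption | signature | authentication
    secrecy_years: int  # how long captured data must stay confidential
    retire_year: int    # planned end of service
    upgradable: bool    # algorithm can be swapped without replacing hardware

def triage(use, now):
    """Return (priority, reason); 1 is most urgent, 4 means no PQC action."""
    if use.algorithm.upper().split("-")[0] not in VULNERABLE:
        return 4, "not a quantum-vulnerable public-key algorithm"
    # Traffic recorded today is exposed even if the asset itself is retired early.
    if use.purpose in CONFIDENTIALITY and now + use.secrecy_years >= CRQC_YEAR:
        return 1, "harvest now, decrypt later: data captured today outlives the horizon"
    if use.retire_year < CRQC_YEAR:
        return 4, "retired before the horizon"
    if not use.upgradable:
        return 2, "in service past the horizon and needs hardware replacement"
    return 3, "in service past the horizon; an algorithm update is enough"

def plan(inventory, now):
    """Return (priority, asset, reason) rows, most urgent first."""
    rows = []
    for use in inventory:
        priority, reason = triage(use, now)
        rows.append((priority, use.asset, reason))
    return sorted(rows)

# Constructed sample inventory (hypothetical assets, not real data).
INVENTORY = [
    CryptoUse("vpn-gateway", "RSA-2048", "key-exchange", 15, 2032, True),
    CryptoUse("plc-secure-boot", "RSA-2048", "signature", 0, 2045, False),
    CryptoUse("historian-tls", "ECDH-P256", "key-exchange", 2, 2040, True),
    CryptoUse("scada-db", "AES-256", "encryption", 20, 2040, True),
    CryptoUse("rtu-legacy", "ECDSA-P256", "authentication", 0, 2030, False),
]

if __name__ == "__main__":
    for priority, asset, reason in plan(INVENTORY, now=2025):
        print(priority, asset, reason)
```

The VPN gateway ranks first even though it retires in 2032, because the traffic it protects today must stay confidential past the assumed horizon.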

As quantum computing capabilities evolve over the next decade, other post-quantum cryptographic standards may yet emerge. Critical infrastructure owners and operators should ensure they are keeping up with future developments.
