The US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance to help operators of critical infrastructure protect their systems from threats posed by quantum computing.
What happened
DHS and CISA have introduced new recommendations aimed at preparing the country’s operational technology (OT) systems for the challenges posed by quantum computers. This effort is part of a broader initiative announced by Homeland Security Secretary Alejandro N. Mayorkas in March 2021, which focuses on strengthening cybersecurity for essential national functions. With quantum computing on the rise, the DHS-CISA guidance aims to assist OT vendors, operators, and owners in transitioning to post-quantum cryptographic solutions to protect critical infrastructure.
Learn more: What is quantum computing and how does it affect cybersecurity?
Going deeper
The Post-Quantum Considerations for Operational Technology guidance outlines a detailed approach to secure OT systems against future quantum-based threats. Unlike information technology (IT) systems, which often use encryption to secure data, OT systems focus more on managing industrial operations. However, some OT systems do use encryption for remote access, data protection, and network security, making them vulnerable to quantum attacks.
The guidance provides several key strategies to enhance security for OT environments:
- Network segmentation: By dividing OT networks into smaller, well-defined sections, operators can limit how far a cyberattack could spread and better contain any security issues. This makes it harder for attackers, especially those using quantum technology, to access critical systems.
- Crypto-agility: Operators are encouraged to use systems that are "crypto-agile," meaning they can easily switch to stronger encryption methods as new, quantum-resistant algorithms become available. This flexibility is recommended for OT systems, which often have long operational lifespans and infrequent updates.
- Quantum-resistant algorithms: Although new standards for post-quantum cryptography are being developed by the National Institute of Standards and Technology (NIST), DHS and CISA recommend that OT operators start looking into early options for quantum-resistant algorithms. Organizations can test these algorithms in controlled settings to see how well they work with their existing systems.
- Updating lifecycles and maintenance schedules: Given that many OT systems still use outdated software and hardware. Operators are advised to incorporate quantum resilience into their long-term maintenance plans, ensuring they gradually update their encryption methods as needed.
The guidance acknowledges that OT operators face challenges since their systems often rely on older infrastructure and must meet strict safety and reliability standards. By following these recommendations, OT operators can begin to strengthen their defenses and support national security goals while preparing for future quantum capabilities.
See also: Securing legacy systems within healthcare
What was said
Tom Marsland, vice president of technology at Cloud Range, welcomed the DHS-CISA guidance, calling it important for the future of OT security. “The threat of quantum computing to existing cryptographic methods is real. Just six days ago, Chinese scientists claimed to have used quantum computing to break RSA encryption,” Marsland noted, stressing the urgency of addressing quantum vulnerabilities.
Others, like John Terrill, CISO at Phosphorus, expressed concern about pushing OT operators to focus on quantum readiness prematurely. “Cybersecurity is all about building defenses to the level of your expected threat,” he commented. “The OT world needs to get basic cyber hygiene right before they even think about PQC [post-quantum cryptography].”
In the know
Operational technology (OT) includes hardware and software used to monitor, control, and manage physical processes, devices, and infrastructure in various industries. Unlike information technology (IT), which primarily handles data and communications, OT focuses on direct interactions with the physical world, often in real-time.
OT systems are integral to industrial control systems (ICS), managing everything from manufacturing lines and power plants to essential services like water treatment and transportation networks. These systems control vital processes—such as regulating temperatures and operating machinery—that keep industries and public services running smoothly. Due to their importance, OT systems often rely on older equipment that is designed to be reliable and resilient, which makes them particularly challenging to secure as cybersecurity needs evolve.
Related: FAQs: What you need to know about cybersecurity
Why it matters
The rapid development of quantum computing poses a serious risk to the public-key encryption methods that currently protect critical infrastructure. While OT systems may seem less vulnerable due to their limited use of cryptography compared to IT systems, they are still at risk, especially when connected to IT networks or when encryption is used for remote access.
Bottom line
As quantum computing evolves, OT environments must proactively incorporate crypto-agile solutions and prepare for post-quantum security needs. Although post-quantum cryptographic standards from the National Institute of Standards and Technology (NIST) are in development, implementing these within OT systems will take time and present unique challenges due to outdated systems and long lifecycle dependencies. The DHS-CISA guidance provides a vital roadmap for U.S. infrastructure as it transitions to quantum-resistant security, ultimately aiming to protect essential services and national resilience.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What are quantum computing threats to OT systems?
Quantum computers could break many existing cryptographic protections, particularly those based on public-key cryptography, which might be used in OT systems for tasks like remote access or secure data transmission. If unprepared, OT systems could be compromised by quantum-based attacks, posing serious risks to national security and critical infrastructure.
What does “crypto-agility” mean?
Crypto-agility refers to the capability of systems to quickly switch between cryptographic algorithms without needing major system overhauls.
What are quantum-resistant algorithms?
Quantum-resistant algorithms are cryptographic methods designed to withstand attacks from quantum computers.
Tshedimoso Makhene
