The US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance to help operators of critical infrastructure protect their systems from threats posed by quantum computing.
DHS and CISA have introduced new recommendations aimed at preparing the country’s operational technology (OT) systems for the challenges posed by quantum computers. This effort is part of a broader initiative announced by Homeland Security Secretary Alejandro N. Mayorkas in March 2021, which focuses on strengthening cybersecurity for essential national functions. With quantum computing on the rise, the DHS-CISA guidance aims to assist OT vendors, operators, and owners in transitioning to post-quantum cryptographic solutions to protect critical infrastructure.
The Post-Quantum Considerations for Operational Technology guidance outlines a detailed approach to secure OT systems against future quantum-based threats. Unlike information technology (IT) systems, which often use encryption to secure data, OT systems focus more on managing industrial operations. However, some OT systems do use encryption for remote access, data protection, and network security, making them vulnerable to quantum attacks.
The guidance provides several key strategies to enhance security for OT environments:
The guidance acknowledges that OT operators face challenges since their systems often rely on older infrastructure and must meet strict safety and reliability standards. By following these recommendations, OT operators can begin to strengthen their defenses and support national security goals while preparing for future quantum capabilities.
Tom Marsland, vice president of technology at Cloud Range, welcomed the DHS-CISA guidance, calling it important for the future of OT security. “The threat of quantum computing to existing cryptographic methods is real. Just six days ago, Chinese scientists claimed to have used quantum computing to break RSA encryption,” Marsland noted, stressing the urgency of addressing quantum vulnerabilities.
Others, like John Terrill, CISO at Phosphorus, expressed concern about pushing OT operators to focus on quantum readiness prematurely. “Cybersecurity is all about building defenses to the level of your expected threat,” he commented. “The OT world needs to get basic cyber hygiene right before they even think about PQC [post-quantum cryptography].”
Operational technology (OT) includes hardware and software used to monitor, control, and manage physical processes, devices, and infrastructure in various industries. Unlike information technology (IT), which primarily handles data and communications, OT focuses on direct interactions with the physical world, often in real-time.
OT systems are integral to industrial control systems (ICS), managing everything from manufacturing lines and power plants to essential services like water treatment and transportation networks. These systems control vital processes—such as regulating temperatures and operating machinery—that keep industries and public services running smoothly. Due to their importance, OT systems often rely on older equipment that is designed to be reliable and resilient, which makes them particularly challenging to secure as cybersecurity needs evolve.
The rapid development of quantum computing poses a serious risk to the public-key encryption methods that currently protect critical infrastructure. While OT systems may seem less vulnerable due to their limited use of cryptography compared to IT systems, they are still at risk, especially when connected to IT networks or when encryption is used for remote access.
As quantum computing evolves, OT environments must proactively incorporate crypto-agile solutions and prepare for post-quantum security needs. Although post-quantum cryptographic standards from the National Institute of Standards and Technology (NIST) are in development, implementing these within OT systems will take time and present unique challenges due to outdated systems and long lifecycle dependencies. The DHS-CISA guidance provides a vital roadmap for U.S. infrastructure as it transitions to quantum-resistant security, ultimately aiming to protect essential services and national resilience.
Quantum computers could break many existing cryptographic protections, particularly those based on public-key cryptography, which might be used in OT systems for tasks like remote access or secure data transmission. If unprepared, OT systems could be compromised by quantum-based attacks, posing serious risks to national security and critical infrastructure.
Crypto-agility refers to the capability of systems to quickly switch between cryptographic algorithms without needing major system overhauls.
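As an added illustration of crypto-agility (not part of the DHS-CISA guidance or the original article), the Python example below tags each frame with an algorithm id, so that a policy change rather than a code change moves a deployment to a new algorithm and later retires the old one. HMAC-SHA-256 and HMAC-SHA3-256 stand in for the classical and quantum-resistant schemes; the frame layout, names and key are assumptions made for the example.

```python
import hashlib
import hmac

# Registry: algorithm id -> MAC function. Adding an algorithm is one entry here.
# HMAC-SHA-256 and HMAC-SHA3-256 are stand-ins (assumption): a real OT migration
# would register a post-quantum signature scheme from a vetted library instead.
ALGORITHMS = {
    1: lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    2: lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}


class AgilePolicy:
    """Which algorithm signs new messages, and which ids are still accepted."""

    def __init__(self, sign_with, accept):
        if sign_with not in ALGORITHMS or not set(accept) <= set(ALGORITHMS):
            raise ValueError("policy references an unregistered algorithm")
        self.sign_with = sign_with
        self.accept = frozenset(accept)


def protect(policy, key, payload):
    """Return alg_id (1 byte) || tag (32 bytes) || payload."""
    alg = policy.sign_with
    header = bytes([alg])
    # The header is authenticated too, so the algorithm id cannot be swapped.
    tag = ALGORITHMS[alg](key, header + payload)
    return header + tag + payload


def verify(policy, key, frame):
    """Return the payload, or raise ValueError if the frame is rejected."""
    if len(frame) < 33:
        raise ValueError("frame too short")
    alg, tag, payload = frame[0], frame[1:33], frame[33:]
    # Policy check first: a retired algorithm is refused even with a valid tag,
    # which is what blocks a downgrade to the old scheme after migration.
    if alg not in policy.accept:
        raise ValueError(f"algorithm {alg} not accepted by policy")
    expected = ALGORITHMS[alg](key, frame[:1] + payload)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return payload


# Constructed sample: three rollout phases of one deployment.
KEY = b"constructed-demo-key-not-for-use"
LEGACY = AgilePolicy(sign_with=1, accept={1})
TRANSITION = AgilePolicy(sign_with=2, accept={1, 2})
RETIRED = AgilePolicy(sign_with=2, accept={2})
```

The three policies model the rollout order: sign and accept only the old algorithm, then sign with the new one while still accepting both, then refuse the old one outright.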
Quantum-resistant algorithms are cryptographic methods designed to withstand attacks from quantum computers.