Full Report
Transitioning to post-quantum cryptography (PQC) is one of the largest and most impactful changes industrial organizations can implement... The post "Industrial systems face structural gap as quantum risks drive urgency for crypto-agility and post-quantum readiness" appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Post-Quantum Cryptography (PQC) & Crypto-Agility
## Overview
These practices address the structural gap in industrial systems (OT/ICS) where long-lived assets are vulnerable to "Harvest Now, Decrypt Later" attacks. The focus is on transitioning to NIST-approved post-quantum algorithms and building "crypto-agile" architectures that allow for cryptographic updates without disrupting physical industrial operations.
## Key Recommendations
### Immediate Actions
1. **Conduct Cryptographic Inventory:** Identify where encryption and digital signatures are currently used across the OT environment (e.g., VPNs, secure remote access, PLC code signing).
2. **Develop a CBOM:** Create a Cryptographic Bill of Materials (CBOM) to document dependencies and identify legacy systems using vulnerable RSA or ECC algorithms.
3. **Risk Assessment:** Prioritize systems with the longest "shelf life" (assets staying in the field for 10+ years) and data with high long-term sensitivity.
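One way to carry out the three steps above in code, as an added example that is not from the source article: it classifies each CBOM entry's algorithm and orders the quantum-vulnerable ones for migration. The record fields (`CbomEntry`), the scoring weights and the sample inventory are assumptions.

```python
from dataclasses import dataclass

# Algorithm families. "vulnerable" = public-key schemes broken by Shor's
# algorithm (the page's "RSA or ECC"); "pqc" = FIPS 203/204/205 algorithms.
FAMILIES = {"RSA": "vulnerable", "DSA": "vulnerable", "DH": "vulnerable",
            "ECDSA": "vulnerable", "ECDH": "vulnerable", "AES": "symmetric",
            "ML-KEM": "pqc", "ML-DSA": "pqc", "SLH-DSA": "pqc"}

@dataclass
class CbomEntry:              # hypothetical CBOM record, not a standard schema
    asset: str
    usage: str
    algorithm: str            # e.g. "RSA-2048", "ML-KEM-768"
    years_in_field: int       # expected remaining service life
    long_term_sensitive: bool

def classify(algorithm: str) -> str:
    """Map an algorithm name to a family; unknown names go to manual review."""
    name = algorithm.upper()
    for prefix, kind in FAMILIES.items():
        if name == prefix or name.startswith(prefix + "-"):
            return kind
    return "review"

def priority(e: CbomEntry) -> int:
    """Assumed weighting: 10+ years in the field and long-lived data rank first."""
    if classify(e.algorithm) != "vulnerable":
        return 0
    return 1 + 2 * (e.years_in_field >= 10) + 2 * e.long_term_sensitive

def triage(entries):
    """Return (migration queue, assets needing manual algorithm review)."""
    queue = sorted((e for e in entries if priority(e) > 0),
                   key=lambda e: (-priority(e), -e.years_in_field))
    review = [e.asset for e in entries if classify(e.algorithm) == "review"]
    return [(e.asset, e.algorithm, priority(e)) for e in queue], review

# Constructed sample inventory (not from the article).
SAMPLE = [
    CbomEntry("historian", "TLS server certificate", "ECDSA-P256", 4, True),
    CbomEntry("plc-line-3", "PLC code signing", "RSA-2048", 15, False),
    CbomEntry("remote-access-gw", "VPN key exchange", "ECDH-P256", 12, True),
    CbomEntry("pilot-gw", "VPN key exchange", "ML-KEM-768", 12, True),
    CbomEntry("eng-workstation", "disk encryption", "AES-256", 5, True),
    CbomEntry("legacy-rtu", "telemetry authentication", "VENDOR-X", 20, False),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Entries whose algorithm name is not recognized are returned separately so that proprietary or undocumented ciphers on legacy devices are reviewed by hand instead of being silently treated as safe.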
### Short-term Improvements (1-3 months)
1. **Vendor Engagement:** Review Product Security Incident Response Team (PSIRT) advisories and request PQC roadmaps from key OT vendors (Siemens, Rockwell, Schneider Electric, etc.).
2. **Adopt Secure-by-Design Principles:** Integrate PQC requirements into procurement language for any new industrial control system (ICS) or IIoT device.
3. **Implement Hybrid Key Exchange:** Where supported, use a hybrid approach combining classical cryptography with NIST PQC candidates to maintain current compliance while testing quantum resistance.
### Long-term Strategy (3+ months)
1. **Establish Crypto-Agility Frameworks:** Architect systems so that cryptographic providers or algorithms can be swapped via software updates without hardware replacement.
2. **Address Legacy "Structural Gaps":** Replace or wrap legacy PLCs/controllers that cannot support the larger key sizes or higher computational requirements of PQC.
3. **Cross-Convergence Security:** Align IT and OT security teams to ensure unified quantum-readiness across the entire supply chain and cloud-to-edge architecture.
## Implementation Guidance
### For Small Organizations
- Focus on **SME Product Security Playbooks** (e.g., ENISA guidelines).
- Prioritize securing remote access gateways and internet-connected PLCs as these are immediate targets.
- Rely on managed service providers (MSPs) to provide PQC-compliant firmware/software updates as they become available.
### For Medium Organizations
- Implement a formal **CBOM management process**.
- Use the **NIST CSWP 39** framework to conduct a gap analysis of current industrial architectures.
- Focus on "Secure-by-Design" for new factory floor additions or Industry 4.0 digitization projects.
### For Large Enterprises
- Establish a dedicated **Post-Quantum Readiness Taskforce** spanning IT and OT.
- Influence supply chain standards by mandating crypto-agility in RFPs for all critical infrastructure components.
- Run pilots for PQC in non-critical segments to measure the impact of new algorithms on real-time control system latency.
## Configuration Examples
The source article does not give specific configurations, but NIST recommendations for the PQC transition typically include:
- **Algorithms:** Transitioning to *ML-KEM* (formerly Kyber) for key encapsulation and *ML-DSA* (formerly Dilithium) for digital signatures.
- **Protocol Updates:** Ensuring Transport Layer Security (TLS) implementations are updated to support PQC extensions.
## Compliance Alignment
- **NIST CSWP 39:** Guidance on Quantum Readiness and Crypto-Agility.
- **NIST FIPS 203, 204, & 205:** The official standards for PQC algorithms.
- **CISA/FBI/NSA Joint Advisories:** Regarding PLC security and critical infrastructure protection.
- **Industry 4.0 Standards:** Security requirements for IIoT and cloud-connected industrial systems.
## Common Pitfalls to Avoid
- **"Wait and See" Approach:** Ignoring the threat because a "cryptographically relevant" quantum computer doesn't exist yet; this overlooks data harvested today for future decryption.
- **Hardware Limitations:** Assuming old PLCs can support PQC via simple software patches; PQC often requires more memory and processing power.
- **Operational Downtime:** Attempting "rip and replace" updates without testing for latency impacts on time-sensitive industrial processes.
## Resources
- **NIST Post-Quantum Cryptography Project:** [csrc.nist[.]gov/projects/pqc]
- **NIST CSWP 39 (Quantum Readiness):** [nvlpubs.nist[.]gov/nistpubs/CSWP/NIST.CSWP.39.pdf]
- **Industrial Cyber (Resource Center):** [industrialcyber[.]co]
- **ENISA Secure-by-Design for SMEs:** [enisa.europa[.]eu]