Evaluating Cryptographic Vulnerabilities Created by Quantum Computing in Industrial Control Systems
ResearchPublished Oct 4, 2023
Migration to post-quantum cryptography to prepare for future capabilities of quantum computing has implications for industrial control and operational technology systems. These implications affect how system owners and operators and other stakeholders should prepare for the migration and prioritize mitigation options.
ResearchPublished Oct 4, 2023
Industrial control systems (ICSs) and operational technology (OT) used in critical infrastructure are increasingly converging with enterprise information technology (IT). As this happens, OT systems' security posture must adapt to a new threat landscape and adopt some of the same security controls as those used in enterprise IT, especially cryptographic controls that rely on public-key cryptography, which are ubiquitous in enterprise IT systems. Although many industrial networks are still in the early stages of adopting some of these controls, a new threat to this foundational element of modern information security looms ahead: quantum computing. Quantum computing will eventually be able to break the public-key cryptography algorithms currently used throughout IT infrastructure, undermining foundational tools used to maintain information security across the country's critical infrastructure.
To prepare for the future capabilities of quantum computing, a concerted effort is underway across the United States to migrate to post-quantum cryptography (PQC), but this migration will have unique implications for ICSs and OT systems. Despite the convergence of IT and OT, significant differences remain between IT and OT environments, and the cryptographic vulnerabilities created by quantum computing will not affect IT and OT the same way. These differences have implications both for how OT systems will need to be prepared for the migration to PQC and for mitigation priorities. Thus, this report provides a framework for evaluating quantum computing–related cryptographic vulnerabilities in critical infrastructure ICSs and OT systems to better understand the implications of the migration to PQC and to identify mitigation priorities.
This research was sponsored by the National Risk Management Center (NRMC) and conducted by the Infrastructure, Immigration, and Security Operations Program of the RAND Homeland Security Research Division.
This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.