Evaluating Cryptographic Vulnerabilities Created by Quantum Computing in Industrial Control Systems

Michael J. D. Vermeer, Chad Heitzenrater, Edward Parker, Alvin Moon, Domenique Lumpkin, Jalal Awan, Patricia A. Stapleton

ResearchPublished Oct 4, 2023

Industrial control systems (ICSs) and operational technology (OT) used in critical infrastructure are increasingly converging with enterprise information technology (IT). As this happens, OT systems' security posture must adapt to a new threat landscape and adopt some of the same security controls as those used in enterprise IT, especially cryptographic controls that rely on public-key cryptography, which are ubiquitous in enterprise IT systems. Although many industrial networks are still in the early stages of adopting some of these controls, a new threat to this foundational element of modern information security looms ahead: quantum computing. Quantum computing will eventually be able to break the public-key cryptography algorithms currently used throughout IT infrastructure, undermining foundational tools used to maintain information security across the country's critical infrastructure.

To prepare for the future capabilities of quantum computing, a concerted effort is underway across the United States to migrate to post-quantum cryptography (PQC), but this migration will have unique implications for ICSs and OT systems. Despite the convergence of IT and OT, significant differences remain between IT and OT environments, and the cryptographic vulnerabilities created by quantum computing will not affect IT and OT the same way. These differences have implications both for how OT systems will need to be prepared for the migration to PQC and for mitigation priorities. Thus, this report provides a framework for evaluating quantum computing–related cryptographic vulnerabilities in critical infrastructure ICSs and OT systems to better understand the implications of the migration to PQC and to identify mitigation priorities.

Key Findings

  • The highest risks were those that attacked certificates used in signing (authenticating devices and software); targeted roots of trust or privileged users or were at the highest levels (Purdue levels 3, 4, 5, and demilitarized zone) and lowest level (0) of the ICS hierarchy; and tampered with data, denied service, or elevated user privilege on the system (especially at higher Purdue levels).
  • Medium risks were those that targeted other levels of ICSs, unprivileged users, identity at other levels of the hierarchy, or broader cyber activities to enable threats.
  • The lowest risks were those that affected a single device, session, or user; had limited ability for impact because of other controls; or focused on activities, such as information disclosure, that had limited temporal value.
  • The challenges of mitigating vulnerabilities in key exchange were assessed as low, in digital certificates as medium, and in code-signing as high. Code-signing vulnerabilities should be the highest priority for mitigation, especially for signature verification in embedded devices.

Recommendations

  • Incorporate quantum computing risk into threat modeling and planning.
  • Prioritize vulnerabilities in code-signing.
  • Plan for cryptographic agility in embedded devices.
  • Assess how new key-exchange mechanism and certificate standards will be incorporated into industrial protocols and into ICS/OT software applications.
  • Assess how new key-encapsulation mechanism and certificate standards will affect ICS/OT environments.
  • Implement interim mitigation measures where communication confidentiality is a high priority.

Order a Print Copy

Format
Paperback
Page count
80 pages
List Price
$20.00
Buy link
Add to Cart

Topics

Document Details

  • Availability: Available
  • Year: 2023
  • Print Format: Paperback
  • Paperback Pages: 80
  • Paperback Price: $20.00
  • Paperback ISBN/EAN: 1-9774-1188-6
  • DOI: https://doi.org/10.7249/RRA2427-1
  • Document Number: RR-A2427-1

Citation

RAND Style Manual
Vermeer, Michael J. D., Chad Heitzenrater, Edward Parker, Alvin Moon, Domenique Lumpkin, Jalal Awan, and Patricia A. Stapleton, Evaluating Cryptographic Vulnerabilities Created by Quantum Computing in Industrial Control Systems, Homeland Security Operational Analysis Center operated by the RAND Corporation, RR-A2427-1, 2023. As of October 10, 2024: https://www.rand.org/pubs/research_reports/RRA2427-1.html
Chicago Manual of Style
Vermeer, Michael J. D., Chad Heitzenrater, Edward Parker, Alvin Moon, Domenique Lumpkin, Jalal Awan, and Patricia A. Stapleton, Evaluating Cryptographic Vulnerabilities Created by Quantum Computing in Industrial Control Systems. Homeland Security Operational Analysis Center operated by the RAND Corporation, 2023. https://www.rand.org/pubs/research_reports/RRA2427-1.html. Also available in print form.
BibTeX RIS

This research was sponsored by the National Risk Management Center (NRMC) and conducted by the Infrastructure, Immigration, and Security Operations Program of the RAND Homeland Security Research Division.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.