
CISA’s Post-Quantum OT Guidance: Key Takeaways and Next Steps for CISOs

28 Oct 2024 – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a landmark report titled “Post-Quantum Considerations for Operational Technology.” This publication marks the first dedicated federal guidance on how quantum computing threats specifically impact industrial control systems (ICS) and other operational technology (OT) environments.

The report comes with a clear warning: OT systems could lag behind IT in achieving quantum-resistant security, potentially becoming “the last remaining platforms to achieve post-quantum cryptographic standards due to long software patching cycles, hardware replacement times, and strict procedures and governance”. For CISOs overseeing critical infrastructure, this message is a wake-up call.

Quantum Threats to OT: Why CISA Is Sounding the Alarm

CISA’s report underscores that the quantum computing threat to OT is both real and distinct from traditional IT environments. While both IT and OT rely on public-key cryptography (PKC) that quantum computers will eventually break, OT has unique characteristics that make quantum risk especially challenging. Notably, far fewer OT systems use encryption than IT systems, but OT’s role in controlling physical processes means a quantum-enabled compromise could be devastating. In fact, implementing post-quantum cryptography (PQC) in OT is expected to be a “significant and enduring challenge” for critical infrastructure operators.

The CISA guidance highlights that even current-generation OT devices do use asymmetric cryptography in limited but critical ways: for example, VPN connections and remote access gateways, firmware and software update signatures, Secure Boot processes, and encrypted industrial protocols like OPC UA and Modbus TCP. These uses of PKC are fundamental to preserving integrity and authenticity in OT – they authenticate devices, validate code, and protect communications. A future cryptanalytically relevant quantum computer (CRQC) could undermine all of these mechanisms, allowing attackers to “masquerade as trusted sources, freely tamper with information undetected, or decrypt information used to protect communication channels”. In other words, any public-key-reliant trust in OT can potentially be broken once quantum hacking arrives.

Specific Quantum Risks to Operational Technology Systems

CISA’s report dives into concrete scenarios showing how a quantum-enabled adversary could exploit OT systems. In particular, it calls out several high-risk use cases for OT environments:

  • Unauthorized Remote Access: Exploiting vulnerabilities in public-key-based VPNs or remote access tools could give attackers direct entry into OT networks and control systems. Many critical OT interfaces (SCADA workstations, PLC engineering stations, etc.) are only lightly protected by network boundaries today. If an attacker can defeat the cryptography guarding remote connections, they might gain unfettered access to internal OT devices – potentially causing disruptive commands or unsafe operations. The report notes that an adversary leveraging compromised credentials or keys could connect into OT environments and “cause extensive damage to critical infrastructure systems or threaten human safety”.
  • Manipulation of Critical Communications: By launching machine-in-the-middle (MITM) attacks on encrypted OT traffic, an attacker could intercept and alter commands or sensor readings between devices. This means that even if OT protocols are proprietary or obscured, their confidentiality and integrity won’t hold once quantum breaks the encryption underneath. CISA warns that an attacker could “manipulate or change messages… virtually undetected,” enabling them to mislead operators or even issue malicious control instructions without raising alarms. For instance, a spoofed sensor reading might hide an unsafe condition, or a tampered command might shut down or overload equipment. Such stealthy manipulation of OT data flows could grant effective control of physical processes to the adversary.
  • Subverting Secure Boot and Firmware Signing: Many OT systems rely on digital signatures to ensure that only trusted, untampered firmware and software run on critical devices. Features like Secure Boot use PKI-based signatures to verify the BIOS, bootloader, or PLC logic before execution. A quantum-capable attacker could forge those signatures, allowing them to implant persistent malware or backdoors deep in the OT stack. CISA specifically calls out the risk of “attackers [exploiting] public-key-based Secure Boot protections” to load malicious firmware that evades detection. The result would be highly persistent malware installations with the highest privileges on the device – effectively undermining safety systems or sabotaging process control with little chance of removal. Such quantum-enabled malware could facilitate long-term espionage, data destruction, or even physical damage, all while bypassing current integrity checks.
  • Decryption of Sensitive Data (“Harvest Now, Decrypt Later”): Even when attackers cannot immediately disrupt operations, they may passively collect confidential OT data encrypted with today’s algorithms – planning to decrypt it once quantum power is available. CISA notes that adversaries “could harvest and exfiltrate encrypted OT traffic in real time” if it’s protected by vulnerable public-key ciphers. Later, when they crack the encryption, they might uncover device credentials, network topology details, or proprietary engineering data (like plant designs or control logic). The report acknowledges that confidentiality isn’t always the top concern in OT communications, but losing it could still enable follow-on attacks. For example, decrypted VPN traffic might reveal passwords or enable intellectual property theft. This “harvest now, decrypt later” tactic is a very real threat for any long-lived sensitive data flowing over OT networks today.

It’s worth emphasizing that these scenarios are not purely hypothetical or “far future.” As the report notes, even today a well-resourced adversary (think nation-states or advanced cyber criminals) could achieve similar OT compromises using classical methods – quantum computing would simply make these attacks far easier and faster. The bottom line for CISOs is that quantum preparedness in OT is an urgent extension of existing cyber resilience efforts. The consequences of a breach in these environments can be extreme – including physical equipment damage or safety incidents – so waiting until a quantum computer is actually online would be far too late to start securing your OT systems.

Why OT Systems Are Uniquely Hard to Secure (and Slow to Upgrade)

If quantum threats to OT are so serious, why might OT be “the last to achieve” post-quantum security? CISA’s report does not mince words here: operational technology faces entrenched constraints that make updates and cryptographic agility painfully slow. In fact, OT environments often represent a perfect storm of legacy technology and inflexibility:

  • Aging, Outdated Platforms: A large share of OT endpoints run obsolete or unsupported software – far more so than IT endpoints. The report notes that OT accounts for a “significant proportion of out-of-date operating systems and software platforms… including those considered end-of-life (e.g., Windows XP)”. It’s not uncommon to find decades-old OSes, unpatched firmware, and deprecated libraries still in production on factory floors or in utilities. These legacy systems were never designed with modern cryptography in mind, let alone the hefty new algorithms of PQC, making direct upgrades infeasible.
  • Limited Patching Windows & Strict Change Control: Unlike IT, where emergency patching can often be done in days, OT updates might only happen during rare scheduled downtimes (if at all). CISA observes that “some OT platforms require extensive safety testing after software updates due to complicated process interdependencies or highly sensitive environments”. In industries like manufacturing, energy, or transportation, even minor software changes can risk production outages or safety certification issues. Governance and regulatory procedures add further delays – every change might need sign-off from multiple authorities. These strict processes mean security upgrades in OT often take months or years to implement, even when a critical vulnerability is known.
  • Incompatible and Proprietary Systems: Many OT applications have no easy upgrade path to modern cryptography because they rely on vendor-specific or proprietary protocols tied to outdated algorithms. The report points out cases where core OT software only runs on legacy OSes or uses hard-coded crypto that can’t be swapped out. For instance, a control system might only function on Windows XP with an old version of OpenSSL, or a piece of embedded equipment might use a fixed RSA-1024 key that cannot be changed. In some scenarios, the only way to introduce PQC would be to replace the entire system – a costly and disruptive proposition.
  • Extremely Long Lifecycles: OT assets are built to last and to comply with rigorous safety standards, which often leads to technology being frozen in time. CISA highlights that OT platforms can remain in operation far longer than IT systems due to compliance and safety requirements. For example, critical infrastructure like power plants or transportation systems might run the same validated equipment for decades. The report even notes “extreme” cases like nuclear facilities using decades-old but vetted systems to maintain safe operations. Such equipment cannot simply be ripped out or overhauled on a whim – even if its cryptography is outdated – because doing so could violate safety certifications or introduce new risks.

All these factors explain why CISA anticipates OT will trail other domains in the quantum transition. When patch cycles are measured in years (or the device is unpatchable), when hardware replacement requires regulatory green lights, and when every change can impact physical processes, it’s clear that OT environments cannot rapidly pivot to new cryptographic standards. This is a stark contrast to, say, a cloud service that can roll out a software update to support PQC within weeks. CISOs should recognize that their OT assets may be the hardest part of their infrastructure to modernize – and thus need extra attention in planning for a post-quantum world.

(For a deeper discussion on the challenges of upgrading legacy and embedded systems like those in OT, see my articles “Upgrading OT Systems to Post‑Quantum Cryptography (PQC): Challenges and Strategies” and “Quantum Readiness / PQC Migration Is The Largest, Most Complex IT/OT Overhaul Ever – So Why Wait?”)

CISA’s Recommendations: How to Mitigate Quantum Risk in OT Today

Despite the challenges, the new CISA guidance doesn’t leave OT operators without a playbook. On the contrary, it lays out a series of practical steps and best practices to begin shoring up OT defenses against quantum threats now. Here are the major recommendations from the report, coupled with additional insights:

Don’t Wait – Start Planning Now

Perhaps the most urgent takeaway is that OT owners must not defer action until a quantum computer is in the hands of adversaries. CISA emphasizes that transitioning to post-quantum cryptography will be a “complex, multi-year process” and that many preparatory steps can begin immediately. Inventory your systems and cryptography, allocate resources, and identify key personnel now, while quantum computing is still nascent.

The report specifically urges organizations to leverage the DHS Post-Quantum Cryptography Roadmap as a blueprint. That roadmap (released by DHS in 2023) outlines phases like inventorying critical data (to pinpoint what’s at risk of “harvest now, decrypt later”) and prioritizing which systems to transition first.

For OT, inventory and prioritization are absolutely critical given the legacy issues – you need to map out which devices or applications are using vulnerable crypto, and which of those are most critical to upgrade or isolate. In short: create a post-quantum migration plan specific to your OT environment, and start executing the early steps (discovery, assessment, planning) right away.

Reduce Exposure via Network Segmentation and Zero Trust Architecture

One of CISA’s top recommendations is to minimize your OT attack surface so that even if cryptography is weakened, attackers can’t easily reach critical devices. “Strong OT network segmentation can be particularly effective,” the report notes, in limiting the blast radius of post-quantum cryptographic failures. This means separating and isolating OT networks from IT and from each other, using demilitarized zones (DMZs), one-way data diodes, jump hosts, and other segmentation strategies. Proper segmentation ensures that a compromised VPN or remote connection doesn’t grant direct access to every PLC on the plant floor.

Notably, CISA suggests prioritizing network isolation for the most at-risk systems: legacy OT gear, end-of-life software, and any platforms that are hard to patch should be cordoned off as much as possible. By containing vulnerable systems behind additional layers of defense, you can buy time and buffer against quantum-enabled intrusions.

This aligns with broader Zero Trust principles as well – assume breach and limit trust, so even if an attacker gets in, they can’t freely move laterally through your OT environment.
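One way to make the segmentation recommendation above testable is to encode the intended zone model (IT, DMZ, control, safety; a jump host; a one-way diode) as a policy and audit exported flow records against it. The following is an added example, not code from the CISA report or from this article; the zone ranges, host addresses, log format and flow records are all constructed, and the jump-host and diode addresses are hypothetical. It runs offline on the embedded sample and reports every flow that bypasses the segmentation design.

```python
"""Flow-policy audit for a segmented OT network (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map; a real plant will have many more zones and conduits.
ZONES = {
    "ENTERPRISE": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "CONTROL": ipaddress.ip_network("10.3.0.0/24"),
    "SAFETY": ipaddress.ip_network("10.4.0.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.2.0.10")     # hypothetical jump host in the DMZ
DIODE_SOURCE = ipaddress.ip_address("10.3.0.50")  # historian behind the one-way diode

# Permitted cross-zone conduits; anything not listed is a segmentation breach.
# Deliberately absent: (ENTERPRISE, CONTROL) and (ENTERPRISE, SAFETY), so IT
# can never reach controllers directly, and the diode path is one-way only.
ALLOWED = {
    ("ENTERPRISE", "DMZ"),
    ("DMZ", "CONTROL"),          # restricted further to the jump host below
    ("CONTROL", "DMZ"),
    ("CONTROL", "SAFETY"),
    ("SAFETY", "CONTROL"),
    ("CONTROL", "ENTERPRISE"),   # restricted further to the diode source below
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def zone_of(addr):
    """Map an address to its zone name, or UNKNOWN if it is in none of them."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def check_flow(flow):
    """Return None if the flow respects the policy, else a short reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        return "address outside every defined zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this check
    if (src_zone, dst_zone) not in ALLOWED:
        return f"direct {src_zone}->{dst_zone} traffic bypasses segmentation"
    if (src_zone, dst_zone) == ("DMZ", "CONTROL") and flow.src != JUMP_HOST:
        return "CONTROL may only be entered through the jump host"
    if (src_zone, dst_zone) == ("CONTROL", "ENTERPRISE") and flow.src != DIODE_SOURCE:
        return "only the diode-exported historian may send to ENTERPRISE"
    return None


def parse_flow(line):
    """Parse the constructed flow-log format: '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def audit(lines):
    """Return (line, reason) for every flow record that violates the policy."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason is not None:
            findings.append((line, reason))
    return findings


# Constructed flow records, as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    "10.1.5.20 10.2.0.10 22",     # IT workstation -> jump host: allowed
    "10.2.0.10 10.3.0.7 502",     # jump host -> PLC (Modbus TCP): allowed
    "10.1.5.20 10.3.0.7 502",     # IT workstation -> PLC directly: violation
    "10.2.0.44 10.3.0.7 44818",   # non-jump DMZ host -> PLC: violation
    "10.3.0.50 10.1.9.9 8443",    # historian export through the diode: allowed
    "10.3.0.7 10.1.9.9 443",      # PLC initiating to enterprise: violation
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {line}: {reason}")
```

Running the same audit periodically over real flow exports is a cheap way to confirm that the segmentation meant to contain a broken VPN or remote-access cipher has not quietly eroded through firewall exceptions.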

Layer Classical and Post-Quantum Protections (“Defense in Depth”)

The report encourages integrating quantum-specific mitigations into traditional cybersecurity practices. In practice, this means doubling down on defense-in-depth controls that can thwart an attack even if encryption fails.

Examples include robust access control (least privilege for OT accounts), continuous intrusion detection/monitoring on OT networks, strict physical security for control systems, and strong incident response plans that account for cyber-physical scenarios.

CISA even mentions using multi-factor authentication (MFA) where feasible to fortify access to critical OT interfaces. (Be aware that many current MFA solutions still rely on PKI under the hood – so while they add a hurdle, they too will need post-quantum upgrades in the long term.)

The key point is to layer compensating controls around vulnerable cryptographic assets. For example, if you’re worried about spoofed commands on an OT network, ensure an out-of-band safety system or alarm can catch anomalies. If you fear firmware tampering, implement runtime application controls or whitelisting on OT devices.

These measures reduce the chances that a single cryptographic break will lead straight to catastrophic failure.

Build Crypto-Agility into OT Systems

A recurring theme is crypto-agility – designing systems to be flexible in the face of evolving cryptography. CISA advises that whenever possible, organizations should adopt OT platforms, software, and devices that support rapid cryptographic updates or dual algorithms. Crypto-agile operating systems and applications allow you to switch out cryptographic primitives (e.g. swap an RSA certificate for a Dilithium post-quantum certificate) without rebuilding the entire system. Given OT’s long lifespans, crypto-agility is a lifesaver: it means you can upgrade encryption in situ when needed.

The report explicitly says OT owners “should request crypto-agile features in ICS equipment acquisitions” going forward. This might involve using modular cryptographic libraries, supporting firmware updates that can introduce new algorithms, or deploying gateways that can handle post-quantum encryption on behalf of legacy devices. If a device’s built-in crypto can’t be changed, consider encapsulating it – for instance, placing a quantum-safe proxy in front of a legacy sensor network so that communications are upconverted to PQC by the proxy, even if the sensors themselves remain unchanged.

I’ve discussed such approaches in our intro to crypto-agility – the goal is to “design for swap-out” at the crypto layer, knowing that algorithms will need to evolve. By baking crypto-agility into your OT infrastructure now, you significantly future-proof your operations and reduce the need for wholesale hardware rip-and-replace.
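To make “design for swap-out” concrete for the firmware-signing case discussed above, here is an added example (not code from the CISA report, this article, or any vendor) of a crypto-agile firmware manifest verifier. The manifest carries an algorithm identifier and the verifier dispatches on a registry, so moving to a new signature scheme is a key-and-policy change rather than a rebuild of the device software. To run offline with only the standard library, both registered schemes are Lamport one-time signatures (hash-based, so quantum-resistant) over different hashes; a fielded design would register standardised schemes such as ML-DSA behind the same interface. The algorithm identifiers, manifest field names and firmware image are constructed.

```python
"""Crypto-agile firmware manifest verification with a pluggable scheme registry."""
import hashlib
import os


class LamportOTS:
    """Lamport one-time signature over any hashlib digest. Security rests only on
    the hash's preimage resistance. Each key pair must sign exactly ONE message:
    a second signature with the same key leaks enough secrets to forge."""

    def __init__(self, hash_name):
        self.hash_name = hash_name
        self.n = hashlib.new(hash_name).digest_size  # bytes per secret / hash

    def _h(self, data):
        return hashlib.new(self.hash_name, data).digest()

    def _bits(self, msg):
        d = self._h(msg)
        return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(self.n * 8)]

    def keygen(self):
        sk = [(os.urandom(self.n), os.urandom(self.n)) for _ in range(self.n * 8)]
        pk = [(self._h(a), self._h(b)) for a, b in sk]
        return sk, pk

    def sign(self, sk, msg):
        # Reveal one preimage per message bit.
        return b"".join(sk[i][b] for i, b in enumerate(self._bits(msg)))

    def verify(self, pk, msg, sig):
        n = self.n
        if len(sig) != n * n * 8:
            return False
        return all(self._h(sig[i * n:(i + 1) * n]) == pk[i][b]
                   for i, b in enumerate(self._bits(msg)))


# Registry: adding a scheme here is all the device verifier has to learn about it.
ALGORITHMS = {
    "lamport-sha256": LamportOTS("sha256"),
    "lamport-sha3-256": LamportOTS("sha3_256"),
}


def _signed_bytes(alg_id, fw_digest_hex):
    # Bind the algorithm identifier into the signed data so a manifest cannot
    # be re-labelled as a different (weaker or unknown) scheme.
    return alg_id.encode() + b"\0" + bytes.fromhex(fw_digest_hex)


def make_manifest(alg_id, sk, firmware):
    """Producer side: sign the firmware digest under the named scheme."""
    digest = hashlib.sha256(firmware).hexdigest()
    sig = ALGORITHMS[alg_id].sign(sk, _signed_bytes(alg_id, digest))
    return {"alg": alg_id, "fw_digest": digest, "sig": sig.hex()}


def verify_manifest(manifest, firmware, trusted_keys, allowed_algs):
    """Device side. Returns (ok, reason). trusted_keys maps alg_id -> public key;
    allowed_algs is the current policy, i.e. the set of schemes still accepted."""
    alg_id = manifest["alg"]
    if alg_id not in allowed_algs:
        return False, "algorithm not permitted by current policy"
    scheme = ALGORITHMS.get(alg_id)
    if scheme is None:
        return False, "unknown algorithm identifier"
    pk = trusted_keys.get(alg_id)
    if pk is None:
        return False, "no trusted key for this algorithm"
    if hashlib.sha256(firmware).hexdigest() != manifest["fw_digest"]:
        return False, "firmware digest mismatch"
    if not scheme.verify(pk, _signed_bytes(alg_id, manifest["fw_digest"]),
                         bytes.fromhex(manifest["sig"])):
        return False, "signature invalid"
    return True, "ok"


def rollover_demo():
    """Sign a release under the old scheme, then move policy to the new one.
    Returns (old accepted, tampered rejected, old rejected after rollover, new accepted)."""
    firmware = b"constructed PLC firmware image v1.2"  # constructed sample
    sk_old, pk_old = ALGORITHMS["lamport-sha256"].keygen()
    sk_new, pk_new = ALGORITHMS["lamport-sha3-256"].keygen()
    trusted = {"lamport-sha256": pk_old, "lamport-sha3-256": pk_new}

    old_manifest = make_manifest("lamport-sha256", sk_old, firmware)
    ok_old = verify_manifest(old_manifest, firmware, trusted, {"lamport-sha256"})[0]
    tampered = verify_manifest(old_manifest, firmware + b"\0", trusted, {"lamport-sha256"})[0]

    # Rollover: policy now accepts only the new scheme, with no verifier code change.
    policy = {"lamport-sha3-256"}
    old_after = verify_manifest(old_manifest, firmware, trusted, policy)[0]
    new_manifest = make_manifest("lamport-sha3-256", sk_new, firmware)
    ok_new = verify_manifest(new_manifest, firmware, trusted, policy)[0]
    return ok_old, tampered, old_after, ok_new


if __name__ == "__main__":
    print(rollover_demo())
```

The design point is the shape, not the toy scheme: the algorithm identifier is signed along with the digest, unknown or retired identifiers are refused outright, and the set of accepted schemes lives in policy that an operator can change during a maintenance window. One-time signatures also illustrate a real agility constraint: stateful hash-based schemes need strict key-use tracking, which is why NIST's stateless options (SLH-DSA) or ML-DSA are the usual choice for long-lived device fleets.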

Begin Piloting PQC and Upgrading Encryption

Finally, CISA urges critical infrastructure operators to start implementing the new post-quantum algorithms as they become available. As of August 2024, NIST has released three approved PQC standards (one key exchange and two digital signature schemes), with more on the way. CISA’s guidance is to “implement the latest post-quantum encryption standards” wherever possible, and to plan on continuously updating as new standards emerge.

This doesn’t mean blindly replacing every RSA key overnight – rather, it means identifying where you can safely deploy PQC in the near term, such as in test environments, certain VPNs, or internal PKI systems, especially those that protect long-lived sensitive data. Be strategic: you may need to adopt multiple algorithms (different PQC for signatures vs encryption) and account for their performance impact. CISA acknowledges that PQC implementations can be resource-intensive – larger key sizes and heavier computations could “exceed current hardware capabilities in OT systems”, particularly on older devices. Some legacy controllers might grind to a halt if asked to use a complex lattice-based algorithm for every communication. Plan for this: you might need to upgrade hardware or offload crypto to auxiliary processors for PQC, and work closely with vendors to ensure interoperability. The transition will be gradual, but starting early is crucial. Every new system you deploy from now on should, if possible, be quantum-resistant or at least quantum-ready.

And for existing systems, consider hybrid crypto solutions (combining classical and PQC algorithms) as an interim step to protect critical links like VPN tunnels or control center communications in the next 1-2 years, well ahead of any projected “Q-day.”
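The part of a hybrid design that operators most often get wrong is how the two shared secrets are combined, so here is an added example (not from the CISA report or this article) of the combining step only. It assumes the two key-exchange legs, say an ECDH exchange and a post-quantum KEM, have already produced their shared secrets; the secrets, label and handshake transcript below are constructed stand-ins. The derived key stays secret as long as either leg is unbroken, which is exactly the property an interim hybrid tunnel is meant to provide.

```python
"""Hybrid (classical + post-quantum) shared-secret combiner, standard library only."""
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def _len_prefixed(secret):
    # Length-prefix each input so "ab"||"c" and "a"||"bc" cannot collide.
    return len(secret).to_bytes(2, "big") + secret


def combine_hybrid(ss_classical, ss_pq, transcript, label=b"hybrid-vpn-key", length=32):
    """Derive a session key from both legs of a hybrid key exchange.

    Both secrets are concatenated into the KDF input (the Z || T shape that
    NIST SP 800-56C Rev. 2 permits for hybrid shared secrets and that the IETF
    hybrid TLS design uses), and a hash of the handshake transcript is bound in
    as salt so the key is specific to this exchange.
    """
    ikm = _len_prefixed(ss_classical) + _len_prefixed(ss_pq)
    salt = hashlib.sha256(transcript).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, length)


def hkdf_self_test():
    """RFC 5869 test case 1; True if the HKDF above reproduces the published OKM."""
    ikm = bytes([0x0b] * 22)
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


# Constructed stand-ins for the two legs' outputs and the handshake transcript.
SS_CLASSICAL = bytes.fromhex("11" * 32)   # e.g. an ECDH shared secret
SS_PQ = bytes.fromhex("22" * 32)          # e.g. a PQ KEM shared secret
TRANSCRIPT = b"constructed handshake transcript: client_hello|server_hello"


def broken_leg_demo():
    """Model 'a CRQC recovers the classical leg': an attacker who knows
    SS_CLASSICAL but not SS_PQ derives a different key. Returns (peers_agree,
    attacker_key_differs)."""
    real = combine_hybrid(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    peer = combine_hybrid(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    attacker = combine_hybrid(SS_CLASSICAL, bytes(32), TRANSCRIPT)
    return real == peer, real != attacker


if __name__ == "__main__":
    print("HKDF self-test:", hkdf_self_test())
    print("peers agree, attacker differs:", broken_leg_demo())
```

Two details matter in practice: the secrets are length-prefixed before concatenation so the KDF input is unambiguous, and the transcript goes into the derivation so a key cannot be replayed into a different session. A legacy VPN appliance that cannot run the PQ leg itself can still sit behind a quantum-safe proxy that performs this combination on its behalf, which is the encapsulation pattern the crypto-agility section above describes.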

(For more technical insights on secure firmware updates and digital signatures in the quantum era – a key aspect of maintaining trust in OT software – see my explainer on The Future of Digital Signatures in a Post-Quantum World.)

A Milestone for OT Security – and a Call to Action

When I first read through CISA’s Post-Quantum Considerations for OT, my immediate thought was, “Finally, OT is getting the attention it deserves in the quantum security conversation.” As someone who has worked with both enterprise IT and industrial OT security teams, and has led global OT security practices for some of the largest professional services firms, I can attest that OT has often been the elephant in the room during discussions of post-quantum readiness. This new report is an important milestone because it explicitly acknowledges the elephant: it confronts the reality that our factories, power grids, transportation systems, and other core infrastructures face an uphill battle in the coming quantum revolution, and it provides a roadmap (or at least a compass) for navigating that hill.

What CISA gets right in this guidance is the balance between urgency and pragmatism. On one hand, the report pulls no punches in warning that OT cannot be an afterthought – waiting until 2035 (the original U.S. target for government PQC migration) is not an option for these systems. The stark language about OT potentially being “the last to achieve” PQC is a deliberate jolt to the community.

On the other hand, CISA clearly understands the constraints: they’re not telling a hospital to rip out its MRI machines or a utility to upgrade every grid sensor overnight. Instead, the recommendations are measured and actionable: segment your networks to contain risk, build crypto-agility so you’re ready to swap in new algorithms, start planning and inventorying now so you’re not caught flat-footed. This dual message of “act now, but smartly” is exactly what CISOs of critical infrastructure need to hear.

From my perspective, one of the most valuable parts of the report is the emphasis on inventory and prioritization. I’ve seen many organizations struggle with “analysis paralysis” around quantum threats – they know it’s out there but don’t know where to begin. By following the DHS roadmap and actually cataloging where and how your OT systems use cryptography, you get a concrete foundation to build on. You might discover, for example, that only a handful of PLC models in your plant use TLS or code signing – those become your focus for remediation or ring-fencing. Or you might find that a certain control network has a remote access point using vulnerable encryption – that becomes a candidate for early upgrade or additional safeguards. This kind of visibility is golden, and it also helps break down the often siloed knowledge in an organization (IT vs OT teams). CISOs should use the CISA report as an impetus to bring together the right stakeholders – IT security, OT engineers, risk managers – and kick off a quantum readiness working group for OT. If that hasn’t happened yet, it needs to.

Another aspect I applaud is the call for crypto-agility and working with vendors. In OT, almost more than anywhere else, you can’t go it alone – you rely on an ecosystem of vendors for SCADA software, control devices, field sensors, etc. Many of those vendors are already (hopefully) working on quantum-safe product roadmaps. As a CISO, now is the time to start that dialogue with your suppliers. Ask them: Do you offer crypto-agile firmware? When will you support the new NIST PQC algorithms? How can your product be upgraded – software patch, module swap, totally new device? The answers will influence your own strategy. CISA’s guidance to “request crypto-agile features in ICS equipment” is spot on – it sends a signal to the market that there is demand for quantum-resistant OT solutions. The more customers press their vendors on this, the faster the whole industry will move.

I also want to address a contrarian view that some in the OT world have: “Why worry about quantum when we haven’t fixed basic security yet?” It’s true that many OT environments still struggle with fundamentals like patching, password management, and network hygiene. A quote in the CISA report from an industry CISO essentially said “get your cyber basics right before PQC – most OT devices aren’t using crypto at all!”. I understand that sentiment – you don’t want to chase the shiny new thing at the expense of the basics. But I don’t see it as an either/or. Quantum preparedness should be viewed as a complementary extension of good cybersecurity hygiene, not a competing priority. For example, implementing strong network segmentation (one of the PQC mitigations) is also just good practice for containing ransomware or other threats. Conducting a crypto inventory will likely reveal other weaknesses (like outdated protocols) that you can tackle now. In short, you can simultaneously improve your baseline security and lay the groundwork for PQC. In fact, I’d argue that thinking about quantum can drive improvements in your overall program – it forces you to inventory assets, tighten network architecture, and engage in long-term planning, which yield immediate benefits.

So what should CISOs do next? Here’s my personal prescription:

  1. Read the CISA report (and share it) with your team and your executive leadership. It lends credibility to the issue when a government agency underscores the risk. Use it to educate stakeholders that this is not science fiction – it’s a strategic business risk to manage.
  2. Start the OT cryptography inventory and risk assessment (if you haven’t already). You might leverage frameworks like the one in the DHS roadmap, or consult guides on performing a cryptographic inventory. The goal is to map out where your organization’s OT systems rely on potentially vulnerable cryptography and what would break if those crypto algorithms failed. This also means identifying “crypto dead-ends” – those legacy systems that can’t be upgraded and will need containment or eventual replacement.
  3. Enhance your network segmentation now – this is low-hanging fruit. If there are quick wins like isolating a network segment or installing a data diode between enterprise IT and OT, do it. Not only will this help against future quantum attacks, it will raise your resilience against today’s threats too.
  4. Push for crypto-agility in all new procurements and projects. Make “quantum-resistant” or “crypto-agile” a checkbox in your RFPs for new OT systems. When upgrading or replacing equipment, choose solutions that are designed to accommodate new algorithms (even if those algorithms aren’t deployed on day one). And where you can’t get that, plan compensating controls.
  5. Develop a long-term quantum transition roadmap for your organization. This should align with your overall digital transformation strategy. Set target milestones – maybe by 2025 you’ll pilot a PQC-ready VPN in one plant, by 2027 you’ll have phased out all 1024-bit RSA certs, by 2030 you aim to have all critical systems on PQC or hybrid crypto. Having a timeline (even a rough one) focuses budgeting and R&D efforts. Keep an eye on evolving standards and threat intelligence – for instance, if a breakthrough happens and Q-Day looks closer than expected, you may need to accelerate plans.
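The inventory-and-prioritization step (step 2 above, and the “Don’t Wait – Start Planning Now” section earlier) is the one most teams stall on, so here is an added example of turning a raw OT crypto inventory into a ranked remediation list. It is not code from the CISA report, the DHS roadmap, or this article; the CSV columns, asset names and scoring weights are constructed for illustration, and a real inventory would be fed from asset-discovery and PKI tooling. The ranking separates assets that can be upgraded to PQC or hybrid crypto from the “crypto dead-ends” that need containment, and it weights remote reachability, trust-critical functions (VPN, Secure Boot, firmware signing), already-weak key sizes, and long-lived data exposed to harvest-now-decrypt-later.

```python
"""OT cryptographic inventory triage (constructed example)."""
import csv
import io
from dataclasses import dataclass, field

# Public-key families broken by Shor's algorithm. Symmetric ciphers and hashes
# are deliberately not listed: they need larger parameters, not replacement.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DH", "DSA")
HIGH_IMPACT_USES = {"vpn", "remote-access", "secure-boot", "firmware-signing"}

# Constructed inventory. data_lifetime_years = how long the protected data stays
# sensitive; upgradable = whether the platform can take a new crypto stack at all.
INVENTORY_CSV = """asset,zone,function,algorithm,key_bits,remote_reachable,data_lifetime_years,upgradable
plc-07,control,opc-ua-tls,RSA,2048,no,1,no
eng-station-02,control,vpn,RSA,1024,yes,10,yes
hist-01,dmz,tls,ECDHE,256,yes,15,yes
rtu-113,field,firmware-signing,ECDSA,256,no,20,no
hmi-04,control,none,,,yes,1,yes
safety-plc-01,safety,secure-boot,RSA,2048,no,25,no
"""


@dataclass
class Finding:
    asset: str
    score: int
    action: str
    reasons: list = field(default_factory=list)


def is_quantum_vulnerable(alg):
    return any(alg.upper().startswith(fam) for fam in QUANTUM_VULNERABLE)


def classically_weak(alg, bits):
    """Sizes already below classical guidance: urgent regardless of quantum."""
    if alg.upper().startswith("EC"):
        return bits < 256
    return bits < 2048   # RSA / DH / DSA


def assess(row):
    """Score one inventory row; higher means remediate sooner."""
    alg = row["algorithm"].strip()
    if not alg:
        return Finding(row["asset"], 0, "no public-key crypto in use; apply baseline hygiene")
    if not is_quantum_vulnerable(alg):
        return Finding(row["asset"], 1, "symmetric/hash only; review key and digest sizes",
                       [f"{alg} is not Shor-vulnerable"])
    bits = int(row["key_bits"] or 0)
    score, reasons = 3, [f"{alg} is quantum-vulnerable"]
    if row["remote_reachable"] == "yes":
        score += 2
        reasons.append("reachable remotely: entry-point risk")
    if row["function"] in HIGH_IMPACT_USES:
        score += 2
        reasons.append(f"{row['function']} protects trust/integrity")
    if classically_weak(alg, bits):
        score += 1
        reasons.append(f"{alg}-{bits} is already below classical guidance")
    if int(row["data_lifetime_years"]) >= 10:
        score += 2
        reasons.append("long-lived data: harvest-now-decrypt-later exposure")
    if row["upgradable"] == "yes":
        action = "upgrade: plan PQC or hybrid crypto"
    else:
        action = "contain: crypto dead-end; segment/proxy now, schedule replacement"
    return Finding(row["asset"], score, action, reasons)


def prioritize(inventory_csv):
    """Return findings ordered by descending score (ties broken by asset name)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted((assess(r) for r in rows), key=lambda f: (-f.score, f.asset))


if __name__ == "__main__":
    for f in prioritize(INVENTORY_CSV):
        print(f"{f.score:>2}  {f.asset:<15} {f.action}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

On the constructed data the remotely reachable RSA-1024 VPN endpoint ranks first for upgrade, while the unpatchable firmware-signing RTU and the safety PLC's Secure Boot land in the containment bucket despite the same raw vulnerability, which is the distinction step 2 asks you to draw.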

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.