The quantum imperative
In every industry, there’s an imperative to bring cryptography systems up-to-date. The world of industrial automated controls is certainly no different. While quantum computers capable of breaking current public key encryption are not yet widely available, there are a number of threats to long-lifecycle, industrial, and security devices. Already, adversaries are able to harvest data that could be retroactively decrypted (harvest-now-decrypt-later), and in addition, many devices manufactured today are likely to have lifetimes of 10-20 years – far beyond the expected arrival of cryptographically relevant quantum computing.
It’s a significant security debt, and it’s one that’s augmented by the fact that Industry 4.0 and the Industrial Internet of Things (IIoT) have led to new ways for components to connect, closing the ‘air gap’ and introducing the serious potential of cyber threats to previously isolated systems. These are then, important drivers towards modernizing the cryptography at a foundational layer.
PQC in industrial controls
The solution is the proactive integration of post-quantum cryptography (PQC) – a technology that’s designed for resilience against a quantum attack, based on a new field of NIST-standardized algorithms.
PQC remains the best way to future-proof embedded industrial control systems, not just against the imminent quantum threat, but for years to come. It’s a point that’s reinforced by government regulation, and increasingly, industry standards. For instance, the US Cybersecurity and Infrastructure Security Agency (CISA) regularly issues advisories and guidelines for ICS protection, applying to industry as well as critical infrastructure. There are many more bodies around the world engaged in similar effort in the regulatory landscape.
Technical considerations
Historically, PQC algorithms have required significant computational resources, making it a challenge to implement them on resource-constrained embedded devices. There’s the question of whether legacy devices should simply be replaced by new PQC-enhanced equivalents – a potentially costly and complex operation. As the question has shifted from ‘why’ we need to upgrade our systems, it’s focused much more keenly on the ‘how’ – given these challenges.
At PQShield, we’ve spent a long time considering exactly that. It’s why we’ve developed PQMicroLib, a powerful cryptographic library that provides integration flexibility – running with as little as 13kB of RAM and deployable as a brownfield, avoiding rip-and-replace, or greenfield solution for the next generation of hardware. PQMicroLib is not only efficient enough to be deployed via firmware to resource-constrained systems, but it’s highly optimizable, enabling manufacturers to build security-by-design into next-gen platforms.
We’re also one of the world’s leading experts in side-channel protection of post-quantum cryptography. In the ICAS world, PLCs, SCADA systems and other data control and monitoring components are likely to be vulnerable to physical detection of encrypted information. PQC solutions, such as PQMicroLib, need to be hardened with built-in countermeasures against such physical threats – something we’ve built into our ultra-secure product set based on groundbreaking research and verification.
Conclusion
We believe that PQC is a strategic imperative, building long-term business continuity, security against the next generation of threats, and confidence in the systems of tomorrow. As technology continues to evolve, the devices and processes we use every day to keep our data and operations secure will need to adapt with the threat landscape, and at PQShield we’re actively supporting the effort, staying one step ahead of the attack. Checkout PQMicroLib today!