The Crypto Agility Paradox: When Hardware Becomes Your Security Bottleneck

Why securing OT for the quantum era starts with hardware, supply chains, and honest architecture

“In OT, you’re not just looking at today’s risk, you’re designing for what might still be running 20 years from now.”

That’s the quiet but powerful insight from Cassie Crossley, VP of Supply Chain Security at Schneider Electric, in the latest episode of Shielded: The Last Line of Cyber Defense. And if your organization relies on long-lived operational technology (OT) systems (utilities, manufacturing, critical infrastructure), this is a conversation you can’t afford to skip.

In industries where downtime isn’t just costly, but dangerous, the quantum migration journey looks completely different. You’re not just swapping algorithms. You’re working with devices you can’t patch, systems that outlive most vendors, and encryption decisions that are embedded in physical chips.

The Painful Truth: Most OT Systems Don’t Get Updated

While the cybersecurity industry races toward post-quantum cryptography (PQC), most OT environments are still running on TLS 1.0. “In almost all cases, especially with hardware involved, you are not trying to change out that one product line if you don’t have to,” Cassie explained. “It’s running. We don’t want to modify it.”
That’s not an excuse. It’s the lived reality of industrial cybersecurity, where the system may be controlling water flow or managing a power grid, and where changes must pass rigorous safety and compliance hurdles. For many OT systems, encryption goes un-updated not because it’s overlooked, but because the risks of change outweigh the theoretical risks of exposure.

And that’s where the true challenge lies: You can’t secure what you can’t or won’t touch. Yet the quantum threat is real. So, how do you prepare?

Crypto Agility Isn’t Just About Algorithms, It’s About Architecture

Years ago, Schneider Electric launched a crypto agility program. Not because of PQC hype, but because of real-world risk: a dependency on a third-party crypto library that needed to be replaced. What they discovered was that agility isn’t something you bolt on, it’s something you build into your architecture from the start.
“We had to re-evaluate our products, chips, and supply chains,” Cassie explained. “There wasn’t one standard solution. It required analysis, and sometimes, significant architectural rework.”

This is especially true in OT environments where encryption is tightly bound to specific hardware. Many chips can’t support newer crypto models. Others require complete requalification to make even the smallest changes. The shift to crypto agility wasn’t just about crypto, it was about preparing for an unknowable future in systems designed for reliability over flexibility.

Inventory, Then Prioritize

When asked where organizations should begin, Cassie was clear: “Getting an inventory, that really helps.”
Surprisingly, many companies, even large manufacturers, don’t have visibility into what encryption is running on their systems, which suppliers are involved, or what components came from where. Without that foundational knowledge, any migration plan is a guess.

“Inventory allows you to prioritize by risk,” Cassie said. “You need to know which systems are long-lived, what encryption is used, and whether it aligns with your regulatory or compliance requirements.”

For companies in regulated sectors, especially utilities, compliance expectations like FIPS 140 or NERC CIP may already be on their radar. But many still operate legacy systems under waiver agreements, assuming that future readiness will catch up eventually. Cassie warns that this approach is not sustainable in the quantum era.

Threat Modeling Needs to Mature

“Instead of just looking for vulnerabilities, we need to start threat modeling properly, considering things like the Purdue model, defense in depth, and quantum,” Cassie said.

She emphasized that PQC migration is not a one-time task or a cryptographic patch. It requires deep systems thinking, future-aware design, and the ability to anticipate attack surfaces that don’t even exist yet.

That includes shifting assumptions: not every device will be online, not every system can be updated, and not every risk is technical. Many are architectural, operational, or buried in years-old procurement decisions.

Supply Chain Risk Starts With the Chips

One of the most striking parts of the episode is Cassie’s emphasis on hardware bills of materials (HBOMs). While software SBOMs are becoming standard in security conversations, HBOMs remain a blind spot. And yet, Cassie shared, organizations like the U.S. government are already requesting them, with country-of-origin details included.

The problem? There’s no universal standard, and many manufacturers aren’t prepared to respond.

“You can’t just say, ‘Let’s change the chip,’” she noted. “There are interoperability concerns, vendor dependencies, and qualification processes that take time and resources. You have to know what’s in your system from the start.”

Brownfield vs. Greenfield: One Migration Doesn’t Fit All

Organizations often treat crypto upgrades like a single roadmap. But Cassie highlighted the key difference between brownfield (legacy) and greenfield (new build) environments.

Legacy systems require containment, risk prioritization, and strong segmentation. New systems should be designed with crypto agility and post-quantum readiness baked in. Mixing the two under a single strategy often leads to friction and failure.

In other words, PQC migration isn’t just about algorithms. It’s about asset classification, product design, and strategic patience.
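The inventory-then-prioritize step and the brownfield/greenfield split above can be made concrete. The following is an added illustration, not code from Schneider Electric or the podcast: it scores a constructed crypto inventory by the factors the episode names (legacy TLS, service life, chip-bound crypto, patchability, compliance scope) and assigns each asset a migration track. The field names, weights and sample assets are assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed example inventory. Field names and scoring weights are
# assumptions for illustration, not a Schneider Electric or NIST scheme.
@dataclass
class OtAsset:
    name: str
    tls_version: str          # protocol version the device negotiates
    crypto_in_silicon: bool   # algorithm fixed in the chip (requalification to change)
    years_remaining: int      # expected remaining service life
    patchable: bool           # firmware can realistically be updated in the field
    compliance: str           # e.g. "NERC CIP" or "FIPS 140"; "" if out of scope
    greenfield: bool          # new build (True) vs installed legacy (False)

LEGACY_TLS = {"1.0", "1.1"}

def risk_score(a: OtAsset) -> int:
    """Higher means migrate or contain first. Weights are assumed."""
    score = 0
    if a.tls_version in LEGACY_TLS:
        score += 4   # weak transport crypto today, not only a post-quantum concern
    if a.years_remaining >= 10:
        score += 3   # will still be running when the quantum threat matures
    if a.crypto_in_silicon:
        score += 2   # cannot swap algorithms without hardware requalification
    if not a.patchable:
        score += 2   # no software path to agility at all
    if a.compliance:
        score += 1   # regulated scope raises the cost of a finding
    return score

def migration_track(a: OtAsset) -> str:
    """Brownfield gets containment; greenfield gets agility designed in."""
    if a.greenfield:
        return "greenfield: require crypto-agile design and PQC-ready stack"
    if not a.patchable or a.crypto_in_silicon:
        return "brownfield: segment, monitor, plan hardware refresh"
    return "brownfield: schedule firmware crypto update"

def prioritize(assets):
    """Return (name, score, track) tuples, highest risk first; ties by name."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), migration_track(a)) for a in ranked]

INVENTORY = [  # constructed sample assets
    OtAsset("plc-water-intake", "1.0", True, 18, False, "NERC CIP", False),
    OtAsset("hmi-line3", "1.2", False, 6, True, "", False),
    OtAsset("rtu-substation-new", "1.3", False, 20, True, "NERC CIP", True),
    OtAsset("gateway-legacy", "1.1", False, 4, True, "", False),
]
```

Running `prioritize(INVENTORY)` puts the unpatchable, chip-bound TLS 1.0 controller at the top with a containment track, while the greenfield RTU is routed to design-time agility rather than patching.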

Final Takeaway: Quantum Isn’t the Urgent Problem, Legacy Is

While post-quantum threats are real, Cassie is more concerned about the risks that are already here.
“There are still OT environments that have code compiled and installed from the 1980s,” she said. “Those systems are still running. And they’re not going to be replaced just because we have a new encryption standard.”

The message: quantum is coming, but if you wait until it arrives, you’ll be stuck with systems that can’t adapt.

Want to hear how one of the world’s leading OT companies is preparing for the post-quantum era, without breaking what already works?

Tune into the full episode of Shielded: The Last Line of Cyber Defense with Cassie Crossley, now available on Apple Podcasts, Spotify, and YouTube.