Is Critical Infrastructure Ready for Quantum?

There is no doubt that quantum technology will deliver a magnitude of benefits, solving very specific problems that even the fastest supercomputers cannot solve. Consider the impact quantum applications will have on satellite communications, autonomous driving vehicles, and molecular mapping capabilities.

Yet, many exciting innovations that quantum technology promises may never be realized if we don’t take a proactive posture first to protect our data and systems, and prepare for the future. Collectively, we want to realize all of the benefits of quantum without compromising security.

The fact is, quantum computers will be able to break the cryptography underlying public key infrastructure (PKI), posing an unprecedented problem for encryption and authentication that enterprises put their trust in today. The services and infrastructure that we depend on most for our security, governance, public health, and safety are already at risk for cyber-attacks. That risk will increase exponentially with the advent of quantum computers.

The NIST National Cybersecurity Center of Excellence (NCCoE) has already put in place several practices “to ease the migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks,” according to its latest update.

Cryptography is the foundation of digital trust

Core industries including energy, automotive, and Internet of Things manufacturing, depend on a trusted, cryptographic architecture for security at multiple levels:  a threat to cryptography is a serious threat to digital trust.

Broken cryptography can result in unauthorized access to sensitive information and lack of control over connected devices. Consider the impact on a nuclear plant, an autonomous vehicle, or an embedded pacemaker.

Quantum technology will have a tremendous effect on organizations’ trust infrastructure. Imagine a pyramid, with cryptography at every layer, the glue holding everything together. If one layer erodes, it could wreak havoc on our trust infrastructures in every industry and sector with catastrophic results.

The energy sector, especially, has already been vulnerable to cyber-attacks. Today’s exploits generally happen in the top layers: compromised user credentials, admin system misconfiguration. With quantum computing, the most trusted elements – identity infrastructure, platform, architecture – become easier to attack, leading to more severe breaches.

Planes, trains, and automobiles…and energy grids

Airplanes, automobiles, satellites, energy grids. These durable, critical devices are highly vulnerable to attack, as these connected devices have long in-field lives requiring their software/firmware signing trust anchors to be updated. Imagine a state-sponsored hack intercepting and then forging software updates for a satellite.

Let’s take a look at the automotive industry. It is currently undergoing an electrification process. In a few years, every new vehicle sold will have some degree of autonomy built in. Quantum technology can help here a great deal; for example, with designing more efficient and safe batteries.

At the same time, these vehicles will increasingly rely on software that will need to be updated periodically to fix issues or add new functionality. Today, these updates are mostly performed manually when physically servicing the vehicle.

The next big OS war is in your dashboard, says a Wired article. Consider this. New cars roll off the assembly line with 100 million lines of code; this number will easily double with autonomous features. It will become essential to ensure that over-the-air (OTA) updates are authenticated and secure.

In order to perform these updates, automobile manufacturers need to build in and deploy quantum-safe, updatable components. Quantum-safe mechanisms will verify that the updates are not forged and are coming from the original equipment manufacturers.

Imagine the billions of dollars of cost savings if car manufacturers could update a component and handle cryptographic changes and eliminate recalls for electric issues – without requiring in-person maintenance and updating.

Recalls are common; recent electrical issue recalls: Kia recalled more than 200,000 vehicles this year; Fiat Chrysler Automobiles recalled more than 182,000 vehicles in 2019; and Volkswagen recalled 679,000 cars in 2018. Imagine the improved user experience these updates will offer: increased well-being and safety and less hassle of not having to schedule an appointment.

In the energy sector, we have seen power grids become the target for nation-orchestrated cyber-attacks, where equipment has been in place for decades. “The power sector has become a prime target for cyber criminals in the last decade, with cyberattacks surging by 380% between 2014 and 2015,” according to an article in Power Technology. EV charging stations, the intersection of two critical infrastructures – transportation and energy – could be exploited to harm other sections, warns E&E News.

A system that is vulnerable now will be exponentially more at risk when quantum technologies arrive. What can organizations do now to strengthen and future-proof their cryptographic infrastructures?

Organizations with mission-critical security requirements can strengthen and start future-proofing their cryptographic infrastructures today. They can start preparing for quantum computing now by making their systems crypto agile.

A good first step is to inventory systems and algorithms. A few questions to determine quantum preparedness urgency:

  • How many years does the device need to be secured for?
  • How long does the information need to remain confidential?

If the answer to either question is more than seven years – jet engines, pacemakers, cars — start preparing today. Bridging the gap between current and quantum-safe security will require a new approach. Many organizations are looking to adopting a crypto agile posture without affecting existing systems, adherence to standards, and end users.

The ISARA Catalyst Agile Digital Certificate Technology is an example of a crypto agility methodology for creating an enhanced X.509 digital certificate that simultaneously contains two sets of cryptographic subject public keys and issuer signatures. Enhanced X.509 certificates are compliant with industry standards and, if incorporated, will enable organizations to meet compliance. This allows organizations to perform a gradual migration by upgrading their most critical, at-risk assets in phases and with full backwards compatibility.

NIST urges, “It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks.”

Currently, cybersecurity threats are like plugging a kitchen sieve. When quantum comes, the threats will be like plugging the Hoover Dam. Unless organizations take a proactive crypto agile posture today.

What’s Hot on Infosecurity Magazine?