Analysis

OT Environments Can't Back Up Post-Quantum Cryptography Attestations

April 13, 2026 19:40 · 7 min read

A Two-Decade-Old Warning Still Going Unheeded

In 2003, a software bug and a breakdown in communications knocked out power for 55 million people across the United States and Canada. No adversary launched an attack. No one exploited a vulnerability. The grid simply failed because of poor tooling and poor communication. More than twenty years later, that same infrastructure now faces sophisticated state-sponsored threat actors who are not reacting — they are planning.

Operational technology (OT) — the systems that open and close breakers, adjust voltage, and monitor electrical load and faults — operates under a fundamentally different security philosophy than traditional IT. In IT, confidentiality and integrity are the primary concerns. In OT, there is only one priority: availability. The systems must stay on. They must keep running. Downtime is not an acceptable outcome.

Security was never baked into the original design of these systems. Adding it retroactively is far more difficult than it sounds when any interruption carries real-world consequences for the people who depend on electricity, clean water, and heat.

The Adversary Already Inside

Many OT systems continue to operate on legacy protocols that offer no encryption and only weak authentication mechanisms. The stakes of getting this wrong are not a data breach or a regulatory fine. They are cascading infrastructure failures affecting millions of people.

Volt Typhoon, a Chinese state-sponsored threat actor, demonstrated exactly how dangerous this exposure has become. The group maintained persistent, long-term access inside US critical infrastructure networks by using legitimate credentials and native operating-system tools — a technique that made detection extremely difficult. In at least one documented case, Volt Typhoon's access lasted nearly a year. This was not espionage aimed at data theft. It was positioning for potential disruption. Because the US-Canada energy grid is deeply interconnected, the threat does not respect national borders, even if security frameworks largely do.

But beyond what adversaries saw while they were inside these networks, the more pressing question is what they may have taken with them on the way out.

What Post-Quantum Readiness Actually Requires

Regulators are now asking critical infrastructure asset owners to attest to their cryptographic readiness — to confirm that their encryption is resilient in the quantum era and to demonstrate that they have a clear picture of the cryptographic assets in their environments. On its face, this is a reasonable and necessary requirement. In practice, most OT operators have no way to fulfill it honestly.

The frameworks being used to evaluate them were designed for IT environments. OT was not. IT systems were built with the assumption that they could be interrogated, updated, and occasionally taken offline for maintenance. OT was built around the opposite assumption. Many of these devices were installed before the word "cybersecurity" entered common usage. They cannot be patched on a Tuesday night.

Migrating to post-quantum cryptography in IT is already a complex, multiyear effort. In OT, the challenge is exponentially greater:

Asking an OT asset owner to attest to cryptographic readiness using IT-centric frameworks, as Brad McInnis, Founder and CEO of Cyberzero, describes it, is like asking someone to pass a driving test in a vehicle with no dashboard. The requirement is real. The instrumentation is not.

Harvest Now, Decrypt Later — and a Second, Quieter Threat

There is a dimension of this problem that rarely gets discussed openly: the data has already been collected. Adversaries harvesting encrypted traffic from OT environments today are not waiting to see whether they can currently read it. They are stockpiling it, waiting for the moment when quantum computing makes decryption feasible. That moment is approaching.

This is the harvest now, decrypt later attack model. Quantum computing does not only threaten future communications — it retroactively threatens the assumption that everything collected in the past was protected. A threat actor that spent nearly a year inside a critical infrastructure network did not just map the environment. It may have left with cryptographic keys.

There is also a second, less-discussed threat: the trust now, forge later scenario. If an attacker harvested a vendor's firmware signing keys during a period of unauthorized access, that actor could return years later and push a malicious firmware update to every device on the network. Every device would accept it without question because the cryptographic signature would appear legitimate. The attacker does not need to break back in. The door was left open on the way out.
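The scenario above turns on one design detail: a device that checks only whether a signature verifies under a known vendor key has no way to tell a legitimate release from an image signed with a key that was copied during an earlier intrusion. The following Go program is an added illustration, not code from the article or from any vendor; the envelope format, the trust-store layout, the key IDs and the dates are all constructed for the example. It contrasts a signature-only verifier with one that also consults revocation status and a key validity window, which is what lets a device refuse an image signed with a key the vendor has since retired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SignedImage is a constructed firmware-update envelope (hypothetical format):
// the image bytes, the ID of the vendor key that signed it, and an Ed25519
// signature over the image's SHA-256 digest.
type SignedImage struct {
	Image     []byte
	KeyID     string
	Signature []byte
}

// KeyRecord is one entry in the device's trust store. NotAfter and Revoked are
// the policy fields that a bare signature check never consults.
type KeyRecord struct {
	Public   ed25519.PublicKey
	NotAfter time.Time
	Revoked  bool
}

// TrustStore maps a key ID to its record, as a device would hold in flash.
type TrustStore map[string]KeyRecord

// keyID derives a short identifier from a public key (truncated SHA-256).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signImage is the vendor's release step: sign the digest of the image.
func signImage(priv ed25519.PrivateKey, image []byte) SignedImage {
	digest := sha256.Sum256(image)
	pub := priv.Public().(ed25519.PublicKey)
	return SignedImage{Image: image, KeyID: keyID(pub), Signature: ed25519.Sign(priv, digest[:])}
}

// VerifySignatureOnly models the naive device: any image whose signature
// checks out under a known vendor key is accepted.
func VerifySignatureOnly(ts TrustStore, img SignedImage) error {
	rec, ok := ts[img.KeyID]
	if !ok {
		return errors.New("unknown signing key")
	}
	digest := sha256.Sum256(img.Image)
	if !ed25519.Verify(rec.Public, digest[:], img.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// VerifyWithPolicy adds the checks that defeat a harvested key: the key must
// not be revoked and must still be inside its validity window at install time.
func VerifyWithPolicy(ts TrustStore, img SignedImage, now time.Time) error {
	if err := VerifySignatureOnly(ts, img); err != nil {
		return err
	}
	rec := ts[img.KeyID]
	if rec.Revoked {
		return errors.New("signing key is revoked")
	}
	if now.After(rec.NotAfter) {
		return errors.New("signing key validity window has expired")
	}
	return nil
}

// RunScenario plays out the trust-now-forge-later case with keys generated at
// run time: a key copied during an intrusion is used years later to sign a
// malicious image. It reports whether the naive and policy verifiers accept
// that image, and whether a release signed by the successor key is accepted.
func RunScenario() (naiveAccepts, policyAccepts, successorAccepts bool, err error) {
	oldPub, oldPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	intrusion := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	ts := TrustStore{
		// Key live during the intrusion, revoked once the breach was understood.
		keyID(oldPub): {Public: oldPub, NotAfter: intrusion.AddDate(1, 0, 0), Revoked: true},
		// Successor key the vendor rotated to afterwards.
		keyID(newPub): {Public: newPub, NotAfter: intrusion.AddDate(5, 0, 0)},
	}
	later := intrusion.AddDate(3, 0, 0)
	forged := signImage(oldPriv, []byte("constructed malicious image"))
	legit := signImage(newPriv, []byte("constructed vendor release"))
	naiveAccepts = VerifySignatureOnly(ts, forged) == nil
	policyAccepts = VerifyWithPolicy(ts, forged, later) == nil
	successorAccepts = VerifyWithPolicy(ts, legit, later) == nil
	return
}

func main() {
	n, p, s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged image, signature check only: accepted=%v\n", n)
	fmt.Printf("forged image, with key policy:      accepted=%v\n", p)
	fmt.Printf("successor-signed release, policy:   accepted=%v\n", s)
}
```

The point of the contrast is that the forged image is cryptographically valid in both verifiers; only the trust-store policy (revocation, validity window, rotation to a successor key) gives the device a reason to refuse it. On real OT hardware the hard part is not the check itself but getting an updated trust store onto devices that were never designed to receive one, which is exactly the capability gap the rest of this piece describes.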

The Attestation Problem: Paperwork as a Substitute for Security

Most OT operators today cannot answer a foundational question: Where does cryptography live in their environment? This is not a product of negligence. These systems were never architected to be audited in this way. Cryptographic implementations are buried in long-forgotten libraries, embedded in devices installed decades ago, and invisible to the scanning and monitoring tools most security teams rely on. The data needed to answer the question does not exist. The process to collect it has never been built.

When the gap between what regulators are asking and what organizations can actually demonstrate grows large enough, two responses emerge. Either organizations invest in genuinely closing the gap, or they invest in appearing to have closed it. In under-resourced OT environments operating on thin margins with aging infrastructure and skeleton security teams, the path of least resistance is clear: check the box, file the attestation, and move on.

The consequence is a false sense of assurance that may be more dangerous than acknowledged uncertainty. A regulator who believes attestations carry weight stops asking hard questions. An asset owner who has filed the paperwork stops feeling urgency. The adversary is still in the network. Nobody is actively looking for it anymore.

NIST Standards Exist — But So Does a Capability Gap

The urgency behind post-quantum cryptography requirements is legitimate. NIST released its Post-Quantum Cryptography Standards for substantive reasons, and government timelines were established with real threat modeling behind them. But determining where cryptography lives across an OT environment is not a weeks-long project. For most organizations, it takes years. For some, a decade may not be sufficient.

Urgency without capability is just pressure. And pressure without the right tools produces paperwork, not security.

Before requiring asset owners to attest to something, regulators have an obligation to ensure that the frameworks, guidance, and tooling exist to make those attestations meaningful. Currently, they do not. Until that changes, cryptographic readiness attestations are asking operators to confirm something they have no reliable way to verify.

The Ghost in the Grid

The adversary is already inside. It is walking the halls of critical infrastructure, using legitimate credentials, looking exactly as though it belongs there. The question is not whether the threat is real — it is whether the security community, regulators, and asset owners will find it before it decides to act.

Signing a form does not change that reality. It only creates the appearance of assurance where none exists. Real security requires real tooling, real visibility, and an honest acknowledgment of the gap between what OT environments can demonstrate today and what they are being asked to confirm.


Source: Dark Reading