We’ve received a few proposed sessions on quantum cryptography in OT in our S4x26 Call For Presentations. This isn’t new. We’ve received these every year this decade. They don’t get selected.
Why?
S4’s motto is Create The Future. While timelines vary, there is a growing consensus that cryptographic algorithms will need to withstand attacks powered by quantum computing systems. This would seem to be an important topic.
The answer is simple. We see very little cryptography in OT below Purdue Level 2. Not weak proprietary encryption algorithms. Not the current recommended crypto algorithms. The upgrade to quantum cryptography assumes there is something to upgrade.
Most disappointing is the lack of adoption of the CIP Security and Modbus Security protocol enhancements. These are well designed protocols supported by each protocol’s biggest vendor, Rockwell Automation and Schneider Electric respectively. New, greenfield deployments could be built with the necessary authentication, with encryption along for the ride. They are not.
It’s hard to bang the drum for quantum cryptography in a plaintext world.
An intermediate area of small interest is crypto agility. If and when cryptography gets added to OT systems, it shouldn’t be designed with locked-in or hard-to-change algorithms. It would be cruel to imagine the OT security world finally adding source and content authentication only to learn that it could be easily broken by newly available quantum computing.
Crypto agility is the ability to update or replace a crypto algorithm or protocol in a device and system without a major overhaul or replacement. This agility is of great benefit for systems with lifetimes measured in decades. Could crypto agility be added to a PLC? An engineering workstation or HMI? What’s the best way to do this?
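As an added example (not from this post, and not any vendor's or standard's implementation), here is one way to structure a crypto-agile authenticated message format for a device such as a PLC or HMI: the envelope header carries an algorithm identifier that is resolved through a registry, the authentication tag covers the header so the identifier cannot be swapped to a weaker algorithm without detection, and retiring or adding an algorithm is a registry and policy change rather than a wire-format change. The envelope layout, the names, and the use of HMAC-SHA256 and HMAC-SHA3-256 as stand-ins for a "current" and a "replacement" algorithm are my assumptions; a post-quantum signature scheme would slot into the same registry.

```python
"""Crypto-agile message authentication envelope (added example, not from the post).

Assumed envelope (my choice, not a standard):
    version (1 byte) | alg_id (1 byte) | payload_len (2 bytes, big-endian) | payload | tag
"""
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class MacAlgorithm:
    alg_id: int
    name: str
    tag_len: int
    mac: Callable[[bytes, bytes], bytes]  # (key, data) -> tag
    deprecated: bool = False


def _hmac(digest_name: str) -> Callable[[bytes, bytes], bytes]:
    return lambda key, data: hmac.new(key, data, digest_name).digest()


# Registry: wire identifier -> algorithm. Adding a replacement algorithm is a
# one-line change here; the envelope format and the parsing code do not change.
REGISTRY: Dict[int, MacAlgorithm] = {
    0x01: MacAlgorithm(0x01, "hmac-sha256", 32, _hmac("sha256")),
    0x02: MacAlgorithm(0x02, "hmac-sha3-256", 32, _hmac("sha3_256")),
}

VERSION = 1
HEADER = struct.Struct("!BBH")  # version, alg_id, payload length


def protect(key: bytes, payload: bytes, alg_id: int) -> bytes:
    """Build an authenticated envelope using the algorithm selected by alg_id."""
    alg = REGISTRY[alg_id]
    if alg.deprecated:
        raise ValueError(f"{alg.name} is deprecated; refusing to produce new tags")
    header = HEADER.pack(VERSION, alg_id, len(payload))
    # The tag covers the header, so changing alg_id in transit invalidates the tag.
    return header + payload + alg.mac(key, header + payload)


def verify(key: bytes, message: bytes, allow_deprecated: bool = False) -> bytes:
    """Check the envelope and return the payload; raise ValueError on any failure."""
    if len(message) < HEADER.size:
        raise ValueError("truncated header")
    version, alg_id, plen = HEADER.unpack_from(message)
    if version != VERSION:
        raise ValueError(f"unsupported version {version}")
    alg = REGISTRY.get(alg_id)
    if alg is None:
        raise ValueError(f"unknown algorithm id {alg_id:#04x}")
    if alg.deprecated and not allow_deprecated:
        raise ValueError(f"{alg.name} is deprecated by policy")
    body_end = HEADER.size + plen
    if len(message) != body_end + alg.tag_len:
        raise ValueError("length mismatch")
    expected = alg.mac(key, message[:body_end])
    # Constant-time comparison of the tag.
    if not hmac.compare_digest(expected, message[body_end:]):
        raise ValueError("authentication failed")
    return message[HEADER.size:body_end]


def deprecate(alg_id: int) -> None:
    """Policy change: retire an algorithm without touching the wire format."""
    alg = REGISTRY[alg_id]
    REGISTRY[alg_id] = MacAlgorithm(alg.alg_id, alg.name, alg.tag_len, alg.mac, True)


def migrate(key: bytes, message: bytes, new_alg_id: int) -> bytes:
    """Re-protect stored data under a replacement algorithm after a deprecation."""
    payload = verify(key, message, allow_deprecated=True)
    return protect(key, payload, new_alg_id)
```

The two properties that make this agile are that the receiver never assumes an algorithm (it dispatches on the identifier and rejects unknown or retired ones) and that the identifier is itself authenticated. The `deprecate` and `migrate` functions show the operational side: a device with decades of service life needs a path to stop accepting an algorithm and to re-protect existing data, not just a way to add a new cipher.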
There is more encryption used above Purdue Level 2. This is typically part of protocols that apply to IT and OT, such as TLS and SSH. It’s not an issue the OT community will need to address on its own, with the possible exception of OPC UA.