Inside Cybersecurity

April 12, 2024

Daily News

CISA targets operational technology for upcoming guidance on migrating to post-quantum cryptography

By Jacob Livesay / December 6, 2023

The Cybersecurity and Infrastructure Security Agency is working on guidance for operational technology and industrial control system owners to help with implementing quantum-resistant encryption algorithms, according to agency official Natasha Eastman.

CISA launched its Post-Quantum Cryptography Initiative in July 2022. Eastman said the initiative is focused on fostering public-private collaboration and providing support to critical infrastructure and government networks to secure networks against quantum-enabled threats.

Eastman leads the PQC initiative and spoke about the effort at a quantum event on Tuesday hosted by General Dynamics Information Technology. She was joined on a panel by GDIT's Matt Hayden and Jerome Johnson of Amazon Web Services.

Natasha Eastman

Natasha Eastman, Chief, CISA's Post Quantum Cryptography Initiative

Eastman emphasized the level of preparedness for PQC migration among OT and ICS operators differs from the IT and communications sector. She said, “A lot of the vendors in the IT and comms space that we talk to every day are already looking at this. They already have folks assigned. They have people on staff that know this issue. In the OT and ICS space, we’re years behind.”

She noted that vendors have a responsibility to lead in terms of private sector PQC migration, while owners and operators have a related responsibility in making sure their vendors are adequately preparing for quantum-enabled threats.

Eastman said CISA is working with OT and ICS operators to engage vendors in the IT and communications space and send an economic “demand signal” to make it clear that products must be developed in ways that align with PQC migration efforts.

CISA’s upcoming guidance on the “OT and ICS issue” is expected to be published “just after the [December] holidays,” Eastman said.

Hayden, a former senior cyber official at DHS, emphasized the scale of the PQC migration process. He said the process would not be a simple “rip and replace” of outdated cryptography, but a complex undertaking which currently lacks “an easily scalable solution.”

The Biden administration issued a national security memorandum in 2022 requiring most federal data to be encrypted using quantum-resistant algorithms by 2035.

The National Institute of Standards and Technology is working to standardize PQC algorithms for entities to implement into their systems. NIST issued in August a series of draft Federal Information Processing Standards for three quantum-resistant algorithms selected through a multi-year evaluation process.

Hayden said the federal government faces a challenge in emphasizing the urgency to critical infrastructure owners of addressing quantum risks.

The government needs to be “almost an evangelist,” Hayden said, to convince owners “that there is a risk that they cannot see or touch that is going to impact their systems at a date in the future that you can’t tell them, and they have to act immediately.”

Hayden spoke with Inside Cybersecurity following the panel discussion. He said CISA’s guidance should help industry to gain a better understanding of the risks posed by quantum-enabled threats.

Specifically, Hayden said frameworks for assessing operational technology risks related to cryptography would be helpful to industry. Risk-based frameworks can help network managers prioritize their investments in PQC migration, Hayden said, especially in lower-resourced critical infrastructure organizations like those in the water sector.

The former DHS official noted budgeting for implementation would be vital. Hayden said federal agencies and critical infrastructure organizations alike “have to really put some markers down to get resources in place to hit the ground running.”

Hayden also noted the need to establish continuous monitoring for cryptographic dependencies across networks. He pointed to shared services as one way to help entities with this effort in the future, saying, “Shared services can come into play, but we haven’t hit that yet.”

The GDIT event also included conversations with OMB official Nick Polk, Energy Department CIO Ann Dunkin, NIST’s Bill Newhouse and Adele Merritt of the Office of the Director of National Intelligence on how various federal entities are preparing for quantum in terms of cybersecurity and more broadly with research and development efforts. -- Jacob Livesay (