Quantum threats to critical national infrastructure – be aware but not (necessarily) afraid

Author: Dr Rajiv Shah, MDR Security 

We invite you to either listen to the article or read the below. 

In recent months you may have heard increasing discussion of the threats that quantum computing could pose to cyber security. One trigger for this was the finalisation of proposed new encryption standards by the National Institute of Standards and Technology (NIST) in the US. Then in its December 2024 update to the Information Security Manual (ISM), the Australian Cyber Security Centre (ACSC) issued guidance that organisations should ensure any new systems can be upgraded to “quantum resistant cryptography” (QRC) by 2030. While the ISM is only mandated for Australian Government entities, many critical infrastructure operators will look to this for advice on best cyber security practice. As a consequence, many entities, perhaps including critical infrastructure, entities are asking what these latest updates to the ISM mean for them.

First we need to understand what the threat is. Today, the privacy of most information sent across the internet between two parties depends on “asymmetric encryption” – where each party can use their own “private key” to encrypt their communications, without first needing to agree a common key which someone else might overhear. Some clever maths is used to turn your private key into a public one, in a way that today’s computers cannot practically reverse. This means you can tell someone your public key, but they cannot use that to work out your private key, so can’t decrypt the messages sent to you. However, future “quantum computers” might be able to reverse these calculations, so they could decrypt and read the data without needing to know the private key.

The theory of a quantum computer is well understood, but no-one knows if or when it could be practically built. Estimates from “experts” in the field range typically from 10 to 30 years for one that could actually “crack” encryption in this way. It is likely that at least to build with such devices will be expensive and would need to be used in a targeted manner – RAND Corporation estimated that each time it is run, just the electricity costs could total around $64,000 to crack one key for one session.

So it’s certainly not the case that there is some looming “Q-Day” event when all encryption suddenly becomes insecure. The threat is specifically public-key encryption when used to protect data sent across a network which someone else might be able to eavesdrop on. It is likely to manifest gradually, with those scenarios of high-value data that might be targeted by well-resourced adversaries likely to be targeted first. Even then, it’s likely to be several years before the threat is realised. 

However, this doesn’t mean that entities can sit back and relax. In particular, there is one situation where you may need to take more urgent action if you haven’t already. This is where, if you send data across public networks today that still needs to be kept confidential for many years, you might worry that someone could collect the encrypted data you send now and decrypt it in the future when such a quantum computer is available – sometimes referred to as “Harvest Now, Decrypt Later” attacks. For everyone else, it is a matter of being aware, understanding risk and planning how to respond.

Fortunately, we do have solutions in the form of QRC – new algorithms for asymmetric encryption that are believed to be safe from quantum computer attack. NIST have been running a process for over 10 years to develop, refine and test such algorithms, with proposed solutions now embodied in the recently issued NIST standards. Implementation of these may still take many years – these algorithms need to be incorporated into the various standards that enable current communications, and then implemented on the systems at both ends of every potentially vulnerable link. Some systems may not be able to be upgraded because, for example, the encryption algorithms are hard-coded, and hence may need to be replaced.

Implications for Critical Infrastructure Operators

Critical infrastructure owners and operators should approach the transition to quantum-resistant cryptography (QRC) with a balanced and informed strategy:

1. Future-proof new procurements: For all new procurements involving asymmetric encryption, ensure the vendor has a clear and committed plan to upgrade to QRC, as recommended by the ACSC.

2. Don’t panic to change current systems: There is no need for a hasty replacement of existing systems or adopting complex new encryption overlays. Focus instead on understanding your current cryptographic dependencies.

3. Map and Evaluate Systems: Identify systems that rely on asymmetric cryptography, assess their upgrade potential for QRC, and review vendors’ plans for implementing these upgrades. This mapping should include select supply chain partners.

4. Understand Your Data: Determine what data is being transmitted across your networks, who has access to it, and the required duration of confidentiality.  For ‘business critical data’, review your potential exposure via any 3rd parties that handle such data.

5. Prioritise Risk Areas: Use this information to pinpoint areas vulnerable to “Harvest Now, Decrypt Later” threats that may demand urgent action.

6. Plan Your QRC Transition: With a clear understanding of your systems and risks, develop a prioritised and informed roadmap for QRC implementation that aligns with your operational needs.

By adopting this approach, critical infrastructure operators can manage cryptographic risks effectively, addressing urgent concerns while laying the groundwork for a smooth transition to QRC.

Interested in learning more? Enrol in Pentagram’s online workshop: “SOCI Workshop: Quantum Computing – Security Risk to Critical Infrastructure Sectors‘ on 4 February from 2:30 to 3:30 pm. Featuring special guest speakers: Rajiv Shah, Managing Director, MDR Security and Muria Roberts, Director, QTM-X. Register HERE.

MDR Security is a specialised consulting company that helps organisations to understand technology, to use it safely and securely, and to maximise the opportunities it offers. Find us at www.mdrsecurity.com.au or contact us at [email protected] to learn more.

0
    0
    Your Cart
    Your cart is emptyReturn to Shop