OT Cryptographic Readiness: Addressing the PQC Attestation Gap
- [01] Industrial asset owners face significant risks as they struggle to meet post-quantum cryptography attestation requirements without adequate inventory tools.
- [02] Affected systems include legacy industrial control systems and OT environments running proprietary protocols that lack native certificate management capabilities.
- [03] Defenders must prioritize establishing a comprehensive cryptographic inventory to identify vulnerable algorithms and prepare for the transition to post-quantum standards.
The Crisis of OT Cryptographic Visibility
Operational Technology (OT) environments are currently facing a critical disconnect between regulatory expectations and technical capabilities. As the threat of quantum computing looms, government bodies and industry regulators are increasingly demanding that critical infrastructure providers attest to their post-quantum cryptographic (PQC) readiness. However, according to Dark Reading, many OT asset owners are being forced to provide these attestations without the benefit of specialized tools to inventory their existing cryptographic assets.
This gap results in what analysts call “paperwork security,” where organizations sign off on compliance requirements while remaining blind to the underlying cryptographic vulnerabilities within their Industrial Control Systems (ICS). Unlike standard IT environments, where the SOC can utilize automated scanners to identify SSL/TLS certificates and outdated cipher suites, OT environments rely on legacy systems and proprietary protocols that often lack transparency.
The Challenges of Post-Quantum Cryptography in Industrial Control Systems
Transitioning to PQC is not merely a software update; it requires a fundamental understanding of every cryptographic instance across the network. The challenges of post-quantum cryptography in industrial control systems are compounded by the extreme longevity of OT hardware. Devices deployed twenty years ago may still be in operation, utilizing hardcoded keys or algorithms that are entirely incompatible with modern security standards.
When an APT or other sophisticated actor targets these environments, they often exploit the lack of cryptographic agility. If a specific algorithm is found to have a CVE, IT teams can typically rotate certificates or patch libraries within days. In contrast, OT asset owners may not even know which of their thousands of field devices are utilizing the vulnerable algorithm. This lack of visibility is a major hurdle for those researching how to achieve PQC readiness in OT, as you cannot secure what you cannot see.
The Failure of Manual Inventories
In the absence of specialized OT cryptographic inventory tools, many organizations have reverted to manual spreadsheets to track their keys and certificates. This approach is prone to human error and fails to capture the dynamic nature of modern industrial networks. Manual inventories often miss “hidden” cryptography, such as certificates embedded in third-party firmware or legacy protocols like DNP3 and Modbus that have had security layers bolted on after the fact. This invisibility increases the risk of a Supply Chain Attack, where a compromised library remains undetected within the OT architecture for years.
Technical Recommendations for Defenders
To move beyond empty attestations, organizations must transition toward a Zero Trust framework that incorporates cryptographic observability. This involves shifting from manual documentation to automated discovery processes that can parse OT-specific traffic without disrupting sensitive industrial processes.
Defenders should prioritize the following actions:
- Establish a Cryptographic Bill of Materials (CBOM): Much like a Software Bill of Materials, a CBOM identifies every cryptographic asset, including algorithms, key lengths, and expiration dates. This is essential for identifying systems that will fail to meet PQC standards.
- Map Cryptographic Dependencies: Identify which processes rely on specific certificates. Understanding the TTPs of modern attackers often reveals that they target the weakest link in a chain of trust to escalate privileges.
- Evaluate Protocol Compatibility: Determine which legacy protocols can support the larger key sizes required by PQC algorithms without inducing latency that could impact industrial safety.
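A minimal CBOM triage that exercises the actions above, added here as an example rather than tooling from the article or any vendor; the record fields, the sample OT entries and the risk policy are all assumptions made for illustration.

```python
"""Triage a CBOM for PQC readiness (added example, not the article's tooling).
Record layout and samples are constructed; the policy is a simplified assumption:
RSA/ECDSA/ECDH/DH fall to Shor's algorithm, AES-128 keeps ~64-bit security under
Grover, while AES-256 and NIST's ML-KEM (FIPS 203) / ML-DSA (FIPS 204) pass."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
MIN_SYMMETRIC_BITS = 256   # keeps a 128-bit security margin against Grover

@dataclass
class CbomEntry:
    asset: str               # device or firmware component holding the key/cert
    protocol: str            # e.g. TLS wrapping a legacy OT protocol
    algorithm: str
    key_bits: int
    expires: Optional[date]  # None for a hardcoded key with no expiry

def classify(entry: CbomEntry, today: date, horizon_days: int = 90) -> list:
    """Return the findings for one entry; an empty list means nothing to fix yet."""
    findings = []
    alg = entry.algorithm.upper()
    if alg in QUANTUM_VULNERABLE:
        findings.append("quantum-vulnerable")
    elif alg == "AES" and entry.key_bits < MIN_SYMMETRIC_BITS:
        findings.append("reduced-margin")
    if entry.expires is None:
        findings.append("no-expiry")        # hardcoded key: rotation needs a firmware change
    elif entry.expires < today:
        findings.append("expired")
    elif entry.expires - today <= timedelta(days=horizon_days):
        findings.append("expiring-soon")
    return findings

def triage(cbom, today):
    """Map each asset to its findings so weak links in the chain of trust are visible."""
    return {e.asset: classify(e, today) for e in cbom}

# Constructed sample inventory for one OT cell (not real device data).
SAMPLE_CBOM = [
    CbomEntry("plc-01 firmware", "Modbus/TCP over TLS", "RSA", 2048, date(2026, 1, 15)),
    CbomEntry("rtu-07", "DNP3 with bolted-on TLS", "AES", 128, None),
    CbomEntry("historian", "TLS 1.3", "ECDSA", 256, date(2024, 12, 31)),
    CbomEntry("gateway", "TLS 1.3 hybrid KEM", "ML-KEM", 768, date(2027, 6, 1)),
]

if __name__ == "__main__":
    for asset, findings in triage(SAMPLE_CBOM, date(2025, 11, 1)).items():
        print(f"{asset:18s} {', '.join(findings) or 'ok'}")
```

Feeding it real discovery output (parsed TLS handshakes, firmware certificate extractions) instead of the constructed list is the step that turns a spreadsheet into an auditable inventory.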
By focusing on technical visibility rather than mere compliance, OT asset owners can begin the long journey toward quantum resilience and ensure their attestations reflect a genuine security posture.