Post-quantum cryptography for operational technology.
SCADA and OT network exposure
Supervisory control and data acquisition (SCADA) networks in energy, water, and transport infrastructure rely on authentication and integrity mechanisms that were designed in an era when quantum computing was a theoretical concern. Industrial protocols — IEC 61850, DNP3 Secure Authentication, ICCP — use RSA or ECDSA for device authentication and command signing. A forged control command delivered to a substation SCADA master or a water-treatment PLC carries consequences that are qualitatively different from a compromised consumer account: the impact is physical and potentially irreversible.
Quanten’s OT engagement begins with a protocol inventory across the IT/OT boundary, mapping which authentication mechanisms are used at each point in the SCADA hierarchy. The output is a risk register ordered by consequence severity and classical security margin, with migration recommendations calibrated to the operational constraints of each asset class.
Engagement deliverables
- IT/OT protocol inventory across SCADA masters, gateways, relays, PLCs, and remote-access paths.
- Gateway-first migration plan for assets that cannot receive firmware or protocol updates in time.
- NIS2 and IEC 62443 evidence notes linking cryptographic changes to security requirements.
NIS2 Directive and IEC 62443 alignment
The NIS2 Directive, effective across EU member states from October 2024, requires operators of essential services in energy, transport, water, and digital infrastructure to implement appropriate technical and organisational measures proportionate to the risk. Cryptographic hygiene — including migration away from algorithms approaching end-of-life — falls directly within the security measures that NIS2 Article 21 enumerates. National competent authorities are beginning to include PQC readiness in their supervisory questionnaires.
IEC 62443, the industrial automation and control systems security standard, addresses cryptographic requirements at the component (SL) level. Quanten maps its algorithm deployment to IEC 62443-3-3 system security requirements and IEC 62443-4-2 component security requirements, providing documentation that supports conformance assessments under both the standard and its national implementations.
- SCADA authentication migration (IEC 61850, DNP3 SA, ICCP)
- NIS2 Article 21 technical measure documentation
- IEC 62443-3-3 and 62443-4-2 alignment artefacts
- IT/OT boundary crypto inventory and risk register
20-year embedded device lifetimes
A protection relay installed in a transmission substation today will still be in service in 2044 or 2045. A firmware-signing key generated at manufacture with RSA-2048 will need to remain trustworthy for that entire period. Under a 2029–2033 CRQC planning scenario, that key is already within the risk window for archive-based attacks on its signature chain. Quanten’s embedded-device strategy addresses two constraints that do not exist in the IT world: severely limited compute resources (many field devices have 32-bit microcontrollers with no hardware accelerator) and the impossibility of a traditional field-wide firmware update campaign in reasonable time.
For constrained devices, Quanten provides tuned implementations of SLH-DSA (hash-based, no lattice math required) and tracks FN-DSA/Falcon for compact NTRU signatures once the implementation and standards profile fit the device class. For devices that cannot be updated at all, the migration path shifts to the gateway layer: a PQC-capable gateway authenticates on behalf of the legacy device and presents a post-quantum signature to the upstream system. Contact our team to discuss the right strategy for your specific device portfolio.
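A minimal sketch of the risk register described above, ordered by consequence severity and then by classical security margin, with the gateway-first rule applied to assets that cannot be updated. This is an added example, not Quanten's tooling: the asset names, severity scale, service dates and path labels are constructed assumptions, and the 2029 cut-off is the earliest year of the page's planning scenario.

```python
from dataclasses import dataclass

# Earliest year of the text's 2029-2033 CRQC planning scenario.
CRQC_EARLIEST = 2029
# Classical security strength in bits (NIST SP 800-57 estimates). All of these
# fall to Shor's algorithm, so the margin is a classical ranking only.
CLASSICAL_BITS = {"RSA-2048": 112, "ECDSA-P256": 128, "RSA-3072": 128}

@dataclass
class Asset:
    name: str
    algorithm: str     # signature scheme used for authentication or signing
    severity: int      # assumed scale: 1 (low) to 5 (physical, irreversible)
    service_end: int   # last year the asset is expected to be in service
    updatable: bool    # can it take a firmware or protocol update in time?

def exposure_years(asset):
    """Years the asset remains in service after the earliest CRQC year."""
    return max(0, asset.service_end - CRQC_EARLIEST)

def migration_path(asset):
    """Hypothetical path labels: gateway-first when no update is possible."""
    if exposure_years(asset) == 0:
        return "retires-before-scenario"
    return "firmware-pqc-signature" if asset.updatable else "gateway-first"

def build_register(assets):
    """Highest severity first, then lowest classical margin, then longest
    exposure, matching the ordering the engagement text describes."""
    ranked = sorted(
        assets,
        key=lambda a: (-a.severity, CLASSICAL_BITS[a.algorithm], -exposure_years(a)),
    )
    return [(a.name, a.algorithm, exposure_years(a), migration_path(a))
            for a in ranked]

# Constructed inventory for illustration only.
INVENTORY = [
    Asset("historian-server", "RSA-3072", 2, 2028, True),
    Asset("substation-relay", "RSA-2048", 5, 2045, False),
    Asset("scada-master", "ECDSA-P256", 5, 2035, True),
    Asset("water-plc", "RSA-2048", 4, 2040, False),
]

if __name__ == "__main__":
    for row in build_register(INVENTORY):
        print("{:<18} {:<11} exposure={:>2}y  {}".format(*row))
```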