Wouldn’t it be great if power utilities had an easy way to use deep data analysis to deploy their assets in the perfect places, predict and prevent outages, and optimize the flow of electricity through the grid? This dream is about to become reality because the rapid evolution of quantum computing will soon let them do all this and more, transforming power delivery as we know it.
But there’s an unpleasant or even harmful side to the quantum story. In the wrong hands, a quantum computer could become a powerful tool for attacking the grid. How? Someday, a bad actor will gain access to what’s known as a cryptographically relevant quantum computer, or CRQC, that can smash the encryption methods utilities use to protect critical operational technology (OT) and IEC 61850 communications. Preparing to address this reality is the only way to mitigate the future risk.
This day, known colloquially as Q-Day, could arrive within a decade. There’s much debate about the exact timeline. But this much is clear: None of a utility’s many stakeholders — executives, workers, customers, communities, investors — wants to see or suffer the consequences of a quantum-based attack, which can run the gamut from power outages and ruined infrastructure to fires or potentially loss of life.
All of this evokes one simple message: Utilities need to start building quantum-safe communications networks now.
Quantum attacks are a clear and present danger
Quantum computing represents the next big evolutionary leap in the computing world. The classical computers we all know and love work with bits that store information in binary form. But quantum computers work with qubits, which can exist in multiple states due to the quantum principle of superposition. This means they can simultaneously perform many complex calculations at lightning speed. Even the most powerful classical computers can’t do that.
By tapping into the power of qubits, quantum computers can support applications that involve chewing through huge, complicated sets of mathematical calculations. They have the potential to tackle big business, logistical and societal challenges that have thus far been out of reach. With this, it’s hardly surprising that governments and enterprises are working, investing and competing so hard to develop practical quantum computers.
So, where’s the threat? Well, as they tend to do, bad actors will be eagerly awaiting the arrival of this groundbreaking technology, and looking for ways to use it for purposes that are not typically aligned with the goals of the utility they are targeting. They already have access to two key algorithms that could enable them to breach the confidentiality of utility OT communications. Shor’s algorithm can crack asymmetric cryptography methods that rely on the complexity of integer prime factorization and discrete logarithm problems. Grover’s algorithm can cut the protection provided by symmetric encryption keys with quadratic acceleration.
Thankfully, no one has been able to take advantage of these algorithms because they are designed to operate on quantum circuits that consist only of qubits. But with a powerful enough CRQC, a bad actor could align it for their purposes in a matter of hours or minutes. This would mean new levels of risks to be mitigated for utilities, along with other critical industries.
Power utilities need quantum-safe networks now
Even though their adversaries don’t yet have CRQCs, utilities need to treat the quantum threat as a zero-day vulnerability or, in simpler terms, a “today problem.” That’s because these adversaries might already be using fiber tapping and advanced storage to collect and stockpile massive volumes of encrypted grid telemetry. This information is of no use to them immediately. However, after Q-Day, they could have the means to decrypt it, compromise its confidentiality and gain vital intelligence about the inner workings of the grid.
This threat, known as ‘harvest now, decrypt later’ (HNDL), isn’t a problem that power utilities should wait to address. If bad actors do succeed in getting CRQCs and decrypting OT communications, they will be able to use what they learn to design tailored man-in-the-middle (MITM) or denial-of-service (DoS) attacks on the grid.
What could this look like in real life? Bad actors like a cyber activist might use a confidentiality breach as an on-ramp to issue spoofed commands to take control of vital intelligent electronic devices (IEDs) or try to engulf core grid management servers with DoS attacks. They might also use a targeted MITM attack to take control of a key set of grid assets or disrupt vital inter-substation communications. These types of attacks have already occurred. In one case, hackers compromised a water treatment facility and made the water toxic. In another, hackers damaged wind turbines by issuing commands that made them spin too fast.
The need for action on quantum security is also urgent because the threat is coming at a time of great change for utilities. Many utilities are transitioning to software-centric, data-driven operations and shifting grid communications from legacy TDM- and SONET/SDH-based networks to new IP and Ethernet networks.
These changes will empower utilities to use technology-based standards such as IEC 61850 and digitalized OT to support automated and adaptive operations in substations and across the grid. This will help them prepare for their most pressing challenges, including keeping pace with new demands created by power-hungry AI applications, the increasing adoption of electric vehicles and heat pumps, and the electrification of industries.
Grid modernization with its numerous advantages also comes with the disadvantage that bad actors have new tools to attack. And CRQCs, qubits and quantum algorithms will be very potent weapons. The need for a rock-solid quantum-resistant defense is becoming more urgent.
Cybersecurity compliance is more important than ever
Power utilities typically have a strong defense against existing threats and are highly attuned to new threats because they need to comply with cybersecurity regulations, such as NIS and NIS2 in the EU and NERC CIP in North America. These regulations help ensure that they use technologies such as encryption to maintain the confidentiality and integrity of mission-critical data as it moves through their networks.
It's true that quantum threats will be tougher to handle than any cybersecurity threats utilities are facing today. After all, they will have the potential to penetrate the encryption schemes that currently protect OT communications in the grid. To stay ahead of the bad guys and maintain regulatory compliance, utilities will need to build on their considerable security experience and threat awareness, continuously evaluating and reinforcing their existing strategies.
Quantum-safe networking is possible today
The good news is that the cybersecurity world is keenly aware that the pending arrival of practical quantum computers poses an existential threat to long-trusted encryption methods. Major standards organizations such as ETSI and NIST are hard at work developing and testing standards for post-quantum cryptography (PQC) algorithms. NIST released three PQC standards in August 2024. Once the security industry adopts and implements these standards, utilities will be able to use them to protect their critical communications against bad actors with CRQCs.
There’s even better news: Utilities don’t have to wait anxiously for the arrival of standardized PQC algorithm implementation to make their networks and critical OT communications quantum-safe. They can take advantage of existing encryption technologies—some of which they already use—to transform their grid communications networks into a tough first line of defense against any quantum threat.
The best way for utilities to become quantum-safe is to adopt a defense-in-depth approach that protects critical applications with symmetric encryption at different layers of the network. Utilities can get this level of protection by deploying symmetric encryption technologies that use a key size of at least 256 bits at different layers of the network, such as OTNsec for the optical layer (layer 1) and MACsec for the data link layer (layer 2).
These technologies use AES-256 encryption, which offers an excellent defense against encryption-busting quantum algorithms. Shor’s algorithm can’t crack it, and Grover’s algorithm can’t overcome its long key size. Utilities will be able to rely on AES-256 from today and keep using it after they adopt standardized PQC algorithms. That’s the very definition of a multilayer defense.
To maximize the protection provided by OTNsec and MACsec, utilities should combine them with a trusted source that can generate 256-bit session keys with high entropy. With quantum-safe encryption in place, they can then bolster their defenses with capabilities such as access control lists, network segmentation and firewalls.
How should utilities go about choosing a quantum-safe networking solution? The key is to look for solutions that are flexible and scalable enough to evolve to protect grid application needs 24/7, starting today. The best solutions will integrate seamlessly with the existing network and security environment and complement the long-awaited PQC algorithms once they get the nod from NIST, ETSI and other standards bodies.
Don’t wait for Q-Day!
The quantum threat is a clear and present danger, but robust and reliable protection is available to utilities today. By evaluating their existing encryption methods and working with a trusted partner to deploy quantum-safe encryption now, utilities will be able to pursue their OT modernization and IEC 61850 ambitions to take on their big challenges without worrying about existing HNDL threats or future post-quantum attacks.
