Upgrading ICS to post-quantum cryptography will be demanding, as CISA outlines plans for critical infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that upgrading industrial control systems (ICS) to post-quantum cryptography will be a challenge, because deployed cryptography-dependent ICS hardware is costly to replace and the associated equipment is often geographically dispersed.

“However, organizations should make necessary preparations for migration to post-quantum cryptography,” the agency said in its latest CISA Insights document titled ‘Preparing Critical Infrastructure for Post-Quantum Cryptography.’ It “urges ICS organizations to ensure that their hardware replacement cycles and cybersecurity risk management strategies account for actions to address risks from quantum computing capabilities.” 

CISA made the observation on Wednesday while outlining the actions that critical infrastructure stakeholders should take to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.

The document notes that nation-states and private companies are actively pursuing quantum computing capabilities. While quantum computing technology capable of breaking the public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities across public and private organizations must work together to prepare for a new post-quantum cryptographic standard to defend against future threats.

To help critical infrastructure partners prepare for the adoption of post-quantum cryptography, CISA analyzed how each of the 55 NCFs (national critical functions) is vulnerable to quantum computing capabilities, the CISA document said. CISA also examined NCF-specific systems’ challenges when migrating to post-quantum cryptography. The results of this analysis identified the urgent vulnerabilities and NCFs that are most important to address first to enable a successful migration to post-quantum cryptography. 

CISA analyzed each NCF based on its vulnerability to the expected impacts of quantum computing on the nation’s critical infrastructure, according to the document. The agency ranked each NCF as high, medium, or low priority based on the urgency of its dependencies on the current cryptographic standards, the scope and scale of organizations and systems that will require updates, and the relative costs to organizations to upgrade to the new standard. CISA also ranked factors impacting each NCF’s migration as exacerbating, neutral, or mitigating. These factors include the availability of human capital and the status of migration preparations.

The CISA document included an assessment developed by the Homeland Security Operational Analysis Center (HSOAC), a federally funded research and development center operated by the RAND Corporation, which identifies three NCF areas that the U.S. government and private industry should prioritize. 

Several NCFs will enable the migration of most functions to post-quantum cryptography. Success in providing this support will mitigate risk for most users. The dependence on ICS is an area of concentrated vulnerability because of the long replacement life cycle of ICS hardware and the wide geographic distribution of equipment. Finally, NCFs with long secrecy lifetimes will require significant support to ensure the nation’s most sensitive data remains secure. 

CISA will also continue to provide insight on how quantum computing capabilities impact NCFs going forward, the document said. 

Several NCFs will directly support the migration to post-quantum cryptography across the critical infrastructure community by providing products, patches, and other software and firmware updates that integrate the new cryptographic standard. Most NCFs and the critical infrastructure they support depend on these enabling functions to execute the migration successfully and secure their sensitive information. 

CISA said that the four NCFs likely to be the most important in supporting a successful migration are: providing Internet-based content, information, and communication services; identity management and associated trust support services; providing IT products and services; and protecting sensitive information.

“CISA recommends that stakeholders responsible for these NCFs partner closely with NIST, DHS, and other government agencies to ensure their preparedness to not only migrate themselves, but also to support the migration of digital communications across other NCFs,” the document said. “Action will be required of stakeholders across all NCFs, but only after these four create products and services that enable further updates to take place.”

NIST chose last month the initial group of encryption tools designed to withstand attack by a future quantum computer, which could potentially break the cryptography used to protect privacy in digital systems. The four selected algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.

Last October, the U.S. Department of Homeland Security (DHS) and NIST laid out a roadmap to help organizations protect their data and systems and reduce risks related to the advancement of quantum computing technology. The plan was intended to raise awareness and to guide federal, state, local, tribal, and territorial partners, critical infrastructure owners and operators, and others in the private sector.

Alejandro N. Mayorkas, Secretary of Homeland Security, also outlined his vision for cybersecurity resilience last March and identified the transition to post-quantum encryption as a priority. As a result, government and critical infrastructure organizations must take coordinated preparatory actions now to ensure a smooth migration to the new post-quantum cryptographic standard that NIST will publish in 2024.
