The race is on to build the world’s first useful quantum computer. If the roadmaps published by leading players like IBM and Honeywell are to be believed, we might even get there this decade.
It’s an exciting prospect, particularly as these super-powerful machines offer transformative benefits to almost every industry, including manufacturing.
But quantum computers also pose an existential cybersecurity problem. With exponentially higher processing capability than today’s most powerful machines, they’ll be able to smash through the public-key encryption standards relied on by all industries to protect their information. That’s a huge threat to the security of all sensitive information, past, present and future.
It’s this threat that inspired the US National Security Agency (NSA) to warn, as early as 2015, that we ‘must act now’ to defuse the threat. It’s also why the US National Institute of Standards and Technology (NIST) is racing to standardize new, post-quantum cryptographic solutions for widespread roll-out (algorithms which are quantum-secure, yet can be implemented using today’s technology on companies’ existing systems).
Understanding the threat to manufacturing
No industry can ignore the quantum threat, and manufacturing is no different.
From the interdependent systems of upstream and downstream suppliers to the ageing industrial equipment within their own factories, manufacturers are already inherently vulnerable to cyberattacks.
And that’s before you introduce digital transformation into the mix. Throw in automation, the internet of things (IoT) and increasingly digital, networked supply chains, and you introduce yet more vulnerabilities.
IP theft and cyber-espionage are already an endemic problem for the manufacturing sector. Research from Symantec shows that the majority of cyber-espionage attacks seek access to manufacturers’ IP, leading to millions, if not billions, of pounds in lost R&D costs every year.
Quantum computers would leave that IP wide open to hackers – a major concern for manufacturers working in commercially-sensitive industries where billions are spent on R&D. Highly advanced industries, with specialized processes and technologies as well as high barriers to entry, are likely to be targeted first: think semiconductors, aerospace and pharmaceuticals.
The threat is also acute for manufacturers working in sectors relevant to national security.
Although it may take years for functional quantum computers to get into the hands of everyday hackers, nation states will have the resources – and the ambition – to put them to work much earlier.
For hostile nation states, manufacturers involved in the US and UK defense supply chains will be particularly high-value targets. A targeted quantum attack could have a profound impact on defense manufacturers, limiting production volumes and schedules as well as having the potential to trigger a catastrophic failure of weapons systems and equipment.
Getting ahead of the threat
To stay ahead, manufacturing companies need to address the risks they can see… as well as the ones they can’t.
The good news is that NIST’s efforts to standardize post-quantum encryption have been fruitful, and powerful, reliable standards should be confirmed within the next year and a half.
And manufacturers don’t need to wait for that to happen before taking action – there’s plenty they can do to prepare for full quantum readiness.
1. Begin by promoting quantum literacy within your business to ensure that executive teams understand the severity and immediacy of the quantum security threat to your business. Faced with competing priorities, leaders may otherwise struggle to understand why this issue deserves immediate attention and investment.
2. Identify specific risks that could materialize for you. What would a quantum attack look like, and what consequences would your business be facing if sensitive information were to be decrypted?
3. Now look at your use of cryptography. It’s likely that you have layers of protection built up over time by many decision-makers. What standards are you relying on? What data are you protecting, and where? This cryptography audit is crucial, as it will help you to identify weak spots as well as uncovering inconsistencies that need to be ironed out.
4. Once you’ve got a full view of this, you can start planning your migration to a quantum-ready architecture. You may want to bring in a specialist consultant to help you with this, if it’s not your area of expertise. How flexible is your current security infrastructure? How easily can your existing information security system be replaced with another cryptography solution (‘crypto-agility’)? Given that multiple encryption and signature methods will be standardized by NIST with different properties (key size, ciphertext, signature size, and so on), which one is more suitable for a given use case? In order to migrate to new, quantum-ready technology, do you need to rewrite everything, or could you make some straightforward switches?
5. Although post-quantum encryption standards are yet to be finalized, the direction of travel is already clear. Design your security infrastructure to work with NIST’s shortlisted approaches – a good way to build resilience and flexibility into your security architecture ahead of time. This should ensure you comply with whichever standards are eventually announced, and are fully protected from the quantum threat in the meantime.
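A minimal sketch of the cryptography audit in steps 3 and 4, added here as an illustration and not taken from the author or PQShield. The inventory rows, the 10-year horizon to a capable quantum computer and the 3-year migration time are constructed assumptions; the prioritization applies Mosca's inequality (data shelf life plus migration time compared with time to attack).

```python
from collections import defaultdict

# Constructed inventory: system, purpose, algorithm, key bits, years data must stay secret.
INVENTORY = """\
plm-server,key-exchange,ECDH,256,15
plm-server,signature,RSA,2048,0
scada-gateway,key-exchange,RSA,1024,5
supplier-portal,key-exchange,ECDH,256,2
backup-vault,bulk-encryption,AES,128,20
firmware-signing,signature,ECDSA,256,0
"""

# Public-key schemes whose hardness assumptions Shor's algorithm breaks.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        system, purpose, alg, bits, years = [f.strip() for f in line.split(",")]
        rows.append({"system": system, "purpose": purpose, "alg": alg.upper(),
                     "bits": int(bits), "years": int(years)})
    return rows

def assess(row, horizon_years, migration_years):
    """Return (priority, reason); a lower priority number is more urgent."""
    if row["alg"] in SHOR_BROKEN:
        # Mosca's inequality: shelf life + migration time > time to attack.
        exposed = row["years"] + migration_years > horizon_years
        if row["purpose"] == "key-exchange" and exposed:
            return 1, "recorded traffic decryptable while data is still sensitive"
        return 2, "quantum-vulnerable public-key algorithm"
    if row["alg"] == "AES" and row["bits"] < 256:
        return 3, "Grover's search roughly halves effective key bits"
    return 4, "no quantum-specific finding"

def audit(text, horizon_years=10, migration_years=3):
    rows = parse(text)
    findings = sorted((assess(r, horizon_years, migration_years)
                       + (r["system"], r["alg"])) for r in rows)
    # Inconsistencies: one purpose served by several algorithm/key-size choices.
    by_purpose = defaultdict(set)
    for r in rows:
        by_purpose[r["purpose"]].add((r["alg"], r["bits"]))
    inconsistent = {p: sorted(v) for p, v in by_purpose.items() if len(v) > 1}
    return findings, inconsistent

if __name__ == "__main__":
    findings, inconsistent = audit(INVENTORY)
    print(*findings, inconsistent, sep="\n")
```

Shortening the assumed horizon moves more key-exchange entries into the top priority, which is why the horizon and migration estimates should be revisited as part of the audit.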
The quantum threat is serious, and it’s urgent. The NSA, NIST and others are acting now – manufacturers must do the same if they want to ensure their security lasts as long as the products they build.
Ali El Kaafarani
Ali El Kaafarani is CEO and founder of PQShield, a UK-based cybersecurity company specialized in post-quantum cryptography. A spin-out from the University of Oxford, PQShield is a leading contributor to NIST’s landmark project to standardize post-quantum encryption and the only cybersecurity company that can demonstrate quantum-safe cryptography on chips, in applications and in the cloud. The company’s quantum-secure cryptographic solutions work with companies’ legacy systems to protect data now and for years to come.