Comprehensive Report on Post-Quantum Cryptography (PQC) Management
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that are secure against an attack by a quantum computer. As quantum technologies progress, transitioning from classical to quantum-resistant algorithms is becoming a critical mandate for enterprises, governments, and critical infrastructure operators.
We set out to size the effort (how big is the bread box?) it takes to truly prepare an established organization to be PQC ready. What we found:
If you haven’t started your quantum readiness journey, you’re already behind—because the data you encrypt today may be the data attackers decrypt tomorrow.
We used our research to drive our PQC management processes, craft our industry targeted operational management frameworks, and to build out our approach for PQC Readiness Assessments. We wanted to share a glimpse into the overall process and let you know OT SOC Options is prepared to help your teams understand the "how" and lead the charge for your organization.
- First, you'll need to figure out everything in your system that uses cryptography. Think of it as taking inventory of all your digital security tools. To do this, you can use automated scanners to look for things like digital certificates, how keys are being used, and any software libraries that handle encryption. NCC Group recommends starting with your TLS endpoints (that's the stuff that secures your website connections) and your PKI stores (where you keep your certificates). Pay extra attention to older systems, as they might be using older encryption methods like RSA or ECC.
- Next, you'll want to flag any of those older encryption methods that might be vulnerable to future quantum computer attacks. Things like RSA and ECC fall into this category. You can label these using your inventory tools, basically adding a note that says, 'Hey, this might need an update later.' For example, you could tag any RSA-2048 keys with a label like "quantum vulnerable." Tools like Venafi or free options like cfssl can help with this.
- Finally, you can use specialized tools to get a detailed look at your cryptography setup. Start with things like sslscan, testssl.sh, or the Qualys SSL Labs online scanner. These will tell you which encryption methods you're actually using and how strong they are. The NCC Group guide, specifically Chapter 2, has a list of some basic tools to get you started.
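A small inventory scanner for the discovery step above, added here as an example rather than code from the original post: it parses the text output of `openssl x509 -noout -text` for an exported PKI store and tags every RSA/ECC key as quantum-vulnerable. The sample certificate text is constructed, and treating EdDSA as ECC is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key families broken by Shor's algorithm; key size does not change the tag.
# Assumption: EdDSA is counted as ECC, as "RSA or ECC" above implies.
QUANTUM_VULNERABLE = {"rsaEncryption", "rsassaPss", "dsaEncryption", "id-ecPublicKey", "ED25519", "ED448"}


@dataclass
class Finding:
    subject: str
    algorithm: str
    bits: Optional[int]
    not_after: str
    tag: str


def parse_openssl_text(text: str) -> List[Finding]:
    """Parse `openssl x509 -noout -text` output (one or more certs) and tag each key."""
    findings = []
    for block in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        subject = re.search(r"^\s*Subject:\s*(.+)$", block, re.M)
        alg = re.search(r"Public Key Algorithm:\s*(\S+)", block)
        bits = re.search(r"Public-Key:\s*\((\d+) bit\)", block)
        not_after = re.search(r"Not After\s*:\s*(.+)$", block, re.M)
        if not (subject and alg):
            continue  # malformed block: in production, log it rather than drop it
        algorithm = alg.group(1)
        tag = "quantum-vulnerable" if algorithm in QUANTUM_VULNERABLE else "review-manually"
        findings.append(Finding(subject.group(1).strip(), algorithm,
                                int(bits.group(1)) if bits else None,
                                not_after.group(1).strip() if not_after else "", tag))
    return findings


# Constructed sample in the openssl text layout: a long-lived RSA VPN cert and a P-256 API cert.
SAMPLE = """\
Certificate:
    Data:
        Issuer: CN = legacy-ca.example.internal
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2034 GMT
        Subject: CN = vpn.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Certificate:
    Data:
        Issuer: CN = api-ca.example.internal
        Validity
            Not Before: Jan  1 00:00:00 2025 GMT
            Not After : Jan  1 00:00:00 2026 GMT
        Subject: CN = api.example.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)"""
```

Feed it the concatenated `-text` output of every certificate in a store and the `not_after` field shows which vulnerable keys will still be live years from now.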
Risk Assessment & Prioritization
- Okay, so now that you know what crypto you have, you need to figure out what's most important. Think of it like deciding what valuables you'd save first in a fire. To do this, you can use a simple chart. On one side, you'd rate how critical the data is – how bad would it be if it got out? On the other, how likely is it to be exposed? Combine those two ratings, and you'll know what to focus on. ENISA, in their guidelines, suggests doing this based on your industry, because a bank's priorities are different from, say, a power company's.
- Next up, you have to think about future threats, specifically the 'Harvest Now, Decrypt Later' problem. Basically, this is the idea that someone could steal your encrypted data today and then crack it with a quantum computer years down the line. To deal with this, you need to figure out what data absolutely has to stay secret for a long time – things like personal information or trade secrets. Then, you'll want to move that data to encryption methods that are safe from quantum attacks, just to be on the safe side.
- Alright, so when it comes to actually making your systems quantum-safe, you'll want to use the new encryption methods that the National Institute of Standards and Technology, or NIST, has picked. They've done the hard work of figuring out what's best.
- For things like securing your website connections (TLS) and VPNs, they've chosen CRYSTALS-Kyber. It's fast and efficient, and basically replaces the older RSA-style key exchanges. NIST themselves called it a really good all-around choice.
- And for digital signatures, which are like digital handshakes that prove something is authentic, you've got a few options: CRYSTALS-Dilithium is the main one for software, like signing firmware updates. Then there's SPHINCS+, which is a bit slower, but it's good to have as a backup because it uses different math than the others. That way, if someone ever figures out how to crack the math behind Dilithium, you've got another layer of security. NIST has a table summarizing these details if you need a quick reference.
- So here's the game plan for actually switching over to these new quantum-safe methods:
- First, don't just ditch your old systems all at once. It's much safer to do what's called a 'hybrid deployment.' Think of it as wearing both a belt and suspenders. You'd combine your existing encryption methods, like RSA, with the new quantum-safe ones, like Kyber. So, for example, you'd have your website connections use both RSA and Kyber at the same time. Cloudflare and Google have been experimenting with this in their TLS setups, and you can read about it in some research papers on arXiv.
- Next, you've got to put your new systems through their paces. You need to see how they handle real-world stress. This means running simulations in your testing environments, with the same kind of traffic your systems usually get. You can use tools like Apache JMeter or Locust to measure how much lag you're getting. You'll also want to benchmark the new quantum-safe algorithms against the old ones. Research papers on arXiv have some benchmarks you can check out.
- Finally, you'll need to integrate these new methods into all your existing security infrastructure. That means updating things like your certificate authorities, your VPNs, your web servers, your secure messaging apps, and your cloud services. Keep an eye out for updates from your vendors that support these new quantum-safe algorithms. For example, the OpenSSL project is working on patches, and cloud providers like AWS are publishing their plans for quantum-safe encryption.
- Alright, let's talk about how to make this transition as smooth as possible, and how to stay on top of things:
- First, don't just flip a switch and change everything at once. You want to do a 'phased deployment.' Start by rolling out the new quantum-safe stuff on services that aren't super critical. Basically, test the waters first. While you're doing this, you'll want to collect lots of data, or 'telemetry,' so you can see how things are performing. If you run into any problems, you'll need a clear plan to roll back to your old systems. Accenture suggests even testing with a small group of internal 'sandbox' users first, to catch any early issues.
- And finally, you need to stay up-to-date on all the latest developments in quantum threats and any changes from NIST. You should assign someone on your team, maybe a cryptography expert, or add this to your existing risk management team's responsibilities. That person will need to keep an eye on NIST's updates and subscribe to newsletters from organizations like ENISA, so you're always aware of any new threats or changes in the standards.
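Returning to the Risk Assessment steps, here is an added example (not from the original post) that scores assets on the criticality-by-exposure matrix and applies a Mosca-style shelf-life test for the 'Harvest Now, Decrypt Later' problem; the threat horizon, priority bands and sample assets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed planning assumption: years until a cryptographically relevant
# quantum computer is expected. Set this from your own threat model.
THREAT_HORIZON_YEARS = 10


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 3 (high): damage if the data were exposed
    exposure: int           # 1 (low) .. 3 (high): likelihood the ciphertext is captured
    secrecy_years: int      # how long the protected data must stay confidential
    migration_years: float  # estimated time to move this system to quantum-safe crypto
    quantum_vulnerable: bool = True  # from the inventory tag (RSA/ECC in use)


def hndl_exposed(a: Asset, horizon: int = THREAT_HORIZON_YEARS) -> bool:
    """Mosca-style shelf-life test: if the data must stay secret longer than the
    time left before the quantum threat, minus the time migration takes, then
    ciphertext captured today can still be decrypted while it matters."""
    return a.quantum_vulnerable and a.secrecy_years + a.migration_years > horizon


def score(a: Asset) -> int:
    """3x3 criticality-by-exposure matrix (1..9); HNDL exposure adds 9 on top
    so anything harvestable now outranks everything that is not."""
    cell = a.criticality * a.exposure
    return cell + 9 if hndl_exposed(a) else cell


def band(a: Asset) -> str:
    s = score(a)
    if s >= 9:
        return "P1-migrate-now"
    if s >= 4:
        return "P2-plan"
    return "P3-monitor"


def rank(assets: List[Asset]) -> List[Asset]:
    """Migration order: highest score first, ties broken by the longer secrecy need."""
    return sorted(assets, key=lambda a: (score(a), a.secrecy_years), reverse=True)


# Constructed sample portfolio.
SAMPLE_ASSETS = [
    Asset("public-marketing-site", criticality=1, exposure=3, secrecy_years=0, migration_years=0.5),
    Asset("hr-records-archive", criticality=3, exposure=1, secrecy_years=25, migration_years=2),
    Asset("partner-api-tls", criticality=2, exposure=2, secrecy_years=3, migration_years=1),
    Asset("scada-historian-vpn", criticality=3, exposure=2, secrecy_years=15, migration_years=3),
    Asset("internal-wiki", criticality=1, exposure=1, secrecy_years=2, migration_years=1, quantum_vulnerable=False),
]
```

Note how the low-exposure HR archive still lands in P1: a long secrecy requirement, not today's attack likelihood, is what makes data harvestable.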
Governance & Auditability
- Well, so now we're talking about the paperwork and keeping track of everything:
- First, you'll need to update your security rules and make sure you're following any relevant regulations, like ISO/IEC 19790. Basically, you'll need to rewrite your security policies to include the new quantum-safe algorithms that you're using. ISO 19790, for example, says you need to document all the algorithms you're using. ENISA also emphasizes this point in their guidelines.
- And finally, you'll want to make sure your audit logs are keeping a close eye on any changes to your encryption. Your security information and event management (SIEM) system should be logging things like updates to your crypto libraries and any changes to your keys. For example, it should flag any TLS certificates that are using an encryption method that's not on your approved quantum-safe list.
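An added example of the SIEM rules described above (not code from the original post): three detections run over constructed log lines, flagging certificates issued with non-approved key algorithms, TLS handshakes that negotiated a classical-only key exchange, and changes to crypto libraries that need a change ticket. The approved lists, the log line format and the version numbers are constructed assumptions.

```python
import re
from typing import List, Optional

# Constructed policy for this example (substitute your own approved lists).
# Hybrid groups keep a classical component alongside ML-KEM, matching the
# belt-and-suspenders deployment described above.
APPROVED_KEX_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768"}
APPROVED_CERT_KEY_ALGS = {"ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}
CRYPTO_PACKAGES = {"openssl", "gnutls", "libsodium", "bouncycastle"}

# Constructed line format: "<timestamp> <host> <event> key=value ...".
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], **fields}


def evaluate(ev: Optional[dict]) -> Optional[str]:
    """One alert string per policy violation, None when the event is compliant."""
    if ev is None:
        return "unparseable line (check log pipeline)"
    kind = ev["event"]
    if kind == "cert_issued" and ev.get("key_alg") not in APPROVED_CERT_KEY_ALGS:
        return f"cert for {ev.get('subject')} issued with non-approved key algorithm {ev.get('key_alg')}"
    if kind == "tls_handshake" and ev.get("group") not in APPROVED_KEX_GROUPS:
        return f"{ev['host']} negotiated classical-only key exchange {ev.get('group')}"
    if kind == "pkg_changed" and ev.get("name") in CRYPTO_PACKAGES:
        return (f"crypto library {ev['name']} changed {ev.get('old')} -> {ev.get('new')} "
                f"on {ev['host']}: correlate with an approved change ticket")
    return None


def run(lines: List[str]) -> List[str]:
    """Apply the rules to a batch of log lines and return the alerts raised."""
    return [a for a in (evaluate(parse(line)) for line in lines) if a]


# Constructed sample log: two violations, one compliant event of each kind, one library change.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z pki-ca cert_issued subject=vpn.example.internal key_alg=RSA key_bits=2048",
    "2025-03-01T10:01:00Z pki-ca cert_issued subject=api.example.internal key_alg=ML-DSA-65",
    "2025-03-01T10:05:00Z lb-edge tls_handshake client=10.0.0.5 group=X25519MLKEM768 cipher=TLS_AES_256_GCM_SHA384",
    "2025-03-01T10:06:00Z lb-edge tls_handshake client=10.0.0.9 group=secp256r1 cipher=TLS_AES_128_GCM_SHA256",
    "2025-03-01T10:07:00Z host-42 pkg_changed name=openssl old=3.2.1 new=3.5.0 by=root",
    "2025-03-01T10:08:00Z host-42 pkg_changed name=curl old=8.5.0 new=8.6.0 by=root",
]
```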
What's next? So we've talked about what to do, now let's talk about how to do it. There are a few different frameworks out there to help you manage this whole quantum-safe transition.
ENISA's Evaluation Framework:
- Think like a hacker: ENISA says you should start by figuring out who might want to attack you, how they might do it, and where they might try to break in. They have a five-step process to help you with this.
- Balance security and speed: You need to figure out which quantum-safe methods give you the best security without slowing everything down too much. ENISA has tables that compare different algorithms.
- Tailor your plan: Different industries have different needs. ENISA gives specific advice for things like telecom and finance. For instance, they tell telecom companies to start the transition earlier because their certificates tend to last a long time.
- Get everyone on board: You need to teach your developers, IT staff, and managers about quantum threats and quantum-safe cryptography. NIST has videos and online courses to help with this.
- Take stock of your crypto: Just like we talked about earlier, you need to find everything in your system that uses cryptography.
- Test it out: Build a safe space, like a sandbox, to test out the new quantum-safe algorithms.
- Roll it out and check it: Set up a system to automatically deploy and verify the new cryptography, including things like code signing.
Accenture's Enterprise Strategy:
- See where you stand: Accenture has a model that helps you rate how ready your organization is for quantum threats, from "clueless" to "fully prepared."
- Protect your crown jewels: Figure out which data is the most important and needs to be protected for the longest time, like medical records or intellectual property. Label this data so it gets the highest priority.
- Get buy-in from the top: Create a team to manage this transition and make sure your executives understand the risks. Accenture has a dashboard you can use to track progress.
Cloud-Native Transition (from research papers):
- Make your cloud work: If you're using microservices and Kubernetes, you'll need to use things like sidecar containers or service meshes to handle the new quantum-safe certificates. The research papers suggest adding quantum-safe encryption at the entry point of your system.
- Secure your secrets: If you're using HashiCorp Vault to manage your API keys and other secrets, you'll need to use plugins that support quantum-safe key generation.
- Sign your code securely: Your automated build and deployment pipelines should use quantum-safe code signing tools like BouncyCastle or AWS Signer.
Now there's the pragmatic stuff: how this whole quantum-safe transition is going to affect your day-to-day operations and your budget.
- Bigger files and slower handshakes: The new quantum-safe certificates and signatures are larger than the old ones. Expect certificate sizes to increase by 3 to 5 times. You might also see slight delays in SSL handshakes, but we're talking milliseconds here.
- More CPU usage: Your servers might have to work a bit harder, especially during TLS handshakes. On older servers, you might see handshake times go up by 10 milliseconds or more. It's a good idea to run tests to see exactly how much your systems will be affected.
- Memory issues for small devices: Some of the new algorithms, like SPHINCS+, use a lot of memory. This could be a problem for small devices like IoT devices. You might need to look for lighter alternatives or upgrade your hardware.
Infrastructure Adaptation:
- Upgrading your hardware security modules (HSMs): Your HSMs, which are used to store and manage cryptographic keys, will need to support the new algorithms. Check with your vendors for their upgrade plans.
- Using quantum-safe certificate management platforms: You'll need platforms that can issue and manage quantum-safe certificates. Make sure they can automate the certificate lifecycle.
- Training your team: Your IT staff will need to learn about quantum cryptography. Consider sending them to courses or hosting training sessions with experts.
- Hiring consultants: If you're a large company, you might need to hire consultants to help with the transition. This could cost anywhere from $150,000 to $500,000 per year for a 6 to 12 month engagement. But you really should check with us first, as our OT SOC Options consortium will beat any other bid.
Governance and Audit Overhead:
- Dealing with increased compliance: You'll need to update your data protection assessments to reflect the new quantum-safe controls.
- Adding cryptographic assessments to your audits: You'll need to add regular reviews of your cryptographic systems to your audit checklists.
Bottom Line and What You Should Do:
Basically, you need to start planning for this now. Don't wait.
Here's what you should be doing:
- Establishing a crypto-agility posture - Get your systems ready to adapt to new encryption methods quickly. Think of it as building in flexibility.
- Integrating hybrid algorithm models - Start using both your old and new encryption methods at the same time, like a hybrid approach.
- Utilizing ENISA/NIST frameworks for phased implementation - Use the frameworks from ENISA and NIST to break this big project into smaller, manageable steps.
- Budgeting for additional resource demands and tool upgrades - Start budgeting for the extra resources and upgrades you'll need.
Seriously, putting this off is a bad idea. If you wait until quantum computers proliferate, you're going to be facing a much bigger, and more expensive, cleanup job.
First 90 Days: Action Plan by Role
To move from planning to execution, here’s a breakdown of tangible next steps over the first 90 days—organized by key roles. DM me to ask "how".
Security Leadership / CISO
- Day 0–15: Establish a PQC transition steering group
- Day 15–45: Approve a PQC inventory and readiness assessment
- Day 45–90: Define a high-level migration policy
IT Operations / Infrastructure
- Day 0–15: Begin asset and service inventory
- Day 15–45: Flag vulnerable crypto protocols and components
- Day 45–90: Establish test environments for hybrid PQ solutions
Security Engineers / Architects
- Day 0–15: Review NIST and ENISA documentation
- Day 15–45: Conduct proof-of-concept with PQC libraries
- Day 45–90: Benchmark performance and draft integration notes
- Day 0–15: Review regulatory landscape and map relevant obligations
- Day 15–45: Draft policy updates for crypto lifecycle and audit
- Day 45–90: Initiate stakeholder education
Executive Sponsors / Board Liaison
- Day 0–30: Approve pilot resourcing and secure funding
- Day 30–90: Report progress to board
Quantum Readiness Scorecard
Springing into Quantum Readiness: What Progress Looks Like
Quantum readiness doesn’t flip on with a switch—it unfolds in phases, like the seasons. Most organizations start with limited visibility and legacy systems, but with attention and intention, measurable progress starts to bloom.
You’ll begin to see your crypto inventory evolve from static spreadsheets to automated scans. Post-quantum algorithms move from theory to test environments. Policies shift from outdated to forward-looking. And your teams, once unsure, begin speaking the language of resilience.
There are recognizable signs along the way that tell you where your organization stands—whether you're still frozen, actively growing, or fully in bloom.
Curious how to gauge your organization's stage? I’ve put together a simple scorecard to help teams self-assess.
DM me if you'd like the full Scope of the PQC Readiness Assessment process or a copy of our Quantum Readiness Scorecard—no buzzwords, just clarity.
Ready to spring into action? Start your PQC journey today.
- ENISA PQC Evaluation Framework: ENISA Report
- NIST PQC Algorithm Announcement: NIST News
- NCC Group Guidance: NCC Article
- Accenture Enterprise Report: Accenture Insights
- Technical Paper on PQC Cloud Integration: arXiv Paper
OT SOC Options
(a division of Yoink Industries LLC)
Mission Statement and Overview
Mission Statement:
Driving Operational Technology (OT) Cybersecurity forward towards maturity, by seamlessly integrating expert knowledge, advanced technologies, and streamlined processes to enhance the efficacy and resilience of OT Cybersecurity programs across critical industries.
Company Overview:
OT SOC Options is a consortium of independent OT Cybersecurity professionals, combining decades of technical expertise and executive oversight, to tackle the unique challenges of operational technology, cyber/physical, IIoT, and ICS security. Partnering with regional and global Managed Security Service Providers (MSSPs), we cater to both large enterprises and SMBs, delivering tailored solutions that bridge the gap between advanced cybersecurity measures and operational integrity.
We focus on fostering operational maturity by blending strategic insights, robust technologies, and proven frameworks and processes to elevate the security posture of OT environments. Our mission is to empower organizations with comprehensive, effective OT Cybersecurity programs that drive efficiency and reliability while safeguarding critical infrastructure and operational assets.