🚨 NEW PEER-REVIEWED RESEARCH: PQC Migration Timelines

Excited to share my latest paper published in MDPI Computers: "Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks."

The transition to Post-Quantum Cryptography (PQC) represents a watershed moment in the history of our digital civilization. Organizations planning for a 3-5 year "upgrade" will fail. The reality is a 10-15-year systemic transformation.

Key Contributions:

📊 Realistic Timeline Estimates by Enterprise Size:
- Small (≤500 employees): 5-7 years
- Medium (500-5K): 8-12 years
- Large (>5K): 12-15+ years

⚠️ Critical Finding: With FTQC expected 2028-2033, large enterprises face a 3-5 year vulnerability window—migration may not complete before quantum computers break RSA/ECC.

🔬 Novel Framework Analysis:
- Causal dependency mapping (HSM certification, partner coordination as critical paths)
- "Zombie algorithm" maintenance overhead quantified (20-40%)
- Zero Trust Architecture implications for PQC

💡 Practical Guidance: Crypto-agility frameworks and phased migration strategies for immediate action.

Strategic Recommendations for Leadership:

1. Prioritize by Data Value, Not System Criticality: Invert the traditional triage model. Systems protecting long-lived data (IP, PII, Secrets) must migrate first, regardless of their operational uptime criticality, to mitigate SNDL.
2. Fund the "Invisible" Infrastructure: Budget immediately for the expansion of PKI repositories, bandwidth upgrades, and HSM replacements. These are long-lead items that cannot be rushed.
3. Establish a Crypto-Competency Center: Do not rely solely on generalist security staff. Invest in specialized training or retain dedicated PQC counsel to navigate the mathematical and implementation nuances. The talent shortage will only worsen.
4. Demand Vendor Roadmaps: Contractual language must shift. Procurement should require vendors to provide binding roadmaps for PQC support. "We are working on it" is no longer an acceptable answer for critical supply chain partners.
5. Embrace Hybridity: Accept that the future is hybrid. Design architectures that can support dual-stack cryptography indefinitely, viewing it not as a temporary bridge but as a long-term operational state.
6. Implement Automated Discovery: You cannot migrate what you cannot see. Deploy automated cryptographic discovery tools to continuously map the cryptographic posture of the estate, identifying shadow IT and legacy instances that manual surveys miss.

The quantum clock is ticking. Start planning NOW. https://lnkd.in/eHZBD-5Y

📄 DOI: https://lnkd.in/ejA9YpsG

#PostQuantumCryptography #Cybersecurity #QuantumComputing #PQC #InfoSec #NIST #CryptoAgility
Preparing Manufacturing for Post-Quantum Security
Summary
Preparing manufacturing for post-quantum security means making manufacturing systems ready for a future where powerful quantum computers could break today's encryption methods, putting sensitive data and operations at risk. Post-quantum security uses new cryptographic techniques designed to resist attacks from quantum computers, ensuring long-term protection for manufacturing data and systems.
- Map and prioritize: Identify where cryptography is used in your manufacturing systems and focus first on protecting high-value or long-lived data that could be targeted by future quantum attacks.
- Design for flexibility: Build your systems so you can easily update security measures, allowing new post-quantum algorithms to be added as they become available without a complete overhaul.
- Align with partners: Work closely with suppliers, technology vendors, and other partners to make sure everyone is on the same page for adopting post-quantum security, reducing weak points in your supply chain.
By 2035, quantum computers could break today’s RSA/ECC, threatening everything from over-the-air updates to payments, V2X, charging, telematics, and dealer systems. And “harvest-now, decrypt-later” means data we encrypt today may be readable tomorrow.

Thankfully, there’s a path forward with Post-Quantum Cryptography (PQC). So here's what we’re doing (and what I recommend):

1️⃣ Prioritize what matters: Classify apps/data by sensitivity & lifespan (vehicles, keys, firmware, contracts). Tackle the critical 10% first.
2️⃣ Start pilots now: Stand up PQC for key exchange and signatures (NIST picks: CRYSTALS-Kyber, Dilithium, plus FALCON/SPHINCS+ where appropriate). Wrap legacy with interim controls where upgrades aren’t yet feasible.
3️⃣ Engineer for the edge/IoT: Plan for constrained ECUs and long service lives; align PQC with model year cycles and sunset plans to avoid hardware rip-and-replace.
4️⃣ Educate & govern: A cross-functional council (CISO, engineering, legal, procurement) to drive roadmap, metrics, and auditability.

Quantum risk isn’t a future storm; it’s a countdown. Organizations that move now will secure their platforms and earn customer trust in the next digital economy.

#Cybersecurity #PQC #RiskManagement

📸: BCG
-
The imperative to prepare for the transition to quantum-safe cryptography doesn't necessarily mean an immediate switch. Consider these two critical aspects:

☝ Complexity of Cryptographic Algorithm Transition: Transitioning cryptographic algorithms is a complex undertaking. A quick examination within your organization or with your service providers may reveal the use of obsolete algorithms like SHA-1 or TDEA. For example, the payment card industry still employs TDEA, even though its obsolescence was announced in 2019. It's essential to enhance your organization's cryptography management capabilities before embarking on the transition to quantum-safe cryptography.

✌ Scrutiny Required for New PQC Algorithms: The new Post-Quantum Cryptography (PQC) algorithms are relatively recent and warrant careful examination. Historically, we have deployed cryptographic algorithms on a production scale only after several years of existence, allowing comprehensive scrutiny. While PQC standardization offers some security assurances, it doesn't cover the software implementations deployed in your environment. Consider employing phased deployments and hybrid implementations to avoid compromising the existing security provided by classical cryptography.

Recent news, as mentioned in this article, highlights the immaturity of implementations of new PQC algorithms. While the title might be somewhat misleading, it's crucial to recognize that occasional flaws in implementations, like those found (and solved) in various instances of Kyber, serve as reminders. As we transition to these new implementations, we must first gain control over our cryptography.

Here's a suggested action plan:

🚩 Cryptography Management: Prioritize gaining control over your cryptography.

🚩 Understanding Quantum-Safe Cryptography: Familiarize yourself with the development of quantum-safe cryptography.

🚩 Transition Plan Preparation: Follow recommendations to prepare a comprehensive transition plan. Some of my favourite resources are:
- Federal Office for Information Security (BSI)'s "Quantum-safe cryptography" (https://lnkd.in/dqkSAQSP)
- Government of Canada CFDIR's "BEST PRACTICES AND GUIDELINES" (https://lnkd.in/d-w_Nbfj)
- National Institute of Standards and Technology (NIST)'s "Migration to Post-Quantum Cryptography" (https://lnkd.in/dYMKnqBb)

🚩 Decision-Making: Make informed decisions based on the acquired knowledge.

In summary, a thoughtful and phased approach is key to ensuring a smooth transition to quantum-safe cryptography. https://lnkd.in/dxAgF2ac

#cryptography #quantumcomputing #security #pqc #cybersecurity
-
🔐Word o’ the Day | Year | Decade: Crypto-agility, Baby!

Yesterday morning, I did a fun fireside chat with Bethany Gadfield - Netzel at the FIA, Inc. Expo in Chicago. We talked about cyber resilience, artificial intelligence, Rubik’s cubes, and that thing called quantum! A question came up at the end, “What can firms actually do today to begin transitioning to post-quantum cryptography?” So thought I would take the opportunity to share my thoughts more broadly on this important, but not super well understood, topic:

1. Don’t wait. The clock for quantum-safe cryptography is already ticking. NIST released its first set of post-quantum standards last year (https://lnkd.in/esTm8uPw) and CISA put out a “Strategy for Migrating to Automated Post-Quantum Discovery and Inventory Tools” last year as part of its broader Post Quantum Cryptography (PQC) Initiative (https://lnkd.in/evpF4umv). h/t Garfield Jones, D.Eng.!
2. Inventory & prioritize. Map all cryptographic usage: what keys, certificates, protocols, and data streams exist today? Which assets hold long-lived value and are at risk of “harvest-now, decrypt-later”? Build a migration roadmap that prioritizes highest-risk systems (e.g., financial settlement platforms, inter-bank links, legacy encryption).
3. Establish crypto-agility. Ensure your architecture supports swapping algorithms, updating certificates, & layering classical + post-quantum primitives without a full system rebuild. This kind of flexibility is key for resilience.
4. Pilot and migrate. Use the new NIST-approved algorithms; experiment first on less time-sensitive systems, validate performance and interoperability, then scale to mission-critical applications. NIST’s IR 8547 report provides a framework for this transition.
5. Vendor & supply-chain alignment. Ask your vendors & service providers: “What’s your PQC transition plan? When will you support NIST-approved post-quantum algorithms? Are your update paths crypto-agile?” If the answer isn’t clear or (as a former boss of mine used to say) they look at you like a “pig at a wristwatch,” you’ve got a potentially serious third-party risk.
6. Board and Exec engagement. Position this not as an IT problem but a fiduciary risk and resilience imperative.

The transition to quantum-safe cryptography is multi-year and multi-layered—waiting until it’s urgent means it will be too late.
-
Day 8: Data Security and Post Quantum Readiness

In today’s hyper-connected world, data is the new currency and the perimeter, and it is essential to safeguard them from Cyber criminals. The average cost of a data breach reached an all-time high of $4.88 million in 2024, a 10% increase from 2023.

Advances in quantum computing further threaten traditional cryptographic systems by potentially rendering widely used algorithms like public key cryptography insecure. Even before large-scale quantum computers become practical, adversaries can harvest encrypted data today and store it for future decryption. Sensitive data encrypted with traditional algorithms may be vulnerable to retrospective attacks once quantum computers are available.

As quantum technology evolves, the need for stronger data protection grows. Google Quantum AI recently demonstrated advancements with its Willow processors, which enhance error correction using the surface code. These breakthroughs underscore the growing efficiency and scalability of quantum computers. To address these threats, Enterprises are turning to agile cryptography to prepare for the Post Quantum era.

Proactive Measures for Agile Cryptography and Quantum Resistance:

1. Adopt Post-Quantum Algorithms: Transition to NIST-approved PQC standards like CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+. Use hybrid cryptography that combines classical and quantum-resistant methods for a smoother transition.
2. Design for Agility: Avoid hardcoding cryptographic algorithms. Implement abstraction layers and modular cryptographic libraries to enable easy updates, algorithm swaps, and seamless key rotation.
3. Automate Key Management: Use Hardware Security Modules (HSMs) and Key Management Systems (KMS) to automate secure key lifecycle management, including zero-downtime rotation.
4. Protect Data Everywhere: Encrypt data at rest, in transit, and in use with quantum resistant standards and protocols. For unstructured data, use format-preserving encryption and deploy data-loss prevention (DLP) tools to detect and secure unprotected files. Replace sensitive information with unique tokens that have no exploitable value outside a secure tokenization system.
5. Plan Ahead: Develop a quantum-readiness strategy, audit systems, prioritize sensitive data, and train teams on agile cryptography and PQC best practices.

Agile cryptography and advanced data devaluation techniques are essential for protecting sensitive data as cyber threats evolve. Planning ahead for the post-quantum era can reduce migration costs to PQC algorithms and strengthen cryptographic resilience.

Embrace agile cryptography. Devalue sensitive data. Secure your future.

#VISA #PaymentSecurity #Cybersecurity #12DaysofCyberSecurityChristmas #PostQuantumCrypto
-
We just published the full Applied Quantum PQC Migration Framework - the complete methodology for migrating enterprise cryptography to post-quantum standards - freely, under Creative Commons (CC BY 4.0). https://pqcframework.com

The framework is an 8-phase lifecycle covering everything from executive mandate and business case through discovery, CBOM, risk scoring, roadmap, pilots, infrastructure modernization, and vendor governance. It includes cross-cutting sections on crypto-agility architecture, maturity models, metrics, regulatory mapping, and skills.

It comes with four sector-specific extensions:
- Financial Services (banking, payments, capital markets)
- Telecommunications
- Government & Defense
- Critical Infrastructure / OT

This is not another repackaging of NIST guidance or a theoretical migration model. I embedded some hard-earned lessons into it. The framework in parts deliberately diverges from conventional industry approaches where practical experience has shown they don't work. E.g. minimum-viable CBOM, risk-driven discovery scoping, vendor governance first. When I take these more pragmatic positions, I defend each one with evidence, and importantly, we've worked with regulators who have accepted and in some cases adopted these approaches.

If you've been reading PostQuantum.com, you know I've always shared what I've learned openly - the articles on CBOM, crypto-agility, hybrid cryptography, vendor governance, the "Rethinking" series. This framework is the most structured version of that same commitment: putting the complete methodology out there so practitioners can use it, adapt it, and build on it.

Publishing under CC BY 4.0 means anyone can use it - including commercially - with proper attribution. No ambiguity about where this work originates.

If you're a CISO figuring out how to start, a program manager staring at a multi-year migration, a security architect navigating hybrid deployment, or a consultant helping clients get quantum-ready - this is for you. https://pqcframework.com

#pqc #postquantum #quantumsecurity #quantumready #quantumresistance #pqcframework #pqcmigration #pqcmigrationframework
-
EY’s perspective on securing against #quantum #risks emphasizes that quantum #computing is rapidly evolving from a theoretical concern into a material cybersecurity threat that requires immediate strategic action. The core issue lies in the vulnerability of widely used cryptographic algorithms, such as RSA and elliptic curve cryptography, which could be broken by sufficiently advanced quantum computers. This creates a systemic risk to sensitive data, including financial information, intellectual property, and personal records.

A central concept highlighted is the “harvest now, decrypt later” threat model, in which adversaries collect encrypted data today with the intention of decrypting it in the future as quantum capabilities mature. This makes quantum risk a present-day problem, particularly for data requiring long-term confidentiality.

EY stresses that organizations must adopt a proactive and structured approach to quantum readiness. A foundational step is to conduct a comprehensive cryptographic inventory, identify sensitive #data, and map existing #encryption methods. This enables organizations to assess which systems are most exposed and prioritize remediation efforts.

Transitioning to post-quantum cryptography (PQC) is a complex, multi-year transformation that requires careful planning, integration into existing #technology roadmaps, and alignment with emerging standards. Organizations are encouraged to build crypto-agility, allowing them to adapt encryption methods as technologies and standards evolve.

EY also highlights the importance of #governance, #compliance, and #workforce readiness. Quantum resilience requires enterprise-wide coordination, including policy development, regulatory alignment, continuous monitoring, and personnel training.

EY frames quantum cybersecurity not just as a technical upgrade but as a strategic #transformation initiative. Organizations that act early can strengthen resilience, improve cyber maturity, and gain a competitive advantage, while those that delay risk long-term exposure to data breaches, regulatory challenges, and erosion of #digital #trust.
-
I've given talks about Post Quantum Cryptography the past few years and pretty much everyone has appreciated the heads up, for those that haven't made it to a talk here are the highlights of what you need to do to prepare for Quantum Computers.

1) Build organizational readiness:
• Educate and align the C-suite on the urgency of quantum risk and make the business case for a multi-year investment, i.e. get budget.
• Identify personnel responsible for migration execution across different teams, i.e. assign a point person for this project.

2) Discover what you have and assess if the systems are ready:
• Get an inventory of your hardware and software assets to identify encryption protocols and categorize them (PQ ready, deprecated, really old).
• Assess whether hardware assets have sufficient compute to support PQC algorithms (most systems will but the OS might not be ready)
• Figure out which systems will require upgrades or replacements.
• Identify vendors and partners that you use and discuss their PQC roadmaps, migration support capabilities. [This one is key, talk to your vendors, find out what they are doing, or not doing!]

3) Begin getting Quantum ready
• Buy the hardware / software and replace or upgrade whatever does not support PQ cryptography
• Test things! Run proof-of-concept deployments in controlled environments (i.e. your test environment) and use a hybrid approach that combines current and post-quantum algorithms.

4) Deploy Quantum ready solutions
• Roll out your solutions / new hardware & software in phases, starting with your high priority systems (Duh).
• Ensure configurations enforce quantum-safe algorithms by default and automatically block deprecated algorithms when possible (this will be harder than you might think).
• Update your security policies to manage both current and quantum-safe network traffic as you transition.
• For the old stuff you can't get rid of, use proxy solutions to make IoT devices (like hospitals, manufacturing, etc.) quantum-ready until they can be updated directly.

Last but not least, be prepared to change encryption schemes going forward, what we call Crypto Agility.

5) Keep patching your stuff
• Now that you have a list of your hardware and software and what kind of encryption it uses, do this:
• Monitor your inventory for vulnerabilities or new threats. Keep in mind that PQ standards are new and they will likely change over time.
• Establish a process to replace or update vulnerable algorithms

There, you've now just read my talk, but you missed all my jokes and fun stories, but you got the details / important takeaways. 😃 😁 😀

If you want the Internal Control Questionnaire (#ICQ) I put together for some auditor friends, message me here and I'll send it to you.
-
The more I examine infrastructure modernization, the more I question what problem we believe we are actually solving.

Most organizations frame modernization around AI readiness, cloud acceleration, faster networks, denser compute. Those are legitimate drivers. Capital is being deployed with the expectation that these platforms will carry the business for the next decade. But beneath those investments sits a quieter layer that rarely makes the headline slide: the durability of the cryptographic foundation.

#QuantumComputing is still developing in uneven ways, yet #adversaries do not wait for perfection. Data that moves across enterprise networks today often carries long-term value — intellectual property, customer data, strategic plans, regulated information. If that data is encrypted with algorithms that may not withstand future quantum capabilities, modernization may introduce long-term exposure if cryptographic durability is not considered. Harvest-now-decrypt-later reflects how patient actors operate.

Standards bodies, including the National Institute of Standards and Technology (NIST), have begun formalizing and publishing quantum-resistant cryptographic standards. Transition planning is moving from theory into procurement cycles, vendor roadmaps, and regulatory discussions.

When I speak with business and technology executives, the question is no longer whether post-quantum #cryptography matters. It is whether their teams have actually mapped where cryptography lives across the enterprise. Certificates, APIs, service-to-service traffic, SaaS integrations, operational technology, legacy systems. In many environments, that inventory is incomplete. Without visibility, there is no migration path. Without crypto-agility, there is no graceful transition.

This is where infrastructure and security converge in a very practical way.
Modernization decisions affect inspection points, key management systems, hardware acceleration, vendor dependencies, and the ability to swap algorithms without rewriting platforms. An architecture that cannot absorb cryptographic change is not modern in any meaningful sense. It is simply newer. Modernization is a long-term commitment. It deserves a foundation that can withstand long-term shifts. If you are investing heavily in infrastructure over the next several years, it is worth asking whether that architecture can endure a cryptographic transition without disruption. That is a strategic question now, even if it still carries technical language. If your organization is beginning to confront that question, our World Wide Technology #PQC Readiness Workshop is designed to help leadership teams assess exposure, understand dependencies, and begin shaping a practical path forward. #SecureAllTogether
-
📣New NCSC Guidance on PQC Migration Timelines

The UK’s National Cyber Security Centre (NCSC) just released a new publication to help organizations prepare for the shift to post-quantum cryptography (PQC). This 16-page paper outlines the key steps for migration, how different sectors may need to adapt, and timelines for navigating this multi-year transition.

“Timelines for Migration to Post-Quantum Cryptography” breaks down key activities and recommended milestones to guide long-term planning:

📌 By 2028
• Complete discovery of crypto dependencies
• Create your initial PQC migration plan

📌 By 2031
• Migrate highest-priority systems
• Refine your roadmap based on ecosystem maturity

📌 By 2035
• Complete full PQC migration across your estate

“It will not be possible to avoid PQC migration, so preparing and planning now will mean you can migrate securely and in an orderly fashion.”

💬 Link to the guidance in the comments.

#technology #innovation #informationsecurity