
CISA Urges Critical Infrastructure to Prepare for Post-Quantum Cryptography

The US Cybersecurity and Infrastructure Security Agency (CISA) has outlined the steps that critical infrastructure organizations should take to prepare for the migration to the new post-quantum cryptographic standard.


The National Institute of Standards and Technology (NIST) is expected to publish the standard in 2024, but CISA urges stakeholders to prepare in advance, citing potential risks from quantum computing to the entire critical infrastructure.

Quantum computers use qubits, or ‘quantum bits’, to deliver higher computing power and speed in certain scenarios, including solving mathematical problems that the current encryption standards rely on.

As such, quantum computing is expected to become a threat to current cryptographic standards, which support network security and also ensure data confidentiality and integrity.

“In the hands of adversaries, sophisticated quantum computers could threaten U.S. national security if we do not begin to prepare now for the new post-quantum cryptographic standard,” CISA says.

Quantum computers are expected to break public key cryptography (also known as asymmetric encryption, a fundamental element of data encryption in all secure communication, including online banking), impacting the security of business transactions, digital signatures, and customer data.

Symmetric key cryptography, which relies on a single key for data protection, is expected to be less impacted by quantum computers, as long as it moves to longer key sizes; it does not need to migrate to quantum-resistant algorithms.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.


Creating an inventory of vulnerable critical infrastructure systems is a first step that should be taken as part of the Post-Quantum Cryptography Roadmap that the Department of Homeland Security (DHS) and NIST have developed, the agency says.

After analyzing the 55 National Critical Functions (NCFs), CISA has identified vulnerabilities that need to be addressed for a successful migration to post-quantum cryptography, and has outlined steps that should be taken towards mitigating them.

CISA says there are several NCFs that will support the migration to post-quantum cryptography across critical infrastructure, thus mitigating the risk posed by quantum computing: internet-based services, identity management services, information technology services, and protection of sensitive information.

According to CISA, a major challenge will be the migration of industrial control systems (ICSs) to post-quantum cryptography, mainly because of the associated costs and because the equipment is often geographically dispersed. Nonetheless, organizations should prepare for this migration by including in their strategies the actions needed to address risks from quantum computing capabilities.

CISA also warns of the unique quantum challenges faced by NCFs that depend on long-term data confidentiality, including “catch-and-exploit campaigns in which adversaries capture data that has been encrypted using current encryption algorithms and hold on to such data with the intention of decrypting it when a quantum computer capable of breaking the encryption is available.”

Organizations in this category include those responsible for the security of the nation’s sensitive data, industrial trade secrets, personally identifiable information (PII), personal health information (PHI), and sensitive justice system information.

“Although NIST will not publish the new post-quantum cryptographic standard until 2024, CISA urges leaders to start preparing for the migration now by following the Post-Quantum Cryptography Roadmap. Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
