Challenge
A major operator of critical infrastructure – think of a national power grid and its control systems – found itself grappling with the question of quantum readiness. The organization’s board and government overseers were increasingly asking: How will quantum computing impact our operational security, and what should we do about it? In this operator’s environment, technology cycles are long. Industrial control systems (ICS) and operational technology (OT) devices in the field often remain in service for decades, and many were not designed with modern cybersecurity in mind, let alone the threat of quantum-assisted attacks. Moreover, the data handled in this sector (such as grid telemetry, outage management information, or even customer usage data) can have a long shelf life and could be targeted by adversaries looking to exploit it years from now.
The challenge was to build a clear picture of quantum risk specific to this environment and to assess how prepared (or unprepared) the organization was to address that risk. This meant answering questions like: Which systems are using vulnerable encryption that could be broken by a future quantum computer? Could an attacker harvest sensitive control system communications now and decrypt them later, potentially revealing how to disrupt services? Are there points in our network that are especially critical (choke-points) where a quantum-enabled breach would be catastrophic? And equally important, does the current staff have the knowledge and skills to begin tackling these quantum-related issues? The operator needed an actionable baseline – a starting point that identified gaps and charted a path forward – all while aligning with any nascent regulatory expectations for national critical infrastructure protection against quantum threats.
How Applied Quantum Helped
We partnered with this critical infrastructure operator to conduct a comprehensive quantum-risk and readiness assessment, serving as the foundation for their quantum-security program. Our engagement was structured in several phases:
1. Quantum-Risk Profile Development: We began by mapping out all the places where quantum vulnerabilities intersected with the operator’s systems and data. This meant performing a detailed cryptographic review of their SCADA systems, communication networks, and data archives. We looked at, for example, the encryption protecting data links between control centers and remote substations – were these using long-term RSA keys that might be exposed by a quantum adversary? We identified instances where sensitive operational data (like system configuration files or emergency response plans) was stored encrypted with algorithms that could be broken in the future. Importantly, we worked with the operator’s threat intelligence team to envision future threat scenarios: for instance, a nation-state adversary intercepting and storing encrypted grid control commands with the intent to decrypt them later and learn how to disrupt electricity distribution. We also scrutinized the physical and network architecture to spot systemic choke-points – key systems whose compromise (via broken encryption or other means) would have an outsized impact on operations. The outcome of this phase was a formal Quantum-Risk Profile document that highlighted specific vulnerabilities and the potential impact of quantum-powered attacks on each.
2. Maturity and Readiness Baseline: Next, we assessed the organization’s current maturity in dealing with emerging threats like quantum. We used a maturity model tailored for cybersecurity in critical infrastructure, expanding it to include quantum-readiness criteria. Through interviews and workshops with IT, OT security teams, and engineering leadership, we gauged awareness levels, existing cryptographic agility (did they have an inventory of crypto assets? any plans for upgrades?), and response plans. Each domain – IT, network, OT – was evaluated. The result was a readiness scorecard that made it clear where the operator was in good shape (for example, perhaps their corporate IT had already started a cryptographic inventory) and where there were gaps (for instance, the OT side might have relied on vendor-provided equipment with unknown cryptographic internals). This baseline served as a wake-up call in some areas; seeing a quantitative maturity score and qualitative assessment helped leadership understand that, for example, while they excelled in traditional cybersecurity, their quantum-specific preparedness lagged.
3. Prioritized Roadmap and Recommendations: With the risk profile and baseline in hand, we formulated a multi-faceted roadmap to enhance quantum readiness. We ensured this roadmap was prioritized – tackling the highest risks and the easiest wins first. Key components of the roadmap included:
-
Post-Quantum Cryptography (PQC) Adoption: We laid out a plan to transition vulnerable cryptographic protocols to quantum-safe alternatives over time. This included working with the operator’s vendors (who supply grid control software and hardware) to ensure they have PQC on their development roadmaps, and recommending pilot deployments of PQC algorithms (like quantum-resistant VPNs for remote site communications) as soon as standards are finalized.
-
Network Security Enhancements: We identified segments of the network where additional measures could mitigate quantum threats. For example, we explored using quantum-enhanced key distribution (such as QKD) on the most critical data links between control centers, providing an extra layer of secure key exchange. We also advised rotating symmetric encryption keys more frequently on critical links to limit any “harvest-now, decrypt-later” exposure.
-
Quantum Sensing Pilots: Given the interest in how quantum technologies could also provide opportunities, we proposed small quantum sensor pilot projects. For example, a quantum magnetometer at a power substation could detect anomalous magnetic fluctuations indicative of equipment issues or tampering beyond classical sensor capability. Another initiative was to integrate a quantum random number generator into control systems to strengthen the quality of cryptographic keys.
-
Workforce Development: Recognizing that people are as crucial as technology, our roadmap recommended a set of training and hiring initiatives. We suggested identifying internal “quantum ambassadors” – staff in security or engineering who would receive specialized training on quantum computing and cryptography, and then champion the topic internally. We also outlined partnerships with local universities and industry groups to stay abreast of quantum advancements, and even to pipeline new talent (for instance, internships or sponsored research on quantum-safe communications for ICS).
4. Governance and Funding: As a final piece, we helped the operator establish governance for this quantum-readiness program. We advised on forming a cross-departmental steering committee (including members from IT security, OT engineering, risk management, and compliance) to oversee execution of the roadmap. We also provided input on building the business case for budget – quantifying the risks in terms of potential downtime or safety incidents averted – so that the program secured necessary funding from executives and, where applicable, government grants or incentives for critical infrastructure protection.
Outcome
Armed with the risk assessment and roadmap, the critical infrastructure operator moved forward decisively in strengthening its defenses against quantum-era threats. The Quantum-Risk Profile we delivered became a cornerstone document, presented to the board and to government regulators as evidence of due diligence. It helped non-technical decision-makers grasp in concrete terms what was at stake (for example, the profile highlighted that certain control system communications, if decrypted, could reveal how to cause a blackout). This urgency helped in obtaining funding and support for the program’s initiatives.
The operator used the maturity baseline as a benchmark to measure progress. Over the following year, the organization improved its readiness scores by executing parts of the roadmap. For instance, they completed a full cryptographic inventory of their OT systems and discovered a handful of legacy devices using weak ciphers, which they then scheduled for upgrade or network isolation. They initiated a procurement requirement that all new equipment must support approved PQC algorithms or be firmware-upgradable to them, embedding crypto-agility into future purchases.
Some quick wins were achieved: one of the first roadmap actions was to deploy upgraded VPN hardware (supporting longer keys and configurable cryptography) for critical site communications. This immediately hardened those links and ensured they can be switched to PQC algorithms once available. The quantum sensor pilots also moved ahead; early results from the substation magnetometer pilot, for example, showed it could detect subtle electrical anomalies correlated with equipment stress, giving engineers a novel predictive maintenance tool. While this was a bonus beyond pure security, it demonstrated to the organization the positive side of engaging with quantum tech and created internal buzz around innovation.
The workforce development efforts paid off as well. The designated “quantum ambassadors” underwent training and started regular briefings for their teams, turning quantum readiness from a niche topic into a part of the organizational culture. The operator even hosted a joint workshop with a local university’s quantum research center, spurring ideas and relationships that could benefit future security efforts.
In summary, the engagement turned an abstract concern into a concrete program. The critical infrastructure operator now has a clear understanding of where its vulnerabilities lie and a pragmatic plan to address them over time. It has sent a strong signal to regulators and the public that it takes the quantum threat seriously and is proactively ensuring the resilience of services that millions of people depend on daily. This case also became a reference for other operators in the sector; our client went on to share non-sensitive portions of its approach at industry forums, helping raise the overall preparedness of the critical infrastructure community.
© 2025 Applied Quantum. All rights reserved