Exploring Gateway Architectures for Quantum-Safe Industrial Networks

By: Shujaatali Badami
09 February, 2026
6 min read
Operational technology systems are not ready for the post-quantum cryptography standards NIST finalized in 2024. Given the constraints of the installed base, cryptographic processing at network boundaries rather than on endpoints may be the answer.

For those managing heterogeneous operational technology (OT) environments, the time is now to be thinking about quantum-safe industrial networks. The standards are here, but the devices are not ready.

The National Institute of Standards and Technology (NIST) finalized three post-quantum cryptography (PQC) standards on Aug. 13, 2024. ML-KEM (FIPS 203), the Module-Lattice-Based Key-Encapsulation Mechanism standard, handles key establishment. ML-DSA (FIPS 204), the Module-Lattice-Based Digital Signature standard, covers digital signatures. SLH-DSA (FIPS 205), the Stateless Hash-Based Digital Signature standard, provides a hash-based alternative whose security rests only on the underlying hash function rather than on lattice assumptions.

Algorithms exist. The implementation guidance exists. Enterprise information technology (IT) teams have already started integrating these into transport layer security (TLS) stacks and certificate infrastructures. Operational technology is a different story.

Walk into any manufacturing facility built before 2015. You will find programmable logic controllers (PLCs) running firmware that cannot be updated. Communication stacks are hardcoded into silicon. The protocols used were designed when 64 KB of RAM felt generous. These devices were never built to swap cryptographic primitives. Many lack the computational headroom to run lattice-based algorithms at all.

Recent benchmarking studies paint a clear picture. Researchers testing ML-KEM on hobbyist-class microcontrollers such as the ESP32 and Raspberry Pi Pico reported implementations failing on memory constraints; only devices with sufficient resources and modern runtimes handled the computational demands. Purpose-built embedded ports such as pqm4 do fit ML-KEM on Cortex-M4-class parts, but that silicon is still far newer than most installed controllers. A typical Siemens S7-300 PLC from the mid-2000s falls well below that threshold.

OT systems face a timing problem. Quantum computing capabilities continue to advance. Regulatory frameworks like the EU Cyber Resilience Act will require products with digital elements to meet cybersecurity standards by December 11, 2027. Procurement teams are already adding quantum readiness clauses to supplier questionnaires. But the equipment controlling critical processes cannot be upgraded to meet these requirements directly.



Why direct migration fails in OT environments

The usual IT playbook does not work here. In enterprise environments, you upgrade the operating system, patch the libraries, rotate certificates and move on. Three constraints make this approach impossible for most industrial systems.

Constraint 1. Memory and compute limitations. ML-KEM-768 [NIST security category 3, the parameter set recommended for most applications] requires 1,184 bytes for the public (encapsulation) key, 2,400 bytes for the secret (decapsulation) key and 1,088 bytes for the ciphertext [the message that carries the encapsulated shared secret]. These numbers seem small until you consider devices designed with 32 KB or 64 KB of total RAM. The polynomial arithmetic underlying lattice cryptography demands scratch space, on top of the key material itself, that does not exist on legacy hardware.

Lightweight implementations help but do not solve the fundamental problem. Researchers have achieved impressive optimizations. One 2024 study reduced CRYSTALS-Kyber [the submission NIST standardized as ML-KEM] to around 4,777 lookup tables (LUTs) and 2,661 flip-flops [one-bit storage circuits] on a field programmable gate array (FPGA), making it viable for newer constrained devices. But these implementations target hardware designed in the last five years, not equipment from 2005.

Constraint 2. Deterministic timing requirements. Industrial control loops operate on fixed cycles. A PLC scanning inputs, executing logic and updating outputs every 10 milliseconds cannot tolerate variable cryptographic latency. Safety-critical systems depend on this determinism. Per-message protection (symmetric authenticated encryption) is cheap and constant-time, but the asymmetric operations at session setup and at every rekey are orders of magnitude heavier and land at unpredictable points relative to the scan cycle. Adding them to the communication path introduces timing variability that can push cycle times past acceptable thresholds.

The issue compounds in safety instrumented systems (SIS). IEC 61511, building on IEC 61508, assigns safety integrity levels (SIL) according to the target probability of failure on demand. Introducing untested cryptographic overhead into these loops requires recertification. For many facilities, the recertification process costs more than the equipment itself.

Constraint 3. Protocol semantics and interoperability. Modbus, BACnet and similar industrial protocols were designed for reliable communication over constrained links. They assume trusted network segments. Adding security at the protocol layer changes message formats, timing characteristics and interoperability guarantees.

A BACnet MS/TP [master-slave/token-passing] device expects specific frame structures and timing. Wrapping that traffic in quantum-resistant tunnels works fine at network boundaries. Modifying the protocol itself breaks compatibility with decades of deployed equipment and software.


The gateway architecture

Given these constraints, the practical path forward places cryptographic processing at network boundaries rather than on endpoints. The approach is not novel in concept. Protocol translation gateways have existed for years. What changes is the specific requirement set and the cryptographic layer.

Figure 1: The gateway sits between protected network segments and external connections.

The gateway sits between protected network segments and external connections (Figure 1). On the external interface, it terminates quantum-resistant sessions using ML-KEM for key establishment and ML-DSA for authentication. Internally, it speaks native industrial protocols without modification. Three functional blocks make this work:

Protocol translation engine. Handles bidirectional conversion between legacy protocols and secure transport. Modbus remote terminal unit (RTU) becomes Modbus transmission control protocol (TCP) wrapped in TLS 1.3 [the latest transport layer security protocol]; the Modbus organization's own Modbus/TCP Security profile already defines Modbus over TLS on port 802, and the post-quantum part of TLS 1.3 is negotiated as a hybrid key-exchange group such as X25519MLKEM768 rather than as a cipher suite. BACnet MS/TP converts to BACnet/IP, or to BACnet/SC (Secure Connect, BACnet's own TLS 1.3 transport), with equivalent protection. The translation preserves message semantics while changing the security envelope.
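The RTU-to-TCP step of that translation engine, as an added example written for this article (not code from the author or from any gateway product). It validates the RTU CRC, strips it and prepends the 7-byte MBAP header, then does the reverse for the response path. The transaction id, the function names and the sample frame are assumptions for illustration; the CRC polynomial, frame layouts and the sample's checksum are the real Modbus ones.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// crc16Modbus computes CRC-16/MODBUS (reflected poly 0xA001, init 0xFFFF), the
// checksum that ends every RTU frame. It catches line noise, not tampering: anyone
// who can write to the serial bus can recompute it, so integrity against an
// adversary has to come from the TLS envelope on the gateway's external side.
func crc16Modbus(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0xA001
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// RTUToTCP converts an RTU frame (unit id + PDU + CRC, CRC low byte first) into a
// Modbus TCP frame (7-byte MBAP header + PDU). txn is the transaction id the
// gateway assigns so it can match the reply coming back from the external side.
func RTUToTCP(rtu []byte, txn uint16) ([]byte, error) {
	if len(rtu) < 4 { // unit id + function code + 2-byte CRC at minimum
		return nil, errors.New("rtu frame too short")
	}
	body, crc := rtu[:len(rtu)-2], rtu[len(rtu)-2:]
	if binary.LittleEndian.Uint16(crc) != crc16Modbus(body) {
		return nil, errors.New("rtu crc mismatch")
	}
	unit, pdu := body[0], body[1:]
	out := make([]byte, 7, 7+len(pdu))
	binary.BigEndian.PutUint16(out[0:2], txn)                // transaction id
	binary.BigEndian.PutUint16(out[2:4], 0)                  // protocol id: 0 = Modbus
	binary.BigEndian.PutUint16(out[4:6], uint16(1+len(pdu))) // bytes that follow: unit id + PDU
	out[6] = unit
	return append(out, pdu...), nil
}

// TCPToRTU is the reverse path: validate the MBAP header, strip it, re-append the
// CRC. The transaction id is returned so the gateway can correlate the reply.
func TCPToRTU(tcp []byte) (rtu []byte, txn uint16, err error) {
	if len(tcp) < 8 { // MBAP header + at least a function code
		return nil, 0, errors.New("tcp frame too short")
	}
	if binary.BigEndian.Uint16(tcp[2:4]) != 0 {
		return nil, 0, errors.New("unexpected MBAP protocol id")
	}
	if int(binary.BigEndian.Uint16(tcp[4:6])) != len(tcp)-6 {
		return nil, 0, errors.New("MBAP length does not match frame")
	}
	body := append([]byte{}, tcp[6:]...) // unit id + PDU
	c := crc16Modbus(body)
	return append(body, byte(c), byte(c>>8)), binary.BigEndian.Uint16(tcp[0:2]), nil
}

func main() {
	// Constructed sample: read 2 holding registers at address 0 from unit 1,
	// with its well-known CRC C4 0B.
	rtu := []byte{0x01, 0x03, 0x00, 0x00, 0x00, 0x02, 0xC4, 0x0B}
	tcp, err := RTUToTCP(rtu, 1)
	fmt.Printf("tcp=% X err=%v\n", tcp, err)
	back, txn, err := TCPToRTU(tcp)
	fmt.Printf("rtu=% X txn=%d err=%v\n", back, txn, err)
}
```

The two validation failures (bad CRC inbound, MBAP length that disagrees with the frame outbound) are the places a translation engine must refuse rather than guess: a frame that fails them never reaches the PLC side, and a reply that fails them never goes out over the tunnel.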

Key management module. Maintains cryptographic material for both classical and post-quantum algorithms. Hybrid key establishment combines elliptic curve Diffie-Hellman (ECDH) with ML-KEM, providing defense-in-depth during the transition period: both shared secrets feed a single key-derivation step, so if either algorithm is broken the other still protects the session key. (Merely offering both algorithms and negotiating one of them does not give this property.) This follows NIST’s guidance for phased migration.
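The hybrid exchange described above, as an added example written for this article (not the author's or any vendor's code). It uses the Go standard library's crypto/mlkem (available since Go 1.24) and crypto/ecdh: the initiator sends an X25519 public key and an ML-KEM-768 encapsulation key, the responder answers with its own X25519 key and an ML-KEM ciphertext, and both sides feed both shared secrets plus the transcript of public values into one HKDF step. The message layout, the HKDF label and the function names are assumptions; authentication of the two flights (the ML-DSA certificates in the gateway design) is left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem" // standard library since Go 1.24
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// combine derives the session key from BOTH shared secrets plus the transcript of
// public values, using HKDF-SHA256 (RFC 5869 extract, then one expand block). An
// attacker must break X25519 and ML-KEM-768 to recover it. The label is an assumption.
func combine(ssECDH, ssKEM, transcript []byte) []byte {
	ext := hmac.New(sha256.New, transcript) // salt = transcript of both flights
	ext.Write(ssECDH)
	ext.Write(ssKEM)
	exp := hmac.New(sha256.New, ext.Sum(nil))    // keyed with the extracted PRK
	exp.Write([]byte("ot-gateway hybrid v1\x01")) // info || block counter 0x01
	return exp.Sum(nil)
}

type Initiator struct { // ephemeral private keys kept between the two flights
	x   *ecdh.PrivateKey
	kem *mlkem.DecapsulationKey768
}

// Hello builds flight 1: X25519 public key (32 bytes) || ML-KEM-768 encapsulation key.
func Hello() (*Initiator, []byte, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	hello := append(x.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()...)
	return &Initiator{x: x, kem: dk}, hello, nil
}

// Reply (responder) validates flight 1, does its X25519 half and encapsulates to the
// ML-KEM key; it returns the session key and flight 2: X25519 public key || ciphertext.
func Reply(hello []byte) (key, reply []byte, err error) {
	if len(hello) != 32+mlkem.EncapsulationKeySize768 {
		return nil, nil, errors.New("bad hello length")
	}
	peerX, err := ecdh.X25519().NewPublicKey(hello[:32])
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(hello[32:])
	if err != nil {
		return nil, nil, err
	}
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssECDH, err := x.ECDH(peerX)
	if err != nil {
		return nil, nil, err
	}
	ssKEM, ct := ek.Encapsulate()
	reply = append(x.PublicKey().Bytes(), ct...)
	return combine(ssECDH, ssKEM, append(append([]byte{}, hello...), reply...)), reply, nil
}

// Finish consumes flight 2 on the initiator and derives the same session key.
func (i *Initiator) Finish(hello, reply []byte) ([]byte, error) {
	if len(reply) != 32+mlkem.CiphertextSize768 {
		return nil, errors.New("bad reply length")
	}
	peerX, err := ecdh.X25519().NewPublicKey(reply[:32])
	if err != nil {
		return nil, err
	}
	ssECDH, err := i.x.ECDH(peerX)
	if err != nil {
		return nil, err
	}
	ssKEM, err := i.kem.Decapsulate(reply[32:])
	if err != nil {
		return nil, err
	}
	return combine(ssECDH, ssKEM, append(append([]byte{}, hello...), reply...)), nil
}

func main() {
	client, hello, err1 := Hello()
	respKey, reply, err2 := Reply(hello)
	initKey, err3 := client.Finish(hello, reply)
	if err := errors.Join(err1, err2, err3); err != nil {
		panic(err)
	}
	fmt.Println("session keys match:", hmac.Equal(initKey, respKey))
}
```

Binding the transcript into the KDF salt means an attacker who swaps out either public value on the wire ends up with a different key on each side, which the later authenticated traffic (or, in the full design, the ML-DSA signature over the transcript) turns into a visible failure rather than a silent downgrade.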

Timing buffer. Absorbs cryptographic processing latency to maintain downstream determinism. Variable-time operations on the external interface get smoothed before forwarding to industrial segments. This requires careful queue management to avoid introducing its own delays.

Regarding the deployment topology, the gateway deploys at trust boundaries within the network architecture. Not every segment needs one. Critical production networks connecting to enterprise systems or external partners get protection first. Internal segments communicating only with local human-machine interfaces (HMIs) may not require quantum resistance immediately.

A typical manufacturing environment might deploy gateways at the interface between the production network and enterprise IT (Figure 2), remote access points for vendor support, connections to cloud-based monitoring or analytics platforms and links to external partners or supply chain systems. Each deployment point gets its own assessment for threat exposure and data sensitivity.


Figure 2: IT versus OT environments for PQC migration.

Implementation considerations

Moving from architecture to deployment reveals practical challenges that academic papers rarely address. The following deserve attention early.

Certificate infrastructure. Post-quantum certificates are larger than their classical counterparts. An ML-DSA-65 signature is 3,309 bytes and its public key 1,952 bytes, so a single ML-DSA-65 certificate already runs over 5 KB and a chain of two or three easily exceeds 10 KB, against a few hundred bytes for an ECDSA P-256 certificate. Gateway implementations need to handle these sizes without exhausting buffer space during handshakes, and on low-bandwidth external links the extra bytes per handshake should be budgeted for.

The timing of certificate issuance matters too. Most commercial certificate authorities do not yet offer post-quantum certificates. Organizations deploying this architecture may need an internal public key infrastructure (PKI) capable of issuing hybrid or pure post-quantum certificates. Planning this infrastructure takes months.

Firmware update pathways. Gateways themselves become high-value targets. They hold cryptographic keys and sit at trust boundaries. The update mechanism must be secure against both classical and quantum adversaries. Signed firmware using ML-DSA, verified boot chains and secure key storage are baseline requirements.

Remote update capability introduces its own risks. A compromised update channel gives attackers a direct path to every gateway in the fleet. Organizations must balance operational convenience against the security implications of remote management interfaces.

Monitoring and anomaly detection. Protocol translation creates opportunities for attack detection. The gateway sees traffic patterns on both sides of the boundary. Deviations from expected behavior, unusual command sequences or timing anomalies can indicate compromise attempts.

Building this detection capability requires a baseline to be established for each protected segment. Industrial protocols often exhibit predictable patterns. A bottling line scans the same inputs and outputs every cycle. Deviations from this pattern warrant investigation.
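An added example of that baseline idea (written for this article, not the author's code or any product's): learn which (unit, function, address window) combinations a Modbus TCP segment uses while the line runs normally, then flag requests that fall outside. The frames, the learned windows and the detection rules are constructed for illustration; the MBAP and PDU layouts they parse are the real Modbus ones.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Request is the subset of a Modbus TCP request the detector reasons about.
type Request struct {
	Unit, Function byte
	Addr, Count    uint16 // first address touched and how many (1 for single writes)
}

// IsWrite reports whether the function changes PLC state.
func (r Request) IsWrite() bool {
	return r.Function == 5 || r.Function == 6 || r.Function == 15 || r.Function == 16
}

// ParseRequest validates the MBAP header and decodes the fixed part of the PDU for
// the common read/write functions. Anything else is an error, which is the right
// default in front of legacy equipment: unmodelled is unexpected.
func ParseRequest(frame []byte) (Request, error) {
	if len(frame) < 8 || binary.BigEndian.Uint16(frame[2:4]) != 0 ||
		int(binary.BigEndian.Uint16(frame[4:6])) != len(frame)-6 {
		return Request{}, errors.New("malformed MBAP header")
	}
	r, pdu := Request{Unit: frame[6], Function: frame[7]}, frame[8:]
	switch r.Function {
	case 1, 2, 3, 4, 5, 6, 15, 16:
		if len(pdu) < 4 {
			return Request{}, errors.New("short pdu")
		}
		r.Addr, r.Count = binary.BigEndian.Uint16(pdu[0:2]), binary.BigEndian.Uint16(pdu[2:4])
		if r.Function == 5 || r.Function == 6 { // single writes carry a value, not a count
			r.Count = 1
		}
	default:
		return Request{}, fmt.Errorf("function 0x%02x not modelled", r.Function)
	}
	return r, nil
}

// span is the learned address window [lo, hi) for one (unit, function) pair.
type span struct{ lo, hi uint32 }

// Baseline records what the segment looked like while the line ran normally.
type Baseline struct{ seen map[[2]byte]*span }

func NewBaseline() *Baseline { return &Baseline{seen: map[[2]byte]*span{}} }

// Learn widens the baseline with one observed request.
func (b *Baseline) Learn(r Request) {
	k, lo, hi := [2]byte{r.Unit, r.Function}, uint32(r.Addr), uint32(r.Addr)+uint32(r.Count)
	s, ok := b.seen[k]
	if !ok {
		b.seen[k] = &span{lo, hi}
		return
	}
	if lo < s.lo {
		s.lo = lo
	}
	if hi > s.hi {
		s.hi = hi
	}
}

// Check returns the reasons a request deviates from the baseline; empty means normal.
func (b *Baseline) Check(r Request) []string {
	var out []string
	s, ok := b.seen[[2]byte{r.Unit, r.Function}]
	if !ok {
		out = append(out, fmt.Sprintf("unit %d never used function 0x%02x during baseline", r.Unit, r.Function))
		if r.IsWrite() {
			out = append(out, "unexpected write: a state change the baseline never saw")
		}
		return out
	}
	if lo, hi := uint32(r.Addr), uint32(r.Addr)+uint32(r.Count); lo < s.lo || hi > s.hi {
		out = append(out, fmt.Sprintf("addresses %d..%d outside learned window %d..%d", lo, hi-1, s.lo, s.hi-1))
	}
	return out
}

func main() {
	// Constructed frames: a bottling-line style baseline of two reads and one write,
	// then three requests that should stand out.
	b := NewBaseline()
	for _, f := range [][]byte{
		{0, 1, 0, 0, 0, 6, 1, 3, 0, 0, 0, 10},     // unit 1 reads regs 0..9
		{0, 2, 0, 0, 0, 6, 1, 3, 0, 100, 0, 4},    // unit 1 reads regs 100..103
		{0, 3, 0, 0, 0, 6, 1, 6, 0, 100, 4, 0xD2}, // unit 1 writes reg 100
	} {
		r, _ := ParseRequest(f)
		b.Learn(r)
	}
	for _, f := range [][]byte{
		{0, 4, 0, 0, 0, 6, 1, 6, 0, 200, 0, 1},         // write outside the learned window
		{0, 5, 0, 0, 0, 9, 2, 16, 0, 0, 0, 1, 2, 0, 0}, // unknown unit, multi-register write
		{0, 6, 0, 0, 0, 4, 1, 8, 0, 0},                 // diagnostics: not modelled, rejected
	} {
		if r, err := ParseRequest(f); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println(r, b.Check(r))
		}
	}
}
```

A window per (unit, function) is deliberately coarse: a read of registers 50..53 passes here even though the baseline only ever read 0..9 and 100..103. A per-address bitmap is tighter at the cost of state, and a real deployment would also learn the source of each request and the cycle timing, which this example leaves out.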

Prioritizing segment migrations

Not every network segment warrants immediate migration. Resource constraints force prioritization. I use a framework based on three factors: data sensitivity, exposure duration and attack surface (Figure 3).

 

Figure 3: The network segment prioritization matrix, built on data sensitivity, exposure duration and attack surface.

Data sensitivity. Some industrial data maintains value for decades. Process recipes, quality parameters and equipment configurations may constitute trade secrets with long-term competitive value. Networks carrying this data face “harvest now, decrypt later” threats where adversaries capture encrypted traffic today and wait for quantum computers to break the encryption.


Other data loses value quickly. Real-time sensor readings for process control matter in the moment but become irrelevant within hours. Protecting this traffic against future quantum attacks provides less benefit.

Exposure duration. Equipment with long operational lifespans faces greater cumulative risk. A PLC installed today might run for fifteen years. Traffic captured from that system remains vulnerable throughout its operational life, plus whatever retention period adversaries maintain.

Systems scheduled for replacement within five years present different risk profiles. The encrypted traffic captured today must remain secure only until replacement, plus retention. This changes the urgency calculation.

Attack surface. External-facing systems demand priority attention. Remote access portals, cloud integrations and partner connections expose traffic to potential capture. Internal segments communicating only within physically secured facilities present lower immediate risk.

The framework produces a prioritized list. External connections carrying sensitive, long-lived data go first. Internal segments with short-lived operational data wait until resources permit.

Looking forward

The quantum threat timeline remains uncertain (Figure 4): Estimates range from five to 15 years for cryptographically relevant quantum computers. But the “harvest now, decrypt later” threat exists today, as data captured from inadequately protected systems accumulates in adversary archives.

Figure 4: Quantum threat timeline estimates range from five to 15 years for cryptographically relevant quantum computers.

Gateway-based architectures provide a migration path that respects operational constraints. They protect critical traffic without requiring impossible upgrades to legacy equipment. They enable crypto-agility at trust boundaries where organizations can actually implement changes.
The EU Cyber Resilience Act creates additional pressure. Products placed on the EU market after December 2027 must meet cybersecurity requirements, including security update capabilities and vulnerability handling. Organizations supplying into European markets need quantum-ready strategies now.

For those managing heterogeneous OT environments, the message is straightforward. Start mapping what you have. Identify trust boundaries. Assess data sensitivity and exposure. Plan gateway deployments at critical interfaces. The standards exist. The architectural patterns exist. The remaining challenge is execution.

This article is part of our Automation.com Monthly February 2026 issue.