From Threat to Control: Preparing OT for the Quantum Transition
In our previous article, 'The Quantum Threat to Operational Technology: Trust Now, Forge Later', we explored how Trust Now, Forge Later (TNFL) and Harvest Now, Decrypt Later (HNDL) reshape the risk landscape for Operational Technology (OT), and how these quantum-era threats cascade through the Purdue model.
This follow-up introduces a control framework designed to manage 21 distinct quantum risks identified across enterprise, control, and field environments. Each of these risks, from forged firmware and broken PKI chains to ossified hardware trust anchors, maps to a specific layer in the Purdue model and a corresponding set of mitigations.
For each class of risk there are tangible steps that can be taken today: technical controls that harden systems, governance measures that embed crypto-agility, and resilience programs that prepare organisations for a decade-long migration. These are set out in a 21×12 framework aligning each risk with the most relevant controls.
Understanding the Quantum Risk to Operational Technology
Westlands Advisory’s analysis identifies 21 discrete quantum-related risks, summarised in the accompanying table. These risks fall into the four principal risk types explored in the previous article: direct, systemic, amplified, and indirect. Together they describe how quantum vulnerabilities manifest, propagate, and impact operations across industrial environments.
Figure 1: 21 Quantum Related Risks

The implications are significant. At the enterprise layer, compromise of a root certificate can cascade into firmware, identity, and update systems below. In the control domain, a forged logic file or firmware image can undermine safety interlocks, change process limits, or disable alarms. At the field level, once authenticity is lost upstream, even devices without encryption can be coerced into unsafe behaviour.
Each of these risks can be traced back to underlying operational pressures in OT environments: the longevity of OT systems, the rigidity of safety and certification processes that slows change, and the growing interdependence of IT and OT, whose cryptography is increasingly shared and inseparable.
This is why the 21×12 framework matters. It does not attempt to eliminate quantum risk outright but rather to identify and prioritise actions that mitigate the threat. It provides a structured way to see which risks can be reduced today, which require vendor alignment, and which will persist until the next hardware generation.
From Risk to Control
Quantum disruption exposes two intertwined weaknesses in current OT security practice: a dependence on static trust anchors (signatures, certificates, and firmware chains that will one day be forgeable), and fragmented governance, where vendor ecosystems and safety regimes slow cryptographic modernisation.
To address these challenges, Westlands Advisory evaluated 12 practical controls that can mitigate them. The controls fall into three categories: technical controls protect cryptography itself, governance controls enable agility across vendors and safety regimes, and resilience controls preserve safety, integrity, and continuity through the transition.
1. Technical Controls: Protecting Cryptography and Architecture
More than half of the 21 risks can be mitigated through direct technical interventions that replace or supplement vulnerable cryptography. These include dual-signing firmware and logic with a classical ECC signature alongside an ML-DSA (FIPS 204) signature, hybrid TLS/IPsec key exchange (typically a classical exchange combined with ML-KEM, FIPS 203) to protect data in motion, and HSM-backed key protection to safeguard private keys. Together, they form the first line of defence against TNFL by ensuring that code, identity, and communication remain verifiable even as algorithms evolve. One caveat applies to dual-signing: it only helps where the verifier on the device enforces both signatures. A bootloader or engineering tool that accepts either signature alone is only as strong as the weaker of the two.
2. Governance Controls: Ensuring Agility and Accountability
Quantum transition will fail without effective governance. Governance controls act as the connection between technology and compliance. Without them, even technically sound defences remain fragmented, inconsistently deployed, or impossible to certify. This means implementing cryptographic inventories (CBOMs), mandating certificate rotation and PQC-ready PKI, embedding crypto-agility clauses in vendor contracts, and enforcing firmware signing policies. These controls institutionalise preparedness, ensuring that algorithmic upgrades are planned, budgeted, and auditable.
3. Resilience and Maturity Controls: Sustaining Long-Term Readiness
In complex industrial systems, containment and continuity are as critical as prevention. Resilience controls ensure that if quantum-enabled forgery or decryption occurs, its impact is localised and recoverable. This category spans network segmentation, lifecycle replacement planning, and training with PQC testbeds. They ensure that systems, people, and processes can adapt safely over time.
Mapping Quantum Risks to Controls
To move from risk identification to practical mitigation, Westlands Advisory mapped the 21 quantum-related risks against the 12 technical, governance, and resilience controls. The result is a framework that connects where quantum vulnerability appears to how it can be reduced, monitored, or contained.
Each risk was classified by its nature of exposure (direct, systemic, amplified, or indirect) and positioned within the Purdue model from enterprise IT (Level 5) to field devices (Level 0). Each control was then assessed for its applicability and current-day feasibility. The result is summarised in the 21×12 matrix below, which highlights where investment and coordination should focus first.
Figure 2: 21×12 Risk and Control Matrix

Addressing quantum risk will be a long transition rather than a single event. Every organisation that depends on digital trust, and every industrial system that depends on cryptographically signed firmware, certificates, or telemetry, will need to modernise both its defences and its governance. The 21 risks and 12 controls outlined here show that the problem is multi-dimensional and requires a phased approach to reach a PQC-mature posture. This starts with understanding the threat and building a cryptographic inventory (CBOM) across IT and OT to prioritise future investments.
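The cryptographic inventory named in the governance controls above and in this closing recommendation is the practical starting point, so the following added example shows what a first triage over a CBOM can look like. It is illustrative code written for this page, not Westlands Advisory's tooling or anything from the report: the flat JSON record shape, the scoring weights, the control recommendations and the six sample assets are all assumptions chosen for the example (a CycloneDX 1.6 CBOM carries the same information under each component's cryptographic properties, but that schema is not reproduced here). It classifies each asset as quantum-broken, PQC-ready, symmetric or unknown, weights TNFL/HNDL exposure by how long the asset must stay trustworthy, whether it can be re-keyed in the field and how close it sits to the physical process, and ranks the result.

```python
"""Quantum-exposure triage over a cryptographic bill of materials (CBOM).

Added illustration, not Westlands Advisory's tooling. The inventory schema,
weights and sample data are assumptions made for this example.
"""
from dataclasses import dataclass
import json

# Public-key primitives broken outright by Shor's algorithm on a CRQC.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# NIST PQC standards (ML-DSA, ML-KEM, SLH-DSA) and stateful hash-based signatures.
PQC_READY = {"ML-DSA", "ML-KEM", "SLH-DSA", "LMS", "XMSS"}
# Symmetric and hash primitives: Grover only halves effective strength.
SYMMETRIC = {"AES", "CHACHA20", "HMAC", "SHA-256", "SHA-384", "SHA-512", "SHA3-256"}


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    key_bits: int       # 0 when not applicable (e.g. a PQC parameter set)
    purpose: str        # "signature" | "key-exchange" | "encryption" | "hash"
    purdue_level: int   # 0 (process) .. 5 (enterprise)
    long_lived: bool    # must stay trustworthy/confidential beyond ~10 years
    replaceable: bool   # can be re-keyed or re-flashed without hardware replacement


def classify(asset: CryptoAsset) -> tuple[str, int, str]:
    """Return (finding, priority score, recommended control) for one asset.

    The weights are illustrative (assumption), not a published scale: they rank
    TNFL/HNDL exposure by duration, field-replaceability and proximity to the process.
    """
    alg = asset.algorithm.upper()
    if alg in PQC_READY:
        return ("pqc-ready", 0, "none")
    if alg in QUANTUM_BROKEN:
        score = 3
        if asset.long_lived:
            score += 2   # exposure window reaches into the CRQC era
        if not asset.replaceable:
            score += 2   # ossified trust anchor: only a hardware refresh removes it
        if asset.purdue_level <= 1:
            score += 1   # a forgery or decryption reaches the physical process directly
        if asset.purpose == "signature":
            control = ("dual-sign firmware/logic (ECDSA + ML-DSA)" if asset.replaceable
                       else "segment now; schedule lifecycle replacement")
            return ("TNFL: signature will become forgeable", score, control)
        if asset.purpose == "key-exchange":
            return ("HNDL: recorded traffic becomes decryptable", score,
                    "hybrid TLS/IPsec key exchange (classical + ML-KEM)")
        return ("quantum-broken public-key primitive", score,
                "migrate to PQC with HSM-backed keys")
    if alg in SYMMETRIC:
        if asset.key_bits < 256:
            return ("symmetric strength halved by Grover", 1, "move to 256-bit keys/digests")
        return ("symmetric: adequate", 0, "none")
    return ("unknown or proprietary algorithm", 2, "manual review with vendor; record in CBOM")


def load_inventory(cbom_json: str) -> list[CryptoAsset]:
    """Parse the flat JSON inventory shape assumed for this example."""
    return [CryptoAsset(**rec) for rec in json.loads(cbom_json)["assets"]]


def triage(assets: list[CryptoAsset]) -> list[dict]:
    """Classify every asset and return rows sorted highest priority first."""
    rows = []
    for a in assets:
        finding, score, control = classify(a)
        rows.append({"name": a.name, "purdue_level": a.purdue_level,
                     "finding": finding, "score": score, "control": control})
    # Ties break towards the lower Purdue level (closer to the process), then by name.
    rows.sort(key=lambda r: (-r["score"], r["purdue_level"], r["name"]))
    return rows


# Constructed sample inventory for a small plant (not real data).
SAMPLE_CBOM = json.dumps({"assets": [
    {"name": "plc-firmware-signing-key", "algorithm": "RSA", "key_bits": 2048,
     "purpose": "signature", "purdue_level": 1, "long_lived": True, "replaceable": False},
    {"name": "historian-tls", "algorithm": "ECDH", "key_bits": 256,
     "purpose": "key-exchange", "purdue_level": 3, "long_lived": True, "replaceable": True},
    {"name": "engineering-ws-code-signing", "algorithm": "ECDSA", "key_bits": 256,
     "purpose": "signature", "purdue_level": 3, "long_lived": False, "replaceable": True},
    {"name": "scada-update-signing", "algorithm": "ML-DSA", "key_bits": 0,
     "purpose": "signature", "purdue_level": 2, "long_lived": True, "replaceable": True},
    {"name": "field-radio-link", "algorithm": "AES", "key_bits": 128,
     "purpose": "encryption", "purdue_level": 0, "long_lived": False, "replaceable": True},
    {"name": "legacy-gateway-auth", "algorithm": "vendor-proprietary", "key_bits": 0,
     "purpose": "signature", "purdue_level": 1, "long_lived": True, "replaceable": False},
]})

if __name__ == "__main__":
    for row in triage(load_inventory(SAMPLE_CBOM)):
        print(f'{row["score"]:>2}  L{row["purdue_level"]}  {row["name"]:<28} '
              f'{row["finding"]:<42} {row["control"]}')
```

On the constructed inventory the non-replaceable RSA firmware-signing key at Level 1 ranks first (a TNFL exposure that only segmentation and lifecycle replacement can address), the historian's long-lived ECDH traffic second as an HNDL case for hybrid key exchange, and the ML-DSA update signer last. Extending the scoring to read a real CycloneDX CBOM is the obvious next step once an organisation has one.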
Contact Westlands Advisory at info@westlandsadvisory.com for a copy of the report.