The Quantum Threat to Operational Technology: Trust Now, Forge Later (TNFL)
The Overlooked Quantum Threat to Operational Technology
Earlier this year, we explored the challenges enterprises face in transitioning to quantum-safe architectures. Much of today’s discussion rightly centres on the threat of Harvest Now, Decrypt Later (HNDL): the risk that adversaries are already capturing encrypted data and waiting for quantum computers powerful enough to decrypt it in the future.
Far less attention is paid to the equally consequential risk of Trust Now, Forge Later (TNFL), where a quantum computer, once capable of breaking RSA or ECC, could forge digital signatures and certificates that underpin digital trust.
HNDL breaks secrecy. TNFL breaks trust.
For Operational Technology (OT) environments, industrial control systems, energy networks, and safety-critical automation, this threat is arguably more severe. While HNDL undermines confidentiality (the secrecy of data and communications), TNFL compromises integrity and authenticity, threatening the safety and reliability of industrial processes. A forged firmware signature, a counterfeit controller identity, or a falsified logic file could all lead to unsafe operations or physical damage long before any ciphertext is decrypted.
For critical infrastructure, TNFL poses a unique challenge. Industrial systems depend on long-lived devices, rigid update cycles, and certified safety processes that make cryptographic transitions difficult. Equipment deployed today may still be operating well into the 2030s or 2040s, by which time nation-state actors are expected to be capable of quantum attacks.
Two quantum algorithms define the nature of this risk.
• Shor’s algorithm breaks all widely deployed public-key cryptography (RSA, DSA, ECC, and Diffie-Hellman) used for digital signatures and key exchange, enabling TNFL attacks.
• Grover’s algorithm provides a quadratic speed-up in brute-forcing symmetric encryption, effectively halving key strength: for example, it reduces AES-128 to roughly 64-bit security, increasing HNDL exposure for VPN and TLS sessions.
When Trust Fails: The Post-Quantum Risk to Industrial Systems
Most OT environments already operate with limited encryption, but rely deeply on digital signatures and certificates to ensure that firmware, logic, and data originate from authentic sources. When those signatures can be forged, the foundation of operational integrity collapses.
Consider a simple example: the programmable logic controllers (PLCs) that run safety and control processes in power plants. Each time an update or patch is applied, the PLC verifies that the code has been signed by the vendor’s private key (RSA or ECC) before accepting it, providing assurance that authentic code is running on the device. In a post-quantum world, that assurance disappears. An adversary with access to a Cryptanalytically Relevant Quantum Computer (CRQC) could forge the vendor’s digital signature, producing what appears to be a legitimate firmware image but which could disable alarms, alter safety logic, or subtly change process limits.
The same logic extends beyond firmware. The signatures that secure engineering logic, update catalogues, configuration files, and even time-synchronisation sources could all be forged once quantum computers reach sufficient scale to break public-key cryptography.
Mapping Quantum Risk Across the Purdue Model
To frame this challenge more clearly, OT environments can be viewed through the Purdue Enterprise Reference Architecture, which separates IT and OT into layered trust zones. Each level carries different exposure to quantum threats and requires a tailored mitigation strategy. Westlands Advisory (WA) has identified 21 distinct quantum risks across these layers, which will be described in an accompanying paper. The following section summarises these risks at a high level, showing how quantum exposure cascades down the Purdue model and where the focus for mitigation should begin.
• At the top (L5–L4): the priority is preserving digital trust, migrating PKI, TLS, and remote-access systems to hybrid post-quantum algorithms and tightening certificate lifecycles.
• In the mid-layers (L3–L2): the focus shifts to maintaining system integrity through dual-signing, cryptographic agility, and verified update pipelines in firmware and software supply chains.
• At the base (L1–L0): where legacy and longevity dominate, the goal becomes containment, enforcing segmentation, monitoring, and planned hardware refresh cycles.
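The dual-signing control named for the mid-layers, applied to the PLC firmware check described earlier, can be sketched as follows. This is an added example, not code from Westlands Advisory or any vendor. It assumes a toy textbook-RSA key as a stand-in for the vendor's RSA/ECC key and a Lamport one-time signature as the hash-based leg; all function names and firmware strings are constructed for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def bits(msg):  # the 256 bits of the image digest, most significant first
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Quantum-resistant leg: Lamport one-time signature (hash-based; one key signs ONE image).
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

# Classical leg: textbook RSA with toy primes, standing in for the vendor's RSA/ECC key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
def rsa_sign(msg):
    return pow(int.from_bytes(H(msg), "big") % N, D, N)
def rsa_verify(msg, sig):
    return pow(sig, E, N) == int.from_bytes(H(msg), "big") % N

def accept_firmware(image, sigs, lamport_pk, require_both=True):
    """Device-side policy: with dual-signing, BOTH legs must verify."""
    classical_ok = "rsa" in sigs and rsa_verify(image, sigs["rsa"])
    pq_ok = "lamport" in sigs and lamport_verify(lamport_pk, image, sigs["lamport"])
    return (classical_ok and pq_ok) if require_both else classical_ok

def demo():
    sk, pk = lamport_keygen()
    genuine = b"plc-firmware 2.1 (constructed sample)"
    tampered = b"plc-firmware 2.1, altered limits (constructed sample)"
    good = {"rsa": rsa_sign(genuine), "lamport": lamport_sign(sk, genuine)}
    # TNFL modelled as: the classical key is no longer secret, the hash-based key still is.
    forged = {"rsa": rsa_sign(tampered)}
    return {
        "genuine, dual policy": accept_firmware(genuine, good, pk),
        "forged, classical-only policy": accept_firmware(tampered, forged, pk, require_both=False),
        "forged, dual policy": accept_firmware(tampered, forged, pk),
        "forged + replayed PQ sig": accept_firmware(tampered, {**forged, "lamport": good["lamport"]}, pk),
    }

if __name__ == "__main__":
    print(demo())
```

Only the classical-only policy accepts the tampered image. A real deployment would rely on vetted library implementations of standardised algorithms rather than the toy primitives used here.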

Quantifying Quantum Risk
Not all quantum-related weaknesses are equal. Understanding how they manifest helps organisations prioritise which risks to address first. We distinguish four types: Direct, Systemic, Amplified, and Indirect.
• Direct risks occur where a cryptographic failure compromises a single service, protocol, or device. These are the immediate points of impact from a quantum-enabled attack. For example, a VPN session decrypted once its handshake is broken or a firmware signature forged using Shor’s algorithm. Direct risks are the root cause from which others emerge.
• Systemic risks are structural weaknesses that extend across products, ecosystems, or entire supply chains. They arise when a single cryptographic dependency is replicated widely, such as secure elements, TPMs, or PKI roots that are RSA/ECC-only and cannot be upgraded, or vendor toolchains that hard-code obsolete algorithms.
• Amplified risks act as multipliers, worsening or extending the effect of other risks. Examples include revocation plumbing failures (OCSP/CRL) that keep compromised certificates “valid,” or flat network architectures that allow forged trust to propagate deeper into OT.
• Indirect risks do not stem from cryptographic failure itself but inherit its consequences through integration. For instance, a plaintext fieldbus may not be vulnerable in isolation but becomes exploitable after a TNFL event compromises a higher-level gateway or controller.
Understanding these layers helps CISOs and engineers separate where quantum vulnerability begins from where it will ultimately have the greatest operational impact.
Start Planning Now
Many of the classic barriers to OT cybersecurity maturity remain unchanged, including unclear ownership, lack of mandate, and constrained budgets. To these, we can add two quantum-specific challenges: limited awareness, and complacency about the time required to modernise. History offers a warning about how long it takes to update cryptographic processes: the move from DES to AES, and from SHA-1 to SHA-2, each took more than a decade to complete. CISOs should start the journey to PQC now.
In a follow-up paper, we will outline the 21 quantum-related risks identified across the Purdue model and the 12 controls that form the foundation for post-quantum maturity.