In 2003, 55 million people lost power across the US and Canada because of a software bug and a failure to communicate. Nobody attacked anything. And more than two decades later, the same infrastructure faces sophisticated adversaries who are planning very carefully.
Operational technology (OT) operates on a different set of priorities than the rest of us. In IT, confidentiality and integrity come first. In OT — the systems that open and close breakers, adjust voltage, and monitor load and faults — only one thing matters: availability.
Security was never part of the original design. And bolting it on later is harder than it sounds when downtime is simply not an option.
Many of these systems still run on older protocols with no encryption and weak authentication. Get it wrong, and the consequences aren’t a data breach or a regulatory fine. People lose power, water, and heat. The systems that modern life depends on stop working. Quietly at first — then all at once.
Volt Typhoon, a Chinese state-sponsored threat actor, maintained long-term access inside US critical infrastructure networks using legitimate credentials and native tools. In at least one documented case, Volt Typhoon’s access lasted nearly a year. That kind of access is not about theft. It is about positioning for disruption. And because the Canada-US energy grid is deeply interconnected, the threat does not stop at the border. Our security frameworks largely do. But the real question is not what they saw while they were inside. It is what they took with them on the way out.
Today, asset owners operating critical infrastructure are being asked to attest to their cryptographic readiness: to confirm that their encryption is safe in the quantum era and to demonstrate that they know what they have.
It is a reasonable ask. The problem is most of them have no idea. And the frameworks being used to assess them were never built for the environments in which they operate.
This is not a criticism of regulators or asset owners. It is a gap. And until we acknowledge it honestly, we are not solving it.
IT environments were designed with the assumption that systems could be interrogated, updated, and occasionally taken offline. OT was not. OT was designed around a completely different priority: availability. These systems were never meant to be patched on a Tuesday night. Many were installed before cybersecurity was even a word.
Migrating to post-quantum cryptography in IT environments is already a complex multiyear effort. In OT environments the challenge is greater. Cryptography may be embedded in firmware, hard-coded into devices that cannot be upgraded without physical access, or dependent on vendor support cycles measured in decades. Some of those devices operate with as little as 32 KB of RAM and lack the processing power to execute modern cryptographic operations. Post-quantum algorithms were not designed for those constraints. Some equipment currently in service was installed before cryptographic standards even existed.
Asking an OT asset owner to attest to cryptographic readiness using frameworks built for IT environments is like asking someone to pass a driving test in a vehicle with no dashboard. The requirement exists. The instrumentation does not.
OT Data Has Already Been Harvested: Here’s the Bigger Risk
Here is what most people are not saying out loud: The data is already being taken. Adversaries collecting encrypted traffic from OT environments today are not waiting to see if they can read it. They are waiting for the moment when they can. That moment is getting closer.
Quantum computing doesn’t just threaten future communications; it threatens the assumption that everything collected in the past was safe. The ghost that lived inside your network for a year didn’t just learn your layout. It may have left with your keys. Now consider a broader scenario. An attacker that harvested encrypted data from your network today can decrypt it once quantum computing makes that possible. That is harvest now, decrypt later.
But there is a second threat that gets even less attention. If an attacker has collected a vendor’s firmware signing keys, they could come back years from now and push a malicious update to every device on your network. Every device accepts it without question because the signature looks legitimate. That is trust now, forge later.
The ghost doesn’t need to break back in. It left the door open on the way out.
And most operators can’t answer the most basic question: Where does cryptography live in their environment? Not because they are negligent. Because these systems were never built to be audited that way.
Cryptography is buried in long-forgotten libraries, embedded in devices installed decades ago, invisible to the tools most security teams rely on. The inventory that would answer the question does not exist. The process to collect it has never been built.
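To make concrete what "where does cryptography live" means in practice, and why the trust-now-forge-later exposure above is discoverable at all, here is an added example of the mechanics behind a cryptographic inventory scan. It is not code from the article or from any vendor; the asset names and the "firmware images" are constructed sample bytes. It searches raw blobs for DER-encoded algorithm OIDs and PEM blocks, classifies each hit by quantum risk, and flags images that carry private key material. OID values are the standard IETF/NIST registrations; the ML-DSA-65 OID is taken from the NIST CSOR registry (an assumption to verify against your own tooling).

```python
"""Minimal cryptographic inventory scanner for OT firmware/config blobs.

Hypothetical example: finds DER-encoded algorithm OIDs and PEM blocks in raw
bytes and classifies them by quantum risk. Real inventory tooling goes much
further (parsing certificates, protocol captures, library fingerprints);
this shows the core mechanic of "find the crypto before you attest to it".
"""
import base64
import re
from dataclasses import dataclass

# DER encoding (tag 0x06 + length + content) of algorithm identifier OIDs.
# Classification is by algorithm family, not by how the key is actually used.
OID_TABLE = {
    bytes.fromhex("06092a864886f70d010101"): ("rsaEncryption", "quantum-vulnerable"),   # 1.2.840.113549.1.1.1
    bytes.fromhex("06072a8648ce3d0201"): ("ecPublicKey", "quantum-vulnerable"),         # 1.2.840.10045.2.1
    bytes.fromhex("06032b6570"): ("Ed25519", "quantum-vulnerable"),                     # 1.3.101.112
    bytes.fromhex("060960864801650304012a"): ("aes256-CBC", "symmetric"),               # 2.16.840.1.101.3.4.1.42
    bytes.fromhex("0609608648016503040312"): ("ML-DSA-65", "post-quantum"),             # 2.16.840.1.101.3.4.3.18 (assumed per NIST CSOR)
}

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str    # "oid" or "pem"
    name: str    # algorithm name or PEM label
    risk: str    # quantum-vulnerable / symmetric / post-quantum / critical ...
    offset: int  # byte offset in the scanned image (approximate for PEM-internal hits)


def _scan_oids(asset, data, base_offset):
    """Return one Finding per occurrence of a known DER OID in data."""
    out = []
    for der_oid, (name, risk) in OID_TABLE.items():
        start = 0
        while (pos := data.find(der_oid, start)) != -1:
            out.append(Finding(asset, "oid", name, risk, base_offset + pos))
            start = pos + 1
    return out


def scan_blob(asset, blob):
    """Scan one image: PEM blocks first (and the DER inside them), then raw OIDs."""
    findings = []
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode()
        # A private key baked into a shipped image is exactly the "forge later" exposure.
        risk = "critical: private key material" if b"PRIVATE KEY" in m.group(1) else "certificate/public material"
        findings.append(Finding(asset, "pem", label, risk, m.start()))
        try:
            der = base64.b64decode(m.group(2))  # newlines are discarded by default
        except ValueError:
            der = b""
        findings.extend(_scan_oids(asset, der, m.start()))
    findings.extend(_scan_oids(asset, blob, 0))  # compiled-in DER outside any PEM wrapper
    return findings


def inventory(findings):
    """Per-asset set of (kind, name, risk): the table a regulator actually wants."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset, set()).add((f.kind, f.name, f.risk))
    return by_asset


def needs_migration(findings):
    """Assets carrying any quantum-vulnerable public-key algorithm."""
    return sorted({f.asset for f in findings if f.risk == "quantum-vulnerable"})


def leaked_key_candidates(findings):
    """Assets with private key material embedded in the image."""
    return sorted({f.asset for f in findings if f.kind == "pem" and "PRIVATE KEY" in f.name})


# Constructed sample images (hypothetical asset names, not real devices or vendors).
SAMPLE_ASSETS = {
    "rtu-substation-07": (
        b"\x7fELF\x00boot-banner\x00"
        + b"-----BEGIN RSA PRIVATE KEY-----\n"
        + base64.encodebytes(b"\x30\x82\x01\x00" + bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
        + b"-----END RSA PRIVATE KEY-----\n"
        + b"\x00" * 16
    ),
    "relay-feeder-12": b"config\x00" + bytes.fromhex("06072a8648ce3d0201") + b"\x00" + bytes.fromhex("060960864801650304012a"),
    "plc-pumphouse-03": b"\x00" * 8 + bytes.fromhex("0609608648016503040312") + b"\x00" * 8,
}


def scan_all(assets=None):
    """Scan every sample image and return the combined findings."""
    assets = SAMPLE_ASSETS if assets is None else assets
    findings = []
    for asset, blob in assets.items():
        findings.extend(scan_blob(asset, blob))
    return findings


if __name__ == "__main__":
    found = scan_all()
    for asset, items in sorted(inventory(found).items()):
        print(asset, sorted(items))
    print("needs PQC migration:", needs_migration(found))
    print("embedded private keys:", leaked_key_candidates(found))
```

On the sample data the scan reports the RTU as both quantum-vulnerable (RSA) and carrying an embedded private key, the relay as quantum-vulnerable (EC) with a symmetric cipher that is not a migration concern, and the PLC as already on a post-quantum signature algorithm. Byte-pattern matching of this kind produces false positives (an OID string can appear in a lookup table that is never used), so the output is a starting inventory to confirm against vendor documentation and traffic captures, not an attestation by itself.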
Signing an attestation form does not change that reality. It just creates the appearance of assurance where none exists.
When the gap between what is being asked and what can be demonstrated is large enough, organizations do one of two things. Either they invest in genuinely closing the gap, or they invest in looking like they closed it.
In under-resourced OT environments operating on thin margins with aging infrastructure and skeleton security teams, the path of least resistance is obvious. Check the box. File the attestation. Move on.
The result is a false sense of assurance that may be more dangerous than acknowledged uncertainty. A regulator who believes attestations are meaningful stops asking hard questions. An asset owner who has filed the paperwork stops feeling the urgency. The ghost is still in the grid. Nobody is looking for it anymore.
The urgency behind cryptographic readiness requirements is real. NIST released its Post-Quantum Cryptography Standards for a reason, and government timelines exist for a reason. But determining where cryptography lives across an OT environment takes years. For many organizations, a decade may not be enough.
But urgency without capability is just pressure. And pressure without the right tools produces paperwork, not security.
Before asking asset owners to attest to something, regulators have an obligation to ensure the frameworks, guidance, and tooling exist to make that attestation meaningful. Right now, they do not. Until that changes, attestation requirements are asking people to confirm something they can’t verify. That is not security. That is paperwork dressed up as security.
The ghost is already inside the grid, walking the halls, looking exactly like it belongs there. The question is whether we find it before it decides to act.