
Critical National Infrastructure: A Quantum Security Sector Protection Roadmap

The distinctive concern for CNI operators is not data confidentiality alone. It is operational continuity. A compromised authentication channel in an energy SCADA system does not produce a data breach notification; it produces a substation failure. This roadmap addresses the sector-specific constraints, regulatory frameworks, and migration sequencing that apply to CNI operators across energy, transport, water, and financial market infrastructure.

[Figure: CNI quantum security roadmap diagram showing the four-phase migration structure for energy, transport, water, and financial market infrastructure]


27 June 2026

Steven Vaile, Director, Quantum Security Defence

The CNI quantum threat: why this sector is different

The distinctive concern for CNI operators is not data confidentiality alone. It is operational continuity. A compromised authentication channel in an energy SCADA system does not produce a data breach notification; it produces a substation failure. When the cryptographic controls protecting the authentication of control commands can no longer be trusted, the physical consequences are not abstract. That is the starting point for quantum security planning in CNI, and it changes the risk calculus relative to enterprise IT in ways that most general quantum security guidance does not fully address.

Nation-state actors are the primary adversary class for CNI HNDL operations. The UK NCSC's 2024 Annual Review named state-aligned actors including Russia, China, and Iran as the primary threat to UK CNI. ENISA's Threat Landscape 2024 identifies critical infrastructure as the sector most frequently targeted by state-sponsored cyber operations across EU member states. These actors have the motive, the capability, and the patience to collect encrypted operational data, strategic planning documents, and authentication materials today for decryption when a cryptographically relevant quantum computer becomes operational. For CNI, the harvest is not speculative. For detail on the specific national quantum programmes driving this threat context, see the companion piece on nation-state quantum programmes and CNI implications.

The Q-Day window sits directly within the operational lifetime of CNI assets being procured today. A power distribution SCADA system installed in 2025 with a 15-year replacement cycle will still be in service when fault-tolerant quantum computers are expected to become operational, based on the current technical literature anchored by the surface code threshold analysis of Fowler et al. (Physical Review A, 2012). The 2033-2035 window is a planning range with significant uncertainty, not a delivery date. For CNI procurement, the practical implication is this: post-quantum cryptographic readiness must be a specification requirement for systems being purchased today, not a retrofit project for systems already installed.

The regulatory landscape: UK, EU, and US frameworks

United Kingdom. CNI operators in the UK are regulated under the Network and Information Systems (NIS) Regulations 2018 (SI 2018/506), which transposed NIS1. The Regulations apply to operators of essential services (OES) in energy, transport, water, health, and digital infrastructure. The NCSC Cyber Assessment Framework (CAF) is the primary assessment instrument; the NCSC produces sector-specific CAF profiles for the major CNI sectors. NIS2 does not apply to UK operators. The UK Cyber Security and Resilience Bill was in consultation as of August 2025 and is the legislative development to track for post-NIS1 requirements.

European Union. NIS2 Directive (EU) 2022/2555 applies to essential and important entities across sixteen sectors, covering energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, and public administration. The cryptography obligation sits in Article 21(2)(h), requiring "appropriate and proportionate" cryptographic controls aligned with "the state of the art." For digital infrastructure entities and certain ICT service providers within NIS2's scope, Commission Implementing Regulation (EU) 2024/2690 (in force 18 October 2024) provides specific technical requirements beyond the Directive's high-level text.

United States. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) specifies the post-quantum algorithms required for National Security Systems. NSM-10 (National Security Memorandum 10, May 2022) directed US federal agencies and national security system operators to inventory public-key cryptographic systems and prioritise migration to PQC. CISA has published cross-sector quantum guidance at cisa.gov/quantum. For US CNI sectors, NSM-10 and CISA guidance provide the framework; CNSA 2.0 provides algorithm requirements for national security contexts. Non-defence critical infrastructure operators should treat NIST FIPS 203/204/205 and NIST IR 8547 as the technical standard baseline.

OT cryptographic constraints: the hard migration problem

CNI sectors run operational technology protocols that were designed before post-quantum requirements existed as an engineering concern. Modbus/TCP has no native cryptographic layer; security depends on network segmentation and overlay protocols. DNP3 Secure Authentication (DNP3-SA, IEEE Std 1815) uses HMAC-SHA-256 with RSA-2048 or ECDSA for message authentication. Both RSA-2048 and ECDSA are on the NIST IR 8547 deprecation schedule for new deployments by 2030. IEC 62351, the security standard for IEC 61850 power system communications, defines cryptographic requirements for energy sector control networks and is undergoing update to address PQC, but standards development timelines are measured in years, not months.

Processing overhead is a real constraint on constrained OT devices. ML-KEM-768 key generation runs in approximately 0.1-0.2 ms on a modern Intel processor. On an embedded ARM Cortex-M class processor running at 100-200 MHz, typical of many RTUs and PLCs in service, the same operation can take orders of magnitude longer. NIST SP 800-82r3 (2023) addresses OT security architecture and provides the framework for thinking about these constraints. The key point is that the migration strategy cannot be uniform. IT-layer migration to ML-KEM-768 and ML-DSA-65 is straightforward on modern server hardware. OT endpoint migration requires a different approach depending on processor capability.

For constrained OT devices where lattice-based schemes are prohibitive due to processing overhead, hash-based signature schemes provide an alternative. SLH-DSA (NIST FIPS 205) is a stateless hash-based digital signature scheme with conservative security assumptions based on hash function security, requiring no mathematical hardness assumptions beyond collision resistance. LMS (Leighton-Micali Signature Scheme), standardised in NIST SP 800-208, and XMSS are stateful alternatives with smaller code footprints. For OT applications with low signing frequency, such as firmware authentication, certificate signing, and controller authentication at maintenance intervals, hash-based schemes on constrained ARM processors achieve acceptable performance. The signing frequency constraint on stateful schemes (LMS/XMSS) requires careful key management, but this is a solved engineering problem for firmware signing workflows.
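The key-management discipline that stateful schemes need can be shown without any signing code. The following is an added example, not from the original article or from NIST SP 800-208: it reserves one-time-key indices and persists the new counter before handing them to the signer, so a crash can waste indices but never reuse one. The class name, state-file layout and single-signer assumption are illustrative.

```python
import json
import os
import tempfile


class StateExhausted(Exception):
    """Raised when the key has no unused one-time indices left."""


class OtsIndexStore:
    """Tracks the next unused one-time-key index of an LMS/XMSS private key.

    Assumptions: one signer process owns the file (no locking shown), and
    the file is never restored from backup or cloned, since either would
    roll the counter back and cause index reuse.
    """

    def __init__(self, path, capacity):
        self.path = path
        self.capacity = capacity  # total one-time keys, e.g. 2**h for tree height h
        if not os.path.exists(path):
            self._write(0)

    def _read(self):
        with open(self.path) as f:
            return json.load(f)["next_index"]

    def _write(self, next_index):
        # Write to a temp file, fsync, then rename over the old state so a
        # power loss leaves either the old or the new counter, never a torn file.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as f:
            json.dump({"next_index": next_index}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def reserve(self, count=1):
        """Persist the advanced counter BEFORE returning indices to the signer."""
        start = self._read()
        if start + count > self.capacity:
            raise StateExhausted(f"{self.capacity - start} indices left, {count} requested")
        self._write(start + count)
        return list(range(start, start + count))


def demo_crash_safety(workdir):
    """Reserve, simulate a restart, reserve again, then run the key dry."""
    path = os.path.join(workdir, "lms_state.json")
    first = OtsIndexStore(path, capacity=4).reserve(2)
    # Simulated crash: the process dies here and a fresh one reopens the file.
    restarted = OtsIndexStore(path, capacity=4)
    second = restarted.reserve(2)
    try:
        restarted.reserve(1)
        exhausted = False
    except StateExhausted:
        exhausted = True
    return first, second, exhausted
```

Reserving a batch per maintenance window keeps disk writes low on slow storage; any indices left unused after a crash are simply discarded.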

Sector-specific roadmap: energy

Energy is the highest-priority CNI sector for quantum security for three reasons: the longest operational lifetime of control systems (15-25 years in active SCADA deployments), the highest cascading failure potential from compromised control communications, and documented nation-state targeting through campaigns including Dragonfly/Energetic Bear (CISA advisory AA20-296A) and Sandworm activity against European energy infrastructure. The HNDL risk for operational telemetry, SCADA command authentication, and strategic infrastructure planning data is active today.

UK energy operators are subject to NIS Regulations 2018 as operators of essential services, with NCSC CAF assessment and Ofgem cybersecurity obligations. EU energy operators fall under NIS2 Annex I. US energy operators are subject to NERC CIP standards; NERC CIP-013 covers supply chain risk management and is the instrument through which PQC vendor readiness requirements can be formalised. NERC guidance on PQC for energy infrastructure should be verified for current status before procurement decisions.

The smart meter and grid communication layer in Great Britain introduces an additional migration challenge. SMETS2 meters and the GB Companion Specification (GBCS) use ECDSA and ECDH for authentication and key agreement. These algorithms are on the NIST deprecation schedule. The migration of GB smart meter cryptography cannot be executed unilaterally by any single operator: it requires coordination between Ofgem, the Data Communications Company (DCC), meter manufacturers, and energy suppliers. Energy operators should engage with the DCC's quantum migration planning workstream to understand the timeline, because their own HNDL risk assessment must account for the schedule the DCC can actually deliver.

Sector-specific roadmap: transport

Transport CNI covers four distinct sub-sectors with different cryptographic profiles. Railways using ERTMS/ETCS carry RSA-based authentication in the GSM-R radio layer and ETCS onboard and trackside units. European standardisation work on PQC-compatible ERTMS through the European Union Agency for Railways is at an early stage. Aviation's ACARS and ATC communications systems use separate cryptographic architectures that are largely outside standard TLS frameworks and require sector-specific assessment. Maritime AIS is unauthenticated; GMDSS security relies on network-layer controls.

Vehicle-to-everything (V2X) PKI is the transport sub-sector with the most immediate long-term implications. IEEE 1609.2 (North America) and ETSI TS 103 097 (EU) define the PKI standards for V2X communication; both use ECDSA P-256 or P-384 for certificate signing. Certificates issued today for V2X roadside units will still be in use when Q-Day is expected. EU-mandated C-ITS infrastructure under Commission Delegated Regulation (EU) 2023/195 will need to address PQC in its PKI update cycle. The migration requires coordination across automotive OEMs, roadside unit manufacturers, and PKI certificate authorities. Transport CNI operators should be feeding requirements into the relevant standardisation bodies now, because PQC PKI migration at the scale of a national V2X deployment takes a full procurement and standards cycle to execute.

Sector-specific roadmap: water and utilities

Water sector SCADA systems use Modbus, DNP3, and OPC UA across a mix of proprietary radio, cellular, and fibre links. Many UK water companies operate SCADA systems with embedded controllers running for 15-20 years that cannot be updated in place to support ML-KEM processing overhead. The migration strategy for this sector works in three layers: protocol gateway migration (implement PQC at the IT/OT boundary gateway rather than at the constrained end device), certificate lifecycle management using SLH-DSA or LMS for firmware signing where RSA is currently used, and network re-segmentation to reduce the attack surface for systems that cannot be migrated before end of life. NIST SP 800-82r3 and the IEC 62443 zone-and-conduit security architecture provide the framework for planning these compensating controls.

Ofwat does not yet have explicit quantum security requirements. UK water sector operators of essential services are subject to the NIS Regulations 2018 (SI 2018/506); quantum security falls under the security obligations in Regulation 10 of SI 2018/506 for protecting network and information systems. Operators should engage with the NCSC through the UK Water Industry Cyber Security Advisory Group (WISAG) to understand the competent authority's current expectations on quantum risk assessment for the water sector.

Sector-specific roadmap: financial market infrastructure

Financial market infrastructure holds the longest-lived and most sensitive operational data in the CNI landscape. Central counterparties, central securities depositories, and payment system operators accumulate transaction records, settlement records, and custody data with regulatory retention requirements of 7 years under MiFID II Article 25. Data generated today and encrypted with RSA or ECDH key exchange will still be under its confidentiality obligation when Q-Day is expected. That is not a theoretical overlap. DORA Regulation (EU) 2022/2554 applies to FMI operators under Article 2(1); quantum security obligations sit in DORA Article 9(2) and RTS (EU) 2024/1774 Article 6, which requires cryptographic controls aligned with "the state of the art." For the operational HNDL risk detail specific to financial services, see the companion piece on HNDL risk in financial services: regulatory and operational dimensions.

FMI operators are also subject to the Article 28 third-party ICT risk management obligation under DORA. Given the interconnectedness of settlement infrastructure, the PQC readiness of a CCP's primary clearing members, custodians, and technology providers is itself a systemic risk item. A CCP that has migrated its own infrastructure but whose clearing members still connect via RSA key exchange has not eliminated the exposure at the network perimeter.

The four-phase roadmap

Phase 1 — Inventory and classification (0-12 months). Conduct a full cryptographic bill of materials (CBOM) across the IT/OT estate. The CBOM classifies every cryptographic asset against three dimensions: data confidentiality lifetime, migration complexity (constrained OT endpoint versus IT server versus network appliance versus third-party service), and operational criticality. NIST NCCoE SP 1800-38B provides the CBOM methodology for IT assets; NIST SP 800-82r3 provides the OT-specific asset classification framework. Without the CBOM, every subsequent phase decision is made without the data required to prioritise. No other phase should begin until Phase 1 is complete for the highest-criticality systems.
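The three-dimension classification can be made mechanical once the inventory exists. The following is an added example, not from the original article or from NIST SP 1800-38B: it scores constructed CBOM records on lifetime, migration complexity and criticality, and flags assets whose quantum-vulnerable protection must hold past the start of the 2033-2035 planning range. The record fields, weights, track names and `QDAY_PLANNING_YEAR` are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumption: start of the article's 2033-2035 planning range, used as a
# conservative cut-off. It is a planning input, not a prediction.
QDAY_PLANNING_YEAR = 2033

# Public-key algorithms the article treats as quantum-vulnerable.
QUANTUM_VULNERABLE = {"RSA-2048", "ECDSA-P256", "ECDSA-P384", "ECDH-P256"}

# Assumed weights for migration complexity (higher = harder to migrate).
COMPLEXITY = {"it_server": 1, "network_appliance": 2,
              "third_party_service": 3, "constrained_ot": 4}


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    asset_class: str       # key into COMPLEXITY
    start_year: int        # year the data was encrypted or the key deployed
    protection_years: int  # confidentiality lifetime, or years in service
    criticality: int       # 1 (low) to 5 (loss of an essential service)


def exposed(a: CryptoAsset) -> bool:
    """True if a quantum-vulnerable algorithm must hold past the planning year."""
    return (a.algorithm in QUANTUM_VULNERABLE
            and a.start_year + a.protection_years >= QDAY_PLANNING_YEAR)


def track(a: CryptoAsset) -> str:
    """Map an asset to the roadmap phase that can actually reach it."""
    if not exposed(a):
        return "monitor"
    if a.asset_class == "constrained_ot":
        return "phase3-gateway-or-compensating-control"
    return "phase2-hybrid-tls-or-rekey"


def triage(assets):
    """Return (score, name, track) rows, highest priority first."""
    rows = []
    for a in assets:
        # Exposure (20) outweighs any unexposed score (max 14); criticality
        # ranks within a band and complexity starts slow migrations earlier.
        score = (20 if exposed(a) else 0) + 2 * a.criticality + COMPLEXITY[a.asset_class]
        rows.append((score, a.name, track(a)))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed sample inventory (not real assets).
SAMPLE_CBOM = [
    CryptoAsset("hr-portal-tls", "ECDH-P256", "it_server", 2026, 2, 1),
    CryptoAsset("substation-dnp3-sa", "ECDSA-P256", "constrained_ot", 2025, 15, 5),
    CryptoAsset("settlement-archive", "RSA-2048", "it_server", 2026, 7, 4),
    CryptoAsset("rtu-firmware-signing", "LMS-SHA256", "constrained_ot", 2025, 20, 5),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CBOM):
        print(row)
```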

Phase 2 — Immediate risk mitigation (6-18 months, overlapping with Phase 1). Deploy hybrid TLS 1.3 (X25519 plus ML-KEM-768) on IT-layer connections protecting operational data with long confidentiality requirements. This does not require changes to OT endpoints; it operates at the IT-layer connection boundary. IETF RFC 9496 (X-Wing hybrid KEM) and NIST FIPS 203 specify the implementation. Update IT/OT boundary gateway firmware to support ML-KEM-768 and ML-DSA-65 where gateway hardware is on a normal refresh cycle. Prioritise re-encryption or re-keying of stored data already classified as long-lifetime and high-sensitivity. Phase 2 is the mechanism for providing immediate measurable risk reduction while Phase 3's longer-cycle work is under way.

Phase 3 — Protocol and standard migration (18-60 months). Engage with sector-specific standards bodies for OT protocol updates: IEC 62351 for power system communications, IEEE 1815 for DNP3-SA, the ERA for ERTMS, ETSI for V2X PKI. Replace OT communications infrastructure that falls within normal procurement cycles and whose replacement can be planned into existing capex schedules. For OT systems that cannot be updated within the 60-month window due to hardware constraints or operational continuity requirements, implement compensating controls: encrypted overlay at the gateway, physical security uplift at the constrained device, network re-segmentation. Monitor the CMVP for FIPS 140-3 validated PQC modules for OT hardware categories relevant to your sector.

Phase 4 — Full migration and residual risk management (60 months and beyond). Complete migration of all IT-layer systems to FIPS 203/204/205/206-compliant cryptography. For OT systems where migration within 60 months is not feasible due to hardware constraints or operational continuity requirements, document as residual risk with compensating controls, a replacement schedule tied to the normal asset lifecycle, and an annual review against NIST IR 8547 deprecation milestones. Phase 4 is not a clean completion date; it is a managed residual risk position for the tail of the OT estate that cannot migrate within enterprise IT timescales.

NCSC CAF alignment and CISA resources

UK CNI operators subject to NCSC CAF assessment should map their quantum security programme to the relevant CAF outcomes to ensure the programme is visible to the competent authority. CAF Outcome B1 (Service protection policies and processes) covers cryptographic protection of operational data; the CBOM and HNDL risk assessment map here. CAF Outcome B2 (Identity and access control) covers authentication protocols; OT authentication migration under Phase 3 maps here. Presenting the quantum security programme in CAF outcome terms ensures that assessors can evaluate it against the same framework they use for all other security controls.

US CNI operators should consult CISA's Post-Quantum Cryptography Initiative resources at cisa.gov/quantum. CISA's cross-sector guidance aligns with NSM-10's direction to inventory public-key cryptographic systems and prioritise migration for long-lived data and national security applications. Sector-specific CISA advisories, including the Dragonfly/Energetic Bear advisory (AA20-296A) for the energy sector, provide threat intelligence context that should inform the risk scoring in Phase 1's CBOM classification work.

Sources

  1. NCSC Annual Review 2024. ncsc.gov.uk
  2. ENISA Threat Landscape 2024. enisa.europa.eu
  3. Fowler, A.G. et al., "Surface codes: Towards practical large-scale quantum computation," Physical Review A 86(3), 032324 (2012). doi:10.1103/PhysRevA.86.032324
  4. IEC 62443 series. iec.ch/iec62443
  5. NIS Regulations 2018 (SI 2018/506). legislation.gov.uk
  6. NCSC Cyber Assessment Framework. ncsc.gov.uk
  7. NIS2 Directive (EU) 2022/2555. EUR-Lex
  8. Commission Implementing Regulation (EU) 2024/2690. EUR-Lex
  9. NSA CNSA Suite 2.0. NSA CNSA 2.0
  10. NSM-10, May 2022. whitehouse.gov
  11. CISA post-quantum cryptography resources. cisa.gov/quantum
  12. IEEE Std 1815 (DNP3-SA). standards.ieee.org
  13. IEC 62351 series (power system communications security). iec.ch
  14. NIST SP 800-82r3, "Guide to OT Security," 2023. doi:10.6028/NIST.SP.800-82r3
  15. NIST FIPS 205 (SLH-DSA). doi:10.6028/NIST.FIPS.205
  16. NIST SP 800-208 (LMS/XMSS). doi:10.6028/NIST.SP.800-208
  17. CISA advisory AA20-296A (Dragonfly/Energetic Bear). cisa.gov
  18. NCSC advisory on Sandworm. ncsc.gov.uk
  19. NERC CIP-013. nerc.com
  20. ETSI TS 103 097 V2.1.1 (C-ITS Security). etsi.org
  21. Commission Delegated Regulation (EU) 2023/195 (C-ITS). EUR-Lex
  22. NIST NCCoE SP 1800-38B, "Migration to Post-Quantum Cryptography," 2024. nccoe.nist.gov
  23. IETF RFC 9496, "The X-Wing Hybrid KEM," 2024. rfc-editor.org/rfc/rfc9496
  24. NIST FIPS 203 (ML-KEM). doi:10.6028/NIST.FIPS.203
  25. NIST FIPS 204 (ML-DSA). doi:10.6028/NIST.FIPS.204
  26. NIST IR 8547, "Transitioning the Use of Cryptographic Algorithms and Key Lengths," November 2024. doi:10.6028/NIST.IR.8547
  27. MiFID II Regulation (EU) 600/2014. EUR-Lex
  28. DORA Regulation (EU) 2022/2554. EUR-Lex
  29. US National Quantum Initiative Act (Public Law 115-368). congress.gov

About the Author

Steven Vaile, Director, Quantum Security Defence.
