Nation-State Quantum Programmes: CNI Implications and Threat Modelling
Most post-quantum security guidance is written for enterprise IT. The threat models describe office networks, SaaS platforms, and enterprise PKI hierarchies. Critical national infrastructure (energy generation and distribution, water treatment, healthcare systems) is a different problem. The data lifetimes are longer, the patching cycles are slower, and the disruption potential of a future decryption event is not a data breach notification. It is a power cut.
This article is addressed specifically to CNI security officers, OT/ICS security leads, and critical infrastructure regulators. It covers why CNI is a priority target for harvest-now-decrypt-later collection, how the investment figures from national quantum programmes translate into a threat framing, and what a structured quantum risk assessment looks like for energy, water, and healthcare sectors. For the enterprise security context covering the same geopolitical landscape, see the companion enterprise article.
Why CNI Is a Priority HNDL Target: Three Structural Reasons
Harvest-now-decrypt-later (HNDL) collection is the strategy of capturing encrypted communications today and storing them for decryption when a cryptographically relevant quantum computer (CRQC) becomes available. Not every encrypted dataset is worth the storage cost. CNI operational data is particularly attractive for three structural reasons.
Data lifetime. CNI systems operate on asset replacement cycles of 15 to 40 years. Substations, generation equipment, water treatment control systems, and hospital networks run on hardware and configurations that change slowly. Operational data tied to that infrastructure, including network topology, vulnerability assessments, SCADA configuration, and maintenance records, has intelligence value that persists for decades. An adversary who harvests encrypted OT communications from an energy grid in 2026 may hold material worth exploiting against the same infrastructure in 2035 [VERIFIED: CISA, "Implementing Post-Quantum Cryptography in Federal Systems"; NCSC UK, "Post-quantum cryptography: preparing for a post-quantum world"].
Protocol exposure. Many CNI OT systems communicate over protocols that carry no transport encryption in their base specifications: IEC 61850 GOOSE messaging and Sampled Values, used in substation automation, do not include encryption in the base standard. Modbus/TCP and DNP3 without DNP3 Secure Authentication v5 (IEEE 1815-2012) have no cryptographic protection by default. Where VPN or TLS wrappers protect wider-area communications, those wrappers rely on RSA or ECDH for key establishment, which is quantum-vulnerable. The combination of slow firmware patching and quantum-vulnerable encryption at the transport layer creates a long harvest window.
Strategic disruption value. CNI disruption produces effects disproportionate to the cost of the attack. An adversary who acquires the configuration data, vulnerability landscape, and network topology of an energy grid gains the ability to plan disruption operations more precisely than would otherwise be possible. The Five Eyes joint advisory on PQC migration (CISA, NSA, NIST, NCSC UK, CCCS Canada, ASD Australia, August 2023) explicitly identifies energy, water, and transportation as priority sectors for PQC migration, specifically naming them alongside federal civilian government networks and the defence industrial base [VERIFIED: CISA/NSA/NIST joint advisory, "Quantum-Readiness: Migration to Post-Quantum Cryptography," August 2023, Section II].
The Investment Context: What Nation-States Are Spending
National quantum programme investment figures from official sources, as of 2023-2024 public data:
- United States: approximately $3.7 billion committed through the CHIPS and Science Act (2022) and National Quantum Initiative Reauthorization Act (2023), distributed across NIST, NSF, Department of Energy, and Department of Defense programmes [VERIFIED: NQI Reauthorization Act, 2023; CHIPS and Science Act H.R.4346, Subtitle B].
- United Kingdom: £2.5 billion over ten years under the National Quantum Strategy (March 2023) [VERIFIED: HM Government, National Quantum Strategy, March 2023, p. 5].
- European Union: approximately €1 billion over 2018-2030 through the EU Quantum Flagship programme managed under Horizon Europe [VERIFIED: European Quantum Flagship, qt.eu].
- China: approximately $15 billion or more in committed investment over 2016-2030, anchored in the National Laboratory for Quantum Information Sciences in Hefei. This figure is derived from non-Chinese sources and cannot be independently audited from outside China; treat it as an order-of-magnitude estimate [ASSUMED: McKinsey Quantum Technology Monitor; ODNI Annual Threat Assessment 2024 for US intelligence community characterisation of Chinese quantum investment].
The ODNI 2024 Annual Threat Assessment identifies China as "the most comprehensive and serious threat to US national security" and specifically notes continued investment in quantum communications and quantum computing as part of China's broader technology competition strategy [VERIFIED: ODNI Annual Threat Assessment 2024]. The assessment does not claim China has achieved CRQC capability. What it characterises is sustained strategic investment at a scale that CNI security planners need to factor into their threat models.
For the enterprise security framing of this investment picture, see the enterprise companion article.
Energy Sector: 40-Year Assets and Unencrypted OT Protocols
The energy sector faces a compound HNDL risk that other CNI sectors do not face to the same degree: the combination of extremely long asset lifetimes, slow patching cycles, and base-level OT protocols without transport encryption.
At the protocol level, the exposure is structural. IEC 61850 GOOSE (Generic Object Oriented Substation Events) and Sampled Values, the real-time messaging protocols used in substation automation and protection relay communication, do not include transport encryption in their base specifications. DNP3 Secure Authentication v5 (IEEE Std 1815-2012) provides optional message authentication between SCADA master and remote terminal units, but authentication is not encryption, and even SA v5 does not provide confidentiality. Wide-area SCADA communications that do use IPsec or TLS rely on RSA or ECDH for key establishment [VERIFIED: IEC 61850-8-1 standard; IEEE Std 1815-2012; NIST IR 8228].
Smart metering infrastructure adds a distinct exposure vector. The UK's SMETS2 infrastructure uses DLMS/COSEM for communication between smart meters, the Data Communications Company (DCC), and energy suppliers. The DLMS/COSEM security profile employs ECDH for key agreement and AES-128 for symmetric encryption. ECDH is quantum-vulnerable. Over-the-air firmware updates to SMETS2 meters are managed through the DCC and subject to SMETS certification requirements. Migrating the estimated 30 million SMETS2 meters in the UK [ASSUMED: verify current DCC deployment statistics from OFGEM before publication] to ML-KEM-based key agreement requires DCC system updates, meter firmware updates with SMETS recertification, and coordination across metering equipment manufacturers. That is not a fast migration path.
The operational data at risk (network topology, substation configuration, maintenance schedules, vulnerability assessments) has intelligence value that extends across the 20-40 year asset replacement cycle. An adversary harvesting encrypted energy grid communications in 2026 may be planning against infrastructure that will still be operating in 2045.
Water Sector: Active Targeting and Long Replacement Cycles
Water infrastructure sits at the intersection of two risk factors that rarely appear together in other sectors: documented evidence of active nation-state targeting and asset replacement cycles of 15-25 years.
CISA Advisory AA21-008A (January 2021) documented an actor's access to water treatment control systems in Oldsmar, Florida, including attempted manipulation of chemical dosing parameters. That incident involved direct access, not cryptanalysis [VERIFIED: CISA Advisory AA21-008A]. The significance for HNDL threat modelling is that it confirms water infrastructure is an active target for nation-state-associated actors. The HNDL threat is a second vector, not an alternative to direct intrusion: an adversary capable of and motivated to attempt direct access to water control systems has an obvious interest in accumulating harvested operational data from those systems for future use.
Water treatment and distribution SCADA systems commonly use Modbus/TCP or DNP3 for local protocol communication, with IPsec VPNs or TLS providing the transport layer over wide-area connections to remote pumping stations and treatment plants. Those VPN and TLS sessions use RSA or ECDH for key establishment. The 15-25 year asset replacement cycles mean that operational configuration data (pump schedules, chemical dosing parameters, alarm setpoints, network topology) harvested today retains operational intelligence value well into the Q-Day window of 2033-2035.
UK water operators are subject to the NIS Regulations 2018 (SI 2018/506), which require "appropriate and proportionate technical and organisational measures" to manage risks to the security of network and information systems [VERIFIED: NIS Regulations 2018, Regulation 10; NCSC UK NIS Regulations guidance for water sector]. NCSC UK's position is that PQC migration represents an appropriate measure for organisations in the Q-Day planning horizon. The regulatory obligation to act exists before specific algorithm mandates arrive.
Healthcare: Genomic Data, PACS Archives, and GDPR Retroactive Liability
Healthcare CNI faces a fundamentally different HNDL risk profile from energy or water. The concern is not operational disruption. It is long-term confidentiality of patient records, and a specific legal argument about retroactive liability that security teams and legal advisers need to understand now.
Under GDPR Article 9, genomic data and health records are special category data, subject to the highest standard of protection. NHS record retention periods range from 8 years post-last-contact for adult records to 25 years for certain specialist records including mental health and maternity [VERIFIED: NHS Records Management Code of Practice 2021]. Hospital imaging archives (PACS/DICOM) contain decades of patient data. HL7 FHIR R4 API traffic and DICOM over TLS both rely on TLS with ECDH or RSA key establishment [VERIFIED: HL7 FHIR R4 standard; DICOM PS 3.15 Security and System Management Profiles].
If an adversary harvests encrypted NHS or equivalent healthcare data today and decrypts it following a future CRQC, that constitutes a breach of the original data with full retroactive liability under GDPR Article 32 and GDPR Recital 83, which explicitly identifies encryption as the relevant security measure [VERIFIED: GDPR Article 32; GDPR Article 9]. GDPR's protection obligation applies at the time of processing. Processing data under encryption that is known to be quantum-vulnerable, while a credible Q-Day window exists and migration is technically available, is increasingly difficult to defend as meeting the "state of the art" standard in Article 32. That interpretation is the direction the regulatory logic is developing, not yet a ruling.
The regulatory gap in the healthcare sector is notable. The NHS Data Security and Protection Toolkit (DSPT), the annual self-assessment framework for NHS organisations, does not yet include PQC-specific controls as of the time of writing [VERIFIED: NHS DSPT, dsptoolkit.nhs.uk, no PQC controls as of August 2025; ASSUMED, verify DSPT status as of June 2026 before publication]. Healthcare providers operating under a DSPT that does not require PQC planning are meeting a standard that does not yet reflect the regulatory obligation that Article 32 is moving towards. For the HNDL liability framing in regulated financial services, which has moved further on this question, see the HNDL financial services analysis.
Threat Modelling for CNI: A Four-Component Framework
CNI quantum risk assessment does not require quantum physics expertise. It requires four structured assessments applied to each system in scope.
Data lifetime assessment. Identify operational and patient data types whose confidentiality requirements extend into the 2033-2035 CRQC window. For energy: grid topology and vulnerability data. For water: SCADA configuration and operational parameters. For healthcare: genomic data, long-term patient records, imaging archives. Any data category requiring protection beyond 7-8 years from 2026 is within the risk window [INFERRED: synthesis of Five Eyes advisory priority framing and Gidney-Ekerå 2021 CRQC resource estimate anchor].
Cryptographic exposure inventory. Identify all encrypted communications protecting CNI operations. Focus on: inter-site VPN connections (IPsec), SCADA/OT protocol wrappers (TLS), remote access (SSH, VPN), and operational data archives. Map each to the key establishment algorithm in use. RSA and ECDH are quantum-vulnerable. AES-256 symmetric encryption is quantum-safe.
Asset replacement cycle alignment. Where OT hardware will be replaced within 3-5 years as part of normal asset lifecycle, build PQC-capable cryptography into the procurement specification now. This is substantially more cost-effective than retrofitting systems after deployment. Procurement specifications that do not reference ML-KEM or ML-DSA support are locking in quantum-vulnerable cryptography for the next 15-25 years.
Nation-state attribution context. Use CISA, NCSC, and Five Eyes advisory threat intelligence to assess whether your CNI sector has been specifically identified as an active HNDL collection target. The Five Eyes 2023 advisory and ODNI annual threat assessments are the authoritative public references. CISA's documented water sector intrusion attempts (AA21-008A) establish a specific sector threat precedent.
The Mosca inequality provides the risk decision gate. For a water utility whose SCADA communications must be protected until 2045 (X = 19 years from 2026) and whose OT firmware migration cycle is 5 years (Y = 5), the migration decision point is 2026 [VERIFIED: Mosca inequality framework, Mosca (2015)]. CNI organisations with data lifetime requirements extending to 2040 are already past the comfortable decision point. Apply the Mosca inequality to your own systems using the QSECDEF Quantum Threat Assessment tool.
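The decision gate above can be run across a cryptographic exposure inventory. The following is an added example, not code from the article or from the QSECDEF tool: it applies the Mosca inequality (migrate if X + Y > Z) to each inventory entry at both ends of the article's 2033-2035 window. Taking Z as the years from 2026 to that window is an assumption of this sketch, and the system names, dates and verdict labels are constructed for illustration.

```python
from dataclasses import dataclass

NOW = 2026                    # assessment year used in the article
CRQC_WINDOW = (2033, 2035)    # Q-Day planning window stated in the article
VULNERABLE_KEX = {"RSA", "ECDH"}   # key establishment the article flags
PQC_KEX = {"ML-KEM"}               # migration target named in the article

@dataclass
class System:
    name: str
    key_establishment: str  # from the cryptographic exposure inventory
    protect_until: int      # last year the data must stay confidential
    migration_years: int    # Y: time needed to complete migration

def mosca(system, crqc_year, now=NOW):
    """Return (X, Y, Z, slack); slack < 0 means X + Y > Z."""
    x = max(system.protect_until - now, 0)  # X: remaining data lifetime
    y = system.migration_years
    z = crqc_year - now                     # Z: years until a CRQC
    return x, y, z, z - (x + y)

def assess(system, now=NOW):
    """Classify one inventory entry against both ends of the window."""
    kex = system.key_establishment.upper()
    if kex in PQC_KEX:
        return "pqc-key-establishment"
    if kex not in VULNERABLE_KEX:
        return "unknown-review"             # do not assume safety
    early_slack = mosca(system, CRQC_WINDOW[0], now)[3]
    late_slack = mosca(system, CRQC_WINDOW[1], now)[3]
    if late_slack < 0:
        return "migrate-now"      # exposed even if Q-Day arrives late
    if early_slack < 0:
        return "at-risk"          # safe only if Q-Day arrives late
    return "within-margin"

# Constructed sample inventory; names and figures are illustrative only.
INVENTORY = [
    System("water-scada-ipsec", "ECDH", 2045, 5),   # the article's case
    System("pacs-archive-tls", "RSA", 2051, 3),
    System("substation-vpn", "ECDH", 2030, 4),
    System("meter-telemetry", "ECDH", 2028, 2),
    System("pilot-gateway", "ML-KEM", 2045, 0),
    System("legacy-link", "proprietary", 2040, 5),
]

def report(inventory=INVENTORY, now=NOW):
    return {s.name: assess(s, now) for s in inventory}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20} {verdict}")
```

For the water utility case, X + Y = 24 against Z of 7 to 9 years, so the entry is flagged regardless of which end of the window is used.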
Regulatory Obligations: NIS 2, NIS Regulations, and GDPR Article 32
CNI operators in the UK are subject to the NIS Regulations 2018 (SI 2018/506), Regulation 10 of which requires appropriate and proportionate technical and organisational measures for the security of network and information systems [VERIFIED: NIS Regulations 2018]. For EU CNI operators, NIS 2 (Directive (EU) 2022/2555) goes beyond the NIS Regulations in scope and requirements, with a transposition deadline of 17 October 2024 for EU member states [VERIFIED: NIS 2 Directive, Article 21(2)]. NIS 2 Article 21(2)(i) requires essential entities to implement "policies and procedures regarding the use of cryptography and, where appropriate, encryption." It does not explicitly reference post-quantum cryptography or mandate PQC migration. The PQC migration obligation follows by inference: a CRQC-vulnerable cipher will not satisfy the "appropriate" standard once Q-Day enters the credible threat window. The "appropriate" standard in both frameworks is not static: it evolves with the threat landscape and the available technical countermeasures [INFERRED: PQC migration as the inference from Article 21(2)(i) "appropriate" standard; NIST FIPS 203 as the established countermeasure establishing the "state of the art" bar].
For healthcare specifically, GDPR Article 32's requirement for security measures "appropriate to the risk" must be read against the developing consensus that PQC migration is the appropriate measure for protecting long-lived sensitive data in the Q-Day planning window. The "state of the art" standard cited in Article 32 is the operative lever: as ML-KEM becomes the established standard for quantum-safe key establishment, continued deployment of RSA or ECDH for healthcare data in transit becomes harder to defend as meeting that standard.
NIS 2 transposition status across EU member states should be verified before publication [ASSUMED: the 17 October 2024 deadline has passed; some member states may have transposed late; verify current status as of June 2026]. For UK CNI operators, the NIS Regulations 2018 remain the operative framework post-Brexit, though the UK is expected to introduce updated network and information systems regulations aligned with NIS 2 scope in the coming legislative cycle.
Sources
- CISA/NSA/NIST joint advisory, "Quantum-Readiness: Migration to Post-Quantum Cryptography," August 2023. cisa.gov
- NCSC UK, "Post-quantum cryptography: preparing for a post-quantum world." ncsc.gov.uk
- NIST IR 8547. doi:10.6028/NIST.IR.8547 (November 2024)
- ODNI Annual Threat Assessment 2024. dni.gov
- HM Government, National Quantum Strategy, March 2023. gov.uk
- CISA Advisory AA21-008A. cisa.gov (January 2021)
- NIS Regulations 2018 (UK), SI 2018/506. legislation.gov.uk
- NIS 2 Directive (EU) 2022/2555. eur-lex.europa.eu
- GDPR Article 32 and Article 9. gdpr-info.eu
- NHS Records Management Code of Practice 2021. nhsx.nhs.uk
- IEEE Std 1815-2012, DNP3 Secure Authentication v5. standards.ieee.org
- NIST IR 8228. doi:10.6028/NIST.IR.8228
- Mosca, M., "Cybersecurity in an era of quantum computing," IEEE position paper (2015). uwaterloo.ca/~mmosca