Industrial OT Systems Face Growing Quantum Threat — Why “Harvest Now, Decrypt Later” Is a Present Danger
Summary
A growing body of research and regulatory action is highlighting the acute vulnerability of industrial Operational Technology (OT) systems to quantum computing threats. While cryptographically relevant quantum computers (CRQCs) are not yet a reality, the “harvest now, decrypt later” (HNDL) model makes quantum risk a present-day concern for critical infrastructure operators — particularly given that industrial assets often have operational lifecycles spanning decades.
Most OT environments still rely on RSA and Elliptic Curve Cryptography (ECC) for secure communications, access control, and digital signatures, all of which are vulnerable to quantum algorithms such as Shor’s algorithm. Protocols like DNP3, used in SCADA systems, are particularly exposed. Meanwhile, increasing IT/OT convergence creates additional attack surface.
Regulatory momentum is accelerating. The EU’s coordinated roadmap targets the start of PQC transition by end of 2026. The US has set federal migration deadlines of 2030-2035 under CNSA 2.0 and Executive Order 14144. NIST’s first PQC standards (ML-KEM, ML-DSA, SLH-DSA) are finalized, with Falcon expected around late 2026. A critical milestone arrives September 21, 2026, when all FIPS 140-2 validated cryptographic modules move to “Historical” status.
Sources
- Industrial Cyber — Industrial Systems Face Structural Gap in Quantum Readiness
- CISA — PQC Product Categories List
- Palo Alto Networks — Quantum Computing’s Threat to Cybersecurity
Commentary
This is one of those slow-moving threats that is easy to dismiss until the deadline hits. The challenge with OT systems is unique: you cannot just push a firmware update to a turbine controller or a water treatment PLC the way you would patch a web server. Many of these systems were designed before quantum computing was even a theoretical concern, and they will still be running when CRQCs arrive.
The “harvest now, decrypt later” scenario is what makes this urgent today, not tomorrow. Adversaries — particularly nation-states — are almost certainly collecting encrypted OT communications right now, banking on future decryption capability. For any organization operating critical infrastructure, the time to inventory cryptographic dependencies and begin planning the PQC migration is now. The September 2026 FIPS 140-2 sunset is a useful forcing function, but the real deadline is whenever an adversary decides your encrypted data is worth storing.


