
Empty Attestations: OT Lacks the Tools for Cryptographic Readiness
Why It Matters
Without verifiable cryptographic controls, critical infrastructure remains vulnerable to quantum‑enabled decryption and malicious firmware updates, threatening national power and water supplies.
Key Takeaways
- OT systems prioritize availability over security, limiting patching windows
- Legacy OT devices lack modern cryptography and cannot run post‑quantum algorithms
- Regulators demand cryptographic readiness attestations, but verification tools are absent
- Harvested encrypted OT traffic can be decrypted later with quantum computers
Pulse Analysis
The fundamental mismatch between IT and OT security models is at the heart of today’s risk. While corporate networks can be taken offline for updates, industrial control systems that manage power grids, water treatment, and manufacturing must stay online 24/7. Most of these devices were installed before encryption was standard, running on minimal hardware—sometimes as little as 32 KB of RAM—making retrofitting modern cryptographic suites impractical. Consequently, attackers can infiltrate using legitimate credentials, linger for months, and exfiltrate encrypted traffic without raising alarms.
Quantum computing amplifies this danger by turning today’s “secure” ciphertext into a future liability. Adversaries are already harvesting OT traffic, storing it for later decryption once quantum algorithms become viable. Even more alarming is the potential theft of firmware‑signing keys; with those, a threat actor could push malicious updates that appear authentic, compromising every device on a network without needing another breach. This “harvest‑now, decrypt‑later” model erodes the traditional assumption that past data remains forever protected.
Regulators are responding with attestation mandates that require asset owners to prove post‑quantum readiness. However, the assessment frameworks are borrowed from IT environments and lack the instrumentation to locate cryptography within opaque, legacy OT stacks. Until standards, tooling, and vendor support evolve to expose and upgrade embedded cryptography, attestations will remain paper‑based checkboxes. Industry leaders must prioritize developing lightweight, OTA‑compatible post‑quantum algorithms and invest in inventory tools that map cryptographic assets across the OT landscape, turning regulatory pressure into genuine resilience.