Organizations that have signed regulatory PQC readiness attestations without the operational capability to back them face dual exposure: regulatory penalty risk when attestations are tested against actual implementation, and liability risk if an HNDL breach surfaces operational data later decrypted and weaponized against infrastructure or commercial interests. Operational disruption risk is deferred but high-consequence — encrypted OT communications captured today from energy, water, or manufacturing control systems could expose operational logic, safety system configurations, and process parameters to adversaries once quantum decryption becomes feasible. Reputational and regulatory exposure is compounded by the compliance theater dynamic: leadership has affirmed readiness that the security team cannot operationalize.
You Are Affected If
Your OT/ICS environment uses legacy encrypted communications relying on RSA, ECC, or classical Diffie-Hellman key exchange on historian, SCADA, or HMI connections
Your organization has signed or is preparing PQC readiness attestations for NERC CIP, TSA pipeline directives, EPA water sector requirements, or other critical infrastructure regulatory programs
Your OT assets have lifecycles exceeding 10 years with no vendor-provided PQC migration path or firmware update capability
Your OT network allows outbound encrypted communications to vendor remote access endpoints, cloud historians, or third-party monitoring platforms without strict egress controls
Your environment lacks a cryptographic algorithm inventory — you do not have a documented list of which algorithms are in use across which OT asset classes
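One way to start the algorithm inventory that the last item calls for, as an added example that is not from the original advisory: it takes constructed connection records (asset class, host, protocol, key exchange, whether the session leaves the OT network), classifies each key exchange by whether a cryptographically relevant quantum computer breaks it, and rolls the counts up by asset class so the historian, SCADA and HMI tiers named above can each be checked against what was attested. The record format and sample values are assumptions; the ML-KEM hybrid group names follow the IANA TLS supported-groups spelling.

```python
from collections import defaultdict
# Key exchanges broken by Shor's algorithm: RSA key transport, finite-field DH, ECDH.
QUANTUM_VULNERABLE_KEX = {"RSA", "DHE", "DH", "ECDHE", "ECDH", "X25519", "P-256", "P-384"}
# Hybrid ML-KEM (FIPS 203) groups; assumption: IANA TLS supported-groups spelling.
PQ_SAFE_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768"}

def classify_kex(kex: str) -> str:
    """Return 'vulnerable', 'pq-safe' or 'unknown' for one key-exchange name."""
    name = kex.strip()
    if name in PQ_SAFE_KEX:
        return "pq-safe"
    if name in QUANTUM_VULNERABLE_KEX:
        return "vulnerable"
    return "unknown"  # unrecognized: needs manual review, never assumed safe

def build_inventory(records):
    """records: 'asset_class,host,protocol,kex,external' CSV lines (constructed format)."""
    inv = defaultdict(lambda: {"vulnerable": 0, "pq-safe": 0, "unknown": 0,
                               "vulnerable_external": 0})
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asset_class, _host, _proto, kex, external = (f.strip() for f in line.split(","))
        status = classify_kex(kex)
        inv[asset_class][status] += 1
        # Quantum-vulnerable sessions leaving the OT perimeter are the most exposed to HNDL capture.
        if status == "vulnerable" and external.lower() == "yes":
            inv[asset_class]["vulnerable_external"] += 1
    return dict(inv)

def attestation_gaps(inventory):
    """Asset classes that still carry any quantum-vulnerable key exchange."""
    return sorted(c for c, v in inventory.items() if v["vulnerable"] > 0)

# Constructed sample records (not from any real capture).
SAMPLE_RECORDS = [
    "# asset_class,host,protocol,kex,external",
    "historian,hist-01,tls1.2,ECDHE,yes",
    "historian,hist-02,tls1.3,X25519MLKEM768,yes",
    "scada,scada-master,tls1.2,RSA,no",
    "hmi,hmi-07,tls1.2,DHE,no",
    "hmi,hmi-08,tls1.2,vendor-proprietary,no",
]

if __name__ == "__main__":  # example run on the constructed records
    inventory = build_inventory(SAMPLE_RECORDS)
    print(inventory, "gaps:", attestation_gaps(inventory))
```

Feeding it real session metadata (for example passive TLS handshake observations from an OT network tap) instead of the constructed list gives the per-asset-class view that an attestation review needs.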
Board Talking Points
Nation-state actors are collecting our encrypted operational technology communications today with the intent to decrypt them once quantum computing matures — this is an active, ongoing threat, not a future one.
We recommend initiating a formal cryptographic asset inventory for OT systems within the next 90 days and reviewing any regulatory PQC attestations made to date for accuracy before the next audit cycle.
Organizations that take no action are accumulating both a growing data exfiltration liability and regulatory attestation exposure that will be difficult to defend when quantum decryption capability arrives or when regulators begin verifying compliance claims.
NERC CIP — bulk electric system operators are subject to evolving FERC and NERC guidance on supply chain and cryptographic controls; PQC readiness attestations tie directly to CIP-013 and related standards
TSA Pipeline Security Directives — pipeline operators under TSA SD-02C and successors are required to implement cybersecurity measures including encryption; PQC readiness intersects with attestation requirements under these directives
NIS2 (EU) — operators of essential services in EU member states face cryptographic adequacy requirements under NIS2 Article 21; legacy OT cryptography may constitute a reportable risk gap