Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because harvest-now-decrypt-later (HNDL) campaigns are documented nation-state activity against OT-adjacent networks but cryptographically relevant quantum compute capable of decryption remains years away, creating a deferred rather than immediate exploitation window; however, the exfiltration phase is active today, meaning data is already being collected against which future decryption capability will be applied. Impact is high because the combination of unverifiable PQC attestations and confirmed HNDL exposure creates dual-path harm — regulatory enforcement action against attestations that cannot withstand operational scrutiny, and potential weaponization of decrypted OT operational data (process parameters, network topology, control logic) that could enable physical consequence events or extended strategic leverage against critical infrastructure operators.
Treatment rationale: The attestation credibility gap is an immediate, actionable governance risk requiring remediation before the next regulatory review cycle, while the HNDL threat requires near-term cryptographic inventory and segmentation controls — both are reducible through known actions, making avoidance impractical and acceptance untenable given the regulatory exposure already materialized.
Third-Party / Supply-Chain Risk
OT environments in energy, water, manufacturing, and transportation sectors operate legacy vendor ecosystems — PLCs, RTUs, SCADA platforms, historian software, and industrial communication protocols — where cryptographic agility is constrained by vendor firmware release cycles and long asset lifespans (10–25 years). Per NIST SP 800-161 framing: operators inherit cryptographic risk from OT vendors who have not yet published PQC migration roadmaps or whose hardware cannot support post-quantum algorithm suites without hardware replacement; supply-chain PQC readiness cannot be attested by the operator alone and requires verified roadmap disclosure from each critical OT vendor in the asset inventory. Shared-platform risk also exists for operators using cloud-connected OT data historians or managed SCADA-as-a-service offerings where encrypted telemetry in transit is exposed to third-party network paths subject to HNDL collection.
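As an added illustration (not part of this assessment and not any vendor's or standards body's tooling), the following Python screen turns the two concerns of the paragraph above into a per-asset check over a constructed OT cryptographic inventory. It applies the usual harvest-now-decrypt-later test, data shelf life plus migration time greater than the assumed years until a cryptographically relevant quantum computer, and separately records whether a PQC-readiness attestation for the asset could be substantiated (vendor roadmap published and firmware PQ-capable). The asset fields, the `PQ_KEX_MARKERS` list, the three-year vendor firmware cycle, the ten-year CRQC planning horizon and all inventory entries are assumptions constructed for the example, not figures from this document.

```python
"""HNDL exposure screen over a constructed OT cryptographic inventory.

For each asset the screen asks two separate questions that the risk entry
keeps apart: (1) is traffic from this asset worth harvesting now because it
will still be sensitive when a cryptographically relevant quantum computer
(CRQC) exists, and (2) could the operator substantiate a PQC-readiness claim
for it today (vendor roadmap published AND firmware able to run PQ key
exchange).
"""
from dataclasses import dataclass

# Assumption: a key-exchange label carrying one of these markers (pure or
# hybrid ML-KEM) is treated as PQ-ready; everything else is classical and
# therefore breakable by a CRQC.
PQ_KEX_MARKERS = ("ML-KEM", "MLKEM", "KYBER")


@dataclass(frozen=True)
class OtAsset:
    name: str
    vendor: str
    key_exchange: str            # e.g. "RSA-2048", "ECDHE-P256", "X25519MLKEM768"
    remaining_life_years: int    # years until planned hardware replacement
    data_shelf_life_years: int   # years the captured traffic stays sensitive
    vendor_pqc_roadmap: bool     # vendor has published a PQC migration roadmap
    firmware_pqc_capable: bool   # current firmware/hardware can run PQ key exchange
    third_party_path: bool       # telemetry crosses a cloud/managed-service path


def is_pq_ready(key_exchange: str) -> bool:
    label = key_exchange.upper()
    return any(marker in label for marker in PQ_KEX_MARKERS)


def migration_years(asset: OtAsset, vendor_cycle_years: int) -> int:
    """Earliest realistic time to move the asset onto PQ key exchange.

    Assumption: a PQ-capable unit can be updated within one vendor firmware
    release cycle; a unit that is not PQ-capable cannot change until it is
    replaced at end of life.
    """
    if asset.firmware_pqc_capable:
        return vendor_cycle_years
    return asset.remaining_life_years


def assess(asset: OtAsset, crqc_horizon_years: int, vendor_cycle_years: int = 3) -> dict:
    """Shelf life + migration time > CRQC horizon => HNDL-exposed."""
    if is_pq_ready(asset.key_exchange):
        return {"asset": asset.name, "hndl_exposed": False,
                "attestable": True, "action": "none"}
    attestable = asset.vendor_pqc_roadmap and asset.firmware_pqc_capable
    years_needed = asset.data_shelf_life_years + migration_years(asset, vendor_cycle_years)
    exposed = years_needed > crqc_horizon_years
    if not exposed:
        action = "monitor"
    elif asset.firmware_pqc_capable:
        action = "patch"               # PQ update within the vendor cycle
    else:
        action = "replace-or-segment"  # hardware cannot be made PQ-capable
    if exposed and asset.third_party_path:
        action += "+isolate-third-party-path"  # remove the collection path now
    return {"asset": asset.name, "hndl_exposed": exposed,
            "attestable": attestable, "action": action}


def exposed_assets(inventory, crqc_horizon_years, vendor_cycle_years=3):
    """Names of assets whose traffic is worth harvesting today."""
    return sorted(a.name for a in inventory
                  if assess(a, crqc_horizon_years, vendor_cycle_years)["hndl_exposed"])


def attestation_gaps(inventory):
    """Assets for which a PQC-readiness attestation could not be substantiated."""
    return sorted(a.name for a in inventory
                  if not (is_pq_ready(a.key_exchange)
                          or (a.vendor_pqc_roadmap and a.firmware_pqc_capable)))


# Constructed sample inventory (not real vendors, assets or lifetimes).
INVENTORY = [
    OtAsset("PLC-line3", "vendor-A", "RSA-2048", 18, 15, False, False, False),
    OtAsset("RTU-substation7", "vendor-B", "ECDHE-P256", 12, 10, True, True, True),
    OtAsset("historian-cloud", "vendor-C", "X25519MLKEM768", 5, 10, True, True, True),
    OtAsset("HMI-panel2", "vendor-B", "ECDHE-P256", 4, 2, True, True, False),
]

# Planning parameter chosen by the operator, not a forecast.
CRQC_HORIZON_YEARS = 10

if __name__ == "__main__":
    for asset in INVENTORY:
        print(assess(asset, CRQC_HORIZON_YEARS))
    print("HNDL-exposed:", exposed_assets(INVENTORY, CRQC_HORIZON_YEARS))
    print("Cannot attest:", attestation_gaps(INVENTORY))
```

The point of keeping `hndl_exposed` and `attestable` as separate outputs is that they drive different treatments: the RTU in the sample is attestable (roadmap and firmware in place) yet still exposed because its telemetry shelf life outlasts the horizon, while the PLC is both exposed and unattestable because only hardware replacement can change its key exchange. An operator's real screen would populate the inventory from discovery data rather than literals.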
Loss Exposure (illustrative)
Magnitude: high — illustrative $5M–$50M per operator for a scenario in which an HNDL-collected OT dataset is decrypted and weaponized, anchored to the combination of: regulatory penalty exposure for false attestation; incident response and forensic costs to reconstruct what was exfiltrated over multi-year collection windows; potential operational disruption costs if decrypted control logic enables a subsequent intrusion; and reputational harm for critical infrastructure operators with public-safety mandates. The upper bound reflects large grid or water system operators where decrypted topology data has physical-consequence potential.
Frequency: illustrative. For an operator with confirmed OT network exposure to nation-state reconnaissance activity, HNDL exfiltration may already be in progress, making the collection-phase frequency effectively current. The decryption-and-weaponization event frequency is illustratively low (once per decade per operator) under current cryptographically relevant quantum compute timelines, but the regulatory attestation enforcement event frequency is moderate (once per 1–3 year regulatory cycle) and independent of quantum timelines.
Annualized: illustrative ALE. The regulatory enforcement exposure component (moderate frequency × moderate-high magnitude for attestation failure) is more near-term and more estimable than the HNDL decryption component. A blended illustrative annualized figure of $500K–$3M per operator reflects primarily the regulatory and incident-readiness cost stream, not the tail-risk physical-consequence scenario, which is not reducible to an annual estimate at this confidence level.
Basis: Magnitude anchored to: (1) regulatory penalty ranges published under NERC CIP and EPA/AWIA enforcement precedents as order-of-magnitude reference, not specific case citation; (2) forensic scope complexity for multi-year OT telemetry exfiltration, which is structurally larger than a point-in-time IT breach; (3) operational disruption cost asymmetry in OT environments where recovery timelines are constrained by vendor support and hardware lead times; (4) attestation-specific legal exposure as an additive cost layer not present in standard vulnerability scenarios. No third-party benchmark reports cited. All figures are illustrative and operator-specific variables (asset scale, sector, regulatory jurisdiction, existing PQC inventory) will materially shift the range.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Submission of PQC readiness attestations to regulators that are later found unsubstantiated may constitute a material misrepresentation in regulatory filings — verify with counsel whether existing attestations require qualification or correction before the next review period.
• If operational data encrypted over OT network segments is later confirmed exfiltrated as part of an HNDL campaign and subsequently decrypted, this may constitute a reportable security incident or data breach under sector-specific regulatory frameworks (e.g., NERC CIP, AWIA, TSA pipeline directives) — verify with counsel regarding disclosure obligations and timing.
• Cyber-insurance policies with representations-and-warranties provisions tied to cryptographic controls or regulatory compliance posture may be implicated if attestations are found unsupported at claim time — verify with broker whether current policy language creates a warranty condition on PQC readiness representations.
• Contracts with government agencies or critical infrastructure counterparties that reference NIST PQC compliance timelines or CISA quantum-readiness guidance may contain compliance milestones the operator cannot currently meet — verify with counsel regarding notice or cure obligations under those agreements.