How utilities can keep quantum threats from crashing the grid
Widespread power outages. Damaged grid assets. Disrupted grid operations. Fires. Injuries. Loss of life. No one likes thinking about the frightening things that could happen if bad actors gain access to a power grid’s operational data.
That’s why power utilities are always working to protect their data from increasingly large, complex and frequent cyber threats. But the challenge is about to get tougher. The rapid evolution of quantum computing means that bad actors could soon have access to a cryptographically relevant quantum computer (CRQC) that can crack existing data encryption schemes and provide them with a gateway to intrude into the grid.
No one knows when this day – known as Q-Day – will come. But one thing is clear: Utilities need to start building quantum-safe networks now.
The quantum threat is real
Quantum computers are the next evolutionary leap of computing technology. Instead of relying on the classical binary bits (0 or 1) used in today’s computers, quantum computers use qubits that can exist in a superposition of both states simultaneously. This remarkable quantum property enables them to perform an enormous number of mathematical calculations in parallel, providing immense computational power far beyond what’s achievable today.
In simpler terms, quantum computers can perform exponentially more operations than current computers in the same amount of time, which means they can support applications that rely on massive and complex sets of mathematical operations. This promises to unlock many positive possibilities for utilities and other industries. The trick is to develop algorithms that can harness these powers.
Unfortunately, quantum computing also creates opportunities for bad actors. Researchers are already publishing algorithms that can break the encryption schemes the world relies on to protect sensitive data. It would take thousands of years for classical computers to use these algorithms to crack the best current encryption methods. If they run on a quantum computer with enough qubits, these algorithms could do it in hours or even seconds.
For example, Shor’s algorithm is a quantum algorithm that can perform prime factorisations of huge integers. Asymmetric encryption algorithms, such as the Rivest–Shamir–Adleman (RSA) public key algorithm, rely on prime factorisation being too hard to carry out for such integers. A bad actor could easily break RSA encryption with Shor’s algorithm running on a quantum computer. Public Key Infrastructure (PKI) algorithms are no longer a safe way to encrypt sensitive data.
It’s time for utilities to act
Most people think of quantum computing as a future technology – and of quantum threats as something to worry about later. The reality is that quantum computing has evolved from an academic interest into the early stages of commercialisation. While they’re still extremely difficult to build, need to run in highly specialised environments and require unique expertise from many disciplines, quantum computers are becoming increasingly accessible.
So far, only deep-pocketed enterprises and well-funded private institutions, universities and research groups have been able to afford to invest in quantum computing. Nevertheless, this cutting-edge field is rapidly progressing to practical implementations. Utilities must prepare for the imminent quantum era.
Although bad actors may not yet have access to quantum computers, they can still pose a significant threat today. That’s because cutting-edge storage technology now enables almost limitless data storage. Malicious entities could already be harvesting massive volumes of encrypted data on grid assets and operations. When Q-Day arrives, they will be able to decrypt this data to attack the grid. This is the so-called harvest now, decrypt later (HNDL) threat, a ticking time bomb that utilities and other critical infrastructure providers can’t afford to ignore.
How can data harvesting happen? One common way is fibre tapping, an attempt to access in-flight data. If bad actors succeed in decrypting the data, they will be able to analyse grid communications and could try to compromise communications traffic between substations or manipulate an asset’s behaviour. For example, they could inject spoofed traffic to make a turbine spin faster than it should or overwhelm an intelligent electronic device (IED) that performs a critical control function. The effects could be catastrophic.
Utilities can’t wait for these HNDL attacks to happen. They need to start looking ahead and developing new strategies for maintaining the integrity and security of their mission-critical operations networks and encrypted data.
Regulatory compliance requirements may compel utilities to prepare for the post-quantum threat scenario. This will increase the pressure to protect their infrastructure against any attacks.
Are utilities ready for the quantum threat?
Power utilities need to be alert to existing and emerging cyber threats. They also need to be prepared to tackle them. Most are trading microprocessor-based assets for software-based, data-driven operations. Many are also migrating grid communications from legacy TDM and SONET/SDH networks to packet-based IP and Ethernet networks. These changes are essential for automated, digital grid operations. But they also expand the attack surface.
Utilities are generally well prepared for current threats because they have to comply with regulations that call for the encryption of mission-critical data transmissions. But they’re not all prepared to the same degree. And while growing awareness of the quantum threat is a good thing for utilities, protecting the grid from these threats will require utilities to level up their cyber defenses. They will also have to commit to keeping up to date on the latest threats and best practices for mitigating them.
Quantum-safe networks are within reach today
The good news is that there is a security solution that can protect critical grid communications traffic against current and future quantum threats. It’s built around standards-based encryption methods that are familiar to utilities. And it turns the network into a strong first line of defence against quantum attacks on utility infrastructure, including substations, power generation plants and control centres.
We’ve already established that quantum computers and algorithms can crack many existing encryption methods. This means utilities need to move up to quantum-safe encryption to protect their operational data traffic.
Organisations such as the National Institute of Standards and Technology (NIST) in the US and the European Telecommunications Standards Institute (ETSI) are hard at work developing standards for math-based post-quantum cryptography (PQC) algorithms. These algorithms will provide essential protection for critical in-flight data. Prototypes are currently being tested while the standards are being finalised.
What can utilities do to make their networks quantum-safe today? A well-tested strategy is to implement a defence-in-depth approach that protects critical applications by deploying symmetric key encryption technologies at different layers of the network, such as MACsec for the data link layer and OTNsec for the optical layer.
Utilities need to combine these technologies with a trusted random key generator that can generate encryption keys with sufficient entropy so that they can’t be compromised. The keys also need to be long enough, and they must be used with a quantum-resistant encryption algorithm. It is widely recognised that AES-256 encryption, used by both MACsec and OTNsec, is a robust cryptographic technology that can withstand a quantum attack. AES-256 is immune to Shor’s algorithm because, unlike RSA, its security does not rest on a mathematical problem such as prime factorisation. Its key length is long enough to withstand brute-force attacks that use the quadratic search speed-up of Grover’s algorithm. In short, AES-256 provides a formidable defence against quantum threats.
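To make the Grover argument above concrete, the following added example (not part of the original article) classically simulates Grover's search over a constructed 10-bit toy key space and then extrapolates the iteration count to real AES key sizes. The function names and the toy key value are assumptions chosen for illustration.

```python
import math

def grover_key_search(n_bits, secret_key):
    """Classically simulate Grover's search over a toy n_bits key space.

    Returns (recovered key, oracle calls used, success probability).
    """
    size = 1 << n_bits
    # Start in a uniform superposition: every candidate key equally likely.
    amp = [1 / math.sqrt(size)] * size
    # Optimal number of Grover iterations is about (pi/4) * sqrt(size).
    iterations = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(iterations):
        # Oracle: flip the phase of the one key that decrypts correctly.
        # (Here it is marked by index; against a real cipher the oracle would
        # have to evaluate the cipher itself inside the quantum circuit.)
        amp[secret_key] = -amp[secret_key]
        # Diffusion: reflect every amplitude about the mean amplitude.
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]
    best = max(range(size), key=lambda k: amp[k] ** 2)
    return best, iterations, amp[best] ** 2

def classical_expected_trials(n_bits):
    """Average guesses for a classical exhaustive search: half the key space."""
    return (1 << n_bits) // 2

def grover_work_log2(key_bits):
    """log2 of the Grover iterations needed for a key of key_bits bits."""
    return key_bits / 2 + math.log2(math.pi / 4)

if __name__ == "__main__":
    key, calls, prob = grover_key_search(10, secret_key=0x2A7)  # constructed toy key
    print(f"10-bit toy key: found {key:#x} in {calls} iterations (p={prob:.4f}); "
          f"classical average is {classical_expected_trials(10)} guesses")
    for bits in (128, 256):
        print(f"AES-{bits}: about 2^{grover_work_log2(bits):.1f} Grover iterations")
```

The quadratic speed-up halves the exponent rather than removing it: a 256-bit key still requires roughly 2^128 sequential quantum iterations, whereas a 128-bit key drops to roughly 2^64.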
By acting now to implement quantum-safe encryption, utilities will be able to protect their data from HNDL attacks today and be ready for anything when Q-Day arrives.
This article was originally published on Energy Central, and is co-authored with Mauricio Subieta and Hansen Chan.