Why do embedded systems need to be quantum-proof?


The advent of the quantum era is no longer a question of “if”, but of “when”. Quantum computing is advancing at a breakneck pace, driven by increasing international investment that supports the continual development of key and supporting technologies. Since quantum computers could be commercialized within five to seven years, there is an urgent need to prepare embedded systems across the supply chain for that future.

Many institutions are now providing guidance to businesses so they can anticipate the requirements and dependencies of critical systems as they transition to post-quantum computing. Many countries around the world need to strengthen their defenses against the looming post-quantum cyber threat, dubbed “Y2Q”. Like the “year 2000 bug” before it, post-quantum computing carries the same worrying character and the same requirement for massive recoding of software.

While this technology will be much faster and more powerful than conventional computers, it will make all systems and devices vulnerable and pose a significant threat to critical industries, especially those that operate old or long-lived connected devices.

Securing the supply chain

In recent years, the software supply chain has become the most lucrative target for threat actors, especially since the impact of an attack can be much greater than if it were directed at an individual. The attack on SolarWinds in 2020 is a glaring example.

In France, ANSSI issued warnings in response to cyberattacks perpetrated in 2021 against critical infrastructure, such as water treatment plants and pipelines. In the rest of the world, these events and the relentless attack attempts (in the context of the war in Ukraine) have raised awareness and led to an advisory guide co-authored by the American, Australian, Canadian, New Zealand and British cyber authorities: the CSA. This guide proposes actions that critical infrastructure companies and organizations should put in place to protect themselves immediately against cyber threats carried out by states or independent criminal groups.

As the supply chain is increasingly interconnected on an international scale, any point of contact can become a “weak link”, meaning that no company or public service is immune to cyberattacks. This link can be found in enterprise software or in the embedded devices that industry relies on to automate tasks such as managing traffic lights or water and electricity networks.

With many industries already grappling with the consequences of geopolitical tensions and inflation, protecting IT supply chains and critical infrastructure will help businesses and institutions minimize unnecessary costs, maintain business continuity, and even protect human lives.

Threats loom on the horizon

Over the next decade, it will be possible for quantum technology to break traditional public-key cryptosystems, allowing threat actors to circumvent current encryption methods and exploit critical systems and embedded devices. Many of the systems and devices we depend on, including critical infrastructure and connected cars, are built today to last more than 10 years. And since quantum computers won’t be commercialized for another five years, these systems must be built to withstand future threats.

It is possible to protect products under development against these threats, in particular by adopting a “security by design” approach. This offers far more benefits than retroactively recoding devices to withstand future threats. This approach should also be used in the development of smart cities. Vulnerability to quantum attacks on encryption will be a major concern for the security of systems dedicated to transportation, buildings and connected utility infrastructure – as well as the people who use them.

As IoT systems and embedded devices, including critical infrastructure, become increasingly connected, the threat surface expands. Not only is this perimeter getting wider, but potential attacks can sometimes have deadly consequences. With interconnectivity as the backbone, IoT devices (such as streetlights, phones, and on-board cameras with sensors and software) have become commonplace – multiplying the number of vulnerabilities that hackers could exploit.

This digital insecurity (Y2Q) is a particularly insidious problem. This is because threat actors can plant dormant malware or steal encrypted data while quantum technology is still under development, then mobilize that malware or decrypt the information later, in due time.

Find a solution

“Secure by design” solutions are currently being developed to help companies and administrations prepare for future post-quantum attacks. To head off potential storms, anticipation is widely recommended. Companies must therefore, from now on, work on a crypto-agile design that can protect against the threats of tomorrow. In such a context, quantum computers could bypass the public key infrastructure (PKI) used by most organizations to secure sensitive data.

Using quantum-resistant signature systems for low-level device firmware, over-the-air software updates, and software bills of materials (SBOM) mitigates the risk of potential attacks. This addresses a major security issue for a number of sectors. Quantum-resilient technology will protect those who depend on – and provide – long life cycle solutions such as critical infrastructure systems, industrial controls, aerospace and military electronics, telecommunications, transportation infrastructure and connected cars.
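As an added illustration (not code from this article or from any vendor), the sketch below shows what a crypto-agile check of a signed firmware update can look like: the signature algorithm is a policy-controlled table entry rather than a hard-coded choice, and the signature itself is hash-based. The manifest layout, the names `verify_update` and `ALLOWED_ALGS`, and the use of a toy Lamport one-time signature as a stand-in for a standardized quantum-resistant scheme are all assumptions made for the example.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    # One-time key: 256 pairs of random secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg):
    # Reveal one secret per digest bit. A key must never sign two messages.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

# Crypto-agility: algorithms live in a table, and policy decides which are accepted.
VERIFIERS = {"lamport-sha256": lamport_verify}   # hypothetical algorithm label
ALLOWED_ALGS = {"lamport-sha256"}                # e.g. "rsa-2048" is deliberately absent

def signed_bytes(alg, key_id, version, image):
    # Bind algorithm, key id and version to the image hash so none can be swapped.
    return f"{alg}|{key_id}|{version}|{H(image).hex()}".encode()

def sign_update(sk, alg, key_id, version, image):
    sig = lamport_sign(sk, signed_bytes(alg, key_id, version, image))
    return {"alg": alg, "key_id": key_id, "version": version, "sig": sig}

def verify_update(manifest, image, trusted_keys):
    alg, key_id = manifest.get("alg"), manifest.get("key_id")
    if alg not in ALLOWED_ALGS or alg not in VERIFIERS:
        return False                      # unknown or retired algorithm
    pk = trusted_keys.get((alg, key_id))
    if pk is None:
        return False                      # no trust anchor for this alg/key pair
    msg = signed_bytes(alg, key_id, manifest.get("version"), image)
    return VERIFIERS[alg](pk, msg, manifest.get("sig", []))
```

Retiring an algorithm on a fielded device then means removing one entry from `ALLOWED_ALGS` and provisioning a trust anchor for its replacement, without touching the update logic.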

As the year 2000 approached, businesses around the world spent billions of dollars to avert a possible catastrophe, when the problem was simply adding two digits to the date field. When quantum attacks become possible, this new problem will reach a whole new level and pose a significant threat to industries that sell or operate long-lived tools with updatable software. Therefore, companies and administrations must equip themselves now with the necessary tools to prevent their current security measures from becoming obsolete.




