Cleantech and Quantum Computing: Critical Infrastructure Cybersecurity
The clean technology industry, or “cleantech,” is the newest arm of our critical infrastructure and accounts for approximately 20% of U.S. power generation. In fact, we have already realized some of the benefits of increased use of cleantech to store solar energy and release it back to the grid, in one example to prevent an energy crisis during recent heatwaves in California.
The newest wave of computing, quantum computing, is promising to revolutionize how we model and allocate energy throughout our grid to eliminate blackouts and other power-related failures. The share of energy generated from cleantech is only going to increase with time and thus benefit from the optimization brought about by quantum computing.
Quantum computing, however, is a double-edged sword and its interaction with cleantech will be complex. While we will see many gains from its increased efficiency and predictive modeling, quantum computing is a powerful technology that can be leveraged to disrupt instead of help the power grid. How will this happen? As part of America’s energy grid, cleantech solutions are constantly threatened by malicious actors who want to disrupt U.S. critical infrastructure. Cleantech companies rely on cryptography to protect their data and IT environments while securing energy delivery to the correct place at the correct time.
In the wrong hands, quantum computing can break the cryptography used by cleantech and the power grid at large. Using this type of attack, malicious actors could take control of devices that control both the distribution and generation of power with ruinous potential consequences. Recall the Colonial Pipeline breach in May 2021 when a ransomware attack infected some of the pipeline’s digital systems, shutting it down for several days. Its effects were widespread, including, for example, causing a jet fuel shortage for many airline carriers and disrupting airports. People panicked, and there was a run on gas stations in many states, including back East, where some people filled plastic bags with gasoline.
To help defend against attacks like these, post-quantum cryptography (PQC) is being developed to ensure that society can reap the benefits of quantum computing and cleantech without worrying about the potential harm brought about by bad actors. PQC is exactly what it sounds like – cryptography for the post-quantum era (i.e., cryptography that is not vulnerable to quantum computing attacks). Multiple PQC technologies are available now to enable cleantech to remain secure in the face of this new and serious threat. The federal government has also made significant moves that helped the cause of implementing quantum-resilient cybersecurity across government branches. First, a White House memorandum in May mandated that all agencies using National Security Systems (NSS) start the upgrade process to quantum-resilient cybersecurity. The memorandum went even further, requiring these agencies to identify instances of non-quantum-resilient algorithms and provide a timeline to transition these NSS to quantum-resilient standards. Secondly, the National Institute of Standards and Technology (NIST) announced one of the final choices for standardization of post-quantum algorithms on July 5, two years earlier than expected.
The Cleantech Industry and Risk Exposure(s)
Cleantech encompasses a wide range of businesses that include renewable energy production, new recycling technologies and other forms of environmentally friendly technology. From a cybersecurity perspective, cleantech is a target in two ways.
The first has to do with cleantech as a business model. It is an industry that relies on closely guarded trade secrets and intellectual property. Cleantech companies are vulnerable to data breaches. If their priceless patented information and proprietary research data are breached, these companies might go out of business. Cleantech firms are also exposed to the risk of disruption. This could put American cleantech players at a competitive disadvantage internationally.
The second area of risk exposure involves cleantech that has been deployed. Cleantech solutions are making their way into America’s critical infrastructure. For example, wind and solar power driven by the latest in cleantech innovations are part of the U.S. electric power grid. As such, they are exposed to the same kinds of cybersecurity threats that target gas, coal and nuclear power plants, as well as transmission infrastructure. A successful attack could disrupt power distribution on a monumental scale. Sophisticated attackers, including nation-state actors, may want to attack this electrical infrastructure with the goal of destabilizing the United States. For this reason, the Cybersecurity, and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), includes electrical generation as one of its National Critical Functions.
Cleantech Security Practices
Cleantech companies’ cybersecurity practices depend on context. As businesses, they use standard cybersecurity countermeasures like firewalls, virtual private networks and data encryption to mitigate risks of data breaches and business disruption. As part of the national energy grid, cleantech solutions are subject to various industry and government cybersecurity frameworks to ensure that they comply with the high-security needs of a critical asset.
Furthermore, some companies that are part of the “Bulk Electric System” (BES) need to adhere to standards set out by the North American Electric Reliability Corporation (NERC). The NERC Critical Infrastructure Protection (NERC CIP) standards guide power utilities and related businesses on cybersecurity practices. For example, NERC CIP 011 deals with the “protection of BES cyber system information.” The CISA also requires power utilities to comply with the NIST 800-53 Cybersecurity Framework (NIST CSF), which is like NERC CIP.
The Quantum Threat Changes Cleantech’s Status Quo
Cryptography is essential for data protection and systemic defense at cleantech companies, as well as for cleantech solutions that are deployed. For years, existing cryptographic technologies, such as 1024- or 2048-bit asymmetric keys, were mostly unbreakable. Unless someone made an error in their configuration and installation (a common enough occurrence), encrypted data was usually safe. That is quickly changing.
Quantum computers, which could demonstrate enough power to break our current encryption in the next few years, will be able to process cryptography cracking processes at an exponentially faster speed than is possible even with today’s fastest conventional supercomputers. That 1024-bit key, which would now take centuries to break using classical computers, could be broken by a quantum computer in a matter of minutes.
This is not good news for cleantech. (Nor is it good news for any entity protecting data with encryption.) All that valuable intellectual property might as well be sitting on an open file share. Without PQC, it means the systems that power cleantech businesses will be defenseless against hackers. Cleantech solutions that are part of the power grid will be similarly exposed. Armed with quantum computers, malicious actors will be free to bring American electrical generation and distribution to a standstill.
Mitigating the Quantum Threat
CISA and others are not waiting around to find out what this quantum attack on American critical infrastructure will look like; the agency published guidance titled Preparing for Post-Quantum Cryptography this year. The guidance, prepared in collaboration with NIST, sets out several steps that critical infrastructure companies must take over the next couple of years to prepare for the oncoming quantum threat. It is recommended that companies begin to inventory their critical data and systems. They must then inventory their cryptographic technologies and internal standards. This includes public-key cryptography, which is most vulnerable to quantum attacks, as well as other cryptosystems.
Post-Quantum Cryptography
Cleantech companies that want to get out ahead of the quantum threat as well as be compliant with CISA guidelines need to start moving toward post-quantum cryptography. This is an innovative approach to cryptography that changes the way keys are generated, managed and used. The technology uses what is known as “lattice-based cryptography,” which generates encryption keys by means of a highly complex mathematical “lattice” of calculations. This approach makes it nearly impossible, even for a quantum computer, to crack. The lattice’s pattern makes it extremely hard for the attacker to know where to begin. Other types of algorithms provide similar protection from the quantum threat and will ensure that data and critical systems will remain secure decades into the future.
It’s understandable that cleantech organizations make good targets for cybercriminals, and this will be especially true when they can leverage quantum technology for destruction. The threat is real, and the time to act is now, considering it will take many years to prepare today’s cleantech networks to defend against quantum attacks. The good news is that industry requirements, standards recommendations and PQC technology are all here and available today to help the cleantech sector on its journey toward quantum resiliency.
