Why we need to quantum-proof embedded systems now

The advent of the quantum era is no longer a question of if, but when. Quantum computing is advancing at a rapid rate, accelerated by increasing global investment backing ongoing developments in both core and supporting technology.

Now that quantum computers could be commercially available in the next five to seven years, there is an urgent need to future-proof embedded systems across the supply chain.

Last week, the Australian Signals Directorate (ASD) published a guide for Australian organisations “to consider anticipating future requirements and dependencies of vulnerable systems” in the transition to post-quantum computing. As such, Australia must shore up its defences against the imminent post-quantum cyber threat, dubbed “Y2Q”, for sharing the same ominous potential and massive software recoding requirement as Y2K.

Quantum computing technology will be much faster and more powerful than classical computers, leaving all systems and devices vulnerable and posing a significant threat to critical industries – particularly those operating legacy or long-life connected devices.

Securing the supply chain

In recent years, we have seen the software supply chain become a “hot” and lucrative target for threat actors, especially as the impact of a supply chain attack can be far greater than targeting an individual victim. A glaring example of this is the SolarWinds attack in 2020.

Australia should heed the warnings of countries around the world that suffered cyber attacks in 2021 against critical infrastructure, such as water treatment plants and pipelines.

These devastating attacks and continued attempts in the context of the Ukraine war have prompted a joint cyber security advisory co-authored by US, Australian, Canadian, New Zealand, and UK cyber authorities, with actions critical infrastructure organisations should implement to immediately protect against state-sponsored and criminal cyber threats.

VIEW ALL

As the supply chain continues to be globally interconnected, any point can become a “weak link”, meaning no organisation or government agency is immune to cyber attacks. This weak link can be in enterprise software, or in embedded devices which industry has come to rely upon to automate tasks such as managing city traffic signals or power and water systems.

With many industries already grappling with the challenging realities of geopolitical tensions and inflation impacting the cost of doing business, protecting IT supply chains and critical infrastructure will help organisations miniminse unnecessary costs, maintain continuity of operations, and even protect human lives from harm.

The pending threats

In the next 10 to 15 years, it will be possible for quantum technology to decrypt traditional public key cryptosystems, allowing threat actors to bypass today’s encryption methods and exploit critical systems and embedded devices.

Many systems and devices that we rely on, including critical infrastructure and connected cars, are being built today to last upwards of 10 years. And with commercial quantum computers as little as five years away, these must be built to withstand future threats.

There is an opportunity to mitigate the threat of quantum decryption attacks against products currently in development, by embedding security by design. This offers far more advantages than retroactively recoding embedded devices to withstand the threats of tomorrow.

A secure-by-design approach must also be taken in the development of “smart city” initiatives, such as Sydney’s smart city strategic framework. Vulnerability to quantum decryption attacks will be a major concern for the safety of connected transport systems, buildings and utility infrastructure – and the people that use them.

As IoT systems and embedded devices become increasingly connected, including critical infrastructure, the threat surface expands. Not only can this be very expansive, but it can have life-threatening implications. With interconnectivity as the backbone, IoT entities like streetlights, phones, and cameras embedded with sensors and software are abundant – therefore multiplying the vulnerabilities that hackers could exploit.

Y2Q is a particularly insidious problem as threat actors can plant malware that remains dormant or steal encrypted data, while quantum technology is still being developed, with a view to mobilising the malware or decrypting the information later.

Working towards a solution

“Secure by design” solutions are being developed to help businesses and government prepare for post-quantum attacks. It’s never too early to start working towards crypto-agile design that guards against an increasingly risky future when quantum computers can bypass public key encryption (PKI) used by most organisations to secure sensitive data.

Using quantum-resistant signature schemes such as dilithium (endorsed by the US National Institute of Standards and Technology – NIST) for low-level device firmware, over-the-air software updates and software bills of material (SBOMs) mitigates the risk of potential quantum computing attacks on critical software updates, addressing a major security concern for a number of industries.

Quantum resistant technology will safeguard those relying on – and delivering – long life cycle assets such as systems in critical infrastructure, industrial controls, aerospace and military electronics, telecommunications, transportation infrastructure, and connected cars.

In the lead up to Y2K, US businesses alone spent upwards of $100 billion to avoid calamity and the issue was simply a matter of adding two digits to the date field. Y2Q, when quantum attacks become possible, is on another level, posing a significant threat to industries selling or operating long-lived assets with updatable software.

Businesses and government must be equipped with the tools they need now to prevent their existing security measures from becoming obsolete.

Jim Alfred is the vice president at BlackBerry Technology Solutions, Certicom.