
Post-quantum cryptography (PQC) protects industrial OT systems against future threats posed by quantum computers, a critical issue for companies managing essential and critical infrastructure. Today, organisations must be aware of and aligned with the NIS2 Directive and the Cyber Resilience Act (CRA), both aimed at ensuring operational continuity for essential entities and critical sectors in an ever‑evolving threat landscape.
Why is PQC becoming urgent for industrial OT?
Quantum computers will break the public-key cryptography currently used in PLCs, SCADA systems and protocols such as TLS or SSH, exposing sensitive data across factories, energy networks and transport systems. Attackers are already “harvesting” encrypted traffic today with the intention of decrypting it once a capable quantum computer exists. This is why it is crucial to identify these risks early through rapid assessments, protecting the business before it is too late.
Clear, proven standards
NIST has already standardised algorithms such as Kyber (now ML‑KEM) for key establishment and Dilithium (now ML‑DSA) for digital signatures. These algorithms are considered secure and are efficient enough even for constrained OT devices. Hybrid implementations (classical + PQC), which derive the session key from both a classical and a post‑quantum exchange so that it stays secret as long as either one holds, are particularly attractive: they do not disrupt day‑to‑day operations and have been tested in real environments with low added latency.
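The hybrid construction described above, as an added example (not code from Sener or the original article): a field device and a workstation each derive a session key from an X25519 exchange and an ML-KEM-768 encapsulation, combined with HMAC-SHA256 under a hypothetical protocol label. It assumes Go 1.24 or later for the standard-library `crypto/mlkem` package; the party names and label are illustrative.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must aborts the demo on its only failure modes: key generation or ECDH erroring.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hybridSecret folds both shared secrets into one 32-byte session key (HMAC-SHA256 under
// a fixed, hypothetical protocol label). Recovering it needs BOTH inputs, so a break of
// X25519 alone or of ML-KEM alone is not enough.
func hybridSecret(ecdhSecret, kemSecret []byte, ctx string) []byte {
	mac := hmac.New(sha256.New, []byte("hybrid-ot-kex-v1"))
	mac.Write(ecdhSecret)
	mac.Write(kemSecret)
	mac.Write([]byte(ctx))
	return mac.Sum(nil)
}

// HybridHandshake runs one X25519 + ML-KEM-768 exchange between a field device (static
// keys) and a workstation (ephemeral X25519 key) and returns both derived session keys.
func HybridHandshake() (workstationKey, deviceKey []byte) {
	curve := ecdh.X25519()
	devECDH := must(curve.GenerateKey(rand.Reader)) // device: static X25519 key
	devKEM := must(mlkem.GenerateKey768())          // device: static ML-KEM key
	// Workstation side; only wsECDH's public key and kemCiphertext cross the network.
	wsECDH := must(curve.GenerateKey(rand.Reader))
	wsSecret := must(wsECDH.ECDH(devECDH.PublicKey()))
	kemSecretWS, kemCiphertext := devKEM.EncapsulationKey().Encapsulate()
	workstationKey = hybridSecret(wsSecret, kemSecretWS, "ot-session")
	// Device side. ML-KEM rejects implicitly: a tampered ciphertext yields a different
	// secret rather than an error, so the protocol must confirm keys before use.
	devSecret := must(devECDH.ECDH(wsECDH.PublicKey()))
	kemSecretDev := must(devKEM.Decapsulate(kemCiphertext))
	deviceKey = hybridSecret(devSecret, kemSecretDev, "ot-session")
	return workstationKey, deviceKey
}

func main() { fmt.Println("session keys agree:", hmac.Equal(HybridHandshake())) }
```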
European regulations impacting operations
NIS2 and the CRA require crypto‑agility in critical infrastructures from 2026 onwards, with transitional periods extending to 2030 for legacy systems. IEC 62443 already incorporates PQC for industrial control systems (ICS). At Sener, we carry out tailored NIS2 compliance assessments, delivering sector‑specific roadmaps, aligned with the Spanish industrial context, that help avoid fines and unplanned downtime.
Real OT challenges — and how to address them
Legacy OT devices often struggle to handle the larger keys and signatures of PQC algorithms, and upgrading them without interrupting production is complex. Our secure OTA update verification services and hybrid cryptographic modes address these challenges effectively.
Step‑by‑step recommendations
- Cryptographic inventory: mapping vulnerabilities and conducting an initial diagnostic.
- Laboratory testing: integrating Kyber and Dilithium into key protocols and measuring real operational impact.
- Phased migration: prioritising new equipment and business‑critical systems; where required, incorporating zero‑trust architectures and Purdue model segmentation.
- MDR monitoring: 24/7 monitoring with quantum‑aware alerts, compliant with Spain’s ENS framework.
In sectors such as defence and critical infrastructure, the transition to new cybersecurity models requires combining multiple layers of protection. Integrating post‑quantum cryptography with hybrid approaches and sector‑specific certification schemes enables these challenges to be addressed in a gradual, coherent manner, particularly in areas such as energy and transport.
Drawing on experience in OT cybersecurity and frameworks such as IEC 62443 and NIS2, these approaches allow organisations to assess risks, plan realistic migration paths and strengthen the resilience of industrial systems against emerging technological scenarios. Anticipation and regulatory alignment thus become key pillars in safeguarding operational continuity and industrial sovereignty.
César de la Serna
Systems Engineer from the Universidad Politécnica de Madrid. More than 20 years of experience managing cybersecurity, regulatory compliance and IT/OT convergence projects in highly regulated sectors. Expert in standards such as DORA, NIS2, RED, CRA, CER, ISO 27001 and IEC 62443, with a solid track record as CISO and head of consultancy and assessment of critical systems. Leader in the development of cybersecurity services, audits and certifications, and in relations with telecom operators and regulatory bodies. Strategic vision, execution capability and experience in managing multidisciplinary teams. Set up cybersecurity departments, implemented ISO 17025 and ISO 17065 certified laboratories and aligned with regulatory bodies (ETSI, INCIBE, UNE, TEDAE).