CRITICAL UK INFRASTRUCTURE IS UNPREPARED FOR QUANTUM THREATS

Quantum attacks could hit critical national infrastructure hardest, exposing vulnerabilities in legacy systems and interdependent networks.  

Quantum computing is advancing rapidly, and when it reaches scale, it will have the power to break the encryption that underpins our digital world. For critical national infrastructure (CNI), this is a matter of public safety, national security, and economic stability. 

CNI faces significant vulnerability to the threats posed by quantum computing. Today’s public-key cryptography, which secures communications, protects sensitive data and underpins control systems, will not withstand quantum attacks. 

Algorithms like Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) are the mathematical locks that protect today’s digital communications, and are embedded in countless systems, from power grids to railway signalling and air traffic control.

They keep sensitive data confidential, prove that people are who they claim to be, and ensure that sensor readings have not been tampered with. Without them, modern infrastructure would be much easier to deceive or hijack.

These algorithms rely on mathematical problems that are extremely difficult for conventional computers to solve, which is why they have been trusted for decades.

However, quantum computing could completely change this. Once practical quantum machines become available, they will be able to break these algorithms with ease, turning what was once considered unbreakable into a key vulnerability. This shift could happen almost overnight, leaving critical infrastructure dangerously exposed unless proactive steps are taken now.

Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control processes in power grids, water treatment plants, oil and gas pipelines, manufacturing and transport – and are among the most vulnerable targets. They rely heavily on RSA and ECC for authentication and secure remote access. Legacy SCADA systems often use outdated or weakly encrypted protocols, making them prime targets for the “harvest now, decrypt later” strategy. 

Adversaries are already capturing encrypted operational data today, with plans to decrypt it using quantum computers in the future. This could allow them to manipulate power grids, water systems and other infrastructure. 

The consequences of a quantum-enabled breach are immense. For example: 

• Energy networks could suffer blackouts or equipment damage if attackers spoof SCADA commands.  
• Financial services could face large-scale fraud and market disruption, undermining trust in the global economy.  

• Telecommunications backbones and satellite links could be intercepted or manipulated, cutting off connectivity that other sectors depend on. 

• Defence systems, with their decades-long secrecy requirements, could see strategic communications compromised.  

• Healthcare organisations could experience exposure of sensitive patient data and disruption to clinical operations.  

• Transport and water networks, which are increasingly reliant on remote management, could face cascading failures that threaten public safety. 

These sectors share common risk factors: heavy reliance on vulnerable cryptographic protocols, long-lived assets that cannot be upgraded quickly, and operational environments where disruption has immediate, real-world consequences. 

Migrating to post-quantum cryptography is not a quick fix. It will likely involve a multi-year undertaking that requires demands careful planning and execution.

Organisations will need to conduct extensive discovery exercises to understand where cryptography is used, followed by rigorous testing to ensure new algorithms integrate seamlessly with existing systems. Implementation cannot happen in one sweep either – it must be phased to maintain operational continuity and avoid service outages.

The complexity is compounded by legacy systems that were never designed for cryptographic agility, stringent regulatory requirements, and physical infrastructure that cannot be easily replaced.

These factors make PQC migration one of the most challenging technology transitions of the coming decade.

The UK’s National Cyber Security Centre (NCSC) has set clear timelines: complete discovery and initial planning by 2028, execute high-priority migrations by 2031 and achieve full migration by 2035. These dates reflect the scale of the task – and the urgency to act now. For detailed guidance, the NCSC’s roadmap for PQC migration is a valuable resource. 

With six decades of experience securing Britain’s most critical systems, Roke understands the operational realities of infrastructure protection.

Our approach to post-quantum cryptography is built around three core principles: continuity, resilience and relevance.

• Continuity means ensuring that essential services remain operational throughout the migration process, with no compromise to safety or availability.
• Resilience focuses on creating systems that can withstand not only quantum threats but also future technological shifts, embedding flexibility and robustness into every layer.
• Finally, relevance. We tailor our solutions to sector-specific requirements, recognising that the challenges faced by energy providers differ from those in finance, healthcare or defence.

This approach is fully aligned with the UK National Cyber Security Centre’s guidance. 

We work with clients to assess cryptographic landscapes, identify risks and dependencies, and develop tailored migration strategies that minimise disruption. Our expertise spans national security, defence and industrial systems, ensuring solutions are practical, robust and future-ready. 

Quantum codebreakers are coming. For operators of critical infrastructure, the time to act is now. Contact us to begin mapping where encryption is used, understanding your system dependencies, and planning for migration in line with NCSC timelines.