Like organizations in many industries, power utilities are monitoring the rapid evolution of quantum computing and thinking about how they could use it to meet new demands and optimize their grids. But the rise of quantum computing also presents risks and threats that can’t be ignored.

A century of quantum innovation

In 1925, Werner Heisenberg published a paper, “On the quantum reinterpretation of kinematical and mechanical relationships,” in which he proposed to build physics on a new foundation that contradicted the basic principles of Newtonian physics. His groundbreaking ideas spawned an entirely new field of study: quantum mechanics.

Quantum mechanics is still inspiring innovators 100 years later. To celebrate the centenary of Heisenberg’s “Reinterpretation paper,” the UN has proclaimed 2025 the International Year of Quantum Science and Technology (IYQ). The mission of IYQ is to help raise awareness of the importance and impact of quantum science and applications on all aspects of life.

We don’t have to look hard to see the positive impacts of quantum mechanics. For example, it provides the basis for many essential technologies used by modern societies, from transistors and MRI scanners to solar cells, cell phones and the atomic clocks used by the Global Positioning System (GPS).

Quantum mechanics also provides the basis for quantum computing, which is attracting lots of attention and big investments these days. Quantum computers use powerful quantum bits, or qubits, that can harness properties such as entanglement, interference and superposition to perform massive volumes of complex mathematical calculations in parallel. When practical quantum computers arrive on the scene, they will revolutionize virtually every industry and drive innovations that will help solve the world’s big challenges.

But there’s a downside to the fast evolution of quantum computing. Bad actors are waiting to gain access to quantum computers designed to solve the mathematical problems that provide the foundation for many cryptographical algorithms. These are known as cryptographically relevant quantum computers (CRQCs), and their emergence will put many of today’s security technologies at risk.

How the CRQC threat impacts utilities

What does all this have to do with utilities? As providers of critical services, power utilities are already major targets for cyberattacks. Utilities are also embracing software-centric and data-driven operations to keep pace with new demands, which ramps up grid communications and increases their exposure to cyberattacks. If and when bad actors gain access to CRQCs, utilities will face a much more potent threat that could overwhelm their existing cyber defenses with alarming speed.

The IEC 62351-9 standard, which covers cybersecurity key management for power system equipment, acknowledges the danger that CRQCs pose to the security of utility communications. In particular, the standard highlights the threat to the public key, or asymmetric, encryption methods that many utilities rely on to protect grid communications, including Diffie–Hellman (DH), Elliptic-Curve Diffie–Hellman (ECDH) and Rivest–Shamir–Adelman (RSA).

The main threat boils down to this: CRQCs can solve the mathematical problems that provide the basis for public key algorithms. For example, Shor’s algorithm efficiently solves the integer factorization problem used for RSA and the discrete logarithm problem used for DH and ECDH. Bad actors with a CRQC could use Shor’s algorithm to sniff out the data encryption key used to encrypt critical grid communications, compromising their confidentiality. This would provide them with a foothold for launching damaging cyber threats that would compromise the integrity and availability of grid assets.

Bad actors aren’t waiting for CRQCs to arrive. Some are already using methods such as fiber tapping to collect and store encrypted grid communications. Given that grid systems have a long lifespan, the information they capture today will likely remain relevant for many years. If they one day gain access to a CRQC, they will be able to decrypt these messages and look for vulnerabilities in the grid. This harvest now, decrypt later (HNDL) approach will allow them to devise targeted man-in-the-middle (MITM) or denial-of-service (DoS) attacks to disrupt grid operations.

CRQCs can also diminish the protection provided by symmetric encryption methods such as the Advanced Encryption Standard (AES), leaving grid communications more vulnerable to compromise. For example, Grover’s algorithm uses an unstructured search method that cuts the level of security provided by AES by half, reducing the protection of AES-128 to AES-64, which is not strong enough to resist an attack by a quantum computer.

Utilities can’t afford to take a wait-and-see approach with CRQCs and HNDL attacks. It’s time for meaningful action on quantum threats.

How utilities can make their networks quantum-safe

The good news is that help is available now. Power utilities can immediately shield their grid operations infrastructure from any quantum threat by building a multilayer, defense-in-depth security framework around encryption standards and technologies they already use.

The main step in building this framework is to deploy symmetric key encryption technologies at multiple layers of the network. In particular, utilities should deploy MACsec at the data link layer and OTNsec at the optical layer. These technologies use quantum-safe AES-256 encryption, which can’t be compromised by CRQCs using Shor’s algorithm and has a sufficient key length to defend against CRQCs using Grover’s algorithm.

MACsec can be particularly attractive to utilities because it is commonly supported by substation routers and switches. This allows utilities to expand quantum-safe networking all the way to the substation edge throughout their service territory. When the post-quantum cryptography (PQC) standards developed by organizations such as NIST and ETSI are eventually integrated into grid applications, utilities will be able to keep using MACsec to provide an enhanced multilayer quantum defense.

To ensure that MACsec provides maximum protection, the key can be refreshed from time to time. Advanced MACsec implementations can use a trusted random number generator (RNG) source to create high-entropy encryption keys. In addition, instead of relying on traditional public key encryption, which is vulnerable to quantum attacks, these advanced implementations can use the MACsec Key Agreement (MKA) protocol to establish a quantum-safe channel for distribution and rekeying. For the AES-256 encryption used by MACsec, the RNG needs an entropy of 256 bits or more. Robust key management and rekeying practices will further strengthen the protection provided by MACsec.

By using proven encryption technologies to build a quantum-safe networking framework, power utilities can stop worrying about CRQCs, HNDL attacks and other quantum threats. This will give them more freedom to focus on transforming their grids and determining how they can take advantage of exciting quantum innovations over the next 100 years.

Find out more

Solution: Cybersecurity for power utilities