Post-quantum security threat

It goes without saying that we are immensely proud of the team at CC – and indeed all the collaborators involved in the project – who have worked diligently and creatively to develop a novel assessment framework for identifying risks and establishing a prioritised mitigation approach to the post-quantum cybersecurity threat. On a broader front, we’re delighted that the energy sector – and particularly the UK energy sector – is taking the lead on such a critical global issue.

In many ways CC has acted as an orchestrator right from the outset – playing a central role in bringing together people with the capabilities to tackle the complex and pressing challenge of post-quantum cryptography (PQC). As a company we have a rare mix of expertise, balancing deep cybersecurity and quantum computing knowledge with strong commercial understanding of the industry. Beyond that, we continue to cooperate with leading figures from academia and energy.

These academic connections were first established at the proposal stage. For example, the project has benefitted from collaboration with quantum researchers from the University of Edinburgh, who have been involved right from the start. Key relationships continue to endure, and as we enter the next phase, the project is being strengthened by further collaboration.

In addition to NESO, two new energy networks have joined the project: National Gas Transmission and SP Energy Networks. They’ve come onboard for this phase of the project to ensure that the tools we are developing will help enable continued security across the whole of the sector. The networks will share important insights throughout the phase and also be involved in testing – trying out the tools in their own environments to evaluate quantum risk.

Innovative PQC tools

At the core of our work are two key capabilities: a quantum‑aware risk management (Q-ARM) tool and a quantum threat tracker (QTT) module. Their development draws on CC’s multidisciplinary expertise, bringing together quantum scientists, cybersecurity specialists, and energy system strategists.

The QTT module combines CC’s quantum expertise with input from our contacts at the University of Edinburgh, giving stakeholders a practical way to anticipate how and when quantum-related threats may emerge. Alongside this, the Q-ARM tool helps system operators identify vulnerable assets, understand potential quantum-enabled attacks, and assess associated risks – all presented in a clear and accessible format.

A central design principle has been usability. Both tools deliver their key functionality without requiring users to understand quantum technologies, instead providing clear, actionable insights without exposing the underlying complexity. This significantly lowers the barrier to adoption, allowing organisations to benefit without investing in specialist expertise.

Cost-effectiveness is also a priority. Rather than encouraging broad interventions, our approach allows operators to focus on the areas of greatest risk, ensuring resources are used efficiently and reducing the likelihood of unintended consequences elsewhere in the system.

This approach also supports the need for rapid action. With the National Cyber Security Centre highlighting a window through to 2031 for critical infrastructure to prepare, there is a clear urgency to act. Our tools help organisations navigate this transition, enabling structured planning and a data-driven view of where the most significant risks are likely to arise.

Quantum risk is a ‘now’ problem

We cannot overstate how timely this progress is. Globally, governments are increasingly focused on the growing quantum threat to critical infrastructure. As quantum computing advances towards breaking current encryption, risk will not arrive as a single ‘Q‑day’ – the point at which quantum computers can reliably defeat today’s cryptography – but as a continuous wave, with different techniques maturing at different times.

To respond effectively, operators must precisely understand their exposure – identifying the types of attack they face, when protections may fail, and how long systems must remain secure. This calls for targeted, cost‑efficient planning rather than broad, generic upgrades.

The core challenge is ensuring that every asset remains secure for as long as it matters. This requires not only robust mitigations, such as PQC, but also clear visibility over when action is needed and how to maintain trusted data flows over time.

Through our work with NESO, and other critical national infrastructure organisations, we’re working on approaches that embed quantum readiness into long-term resilience planning. As one of a small number of UK National Cyber Security Centre‑approved PQC Assured Service Providers, we’re ready to support more organisations in building structured risk assessments, aligning readiness timelines with government guidance, and delivering practical migration strategies.

If this is an area of interest, and you’d like to discuss how to tackle your own post‑quantum cybersecurity challenges, we’d be delighted to hear from you at PQC@cambridgeconsultants.com.