Called ‘Network Security in a Quantum Future’, the project is investigating the quantum threat to energy cybersecurity in the UK. We plan to develop a novel assessment framework and prioritised mitigation approach. Ultimately, the aim is about societal good – ensuring the security of infrastructure in a post-quantum era.  

Concerns around this emerging menace are surfacing widely. In its TechnoVision report on tech trends to watch out for, Capgemini referred to a ‘cyber arms race’ being underway. The report highlights that new threats, driven by the development of quantum computing, may render current encryption standards obsolete. The objective of our project is to help the energy industry understand the timeline, nature and priority of such threats, so that effective mitigation strategies can be put in place. 

After the idea for the initiative was first hatched, I teamed up with contacts in my network at Warwick and Edinburgh universities and wrote a proposal for ESO, the electricity system operator for Great Britain. The organisation runs competitions that invite innovators to help it to address key challenges. They liked the proposal, and after further joint development the project won funding from the Strategic Innovation Fund, an Ofgem programme managed in partnership with the government’s Innovate UK national innovation agency. 

Deep tech expertise 

I’m really excited by this opportunity for CC to provide significant value to the UK’s critical energy sector in the first instance – and hopefully transfer it further afield to other industries and geographies after that. We’re bringing our deep tech expertise to bear on a crucial challenge for the world’s energy system operators.  

It’s important for governments and critical infrastructure providers not to be complacent. While the threat of quantum may still be a decade away, the potential impact on cybersecurity will be dramatic.  With quantum’s step change in computing power classical computers, the security threat is real and inevitable, and all the roadmaps indicate that it’s coming faster than initially expected. 

The answers to the quantum computing dilemma won’t be available off the shelf. We must really push the limits of innovation to get to grips with both the challenges and the mitigations. What’s particularly stimulating for me is that we’re orchestrating such a great team to confront the issue. On one hand we’ve got brilliant academics, including Jim Smith and Carsten Maple at Warwick plus Chris Dent and Petros Wallden in Edinburgh.  

Then there’s the CC team of quantum experts, cybersecurity specialists and energy system strategists who are able to bring practical deep tech expertise to the table. And our partners at ESO are providing deep insight into their operational and cybersecurity requirements and challenges, ensuring our approach and recommendations are grounded in the real needs of the energy network. 

Post quantum cryptography (PQC) 

At the heart of our thinking is public key cryptography (PKC), and post quantum cryptography (PQC), which is a class of mitigations for PKC. Used across both enterprise and consumer-based applications and systems, PKC-based approaches to cybersecurity have been relatively easy to implement. And given current attack tools and methods, PKC has been largely sufficient to protect systems and data to date. Such encryption methods are widely used and broadly effective today, so in some ways society’s approach to cybersecurity has become somewhat lazy.  

Current PKC protocols will be readily broken by quantum computers in the future – a threat that will need to be mitigated by a transition to PQC methods of encryption. But this is not a simple process. For example, in embedded or integrated systems, post quantum cryptography often requires longer keys and more computational resource, adding cost and complexity to systems. Some elements within the energy network will be significantly more vulnerable than others, or may have more critical impact on energy availability if they are disabled or disrupted. So, planning the transition from PKC to PQC requires a great deal of care, consideration and potential alternative strategies.  

It follows that if we’re really going to understand the threat to energy, we’ve got to focus on what the industry really cares about in terms of protocols and other key aspects of current practice. Only by understanding the industry’s current and future needs can we inform a robust mitigation strategy. In other words, are there ways of delivering PQC that are better for the energy sector? And what about further mitigations beyond PQC? 

The landscape is complex, but we’re clear on the scope of our project. We want to provide the energy sector with a clear understanding of the quantum computing threat, as well as how to protect itself. This means creating a framework for identifying risks to energy network cybersecurity, and future system requirements. It will allow energy providers to generate realistic timeframe estimates and readiness indicators. 

The task of identifying points of concern and potential vulnerabilities will go hand-in-hand with a consideration of the security lifespan of energy systems. Designing a methodology for mitigation is the next crucial step. 

Cybersecurity mitigations 

Fundamentally, the challenge is about providing effective and fit-for-purpose cybersecurity for the length of time you care about, for any given system asset. Our task is not just to establish effective mitigations, but to provide ways for the energy industry to understand how and when it needs to act to ensure that assets and energy flows remain secure. So, this is as much about value for customers and operational efficiency as it is about societal good and national security. That’s a potent mix.     

I’ll keep you posted on developments as the various phases of the project play out. Meanwhile if there are any aspects of the topic you’d like to explore in more detail, please contact me. I’d be happy to continue the conversation. 

Expert authors