Empty Attestations: OT Lacks the Tools for Cryptographic Readiness
Dark Reading
OT asset owners are being asked by regulators to attest to their post-quantum cryptographic readiness without the appropriate tooling, resulting in paperwork dressed up to look like genuine security.
Brad McInnis, Founder and CEO, Cyberzero
April 13, 2026
In 2003, 55 million people lost power across the US and Canada because of a software bug and a failure to communicate. Nobody attacked anything. And more than two decades later, the same infrastructure faces sophisticated adversaries who are planning very carefully.
Operational technology (OT) operates on a different set of priorities than the rest of us. In IT, confidentiality and integrity come first. In OT — the systems that open and close breakers, adjust voltage, and monitor load and faults — only one thing matters: availability.
Security was never part of the original design. And bolting it on later is harder than it sounds when downtime is simply not an option.
Many of these systems still run on older protocols with no encryption and weak authentication. Get it wrong, and the consequences aren't a data breach or a regulatory fine. People lose power, water, and heat. The systems that modern life depends on stop working. Quietly at first — then all at once.
Volt Typhoon, a Chinese state-sponsored threat actor, maintained long-term access inside US critical infrastructure networks using legitimate credentials and native tools. In at least one documented case, Volt Typhoon's access lasted nearly a year. That kind of access is not about theft. It is about positioning for disruption. And because the Canada-US energy grid is deeply interconnected, the threat does not stop at the border. Our security frameworks largely do. But the real question is not what they saw while they were inside. It is what they took with them on the way out.
Today, asset owners operating critical infrastructure are being asked to attest to their cryptographic readiness: confirm that your encryption is safe in the quantum era and demonstrate that you know what you have.
It is a reasonable ask. The problem is most of them have no idea. And the frameworks being used to assess them were never built for the environments in which they operate.
This is not a criticism of regulators or asset owners. It is a gap. And until we acknowledge it honestly, we are not solving it.
IT environments were designed with the assumption that systems could be interrogated, updated, and occasionally taken offline. OT was not. OT was designed around a completely different priority: availability. These systems were never meant to be patched on a Tuesday night. Many were installed before cybersecurity was even a word.
Migrating to post-quantum cryptography in IT environments is already a complex multiyear effort. In OT environments the challenge is greater. Cryptography may be embedded in firmware, hard-coded into devices that cannot be upgraded without physical access, or dependent on vendor support cycles measured in decades. Some of those devices operate with as little as 32 KB of RAM and lack the processing power to execute modern cryptographic operations. Post-quantum algorithms were not designed for those constraints. Some equipment currently in service was installed before cryptographic standards even existed.
Asking an OT asset owner to attest to cryptographic readiness using frameworks built for IT environments is like asking someone to pass a driving test in a vehicle with no dashboard. The requirement exists. The instrumentation does not.
OT Data Has Already Been Harvested, Here's the Bigger Risk
Here is what most people are not saying out loud: The data is already being taken. Adversaries collecting encrypted traffic from OT environments today are not waiting to see if they can read it. They are waiting for the moment when they can. That moment is getting closer.
Quantum computing doesn't just threaten future communications; it threatens the assumption that everything collected in the past was safe. The ghost that lived inside your network for a year didn't just learn your layout. It may have left with your keys. Now consider a broader scenario. An attacker that harvested encrypted data from your network today can decrypt it once quantum computing makes that possible. That is harvest now, decrypt later.
But there is a second threat that gets even less attention. If an attacker has collected a vendor's firmware signing keys, they could come back years from now and push a malicious update to every device on your network. Every device accepts it without question because the signature looks legitimate. That is trust now, forge later.
The ghost doesn't need to break back in. It left the door open on the way out.
And most operators can't answer the most basic question: Where does cryptography live in their environment? Not because they are negligent. Because these systems were never built to be audited that way.
Cryptography is buried in long-forgotten libraries, embedded in devices installed decades ago, invisible to the tools most security teams rely on. The data does not exist. The process to collect it has never been built.
Signing an attestation form does not change that reality. It just creates the appearance of assurance where none exists.
When the gap between what is being asked and what can be demonstrated is large enough, organizations do one of two things. Either they invest in genuinely closing the gap, or they invest in looking like they closed it.
In under-resourced OT environments operating on thin margins with aging infrastructure and skeleton security teams, the path of least resistance is obvious. Check the box. File the attestation. Move on.
The result is a false sense of assurance that may be more dangerous than acknowledged uncertainty. A regulator who believes attestations are meaningful stops asking hard questions. An asset owner who has filed the paperwork stops feeling the urgency. The ghost is still in the grid. Nobody is looking for it anymore.
The urgency behind cryptographic readiness requirements is real. NIST released its Post-Quantum Cryptography Standards for a reason, and government timelines exist for a reason. But determining where cryptography lives across an OT environment takes years. For many organizations, a decade may not be enough.
But urgency without capability is just pressure. And pressure without the right tools produces paperwork, not security.
Before asking asset owners to attest to something, regulators have an obligation to ensure the frameworks, guidance, and tooling exist to make that attestation meaningful. Right now, they do not. Until that changes, attestation requirements are asking people to confirm something they can't verify. That is not security. That is paperwork dressed up as security.
The ghost is already inside the grid, walking the halls, looking exactly like it belongs there. The question is whether we find it before it decides to act.
About the Author
Brad McInnis
Founder and CEO, Cyberzero
Brad McInnis is the Founder and CEO of cyberzero, a Canadian company focused on post-quantum cryptography. He has over 25 years of experience in cybersecurity operations and applied cryptography across Five Eyes defense and intelligence environments, and previously served as Chief Security Architect at Deloitte. He contributes to NIST post-quantum cryptography working groups.