
Quantum-Safe Energy: The Impact of Post-Quantum Cybersecurity on Critical IT and Power Infrastructures

  • Cedric KTORZA
  • Dec 8, 2025

Updated: Dec 15, 2025


Introduction: Why Quantum-Safe Cybersecurity Matters Now

Quantum is no longer science fiction for cybersecurity.

As quantum computing progresses, today’s public-key cryptography – the backbone of VPNs, TLS, digital certificates, smart grid communications and remote operations – will eventually become vulnerable. Critical infrastructures such as power grids, data centers and industrial facilities are particularly exposed, because their assets are designed to last decades and cannot be “swapped out” overnight.

In 2024, NIST published the first three post-quantum cryptography (PQC) standards (FIPS 203, 204 and 205), defining quantum-resistant algorithms that will replace current public-key schemes (nist.gov). At the same time, cyberattacks on utilities are rising sharply, with some analyses showing attacks on the energy sector doubling since 2020 (iea.org). For energy and IT leaders, the question is no longer if they should prepare for quantum-safe security, but how fast.

In this article, we explore what “quantum-safe energy” means, how post-quantum cybersecurity will transform critical IT and energy infrastructures, and how Score Group and its Noor divisions can help you prepare a pragmatic, phased transition.

From Classical Security to Quantum Risk

How quantum computing breaks today’s cryptography

Most modern infrastructures rely on public-key algorithms such as RSA and ECC for key exchange, VPN tunnels, TLS handshakes and digital signatures. These schemes are based on mathematical problems (integer factorisation, discrete logarithms) for which no efficient classical algorithm is known. A sufficiently powerful quantum computer, using Shor’s algorithm, could solve these problems in polynomial time, rendering current public-key protections ineffective.

This has two critical implications for IT and energy operators:

  • Future decryption of data captured today – adversaries can intercept and store encrypted traffic now to decrypt it later once quantum capabilities mature (“harvest now, decrypt later”) (cisa.gov).

  • Loss of system integrity and control – forged digital signatures and compromised keys could allow attackers to impersonate control centers, falsify sensor data or push malicious firmware to field devices.

Why energy and utilities are especially exposed

According to the International Energy Agency (IEA), electricity systems are becoming highly digitalised, connecting millions of devices, sensors and control systems. This dramatically expands the attack surface and increases the risk that a cyber incident could trigger physical damage and widespread outages (iea.org). Recent analyses show cyber incidents against utilities have been growing rapidly since 2018, with average breach costs in the energy sector exceeding USD 4.7 million in 2022 (iea.org).

More digitalisation – smart grids, EV charging, DER integration, AI-based optimisation – is essential to decarbonisation, but it also means that the cryptography choices you make in the 2020s will still be protecting assets in the 2030s and 2040s. Quantum risk, in other words, is a long-tail risk on long-lived infrastructure.

What Does “Quantum-Safe Energy” Really Mean?

Protecting both IT and OT layers

Quantum-safe energy is not just about encrypting a few data flows. It is about ensuring that the full stack of your critical operations – from corporate IT to operational technology (OT) – remains trustworthy in a post-quantum world:

  • IT layer: data centers, cloud environments, WAN networks, VPNs, identity and access management, remote workforce, business applications.

  • OT layer: SCADA systems, PLCs, RTUs, protection relays, substation automation, BMS/GTB, smart meters, EV charging stations, industrial sensors and IoT devices.

  • Data-in-motion and data-at-rest: field telemetry, control commands, logs, backups and long-term archives that may remain sensitive for decades.

Quantum-safe design ensures confidentiality, integrity and availability across these layers, even when adversaries have access to quantum capabilities.

Post-quantum cryptography as the new foundation

To address the threat, NIST has led a multi-year international process to select new cryptographic algorithms that can withstand quantum attacks. In 2022, it announced four primary candidates (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+), and in August 2024 it published three corresponding FIPS standards for key encapsulation and digital signatures (nist.gov). In March 2025, a fifth algorithm (HQC) was added as a backup key encapsulation mechanism (csrc.nist.gov).

For operators of critical IT and energy infrastructures, these PQC standards will become the default for:

  • Securing TLS, VPNs and tunnel protocols between data centers, control rooms and field sites.

  • Protecting firmware and configuration updates to OT devices with quantum-safe signatures.

  • Ensuring that long-lived logs, design data, operational records and compliance archives cannot be decrypted retroactively.

Beyond algorithms: architecture and lifecycle

Becoming quantum-safe is not only an algorithm upgrade. It means:

  • Designing architectures that can evolve cryptography over time (“crypto-agility”).

  • Separating trust domains so that compromise in one area (for example, an IoT sensor network) does not cascade into core grid operations.

  • Embedding quantum risk considerations into asset procurement, lifecycle management and regulatory compliance.

Traditional vs quantum-safe cryptography in critical infrastructures

| Aspect | Traditional public-key (RSA/ECC) | Quantum-safe / PQC | Impact on IT & energy operations |
| --- | --- | --- | --- |
| Security assumption | Hard to factor large integers or solve discrete logs on classical computers | Based on lattice, code-based or hash-based problems believed secure even with quantum computers | Traditional schemes become breakable once large-scale quantum machines exist; PQC remains resistant |
| Algorithm examples | RSA, ECDSA, ECDH | ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+), HQC | Energy and IT systems must gradually replace legacy algorithms in protocols and devices |
| Key and signature size | Compact keys and signatures | Generally larger keys and/or signatures, varying by algorithm | Network design, bandwidth planning and device storage must factor PQC overhead |
| Longevity | Secure against classical attackers only | Designed for both classical and quantum-capable attackers | Better suited to assets with lifetimes of 20–40 years (substations, transformers, buildings) |
| Risk to archived data | Encrypted archives may be decrypted once quantum attacks are practical | Archives remain protected against foreseeable quantum attacks | Critical for compliance logs, design blueprints, market data and customer records |

The Business Impact on Critical IT and Energy Infrastructures

Quantum risk meets a rising cyber threat level

Cyberattacks on utilities and power companies are already increasing, driven by geopolitical tensions, ransomware groups and opportunistic criminals. The IEA highlights a substantial and growing threat, with recent incidents disabling remote controls for wind farms, disrupting metering systems and stealing customer data (iea.org). As grids digitalise, a successful attack can cascade quickly across interconnected IT and OT networks, impacting many services at once (iea.org).

Quantum computing adds a new dimension: even if attackers cannot yet break your cryptography in real time, they can collect encrypted traffic and archives today for future exploitation. This particularly affects infrastructures where data must remain confidential for decades — grid design, industrial IP, long-term contracts, critical incident logs, and customer PII.

IT infrastructures: data centers, cloud and digital workplace

On the IT side, quantum-safe transformation will impact:

  • Data centers and cloud – PQC-ready TLS and VPNs for interconnects, backup replication, hybrid cloud connections and remote administration.

  • Identity, PKI and certificates – migration of certificate authorities and signing services to quantum-resistant algorithms.

  • Digital workplace and remote access – quantum-safe protection of remote access gateways, collaboration platforms and zero-trust architectures.

  • Business continuity (PRA/PCA) – ensuring disaster recovery networks and off-site backups are protected against long-term decryption risk.

These topics are at the heart of Noor ITS, the Score Group division that designs and operates resilient IT infrastructures, data centers, cloud solutions and cybersecurity controls across the full lifecycle.

Energy systems: grids, buildings and mobility

On the energy side, the quantum transition intersects with smart grid modernisation and the energy transition itself. The IEA estimates that required grid expansion over the next decade will reach around 16 million km of new lines, with about half of cumulative investment by 2030 dedicated to digitalisation and modernisation (iea.org). As more assets are connected, every new interface becomes a potential cryptographic dependency.

Quantum-safe considerations will affect:

  • Smart substations and distribution automation – secure command, measurement and protection channels.

  • Building energy management (GTB/GTC) – secure remote control of HVAC, lighting, and on-site generation or storage.

  • Mobility infrastructure – EV charging networks, fleet charging depots, and V2G services relying on secure communications and billing.

  • On-site renewables and microgrids – secure coordination between PV, storage, backup generation and load control.

Noor Energy, Score Group’s energy-focused division, works exactly at this intersection of performance, digital control and sustainability, and will be central to integrating quantum-safe principles into future-ready energy architectures.

Industrial operations and smart industry

Industrial sites, manufacturing facilities and critical process industries combine long-lived OT with increasingly digital, sensor-rich environments. Quantum-safe security here must take into account:

  • Legacy controllers and field devices that cannot easily support new algorithms.

  • Layered networks where OT is progressively exposed to IT and cloud analytics.

  • Industrial IoT platforms aggregating sensor data for AI-based optimisation and predictive maintenance.

Through Noor Industry, Score Group supports industrial players with tailored digital and energy solutions, creating a natural framework to embed post-quantum considerations in their industrial cybersecurity roadmaps.

Regulation, Standards and Global Guidance

NIST PQC standards as a reference point

Many organisations – even outside the United States – will align their cryptographic roadmap to the NIST PQC standards. FIPS 203 (ML-KEM, based on CRYSTALS-Kyber), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, based on SPHINCS+) provide the first stable set of quantum-resistant algorithms suitable for general use (nist.gov). HQC adds a further option as a backup key encapsulation mechanism (csrc.nist.gov).

For CIOs and CISOs, these standards form the basis of procurement and architecture decisions, including which protocols, vendors and devices will be acceptable in a quantum-ready environment.

Guidance for critical infrastructure operators

Government agencies are clearly signalling the urgency for critical infrastructure. A joint factsheet from CISA, NSA and NIST provides a quantum-readiness roadmap, urging organisations – especially operators of critical infrastructure – to start inventorying cryptographic assets and planning migration now (cisa.gov). The IEA and OECD also stress the need to enhance cyber resilience across electricity systems to withstand sophisticated cyberattacks (oecd.org).

In practice, regulators, customers and insurers will increasingly expect critical infrastructure operators to demonstrate a plan for transitioning to quantum-safe cryptography over the coming decade.

A Practical Quantum-Safe Roadmap for IT and Energy Infrastructures

1. Build a cryptographic inventory and risk assessment

The starting point is visibility. Organisations must understand where and how cryptography is used across both IT and OT:

  • Protocols: TLS, IPsec, SSH, proprietary vendor protocols.

  • Devices: routers, firewalls, VPNs, smart meters, relays, PLCs, IoT gateways.

  • Applications and services: SCADA, BMS, billing systems, customer portals, cloud apps.

  • Data classes: operational data, customer data, IP, compliance and regulatory records.

From there, you can map which systems are most exposed to “harvest now, decrypt later” risk, and which assets have the longest expected lifetime. This prioritisation is essential for a cost-effective roadmap.

2. Design crypto-agile architectures

Because cryptographic standards will continue to evolve, infrastructures should be made “crypto-agile” – able to support multiple algorithms and roll out changes without massive redesigns. This may include:

  • Upgrading PKI and key management systems to handle PQC algorithms and hybrid schemes (classical + PQC).

  • Segmenting networks so that pilot deployments of PQC do not disrupt critical operations.

  • Implementing abstraction layers in applications that hide cryptographic changes from business logic.

Noor ITS can support this by reviewing existing architectures, modernising networks and data centers, and designing cloud and hybrid environments ready to host PQC-enabled services.

3. Prioritise long-lived and high-impact assets

For energy and industrial infrastructures, some assets and communications channels are particularly critical:

  • Substation and plant control links that cannot be easily replaced once deployed.

  • Long-term archival systems and regulatory logs.

  • Remote access and vendor maintenance channels into OT environments.

  • Inter-utility and TSO/DSO data exchanges.

By focusing first on these long-lived, high-impact elements, you reduce the probability that a future quantum attacker could compromise system integrity or confidentiality where it matters most.
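
The inventory and prioritisation steps above (steps 1 and 3) can be expressed as a repeatable triage. The Python below is an added example, not Score Group's tooling; it goes slightly beyond the text by applying a Mosca-style rule (secrecy period plus time in use, compared with an assumed quantum horizon). The inventory entries, field names and the 12-year horizon are constructed assumptions.

```python
from dataclasses import dataclass

# Algorithm families as listed in the comparison table above.
SHOR_BREAKABLE = {"RSA", "ECDSA", "ECDH"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA", "HQC"}


@dataclass
class Entry:
    system: str
    algorithm: str         # public-key algorithm found in the inventory
    purpose: str           # "kex" = key exchange, "sig" = signature
    secrecy_years: int     # how long the protected data must stay confidential
    asset_life_years: int  # remaining service life of the asset
    migration_years: int   # estimated time until the algorithm is replaced
    connected: bool        # reachable from IT, WAN or cloud networks


def assess(e: Entry, horizon_years: int) -> dict:
    """Classify one entry. horizon_years is the planner's assumed time until
    a cryptographically relevant quantum computer exists (an assumption)."""
    algo = e.algorithm.upper()
    status, exposure = "monitor", 0
    if algo in PQC:
        status = "pqc"
    elif algo not in SHOR_BREAKABLE:
        # Proprietary or undocumented crypto: needs manual review.
        status = "review"
    else:
        # The algorithm stays in use until it is migrated or the asset retires.
        in_use = min(e.migration_years, e.asset_life_years)
        # Key exchange: traffic recorded while in use must stay secret for
        # secrecy_years more (harvest now, decrypt later).
        # Signatures: only the in-use period matters (forgery needs a live key).
        needed = in_use + (e.secrecy_years if e.purpose == "kex" else 0)
        exposure = max(needed - horizon_years, 0)
        if exposure:
            status = "hndl" if e.purpose == "kex" else "forgery"
    return {"system": e.system, "status": status,
            "exposure": exposure, "connected": e.connected}


def prioritise(inventory: list, horizon_years: int) -> list:
    """Exposed entries only: connected systems first, then years of exposure."""
    exposed = [r for r in (assess(e, horizon_years) for e in inventory)
               if r["exposure"] > 0]
    exposed.sort(key=lambda r: (r["connected"], r["exposure"]), reverse=True)
    return exposed


# Constructed sample inventory (hypothetical systems and figures).
INVENTORY = [
    Entry("substation-vpn", "ECDH", "kex", 10, 25, 5, True),
    Entry("relay-firmware-signing", "RSA", "sig", 0, 30, 30, False),
    Entry("archive-replication", "RSA", "kex", 30, 8, 3, True),
    Entry("customer-portal-tls", "ECDH", "kex", 2, 5, 2, True),
    Entry("dc-interconnect", "ML-KEM", "kex", 10, 10, 0, True),
    Entry("vendor-rtu-link", "VENDOR-X", "kex", 5, 20, 20, False),
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY, horizon_years=12):
        print(f'{row["system"]:<24} {row["status"]:<8} +{row["exposure"]}y')
```

Entries marked `review` use algorithms the script cannot classify, which is typical of proprietary vendor protocols and should be resolved with the vendor rather than assumed safe.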

4. Integrate PQC into digital and energy transformation programmes

Quantum-safe security should not be managed as a separate, isolated project. It makes more sense – operationally and financially – to embed it into ongoing digital and energy programmes:

  • Smart grid upgrades and grid-edge projects.

  • Building energy management modernisation (GTB/GTC, IoT sensors, automation).

  • EV charging and sustainable mobility rollouts.

  • Cloud migrations and data center consolidation.

  • AI and advanced analytics deployments based on OT/IT convergence.

Noor Technology, which focuses on AI, IoT, RPA and smart connectivity, can help ensure that new digital services are designed “quantum-by-design”, with crypto-agility and PQC readiness in mind from the outset.

5. Strengthen monitoring, incident response and resilience

Even with PQC, no system is perfectly secure. Organisations must reinforce:

  • Continuous monitoring of both IT and OT networks for anomalous behaviours.

  • Incident response procedures that include scenarios involving cryptographic failures or key compromise.

  • Business continuity and disaster recovery plans that assume partial or full loss of specific trust anchors (for example, a CA compromise).

Here, Score Group’s integrated approach to energy, digital and new tech – “where efficiency meets innovation” – supports a holistic resilience strategy that goes beyond point solutions.

How Score Group and Its Noor Divisions Support Quantum-Safe Transformation

Score Group: an integrator at the crossroads of energy and digital

Score Group positions itself as a global integrator, bringing together energy performance, digital infrastructures and innovative technologies in a single architecture. Through its divisions Noor Energy, Noor ITS, Noor Technology and Noor Industry, the Group designs and deploys tailor-made solutions adapted to each organisation’s operational, strategic and environmental challenges.

In the context of quantum-safe energy and post-quantum cybersecurity, this integrated positioning is a major asset: quantum risk does not respect organisational silos. It simultaneously affects your IT stack, your energy systems and your industrial operations.

Noor ITS: securing the digital backbone

Noor ITS focuses on IT infrastructures, cybersecurity, data centers, cloud and digital workplaces. In a quantum-safe journey, Noor ITS can help you:

  • Assess your current cryptographic posture across networks, VPNs, PKI and applications.

  • Design crypto-agile architectures that can adopt PQC standards as vendors and protocols mature.

  • Secure data centers and cloud environments that host your critical OT and energy platforms.

  • Integrate resilience (PRA/PCA) so that business continuity is preserved during and after cryptographic migrations.

Noor Energy: intelligent, secure energy performance

Noor Energy specialises in energy management, building management systems, sustainable mobility and renewables. In a quantum-safe context, its role includes:

  • Ensuring that smart meters, BMS/GTB/GTC and on-site generation/storage systems are integrated via secure, future-ready communications.

  • Supporting the deployment of EV charging and green mobility with robust cybersecurity architectures.

  • Embedding security and PQC considerations into energy performance contracts and long-term energy strategies.

Noor Technology and Noor Industry: innovation and industrial reality

Noor Technology implements solutions based on AI, RPA, IoT and smart connectivity, while Noor Industry translates these capabilities into industrial environments. Together, they can:

  • Secure IoT and sensor networks that feed AI and predictive maintenance systems.

  • Design smart connecting solutions (for example, IoT gateways) ready for PQC-enabled protocols when they become available.

  • Support industrial players in modernising OT and integrating digital tools without sacrificing long-term cryptographic robustness.

Across all these divisions, Score Group’s signature remains the same: solutions adapted to each of your needs, aligning energy efficiency, operational performance and digital trust.

To learn more about Score Group’s integrated approach and its Noor divisions, you can visit the Group’s website: Score Group – Energy and Digital Solutions Integration.

FAQ: Quantum-Safe Energy and Post-Quantum Cybersecurity

What is post-quantum cryptography and why does it matter for energy companies?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to remain secure even against attackers equipped with large-scale quantum computers. NIST’s PQC standards, finalised in 2024 and extended in 2025, provide such algorithms for key exchange and digital signatures (csrc.nist.gov). For energy companies, PQC matters because grids, substations, metering systems and industrial plants depend on secure remote control and data exchange. Many of these assets will still be operating 20–30 years from now, when quantum capabilities may be mature. Preparing now prevents future attackers from decrypting today’s captured traffic or forging trusted commands.

When should operators of critical infrastructures start preparing for quantum-safe security?

Leading agencies such as CISA, NSA and NIST recommend that organisations – especially critical infrastructure operators – begin preparations immediately (cisa.gov). Even if practical quantum attacks are years away, migration will take a long time because of legacy systems, vendor dependencies and regulatory constraints. A realistic approach is to start with an inventory of cryptographic usage, identify long-lived and high-impact assets, and embed quantum-safe requirements into new projects from today. This way, you avoid locking in non-quantum-safe technologies that will be hard and expensive to replace later.

How can we assess which systems in our OT environment are most vulnerable to quantum threats?

Begin with a combined OT and IT cryptographic inventory. Map all uses of public-key cryptography in your SCADA systems, substation automation, BMS, EV charging and industrial control networks. Identify where long-lived keys are used, where data must remain confidential for long periods and where compromised signatures could allow control of critical devices. Cross-reference this with asset lifetime (for example, 20–40 years for some electrical infrastructure) and connectivity level. Systems that are both highly connected and long-lived should be prioritised. Many organisations work with integrators like Score Group to perform this assessment efficiently and in coordination with IT security teams.

Will I need to replace all my existing OT equipment to become quantum-safe?

In most cases, no. Many OT devices cannot be upgraded easily, but you can protect them through surrounding architectures. Options include segmenting networks, using quantum-safe VPNs and gateways to shield legacy protocols, and deploying hybrid cryptographic schemes that combine classical and PQC algorithms during the transition. Over time, procurement policies should require new OT equipment to support PQC-capable stacks or to be crypto-agile. The key is to design a phased plan where the most critical and exposed functions are protected first, rather than aiming for an immediate, full replacement of all hardware.

How does quantum-safe security fit with other initiatives like zero trust and smart grid modernisation?

Quantum-safe security is a natural extension of broader initiatives such as zero trust, OT segmentation, smart grid rollouts and cloud migrations. Zero trust principles emphasise strong authentication, encrypted communications and continuous verification – all of which depend on cryptography. As you upgrade networks, deploy smart meters, integrate EV charging or move SCADA components to cloud platforms, you can include PQC readiness as a design requirement. This reduces duplication of effort and ensures that your modernisation investments remain robust throughout the quantum era, rather than requiring a second major overhaul later.

What’s Next?

Quantum-safe energy is not a distant research topic; it is a strategic dimension of today’s digital and energy transformations. By aligning IT, OT and innovation initiatives around a clear post-quantum roadmap, organisations can protect their critical infrastructures, maintain regulatory trust and support the energy transition with confidence.

At Score Group, our divisions Noor ITS, Noor Energy, Noor Technology and Noor Industry can help you assess your current posture, design crypto-agile architectures and integrate quantum-safe principles into your energy and digital projects. To discuss your specific context and priorities, you can reach out through the contact options available on Score Group’s website and start building your own quantum-safe roadmap today.

 
 