Every day, we generate and store massive amounts of data, much of it in encrypted form. Meanwhile, emerging technologies pose big risks to current cryptographic methods. Is it possible to continue protecting our business-critical secrets within embedded systems? Are there any strategies for tackling cybersecurity challenges in product development and industrial environments?
Are your secrets safe from the future? Cybersecurity in industrial automation and control systems
In Ian McEwan’s novel “What We Can Know”, future scholars use technology yet to be invented to examine events from our era. The protagonist, searching from the future, seeks a poem lost in time by analysing public archives, but also private messages that people of our time thought were confidential.
While emails, texts, images, videos, and other media files on servers and networks are currently encrypted, they may later be compromised. Even our deeply private messages could be available for thorough analysis. In fact, future actors might uncover more about us than we ever knew, not only accessing all our communications but also interpreting them in ways we cannot yet imagine, even connecting them to events like the day of our death.
If McEwan’s dystopian vision makes you uneasy, you can always decide not to read the book, or you can choose to comfort yourself with the promises of WhatsApp’s end-to-end encryption. Nevertheless, I suggest giving the novel a chance — after all, it is McEwan — and reflecting on whether we are safe enough from what lies ahead.
The current cybersecurity threat: Data collection for future decryption
The practice of storing data with the intention of decrypting it later is already well established. It even has its own acronym: HNDL (Harvest Now, Decrypt Later).
Currently, individuals and institutions retain significant volumes of data. While some information may be stored without the owner’s knowledge or even consent, numerous parties are legally obligated to preserve their data for a long time. For instance, classified government documents, personal health records, financial transaction histories, legal contracts, and patents are frequently archived for decades.
In the event of a cyberattack, it is generally presumed that unauthorized duplication of stored data poses minimal risk, as the information is protected by encryption algorithms widely considered unbreakable. However, things may change, and it is important to evaluate potential risks posed by future advancements in technology.
Quantum computing will break existing encryption systems
Currently, the leading threat comes from advancements in the field of quantum technology. Quantum computing is an intriguing area where progress is made at an astonishing speed. If the rapid pace of development continues, we may soon see significant breakthroughs across various scientific fields. Potential benefits range from improved solar cells and personalized treatments for Alzheimer’s disease to innovative lithium-air batteries, better power grid management, enhanced extreme weather predictions, and improved carbon dioxide capture systems.
But advancements in quantum computing may also void current encryption systems. Asymmetric (public-key) encryption methods are especially at risk of failure. These systems are currently secure because they rely on mathematical problems, such as factoring large numbers or solving discrete logarithms on elliptic curves, that are difficult to solve quickly on classical computers. Quantum computers, however, can solve these problems more efficiently.
For classical computers, solving the mathematical challenges becomes exponentially harder as the key length increases, making decryption impossible within the lifetime of a human, or even within the expected lifetime of the universe. In contrast, quantum computers use superposition and entanglement to evaluate many possibilities at once, allowing them to solve certain challenges much faster. When quantum computers reach sufficient stability and complexity, common encryption methods like RSA, ECC, and Diffie–Hellman will become vulnerable and can be easily compromised.
Secure by Design – Cybersecurity in embedded software development
If thinking about the future makes us uneasy, what can we say about the present? Can we rely on the encryption used by instant messaging apps? Are our secrets genuinely protected within our embedded systems? Is there reason to be concerned about the security of our communication networks?
The level of risk varies depending not only on the technologies involved, but also on what is at stake. For instance, it is usually less critical if a private message to a friend becomes public than if a company’s intellectual property is exposed, or if an outside party takes control of a device.
As a consumer, you can try to keep your data secure by using reliable apps, choosing strong passwords, turning on multi-factor authentication, and making sure your devices and software are always up to date.
As a device manufacturer, you need to increase your effort significantly. The manufacturer must adopt the Secure by Design approach and consider cybersecurity already in the design and development stages. Just as car safety is planned well before the final touches are added, the security of industrial and consumer devices and applications must be integrated into the core features — it cannot simply be added later.
In practice, this involves steps like the following:
• Use authentication and encryption. The manufacturer must verify and encrypt both data and settings, whether stored or transmitted.
• Apply lifecycle thinking. The manufacturer must integrate and clearly address security issues at every phase of the product lifecycle. Products must be designed to support secure deployment, configuration, operation, updating, and eventual decommissioning, all without jeopardizing device integrity or data.
• Report. Should security vulnerabilities arise at any stage, they are to be promptly remediated and reported in a timely and transparent manner.
• Remember the user. The manufacturer must acknowledge the user’s existence. Users must be reliably identified and be provided with transparent privacy settings as well as robust data management tools. Only data necessary for operations should be retained. Furthermore, users are to be clearly informed of the data collected, its intended use, and the procedures for secure deletion.
Addressing future security challenges in research and development
How can we get ready for future threats? For consumers, using long passwords and enabling multi-factor authentication are still solid strategies. But device makers need to consider additional measures beyond the basics.
In device-focused research and development projects, what actions should one take at this stage?
• Use symmetric encryption algorithms such as AES. Quantum computers only reduce the key strength of symmetric encryption algorithms rather than fully compromising their security.
• Do not centre new product designs on public-key encryption techniques, such as RSA. Public-key encryption methods are vulnerable to compromise due to advances in quantum computing.
• Acquire comprehensive knowledge of quantum-safe encryption, commonly known as Post-Quantum Cryptography (PQC). Established PQC algorithms and published standards are already available, helping manufacturers begin the transition promptly.
• Implement systems with adaptable encryption methods. Depending on the application, it may be appropriate to employ hybrid solutions that integrate both current and post-quantum cryptographic techniques concurrently.
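The hybrid and adaptable approach from the last two bullets, as an added example (not code from the original article): a classical and a post-quantum shared secret are both fed into one key derivation, and the algorithm suite is an explicit, policy-checked identifier so it can be changed later. The suite IDs, the `example-device-v1` label, the `MIN_SUITE` policy and the placeholder secrets are assumptions made for illustration; the two shared secrets would come from a vetted ECDH and KEM implementation.

```python
import hashlib
import hmac
import struct

# Suite registry: wire ID -> (classical component, post-quantum component).
# IDs are constructed for this example, not taken from a published registry.
SUITES = {
    1: ("ECDH-P256", None),          # classical only: exposed to HNDL
    2: ("ECDH-P256", "ML-KEM-768"),  # hybrid: both secrets feed the key
}
MIN_SUITE = 2  # assumed device policy: refuse anything below hybrid


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(suite_id: int, classical_ss: bytes, pq_ss: bytes = b"",
                       min_suite: int = MIN_SUITE) -> bytes:
    """Derive a 256-bit AES key with the suite ID bound into the derivation."""
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite {suite_id}")
    if suite_id < min_suite:
        raise ValueError("suite below policy minimum (possible downgrade)")
    if not classical_ss:
        raise ValueError("missing classical shared secret")
    pq_name = SUITES[suite_id][1]
    if pq_name is None:
        pq_ss = b""  # classical-only suite: ignore any stray PQ input
    elif not pq_ss:
        raise ValueError("hybrid suite requires a post-quantum shared secret")
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(struct.pack(">H", len(s)) + s for s in (classical_ss, pq_ss))
    info = b"example-device-v1|suite=" + struct.pack(">H", suite_id)
    return hkdf_sha256(ikm, salt=b"", info=info, length=32)


if __name__ == "__main__":
    # Constructed placeholder secrets; real ones come from ECDH and a KEM.
    ecdh, kem = bytes(range(32)), bytes(range(32, 64))
    print(derive_session_key(2, ecdh, kem).hex())
```

Because the suite ID is part of the derivation input, two peers that disagree on the suite end up with different keys, and adding a new suite later only requires a new registry entry and a raised `MIN_SUITE`.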
As referenced earlier, McEwan’s dystopian novel is a fictional tale that can offer a welcome escape from workplace pressure. However, its central theme lingers. We are accumulating packages of information that act like time capsules. But unlike traditional capsules hidden underground with explanatory letters for the future recipient, these are digital versions that we may not want anyone to ever access. Yet we can still have a say, if we can imagine ourselves in the future and act now.
You can explore this subject in greater detail by tuning into the R&D Tech Talk Finland podcast episode about Cybersecurity in device manufacturing (in Finnish): Kyberturvallisuus laitevalmistuksessa – regulaatioista kvanttiturvallisiin ratkaisuihin.