OT asset owners are being asked to attest to their post-quantum cryptographic readiness, but regulators have not provided the tooling to make those attestations meaningful, resulting in paperwork that can look like security. The piece argues that the frameworks used for IT environments do not fit OT, where availability remains the top priority and many devices are too constrained to support modern cryptographic operations.
It notes that cryptography is buried in legacy libraries and firmware, making it hard to audit, upgrade, or verify. The article cites the real risk of "harvest now, decrypt later", where adversaries capture encrypted data today and decrypt it once quantum capabilities exist, and warns that signing attestations without adequate visibility gives a false sense of security.
It references Volt Typhoon as an example of a state-sponsored actor with long-term access to critical infrastructure, and stresses that, with reference to NIST’s post-quantum standards and timelines, cryptographic readiness remains a matter of claims rather than verifiable capability.