Preparing Critical Infrastructure for the Post-Quantum Shift - an RMC blog post

Vince Kuchar, CEO of RMC, & Sophia Skwarchuk, Cybersecurity Specialist

Quantum computing still feels distant to many critical infrastructure operators. After all, most operational technology (OT) environments are not facing disruption from a quantum computer tomorrow morning.

But that does not mean post-quantum cryptography can wait.

For organizations responsible for OT environments, industrial systems, and critical infrastructure, post-quantum cryptography – or PQC – is better understood as a strategic risk management issue. The concern is not simply whether quantum computers are ready today. It’s whether your organization is building, buying, and maintaining systems that will still be defensible years from now.

At RMC, that distinction matters. In OT, security decisions tend to live longer, cost more to change, and carry far greater operational consequences than they do in traditional IT environments.

What is post-quantum cryptography, really?

Post-quantum cryptography refers to encryption and digital signature methods designed to remain secure even against future quantum-capable attacks.

Why is this being discussed now? Because adversaries do not need to wait for a mature quantum computer to create risk. Sensitive data can be collected today and held for later decryption once quantum capabilities advance. That “harvest now, decrypt later” concern is especially relevant in sectors where system lifecycles are long, data sensitivity is high, and infrastructure upgrades move slowly.

For OT operators, the question is not whether to panic. It is whether to start planning before limited visibility, aging assets, and rigid architectures make the transition harder than it needs to be.

The risk may not be immediate, but the planning should be

For most organizations, quantum computing is not an immediate operational threat to OT. The larger issue is timing.

OT systems often remain in service for years or even decades. Many were designed around reliability and interoperability, not around the expectation that cryptographic methods would need to be swapped out during their lifetime. That makes delayed planning more dangerous in OT than in many IT environments.

An organization that waits until post-quantum requirements become urgent may discover too late that key devices cannot be updated, vendors lack a roadmap, or cryptographic changes require costly downtime and hardware replacement.

This is one reason RMC views PQC through the broader lens of cyber resilience. The challenge is not just adopting new algorithms. It’s understanding where your current dependencies exist, which systems are most exposed, and how future security changes will affect operations.

OT already has secure communications challenges

Many OT communication protocols in use today were not originally designed with modern security expectations in mind. In practice, organizations often depend on segmentation, architecture, monitoring, and compensating controls to reduce risk rather than relying on native protocol security alone.

That reality is important when considering PQC.

A common misconception is that stronger encryption, by itself, solves communication security. In OT environments, that is rarely the case. Identity management, network design, legacy device limitations, vendor restrictions, and maintenance windows usually create bigger operational challenges than the encryption standard itself.

Post-quantum cryptography can introduce additional computational and integration demands, particularly for constrained or legacy devices. But in many environments, the real obstacle is not the algorithm. It’s the lack of visibility into assets, dependencies, communications paths, and upgrade feasibility.

In other words, PQC does not create all the complexity, but it often reveals complexity that was already there.

What crypto-agility actually means in OT

One of the most important concepts in this conversation is crypto-agility.

In practical OT terms, crypto-agility means your environment is designed so cryptographic components can be updated or replaced without forcing full device replacement or unacceptable operational disruption.

That sounds simple. In reality, it requires forethought.

It means asking whether firmware can be updated safely. It means understanding whether cryptographic functions are modular or hard-coded. It means evaluating whether vendor products are built with standardized interfaces and realistic upgrade paths. It also means building procurement requirements that account for future cryptographic transition instead of assuming today’s approach will remain sufficient for the life of the asset.

For critical infrastructure operators, crypto-agility should be treated not as a technical luxury, but as a resilience requirement.

What operators should ask vendors now

If you are buying OT equipment today, quantum readiness should already be part of the conversation.

That does not mean demanding a fully post-quantum deployment on day one. It does mean asking better questions:

  • Does this product support secure firmware updates?
  • Can cryptographic components be updated without replacing the device?
  • Do you have a documented roadmap for post-quantum cryptography adoption?
  • How are cryptographic dependencies tracked across the product lifecycle?
  • Will future security changes require downtime, hardware swaps, or major redesign?
  • How are you approaching crypto-agility in long-lived OT environments?

These questions align with a broader principle RMC emphasizes across OT security work: organizations need to understand not only whether a product is secure today, but whether it can remain secure as the threat landscape evolves.

Building visibility is a great place to start

For most organizations, the most practical step to take this year is not a wholesale quantum migration, but rather building a complete, continuously updated inventory of OT assets, communications paths, and existing cryptographic dependencies.

Without that visibility, it is extremely difficult to apply security controls consistently, assess where legacy encryption methods remain in use, or build a realistic roadmap for future transition.

This is especially important in critical infrastructure, where asset owners often inherit a mix of legacy equipment, vendor-specific constraints, and operational processes that were never designed for fast security change.

PQC readiness starts with knowing what you have, how it communicates, which trust relationships matter, and where your environment is least adaptable.
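One way to turn such an inventory into a first-pass triage, as an added example that is not RMC's tooling: the field names, category labels and their ordering are assumptions, and the sample inventory is constructed. The two algorithm sets list public-key schemes that Shor's algorithm breaks and the NIST-standardized post-quantum schemes.

```python
from dataclasses import dataclass
from typing import Optional

# Public-key algorithms that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# NIST-standardized post-quantum algorithms (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Assumed planning order, most urgent first; adjust to your own risk model.
ORDER = ["plan-replacement", "inventory-gap", "press-vendor",
         "plan-upgrade", "manual-review", "no-action"]

@dataclass
class Asset:
    name: str
    algorithm: Optional[str]   # None = cryptography not yet inventoried
    years_remaining: int       # expected remaining service life
    firmware_updatable: bool
    crypto_modular: bool       # False = algorithm hard-coded in the device
    vendor_pqc_roadmap: bool

def triage(a: Asset) -> str:
    if a.algorithm is None:
        return "inventory-gap"        # no visibility, so nothing can be assessed
    alg = a.algorithm.upper()
    if alg in POST_QUANTUM:
        return "no-action"
    if alg not in QUANTUM_VULNERABLE:
        return "manual-review"        # symmetric, proprietary or unrecognized
    if not (a.firmware_updatable and a.crypto_modular):
        return "plan-replacement"     # not crypto-agile: hardware swap likely
    return "plan-upgrade" if a.vendor_pqc_roadmap else "press-vendor"

def prioritize(assets):  # most urgent category first, then longest-lived asset
    rows = [(a.name, triage(a), a.years_remaining) for a in assets]
    rows.sort(key=lambda r: (ORDER.index(r[1]), -r[2]))
    return [(name, cat) for name, cat, _ in rows]

# Constructed sample inventory (not real devices).
INVENTORY = [
    Asset("historian-gateway", "RSA", 8, True, True, True),
    Asset("rtu-substation-7", "ECDSA", 15, False, False, False),
    Asset("plc-line-3", None, 20, True, False, False),
    Asset("hmi-control-room", "rsa", 12, True, True, False),
    Asset("rtu-pump-2", "ECDH", 18, True, False, True),
    Asset("remote-access-vpn", "ML-KEM", 5, True, True, True),
    Asset("serial-encryptor", "AES-128", 10, False, False, False),
]

if __name__ == "__main__":
    print("\n".join(f"{cat:17} {name}" for name, cat in prioritize(INVENTORY)))
```

Assets with no recorded algorithm rank just below non-agile ones because an unassessed device cannot be ruled out of either group.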

Why this matters now

Post-quantum cryptography is often framed as an advanced technical topic for specialists. In OT and critical infrastructure, that framing is too narrow.

This is a business continuity issue. A procurement issue. A lifecycle management issue. A resilience issue.

The organizations that are best positioned for the post-quantum transition will not necessarily be the ones making the loudest claims about quantum readiness today. They will be the ones doing the quieter, harder work of improving asset visibility, strengthening architecture, demanding more from vendors, and designing environments that can evolve without unnecessary disruption.

At RMC, we believe that’s the right way to approach emerging security challenges in OT: with measured urgency, without complacency, and with a clear understanding of how risk affects critical operations.

Post-quantum cryptography may still be a developing issue, but the need for better planning is not. For critical infrastructure operators, the time to start preparing is now, before the transition shifts from a strategic priority to an urgent requirement.
