SIF R3 Alpha: Network Security in a Quantum Future
Project summary
As part of the UK's critical national infrastructure, the energy system must be secure against malicious cyberattacks.
Name | Status | Project reference number | Start date | Proposed End date |
---|---|---|---|---|
Network Security in a Quantum Future - Alpha | Live | 10129418 | Oct 2024 | Apr 2025 |
Strategy theme | Lead Funding Licensee | Funding mechanism | Technology | Expenditure |
---|---|---|---|---|
Data and digitalisation | NESO - National Energy System Operator | SIF Alpha - Round 3 | Cyber Security, Digital Network | £553,628 |
Preceding Projects | Third Party Collaborators |
---|---|
10103996 | Cambridge Consultants, University of Edinburgh |
The nature of emerging quantum computing technologies will enable attackers to break encryption that is currently highly secure and open significant new attack vectors.
To ensure resilience, energy networks must therefore consider the quantum threat in their cybersecurity strategies. However, understanding quantum impact requires highly specialist knowledge. This project addresses this by creating an innovative risk management tool to assess the quantum threat to the energy network, mapping it to a diverse range of energy system assets, and enabling prioritisation of appropriate mitigations.
Innovation Justification
The innovations below will support the resilience of the energy sector to emerging quantum-enabled cyberthreats:
- Making quantum intelligence actionable: Quantum research will be captured, analysed, and converted to parameters that can be used to update risk models on a regular basis, translating highly technical, cutting-edge research into usable threat intelligence for energy sector security teams.
- Embedding quantum computing risk management into BAU: The proposed tool and workflow will map into standardised risk management processes familiar to energy sector security professionals, allowing quantum risks to be prioritised against traditional cyber risks, and enabling informed trade-offs about where to invest in mitigations. Consumers will benefit from reduced costs achieved through better-targeted mitigations.
- Characterising quantum risks: Our novel methodology will produce evidence-based estimates of quantum risk, blending analysis of time-to-attack (time until quantum computing resources become available to attackers), with time-of-attack (time required for an attacker to initiate and execute a quantum attack). The risks posed by quantum computers to energy sector assets will be characterised to a level of detail not previously achieved, adding significant value for security teams.
- Modelling energy network assets: We will identify an asset modelling approach that is detailed enough to be useful but lean enough to support the need for the quantum risk tool to be scalable and feasibly applied to the full range of energy system assets.
Developing Discovery research
- We will expand on Discovery’s analysis of types of quantum-enabled attacks and post-quantum mitigations, covering more energy system test cases, asset types, and ranges of tactics, techniques and procedures (TTPs) that attackers will use.
- Discovery’s literature review highlighted ongoing research likely to shorten both time-to-attack and time-of-attack for quantum-enabled cyberattacks. In Alpha we will begin developing the tool to incorporate quantum experts' updated estimates of these parameters, enabling security specialists to make decisions based on timely data.
- Discovery highlighted gaps in the literature about quantum attack prediction; specifically, much literature focused on time-to-attack. Our Discovery work focused on time-of-attack. Alpha will merge these approaches to build a complete picture of risk, based on both factors (and others that could impact quantum risk).
- Discovery created a list of potential mitigations for quantum-enabled attacks, but it was not comprehensive and did not include advice on when to employ which mitigation; Alpha will develop clearer guidance on this.
Readiness Levels (Now->Alpha)
- TRL2->TRL4 (limited scope demonstrator in a working environment).
- IRL2->IRL3 (compatibility between technologies).
- CRL2->CRL3 (technology application).
Stakeholder validation
To ensure that tool outputs are relevant and appropriate for the energy sector, we will continue to leverage knowledge from the NESO and engage with the UK Cyber Security Task Group. We will target embedding the toolset into Business-As-Usual (BAU), defining a roadmap from Proof-of-Concept (PoC) to BAU.
Need for SIF Funding
The quantum cybersecurity threat is an industry-wide challenge of national importance.
The complexity of distilling quantum computing knowledge into actionable intelligence takes this process outside the scope of normal energy network strategic planning, and other network funding routes. The SIF phased structure will facilitate an informed and engaged approach, involving development of a process, then of a tool, utilising an iterative process, working first with the NESO security team, and then with the broader energy ecosystem.
Counterfactual solutions
The alternatives to this project, which we believe are either too risky or too costly to be viable, are to:
- Adopt a purely reactive response strategy, relying on cybersecurity suppliers to implement solutions.
- 'Rip-and-replace' all assets with systems that support post-quantum cryptography as they appear.
The Appendix provides a comparison of the counterfactuals to the Network Security in a Quantum Future (NSiaQF) strategy.
Impacts and Benefits
Primary Benefit: Future reductions in cost of operating the network
Current Situation
Discovery showed that quantum computers will enable cybersecurity threats against the energy sector by breaking current public key cryptography, enabling potentially catastrophic attacks such as network shutdown by malware or market manipulation through message tampering. If network operators do not prepare, this will increase the likelihood of a successful attack.
Financial and social costs of cyberattacks on critical infrastructure are significant. In December 2015 a Russian cyberattack on Ukraine left 1.4M homes without power. Logistics provider Maersk estimated a successful cyberattack on their systems cost $300M to fix.
The UK National Risk Register 2023 estimates the cost of a cyberattack against UK critical infrastructure could run to “hundreds of millions of pounds”, causing 81-400 casualties and 41-200 fatalities.
Alpha WP4 (Impact analysis) will define and quantify the increased risk and likely impact of quantum-enabled attacks, with input from the NESO's cybersecurity team and other industry stakeholders.
Further, WP1 will develop an asset model for the energy network, highlighting the size and scope of potential vulnerabilities and informing the quantification of potential benefits.
Quantification of Benefits
Option 1: Develop and deploy Q-ARM tool (proposed project)
Alpha's cost-benefit analysis will quantify the expected reduction in future energy network operating costs, primarily from using the Q-ARM tool to support cost avoidance through minimising risk of a successful quantum-enabled cyber-attack. Potential successful attacks could start by 2029, increasing year-on-year through 2033. We have estimated the lifetime net present value (NPV) as £878,455,958. This figure will be refined during Alpha.
Further reductions in operating costs would come from minimising the costs for implementation of mitigation strategies within energy networks by ensuring mitigations are targeted and appropriate to quantum-enabled threats. The proposed Q-ARM tool will evaluate the criticality of energy network assets and recommend cost-effective mitigation strategies. This will also facilitate planning for long-term asset investment.
Baseline/BAU (Reactive Strategy):
Up-front cost would be lowest in this option, as no Q-ARM tool would be developed. However, the likelihood of successful quantum-enabled cyberattacks would increase significantly, with negative impacts on consumers, security of supply and the UK economy.
Option 2: Rip-and-Replace Strategy
In this option (not yet modelled), network operators undertake an accelerated asset replacement programme, targeting all hard-to-upgrade assets (those unable to change cryptographic standard). This would be done without the Q-ARM tool to identify and prioritise specific vulnerabilities, and thus would mean bringing major cross-network investment requirements forward by many years. We will develop the analysis for this in Alpha; however, as a benchmark, in 2022 the UK invested £13 billion in the energy industry, mainly for asset replacement. Assuming a significant proportion (20%) of this replacement will need to be accelerated over the coming years to maintain network security against the quantum threat, this would lead to extra cost of £350-£450 million annually.
Metrics
In Alpha's cost-benefit analysis, we will develop a methodology and associated metrics to clearly quantify the above benefits. These will include:
- Level of cyber-risk from a quantum attack.
- Expected impact on the wider UK economy.
- Reduction in accelerated asset replacement costs due to cyber-risk.
Other benefits: De-risking cybersecurity of energy network assets and systems in the post-quantum world
Qualitative Benefit:
Discovery highlighted the real, significant threat quantum computing will pose, with threats initially coming from nation states in as little as 5 years but then from other threat actors. The risk reduction enabled by developing the Q-ARM tool will ensure future energy network resilience and security of supply for consumers. This is key for social and economic benefit, continued security of supply and protection of Critical National Infrastructure.
Name | Published |
---|---|
SIF Alpha Round 3 Project Registration | 12 Oct 2024 |