Op-ed: Why the manufacturing industry needs to take action on post-quantum cryptography now

Posted on 12 Aug 2025 by The Manufacturer
Company: NXP Semiconductors

In this exclusive op-ed for The Manufacturer, NXP Semiconductors’ Joppe W. Bos warns that while smart manufacturing is driving efficiency and innovation, the rise of quantum computing threatens current cryptographic protections for IIoT devices, making it urgent for manufacturers to adopt post-quantum cryptography and ensure cryptographic agility to safeguard long-term security.

Smart manufacturing is flourishing. The market is expected to reach $998.99bn by the end of the decade, fueled by growing global populations and product innovations.

At the heart of this sector’s success are new technologies powering the industrial internet of things (IIoT) – made up of a huge range of connected devices, from sensors to actuators, logic controllers to 3D printers – alongside advances in cloud computing, robotics, and AI. Together, these tools enable manufacturers to rapidly reconfigure factories based on market needs, bring products to launch faster, and develop more efficient, accurate, and sustainable manufacturing processes.

However, the skyrocketing number of connected devices in the smart manufacturing industry does raise a new challenge when it comes to security. Scalable cyberattacks present a significant concern as the industry evolves, posing monetary, reputational, environmental, and safety threats to manufacturers. In simple terms, as the number of smart devices grows across the manufacturing industry, so too does the potential attack surface.

Adding further complexity, manufacturers must now also prepare for the potential emergence of quantum computers, which will see traditional cryptographic technologies made obsolete. Large-scale, fault-tolerant quantum computers may still be years away, but the impact could upend security practices across the globe, with particular repercussions for highly connected industries like manufacturing.

While it’s urgent that manufacturers recognize and adequately respond to this emerging risk, the good news is that with the right approach, a more efficient, flexible, and resilient manufacturing sector is in reach.

How quantum computing impacts manufacturing security

Traditional cryptography protects the vast majority of devices today, including those that make up the IIoT. Most of this public-key cryptography is built upon complex mathematical problems that are near-impossible for traditional computers to solve. Quantum computers, however, could theoretically make very short work of such mathematical challenges, because they use a different computing paradigm.

The threat of quantum computers to cryptography has long been theorized. In fact, back in 1994, Peter Shor famously proposed a quantum algorithm that, run on a quantum computer with sufficient qubits, could break widespread public-key cryptography schemes. Following Google’s initial claim of reaching quantum supremacy in 2019 – the point at which a quantum computer can solve problems that are impossible on traditional computers – the risks quantum computers pose to cryptography have quickly moved beyond the theoretical.

In this rapidly changing context, what can manufacturers do to ensure devices, businesses, and the industry as a whole, are secure?

Staying a step ahead: Post-quantum cryptography

While the capabilities of quantum computers are rapidly growing, innovations in cryptographic techniques and IIoT devices – alongside rapidly evolving regulatory frameworks – are helping manufacturers to stay a step ahead of potential bad actors.

While there are issues with fragmentation of post-quantum cryptography (PQC) standards, with many different standards being trialed, put in place, or planned in different regions, the direction of travel is positive. Around the world, agencies such as the USA’s NIST are producing algorithm families and guidance on different use cases with the ambition to keep businesses and consumers safe.

For many consumers, and some businesses, this transitional period is less pressing. That’s because they’ll have updated their devices by the time quantum threats become a reality. But for manufacturers, taking action now is much more urgent. The IoT technology that manufacturers choose today may have a decades-long lifecycle. Companies need to be able to invest today with the confidence their systems will remain both secure and compliant with changing regulations into the 2030s. With the lay of the land still in flux and PQC standards still changing, how will that be possible?

Ensuring cryptographic agility

For manufacturers, cryptographic agility is crucial. This means choosing systems, from established and trusted manufacturers, that can support multiple algorithms and can be updated over time. This will make it simpler to adapt to the changing context around PQC. Given this, firmware updateability (something many IIoT devices have traditionally lacked) should be a crucial consideration today – as the alternative may be end-of-life replacement on a shorter timescale than desired.

For manufacturers with thousands of connected devices, this may all seem a daunting – and costly – task. And we should be clear-sighted about the challenges: there’s no overnight fix.

Instead, the industry’s migration will be gradual, starting with PQC being embedded in crucial use cases like secure boot, updates, TLS connections, and device attestation. Manufacturers will need to monitor changing regulations and work with suppliers to ensure compliance. Hybrid schemes that use both traditional and quantum-safe algorithms will also offer a stepping stone to greater protection (although they can be compute-intensive and so may not be suitable for all IIoT devices, many of which have limited resources).

Change takes time in the manufacturing industry. Today, PQC-readiness and agility are too often considered ‘nice-to-haves’ or even simply theoretical concerns, yet advances in quantum computing show no sign of slowing. This means that if manufacturers want to stay future-proof and safe, now is the time to start building PQC into their security strategy.


About the author

Joppe W. Bos is a cryptographic researcher and technical director at NXP Semiconductors in Leuven, Belgium, and a co-author of the post-quantum CRYSTALS-Kyber (ML-KEM) secure key encapsulation mechanism, which has been selected by NIST for standardization. At NXP, he is the technical lead of the Post-Quantum Cryptography team and the manager of the Crypto Concepts team. Previously, Bos was a post-doctoral researcher in the Cryptography Research Group at Microsoft Research in Redmond, WA. In 2012, he obtained his PhD in the laboratory for cryptologic algorithms at EPFL in Lausanne, Switzerland.

Bos’ research focuses on computational number theory as used in (post-quantum) public-key cryptography. He served as the Secretary for the IACR (2017 – 2022) and serves as the co-editor of the IACR Cryptology ePrint Archive (2019 – now), and the co-editor-in-chief for the IACR Communications in Cryptology (2024 – now).