Workshops Power & Energy PQC Migration for SCADA and OT Networks
Power & Energy Full Day or Half Day Workshop

PQC Migration for SCADA and OT Networks

This workshop equips OT security engineers and SCADA architects with a protocol-specific migration methodology for transitioning energy OT networks to post-quantum cryptography under operational constraints.

Full day (6 hours) or half day
In person or online
Max 30 delegates
Commission This Workshop View Agenda

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside
Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

For OT security engineers, SCADA architects, and energy infrastructure teams. Covers protocol-specific PQC migration for DNP3 Secure Authentication, IEC 61850 GOOSE/MMS, Modbus/TCP, and OPC UA. Addresses constrained device migration for RTUs, PLCs, and IEDs with limited compute resources, IEC 62351 and NERC CIP compliance mapping, NIST FIPS 203/204/205/206 algorithm selection criteria, and supply chain vendor readiness assessment.

Operational technology networks in the energy sector present migration challenges that IT-focused PQC programmes do not address. Asset lifecycles of 15-30 years mean that RTUs and PLCs deployed today will still be operating when cryptographically relevant quantum computers arrive. Constrained compute environments (ARM Cortex-M class processors with 256 KB RAM) cannot simply adopt ML-KEM-1024 without architectural changes. Proprietary protocols lack standard PQC integration paths. Safety-critical uptime requirements (99.999%) eliminate the option of fleet-wide firmware upgrades during a single maintenance window. This workshop provides a structured migration methodology that accounts for these constraints: protocol-by-protocol cryptographic inventory, device-by-device capability assessment, and a phased migration sequence that maintains operational continuity throughout the transition.

What participants cover

  • Protocol-level cryptographic exposure: RSA/ECDSA/HMAC dependencies in DNP3 SA, IEC 61850 GOOSE/MMS, Modbus/TCP, and OPC UA, with quantum threat timelines for each
  • NIST FIPS 203/204/205/206 algorithm selection: ML-KEM key sizes, ML-DSA signature overhead, SLH-DSA as stateless hash-based fallback, and FN-DSA for bandwidth-constrained links
  • Constrained device migration: memory footprint and CPU cycle requirements for PQC on ARM Cortex-M class processors, gateway-based termination architectures, and hybrid X25519+ML-KEM transition schemes
  • IEC 62351 compliance mapping: where PQC algorithms integrate into Parts 3-6 (TLS for MMS, GOOSE/SV authentication) and gap analysis methodology
  • NERC CIP alignment: CIP-005 electronic security perimeter, CIP-007 system hardening, and CIP-013 supply chain obligations for PQC procurement
  • Vendor readiness and CBOM: assessing SCADA/DCS vendor PQC roadmaps, building a Cryptographic Bill of Materials, and incorporating PQC into firmware update contracts

Preliminary Agenda

Full-day session structure with scheduled breaks. Content is configurable to your OT architecture, protocol stack, device fleet, and regulatory jurisdiction.

# Session Topics
1 OT Protocol Cryptographic Exposure Where quantum threats intersect SCADA, DCS, and ICS architectures
2 Protocol-Specific Vulnerability Analysis Cryptographic dependencies in energy OT communication stacks
  • DNP3 Secure Authentication (SA v5/v6): RSA and HMAC-SHA dependencies, quantum exposure timeline, and ML-DSA replacement path
  • IEC 61850 GOOSE/MMS: TLS 1.2/1.3 in MMS, multicast authentication gaps in GOOSE, and constrained latency budgets for PQC key exchange
  • Modbus/TCP and OPC UA: unencrypted legacy exposure, OPC UA certificate chain migration to ML-DSA/ML-KEM, and backward compatibility constraints
Break, after 50 min
3 Standards, Regulation, and Compliance Mapping IEC 62351, NERC CIP, and NIST PQC standards for energy OT
  • IEC 62351 Parts 3-6: TLS for MMS (Part 3), GOOSE/SV authentication (Part 6), and where PQC algorithms slot into the standard
  • NERC CIP-005/CIP-007/CIP-013: electronic security perimeter, system hardening, and supply chain risk management obligations for PQC migration
  • NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), draft FIPS 206 (FN-DSA): selection criteria for constrained OT devices
4 Interactive Demonstration: OT Cryptographic Inventory Full-day format only
  • Facilitator-led walkthrough: building a cryptographic inventory for a representative SCADA/DCS architecture (RTUs, PLCs, IEDs, engineering workstations, historian servers)
  • Mapping protocol-level cryptographic dependencies to NIST FIPS algorithm replacements: which OT endpoints can support ML-KEM/ML-DSA key sizes and which require hybrid or gateway-based migration
  • Delegates discuss: migration sequencing under operational constraints (planned outage windows, safety system isolation, vendor firmware dependencies)
Break, after 60 min
5 Constrained Device Migration Strategy PQC for RTUs, PLCs, and field devices with limited compute
  • ML-KEM key encapsulation on constrained hardware: memory footprint (1,568-byte ciphertext for ML-KEM-768) and CPU cycle requirements for ARM Cortex-M class processors
  • Hybrid classical-PQC schemes for transition periods: X25519+ML-KEM composite key exchange for OT gateways, phased rollout without full protocol stack replacement
  • Gateway-based migration architecture: PQC termination at substation gateways with classical protocol preservation for legacy field devices beyond firmware upgrade
6 Supply Chain and Vendor Readiness Assessing OT vendor PQC roadmaps and procurement strategy
  • Vendor readiness assessment framework: evaluating SCADA/DCS/EMS vendor PQC roadmaps (ABB, Siemens, GE Vernova, Schneider Electric, Honeywell)
  • NERC CIP-013 supply chain obligations: incorporating PQC requirements into vendor procurement specifications and firmware update contracts
  • CBOM (Cryptographic Bill of Materials): building and maintaining a machine-readable inventory of cryptographic dependencies across the OT estate
7 Q&A and Migration Roadmap Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and power & energy systems.

QD

Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.

PO

Energy Sector Partners

Domain expertise and operational validation

Power & Energy workshops are co-delivered with sector specialists who bring direct operational experience in power & energy organisations. This ensures workshop content is grounded in regulatory, operational, and technical realities specific to the sector.

Commission This Workshop

Sessions are configured around your OT architecture, protocol stack, device fleet age, and regulatory jurisdiction. Get in touch to discuss requirements and schedule a date.

Contact Us
Power & Energy Workshops All Consulting Services All Workshops