Future-Proof BAS Security, Smart Building Security

Quick Summary

Quantum computing threatens to break today’s cryptographic protections, including the algorithms used across some BAS networks, while others are completely unprotected. Because BAS devices have long lifespans, operators must begin planning their transition to post-quantum cryptography now. PQC provides a path to future-proof building systems without requiring quantum hardware.


Introduction

Quantum computing is no longer a theoretical concept reserved for science labs; it is progressing rapidly, and its cybersecurity impact will reshape how organizations secure critical infrastructure. For Building Automation Systems (BAS), which often lack methods to authenticate devices and protect communications, the arrival of quantum-capable adversaries poses a significant risk.

Current cryptography, including RSA and ECC, forms the backbone of secure communications, secure tunnels, firmware signing, and certificate-based identity. But these algorithms will eventually be breakable by sufficiently powerful quantum computers using Shor’s algorithm. That means building systems must begin transitioning to post-quantum cryptography (PQC) well before quantum computers reach practical attack capability.

This article explains what PQC is, why BAS operators should care, and what steps they must begin taking now to future-proof their environments.


Why Quantum Computing Threatens BAS Security

  1. Quantum computers can break today’s public-key cryptography

Algorithms such as RSA-2048 and ECC-256, which protect most digital certificates, VPNs, and secure connections, would be vulnerable to quantum attacks once machines with enough qubits and error correction exist. Government and industry bodies call this the “Q-Day” problem—the point at which classical cryptography becomes breakable.

  2. Harvest-now, decrypt-later attacks have already begun

Threat actors are believed to be collecting encrypted data today with the expectation that quantum computing will eventually decrypt it. For BAS, this could include:

  • Captured building traffic
  • Encrypted configuration files
  • Device credentials protected by classical cryptography
  • Archived backups from BMS servers

  3. BAS devices have long lifecycles

Unlike laptops or cloud services, BAS equipment often remains in operation for 10–20+ years. That means devices being installed today will still be running when quantum attacks become practical. If they cannot be upgraded or replaced to support PQC, they become long-term vulnerabilities.


What Is Post-Quantum Cryptography (PQC)

PQC refers to cryptographic algorithms designed to be secure against both classical and quantum attacks. Unlike quantum key distribution (QKD), PQC does not require quantum hardware; it runs on traditional processors but is built on mathematically different foundations.

In 2022 and 2023, the U.S. National Institute of Standards and Technology (NIST) announced the first standardized PQC algorithms, including:

  • CRYSTALS-Kyber (for key establishment)
  • CRYSTALS-Dilithium (for digital signatures)
  • FALCON (for digital signatures)
  • SPHINCS+ (stateless hash-based signatures)

These algorithms are now being adopted into commercial products, government systems, and embedded security platforms.


Why BAS Operators Must Act Now

  1. Compliance pressure is rising

Government mandates, including U.S. Executive Order 14028 and White House National Security Memorandum 10 (NSM-10), require federal systems to prepare for quantum-resistant cryptography. Although BAS may not be explicitly mentioned, buildings supporting government tenants or critical industries will be required to align with these mandates.

  2. BAS communications depend heavily on public-key cryptography

PQC affects:

  • Mutual authentication between gateways and devices
  • Secure tunnels encrypting BACnet/Modbus traffic
  • Firmware signing and device identity
  • Certificate management for remote access and vendor connections

  3. Transitioning BAS is harder than transitioning IT

Many BAS devices have:

  • Low memory
  • Low CPU power
  • Limited firmware update paths
  • Long deployment lifecycles

This makes PQC adoption significantly more challenging, but also more urgent.


How to Prepare Your BAS for the Quantum Era

  1. Conduct a cryptographic inventory

Identify everywhere classical cryptography is used:

  • VPNs
  • TLS sessions
  • Certificates
  • BACnet/Modbus security overlays
  • Gateways, controllers, and endpoints

  2. Adopt crypto-agile security tools

Crypto agility means the system can switch to new algorithms through software or firmware updates without replacing hardware. This is essential for the PQC transition.

  3. Prioritize device-level protection

Any Zero Trust-based BAS cybersecurity solution should support:

  • Strong device identity
  • Mutual authentication
  • Encrypted channels
  • PQC-readiness

Learn how Veridify’s DOME platform makes your BAS quantum-ready.

  4. Require PQC roadmaps from vendors

Make PQC questions part of procurement:

  • “Do you support crypto-agility?”
  • “What PQC algorithms will your firmware adopt?”
  • “How will updates be delivered?”

  5. Prepare for hybrid cryptography

For years, systems will use hybrid classical + PQC algorithms to ensure maximum security during transition.
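As an added example that is not from this article or from Veridify, the inventory and prioritization steps above expressed as a small Python triage script: each inventory entry is classified as plaintext, classical public-key (breakable by Shor’s algorithm), PQC or hybrid, then ranked using the device’s expected lifetime and whether its cryptography can be updated in the field. The 2035 horizon, the device names and the scoring rules are constructed assumptions for illustration.

```python
from typing import NamedTuple

MIGRATION_DEADLINE = 2035  # assumed planning horizon for this example, not a Q-Day forecast
SHOR_BROKEN = {"rsa", "ecdsa", "ecdh", "dh", "dsa", "x25519", "ed25519"}
PQ_SAFE = ("ml-kem", "kyber", "ml-dsa", "dilithium", "falcon", "sphincs")

class CryptoUse(NamedTuple):
    device: str
    purpose: str           # "key-exchange", "signature", "bulk-encryption" or "none"
    algorithm: str         # e.g. "RSA-2048", "X25519+ML-KEM-768", "none"
    end_of_life: int       # year the device is expected to be retired
    field_updatable: bool  # crypto can be swapped by firmware update (crypto-agile)

def classify(alg: str) -> str:
    """Map an algorithm label to its quantum-risk class."""
    parts = [p.strip().lower() for p in alg.split("+")]  # "+" joins hybrid components
    if parts == ["none"]:
        return "plaintext"
    if any(p.startswith(PQ_SAFE) for p in parts):
        return "hybrid" if len(parts) > 1 else "pq"
    if any(p.split("-")[0] in SHOR_BROKEN for p in parts):
        return "shor-vulnerable"
    return "unknown"

def priority(use: CryptoUse) -> str:
    cls = classify(use.algorithm)
    outlives = use.end_of_life > MIGRATION_DEADLINE
    if cls == "plaintext":
        return "critical"  # unprotected today, quantum or not
    if cls == "shor-vulnerable":
        # Key exchange is exposed to harvest-now-decrypt-later already; signatures matter once the device outlives the deadline
        if use.purpose == "key-exchange" or outlives:
            return "high" if use.field_updatable else "critical"
        return "medium"
    return "high" if cls == "unknown" else "low"  # unknown: review; pq/hybrid: fine

def triage(inventory):
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = [(priority(u), classify(u.algorithm), u.device, u.purpose) for u in inventory]
    return sorted(rows, key=lambda r: rank[r[0]])  # most urgent first

SAMPLE_INVENTORY = [  # constructed sample site; names and years are illustrative
    CryptoUse("vav-controller-12", "none", "none", 2040, False),        # raw BACnet/IP
    CryptoUse("bms-server", "key-exchange", "RSA-2048", 2030, True),    # TLS to vendor
    CryptoUse("gateway-01", "key-exchange", "X25519+ML-KEM-768", 2038, True),
    CryptoUse("badge-reader-fw", "signature", "RSA-3072", 2028, True),  # retires early
    CryptoUse("roof-unit-fw", "signature", "ECDSA-P256", 2045, False),  # firmware signing
]
```

Running `triage(SAMPLE_INVENTORY)` lists the unprotected VAV controller and the non-updatable roof unit first, ahead of the RSA-protected server that can be patched.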


Key Takeaways

  • BAS devices installed today will operate well into the quantum era, making PQC preparation urgent.
  • NIST has already standardized quantum-resistant algorithms like Kyber and Dilithium.
  • BAS communications are often plaintext or only partially encrypted, leaving systems open to cyberattack.
  • A crypto-agile, device-level Zero Trust strategy is essential for PQC adoption.
  • Vendors and integrators must demonstrate PQC roadmaps for long-term building security.