October 9, 2022
Quantum Computing Threat Modelling on a Generic CPS Setup
What is an appropriate threat modelling method to understand your enterprise’s exposure to quantum threats? We recommend Process for Attack Simulation and Threat Analysis (PASTA).
The threat of quantum computers is real and will require significant resources and time for classical systems and applications to prepare for the remedies against the threat. At the algorithm level, the two most popular public-key cryptosystems, RSA and ECC, are vulnerable to quantum cryptanalysis using Shor’s algorithm, while symmetric key and hash-based cryptosystems are weakened by Grover’s algorithm. Less is understood at the implementation layer, where businesses, operations, and other considerations such as time, resources, know-how, and costs can affect the speed, safety, and availability of the applications under threat.
We carry out a landscape study of 20 better-known threat modeling methods and identify PASTA, when complemented with Attack Trees and STRIDE, as the most appropriate method to be used for evaluating quantum computing threats on existing systems. We then perform a PASTA threat modeling exercise on a generic Cyber-Physical System (CPS) to demonstrate its efficacy and report our findings. We also include mitigation strategies identified during the threat modeling exercise for CPS owners to adopt.