# Empty Attestations: OT Lacks the Tools for Cryptographic Readiness


Operational Technology (OT) environments face a critical vulnerability: many lack adequate tools to verify cryptographic implementations and ensure systems can withstand modern threats. As organizations rush to implement post-quantum cryptography and strengthen their security posture, a fundamental gap has emerged—the absence of robust attestation mechanisms to validate cryptographic readiness across industrial control systems, utilities, and critical infrastructure.


## The Core Problem


Cryptographic attestation—the ability to prove that a system has implemented cryptographic protections correctly—remains poorly supported in legacy and modern OT systems alike. Unlike information technology (IT) environments where hardware security modules (HSMs), Trusted Platform Modules (TPMs), and software attestation tools are commonplace, OT systems often operate without comparable verification mechanisms.


"Empty attestations" describes a dangerous scenario: systems may claim to have cryptographic capabilities, but organizations lack the tools to independently verify these claims. A control system might report that encryption is enabled, yet no mechanism exists to confirm:


  • Whether encryption is actually implemented correctly
  • If cryptographic keys are properly managed
  • Whether the system can withstand adversarial cryptanalysis
  • If the implementation meets industry standards

This verification gap leaves critical infrastructure exposed to attacks that compromise systems despite claimed security implementations.


## Why OT Cryptographic Readiness Matters

Operational Technology powers the systems that keep society running: electric grids, water treatment facilities, manufacturing plants, transportation networks, and healthcare delivery. Unlike IT systems designed for frequent updates and rapid security patches, OT environments prioritize availability and safety over agility—meaning systems often remain operational for decades with minimal changes.

The transition to post-quantum cryptography adds urgency. Adversaries employing quantum computing or quantum-resistant algorithms could:


  • Collect encrypted communications today and decrypt them later, once quantum capabilities mature
  • Intercept and modify control signals in real time, potentially causing physical harm
  • Authenticate fraudulent commands if asymmetric cryptography is compromised
  • Undermine digital signatures that operators rely on to verify legitimate system updates

Yet many OT operators cannot answer a basic question: *Is our cryptographic implementation actually secure?*


## The Technical Gap

Traditional IT attestation mechanisms don't translate cleanly to OT:

| Challenge | IT Approach | OT Reality |
|-----------|-------------|------------|
| Update Frequency | Regular patches, firmware updates | Systems run unchanged for 10-20+ years |
| Hardware Diversity | Standardized x86/ARM architectures | Embedded systems, proprietary hardware, legacy chipsets |
| Tool Availability | Commercial HSMs, TPM 2.0 widespread | Minimal or no attestation hardware |
| Computational Overhead | Can absorb cryptographic overhead | Resource-constrained embedded systems |
| Vendor Support | Security updates standard practice | Many vendors no longer support legacy systems |

OT systems often run cryptographic implementations on hardware that predates modern attestation standards. A 15-year-old industrial controller running custom encryption cannot be audited with contemporary tools designed for modern processors.


## Real-World Implications

Critical Infrastructure at Risk: Without attestation, utilities cannot verify that SCADA systems, RTUs (Remote Terminal Units), or PLCs (Programmable Logic Controllers) implement cryptography correctly. An attacker who compromises encryption could:


  • Send unauthorized commands to power substations
  • Modify setpoints in water treatment systems
  • Alter production schedules in manufacturing
  • Manipulate traffic signals or rail switching systems

Compliance Challenges: Regulatory frameworks (NERC CIP for utilities, IEC 62443 for industrial automation) increasingly require cryptographic controls. Yet organizations cannot fully demonstrate compliance without attestation—creating a gap between claimed security and verifiable security.

Supply Chain Vulnerability: Manufacturers of OT components could inadvertently ship systems with weak cryptographic implementations, or malicious actors could introduce backdoors. Without attestation mechanisms, these vulnerabilities propagate undetected across industrial networks.


## Why Attestation Tools Are Scarce

Several factors explain why OT lacks robust attestation infrastructure:

1. Market Fragmentation: OT equipment comes from hundreds of vendors using proprietary architectures. No single attestation standard covers all devices.

2. Legacy System Economics: Organizations cannot afford to replace perfectly functional systems. Security vendors focus on modern IT platforms with larger customer bases.

3. Security Through Obscurity Mindset: Historically, many OT environments relied on air-gapping and isolation rather than cryptographic verification. This posture created little demand for attestation tools.

4. Regulatory Lag: Standards bodies move slowly. Post-quantum cryptography standards are still stabilizing; OT-specific attestation standards lag even further behind.

5. Performance Constraints: Attestation mechanisms add computational overhead. Resource-constrained OT devices cannot absorb additional crypto operations.

## Recommendations for Organizations

For OT Operators and Integrators:


  • Audit Your Cryptography: Conduct a comprehensive inventory of cryptographic implementations across OT systems. Document which systems can be verified and which represent blind spots.

  • Prioritize Replaceable Systems: Focus cryptographic attestation efforts on systems with lifecycle replacement plans. A control system being replaced in 18 months should have strong attestation; a 20-year-old legacy system may require different strategies.

  • Implement Compensating Controls: Where attestation tools don't exist, implement:
    - Regular independent security assessments
    - Network-level monitoring for anomalous traffic patterns
    - Cryptographic agility—systems capable of switching algorithms if current implementations are compromised
    - Hardware security modules (HSMs) for key storage when feasible

  • Engage with Vendors: Pressure equipment manufacturers to provide:
    - Clear documentation of cryptographic implementations
    - Mechanisms for external verification (even if not formal attestation)
    - Upgrade paths for systems to support modern attestation standards
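
An added example (not from the original article): a small inventory audit for the "Audit Your Cryptography" step that separates independently verified cryptography from the "empty attestations" described under The Core Problem. The record fields, evidence categories, algorithm list and action names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: public-key algorithms a large quantum computer would break.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
# Assumption: evidence that does not depend on the device's own report.
INDEPENDENT_EVIDENCE = {"traffic_capture", "third_party_assessment",
                        "hardware_attestation"}

@dataclass
class Asset:
    name: str
    claims_crypto: bool                            # what device/vendor reports
    algorithms: set = field(default_factory=set)   # documented algorithms
    evidence: set = field(default_factory=set)     # how the claim was checked
    years_to_replacement: Optional[float] = None   # None: no replacement plan

def classify(asset):
    """Return (status, actions) for one inventory record."""
    if not asset.claims_crypto:
        status = "no_crypto_claimed"
    elif asset.evidence & INDEPENDENT_EVIDENCE:
        status = "verified"
    else:
        status = "empty_attestation"   # claim with nothing independent behind it
    actions = []
    if asset.claims_crypto and not asset.algorithms:
        actions.append("request_vendor_crypto_documentation")
    if asset.algorithms & QUANTUM_VULNERABLE:
        actions.append("plan_post_quantum_migration")
    if status != "verified":
        if asset.years_to_replacement is None:
            actions.append("apply_compensating_controls")
        else:
            actions.append("require_attestation_in_replacement")
    return status, actions

INVENTORY = [  # constructed sample records, not real devices
    Asset("substation-rtu-07", True, {"RSA"}),
    Asset("water-plc-02", True, years_to_replacement=1.5),
    Asset("scada-gateway-01", True, {"ECDH", "AES"}, {"traffic_capture"}, 6),
    Asset("legacy-hmi-11", False),
]

def audit(inventory):
    """Map each asset name to its (status, actions) so blind spots are listed."""
    return {a.name: classify(a) for a in inventory}

if __name__ == "__main__":
    for name, (status, actions) in audit(INVENTORY).items():
        print(f"{name:20} {status:18} {', '.join(actions)}")
```

A vendor datasheet or the device's own status page does not count as evidence here, so an asset backed only by those still lands in `empty_attestation`.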


For Vendors and Manufacturers:


  • Design for Verifiability: New OT systems should include attestation capabilities from the ground up, even if current market demand is limited.

  • Standardize on Common Platforms: Where feasible, use industry-standard cryptographic libraries and hardware security modules to enable third-party verification.

  • Publish Security Documentation: Detailed technical documentation allows security researchers to audit implementations, building credibility and identifying issues proactively.

For Policymakers and Standards Bodies:


  • Establish OT Attestation Standards: Develop frameworks that account for OT constraints (resource limitations, long lifecycles, vendor diversity).

  • Mandate Attestation for New Systems: Require cryptographic attestation capabilities in OT systems used in critical infrastructure, with phased timelines for legacy system upgrades.

  • Fund Research: Support development of lightweight attestation mechanisms suitable for embedded OT hardware.

## The Path Forward

The cryptographic readiness crisis in OT cannot be solved by IT security tools alone. Organizations cannot wait for perfect attestation solutions to emerge—the threat landscape is evolving faster than standards bodies can respond.

Immediate actions matter: Inventory cryptographic implementations, identify blind spots, and implement compensating controls. Simultaneously, push vendors to provide transparency and verifiability, even if formal attestation mechanisms don't yet exist.

Post-quantum cryptography will not solve OT security challenges if organizations cannot verify that implementations actually work. Filling the attestation gap is as urgent as deploying quantum-resistant algorithms themselves. Until OT systems can prove their cryptographic readiness, critical infrastructure remains vulnerable to sophisticated adversaries who know exactly what protections they're circumventing.