Industry Use Case · Utilities & Critical Infrastructure · Post-Quantum Ready, Continuously™
Post-Quantum Readiness for an Electric Utility
A vendor-neutral, NERC CIP-aligned readiness brief for electric utilities, ISOs/RTOs, and critical-infrastructure operators with decades-lived OT/SCADA assets and control-center data exchange.
Company-reported · not independently audited
01 / Executive Summary
What an electric utility buys, and why
A composite mid-size investor-owned electric utility we call Cascade Grid & Power carries the same quantum-cryptography exposure as every operator of the bulk electric system: classical cryptography protects its SCADA and operational-technology networks, its control-center data exchange, and its grid-vendor remote access.[1] Grid assets stay in service for decades, and adversaries have been observed pre-positioning inside critical-infrastructure networks — the conditions for long-term harvest-now, decrypt-later collection.
Qtonic Quantum Corp engages a utility under a phased, vendor-neutral program that runs 12 to 18 months and begins with a scoped paid proof-of-concept. Deliverables include a cryptographic bill of materials, a hardware-backed demonstration and resource-estimate validation against the operator’s deployed primitives, a five-phase migration roadmap built around hybrid X25519+ML-KEM-768 deployment, and an independent attestation from the Qtonic Quantum Lab signed with ML-DSA, the NIST FIPS 204 signature family.
Regulatory pressure
NERC CIP is mandatory and enforced, with penalties up to $1M per day per violation (NERC Sanction Guidelines maximum). CIP-012 confidentiality and CIP-015 internal-network-monitoring obligations are tightening; PQC migration supports them.
Threat signal
Published 2026 cryptanalysis resource estimates lowered the qubit budget for ECC P-256 by one to two orders of magnitude in a single quarter. Resource estimates under stated assumptions, not demonstrated capability.
Field baseline
Qtonic Quantum company-reported Fortune-1000 PQC readiness averages 18/100 across its governed engagements. Not independently audited.
The compliance window is already closing. The cryptographic primitives protecting Cascade’s SCADA and field devices, control-center and ICCP traffic, and vendor remote-access PKI are inside the NIST 2030–2035 transition window. The engagement retires them in order of risk, on a sequence that respects maintenance windows, outage schedules, and the reality that a substation cannot be patched like a laptop.
[1] Cascade Grid & Power is a composite, illustrative electric utility — not a real company and not based on any single operator. Threat activity attributed to Volt Typhoon is described solely from the joint CISA/NSA/FBI advisory AA24-038A (Feb 7, 2024) and related public reporting (public sources / not a Qtonic Quantum client). See Notices.
02 / The Signal
Two papers, one regulatory clock, adversaries already pre-positioning
The trigger for board-level urgency is not a single paper. It is two cryptanalysis results in one quarter, a mandatory regulatory framework, and a nation-state adversary observed pre-positioning. In March 2026, the Google Quantum research team and co-authors published updated elliptic-curve resource estimates for secp256k1, and a Caltech / Oratomic neutral-atom paper placed ECC P-256 discrete logs within roughly 26,000 physical qubits under fast-architecture, qLDPC assumptions, with RSA-2048 one to two orders of magnitude longer. Both present resource estimates under stated assumptions, not demonstrated capability against production systems. Balanced and slow-architecture configurations remain subject to substantial engineering challenges.
NERC CIP is the mandatory, enforceable cybersecurity framework for the North American bulk electric system, approved and enforced by FERC. It does not yet name a post-quantum deadline, but CIP-005, CIP-012, CIP-013, and CIP-015-1 impose confidentiality, monitoring, remote-access, and supply-chain obligations that PQC migration supports. NIST IR 8547 (initial public draft) describes deprecating quantum-vulnerable public-key cryptography after 2030 and broadening disallowance after 2035.[2]
NERC CIP
Mandatory and enforceable; up to $1M/day/violation. Confidentiality, monitoring, remote-access, and supply-chain obligations PQC supports. Does not yet mandate PQC. Public source: CIP-005/012/013/015-1; NERC Sanction Guidelines.
FERC oversight
FERC approves and enforces NERC CIP for the bulk electric system — the backstop behind CIP penalties. Public source: FERC orders approving NERC standards.
CISA / DHS PQC
Critical-infrastructure PQC-migration push; non-binding for private operators but shapes supervisory expectation. Public source: CISA PQC readiness guidance; EO 14144 (Jan 2025).
NIST IR 8547 — after 2030
Deprecates quantum-vulnerable public-key cryptography after 2030 (planning anchor, draft). Public source: NIST IR 8547 initial public draft.
NIST IR 8547 — after 2035
Disallowance horizon after 2035; grid asset life (20–40 yr) exceeds it. Public source: NIST IR 8547 initial public draft.
Q-Day 2029
A Qtonic Quantum internal planning assumption (2029), not a NIST date and not a prediction.
Threat active now
Volt Typhoon pre-positioned in critical-infrastructure IT networks; footholds observed up to five years (public sources / not a Qtonic Quantum client). Public source: CISA/NSA/FBI AA24-038A (Feb 7, 2024).
[2] This is Qtonic Quantum risk framing, not legal or regulatory advice. NERC CIP does not currently mandate post-quantum cryptography; specific obligations vary by registered entity, function, and Regional Entity. The 2029 reference is a Qtonic Quantum planning assumption, not a NIST date and not a prediction. NIST IR 8547 is an initial public draft. Sources: NERC CIP Reliability Standards (CIP-005/012/013/015-1); NERC CIP Roadmap (Jan 2026); NIST IR 8547 initial public draft; CISA/DHS PQC guidance; EO 14144; Verizon 2026 DBIR; Datadog State of DevSecOps 2026.
03 / Exposure
Where classical cryptography touches the grid
Four cryptographic domains, every one running on classical RSA / ECC primitives today. A cryptographic bill of materials is the prerequisite for any defensible migration plan.
01 · OT / SCADA & Field Devices
SCADA & EMS/DMS · Protective relays & RTUs · DNP3 / IEC 61850 / Modbus · 20–40 year service lives
Service lives of 20 to 40 years put a device deployed today in the field past any plausible CRQC date — the textbook harvest-now, decrypt-later condition. CISA/NSA/FBI AA24-038A assessed with high confidence that PRC state-sponsored Volt Typhoon pre-positioned on IT networks to enable lateral movement toward OT across energy and other critical-infrastructure sectors.
Public sources — CISA/NSA/FBI AA24-038A. Not a Qtonic Quantum client.
02 · Control-Center & ICCP Data
Inter-control-center protocol (ICCP) · Real-time operational data · NERC CIP-012 in-transit confidentiality · TLS / PKI
ICCP links carry real-time operational data, and CIP-012 requires protecting its confidentiality and integrity in transit, served today by TLS/PKI. In AA24-038A the authoring agencies reported Volt Typhoon maintaining footholds in some victim IT environments for at least five years — long enough to capture and hold encrypted control-center traffic.
Public sources — CISA/NSA/FBI AA24-038A. Not a Qtonic Quantum client.
03 · Vendor & Remote Access
Relays, RTUs, DERMS platforms · Managed services · CIP-005 remote access · CIP-013 supply chain
Vendor remote access governed by CIP-005, with supply-chain controls under CIP-013, is the natural breach path into OT. Volt Typhoon's documented method is living-off-the-land through valid accounts and trusted connections, which makes vendor VPNs and jump hosts the path of least resistance. Larger PQC signatures change the byte budget on every handshake (see Section 7).
Public sources — CISA/NSA/FBI AA24-038A. Not a Qtonic Quantum client.
04 · Compliance Surface
NERC CIP High/Med/Low ratings · CIP-012 confidentiality · CIP-015 monitoring · CIP-013 supply chain · Regional-Entity audits
The compliance surface converges on one point: cryptographic primitives must be auditable, deprecation-aware, and forward-compatible. A utility that cannot produce a cryptographic inventory will struggle to evidence the confidentiality obligations it already carries.
04 / Counterparty
Why Qtonic Quantum
Qtonic Quantum Corp is a Florida profit corporation headquartered at 1000 Biscayne Blvd, Miami FL 33132, converted from Qryptonic LLC effective February 20, 2026. SAM.gov UEI FRYFAD3GW5W5. CAGE 14E99. A procurement officer can verify the counterparty in minutes. The company is vendor-neutral — no HSM, no PKI product, no TLS appliance for sale, and no conflict with the OT vendors a utility already runs. Governance and defense adjacency are provided by the Defense Innovation Council, chaired by Lt. Gen. Mark E. Weatherington, USAF (Ret.), and the Allied Defense Council, founding-chaired by Lt. Gen. Roger L. Cloutier Jr., USA (Ret.).
“I spent my career in environments where encryption failure means mission failure. Qtonic Quantum applies that standard to enterprise systems.”
Four tools, one closed loop
QScout — Find
External-first cryptographic risk and vulnerability intelligence. CycloneDX 1.7 CBOM across 15 compliance frameworks. Tiers: QScout Free, Surface, Silver, Gold, Pulse. QScout is not a penetration test; paid tiers run under written authorization.
QStrike — Prove
Hardware-backed demonstration and resource-estimate validation against a bounded 2030–2031 quantum-equipped adversary model. It does not claim present-day RSA-2048 or ECC-256 break capability. $2M Challenge commercially underwritten.
QSolve — Fix
Five-phase migration roadmap (Inventory, Risk & Debt, Prioritization, Hybrid Deployment via X25519+ML-KEM-768, QStrike Validation). The hybrid primitive is already in production at Cloudflare, Google Chrome, and AWS KMS.
The QStrike quantum-cloud platform set
QStrike executes bounded validation workloads on commercial quantum hardware reached through the multi-vendor aggregator AWS Braket and direct provider clouds. The execution set is six platforms across four physical modalities — superconducting, trapped-ion, neutral-atom, and annealing.
| Platform | Modality | Access route | QStrike role |
|---|---|---|---|
| IBM Quantum | Superconducting | Direct (IBM Quantum Platform) | Gate-model adversary-circuit modeling on bounded instances; cross-vendor consistency |
| Rigetti | Superconducting | AWS Braket | Bounded gate-model workloads; superconducting cross-check |
| IonQ | Trapped-ion | AWS Braket; direct | High-fidelity bounded statistical validation and sampling verification |
| Quantinuum | Trapped-ion | Direct (Quantinuum Nexus) | High-fidelity bounded validation; trapped-ion cross-check |
| QuEra | Neutral-atom | AWS Braket | Analog Hamiltonian sampling for selected combinatorial attack-chain modeling |
| D-Wave | Annealing | D-Wave Leap (direct); AWS Marketplace | Combinatorial candidate prioritization and bounded search-space exploration |
Six platforms across four physical modalities, reflecting platforms commercially cloud-accessible as of June 2026, subject to provider access terms and engagement-specific availability. Google Quantum research team’s Willow and other non-commercial research processors are used only as published-benchmark calibration inputs to the adversary model; they are not part of the QStrike execution set, and QStrike does not run customer workloads on them.
Company-reported · not independently audited
05 / Engagement
Find → Prove → Fix → Credential
Each phase produces a discrete artifact the next phase consumes, usable as input for a NERC CIP auditor, a Regional Entity reviewer, a cyber insurer, or a board. Continuous re-attestation feeds the cycle.
01 · Find — QScout
CycloneDX 1.7 CBOM · NIST-aligned scan across corporate IT, control-center, a representative substation/OT segment, and vendor remote access
02 · Prove — QStrike
Hardware-backed validation report against a bounded 2030–2031 adversary model; no present-day break claim
03 · Fix — QSolve
Sequenced migration plan on hybrid X25519+ML-KEM-768, respecting maintenance windows and outage schedules
04 · Credential — the Lab
Vendor-neutral score; ML-DSA-signed attestation; re-attestation cadence the utility can include in its own audit evidence package
Mid-size electric utility scale; four phases over 12 to 18 months from a scoped proof-of-concept. Scope drivers: BES asset count, control-center and substation scope, OT segmentation, and vendor cooperation. Commercial terms are provided under NDA at scoping. The Lab’s assessment spans 215 reference implementations (company-reported).
06 / Outcomes
Business outcomes
The engagement produces a cryptographic inventory, a validated migration plan, and a signed attestation that support NERC CIP audit preparation, CIP-012 confidentiality documentation, cyber-insurance renewals, and board risk reporting against the 18-of-100 company-observed baseline. These artifacts are technical inputs; they do not determine compliance or guarantee any audit outcome. The business case is a comparison, not a promise.
$1M / day
Up to, per NERC CIP violation per day (NERC Sanction Guidelines maximum). Statutory ceiling, not a typical assessment.
20–40 yr
Grid asset service life; exceeds any plausible Q-Day estimate, which is what makes harvest-now, decrypt-later the operative risk.
5+ years
Volt Typhoon footholds observed in some victim IT environments. Public sources — CISA/NSA/FBI AA24-038A; not a Qtonic Quantum client.
The engagement is priced against a risk category where sustained penalty exposure can be material. Exposure framing, not a savings guarantee.
07 / Honest Pushback
Devil’s advocate
The strongest version of QStrike is not that quantum computers can break production cryptography today. The defensible claim is narrower and more valuable: QStrike shows which current implementation defects, weak protocol choices, leakage patterns, and migration gaps are likely to matter first when quantum-capable adversaries arrive.
Vendor non-cooperation
Relay, RTU, and DERMS suppliers move at different paces. Where a vendor cannot supply hybrid X25519+ML-KEM-768 in the window, QSolve sequences compensating controls and gives procurement the evidence to require a deprecation date in vendor contracts and CIP-013 documentation. The CBOM is the leverage instrument.
Scope creep in OT
Every substation, relay, RTU, and field device can absorb the budget if scope is unbounded. The engagement scopes OT explicitly at the Find phase by impact rating, with QStrike validation focused where HNDL or signature-forgery risk is highest.
Constrained devices and real-time limits
PQC primitives are larger (per FIPS 204, an ML-DSA-65 signature is 3,309 bytes with a 1,952-byte public key; per FIPS 203, an ML-KEM-768 public key is 1,184 bytes). Many relays and RTUs were never sized for that, and substation protocols carry hard real-time constraints. Cloudflare's October 28, 2025 report notes the deployed X25519+ML-KEM-768 hybrid 'has already incurred a 4% slowdown in TLS handshake time.' This brief treats the extrapolation to constrained OT hardware as an engineering risk model, not a settled result; migration stages corporate and control-center endpoints first, with field-device cryptography sequenced only after QStrike validation.
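A byte-budget model for the size concern above, as an added example that is not part of the original brief or any Qtonic Quantum tooling. It counts only key and signature material in a TLS 1.3-style handshake; the ECDSA P-256 sizes, the two-certificate chain, the link rates and the 2-second budget are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Sizes in bytes. The ML-DSA-65 and ML-KEM-768 public-key figures are the ones
# the brief quotes; the ML-KEM-768 ciphertext size is the FIPS 203 value.
X25519_SHARE = 32
MLKEM768_PUBLIC_KEY = 1184
MLKEM768_CIPHERTEXT = 1088


@dataclass(frozen=True)
class SigScheme:
    name: str
    public_key: int
    signature: int


ECDSA_P256 = SigScheme("ECDSA P-256", 65, 64)  # assumed: uncompressed point, raw r||s
ML_DSA_65 = SigScheme("ML-DSA-65", 1952, 3309)


def kex_bytes(hybrid: bool) -> int:
    """Client key share plus server key share."""
    if not hybrid:
        return 2 * X25519_SHARE
    client = X25519_SHARE + MLKEM768_PUBLIC_KEY   # encapsulation key goes out
    server = X25519_SHARE + MLKEM768_CIPHERTEXT   # ciphertext comes back
    return client + server


def auth_bytes(scheme: SigScheme, chain_len: int) -> int:
    """Key and signature material only: each certificate sent carries one
    public key and one signature, and the handshake adds one more signature."""
    return chain_len * (scheme.public_key + scheme.signature) + scheme.signature


def handshake_bytes(hybrid: bool, scheme: SigScheme, chain_len: int = 2) -> int:
    return kex_bytes(hybrid) + auth_bytes(scheme, chain_len)


def wire_seconds(n_bytes: int, link_bps: int) -> float:
    """Serialization delay only; ignores framing, retries and crypto compute."""
    return n_bytes * 8 / link_bps


PROFILES = {
    "classical": (False, ECDSA_P256),
    "hybrid-kex": (True, ECDSA_P256),
    "hybrid-kex+ml-dsa": (True, ML_DSA_65),
}


def fits(link_bps: int, budget_s: float, chain_len: int = 2) -> dict:
    """Map each profile to (bytes, seconds, within_budget) for one link."""
    out = {}
    for name, (hybrid, scheme) in PROFILES.items():
        n = handshake_bytes(hybrid, scheme, chain_len)
        t = wire_seconds(n, link_bps)
        out[name] = (n, round(t, 2), t <= budget_s)
    return out


if __name__ == "__main__":
    for bps in (9_600, 1_000_000):  # constructed link rates, not from the brief
        print(bps, fits(bps, budget_s=2.0))
```

Under these assumptions the signature material, not the hybrid key exchange, dominates the growth, which is why the certificate chain length is worth inventorying per link before field-device cryptography is sequenced.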
Four questions to ask any post-quantum vendor
| Question | Qtonic Quantum answer |
|---|---|
| Do you sell the cryptography you assess? | No. The Lab scores what is on the market, not Qtonic Quantum products. |
| How does QStrike evidence the threat work? | QStrike uses controlled demonstrations and resource modeling. It does not claim present-day RSA-2048 or ECC-256 break capability. |
| Will I receive a signed, third-party-readable attestation? | The Lab issues attestations digitally signed using ML-DSA (NIST FIPS 204). |
| What is your scanner output format? | QScout produces CycloneDX 1.7 cryptographic bills of materials that ingest into existing SBOM tooling. |
08 / Next Step
Start with a scoped proof-of-concept
Scoped to a representative slice of corporate IT plus one control-center or substation segment. Commercial terms are provided under NDA at scoping. 30-day kickoff from countersignature.
Week 1 — Scoping & access
Scoping calls, NDA execution, dataroom access.
Weeks 2 & 3 — QScout deployment
NIST-aligned scan across agreed scope. CBOM generation.
Week 4 — Findings review
CycloneDX CBOM delivered. Decision point on the Find engagement.
Notices
Notices & disclaimers
Forward-looking statements. Future events, timelines, and capabilities are forward-looking and may differ materially. The 2029 reference is a Qtonic Quantum planning assumption, not a prediction. Cited resource estimates are resource estimates, not demonstrations against production systems.
Company-reported metrics. “100,000+ findings,” “99% HNDL exposure signal,” “PQC readiness average 18/100,” “no OpenSSL-verified false positives observed,” and “215 implementations evaluated” are company-reported, not independently audited. Request methodology before relying on them.
QStrike capability scope. QStrike provides hardware-backed demonstrations and resource-estimate validation against deployed primitives. It does not claim, and should not be interpreted as claiming, present-day capability to break, decrypt, or forge signatures against production RSA, ECDSA, ECDH, or related classical primitives at full parameter sizes.
Standards & regulatory references. NERC CIP does not currently mandate post-quantum cryptography; obligations vary by registered entity, function, and Regional Entity. NIST IR 8547 is an initial public draft. FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) are published standards. Use of ML-DSA for Lab attestations does not by itself imply FIPS 140-3 module validation. This page is risk framing, not legal or regulatory advice.
Composite illustration; industry incidents. “Cascade Grid & Power” is a composite, illustrative electric utility — not real, not based on any single operator, not a Qtonic Quantum client. Volt Typhoon activity is described solely from CISA/NSA/FBI AA24-038A and related public reporting. The $1M/day figure reflects the NERC Sanction Guidelines maximum.
No public commercial terms; no binding offer. This page does not contain public commercial terms. Commercial terms are provided under NDA at scoping. No part constitutes a binding offer.
No warranty; no guarantee of compliance outcomes. Deliverables are advisory. They do not guarantee any NERC CIP, Regional Entity, FERC audit outcome, cyber-insurance outcome, or breach prevention.
Third-party trademarks & sources. NERC, FERC, CISA, and all other marks are the property of their owners; reference is descriptive, not endorsement. Market statistics are attributable to their publishers, not to Qtonic Quantum.
Export control. Products and services may be subject to the EAR and possibly ITAR depending on configuration; classifications are confirmed at scoping.
Governing law. Florida law; disputes per the executed engagement letter. © 2026 Qtonic Quantum Corp.