Businesses cannot afford to ignore the quantum threat to their IoT infrastructure, industry leaders warned in IoT Insider’s first-ever live webinar, held on Tuesday 3 March.
While a commercially viable quantum computer capable of breaking today’s encryption is not yet here, the time to prepare is now.
“I think it’s closer than it’s ever been. You know, it’s sort of my view. We definitely see quantum accelerators on the roadmap… it’s closer than that. I wouldn’t be surprised if we saw hardware options in the not too distant future,” said Scott Shaffer, VP & Chief Technologist, Compute at HPE.
“The threat, in my mind, isn’t just decrypting data streams — it’s protecting the infrastructure. If someone can compromise the firmware in your devices, then they don’t need to decrypt the data; they’re already on the device, and they can mess with it. That’s the real concern.”
The warning underscores the growing urgency for businesses to prepare for the era of commercially viable quantum computers, which experts believe will eventually render conventional encryption, including RSA and ECC, vulnerable. Shaffer emphasised that early mitigation is essential. “It’s not easy to do this in firmware in the very beginning. Putting in place robust authentication today is critical, because if the base layer of your device is compromised, it doesn’t matter whether your OS is secure.”
Ben Packman, Chief Strategy Officer at PQShield, highlighted that preparation is a race against time. “We are ahead of the threat right now, but the time to act is today. You need to build crypto agility into your platforms and ensure your IoT devices are PQC-ready. That’s not about panic — it’s about being proactive so that in 2030 or 2035, you’re not forced to replace everything.”
Packman pointed to high-value targets like pharmaceuticals and energy infrastructure. “Harvest now, decrypt later is a very real strategy. If someone steals data today and waits until a quantum computer is capable of breaking it, that information could become incredibly valuable. But more critical still is the risk to infrastructure itself — once attackers compromise firmware, they control the device and the data it handles.”
Thorsten Stremlau, Systems Principal Architect at Nvidia and Marketing Group Chair for the Trusted Computing Group, stressed the role of standards and supply chain engagement. “Start with an assessment. Identify what’s critical and what isn’t. Work with device manufacturers, integrators, and your own teams. It’s a partnership. You can’t do this in a vacuum. And for long-lived IoT devices, a plan today is crucial to ensure security over a 10- to 15-year lifecycle.”
Standards are evolving rapidly, with NIST, the Trusted Computing Group, and national bodies providing guidance on post-quantum cryptography (PQC). Stremlau explained: “The NIST algorithms are the reference point. Cloud providers are beginning to implement post-quantum TLS and other protections. From 2027, make devices PQC-ready; from 2030, implement PQC. By 2035, governments expect compliance. Don’t wait to get started.”
The panel also highlighted that implementation, not just algorithms, is where security is most vulnerable. Packman noted, “Algorithms are fine. Implementation is where holes appear. That’s why collaboration across the industry is so important. You want multiple experts globally reviewing solutions. You don’t write your own cryptography in isolation.”
Testing quantum resilience today remains challenging. Shaffer cautioned: “You can’t run Shor’s algorithm on a simulator in any meaningful timeframe. What you can do is survey your devices, understand the cryptography they use, and know which parts are at risk. That’s your starting point.”
For businesses worried about cost, the panel was clear that proactive measures can align with normal refresh cycles. Stremlau said, “This doesn’t have to be a massive, expensive programme. Integrate PQC into your ongoing updates and infrastructure refreshes. It’s about small, incremental changes — build security in rather than bolt it on later.”
Staff education was another priority. Stremlau recommended accessible resources: “Quantum computing isn’t one plus one. Educate your teams. Start building awareness now so that your organisation and supply chain are ready.”
The discussion concluded with a reminder that quantum threats are universal, but risk is contextual. Shaffer reiterated, “Not every data stream is high value, but every device can be a target. Protect the firmware and the infrastructure first. That’s the real quantum threat.”
The session, featuring insights from Shaffer, Packman, and Stremlau, is now available to watch on demand via the link below.
