The standard PQC-migration narrative goes: NIST has shipped Kyber, Dilithium, and SPHINCS+; major TLS libraries have hybrid PQC modes; therefore the timeline question is solved. Crank the rotation, ship the new libraries, done by 2030.
That narrative works for TLS because TLS lives in software that gets shipped continuously. Browsers update weekly. Cloud-native services roll out new ciphers in days. Even the long tail of corporate VPN appliances will be patched within firmware-rotation cycles measured in years, not decades.
Industrial control systems do not work like that. The honest planning question for a utility CISO is not "can we be ready by 2030?". It is "what do we deploy in 2026 that is still safe in 2035?". The two questions look similar but they imply completely different procurement strategies.
Five concrete reasons ICS migration is an order of magnitude harder than TLS:
01 Asset lifecycles are 15–25 years
A SCADA RTU installed in 2010 is not getting replaced in 2030 unless it physically fails. The fleet of devices currently running RSA-2048 includes hardware that was state-of-the-art when Obama was first elected. Procurement cycles in regulated utilities and process industries are measured in 5–7 year planning horizons; replacement of an installed base typically takes 2–3 such cycles. PQC migration on this fleet is a 10–20-year program, not a software upgrade.
02 Change windows are not negotiable
Pushing a TLS library update to a web server is a five-minute task with rollback. Pushing firmware to a programmable logic controller in a chemical plant requires a planned shutdown, regulator notification, lockout-tagout procedures, hot-cutover testing on a parallel system, and post-deployment validation against safety cases. The window for any such change might open once per year. If the new firmware fails, the plant doesn't browse to a different site — it stops producing.
03 Vendors can't always ship firmware
Many ICS device vendors do not have remote-update infrastructure. The replacement-by-shipping-CDs model isn't entirely gone. Some vendors no longer exist; their devices still run. Some vendors have been acquired three times since the device was installed and the original firmware build chain is lost. The TLS world's assumption that "everyone can patch" simply does not hold.
04 HSMs are sized for RSA, not Kyber
Hardware Security Modules deployed across critical infrastructure have memory and timing budgets calibrated for ECDSA-P256 and RSA-2048. Kyber-768 keys are 1184 bytes; Dilithium2 signatures are 2420 bytes. Many HSMs cannot hold these in working memory while serving the existing operational load. The migration plan that says "swap in PQC libraries" often turns into "replace the HSMs", which means a new procurement, new certification, and new deployment timeline.
05 Standards layer above the crypto layer
TLS migration only requires changing the crypto. ICS migration requires changing the crypto plus the protocol that uses it. Modbus, DNP3, IEC 61850, OPC UA, and BACnet were specified before PQC was a meaningful concept. They have authenticated-mode profiles that are RSA/ECC-shaped. Re-profiling them for PQC is a multi-year standards effort happening in ISA99, IETF LAKE, and IEC TC 57. None of those efforts are done.
The honest planning question is not "can we hit 2030"; it is "what do we deploy now that survives 2035".
So what should utilities do?
Four practical moves that work today, even with the timeline reality:
- Crypto-agility audit. Inventory every long-lived secret in the fleet, by lifetime. Anything with a 10-year confidentiality requirement is currently at risk under harvest-now-decrypt-later, regardless of when a cryptographically relevant quantum computer (CRQC) arrives.
- Hybrid where you can. Where the protocol allows it, run classical + PQC in parallel. Hybrid handshakes survive the failure mode where either primitive is broken.
- Plan for HSM replacement, not HSM upgrade. Budget for new key infrastructure. Treat firmware updates that claim "PQC support" with skepticism unless backed by certified hardware.
- Engage the standards-layer fix early. ISA99 and IETF LAKE need utility participation, not just academic and vendor input. The protocols you'll deploy in 2030 are being decided now.
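One way to start the crypto-agility audit from the first move, as an added example that is not from the original article: it triages a constructed inventory using the article's 10-year confidentiality threshold and 2035 planning horizon. The record fields, finding labels, asset names and the ECDH-P256 entry are assumptions made for illustration.

```python
# Added example: crypto-agility audit triage over a CONSTRUCTED inventory.
from dataclasses import dataclass

# RSA-2048 and ECDSA-P256 are named in the article; ECDH-P256 is an assumption.
CLASSICAL = {"RSA-2048", "ECDSA-P256", "ECDH-P256"}
HNDL_YEARS = 10   # article's threshold: 10-year confidentiality requirement
HORIZON = 2035    # article's planning horizon

@dataclass
class Secret:                 # hypothetical record layout
    asset: str
    algorithm: str
    use: str                  # "confidentiality" or "authentication"
    secrecy_years: int        # how long the protected data must stay secret
    replace_year: int         # planned hardware replacement year
    field_updatable: bool     # can firmware be changed in place?

def triage(s: Secret) -> list[str]:
    """Return the findings for one inventory record."""
    findings = []
    if s.algorithm not in CLASSICAL:
        return findings
    # Traffic recorded today can be decrypted later, so this applies now.
    if s.use == "confidentiality" and s.secrecy_years >= HNDL_YEARS:
        findings.append("HNDL")
    # Classical crypto that will still be in service at the horizon.
    if s.replace_year >= HORIZON:
        findings.append("IN_SERVICE_AT_HORIZON")
        if not s.field_updatable:
            findings.append("NEEDS_HARDWARE_REPLACEMENT")
    return findings

def audit(inventory: list[Secret]) -> dict[str, list[str]]:
    """Map asset -> findings, assets with the most findings first."""
    report = {s.asset: triage(s) for s in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample inventory (not real assets).
INVENTORY = [
    Secret("historian-vpn", "RSA-2048", "confidentiality", 10, 2029, True),
    Secret("plc-firmware-signing", "ECDSA-P256", "authentication", 0, 2040, True),
    Secret("rtu-substation-12", "RSA-2048", "confidentiality", 15, 2038, False),
    Secret("eng-workstation-link", "ECDH-P256+Kyber-768", "confidentiality", 20, 2031, True),
]

if __name__ == "__main__":
    for asset, findings in audit(INVENTORY).items():
        print(f"{asset:22} {', '.join(findings) or 'no finding'}")
```

The hybrid record produces no finding because its algorithm label is not in the classical set; a signing key never gets the HNDL finding because recorded signatures reveal nothing to decrypt later.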
The TLS story makes PQC migration sound like a fast software problem. The ICS reality is closer to "replace 80% of the cryptographic substrate of every plant in your fleet, on a 20-year clock, while the operational technology continues running." Calling that migration understates the work.