The Post-Quantum Reality—Why IoT Security Must Adapt Now

The Urgency of Post-Quantum Readiness 

The quantum era isn’t a hypothetical—it’s happening. On February 19, Microsoft doubled down on its quantum computing roadmap, signaling that real-world applications aren’t decades away. This should set off alarm bells for anyone responsible for securing IoT devices. The cryptographic foundations we rely on today—RSA and ECC—will be broken in a post-quantum world. The time to prepare isn’t in five years—it’s now. 

DigiCert is leading the charge on post-quantum cryptography (PQC) readiness, ensuring organizations aren’t caught off guard when regulatory bodies and industry standards start mandating quantum-safe security. 

Government agencies, regulatory bodies, and global cybersecurity frameworks are already incorporating PQC. The U.S. National Institute of Standards and Technology (NIST) finalized its first standardized quantum-safe cryptographic algorithms, while entities like CSA Matter and the EU’s Cyber Resilience Act are planning for post-quantum security requirements. 

IoT devices, with their long deployment lifecycles, are particularly vulnerable. Many devices in use today will still be operating when quantum computers reach cryptographic-breaking capability. Organizations must act now to ensure a smooth transition and avoid leaving their devices—and by extension, their entire ecosystems—exposed. 

How to Assess Your Readiness: 

1. Discover – Identify cryptographic dependencies across your devices using SBOMs, CBOMs, and HBOMs, assess vendor PQC roadmaps, and engage with industry standards bodies. 
2. Test – Upgrade cryptographic and TLS libraries to PQC-ready, FIPS 140-3 certified solutions, integrate with secure elements, and ensure compatibility with future-proof certificates and HSMs. 
3. Deploy – Automate software updates and PQC certificate issuance using an integrated device management and lifecycle security platform. 
4. Manage – Continuously secure and update devices with automated, scalable certificate and software lifecycle management. 

 The PQC Toolkit: Practical Steps for IoT Security 

Taking action doesn’t have to be overwhelming. We’ve built a practical set of assets to help security teams navigate PQC adoption: 

• PQC for Dummies eBook – Quantum computing is advancing by leaps and bounds. But how is quantum different from classical computing, and how will it affect you and your security? Here are your answers. 

• DigiCert’s Embedded Security Blog – TrustCore SDK is a versatile solution designed to streamline the integration of robust security features into IoT devices across various industries. The blog highlights how TrustCore SDK simplifies the development process and ensures device integrity, supports PQC, and protects data from development through retirement. 

• Post-Quantum Readiness for IoT Guide- Discussing the imminent threat quantum computing poses to current cryptographic methods in IoT. It outlines industry efforts, including NIST’s establishment of new PQC standards, and provides guidance for organizations to prepare their IoT infrastructures for a quantum-resilient future. 

 Now is the time to put a plan in motion. Waiting until quantum computers pose an active threat means you’re already too late. 

Industry News 

February 24, 2025: GSMA Releases Guidance on PQC for IoT 

• The GSMA has published a strategic guide on implementing post-quantum cryptography in IoT networks, emphasizing crypto-agility and resilience. (GSMA) 

February 6, 2025: Security Risks in Smart Home Appliances 

• A recent report highlights that many smart home devices, such as refrigerators and thermostats, become vulnerable to cyberattacks as they age and cease receiving security updates. Without ongoing support, these devices can be exploited, posing risks to both home networks and broader security infrastructures.  (The Verge) 

January 7, 2025: Reuters- Internet-connected devices can now have a label that rates their security 

• The U.S. Cyber Trust Mark, a labeling program for secure smart devices, will roll out this year to help consumers identify cybersecurity-compliant IoT products. (Reuters)  

Upcoming Events 

Embedded World 2024  | Nuremberg, Germany 

• When: March 11-13, 2025 

• Where:  NürnbergMesse - Hall 5, Booth 5-177 

• Detail: DigiCert and Reply are partnering to bring quantum-resistant security to connected devices. At Embedded World 2024, we’ll be showcasing post-quantum cryptography (PQC) solutions, secure device identity, and real-world implementations of hybrid certificate architectures. Visit us at Booth 5-177 to see live demos and discuss how we’re securing the next generation of connected devices. 

• Featured Presentation: Quantum-Safe Security for IoT: What’s Next? by Kevin Hilscher, Sr. Director, Device Trust, DigiCert 

OpEd: The Real Threat of Quantum Computing to Device Security 

By Kevin Hilscher , Senior Director, Device Trust, DigiCert 

For years, post-quantum cryptography has been discussed in theoretical terms. But now, with Microsoft and other tech leaders accelerating quantum computing investments, it’s clear that “someday” is rapidly becoming “soon.” 

The implications for device security are immense. Today’s IoT devices, industrial control systems, medical devices, and automotive components rely on cryptographic algorithms that quantum computing will break. The risk isn’t just about the future—it’s about data being harvested now that could be decrypted later, when quantum computing reaches its critical threshold. This is known as the “Harvest Now, Decrypt Later” attack scenario, and it’s a real and present danger. 

What does this mean for organizations? It means the time for planning is over, and the time for execution is here. Regulators are already moving—look at NIST and CISA, which now have specific retirement dates and requirements for vulnerable cryptographic algorithms. Enterprises that don’t take action now will be playing a dangerous game of catch-up when compliance mandates roll out. 

The industry often warns of the “Harvest Now, Decrypt Later” threat—hackers stealing encrypted data today to decrypt once quantum computing advances. But our focus is on making sure customers are prepared for the future, not just reacting to threats. That’s why we take a different approach: “Design Now, Comply Today.” 

If you’re designing any hardware or software that will be in the field for more than five years, you need to start accommodating PQC now. This isn’t just about reacting to compliance requirements—it’s about ensuring your devices and systems remain viable, secure, and trusted in the long term. Organizations that integrate post-quantum cryptography into their product development cycles today will be the ones that lead tomorrow—not the ones forced into rushed, expensive retrofits. 

At DigiCert, we’re working directly with industry leaders to provide quantum-safe security solutions today—from ML-DSA certificates to post-quantum signing tools. The transition to PQC doesn’t have to be disruptive if organizations start early. The worst mistake security leaders can make right now is assuming they have time. 

The quantum clock is ticking. Are you ready? [Click here to schedule a meeting to discuss your next steps.] 

Partner Spotlight: DigiCert + Reply 

Securing the Future of Connected Devices 

In a world where IoT security is no longer optional, DigiCert and Reply are working together to simplify and accelerate post-quantum security adoption for connected devices. 

Reply brings deep expertise in IoT architectures, cloud security, and embedded systems, while DigiCert delivers industry-leading device identity, post-quantum cryptography (PQC), and certificate lifecycle management. Together, we help manufacturers and enterprises design, build, and deploy PQC-ready devices that meet future compliance requirements without disrupting existing workflows. 

Why This Partnership Matters for Customers: 

• Future-Proof Security – Integrated solutions that help device makers prepare for PQC today, before it becomes a mandate. 

• End-to-End Trust – From secure manufacturing to remote updates, we ensure devices remain protected throughout their lifecycle. 

• Accelerated Compliance – Get ahead of upcoming EU-CRA regulations with built-in security from design to deployment. 

• Proven Expertise – Combining DigiCert’s cryptographic leadership with Reply’s IoT and cloud security innovation. 

Join DigiCert & Reply at Embedded World 2024! We’re showcasing this partnership live at Booth 5-177—come see how we’re helping customers secure IoT for the post-quantum era. 

This newsletter is a publication by DigiCert, designed to keep you informed about the latest in device trust and security. We value your feedback and would love to hear your thoughts on this edition. If you have any topics you’d like us to cover in future editions, please let us know!