The modern digital supply chain is no longer a traditional linear sequence but a complex, interconnected ecosystem of suppliers, sellers, logistics providers, and customers.
PQC strengthens supply chain cybersecurity and ensures the security of IoT and operational technology devices.
While digital transformation greatly improves efficiency, it also exponentially expands the overall attack surface. In this model, risks are no longer isolated but systemic and cascading. Supply chain efficiency is built on an implicit digital trust model between partners, which is manifested through application programming interfaces (APIs), shared portals, and integrated software. However, this trust structure, built in pursuit of efficiency, has become a primary attack vector. Cybercriminals are no longer just breaking through firewalls; they are exploiting the fundamental fabric of digital collaboration. As a result, the traditional perimeter defense model is outdated. The new perimeter of defense is the entire supply chain ecosystem, and its security must be built on a zero-trust model enforced with cryptography.
Third-party or fourth-party vulnerabilities
Attackers often use the weakest link in the chain, typically a smaller, poorly secured vendor, as a springboard to infiltrate the network of their ultimate high-value target. This highlights a stark reality: an organization's security posture is only as strong as its least secure partner. This risk stems from the pursuit of supply chain efficiency, as the smooth operation of business processes requires granting partners a considerable degree of access. This expansion of access rights, without corresponding strict security controls, constitutes a systemic vulnerability based on excessive trust.
The fundamental role of traditional cryptography and its limitations
Current supply chain security relies heavily on traditional public key cryptography (such as RSA, ECC) to protect data in transit and at rest. Mitigation strategies such as data encryption (using AES), risk assessment, and incident response plans are crucial, but their effectiveness is built on the strength of these underlying cryptographic algorithms. While these methods are still effective against today's threats, the entire security foundation is fragile and faces an existential threat that will be the focus of the next section.
Quantum Horizons: A Paradigm Shift in Cryptographic Threats
Quantum computers use quantum mechanical principles such as superposition and entanglement to solve the mathematical problems (e.g., integer factorization, discrete logarithms) that form the security basis of today's public key cryptography (RSA, ECC, Diffie-Hellman). This is not a purely theoretical deduction, but a major engineering challenge on which rapid progress is being made. Once a quantum computer with sufficient scale and stability becomes available, the current encryption systems that protect global digital communications will fail in an instant.
"Harvest Now, Decrypt Later" (HNDL): An imminent danger
The Harvest Now, Decrypt Later (HNDL) attack transforms the quantum threat from a future problem into a present reality. The mechanism is that attackers, especially nation-state actors, are actively intercepting and storing large amounts of today's encrypted data. These attacks target information with long-term value, such as intellectual property, government secrets, financial records, medical data, and personally identifiable information (PII).
This means that by the time a "Cryptographically Relevant Quantum Computer" (CRQC) that can crack current encryption algorithms appears (an event known as "Q-Day", which is expected to arrive as early as 2035), the harvested data will be retroactively deciphered. Therefore, the security of any sensitive data transmitted today that requires long-term confidentiality is already at risk.
This attack pattern transforms a company's data retention policy into a huge potential security liability. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) often require organizations to retain data for an extended period. The HNDL attack vector turns this legal compliance requirement into a potential ticking time bomb. Organizations are legally required to encrypt data stored for years, making it an ideal target for HNDL attacks. This creates a direct conflict between compliance and security: the act of adhering to data retention regulations inadvertently creates vulnerabilities for future quantum decryption threats. Therefore, risk management and legal teams must be immediately involved in the migration strategy of post-quantum cryptography. This is no longer just an IT issue, but a simmering corporate governance and compliance crisis.
To learn the latest cybersecurity regulations and trends, download the hardware security whitepaper for free.
Post-Quantum Cryptography (PQC): Laying the foundation for quantum resilience
Definition of post-quantum cryptography
Post-quantum cryptography (PQC) refers to cryptographic algorithms that are designed to run on today's classical computers but are resistant to attacks from both classical and quantum computers. This distinguishes PQC from quantum cryptography, such as quantum key distribution (QKD), which requires specialized hardware. PQC's goal is to develop a new generation of public-key cryptographic systems based on mathematical problems that remain difficult even for quantum computers.
NIST PQC Standardization Process: A globally recognized mark
The National Institute of Standards and Technology (NIST) has led a multi-year, transparent, and collaborative global process to select and standardize the next generation of public key algorithms. This process is crucial in building trust in the new standard. The process began in 2016 with a public call for proposals, receiving 82 proposals from 25 countries and undergoing multiple rounds of rigorous public review and analysis in the global cryptography community.
The finalization of NIST standards is the starting gun that triggers a massive technology update cycle across the tech industry. It is not only an academic milestone but also a turning point in business and logistics. It directly prompted government agencies such as CISA and the National Security Agency (NSA) to issue migration directives, which in turn pushed major software vendors and hardware manufacturers such as Microsoft and Google to integrate these specific algorithms into their products. This ripple effect ultimately extends to enterprises, which must plan their migrations to maintain compatibility and security. NIST standards are the core domino that initiates PQC adoption worldwide.
Secure the edge: Protect IoT and operational technology equipment in the supply chain
Internet of Things (IoT) and operational technology (OT) devices face the biggest challenges in PQC migration for the following reasons:
* Long life cycle: The device may be used in the field for 10-20 years without replacement.
* Limited resources: Limited processing power, memory, and energy budgets.
* Lack of updatability: Many devices are not designed to allow easy firmware or cryptography updates.
The application of PQC in these areas will be gradual and there will be significant differences between the old and new systems. For "greenfield" systems, such as new IoT product lines, PQC can be integrated from the outset. For "brownfield" systems, such as existing factory OT equipment, the challenge is enormous, often requiring the entire hardware to be replaced. This means that the PQC migration of the supply chain will be a two-speed process. Businesses must prioritize the adoption of PQC in new systems while developing long-term, potentially costly, retirement or retrofit capital plans for existing assets that are not quantum-safe.
Use cases for PQC include:
* Industrial automation: Protecting communication between sensors, controllers, and management systems in factories and processing plants.
* Smart Infrastructure and Logistics: Protecting smart grid equipment, traffic control systems, and connected logistics sensors.
* Automotive V2X Communication: Securing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications to ensure security and prevent malicious manipulation.
* Healthcare Supply Chain: Ensuring the integrity and privacy of data from connected medical devices.
Conclusion and recommendations
Winbond's W77Q Secure Flash Memory is a robust solution for addressing the quantum threats mentioned above. Key PQC-safe features of the W77Q Secure Flash include:
* Platform Resilience: In accordance with NIST SP 800-193 recommendations, the system automatically detects unauthorized program changes and can automatically restore itself to a secure state to avoid potential cyberattacks.
* Secure Software Update and Rollback Protection: Supports remote secure software updates while preventing rollback attacks, ensuring that only legitimate updates can be executed. To maintain the highest level of security and integrity, the W77Q adopts the quantum-secure Leighton-Micali signature (LMS) algorithm recommended by NIST Special Publication 800-208 to ensure the authenticity and integrity of updated software, providing additional security.
* Secure Supply Chain: Secure Flash ensures the origin and integrity of flash content at every stage of the supply chain. The W77Q implements LMS-OTS-based remote authentication (NIST SP 800-208). This method effectively prevents content tampering and misconfiguration during assembly, transportation, and configuration, protecting the platform from cyberattacks.
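The following added illustration shows the LM-OTS one-time signature that LMS is built on, combined with a version check for rollback protection; it is not Winbond's code or the W77Q interface. It follows the LMOTS_SHA256_N32_W8 parameter set of RFC 8554, keeps signatures as Python tuples rather than the wire encoding, and the names `sign_update` and `accept_update` and the 4-byte version prefix are assumptions made for the example.

```python
import hashlib, hmac, os, struct

# LM-OTS with the LMOTS_SHA256_N32_W8 parameters (RFC 8554, used by SP 800-208).
N, W, P = 32, 8, 34                  # hash bytes, Winternitz width, chain count
D_PBLC, D_MESG = 0x8080, 0x8181      # domain separators for key and message hashes

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def chain(I, q, i, start, end, tmp):
    """Advance hash chain i from step `start` up to (not including) `end`."""
    for j in range(start, end):
        tmp = H(I, q, struct.pack(">HB", i, j), tmp)
    return tmp

def digits(I, q, C, msg):
    """Randomized message hash plus 16-bit checksum; with W=8 one byte = one digit."""
    Q = H(I, q, struct.pack(">H", D_MESG), C, msg)
    return Q + struct.pack(">H", sum(255 - b for b in Q))

def keygen(q_index):
    I, q = os.urandom(16), struct.pack(">I", q_index)
    x = [os.urandom(N) for _ in range(P)]                 # secret chain starts
    y = [chain(I, q, i, 0, 255, x[i]) for i in range(P)]  # chain ends
    return (I, q, x), (I, q, H(I, q, struct.pack(">H", D_PBLC), *y))

def sign(priv, msg):
    I, q, x = priv                   # each private key must sign exactly one message
    C = os.urandom(N)
    a = digits(I, q, C, msg)
    return C, [chain(I, q, i, 0, a[i], x[i]) for i in range(P)]

def verify(pub, msg, sig):
    I, q, K = pub
    C, y = sig
    a = digits(I, q, C, msg)
    z = [chain(I, q, i, a[i], 255, y[i]) for i in range(P)]  # finish every chain
    return hmac.compare_digest(H(I, q, struct.pack(">H", D_PBLC), *z), K)

def sign_update(priv, version, image):
    """Hypothetical vendor side: the version is covered by the signature."""
    return sign(priv, struct.pack(">I", version) + image)

def accept_update(pub, min_version, version, image, sig):
    """Hypothetical device side: authentic image AND no rollback below min_version."""
    msg = struct.pack(">I", version) + image
    return verify(pub, msg, sig) and version >= min_version
```

Because the version number is inside the signed message, an attacker cannot relabel an old image as new, and a validly signed old image is still refused by the version comparison.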
Winbond's secure flash solutions help system manufacturers meet industry regulatory compliance requirements, improve platform security, and improve supply chain information and communication security during production, shipping, and construction and operation.
To learn more about Winbond's advanced security solutions, visit Winbond's website or contact Winbond directly, or download the latest Hardware Security White Paper.
Article edited by Joseph Tsai