TelcoNews Australia - Telecommunications news for ICT decision-makers

Only 6% of SSH servers ready for post-quantum encryption

Forescout has released new research indicating that just 6% of SSH servers currently support post-quantum encryption, exposing a significant proportion of vital data to the risk of being harvested now and decrypted once quantum computers become a practical threat.

The findings highlight concerns for the long-term confidentiality of communications across public networks, Secure Access Service Edge tools, and critical data handled in sectors such as military, diplomatic, and proprietary corporate environments. Forescout has developed a patented technology that detects non-quantum-safe encryption across information technology (IT), operational technology (OT), and internet of things (IoT) systems, in an effort to support organisations confronting the quantum threat.

Quantum computing threat

Forescout's technology utilises continuous analysis of device encryption to identify vulnerabilities to quantum attacks. Developed in 2023 and patented in 2024, this approach forms the basis of Forescout's "Quantum-Safe Security Assurance" strategy. The strategy is designed to help organisations identify, assess, and close security gaps associated with post-quantum cryptography (PQC) across IT, OT, and IoT environments.

The urgency around quantum security readiness is highlighted by a recent study from Omnia, which found that 40% of manufacturers expect to see customer use of quantum technologies by 2026. This timeline increases the risks posed by "harvest now, decrypt later" attacks, where adversaries store encrypted data today with the intention of decrypting it in future using quantum technology.

"Quantum computing is no longer a far-off concept. It's a fast-approaching reality that will challenge the foundations of digital trust. Every organisation, public or private, needs to start thinking about post-quantum resilience across IT, OT, and IoT environments today. This is a rare opportunity to get ahead of a generational shift in cybersecurity before urgency overtakes strategy," said Barry Mainz, CEO of Forescout. 

Platform strategy

Forescout's approach is anchored by its 4D Platform, which applies a four-part methodology: detection, enforcement, mitigation, and control. The technology evaluates the cryptographic ciphers supported by devices, assesses their compliance with post-quantum standards, and identifies encryption risks. Because it operates at the network layer, the solution is capable of uncovering risky encryption use, even where devices attempt to obscure their security posture.

The four-pronged strategy delivered through the Forescout 4D Platform includes: detection of PQC-safe assets in real time for a full view over cryptographic postures; enforcement of segmentation to protect critical systems; mitigation through threat intelligence to match policy enforcement with real assets or misconfigurations; and control, which limits traffic from high-risk devices.

"As organisations prepare for a post-quantum future, detecting systems using outdated encryption is critical. Forescout is already delivering on this with our patented technology - the only solution that identifies non-quantum-safe ciphers in real time. Whether it's PHI from medical devices or financial data crossing the web, this level of visibility empowers our customers to assess risk accurately and prioritise remediation where it matters most," said Robert McNutt, Chief Strategy Officer at Forescout Technologies, Inc.

Slow adoption

The research also notes a slow migration towards PQC across global networks. Of 186 million SSH servers exposed to the internet, just 6% support quantum-safe encryption methods. Fewer than 20% of global communications employ Transport Layer Security (TLS) version 1.3, presently the sole version offering support for post-quantum cryptography. Although use of NIST-standardised algorithms such as ML-KEM has increased more than fivefold over six months, it still accounts for under 0.1% of servers worldwide.

Particularly in OT, IoT, and Internet of Medical Things (IoMT) environments, adoption of post-quantum encryption poses additional challenges, often necessitating upgrade or replacement of firmware or hardware.

"We're seeing a clear drop-off in PQC migration once the early adopters are accounted for. The data shows that most systems aren't upgrading fast enough to keep pace with the advancing threat model," said Daniel dos Santos, Head of Research at Vedere Labs.

Mitigation steps

To address these threats, Forescout's research recommends several immediate measures for organisations. These include adopting PQC for devices reliant on third-party infrastructure, securing trusted network infrastructure from attackers, employing network tools capable of accessing SPAN ports, and avoiding use of ISPs and SASE tools for critical or highly protected systems.

The report emphasises that preparing for quantum threats is increasingly necessary, rather than a speculative exercise, as standards and attacker capabilities advance. Forescout positions its technology and platform to help organisations maintain oversight and control of encryption risks and remediate them before quantum technology is widely available to adversaries.
