CIRTIQA
Four Unbreakable Pillars
Post-Quantum Specifications
Cirtiqa's platform is built on the three NIST post-quantum cryptographic standards — providing quantum-secure key exchange, digital signatures, and device authentication across every layer of the OT security stack. All classical asymmetric primitives have been removed; every channel, log event, and credential is quantum-hardened from day one.
For device identity, Cirtiqa extends post-quantum cryptography with a quantum authentication layer — embedding unforgeable device credentials directly into quantum random streams. Credentials are single-use, replay-immune, and statistically indistinguishable from random data to any observer without the device key.
Proven via NIST Statistical Test Suite — signed blocks are indistinguishable from raw quantum random data.
BLOCK / DIGEST
2048-bit random block with 256-bit SHA3 digest. Brute-force attack space: 1.50 × 10⁴¹² — computationally infeasible.
REPLAY PROTECTION
Sequential counter (nonce) ensures each credential is single-use. Counter increment is synchronised between device and verifier.
OPTIONAL AUTHORISATION
Second-level key embedded within the signed block enables authorisation scoping — defining which OT operations an authenticated identity is permitted to invoke.
Data Flow Architecture
Addressed Attack Vectors
Rogue Command Injection
Attacker injects unauthorized Modbus write or DNP3 control commands to manipulate PLC outputs, potentially causing physical damage or process disruption.
Harvest-Now / Decrypt-Later
Nation-state adversary records encrypted OT communications today, planning to decrypt them with a future quantum computer to extract process intelligence or authentication material.
Device Identity Spoofing
Attacker masquerades as a trusted PLC, RTU, or sensor by replaying captured authentication credentials, gaining unauthorized access to safety-critical commands.
Log Tampering & Forgery
Insider or advanced attacker modifies audit logs post-incident to conceal malicious activity, undermine forensic investigations, or create false evidence.
Lateral Movement via OT
Compromised IT endpoint pivots into OT network through permissive zone boundaries, exploiting the expanded IT/OT convergence attack surface.
Rogue Asset Insertion
Unauthorized device is physically connected to the OT network and begins communicating, attempting to masquerade as a trusted sensor or engineering workstation.
Why Cirtiqa
Most OT security vendors offer visibility. Some offer detection. Very few offer quantum-secure communications. Only Cirtiqa offers all four — deterministic enforcement, passive visibility, post-quantum cryptography, and quantum-based device authentication — in a single, cohesive platform designed specifically for operational technology.
Quantum-Secure from Day One
We implemented NIST FIPS 203/204/205 post-quantum standards before they were mandated. Every channel, every log event, every policy update has been quantum-secure since our first release. There is no "migration path to PQC" — it is our baseline.
ML-KEM-1024 · ML-DSA-87 · SPHINCS+
Quantum Authentication — Not Just Encryption
Our quantum authentication embeds unforgeable device identities into quantum random streams. This goes beyond encrypting communications — it makes device credentials themselves quantum-derived and quantum-verified. Replay attacks, credential theft, and spoofing become computationally impossible.
QUANTUM AUTH · QRNG NATIVE
Zero False Positives — Guaranteed
Our deterministic FSM policy engine produces no probabilistic decisions. Every verdict is permit or deny, computed in constant time from a formally verifiable allowlist. This is not achievable with ML-based anomaly detection, and it is the only approach safe for SIL-rated safety-instrumented systems.
FSM · FORMALLY VERIFIABLE · TLA+
Mathematically Tamper-Proof Audit Trail
Our Merkle-chained, Dilithium5-signed log makes any retroactive modification to audit records mathematically detectable without a trusted third party. Auditors verify log integrity offline using only the chain root hash and the root CA public key.
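The offline integrity check described above can be illustrated with a linear SHA3-256 hash chain, a simplification of Merkle chaining. This is an added example, not Cirtiqa's code: the record layout, the all-zero genesis value and the sample events are constructed assumptions, and verifying the signature on the head hash is not shown.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed starting value of the chain

# Constructed sample audit events (not taken from any real system).
SAMPLE_EVENTS = [
    {"seq": 1, "src": "hmi-01", "op": "modbus_read", "verdict": "permit"},
    {"seq": 2, "src": "eng-ws-07", "op": "modbus_write", "verdict": "deny"},
    {"seq": 3, "src": "rtu-12", "op": "dnp3_poll", "verdict": "permit"},
]


def link(prev_hash: bytes, event: dict) -> bytes:
    """Chain hash of one record: SHA3-256(previous hash || canonical JSON)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(prev_hash + body).digest()


def build(events: list) -> list:
    """Build a log in which every record stores its own chain hash."""
    log, prev = [], GENESIS
    for event in events:
        prev = link(prev, event)
        log.append({"event": event, "hash": prev})
    return log


def verify(log: list, trusted_head: bytes):
    """Recompute the chain and compare it with a head hash held outside the log.

    Returns (ok, index). index is the first record whose stored hash does not
    match its content, or None when the chain is internally consistent.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if link(prev, rec["event"]) != rec["hash"]:
            return False, i          # record edited in place
        prev = rec["hash"]
    if prev != trusted_head:
        return False, None           # suffix re-hashed or log truncated
    return True, None


if __name__ == "__main__":
    log = build(SAMPLE_EVENTS)
    print(verify(log, log[-1]["hash"]))
```

An attacker who edits a record and recomputes every later hash still fails the final comparison, which is why the head hash has to be stored or signed somewhere the log writer cannot reach.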
MERKLE · DILITHIUM5 · WORM
Built for Operations, Not Against Them
Passive-only deployment means we monitor without touching. We never inject packets, never scan, never probe. Our platform has been deployed in active refinery, substation, and water treatment environments with zero reported operational incidents caused by the security platform itself.
PASSIVE TAP · SPAN ONLY · ZERO DISRUPTION
Air-Gap Ready, Cloud-Optional
The Cirtiqa platform operates with zero outbound internet connectivity. No telemetry, no license callbacks, no cloud dependencies. Threat intelligence arrives as signed offline bundles. The entire platform — management console, log store, key management — can be deployed in a fully isolated network.
AIR-GAP CAPABLE · NO CLOUD REQUIRED
Get in Touch
Whether you are planning a new OT security programme, upgrading legacy monitoring to quantum-secure standards, or need to address a specific compliance requirement — the Cirtiqa team is ready to help. Our specialists come from OT operations, not IT, and will engage at the level your environment demands.