KQC and LS ITC Verify PQC-Based Security in Korean Manufacturing

Korea Quantum Computing (KQC) and LS ITC, the IT services unit of LS Group, completed a proof-of-concept for post-quantum cryptography (PQC, a family of algorithms built to resist attacks from quantum computers) spanning the authentication, server communications and certificate management systems that keep Korea’s smart-manufacturing infrastructure running. The joint verification, announced Wednesday and reported by The Elec, a Korean electronics industry publication, confirmed that PQC-based security holds at the distributed scale LS Group’s industrial network demands, addressing the feasibility question most industrial operators have left open while watching the PQC standardization process from a distance.

KQC and LS ITC positioned the pilot as a direct response to two threat timelines running simultaneously: quantum computers still years from breaking widely deployed encryption at scale, and agentic AI-driven attacks already operating inside enterprise environments. Building PQC into the specific security layers where both categories of attack find entry was the design brief.

What KQC and LS ITC Verified

The proof-of-concept (PoC) targeted three layers of LS Group’s security infrastructure, each one chosen because it depends on cryptographic methods that a capable quantum computer will eventually compromise:

• PQC-based FIDO authentication: KQC applied PQC authentication keys to user login systems across LS Group, replacing the elliptic-curve signatures that FIDO (Fast IDentity Online, the industry standard underpinning hardware tokens and passkeys) currently relies on. Elliptic-curve cryptography ranks among the earliest algorithms to fail under a quantum attack, making this layer the most urgent starting point for any industrial PQC migration.
• Centralized secret management for server-to-server communications: The companies deployed a system governing authentication and connectivity between servers in a distributed industrial network. Smart-factory environments run on machines that authenticate to each other continuously, and a single compromised server credential can propagate access across an entire production network before any alarm triggers.
• Automated certificate issuance and renewal: The pilot tested a framework automating the full certificate lifecycle from generation through expiry. KQC and LS ITC cited the accelerating compression of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate validity periods industry-wide as the direct driver for including this component.

KQC confirmed that “consistent security levels could be maintained even in distributed industrial system environments” and that the technology demonstrated “operational feasibility and efficiency in real-world environments.” Both results matter together. LS Group’s network spans factories, substations and office infrastructure across multiple sites and countries. A PQC solution that performs cleanly in a single-site controlled test but degrades under distributed load creates a misleading baseline for the full deployment decision, so the PoC was designed from the outset to test the harder condition.

The Agentic AI Factor

The framing KQC and LS ITC used calls out two distinct threat categories: quantum computers on a timeline measured in years, and agentic AI already operating inside enterprise environments. A Dark Reading readership poll found that 48% of cybersecurity professionals named agentic AI and autonomous systems the top attack vector heading into 2026, ahead of deepfakes and passwordless-adoption concerns. Gartner projected that by 2026, more than 80% of enterprises would have deployed some form of autonomous AI agents in production environments, each creating what security researchers call a non-human identity requiring machine-to-machine authentication.

That second point connects directly to what the PoC tested. Every AI agent in an industrial or enterprise network authenticates to adjacent systems through server-to-server channels. An adversary capturing traffic from that layer today, encrypted under quantum-vulnerable credentials, retains access to that data until the operator migrates to quantum-resistant algorithms. CISA (the U.S. Cybersecurity and Infrastructure Security Agency) issued guidance in late 2024 warning that agentic AI systems with persistent enterprise access create an attack surface that existing perimeter defenses were not designed to address. LS ITC runs AI-based robotic process automation (RPA) services integrated with cloud platforms across LS Group, adding exactly the kind of agentic workflows that, once compromised, can reach factory-floor operational systems directly, including the manufacturing execution and energy management infrastructure the company manages.

Security researchers have pointed to reasoning-capable large language models combined with the Model Context Protocol (MCP, a standard for linking AI agents to tools and external data sources) as having materially expanded what an autonomous attack agent can accomplish inside an operational technology network in 2026. Once an agent establishes persistence, it adapts and retries automatically without requiring any human operator input on the attacking side. The server-to-server secret management layer the PoC hardened is where that expanded capability tends to find traction first in industrial environments.

Certificates Running Out of Time

The CA/B Forum’s Tightening Schedule

The certificate automation pillar of the PoC has an external forcing function that predates any quantum computing deadline by years. It arrived in March 2026.

The CA/Browser Forum (CA/B Forum), the industry body governing publicly trusted TLS certificates, approved Ballot SC-081v3 in May 2025. The ballot established a phased compression of maximum certificate validity across three enforcement dates. DigiCert, one of the world’s largest certificate authorities, began enforcing 199-day TLS certificate limits on February 24, 2026, ahead of the CA/B Forum’s formal March 15 deadline.

At 47 days, organizations must renew each endpoint’s publicly trusted certificate seven to eight times per year. Industry analysts have identified early October 2026 as the first significant expiry wave, when the initial batch of 200-day certificates issued in March expires for organizations still relying on manual workflows. Manual renewal was already strained at the previous 398-day annual cadence; at a monthly cycle it becomes operationally impossible without full automation infrastructure in place.

Industrial Infrastructure and the Automation Gap

Corporate IT teams facing the deadline can resolve it largely through tooling: deploy an ACME (Automatic Certificate Management Environment) client, connect it to a certificate authority, let it handle renewals automatically. Industrial infrastructure presents a substantially harder version of the same problem on the same timeline.

Supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs) and facility energy management systems (FEMS) were built for long operational cycles with firmware updates timed to planned maintenance windows, typically measured in months. Many of these systems can’t run standard ACME clients without significant integration work, and some can’t run them at all. For industrial operators, the 2029 deadline means having automated certificate infrastructure tested under real production conditions well before the mandate lands.

By validating a PQC-capable certificate automation framework inside LS Group’s distributed infrastructure, KQC and LS ITC accomplished two things within one pilot. The automation layer is now confirmed to work at industrial scale. And because PQC-standard algorithms are embedded in that automation workflow, the eventual migration from RSA-based certificates to quantum-resistant ones won’t require a second, separate integration pass when quantum hardware reaches operational threat range.

How the NIST Standards Frame Korea’s PQC Race

In August 2024, the National Institute of Standards and Technology (NIST) published FIPS 203, FIPS 204, and FIPS 205, the first three finalized post-quantum cryptographic standards after an eight-year global evaluation process. The three standards address the core cryptographic operations an enterprise migration requires:

• FIPS 203 (ML-KEM, a lattice-based key encapsulation mechanism): replaces RSA and elliptic-curve Diffie-Hellman for key exchange
• FIPS 204 (ML-DSA, a lattice-based digital signature algorithm): replaces RSA-PSS and ECDSA for signing and verification
• FIPS 205 (SLH-DSA, a hash-based signature algorithm): provides algorithm diversity for environments where independence from lattice-based assumptions is a design requirement

A parallel driver for acting before quantum hardware matures is the harvest-now-decrypt-later (HNDL) threat. Adversaries are capturing encrypted data traffic today with the intention of decrypting it once a cryptographically relevant quantum computer becomes available. Security researchers estimate that window at five to ten years, which puts data encrypted in 2026 under current RSA-based schemes squarely within range before it loses operational relevance.

KQC evaluated its earlier PQC verification with IBK Industrial Bank of Korea using NIST-designated standard algorithms as the technical benchmark, and the LS ITC project followed the same framework. NIST mandates that U.S. federal systems complete migration by 2035; no equivalent hard deadline yet applies to Korean private-sector industrial operators.

South Korea’s Ministry of Science and ICT (MSIT) announced in May 2026 that the national PQC pilot program would expand to five new sectors in 2026: telecommunications, finance, transportation, defense and space. That followed 2025 pilots covering healthcare, energy and public administration. The ministry also committed to a five-year research program targeting an autonomous PQC transition management platform, optimization of PQC algorithms for lightweight hardware such as industrial integrated circuit chip sets, and hybrid technologies combining PQC with quantum key distribution (QKD). The LS ITC PoC was privately driven, but both tracks are closing in on the same infrastructure gap.

LS ITC’s Factory Infrastructure and the Security Exposure

LS ITC manages IT systems for a conglomerate spanning high-voltage cable, power equipment, electric vehicle components and agricultural machinery. Its smart-factory portfolio includes manufacturing execution system (MES) platforms for LS ELECTRIC’s Cheongju plant, which the World Economic Forum designated a Lighthouse Factory; energy management systems across 70 companies in the Gwangju Industrial Complex; and enterprise resource planning (ERP) deployments for LS affiliates across Asia, the Americas, the Middle East and Europe.

That footprint changes the breach calculus in a specific way. A compromised credential in the server-to-server authentication layer at a conglomerate running power-transmission equipment doesn’t reach financial records first. It can reach operational technology controlling a high-voltage substation or a cable-manufacturing production line, with potential for physical disruption alongside data exposure. LS ITC also provides smart-factory consulting and data analytics services to external clients, including manufacturing systems at Hyundai Motor’s Ulsan facilities and food production operators such as Binggrae and Daesang, meaning a security incident inside LS ITC’s authentication infrastructure carries consequences that extend beyond LS Group’s own estate.

This PoC proactively verified industrial security systems in preparation for the quantum computing era. We plan to review full-scale deployment and application of the technology across key systems going forward.

LS ITC said that in the statement carried by The Elec. “Key systems” was left unspecified, but the practical candidate list tracks the MES and energy management infrastructure the company already runs across LS Group’s factories and industrial complexes.

From Proof-of-Concept to Full Deployment

KQC has now validated PQC technology at two prominent Korean institutions in the same period. The earlier PQC verification with IBK Industrial Bank of Korea covered banking authentication and key management systems; the LS ITC project extended the same three-pillar framework into industrial infrastructure. KQC’s product line includes a PQC hardware security module (HSM) under the QxHSM designation, which anchored the IBK test environment, and FIDO-based PQC authentication as a commercial deployable offering. The company is also a member of the IBM Quantum Network, a roughly 180-strong global consortium, and holds the first ISO 27001 information security certification awarded to a quantum computing company in Korea.

Full-scale deployment across LS Group’s industrial estate would cover security infrastructure spanning multiple countries and operational technology with asset lifecycles measured in decades. The PoC’s specific focus on distributed-environment consistency, confirming security levels hold across geographically dispersed industrial nodes, was designed to answer the operational question the full-scale deployment decision requires before it reaches the executive level.

LS ITC holds the pilot results. The deployment decision, when it comes, converts them from a proof-of-concept into the security baseline for one of Korea’s largest manufacturing IT networks.