Building Secure IoT in the Quantum Age

Steve Hanna is a Distinguished Engineer at Infineon Technologies (IFNNF), where he leads strategic initiatives to strengthen cybersecurity across the rapidly expanding Internet of Things (IoT) ecosystem. With a career spanning over three decades, Hanna has been at the forefront of IoT security since its earliest days, dating back to his work in the 1990s at Sun Microsystems, where he helped pioneer research into ‘connected things’ long before the term IoT was coined.

At Infineon, Hanna works with standards bodies, regulators, analysts and manufacturers to shape secure design principles and promote cybersecurity best practices across industrial systems, smart homes and internet infrastructure. His day involves high-level meetings, conferences and collaborations, blending technical expertise and policy engagement to advance secure, resilient connected technologies.

Through this article, Hanna is outlining how the rapid evolution of IoT brings both powerful benefits and escalating cybersecurity challenges, particularly through AI and the looming risks posed by quantum computing.

Unlocking Potential while Battling Rising Cyber Threats

Over the last 30 years, I’ve seen the IoT grow from research labs into everyday life, bringing incredible promise and serious risk. On one hand, we’ve realized powerful use cases like real-time factory optimization and autonomous vehicles communicating for safer roads. On the other hand, we’ve seen threats materialize, such as the Mirai botnet, which began in 2016 by hijacking IoT devices using default passwords. It infected over a million devices, eventually growing to tens of millions and was used in massive DDoS attacks that brought down major websites. Mirai showed how everyday connected devices, if left insecure, can be weaponized to disrupt critical parts of the internet.

Fortunately, awareness has grown. Today, consumers, manufacturers, pipeline operators, chemical plant operators and city managers increasingly recognize that security is essential to any IoT system. Even more importantly, there’s a deeper understanding of how that security must be built, from secure firmware updates to compliance with new regulations. Governments are stepping in, with efforts like the EU’s Radio Equipment Directive and the upcoming Cyber Resilience Act.

For CIOs, this is especially relevant. As smart devices become embedded in every network, the question is no longer whether they’re present; it’s whether they’re secure. My work focuses on helping leaders answer that with confidence, through standards, policy and cross-sector collaboration.

Smarter Threats, Smarter Defenses

I’ve seen how attackers are using AI to scale and sharpen their methods. Phishing has evolved, moving away from bulk spam toward AI-generated, highly targeted emails that mimic human tone with frightening precision. These attacks are automated and nearly indistinguishable from legitimate messages, making them far more effective.

But we’re not standing still. Defenders are using AI too. I’ve worked with systems that process massive volumes of network data to learn what ‘normal’ looks like, how a sensor typically communicates, data transmission frequency or usual login behavior. Once those patterns are learned, AI detects subtle deviations in real time that static, rule-based systems miss.

 Any organization embracing IoT must view security as a continuous process rooted in awareness and responsibility. Chasing zero risk is rarely realistic, but understanding what could go wrong and putting measures in place to manage it helps keep risk at an acceptable level 

Meanwhile, AI is being embedded into IoT systems, powering everything from predictive maintenance to autonomous vehicles. That raises new concerns. We now have to secure not just the devices, but the model training data, prevent tampering and ensure all inputs and outputs are encrypted, authenticated and verifiable.

As AI begins making real-world decisions, the stakes get higher. This is why IoT security has become a broader, more urgent conversation across developers, researchers, city managers, industrial operators and regulators. The shift in mindset reflects a growing belief that secure systems are foundational to any deployment.

Governments are stepping in with clear regulations and enforceable standards. The UK’s PSTI Act mandates secure update practices; Germany’s BSI standards require strong protections for critical infrastructure. Cybersecurity has evolved into a shared public responsibility rather than remaining a purely technical concern.

Building Resilience for Tomorrow

One of the most transformative forces shaping the future of IoT is quantum computing. As quantum computers become more powerful, they pose a serious threat to today’s widely used cryptographic systems like Rivest– Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms that underpin everything from secure email to signed firmware updates. The concern is that quantum systems will eventually be able to derive private keys from public ones, a capability that would undermine the entire foundation of digital trust.

Recognizing this risk, the industry is beginning a major shift toward postquantum cryptography (PQC). In the next three to five years, companies are expected to move quickly to adopt new cryptographic algorithms that can withstand quantum attacks. Infineon has already taken early steps in this direction, launching a security chip that supports PQC algorithms. This chip, similar to those found in everyday laptops, is designed to protect devices against the future capabilities of quantum machines. Going forward, Infineon plans to integrate PQC across its full product portfolio, helping customers stay ahead of evolving threats.

Risk Framing Over Risk Avoidance

Any organization embracing IoT must view security as a continuous process rooted in awareness and responsibility. Chasing zero risk is rarely realistic, but understanding what could go wrong and putting measures in place to manage it helps keep risk at an acceptable level. Much like preparing for a journey by buckling a seatbelt and keeping your eyes on the road, laying a secure foundation for IoT begins with anticipating potential pitfalls and thoughtfully managing them. The goal isn’t just to deploy technology. It’s to build systems that operate with foresight, resilience and accountability in the face of evolving risks.