Quantum Key Distribution for Critical Infrastructures: Towards Cyber-Physical Security for Hydropower and Dams

Hydropower facilities are often remotely monitored or controlled from a centralized remote control room. Additionally, major component manufacturers monitor the performance of installed components, increasingly via public communication infrastructures. While these communications enable efficiencies and increased reliability, they also expand the cyber-attack surface. Communications may use the internet to remotely control a facility’s control systems, or may involve sending control commands over a network from a control room to a machine. The content could be encrypted and decrypted using a public key to protect the communicated information. These cryptographic encoding and decoding schemes become vulnerable as more advances are made in computer technologies, such as quantum computing. In contrast, quantum key distribution (QKD) and other quantum cryptographic protocols are not based upon a computational problem, and offer an alternative to symmetric cryptography in some scenarios. The underlying mechanism of quantum cryptographic protocols such as QKD ensures that any attempt by an adversary to observe the quantum part of the protocol will result in a detectable signature as an increased error rate, potentially even preventing key generation; this signature serves as a warning for further investigation. In QKD, when the error rate is low enough and enough photons have been detected, a shared private key can be generated known only to the sender and receiver. We describe how this novel technology and its several modalities could benefit the critical infrastructures of dams or hydropower facilities. The presented discussions may be viewed as a precursor to a quantum cybersecurity roadmap for the identification of relevant threats and mitigation.


I. INTRODUCTION
Security of critical infrastructures poses a complex and dynamic problem teeming with loopholes, weak links, and outdated measures that create an array of cyber vulnerabilities and safety concerns [1][2][3]. Innovative solutions are needed to protect existing and developing infrastructure (see Rass et al. [1] for what constitutes a "critical infrastructure" and related discussions). Currently, in the US alone, less than 3% of the 80,000 dams produce power. Efforts to generate more clean power from these existing dams mean the utilization of advanced technologies and modernization. Therefore, digital technologies are expected to continue to be integrated with hydroelectric projects (including fleet modernization). The gain (e.g., in the efficiency from turbines and generators) that comes with digitalization and the use of advanced information and communication technologies benefit the missions and objectives of an increasing number of stakeholders in hydro energy. These efforts mean increased connectivity (e.g., enhanced remote control and monitoring of the operational conditions of the assets). Higher connectivity is also expected from optimization efforts to operate neighboring hydropower facilities across whole river systems. Predictive and intelligent maintenance [4], higher efficiency operation, development of digital twins, etc., all require communication of measurement results and associated data analysis from many components and equipment, often in real-time. Higher connectivity, that is, a larger number of communications channels, means a larger cyber-attack surface, and consequently, more risks, as depicted in Fig. 1. A brief summary of some of the basic security issues is provided in Table I, see also relevant discussions by Ratnam et al. [5]. In what follows, for convenience, some relevant terms invoked are defined in Table VI.
Clearly, the noted risks associated with exploiting the weaknesses of communications channels need to be addressed. However, known classical (non-quantum) encryption techniques cannot eliminate such risks (for a simple classical encryption example, see Appendix A). This is because, to protect the confidentiality of the communicated messages, classical security utilizes the mathematical complexity of classical cryptography techniques (which ultimately can be figured out with sufficient computer power), as opposed to quantum approaches which capitalize on fundamental physical laws. These laws mean that any attempts to intercept or read off the information will disturb the fragile quantum states carrying the information. The imposed fundamental limits here mean that there is no amount of care one can exercise that would enable this process without creating a detectable quantum disturbance. Thus, without embracing quantum solutions, the long-term security of hydropower and dam infrastructure remains uncertain.
FIG. 1. It is widely recognized that the existing hydro infrastructure has cyber-security weaknesses that can be exploited at both intranet (left) and internet (right) levels. As exemplified by the dashed arrows, cyber problems are ultimately due to a lack of secure communications and the presence of side channels among the various components/devices inside and outside the system.
Traditional encryption is currently used to validate the legitimacy and authenticity of the sender and receiver, while also obfuscating the information from an attacker. This means that even if communication is intercepted [6], it cannot be read or understood unless the attacker has the decryption key. Traditional methods rely on secure creation and exchanges of keys to ensure end-to-end protection. Current attacks against encryption include incorrect implementation of encryption in software (vulnerabilities), attacks against the users, supply chain attacks, compromise of the keys, brute forcing the message, or analyzing the encrypted communication to derive the key. With the future advancement of quantum computing, the speed at which brute force attacks can successfully decrypt communications (using many current algorithms) could render them insufficient. The problem of infrastructure vulnerability means that attempts to evade security measures including cyber, malware, and side-channel attacks may generate results [1]. Reported attacks on dams and other critical infrastructure have revealed significant cyber-security gaps and problems in existing infrastructure, which is ultimately due to a lack of secure communications channels. Physically, the two primary channels over which information, commands, and instructions are conveyed/exchanged are either optical fiber or free space with no other comparable alternatives. Both these channels can be exploited by attackers to threaten the assets. This article proposes a solution and how it may be applied to this problem. Clearly, any solution necessarily should be commensurate with the rapidly growing and diversifying information and communications technologies encompassing edge computing and sensing [7,8], IIoT (the Industrial Internet of Things), IoE (the Internet of Energy), etc. Such a solution must position the hydro security infrastructure for resiliency against increasingly advanced and sophisticated attacks.
Emerging quantum technologies promise to solve the security problem of communications channels. The most well-established quantum communication technology is currently quantum key distribution (QKD), which has been shown to achieve information-theoretic security (ITS), meaning it does not rely on any technology assumptions, such as what problems are difficult to compute. Such a solution has already been demonstrated in the form of the deployment of state-of-the-art QKD-based communications technologies across the electric grid [9][10][11][12]. To date, as technology transitions from research labs to the commercial sector, only a few commercial QKD systems have made their way to the market. These commercial systems are of basic design and not yet fully adaptable to the hydro environment. An evaluation and comparison of all QKD modalities against hydropower system's requirements is needed (see Table IV). Logically, one may categorize noise sources in QKD operating in a hydropower environment into two main categories: those induced by the environment, as listed in Table II, and those independent of it, as listed in Table III, with related discussions elsewhere [13][14][15][16][17]. While noise sources independent of the environment may be addressed with advances in technology and improved equipment, those induced by the dam environment may require specialized solutions tailored to the unique challenges posed by such a setting. Separating these categories could help in better understanding and mitigating the noise sources. Our objective is to elucidate the utility of QKD for protecting hydropower assets and articulate what quantum security technologies can bring into the critical hydro infrastructure security domain. As simplistically depicted in Fig. 2, a hydropower system is composed of many networked sensors, control systems, and operators which need to communicate with each other over geographically diverse locations. A relevant use case of secure communications may therefore be the implementation of a communications channel between the control room and an equipment controller. This would not only prevent cyber-attacks but also any side-channel attacks. The communications link corresponding to this connectivity can be made secure with long-term security provided by QKD. Any information to be exchanged between a party on the internet and a party on the dam network requires encryption or authentication. QKD can share unique private keys that can be used for this purpose (for a simple quantum encryption example, see Appendix A). Therefore, the generation of secure keys over the communications link is the first step (see Fig. 3). Reaching a working understanding of the technical layout specific to a hydro facility could begin by building on previous work in carrying out cyber technical risk assessments including that of hydropower systems and dams [10,18], and development of holistic cybersecurity risk reduction framework for fossil generation facilities [18], as well as deployment of quantum communication for grid security [12] and [10,11]. Given that there are many such plant and systems-level examples of a cyber threat to physical devices of the power plant, during any pilot project, identifying a reasonable location in a dam or an equivalent testbed to implement the QKD is prudent. This important step lays the foundation for developing a similar use-case development methodology that can be applied across various hydro facilities. One may envision research and development of a security use-case taxonomy that can serve the broader energy infrastructure landscape. Such a taxonomy should be of direct benefit to the stakeholders since planning, marketing, energy distribution, customer privacy, service quality, and many other aspects of energy economics can be impacted by a better understanding of the security risks involved.
QKD is currently at the forefront of innovative communications technologies and is typically advertised as the next-generation security technology that, unlike conventional techniques, does not expire when bigger computers are built. QKD has been demonstrated for securing communications between parties on Earth [20] as well as between Earth and satellites [21,22]. To implement QKD, we first note that there are different modalities of QKD. Despite some modalities still being subject to intense research, new results are leaving research labs, and commercial systems are entering the market. For a brief description of the QKD modalities versus the specific requirements of the present use case see Table IV (see also the recent survey by Sharma et al. [23]

FIG. 3. An example of side-channel threats in a hydropower plant. Secure speed control of the generator is critical for safe operation. During remote control, cyber-attacks may alter the commands leading to altered input values for the speed control of the generator. The displayed differential equations (see Chandra et al. [19]) for the time dependence of the states including frequency change $\Delta\omega$, turbine water velocity $\bar{u}_t$, gate opening $\bar{g}$ and the pilot actuator position variation $\Delta x_e$ serve to emphasize the many parameter and functional dependencies of the hydropower plant model. Possible side-channel attacks may take the form of altering the signal returned by the feedback loop. These communications channels can be made secure using a future implementation of internet-level, intranet-level, and even "device-level" QKD.

III. QUANTUM KEY DISTRIBUTION AND ITS IMPLEMENTATION
In 1984 the BB84 protocol was introduced by Bennett and Brassard [24]. Today, BB84 is just one instance of many possible QKD implementations that rely on the laws of quantum mechanics to share secret keys. As an example of a standard implementation, the polarization of individual photons can be used to encode information. In BB84, the simplest, oldest, and most developed protocol, Alice sends a signal of single photons with random polarizations to Bob, and since quantum states are disturbed when measured, any noise is attributed to an eavesdropper resulting in quantum bit error ratio (QBER), defined as:

$$\mathrm{QBER} = \frac{\text{number of error bits}}{\text{total number of bits exchanged}}.$$

If the QBER is low enough, the two parties can distill a secret key. For many QKD protocols, the process to distill a secure key involves four main steps: raw key exchange, sifting, error correction, and privacy amplification, as shown in Fig. 3. Specifically, in the BB84 protocol, after the raw key is shared through the quantum channel, the sifted key is generated by Bob announcing, over a public classical channel, the basis he used to measure each photon. Alice then compares this with her basis choices. The bits corresponding to mismatched bases are discarded, resulting in the sifted key. Any QKD protocol will have errors in the sifted key due to the experimental imperfections and potential eavesdropping, which are corrected using an algorithm over the authenticated public channel. Finally, privacy amplification is also performed over the public channel to minimize the potential information about the key that Eve may have gathered in the previous three steps. Generally, QKD can be divided into discrete variable (DV) and continuous variable (CV) implementations. DV encoding, such as the polarization example above, involves detecting single quantum states with direct detection single-photon detectors, and results in discrete measurement data. In continuous variable encoding, homodyne detection is used to measure continuous variables of quantum light, namely phase, and amplitude, which carry information between Alice and Bob. CV QKD protocols generally have the potential for higher key generation rates than DV protocols, especially in the presence of lossy channels. This is due to the encoding and detection methods employed by CV systems. However, CV protocols, especially in high-loss scenarios, face challenges related to error reconciliation, given the Gaussian noise characteristics of their keys [24]. A benefit of CV protocols is that they can be implemented in shared fiber with classical communication systems without the destruction of the quantum signal [25]. QKD can also be divided into entanglement-based and prepare-and-measure implementations. In many entanglement-based QKD protocols, entangled states of light are generated and shared between Alice and Bob. This can be done by a third party or by one of the participants, such as Alice, who then sends one of the entangled particles to Bob. On the other hand, prepare-and-measure protocols, like BB84, involve Alice preparing a quantum state and sending it directly to Bob. For distances relevant to hydropower dams, prepare-and-measure protocols are the most practical and achieve the highest speeds [26]. In practical QKD implementations, information is often encoded into weak coherent pulses, such as those from faint lasers. While single-photon or entangled photon sources are ideal for QKD, their practical implementation can be challenging. The decoy state protocol allows weak coherent sources to be used effectively by mitigating certain eavesdropping threats, making it possible to utilize cheaper and faster equipment for quantum light sources without compromising security [27]. This encoding method has evolved to what is called decoy state QKD because certain laser pulses will act as decoys to an eavesdropper for security purposes. Given that decoy-state BB84 is among the most developed protocols and gives the highest data rates for the relevant distances, it makes for a suitable field trial.
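The raw key exchange, sifting and QBER estimation steps of BB84 described above can be followed in a small classical simulation; this is an added example, not code from the paper. It assumes ideal single-photon pulses (no decoy states, no loss), models an eavesdropper as measuring and re-sending each photon, and uses an assumed abort threshold of 11% (the paper states no threshold); all function names are hypothetical.

```python
import random

BASES = ("+", "x")   # rectilinear and diagonal polarization bases
ABORT_QBER = 0.11    # assumed abort threshold; the paper does not state one


def bb84_exchange(n_pulses, eavesdrop=False, channel_error=0.0, seed=0):
    """Simulate raw key exchange plus sifting; return both sifted keys."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_pulses):
        bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        sent_bit, sent_basis = bit, a_basis
        if eavesdrop:
            # Eve has to choose a basis without knowing Alice's choice.
            e_basis = rng.choice(BASES)
            if e_basis != sent_basis:
                sent_bit = rng.randint(0, 1)  # wrong basis: random outcome
            sent_basis = e_basis              # photon is re-prepared in Eve's basis
        b_basis = rng.choice(BASES)
        measured = sent_bit if b_basis == sent_basis else rng.randint(0, 1)
        if rng.random() < channel_error:      # misalignment, dark counts, ...
            measured ^= 1
        # Sifting: bases are compared over the public channel and only
        # positions where Alice and Bob chose the same basis are kept.
        if a_basis == b_basis:
            alice_key.append(bit)
            bob_key.append(measured)
    return alice_key, bob_key


def estimate_qber(alice_key, bob_key, sample_fraction=0.5, seed=1):
    """Disclose a random subset to estimate the QBER; disclosed bits are dropped."""
    rng = random.Random(seed)
    n = len(alice_key)
    disclosed = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(alice_key[i] != bob_key[i] for i in disclosed)
    qber = errors / len(disclosed) if disclosed else 1.0
    kept_a = [alice_key[i] for i in range(n) if i not in disclosed]
    kept_b = [bob_key[i] for i in range(n) if i not in disclosed]
    return qber, kept_a, kept_b


def run_link(n_pulses, eavesdrop, channel_error=0.02):
    """One key-generation attempt; channel_error is a constructed sample value."""
    a, b = bb84_exchange(n_pulses, eavesdrop, channel_error, seed=2024)
    qber, kept_a, _ = estimate_qber(a, b)
    return {
        "sifted_bits": len(a),
        "qber": qber,
        "bits_for_post_processing": len(kept_a),
        "proceed": qber <= ABORT_QBER,  # otherwise abort and investigate
    }


if __name__ == "__main__":
    for tapped in (False, True):
        print("eavesdropper present:", tapped, run_link(20000, tapped))
```

About half of the pulses survive sifting, and the measure-and-resend eavesdropper pushes the estimated QBER to roughly 25%, so the attempt is aborted before error correction and privacy amplification.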
FIG. 4. Schematic depiction of QKD. Two parties generate random bit-strings that are encoded in light pulses. The pulses are sent off via fiber or free space to a receiving party, where they are measured and converted to bit-strings. A message may be encoded via variations in the polarization of the light, as shown in the second box from left, or in its phase (see R. Wolf [28] for a formal introduction to these operations).
Studies of scientific and technical issues surrounding the security of practical implementation of QKD have illuminated the possibility of various conceivable side-channel attacks. Realistic expectations from the performance of QKD subsystems mean that QKD must be carefully implemented [29,30] to avoid for example Trojan horse and photon-splitting attacks. These attack scenarios are difficult to mount on practical QKD systems which are evolving to safeguard against these and future loopholes in QKD implementation. The implementation of QKD begins by building its physical arrangement, which is composed of light sources, optical components to manipulate light, detectors, and measurement and processing electronics. Alternatively, one may explore the use of commercial QKD systems to generate the needed keys for information encoding. The information encoded by doing a bit-by-bit exclusive "OR" with these keys will be secure if the key is kept private, and the key is larger than the message size. Successful implementation of QKD is measured by generating keys using the physical realization of the diagram shown in Fig. 4.
The key questions to be answered are where QKD can be deployed in a hydropower communications network, and how it can be integrated with existing command and control interfaces. Of importance is the frequency of communications and the requirements of QKD-based one-time-pad (OTP) approaches to meet this need, in addition to communications latency requirements. A summary that systematically and collectively presents the application of QKD to the hydroelectric domain will help to lead the wider utilization of quantum security in hydro infrastructures. Our goal is to stimulate the production of this document, which would also complement those focused on classical cybersecurity.

IV. APPROACH
An approach to the security of hydropower assets based on quantum technologies should naturally be relevant to other energy infrastructure security science and technology. Therefore, a high degree of connectivity is expected amongst several works in the energy research portfolio. For example, in fossil power plant cyber security, some previous investigations focused on: 1) assessing how cyber risk changes across a facility's life cycles, 2) performing consequence analysis to prioritize high-consequence events, 3) identifying the digital asset attack surface in sensors, instrumentation, and control equipment, and 4) mitigating cybersecurity control or countermeasures [18]. Such reports [18] describe the current industry cybersecurity best practices in fossil generation that are based on the first principles for cybersecurity engineering. Another specific example is related to grid security, where previous work focused on:
• Conducting an analysis of commercial QKD capabilities [9,31].
• Conducting an analysis of smart grid security needs [32].
• Identifying the highest value security needs that can be met by QKD [33].

In the basic form of QKD, the two communicating parties, Alice and Bob, carry out quantum optical operations to prepare some bit-strings. After quantum operations are completed, post-processing is required. This includes applying various mathematical and numerical processing steps to generate the final keys. If an eavesdropper (Eve) attempts to intercept the processes, laws of quantum physics reveal such attempts as errors in the quantum signals. See Table V for further description and R. Wolf [28] for details.

The performed analysis was based on the NIST Framework and Roadmap for Smart Grid Interoperability Standards [12], as described in the related report [34]. To achieve the technical objectives above, we may consider the following discussions. It is important to note that operational technology (OT) architectures used in hydropower control and safety systems present unique challenges and considerations compared with standard information technology (IT) deployment of QKD. OT systems rely on legacy equipment, proprietary and unique operating systems, specialized protocols, and unique architecture requirements. In addition to the end-use case identification for QKD in hydropower, it is important to consider the impact of these architectures and infrastructure on QKD.

A. Use-case definition for quantum security in hydro
In creating an optimum use case, previous experience, e.g., in performing a cyber security risk assessment of other architectures, may be leveraged to show the holistic security benefit of the QKD solution. Use cases anticipated to be identified include remote monitoring and control, remote sensor, and IIoT deployment. Critical communications which rely on strong authentication in hydropower include:
• Securing remote interactive access (control, maintenance, and repairs)
• Remote monitoring (remote sensors for control/safety/monitoring, remote monitoring-only centers with unidirectional traffic)
• Vendor monitoring
• Supply chain security (validation of the authenticity of software and supply chain communications)

Control systems and operational technology (OT) rely on specific protocols for communications between field devices, programmable logic controllers, management servers and workstations, and other control system components.
Many hydropower facilities that were designed with SCADAs (supervisory control and data acquisition systems) [35,36] are being upgraded to distributed control systems (DCS) as hydropower facilities are undergoing component and digital modernization. The control systems must be carefully architected to provide reliability and safety. Latency and reliability of the communications are crucial in these applications and should be considered. A priority use case should:
• document how it capitalizes on the specific environment of the dam/hydro facility or hydro testbed from a security point of view,
• identify security benefits/disadvantages of the QKD relative to traditional methods, in the identified use cases,
• document how it highlights the practical (logistical) suitability/applicability of the QKD for implementation within the dam/hydro environment/testbed,
• document a reference architecture for deployment in the selected use case,
• identify operational impacts on QKD deployment,
• highlight how the use case contributes to the missions of hydropower research facilities.

B. Integration of the QKD system with the hydro communications system
QKD is a novel quantum-based cybersecurity tool that allows for the generation and secure distribution of truly random number streams. Field demonstration of QKD has been reported in the case of a real-world electric utility optical fiber network [10]. A "key" is simply a string of bits, that is, a sequence of 0s and 1s, and a "message" is in the form of a bit string. The end goal here is the successful use of keys generated using QKD by the communicating parties. For example, when the two communicating parties share a private key, they can use that key to encrypt any messages they intend to send and decrypt any messages they receive. This encryption prevents an eavesdropper from accessing any information in the messages. This could for example take the form of the complete set of communications needed for remote control of a dam, or communication for a SCADA system [35]. This would ultimately entail generating random bits, that are supplied to a computer hard drive or memory, at two (or more) locations. These bits are then to be used for the encryption of the messages between the two locations. The fiber-based QKD is highly versatile as fibers are immune to electromagnetic interference, and mechanically flexible so that they can penetrate confined areas, elaborate machines, and devices. The QKD process begins with a quantum transmitter (typically referred to as Alice, as indicated in Fig. 5). The sender will have to generate light and prepare it in a specific quantum state. These light pulses, representing bit-strings, are then sent into an optical fiber to travel to another location, where they can be detected by a quantum receiver (typically referred to as Bob, as indicated in Fig. 5), at the other end of the fiber. After concluding the quantum operations between the two communicating parties, to generate the final keys, the bit-streams must be processed using post-processing algorithms. After processing the keys, as shown in Fig. 5, they can be used to protect the information between communicating entities (users, control systems, sensors, actuators, SCADAs, etc.).
During QKD operation, the system attempts to generate new keys. The conditions of the link and specifics of the QKD system determine the key rate. The key bit strings will be written to a file located on both Alice and Bob's portions of the node. The keys and hydro communications are then collected on a local computer where the encryption and authentication are implemented [9]. The most computationally efficient (and therefore lowest latency) method remains the one-time pad (OTP) method, where a message is combined with the key using the exclusive OR (XOR) operation. OTP exhibits ITS (information theoretical security), i.e., it is secure regardless of an adversary's computational power, with the following requirements: (1) the keys must be truly random, be kept secret, and be used once only, and (2) the message length is less than or equal to the length of the key. The resulting communications are then sent out through a classical transceiver. An experimental demonstration of relaying keys between relevant hydro infrastructure locations could conclude after a QKD operation over a given period (e.g., ∼ hours). Such an experiment could implement QKD over a metro-area distance (typical of hydro facilities) using a commercial QKD system. The key metric governing QKD system performance is the secret key rate (SKR), the (average) number of secret bits generated and distributed securely between parties per second. SKR, while largely dependent on the type of system and QKD protocol employed, is ultimately determined by the optical loss on a given fiber link. This loss $\gamma$, expressed in units of dB, is largely due to the fiber's attenuation $a$ dB/km, which typically arises due to absorption and scattering mechanisms and can be written for a fiber of length $L$ km as: $\gamma = aL$. It is crucial to minimize the losses, which also can be exacerbated by fiber-to-fiber connectors, sharp fiber bending, and splicing. High losses can compromise the effectiveness and security of the QKD process. The greater the optical loss, the lower the SKR, and vice versa. In situations where the optical link loss is significant, the SKR can be zero, indicating that no secret keys can be generated. From a practical standpoint, as noted above optical losses receive contributions from two main factors: the physical distance along the fiber between two points (length attenuation); and splice, or connection loss. The former is indicative of intrinsic material losses in the optical fiber itself. Modern optical fibers exhibit ≈ (0.2 − 0.5) dB/km depending on fiber type, manufacturer, and wavelength of light. The latter is indicative of fiber-to-fiber connections, including in-field splices during deployment or following line breakage, and patch cable connections within a communications facility or substation. For this attenuation range, if, as simulated in Fig. 6, the fiber is 175 km long, the total loss in the fiber will be in the range: $\gamma = aL$ = (34.4 − 87.5) dB. Consequently, a viable QKD deployment must evaluate the optical fiber conditions from points A to B, and link-specific SKR must be measured.
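The two OTP requirements stated above (key bits used once only, message no longer than the available key), and the bit-by-bit XOR encoding mentioned in Section III, can be enforced in software as sketched below. This is an added example, not code from the paper: the class and function names are hypothetical, the shared key is a local stand-in for QKD output, and the command string and key rate are constructed sample values.

```python
import secrets


class KeyExhausted(Exception):
    """Raised when fewer unused key bytes remain than the message needs."""


class OtpKeyPool:
    """Holds key bytes delivered by the QKD link and hands each byte out once."""

    def __init__(self, key_material):
        self._key = bytearray(key_material)
        self._next = 0  # offset of the first unused key byte

    def remaining(self):
        return len(self._key) - self._next

    def _consume(self, start, length):
        if start != self._next:
            # Sender and receiver must consume the key in lock step.
            raise ValueError("key offset mismatch: replayed or lost message")
        if length > self.remaining():
            raise KeyExhausted(f"need {length} bytes, have {self.remaining()}")
        pad = bytes(self._key[start:start + length])
        self._key[start:start + length] = bytes(length)  # wipe used key bytes
        self._next += length
        return pad

    def encrypt(self, message):
        start = self._next
        pad = self._consume(start, len(message))
        return start, bytes(m ^ k for m, k in zip(message, pad))

    def decrypt(self, start, ciphertext):
        pad = self._consume(start, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, pad))


def max_messages_per_second(key_rate_bps, message_bytes):
    """Message rate an OTP link can sustain at a given secret key rate."""
    return key_rate_bps / (8 * message_bytes)


def demo():
    shared = secrets.token_bytes(64)      # stand-in for QKD-delivered key bytes
    control_room = OtpKeyPool(shared)
    controller = OtpKeyPool(shared)
    command = b"GATE_SETPOINT=42.5"       # constructed sample command
    start, ciphertext = control_room.encrypt(command)
    recovered = controller.decrypt(start, ciphertext)

    replay_rejected = False
    try:
        controller.decrypt(start, ciphertext)   # same key bytes a second time
    except ValueError:
        replay_rejected = True

    exhausted = False
    try:
        control_room.encrypt(bytes(control_room.remaining() + 1))
    except KeyExhausted:
        exhausted = True
    return recovered, replay_rejected, exhausted, control_room.remaining()


if __name__ == "__main__":
    print(demo())
    print(max_messages_per_second(25_000, 18))  # sample key rate in bit/s
```

XOR with a one-time key provides confidentiality only: a ciphertext altered in transit decrypts to an altered command, so the authentication step the text places alongside encryption is still required.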
In QKD, the eventual length of the secure key is determined by several factors including channel noise, error rates, and the specifics of the chosen protocol. While longer data collection times can yield larger secret keys, this could introduce delays before the key becomes available for encryption purposes. This is due to the need for post-processing steps like error correction, privacy amplification, and particularly the estimation of parameters such as the quantum bit error rate (QBER) using a substantial portion of the raw key. For real-world applications in hydropower plants, system optimization becomes vital. For instance, when several single-photon detectors in a command center are shared between remote links, the time each remote device utilizes a given detector should be optimized to reduce the total number of necessary detectors. This not only aids in efficient key generation but also in minimizing costs associated with hardware. The key rate or efficiency is not determined by a pre-selected length but rather emerges from the conditions of the quantum channel and post-processing. Practical QKD systems also need to address finite-size effects, where the security of the generated key can be influenced by statistical fluctuations, especially in systems with limited exchanged qubits. These effects become crucial in real-world applications such as hydropower plants, where reliable and timely key generation might be essential. An understanding of the communication frequency and topology between devices in such environments will be pivotal in tailoring QKD systems for optimal performance and cost-efficiency.
Figure 6 depicts how the SKR varies with distance for different key lengths, highlighting the impact of channel loss on the key rate. Similarly, Figure 6 illustrates the SKR's sensitivity to misalignment angles in the system. The secure key rate (SKR), as derived from the theoretical framework introduced by Lim et al. [37], illustrates this dependency. In the protocol proposed by Lim et al., Alice sends Bob randomly polarized coherent states in two orthogonal bases: X and Z. While the X basis contributes to the secure key, the Z basis states are publicly disclosed to estimate the error rate in the X basis. The effective secure key length $L_{\mathrm{key}}$ is then described by: where $s_{x,0}$ and $s_{x,1}$ represent the number of dark counts and single-photon counts at Bob's detector, respectively. The term $\phi_x$ denotes the error rate in the x basis. The binary entropy function $h(\phi_x)$ [38] is given by: which captures the maximum information Eve can deduce about the total key given the shared bits used to determine the error rate. As such, the term $s_{x,1} h(\phi_x)$ must be subtracted from the total to yield a portion of the key that remains concealed from Eve. $\mathrm{Leak}_{EC}$ encapsulates the information exposed during error correction, while the concluding terms address finite size effects. A deeper analysis, especially of terms rooted in the X basis signals and shaped by the sacrificed Z basis signals, is detailed in [37]. Figure 6 illustrates how the choice of key length, influenced by finite size statistics, affects the secure key rate and associated generation time. Specifically, at a distance of 1 km, starting with the aim to distill a 100-million-bit secure key yields a sifted key rate of approximately 98 kbps. In contrast, aiming for a 100-thousand-bit secure key results in a sifted key rate of about 25 kbps. Nevertheless, the larger initial key length necessitates a longer data collection duration: 17 minutes compared to the mere 4 seconds required for the shorter initial key length. In a continually operating secure communication system, these trade-offs highlight the importance of preemptive considerations. Factors such as communication frequency, average message size, and required security levels play a pivotal role in optimizing system performance and cost. Such metrics also influence choices regarding the QKD protocol, quantum encoding strategy, and equipment selection, ensuring that the system meets or exceeds the desired performance benchmarks.
The unique environment of a hydropower plant (see Table II) introduces specific imperfections crucial in the context of a QKD system. Predominantly, additional loss and noise from such a setting can elevate the QBER of the QKD system. Given the finite size effect in the context of secure encryption, variations in QBER invariably gravitate towards the maximum bound of error. Hence, fluctuations introduced by the dam environment can be quite influential.
FIG. 6. The secure key rate as a function of the distance between communicating parties, derived from fiber-based loss and error models according to Eqs. 2 and 3. This representation assumes a decoy-state BB84 variant of QKD, with parameters grounded in real-world and feasible experimental setups. As can be seen, for longer key lengths, the allowable communication distance before the SKR becomes impractical is reduced.

An example of such a system, simulated at the University of Tennessee for a free-space deployment, is presented in [39]. Conventional devices, including a 1550 nm continuous wave laser and single photon avalanche detectors, were employed in their work.
The channel error model used for QKD simulations is described by Eq. 4 [37]: where $e_k$ is the error rate for a coherent pulse with intensity $k$, $p_{\text{dc}}$ is the background noise rate of the detector (dark count rate), $p_{\text{ap}}$ is the after-pulse probability, and $D_k$ is the detection rate. $\eta_{\text{ch}}$ represents the loss due to the fiber optic cables and is given by $\eta_{\text{ch}} = 10^{-0.2L/10}$, with $L$ being the fiber length in km. The term $e_{\text{mis}}$ stands for the probability of error due to polarization changes in the channel and can be influenced by environmental factors.
Given that turbine operations, with their frequencies typically around 1 Hz and 30 Hz (Table II), can introduce vibrations of typically less than 1 mm in amplitude and that generators, operating at either 50 Hz or 60 Hz, induce similar amplitudes of vibrations, the environment's vibrational noise becomes crucial. Environmental factors, from seismic activities to localized events like machinery operations, can further introduce vibrational noise that influences the polarization states in fiber optics, which are sensitive to such changes [40]. Understanding and mitigating these effects is pivotal for QKD. For instance, correlating the vibrational frequency and amplitude data with phase changes in the QKD system could enable real-time counteraction of potential misalignments. As observed in Fig. 6, longer raw key lengths facilitate secure key generation even at higher misalignments, an important consideration in a noise-prone dam environment. To ensure high secure key rates, hydro QKD systems should adopt polarization stabilization techniques [41,42]. Typically, stabilization is achieved through feedback loops that monitor changes in the final state, enabling the sender to effectuate corrections. Given that numerous dams employ fiber-based sensors [43,44], integrating such vibrational and noise data into the stabilization algorithm offers a promising avenue to maintain optical alignment, optimizing the QKD system's performance.
With measured SKR metrics in hand, the most appropriate cybersecurity strategy for QKD-secured hydro communications should be evaluated. This can be guided by the following principle: if the classical communication bandwidth needs for hydro are less than the SKR, then OTP may be employed (i.e., number of QKD bits > number of classical bits requiring encryption). However, if the classical communication bandwidth needs exceed the link-specific SKR, then an ITS alternative method must be employed, in which the same QKD key can be used to authenticate multiple messages as long as a QRNG supplies a new nonce [9]. Finally, regardless of the cryptography option above (OTP or authentication), the interface required to supply QKD keys to the user/application must be developed. This is dependent on the type, vendor, and model of the user/application, and on the methods by which the device allows ingestion of external (i.e., QKD) key material. This final experiment will demonstrate the encryption/decryption of realistic hydropower command/control communications using QKD-supplied keys. Performance challenges include SKR changes with variations in the environment in which the subsystems of QKD are to operate. Dealing with various sources of noise (including those in Table II) is of great importance in the successful generation of keys. For example, when both quantum and classical light are considered over the channel, a concern arises from "Raman noise", which is unwanted light generated in the fiber material due to the use of stronger classical light. This effect is particularly pronounced when the wavelengths of the quantum and classical signals are closely multiplexed. However, when they are in separate bands, such as the quantum signal in the O band and the classical signal in the C band, the impact of Raman scattering is substantially mitigated [45,46]. Appropriate hardware choices can be made to better address the challenges and noise sources associated with the specific setting of the hydro facility. Although several QKD protocols exist, the well-established Bennett-Brassard protocol (BB84 protocol) makes for a suitable trial. Using the software, the dam communications can be interfaced with QKD keys. Similar experiments have been effectively performed to analyze and address implementation challenges facing the deployment of QKD systems in critical infrastructure, for example as demonstrated in the recent field test of three QKD systems on a real-world electric utility optical fiber network [10], where one endpoint was a hydro/dam.

FIG. 7. The secure key rate, depicted as a function of the misalignment angle, relies on Eq. 2 and Eq. 4. Notably, commencing with a longer sifted key provides a buffer against higher degrees of polarization rotation in the quantum channel.

V. CONCLUSIONS AND OUTLOOK
Witnessing the overall growth trends of quantum technologies in solving energy infrastructure problems, the presented material introduced the specific use case of the hydro energy sector. The preliminary discussions presented may help the creation of a more specialized "Quantum for Hydro" roadmap. Parameters that characterize the hydro/dam environment, as summarized in Table II, are different from those found in a laboratory setting. Some of the parameters likely also differ from those encountered in the electric power grid substations where QKD has been demonstrated. Typical ambient real-world environmental conditions of importance to the performance of any technical measuring device include temperature, humidity, and various noise levels (electromagnetic, acoustic, wind, corrosion, contamination, etc.). QKD is built from sensitive optical and electronic components and devices, each with a set of specifications. Therefore, these parameters, if for example out of range, could impact the rate of key generation. Consideration of the application of quantum sensing for environmental monitoring may also prove useful in conjunction with QKD. In compiling such a roadmap, important issues such as interoperability between QKD systems that operate with dissimilar implementations must be considered. In doing so, QKD standards by the ETSI Quantum-Safe Cryptography Working Group, and QKD network and QKD systems activities within ITU-T SG13 and SG17, respectively, will be put in perspective [10].
- For the first bit (1), Alice chooses the rectilinear basis and sends |1⟩.
- For the second bit (1), Alice chooses the diagonal basis and sends |−⟩.

Step 2: Measurement by Bob
• Bob randomly selects a basis for each received qubit and performs a measurement.
- For the first qubit, he chooses rectilinear and measures 1.
- For the second qubit, he chooses rectilinear (a mismatch with Alice) and gets a random result, say 0.
- For the third qubit, he chooses rectilinear and measures 0.

Step 3: Basis Discussion
• Alice and Bob publicly disclose the bases they used.
• They compare their choices:
- For the first bit, both chose rectilinear; they retain Bob's result.
- For the second bit, they used different bases; they discard Bob's result.
- For the third bit, both chose rectilinear; they retain Bob's result.
• Their resulting raw key is now: 10.

Step 4: Error Estimation
• A subset of the raw key is selected for error testing.
• They compare their respective bits in this subset publicly.
• If QBER exceeds a threshold, the protocol is aborted due to potential eavesdropping.

Step 5: Privacy Amplification
• Aims to reduce any potential eavesdropper's information to an insignificant level.
• Two-universal hash functions might be applied to the key to produce a shorter, more secure key. For example, take the raw key to be: 1011010101. Consider a very basic hash function defined as:
- Break the string into groups of 2.
- For each group:
* If it is 00, it maps to 0.
* If it is 01 or 10, it maps to 1.
* If it is 11, it maps to 0.
Given the original key: 10 11 01 01 01, applying the hash function produces: 1 0 1 1 1, which is shorter than the original key as a result of a specific transformation.
• Classical error-correcting codes can be used to rectify errors introduced by the quantum channel. For example, consider the Hamming(7,4) code [48]:
- Designed to encode 4 bits of data into 7 bits by adding 3 parity bits.
- The error is detected and corrected using the parity bits, restoring the original encoded string.

Our plaintext message "dam" has a length of 21 bits, as noted above. Due to the probabilistic nature of quantum measurements and the random choice of bases, typically only around 50% of the initially sent qubits contribute to the raw key after key sifting. So, if Alice wants to ensure a shared secret key of length 21 bits (to match the plaintext message length), she will need to initiate the process with more than 42 qubits (assuming a 50% retention rate after sifting). Thus, the process requires the transmission of a greater number of qubits than the intended message length due to the key sifting process and potential eavesdropping checks.
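
The steps of this appendix can be run end to end. The Python sketch below is an added illustration, not code from the paper: it simulates sifting, error estimation with an abort, the pairwise hash from Step 5, and one-time-pad encryption of "dam". The 0.11 abort threshold, the 7-bit ASCII encoding, the 50% disclosure fraction, and all function names are assumptions made for the example.

```python
import random

QBER_ABORT = 0.11  # assumed abort threshold; the text does not give a value

def transmit(n, rng, eve=False):
    """Steps 1-2; eve=True adds an intercept-resend eavesdropper."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice("RD") for _ in range(n)]  # R rectilinear, D diagonal
    b_bases = [rng.choice("RD") for _ in range(n)]
    b_bits = []
    for bit, src, dst in zip(a_bits, a_bases, b_bases):
        if eve:  # a wrong-basis measurement randomises the bit Eve forwards
            e_basis = rng.choice("RD")
            bit, src = (bit if e_basis == src else rng.randrange(2)), e_basis
        b_bits.append(bit if dst == src else rng.randrange(2))
    return a_bits, a_bases, b_bases, b_bits

def sift(a_bits, a_bases, b_bases, b_bits):
    """Step 3: keep only positions where the announced bases match."""
    keep = [i for i in range(len(a_bits)) if a_bases[i] == b_bases[i]]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]

def estimate_qber(a_key, b_key, rng, fraction=0.5):
    """Step 4: disclose a random subset; return (QBER, Alice rest, Bob rest)."""
    idx = set(rng.sample(range(len(a_key)), max(1, int(len(a_key) * fraction))))
    qber = sum(a_key[i] != b_key[i] for i in idx) / len(idx)
    rest = [i for i in range(len(a_key)) if i not in idx]
    return qber, [a_key[i] for i in rest], [b_key[i] for i in rest]

def pair_parity_hash(bits):
    """Step 5 toy hash from the text: 00->0, 01/10->1, 11->0 (XOR per pair)."""
    return [bits[i] ^ bits[i + 1] for i in range(0, len(bits) - 1, 2)]

def establish_key(n, rng, eve=False):
    """Run steps 1-5; abort when the sampled QBER exceeds the threshold."""
    a_key, b_key = sift(*transmit(n, rng, eve))
    qber, a_rest, b_rest = estimate_qber(a_key, b_key, rng)
    if qber > QBER_ABORT:
        raise RuntimeError(f"QBER {qber:.2f} exceeds {QBER_ABORT}: abort")
    return pair_parity_hash(a_rest), pair_parity_hash(b_rest)

def text_to_bits(text):
    """7-bit ASCII (assumed encoding), which makes "dam" 21 bits long."""
    return [int(c) for ch in text for c in format(ord(ch), "07b")]

def otp(bits, key):
    """One-time pad: XOR with key bits that are never reused."""
    if len(key) < len(bits):
        raise ValueError("not enough key material for a one-time pad")
    return [b ^ k for b, k in zip(bits, key)]

if __name__ == "__main__":
    ka, kb = establish_key(400, random.Random(2024))  # seeded demo; real keys need a QRNG
    print(otp(otp(text_to_bits("dam"), ka), kb) == text_to_bits("dam"))
```

In this sketch roughly one eighth of the transmitted qubits survive as key bits (half lost to sifting, half of the rest disclosed for error estimation, half again removed by the hash), so a 21-bit pad needs well over 42 qubits.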
Appendix B: Tables

Secure keys via QKD encrypt communication, thwarting unauthorized access to the control system.

Sensor Spoofing [49]
Interference with sensors, leading to inaccurate readings and unsafe operations.
Dam failure, potential loss of life, and environmental damage.
Secure or authenticated communication between sensors and control system, reveals data tampering.

Communication Interception [6]
Interception or injection of malicious commands in communication channels.
Secure communication between control systems and authorized personnel, preventing unauthorized access.

TABLE III. Basic Noise Sources in QKD Systems in Laboratory Settings (see also [13][14][15][16][17])

Noise Source Description
Quantum Bit Error Ratio (QBER)
Represents the ratio of bits that are received in error. Though not a direct noise source, QBER quantifies the impact of various technical factors and imperfections in QKD systems.

Dark Counts
False counts arising in photon detectors due to thermal fluctuations or other non-signal measurement events.

Dead Time
Time taken by a detector to recover after detecting a photon. Photons arriving during this interval can lead to loss.

Detector Jitter
Uncertainty in a detector's time response when it receives a signal, arising from electronic and photonic fluctuations.

Beam Splitting/Coupling Inefficiencies
Imperfections in beam splitters or inefficient coupling into optical fibers leading to photon loss.

Fiber or Channel Attenuation
Losses in the optical channel or the transmission fiber.

Multi-Photon Emissions
Occurrences when sources produce multi-photon pulses, introducing vulnerabilities and noise.

Phase Fluctuations
In protocols like Differential Phase Shift QKD, phase fluctuations in transmission fiber can cause errors.

• Suitable for existing optical fiber networks.
• Direct point-to-point setups for small-scale plants.
• Economically efficient for short distances.

Decoy State QKD
• Robust against photon number splitting attacks.
• Beneficial for medium to large-scale plants with potential eavesdropping threats.

Continuous-Variable QKD
• Preferred for metropolitan-area networks.
• Requires direct trusted relay and quantum repeaters for long distances.
• Suitable for high transmission rate requirements.

MDI-QKD
• Ideal for infrastructures at risk from sophisticated adversaries.
• Eliminates detector side-channel vulnerabilities at center detection node.
• May require higher initial investment for equipment.

Satellite-based QKD
• Best for remote facilities over vast areas.
• Capital-intensive but offers broad coverage.
• Enables global scale secure communications but at low rates.
• Requires clear sky conditions for optimal operations.

Other Considerations
• Maintenance and operational costs.
• Scalability to future expansions.
• Interoperability with existing communication systems.
• Training and expertise requirements.
• Key management/revocation/lawful intercept requirements

TABLE V. Basic Post-processing Steps in QKD (see Fig. 5, and R. Wolf [28] for further reading)

Step Description/Equation

Error Estimation
QBER = (number of error bits) / (total number of bits exchanged)

Information Reconciliation
Uses error-correcting codes to rectify key discrepancies. The Cascade protocol is popular; it entails key division, shuffling, and parity comparison.

Privacy Amplification
Aims to eliminate any eavesdropper's partial information. Typically employs universal hash functions, represented as: $k = f(k_{\text{raw}})$.

Key Sifting
Particularly relevant in the BB84 protocol. Alice and Bob publicly disclose the bases chosen for each qubit. Qubits with differing bases are discarded.

Authentication
Confirms genuine communication between Alice and Bob. Utilizes classical authentication methods in tandem with previously shared secret keys.

Leakage During Error Correction ($\text{Leak}_{\text{EC}}$)
The segment of key information that might be exposed to an eavesdropper during error correction procedures in the QKD protocol.

Misalignment Angle
Refers to the variation in the angle of the initial polarization state, which can be caused by factors such as thermal fluctuations or physical stress on the fiber.

One-Time Pad (OTP)
A method of encryption where a message is combined with a key using exclusive OR (XOR) operation.

Phase Modulation
The modulation of the phase of a carrier signal to encode information, often used in QKD systems to encode quantum information.

Photon Avalanche Detectors
Photodetectors that can detect low-intensity light down to single photons, often used in QKD setups.

Polarization
Refers to the orientation of oscillations in electromagnetic waves, used to encode information in quantum states in the context of QKD.

Quantum Bit Error Rate (QBER)
The rate of errors that occur during quantum transmission.

Quantum Cryptography (QC)
A method of securing communication channels by applying quantum mechanics principles.

Quantum Key Distribution (QKD)
A cryptographic protocol based on quantum mechanics to securely distribute random private keys between two parties.

Secure Key Length (L)
The length of the secure key, here denoted $L_{\text{key}}$, in a QKD system, chosen based on various parameters to maintain a balance between security and system performance.

Secure Key Rate (SKR)
The rate at which a QKD system can produce secure shared private keys, influenced by factors like distance and error rate. A metric to evaluate the performance of a QKD system.

Secure Rate Formula
A mathematical representation of the rate at which a QKD system can generate secure keys.

Total Optical Loss (γ)
Represented in units of dB, it measures the total loss in the system, arising due to the fiber's attenuation (a) and the length of the fiber (L).

FIG. 2. Schematic depiction of feedback loop for control of the hydro-electric process. Multiple points of vulnerabilities can be readily identified.

TABLE I. Brief List of Basic Cybersecurity Issues and the Role of QKD for Dams