Energy

No Govern or Identify function requires verification that control system computational capacity meets the Landauer-bounded minimum for the thermal environment of the system being controlled.

Action Items:

• Add Landauer bound verification as a required control under ID.RA (Risk Assessment) for any critical infrastructure control system operating above 400K
• Develop measurement methodology for thermodynamic controllability ratio (𝓜 = Landauer power floor / system thermal output) as a standardized safety metric
• Issue guidance requiring that control system adequacy be expressed not only in reliability terms but in information-theoretic terms
• Create a new CSF subcategory: ID.RA-X — Thermodynamic Feasibility of Safety Functions
• Require that safety function verification include confirmation that the computational bit rate demanded by the physical process does not exceed available processing capacity at operating temperature

SP 800-82 addresses cybersecurity of industrial control systems but contains no guidance on the physical thermodynamic limits of those systems as a security and safety boundary.

Action Items:

• Revise SP 800-82 to include a thermodynamic feasibility section for control systems in high-temperature environments
• Define a new threat category: thermodynamic boundary violation — where a control system is architecturally incapable of responding within the physical timescales demanded by the process it controls
• Require that ICS security assessments for nuclear and high-temperature industrial systems include Landauer-bound analysis as a baseline adequacy check
• Issue an SP 800-82 revision notice flagging fusion and high-temperature plasma systems as requiring separate thermodynamic controllability analysis before security controls can be meaningfully evaluated

No control family in SP 800-53 addresses the physical thermodynamic limits of information processing systems as a control baseline requirement.

Action Items:

• Add a control under SA (System and Services Acquisition) requiring thermodynamic feasibility documentation for safety-critical control systems
• Expand SI-12 (Information Management and Retention) to include information-energy accounting for systems where Landauer costs are material to system performance
• Create a new control family: TE — Thermodynamic Efficiency, requiring organizations operating critical infrastructure to document and disclose the Landauer floor of their control systems
• Issue supplemental guidance connecting TE controls to existing RA (Risk Assessment) and SA (System Acquisition) families

Risk assessment methodology treats computational systems as logical constructs with failure probabilities but never as physical thermodynamic systems with hard energy floors.

Action Items:

• Revise threat taxonomy to include thermodynamic boundary as a threat source category distinct from adversarial, accidental, and environmental
• Add thermodynamic controllability ratio (𝓜) as a required input to risk assessment for systems operating critical infrastructure at elevated temperatures
• Develop guidance for quantifying the risk contribution of operating a control system near or beyond its Landauer-bounded capacity
• Require that residual risk calculations for nuclear and high-temperature systems account for irreducible information-energy costs that cannot be engineered away

FIPS 140-3 establishes security requirements for cryptographic modules but contains no requirement to verify that the module operates within thermodynamically feasible bounds for its deployment environment.

Action Items:

• Add a thermal environment declaration requirement to FIPS 140-3 certification — modules deployed in elevated temperature environments must document their Landauer cost per operation at that temperature
• Create a FIPS validation category for thermodynamic operating envelope — certifying not just cryptographic correctness but physical feasibility at deployment temperature
• Issue guidance distinguishing between cryptographic security (logical) and thermodynamic security (physical) as complementary and both necessary for critical infrastructure

CSF contains no category for computing systems whose architecture mandates energy consumption in excess of the Landauer minimum as a functional requirement, creating an unregulated class of thermodynamic infrastructure threat.

Action Items:

• Define a new asset category in CSF Identify function: Thermodynamically Inefficient Critical Load — systems where protocol design mandates energy consumption orders of magnitude above the Landauer floor
• Require that organizations operating such systems disclose the ratio of actual energy consumption to Landauer minimum as a standardized efficiency metric
• Develop measurement methodology for productive computation ratio — distinguishing energy that produces information with social or scientific value from energy consumed to produce artificial scarcity or difficulty
• Issue guidance classifying protocol-mandated waste heat as a physical infrastructure risk requiring the same disclosure as other thermal and environmental hazards
• Create CSF profile guidance for grid operators, water utilities, and environmental agencies to assess thermodynamic load threats from collocated high-consumption computing facilities

No NIST practice guide addresses thermodynamic limits as a cybersecurity and safety consideration for critical infrastructure operators.

Action Items:

• Commission a new SP 1800-XX: Thermodynamic Feasibility Assessment for Critical Infrastructure Control Systems
• The guide should cover: Landauer bound calculation methodology, controllability ratio assessment, multi-scale control requirement estimation, and disclosure requirements for federal licensing bodies
• Develop reference implementations for fission reactor control systems, grid management systems, and high-temperature industrial processes
• Create a self-assessment toolkit allowing critical infrastructure operators to evaluate their control systems against thermodynamic feasibility standards before and during licensing

The NICE Cybersecurity Workforce Framework contains no knowledge, skill, or ability (KSA) relating to thermodynamic physics as a competency for critical infrastructure security roles.

Action Items:

• Add KSA entries for thermodynamic feasibility analysis to the NICE Framework work roles covering industrial control systems, nuclear facilities, and critical infrastructure
• Develop training guidance connecting information theory, Landauer's principle, and physical system limits as a required competency for ICS security professionals
• Require that nuclear facility cybersecurity personnel demonstrate understanding of thermodynamic controllability as part of role qualification
• Partner with DOE and NRC to integrate thermodynamic feasibility into existing nuclear operator and security training curricula

NIST has no measurement standard for information-energy as a physical quantity, despite the Infoton framework establishing m(T) = kBT ln(2)/c² as a calculable, temperature-dependent physical value.

Action Items:

• Initiate a measurement science program to establish SI-compatible standards for information-energy quantities including Landauer energy per bit at specified temperatures
• Develop calibration methodology for thermodynamic efficiency of computing systems expressed against the Landauer floor
• Issue a NIST Technical Note establishing the thermodynamic controllability ratio 𝓜 as a standardized, measurable quantity for critical infrastructure assessment
• Coordinate with BIPM to evaluate whether information-energy warrants formal recognition as a derived SI quantity given its derivation from established constants kB, T, and c