The unaddressed cyber frontier: Level 0 sensor measurement integrity
Anna Ribiero from the Industrial Cyber Newsletter asked me the following six questions about Purdue Reference Model Level 0, 1 and 2 devices/systems. These are very good questions that have not been adequately addressed in the “mainstream” discussions about OT cybersecurity.
- Why are Levels 0 to 2, where sensors, actuators and controllers operate, emerging as the next frontier for industrial cyber threats, and what makes these layers so challenging to secure?
- How do legacy system designs, real-time operational constraints and vendor dependencies complicate efforts to introduce cybersecurity without disrupting critical physical processes?
- Compared with upper layers such as SCADA or enterprise networks, what factors contribute to the ongoing lack of visibility and telemetry at Levels 0 to 2, and what advancements are beginning to close that gap?
- How do long equipment lifecycles and persistent practices such as default configurations, hardcoded credentials and weak network segmentation continue to affect resilience at the device and control levels?
- Are frameworks such as ISA/IEC 62443 and NIST 800-82 providing enough practical guidance to secure Levels 0 to 2, or does the industry need to move beyond zones and conduits toward a more holistic model that integrates process safety, system design and cybersecurity to protect the entire cyber-physical system?
- Are we seeing real progress toward secure-by-design PLCs, sensors and embedded devices, or is that still more of an aspiration? What kind of collaboration between vendors, regulators, and operators is needed to make this shift happen at scale?
Technology issues
Level 0 sensors are engineering devices, not network security devices. To the networking community, Level 0 corresponds to, but is not the same as, the OSI Layer 1 physical layer. Network cybersecurity does not begin until Level 2, and tools exist for securing Level 2. However, Level 0 and Level 1 cyber issues can occur before getting to Level 2. IT/OT network defenders assume that Level 0 and 1 signals are uncompromised, authenticated, and correct.
Level 0 devices are the 100% trusted inputs to every other Level. Level 0 signals begin as analog and are converted to digital or directly to IP at Level 1. You cannot hack physics, but you can compromise the Level 0 sensing element, the Level 1 digital/IP conversion or the process sensor settings. As a result, if you can’t trust the Level 0 sensor signals, the “secure” data being sent to the rest of the levels as well as the OT network monitoring systems cannot be trusted. These Level 0 and 1 gaps apply to every facility in every sector.
Level 0 devices are operated and maintained by engineering and maintenance organizations with minimal participation from network security organizations. Conversely, at Level 2 there is often minimal participation from engineering and maintenance organizations. Cybersecurity advancements are occurring in Level 2 devices and Level 1 communication protocols, but cybersecurity advancements are not occurring at the same pace for the Level 0 devices.
On Mar. 16, 2022, NIST issued Special Publication 1800-10, Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector. That NIST report stated, “In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators” (emphasis added). Moreover, an acknowledged process industry instrumentation expert said, “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air-gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”
Generally, Level 0 and Level 1 equipment is replaced either because of equipment failures or obsolescence, not for cybersecurity considerations. Level 2 devices, on the other hand, may be replaced for cybersecurity reasons. Level 0 and Level 1 devices often have much longer lifetimes than typical IT/OT network equipment, so cybersecurity solutions need to consider these long lifetimes, and Level 0 devices need compensating controls to continue operating with cyber vulnerabilities for long periods of time.
Monitoring and controlling physical processes require meeting very specific constraints, like determinism and latency. It is critical that any cybersecurity additions not violate those design constraints. There are also issues with interoperability because control systems are “systems of systems” with multiple control system hardware and software suppliers and cybersecurity vendors. Monitoring Level 0 sensors at the physics level has no negative impact on the process while providing a positive return on investment as well as improved safety, which can be quite significant.
Actual cases
My experience with Level 0 process sensors began in the 1970s with nuclear plant instrumentation and control systems. There, safety-critical performance was governed by immutable regulatory proof. That work was not thought of as “cyber” but as engineering. To the engineering community (then and now), cybersecurity meant communications, networks, protocols and operating systems, not physics.
In the late 1980s, the need for Level 0 protection emerged from real events at the physics level. Some nuclear plant pump shaft cracks went undetected because the wrong vibration sensor technology was used. In another case, a manufacturing flaw led to non-detectable failures in nuclear plant safety process sensors; one of those compromised sensors contributed to a nuclear plant core melt. These were Level 0 trust failures — raw physics signals, wrong at the source.
In 2022, a productivity project (not a cybersecurity project) at a billion-dollar manufacturing facility applied physics-level monitoring and machine learning to diagnose chronic reliability issues in feed pumps and process sensors. Although HMI displays showed normal performance, raw sensor data tapped directly from signal wires told another story: misconfigured valves, failed sensors and improperly operating pumps—all invisible to standard displays. Those inaccuracies led to a 3% productivity loss while inadvertently creating conditions for man-in-the-middle compromises.
This and other projects have demonstrated that HMI displays irretrievably filtered out “higher” frequency Level 0 process sensor data, which are the indicators of the health of process sensors and physical processes. Robust control system performance does not necessarily mean no software errors. A 1993 fault detection report identified that filtering of data can result in “coincidental correctness”. That is, no failure was detected even though one or more faults actually occurred. Additionally, cyber attackers have used the lack of Level 0 sensor diagnostics to send spoofed sensor data. As a result, safety and security are compromised because the HMI is incapable of monitoring the necessary data.
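The filtering effect described above, as an added example that is not from the original article: constructed raw samples are reduced to an assumed HMI-style one-second average, then checked window by window for loss of their high-frequency noise signature. The sample rate, averaging window, noise levels and the 0.3 threshold are illustrative assumptions.

```python
import math
import random
import statistics

RAW_HZ = 100      # assumed sampling rate at the signal wire (samples/s)
WINDOW = 100      # assumed HMI behaviour: one 1 s average per displayed point

def make_signal(seconds, noise_sd, seed):
    """Constructed data: slow process trend plus sensor noise of size noise_sd."""
    rng = random.Random(seed)
    return [50.0 + 2.0 * math.sin(2 * math.pi * i / (60 * RAW_HZ))
            + rng.gauss(0.0, noise_sd) for i in range(seconds * RAW_HZ)]

def windows(raw):
    return [raw[i:i + WINDOW] for i in range(0, len(raw) - WINDOW + 1, WINDOW)]

def hmi_view(raw):
    """What the display keeps: block averages; faster content is discarded."""
    return [statistics.fmean(w) for w in windows(raw)]

def hf_energy(raw):
    """Per-window spread of sample-to-sample differences (the noise signature)."""
    return [statistics.pstdev([b - a for a, b in zip(w, w[1:])])
            for w in windows(raw)]

def flag_windows(raw, baseline, min_ratio=0.3):
    """Windows whose noise signature fell below min_ratio of the healthy baseline."""
    return [i for i, e in enumerate(hf_energy(raw)) if e < min_ratio * baseline]

def demo():
    healthy = make_signal(120, 0.05, seed=1)
    # Constructed fault: from t = 60 s the signal keeps the right value but
    # loses its normal noise (e.g. a failed or substituted signal source).
    suspect = healthy[:60 * RAW_HZ] + make_signal(120, 0.001, seed=2)[60 * RAW_HZ:]
    baseline = statistics.median(hf_energy(healthy))
    hmi_gap = max(abs(a - b) for a, b in zip(hmi_view(healthy), hmi_view(suspect)))
    return hmi_gap, flag_windows(healthy, baseline), flag_windows(suspect, baseline)

if __name__ == "__main__":
    gap, ok, bad = demo()
    print(f"largest HMI difference: {gap:.4f}")
    print(f"healthy windows flagged: {ok}")
    print(f"suspect windows flagged: {bad[0]}..{bad[-1]} ({len(bad)} windows)")
```

The averaged values of the two signals differ by less than a display would resolve, while the raw-rate check flags every window after the constructed fault begins.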
There have been hundreds of malicious and unintentional incidents at the Level 0 and Level 1 physics layer that have resulted in real physical impacts. Nation-state adversaries are actively exploiting Level 0 and Level 1 devices, including providing counterfeit Level 0 devices. Defending Level 2 and above networks while trusting unvalidated physics inputs is equivalent to securing a bank vault while blindly accepting counterfeit bills.
Industry guidance
ISA/IEC 62443 and NIST 800-82 provide guidance for Level 2 devices, but neither provides adequate compensating controls to monitor and secure legacy Level 0 devices. Level 0 and Level 1 cybersecurity efforts are being addressed in ISA84.09 (process safety and cybersecurity) where it was demonstrated that modern digital Level 0 sensors cannot meet most ISA 62443-4-2 cybersecurity requirements. As Sinclair Koelemij stated in his Nov. 17, 2025, blog, “When ‘Everyone Uses IEC 62443’ Becomes an Excuse to Avoid the Real Cyber Physical Risk Discussion,” “a purely digital framework cannot capture false trips from spoofed Level 0 sensor patterns, or silent Safety Instrumented Function failures caused by manipulated Level 0 signals. Yet these mechanisms decide whether a cyber event remains a controllable deviation or escalates into a process-safety incident.”
Summary
At Level 0, cybersecurity is still an aspiration: many regulators and others do not understand Level 0’s distinctive issues. However, there has been cybersecurity progress at Level 1 and Level 2, including addressing vendor interoperability issues and strengthening OT communication protocols. It is important for organizations to realize that Level 0 and Level 1 compromises are happening to them and not happening only to others. Level 0 is the last unprotected cyber frontier. Until the raw physical signals are independently validated, not inferred, upstream cybersecurity will always be one exploitable layer too late.
About the Author
Joe Weiss
Cybersecurity Contributor
Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]
