What does the lack of cybersecurity in Level 0 devices mean to cybersecurity regulations?
Purdue Reference Model Level 0 devices (process sensors and actuators) are critical to the safety, reliability and productivity of industrial, manufacturing, building and transportation systems. This issue is not hypothetical, as there have been many Level 0 cyber incidents, some unintentional and others malicious, that have caused catastrophic failures in multiple sectors.
This is a difficult problem, and it doesn’t have any readily available, let alone easy, solutions. Current and evolving regulatory structures tend to assume that the technology for fixing this issue already exists. Unfortunately, it doesn’t.
As explained in my November 21, 2025, blog, Level 0 devices have no cybersecurity, authentication or cyber forensics “by design.” This information is not new. In late 2017, I started a special working group within International Society of Automation (ISA) 99 to develop cybersecurity considerations for legacy field devices that could be used throughout the equipment life cycle. The task group included members from many of the major Level 0 suppliers, government representatives and industry experts. The equipment suppliers acknowledged that legacy Level 0 devices could not meet the requirements in ISA 62443-4-2 and would need compensating controls.
The Level 0 device compensating controls were addressed by ISA84.09 (process safety and cybersecurity) because of the need to address cybersecurity of Level 0 devices to meet process safety requirements. As part of this effort, an ISA84.09 study identified that modern digital Level 0 sensors, in this case a modern wired safety pressure transmitter, could not meet most of the ISA 62443-4-2 cybersecurity requirements.
It’s a difficult challenge that won’t be met easily. Sinclair Koelemij, who retired from Honeywell, stated in his Nov. 22 blog, written in response to my Nov. 21 blog:
“...with 43 years on the vendor side of process automation, I’ve seen the real engineering constraints up close. The short version: meaningful embedded cybersecurity in sensors and actuators isn’t feasible today and won’t be for decades in safety-critical applications, not because vendors don’t care, but because physics, power, timing, explosion protection, and qualification realities simply don’t allow it.”
It will take a long time to develop the sort of technology that could secure Level 0 devices. The challenge we face is coming up with ways of operating securely and safely without embedded cybersecurity.
Also in response to my Nov. 21 blog, Tom Meany from Analog Devices asked whether the Cyber Resilience Act (CRA) will force a change, since Level 0 devices cannot meet the CRA Annex 1 requirements. Level 0 devices are sold individually and as part of packaged systems (supply chain). As these devices are sold globally, the same questions arise within North America and other international locations.
In North America, the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) cybersecurity requirements effectively exclude Level 0 devices. ISA/IEC 62443 and NIST 800-82 provide guidance for Level 2 devices, but neither provides adequate compensating controls to monitor and secure legacy Level 0 devices. The U.S. cybersecurity presidential executive orders, Cybersecurity and Information Security Agency (CISA) Operational Technology (OT) cybersecurity guidance, and Transportation Security Agency (TSA) and Environmental Protection Agency (EPA) OT guidance do not address the unique cyber issues of Level 0 devices either.
Regulations and standards assume that the sensor signal and actuator response are uncompromised, authenticated and accurate, and that they come with cyber forensic capabilities. But the technology to satisfy those assumptions simply doesn’t currently exist. Only monitoring and training will fill the safety and security gap at the sensor and actuator level until the next generation of cybersecure Level 0 devices is available at scale, which may take years. What will governments and regulators do?
About the Author
Joe Weiss
Cybersecurity Contributor
Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity.

