Cybersecurity regulations assume a security posture for Level 0 devices that does not exist

The fundamental cybersecurity vulnerabilities of Level 0 process sensors in industrial systems
Dec. 1, 2025

An unjustified (and too often unexamined) assumption underlies the cybersecurity of manufacturing and industrial processes. You can’t be cybersecure or safe if you can’t trust your measurements. This reality creates a profound regulatory challenge because modern cybersecurity frameworks assume that these devices possess protections that are technologically infeasible today.

Purdue Reference Model Level 0 devices (process sensors and actuators) form the foundation of physical operations and are indispensable to process safety, reliability and productivity across critical infrastructures. Operational technology (OT) cybersecurity organizations, regulators and standards bodies globally have assumed the underlying field data feeding process automation systems are authenticated, uncompromised and trustworthy. Yet these devices have no capabilities for cybersecurity, authentication or cyber forensics. Consequently, Level 0 devices cannot authenticate signals, validate integrity or provide cyber forensic evidence. This erroneous assumption is deeply embedded in the design of such frameworks as:

  • NERC Critical Infrastructure Protection (CIP) Standards exclude Level 0 devices from cybersecurity requirements. At the Mar. 20, 2025, FERC/NERC supply chain risk management workshop, FERC and NERC representatives acknowledged that the exclusion of process sensors because of non-routable communications and the “Electronic Security Perimeter” issue needs to change, because compromise of process sensors can affect the reliable operation of Bulk Electric Systems.
  • ISA/IEC 62443 and NIST SP 800-82 acknowledge Level 0 but do not provide adequate compensating controls.
  • On Mar. 16, 2022, NIST issued NIST SP1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector, which said: “In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators.”
  • American Petroleum Institute (API) risk standards don’t address the cybersecurity of process sensors.
  • American Water Works Association (AWWA) risk and cybersecurity standards do not address cybersecurity of process sensors.
  • U.S. Coast Guard standards, https://www.ecfr.gov/current/title-33/chapter-I/subchapter-H/part-101, Subpart F—Cybersecurity, do not address the cybersecurity of process sensors.
  • The Network and Information Security Directive (NIS2) does not explicitly address the cybersecurity of process sensors at the device or signal-integrity level.
  • KRITIS (the German abbreviation for critical infrastructure) does not explicitly address legacy field-level devices as there is no explicit mandatory requirement that every low-level process sensor (pressure transmitter, analog 4-20 mA sensor, flow/level/temperature sensor, etc.) must support cybersecurity features (authentication, encryption, logging, etc.).
  • NEI-08-09, Rev 6, “Cyber Security Plan for Nuclear Power Reactors” does not explicitly address the cybersecurity of process sensors at the device or signal-integrity level.
  • IAEA Nuclear Security Series No. 33T (“Computer Security of Instrumentation and Control Systems at Nuclear Facilities”) does not explicitly address the cybersecurity of process sensors at the device or signal-integrity level.
  • CISA, TSA and EPA OT cybersecurity guidance address control systems but not the vulnerabilities at the sensor and actuator levels.
  • The SANS OT cybersecurity training does not address Level 0 devices. The recently issued “SANS State of OT Security 2025: What the Data Tells Us” report states:
    • Level 3 (Operations Systems): 19.7% reported full visibility.
    • Level 2 (Supervisory Control - SCADA/HMI): Just 10% reported full visibility.
    • Level 1 (Basic Control - PLCs/RTUs): Coverage is even thinner.
    • There was no mention of Level 0.

These and other frameworks that address critical infrastructures reflect an erroneous implicit belief that Level 0 signals are inherently trustworthy. However, real-world events, including accidental compromises, equipment failures and malicious manipulation, have demonstrated that Level 0 devices can be and have been compromised, sometimes with catastrophic consequences. The ultimate irony is that the insecure Level 0 devices were themselves manufactured using systems with insecure Level 0 devices. Where does the “root of trust” start?

As explained in my Nov. 21, 2025, blog, Level 0 devices have no cybersecurity, authentication or cyber forensics “by design.” This information is not new. In late 2017, I started a special working group within the International Society of Automation (ISA) 99 to develop cybersecurity considerations for legacy field devices that could be used throughout the equipment life cycle. The task group included members from many of the major Level 0 suppliers, government representatives and industry experts, including some from the microprocessor industry.

The equipment suppliers acknowledged that legacy Level 0 devices could not meet the requirements in ISA 62443-4-2 and would need compensating controls. The Level 0 device compensating controls were addressed by ISA84.09 (process safety and cybersecurity) because of the need to address cybersecurity of Level 0 devices to meet process safety requirements. As part of this effort, an ISA84.09 study identified that modern digital Level 0 sensors, in this case a modern wired safety pressure transmitter, could not meet most of the ISA 62443-4-2 cybersecurity requirements.

The challenge posed by the Cyber Resilience Act (CRA)

Tom Meany of Analog Devices raised a pivotal question: What happens when standards and regulations require cybersecurity capabilities that Level 0 devices cannot deliver? The European Union’s Cyber Resilience Act (CRA) imposes requirements including secure development practices, authentication, logging, vulnerability management and forensic capability — expectations that Level 0 devices fundamentally cannot meet due to engineering and certification constraints. For Level 0 devices, these unmeetable CRA requirements are similar to those in ISA 62443-4-2.

Because Level 0 devices are sold individually or incorporated into OEM-packaged systems, and because they are deployed globally and remain installed for decades, the CRA creates a looming supply chain risk and regulatory conflict between technical feasibility and legal compliance. This conflict is not limited to Europe; it will affect supply chains, compliance regimes, and operational risk globally.

CRA will be in place by 2027 and will have significant fines for lack of compliance.

Why industry should consider monitoring the Level 0 devices

Secured OT networks are intended to prevent cyber incursions but have no payoff other than potentially averting cyber compromises. However, monitoring the Level 0 devices at the physics level can provide a real return on investment as the accuracy of the process sensors has a direct impact on improved reliability, availability, safety and maintenance, while cybersecurity “comes along for the ride” (see the November 2022 issue of IEEE Computer, “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors”). In fact, if the Level 0 cybersecurity monitoring is performed out-of-band from the OT networks, the Level 0 monitoring becomes an independent validation of the OT network monitoring. Monitoring Level 0 devices at the physics level can also provide justification for continued operation when the IT or OT networks are compromised.

A growing gap between policy and engineering reality

Regulators have historically focused on securing networks, applications and supervisory systems, leaving the physical instrumentation layer unaddressed.

However, some in the worldwide cybersecurity community are starting to recognize that Level 0 vulnerabilities represent a systemic, architecture-level gap. The cyber-physical interface — where digital commands translate into real-world physical action — remains fundamentally unprotected. As a result:

  • Cybersecurity compliance does not equate to operational security or safety.
  • Safety and reliability systems assume trustworthy inputs that may not be trustworthy.
  • Existing compensating controls are insufficient, particularly at scale.
  • Existing cybersecurity training is inadequate to address the cybersecurity gaps in Level 0 devices.

What regulators must now confront

The central question is no longer whether Level 0 devices need cybersecurity. Rather, the question is what governments and regulators can require when the technological capability does not exist now and may not for many years.

Regulatory bodies face several options:

  1. Enforce requirements that devices cannot meet: This could lead to widespread non-compliance, supply chain disruption, halted device certifications, and significant fines.
  2. Exempt Level 0 devices from emerging cyber requirements: This acknowledges current limitations but leaves a well-understood attack surface unprotected.
  3. Develop interim standards grounded in engineering reality: Regulators may mandate external monitoring, improved anomaly detection, mandatory engineering and network security Level 0 cybersecurity training, and enhanced process-safety integration until truly cyber-capable Level 0 devices emerge.
  4. Coordinate long-term research and development: Meaningful embedded cybersecurity for Level 0 devices will require sustained vendor innovation, interdisciplinary research, updates to intrinsic safety, reliability, and certification methodologies, and Level 0 monitoring technologies.

Conclusion: a necessary rethinking of cyber regulations

The answer is a combination of options three and four. The lack of embedded cybersecurity in Level 0 devices forces a fundamental reexamination of current regulatory frameworks. Policymakers must acknowledge that existing regulations presuppose technological capabilities that are years away from being realized. Until next-generation cybersecure process sensors become available at scale, governments and industries must rely on external Level 0 monitoring at the physics level, enhanced operational practices, appropriate Level 0 cybersecurity training, and updated safety standards to protect critical infrastructure.

Failing to address this gap risks perpetuating a dangerous illusion of security and safety while the most vulnerable components of control systems remain exposed. The path forward requires pragmatic regulation aligned with engineering realities and a commitment to accelerating the development of secure, resilient Level 0 technologies and appropriate training.

About the Author

Joe Weiss

Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity.