The need for appropriate Purdue Reference Model Level 0 cybersecurity training
There’s a lot of attention being paid to what might broadly be called “network security.” Many people equate this to critical infrastructure cybersecurity. Unfortunately, this is a mistake. Network security typically doesn’t include the security of process sensors, actuators and other field devices, which the Purdue Reference Model categorizes as “Level 0.” With the lack of Level 0 cybersecurity, authentication and appropriate training, operational technology (OT) cybersecurity is built on a foundation of sand.
A look at some events demonstrates why this is an important and troubling oversight.
On Nov. 21, 2025, the ISA Calgary Section held a session on OT cybersecurity training. According to the session organizer, the discussion centered on the potential for cyberattacks on cyber-physical systems using hijacked sessions, stolen credentials or compromised encryption certificates. These are all certainly legitimate concerns for the upper levels of the Purdue Reference Model, where user sessions, certificates and authentication mechanisms exist.
However, these examples don’t apply to the Purdue Reference Model Level 0 devices that make physical operations possible. Level 0 devices, including process sensors, actuators and other field devices, have no sessions to hijack, no credentials to steal and no encryption certificates to compromise. These devices provide the raw data that drive safety, reliability and productivity, yet they have no inherent cybersecurity capabilities, no authentication of the signals they generate or receive, and no cyber forensics.
The agenda of the ISA Calgary Session meetings included:
- Greg Potter: Facility overview + emergency & evacuation procedures, overview of the Operations Technology Cyber Security Special Interest Group (OTCSSIG) activities, International Society of Automation (ISA) resources and upcoming events and session introduction
- Matt Rothkopf from ISA gave an overview of ISA OT training resources that addressed hardware, not cybersecurity.
- Jeff Hahn from the Idaho National Laboratory (INL) gave an overview of INL OT training resources that did not address specific Level 0 training.
- Stephen Mathezer from iON United gave an overview of SANS OT training resources that did not address Level 0 training. Some SANS courses (ICS410, ICS515) touch very lightly on instrumentation conceptually, but they do not provide technical cybersecurity training for sensors.
- Carla Marioni from Southern Alberta Institute of Technology (SAIT) gave an overview of SAIT OT training.
- I gave an overview of Level 0 control system cybersecurity issues and received the following LinkedIn response from one of the attendees:
“I had a chance to interact with Joe Weiss during today’s ISA OT Cybersecurity discussion, and his clarity around Level 0/Level 1 realities is something the industry continues to learn from. One of his points that stayed with me was his reminder that most control-system cyber issues never begin at the network. They begin quietly inside the process in the signals, the instrumentation, and the control logic that everyone assumes is trustworthy. It’s a perspective that feels very true when you work closely with industrial systems. LOTL-type behavior, subtle manipulation of values, and blind trust in raw field data are becoming defining challenges. In moments like this, it’s always the operators and maintenance teams who detect the first signs, long before any cybersecurity tool does. Conversations like today reinforce why modern architectures must place much more focus on field-level trust and component-level security. This is exactly where frameworks like IEC 62443-4-2 become essential — ensuring that individual components, from controllers to I/O modules, enforce security 'by design' rather than relying on external layers alone.”
While IEC 62443-4-2 provides an important framework, Level 0 devices in the field today predate these requirements, and they do not provide the basic capabilities the standard assumes. Many sectors are using ISA-62443 or a sector-specific modification. This means that multiple sectors that rely on the 62443 standards are not adequately addressing cybersecurity of Level 0 devices.
On Nov. 26, 2025, SANS published the results of their survey on LinkedIn: SANS State of OT Security 2025: What the Data Tells Us. The SANS report states:
"Breaking this down by Purdue Model levels tells an even starker story:
- Level 3 (Operations Systems): 19.7% report full visibility.
- Level 2 (Supervisory Control - SCADA/HMI): Just 10% report full visibility.
- Level 1 (Basic Control - PLCs/RTUs): Coverage is even thinner.” [SANS didn’t provide a percentage.]
There was no mention of Level 0 in the report. I included this SANS Level 0 training gap in my Dec. 1, 2025, blog. Jason Christopher of SANS responded to my comments on his announcement of the SANS report with the following:
“The blog post from Dragos above simplifies what was already simplified as "Level 0/1" in the actual SANS survey because there was no data distinction by survey participants from what security they performed at Level 1 vs. Level 0. There was no omission about Level 0 in the report, but the data clearly showed that ICS/OT security practices do not differentiate between the treatment of Level 0 vs. Level 1.”
To be clear, Level 0 is not the same as Level 1. This lack of distinction by practitioners is itself evidence that current OT cybersecurity training does not cover Level 0 in a meaningful or differentiated way. This is a clear message that OT cybersecurity experts are not being adequately taught the unique cybersecurity issues with Level 0 devices.
Level 0 cybersecurity issues are not new, and I expected that they would be addressed by now. However, that is not the case.
In early February 2025, the Cybersecurity and Infrastructure Security Agency (CISA) advertised that they were offering control system cybersecurity training at a college site. Consequently, I sent a note to the identified CISA personnel asking if the class included specific training on control system field devices such as process sensors, actuators and drives, or whether the training was mostly about OT networks. The response to my question came not from CISA, but from the Idaho National Laboratory (INL). The response stated:
“The training does not have specific training on field controllers or field devices. We do look at HMI creations, and an overview of the types of programming done on controllers including a short lab on ladder logic.”
Later that same month, I virtually attended a water cybersecurity conference where I asked what was being done about cyber securing Level 0 devices. Specifically, “Beyond SCADA, OT assets include process sensors, pumps, valves, drives and analyzers. There is no cybersecurity for these devices. IT is incapable of addressing these devices. How do you address these systems?” The onsite organization referred my question to EPA Washington. According to EPA’s response:
“For OT systems like those you have listed, we at EPA recommend common IT actions [emphasis added] such as:
- Maintain updated inventory of OT assets
- Require all OT vendors and service providers notify a utility of security incidents or vulnerabilities in a risk-informed timeframe
- Change default passwords
- Require unique and separate credentials for users to access OT and IT network
- Deny connections to the OT network unless explicitly allowed (e.g., by IP address and port)
- Require Multifactor Authentication wherever possible but at a minimum to remotely access OT networks
- Offer OT-specific cybersecurity training on at least an annual basis to personnel who use OT as part of their regular duties.”
EPA went on to state: “While there may not be many (if any) specific actions to take directly on the OT assets, there are ways to protect them through actions/trainings for other systems/networks that those OT assets interact with.” However, as noted in my Dec. 1 blog, IT actions do not apply to legacy Level 0 devices and there is no Level 0 cybersecurity training.
On Nov. 13, CISA held a two-hour training course on using Cyber Informed Engineering (CIE) on a water plant. Process sensors were mentioned but minimized by stating that erroneous sensor readings could be compensated for by using CIE. There are many examples where that assumption may not be true.
The lack of Level 0 cybersecurity training has led to a gap in the control system cybersecurity requirements for Level 0 procurement. This perpetuates the Level 0 device vulnerabilities across new projects and retrofits.
Summary
I expected by now there would be commercial and government organizations addressing the unique cybersecurity issues at Level 0. They are not. This disconnect highlights a fundamental problem: Much of today’s OT cybersecurity training assumes a security posture at Level 0 that simply does not exist. That is, just because Level 0 devices are not vulnerable to the threats that network security is used to addressing does not mean Level 0 devices are not cyber vulnerable.
The Calgary session, the SANS Level 0/1 conflation and inaccurate government responses to Level 0 issues reinforce the same point: the industry is not teaching, distinguishing or addressing Level 0 cybersecurity. Focusing on cyber mechanisms that only apply at higher Purdue levels leaves a critical blind spot in the protection of the physical process itself. What is needed is dedicated Level 0 cybersecurity training or the foundation of physical operations will remain vulnerable, regardless of how secure the upper layers of the system may appear.
Adversarial nation-states are aware of the Level 0 gap and the reticence by cyber defenders to address it. With the lack of Level 0 cybersecurity, authentication and appropriate training, OT cybersecurity is built on a foundation of sand.
About the Author
Joe Weiss
Cybersecurity Contributor
Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]

