December 28, 2025

Cybersecurity regulations assume a security posture for Level 0 devices that do not exist

Industrial control and operational technology (OT) cybersecurity frameworks often presuppose that the lowest tier of field instruments—Purdue Level 0 process sensors and actuators—possess intrinsic security capabilities such as authentication, integrity validation, logging, and forensic support. In reality, these devices lack any built-in cybersecurity functions, cannot authenticate signals, and provide no mechanism for verifying data trustworthiness or producing forensic evidence. Many regulatory standards and frameworks (including NERC CIP, ISA/IEC 62443, NIST 800-82, and various sector-specific guidance) implicitly treat Level 0 inputs as inherently trustworthy and either exclude them from scope or fail to mandate effective compensating controls, creating a gap between engineering reality and compliance assumptions. Compromise or failure at this physics level can have direct impacts on safety, reliability, and process outcomes, but the regulatory model does not currently align with this systemic vulnerability.

This disconnect poses a regulatory challenge because emerging laws such as the EU’s Cyber Resilience Act will impose secure development, authentication, logging, vulnerability management, and incident reporting requirements that Level 0 devices are fundamentally incapable of meeting. Regulators face difficult choices: enforcing unachievable requirements could disrupt supply chains and certification processes; exempting these devices would leave a significant attack surface unprotected; interim approaches such as out-of-band monitoring, enhanced anomaly detection, and updated training may be necessary until next-generation cybersecure instrumentation becomes viable at scale. Effective mitigation will require pragmatic alignment of standards with engineering capabilities, investment in external monitoring technologies, and the development of compensating controls that safeguard physical measurement integrity within critical infrastructure environments.

Source: http://scadamag.infracritical.com/index.php/2025/12/02/cybersecurity-regulations-assume-a-security-posture-for-level-0-devices-that-do-not-exist/
