December 15, 2025
Industrial cybersecurity still assumes that data coming from Level 0 and Level 1 devices is trustworthy, yet the weakest and least protected part of many control systems sits exactly at this physical layer. Sensors and actuators live in the analog world; their signals (loop currents, voltages, pulses) are digitized by I/O modules, PLCs and RTUs at Level 1 and placed on the network, and from that point on the resulting values are implicitly trusted by every higher level of the Purdue model. In reality, compromise can occur long before any network defense engages: sensing elements can be tampered with, conversion hardware can be manipulated, and device settings can be altered to produce believable but false readings. Historical incidents in sectors such as nuclear power have already shown how the wrong sensor technology, hidden manufacturing defects, and filtered displays can mask serious failures or create "coincidental correctness," where a system appears healthy even as faults accumulate. Modern projects that tap raw physics-level data have uncovered misconfigured valves, failed sensors, and misbehaving pumps that never appeared on an HMI, showing that process safety and cyber integrity depend on what happens before the data ever reaches conventional monitoring tools.
Meanwhile, standards and guidance focus mainly on Level 2 and above, offering few compensating controls for legacy Level 0 devices with long lifecycles, no built-in cybersecurity, and minimal involvement from network security teams. Engineering and maintenance staff operate these assets under frameworks and assumptions that were never designed with modern cyber threats in mind, while nation-state adversaries and other attackers have already learned to exploit this blind spot, including through counterfeit devices and spoofed sensor patterns that can defeat safety functions or enable man-in-the-middle attacks. Progress is being made on Level 1 protocols and Level 2 equipment, but the foundational physics layer remains largely an "unseen frontier" that many regulators and organizations still do not fully grasp. Until raw sensor signals are independently validated and monitored at their source, every upstream defense, from OT network monitoring to enterprise SOC tooling, will remain one exploitable layer too late: securing the bank vault while still accepting counterfeit bills at the teller window.
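As an added illustration of what "independently validated at the source" can mean in practice (this is example code written for this page, not code from the post or from any product it mentions), the Python below compares a raw sample stream taken directly from a sensor loop with the values the control system reports for the same tag. It assumes a hypothetical 4-20 mA pressure transmitter, tag name "PT-101", scaled 0-10 bar, sampled once per second by a data-acquisition device that the PLC/HMI path cannot influence; the tag name, tolerances, rate limit and all sample values are constructed for the example. It flags the conditions the post describes: an open or shorted loop that the system still reports as a plausible number, a reported value that diverges from the physics, a physically impossible rate of change, and a reported value that freezes while the raw signal keeps moving (what a replayed "healthy" snapshot looks like).

```python
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List, Optional


@dataclass
class Finding:
    tag: str
    index: int   # sample index at which the condition was observed
    kind: str    # loop_fault | mismatch | rate_violation | frozen_reported
    detail: str


def ma_to_eu(ma: float, lo_eu: float, hi_eu: float) -> Optional[float]:
    """Scale a 4-20 mA loop current to engineering units.

    Currents outside roughly 3.8-20.5 mA mean an open/shorted loop or a
    transmitter signalling a fault (the NAMUR NE 43 convention), so they are
    returned as None instead of being turned into a plausible-looking value.
    """
    if ma < 3.8 or ma > 20.5:
        return None
    return lo_eu + (ma - 4.0) / 16.0 * (hi_eu - lo_eu)


def validate(tag: str, raw_ma: List[float], reported_eu: List[float],
             lo_eu: float = 0.0, hi_eu: float = 10.0, tol_eu: float = 0.2,
             max_rate_eu_per_s: float = 2.0, sample_s: float = 1.0,
             flat_window: int = 5) -> List[Finding]:
    """Compare an independent raw-loop sample stream with the values the
    control system reports for the same tag, sample by sample.
    tol_eu, max_rate_eu_per_s and flat_window are assumed per-tag limits."""
    findings: List[Finding] = []
    raw_eu = [ma_to_eu(x, lo_eu, hi_eu) for x in raw_ma]

    for i, (r, h) in enumerate(zip(raw_eu, reported_eu)):
        if r is None:
            findings.append(Finding(tag, i, "loop_fault",
                f"raw loop current {raw_ma[i]:.2f} mA is outside the measurement "
                f"band while the system reports {h:.2f}"))
            continue
        if abs(r - h) > tol_eu:
            findings.append(Finding(tag, i, "mismatch",
                f"raw {r:.2f} vs reported {h:.2f}"))
        prev = raw_eu[i - 1] if i > 0 else None
        if prev is not None and abs(r - prev) / sample_s > max_rate_eu_per_s:
            findings.append(Finding(tag, i, "rate_violation",
                f"raw moved {abs(r - prev):.2f} EU in {sample_s:g} s"))

    # A reported value that stops changing while the raw signal keeps moving
    # is what a replayed "healthy" snapshot looks like. Flag each run once,
    # at the sample where it reaches flat_window.
    run_start = 0
    for i in range(1, len(reported_eu)):
        if reported_eu[i] != reported_eu[run_start]:
            run_start = i
        elif i - run_start + 1 == flat_window:
            window = [x for x in raw_eu[run_start:i + 1] if x is not None]
            if len(window) == flat_window and pstdev(window) > tol_eu:
                findings.append(Finding(tag, i, "frozen_reported",
                    f"reported stuck at {reported_eu[i]:.2f} for {flat_window} "
                    f"samples while raw spread is {pstdev(window):.2f} EU"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data (not from any real plant): hypothetical transmitter
# "PT-101", 0-10 bar over 4-20 mA, one sample per second, pressure rising.
RAW_MA = [12.0, 12.0, 12.2, 12.4, 12.8, 13.2, 13.6, 14.0, 14.4, 14.8]
REPORTED_HONEST = [ma_to_eu(x, 0.0, 10.0) for x in RAW_MA]
# From sample 4 on, the reported value is held at the last "healthy" reading
# (5.5 bar) while the physical pressure keeps rising.
REPORTED_REPLAYED = REPORTED_HONEST[:4] + [5.5] * 6

if __name__ == "__main__":
    for f in validate("PT-101", RAW_MA, REPORTED_REPLAYED):
        print(f"{f.tag} sample {f.index}: {f.kind}: {f.detail}")
```

The check only proves something if the raw tap is acquired by hardware outside the PLC/HMI data path; if the same I/O card or conversion firmware feeds both streams, a manipulated conversion stage will agree with itself and none of the comparisons above will fire. The rate limit and tolerance are process-specific and should come from the engineering data for the loop, not from a generic default.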