An unjustified assumption underlies the cybersecurity of manufacturing and industrial processes. You can’t be cybersecure or safe if you can’t trust your measurements. The lack of embedded cybersecurity in Level 0 devices forces a fundamental reexamination of current regulatory frameworks such as NERC CIP, ISA/IEC 62443-4-2, NIST SP 800-82, API, AWWA, NIS2, CRA, KRITIS, NEI-0809, IAEA 33T, CISA, TSA, and EPA, as they do not provide adequate compensating controls for Level 0 devices. Additionally, there is no OT cybersecurity training for Level 0 devices (SANS training doesn’t distinguish between Level 0 and Level 1). Policymakers must acknowledge that existing regulations presuppose technological capabilities that are years away from being realized.

The European Union’s Cyber Resilience Act (CRA) imposes requirements that Level 0 devices cannot meet due to engineering and other constraints. This could mean large fines. Until next-generation cybersecure process sensors become available at scale, governments and industries must rely on Level 0 monitoring at the physics level, enhanced operational practices, appropriate Level 0 cybersecurity training, and updated safety standards to protect critical infrastructures. Failing to address this gap perpetuates a dangerous illusion of security and safety while the most vulnerable components of control systems remain exposed. The path forward requires pragmatic regulation aligned with engineering realities and a commitment to accelerating the development of secure, resilient Level 0 technologies and appropriate training.

I asked ChatGPT to do a consistency check on the blog. According to ChatGPT, “Overall: Your content is factually sound, aligned with industry consensus, and reflects real regulatory gaps.”
