I expected by now there would be commercial and government organizations addressing the unique cybersecurity issues at Level 0. They are not. This disconnect highlights a fundamental problem: much of today’s OT cybersecurity training assumes a security posture at Level 0 that simply does not exist. That is, just because Level 0 devices are not vulnerable to the threats network security are used to addressing does not mean Level 0 devices are not cyber vulnerable. The Calgary session, the SANS Level 0/1 conflation, and government inaccurate responses to Level 0 issues reinforce the same point: the industry is not teaching, distinguishing, or addressing Level 0 cybersecurity. This also means there are no Level 0 cybersecurity procurement requirements. Focusing on cyber mechanisms that only apply at higher Purdue levels leaves a critical blind spot in the protection of the physical process itself. What is needed is dedicated Level 0 cybersecurity training or the foundation of physical operations will remain vulnerable, regardless of how secure the upper layers of the system may appear. Adversarial nation-states are aware of the Level 0 gap and the reticence by cyber defenders to address it. With the lack of Level 0 cybersecurity, authentication, and appropriate training, OT cybersecurity is built on a foundation of sand.
