How SIR Certification Works: A Practical Assurance Framework for Industrial Radio
- spotcom
- Jan 19
Industrial radio communications play a critical role in many operational technology (OT) environments. They are widely used to carry control commands and telemetry between control systems and remote or unmanned sites, often forming part of a wider operational or safety-related control loop.
Despite this, radio communications have historically sat outside the scope of many OT cybersecurity and governance programmes. While networked and IP-based systems are commonly assessed against established frameworks and standards, radio links are frequently treated as implicit, trusted infrastructure.
SIR Certification was developed to address this gap.
This article explains how SIR Certification is structured, how it is intended to be applied, and how it fits alongside existing OT cybersecurity approaches.
Why a tiered assurance model is used
OT environments are highly diverse. They include modern, fully integrated systems alongside long-lived legacy installations that continue to deliver essential services reliably.
A single, binary definition of “secure” is rarely appropriate in this context. Instead, SIR Certification adopts a tiered assurance model, allowing radio communications to be assessed in proportion to their operational role, risk profile, and system constraints.
This approach supports:
- Incremental improvement rather than forced replacement
- Clear documentation of system capabilities and limitations
- Alignment with risk-based governance and engineering decision-making
Each SIR level represents a set of assurance objectives, not a prescriptive technical specification.
Overview of the SIR Certification levels
SIR Certification is structured into three progressive levels. These levels are designed to reflect increasing degrees of confidence in the integrity, authenticity, and resilience of radio communications used within OT systems.
Level 1 – Foundational Controls

Level 1 focuses on establishing a baseline level of assurance, particularly in environments where legacy systems are in use or where operational impact is limited.
At this level, assessment considers whether basic controls and safeguards are in place to reduce obvious and avoidable exposure, such as:
- Unique identification of devices
- Removal of insecure default configurations where supported
- Defined fail-safe behaviours
- Basic controls over local or maintenance access
Level 1 does not imply that a system is “secure” in a comprehensive sense. Instead, it helps organisations demonstrate that minimum expectations have been considered and documented.
Level 2 – Enhanced Communications Assurance

Level 2 applies to systems where the integrity and authenticity of radio communications are operationally significant.
Assessment at this level considers whether the radio platform and its deployment support mechanisms to:
- Detect unauthorised modification of messages
- Reduce the risk of replay or repeated command injection
- Control access to configuration and operational functions
- Support secure update or maintenance processes where applicable
Level 2 is typically appropriate for modern industrial environments where radio communications influence operational outcomes and where greater confidence in communications behaviour is required.
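As an added illustration of the Level 2 objectives above (this is example code, not part of the article or of the SIR framework's own material), the following Python sketch shows a receiver that rejects modified and replayed control frames. The frame layout, the per-device keys and the strictly increasing sequence-counter rule are assumptions for illustration only.

```python
import hmac
import hashlib
import struct

# Constructed frame layout (assumption, not an SIR wire format):
#   device id (2 bytes) | sequence number (4 bytes) | command (1 byte) | payload | tag
# The tag is a truncated HMAC-SHA256 over everything before it.
TAG_LEN = 8
HEADER = struct.Struct(">HIB")

# One key per device, so each device is uniquely identifiable and a frame
# forged or modified without the key fails verification. Sample keys are constructed.
DEVICE_KEYS = {
    0x0101: b"constructed-key-for-rtu-0101",
    0x0102: b"constructed-key-for-rtu-0102",
}


def build_frame(device_id, seq, cmd, payload, key):
    """Sender side: append an integrity tag to the header and payload."""
    body = HEADER.pack(device_id, seq, cmd) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ReplayGuard:
    """Receiver-side state: the last accepted sequence number per device."""

    def __init__(self):
        self.last_seq = {}

    def verify(self, frame):
        """Return (accepted, reason); rejects short, unknown, modified and replayed frames."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, seq, cmd = HEADER.unpack_from(body)
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a modified frame is dropped before any replay logic runs.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        # Strictly increasing counter: a captured frame re-sent later is rejected.
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replay"
        self.last_seq[device_id] = seq
        return True, "ok"
```

In a real deployment the receiver's counter state must survive restarts, and key provisioning and rotation are the "managed key handling" that Level 3 addresses.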
Level 3 – Advanced Assurance

Level 3 is intended for environments where radio communications are critical to safety, environmental protection, or continuity of essential services.
At this level, SIR Certification assesses whether systems support advanced assurance objectives, such as:
- Strong cryptographic protection of communications
- Robust authentication and trust mechanisms
- Managed key handling practices
- Enhanced monitoring, diagnostics, and auditability appropriate to system criticality
Level 3 does not guarantee immunity from failure or attack. Rather, it reflects a higher degree of confidence that radio communications are designed, implemented, and operated in line with recognised good practice for high-impact OT environments.
How SIR assessments are performed
SIR Certification assessments are evidence-based and context-aware.
Rather than relying solely on product specifications, assessments consider:
- The operational role of the radio system
- The environment in which it is deployed
- Supported technical capabilities
- Configuration and integration within the wider OT system
- Documented assumptions, boundaries, and exclusions
The outcome of a SIR assessment is not a statement of absolute security, but a clear and defensible description of the level of assurance that can reasonably be placed in the radio communications layer.
What SIR Certification does — and does not — claim
It is important to understand the intended scope of SIR Certification.
SIR Certification:
- Is not a regulatory requirement
- Does not replace existing standards or regulations
- Does not mandate specific vendors or technologies
- Does not certify an entire OT system
Instead, SIR Certification complements existing OT cybersecurity, safety, and governance frameworks by addressing a specific layer that is often out of scope: industrial radio communications.
How SIR fits alongside existing OT frameworks
SIR Certification is designed to align with the principles of established OT cybersecurity and risk management approaches, including those promoted by national cybersecurity bodies and international standards organisations.
Where many frameworks focus on networks, systems, and processes, SIR focuses on the communications layer that connects them — particularly where that layer is non-IP, remote, or difficult to monitor using conventional tools.
By doing so, SIR helps organisations:
- Identify previously unassessed dependencies
- Support proportionate risk management decisions
- Improve documentation and assurance for auditors and insurers
Who SIR Certification is for
SIR Certification is intended to support a range of stakeholders, including:
- Asset owners responsible for critical infrastructure
- Operators managing OT systems and remote sites
- Engineers designing or maintaining radio communications
- Risk managers and insurers assessing operational exposure
- Integrators and suppliers supporting long-term system operation
In each case, the objective is the same: to replace implicit trust in radio communications with explicit, documented assurance.
A practical approach to an overlooked risk
Industrial radio systems are often reliable, long-lived, and operationally essential. Their continued use is not inherently a problem.
However, as OT environments evolve and cyber risks increasingly have physical consequences, it becomes important to understand and document how these systems behave, what protections they offer, and where their limitations lie.
SIR Certification provides a structured, proportionate framework for doing exactly that — helping ensure that industrial radio communications are no longer an assumed component of OT systems, but a clearly assessed and understood one.
End note
This article is explanatory in nature and does not constitute regulatory guidance or a compliance requirement. SIR Certification assessments are performed in context and should be considered as part of a wider OT governance and risk management approach.