
Why Are Critical Infrastructure Radio Systems Still Unsecured?

  • spotcom
  • Aug 4, 2025

Updated: Jan 19

When cyber threats are discussed, attention often focuses on internet-connected systems: firewalls, exposed services, phishing attacks, and network intrusions.


However, across the UK and internationally, many essential services — including water, energy, transport, and industrial operations — continue to rely on radio communications that were not originally designed with modern cybersecurity threats in mind.


In some cases, these radio systems carry control commands and telemetry without cryptographic protection or message authentication.


So why, in 2025, are radio-based control systems still operating in this way?


A Legacy That Predates Today’s Threat Landscape


Industrial radio systems have been deployed for decades to support reliable, long-range communication with remote or unmanned sites. Their original design priorities were availability, simplicity, and determinism — not cybersecurity.


Many operate in licensed and licence-exempt bands such as 400–470 MHz or sub-GHz ISM allocations, using protocols optimised for serial communications (for example RS-232 or RS-485), low power consumption, and predictable behaviour.


At the time these systems were designed:

  • Cyber-physical attacks were not widely anticipated

  • Security-by-design was not an explicit requirement

  • Radio links were often treated as trusted infrastructure


Instead, vendors and operators prioritised:

  • Signal robustness over long distances

  • Battery efficiency and longevity

  • Straightforward integration with PLCs and SCADA systems

  • Minimal configuration and operational complexity


Many of these characteristics contributed to the long service life of industrial radio systems. However, they can also present challenges when assessed against modern security expectations.


When Communications Lack Cryptographic Protection


In some legacy deployments, radio communications may:

  • Transmit control messages without encryption

  • Execute received commands without strong authentication

  • Provide limited protection against message replay or manipulation


In practical terms, this can mean that a radio receiver cannot always distinguish between an authorised command and a message that has been retransmitted or altered.


With widely available radio hardware and software tools, it is now relatively straightforward to observe, record, and retransmit radio signals — even without detailed knowledge of the underlying protocol.


This does not imply that all radio systems are vulnerable, nor that exploitation is inevitable. It does, however, highlight the importance of understanding what protections are present — and which are not.
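What distinguishing an authorised command from a retransmitted or altered one takes at the receiver is shown in the added example below; it is not code from Spotcom or from any SIR Certification material. The frame layout (4-byte counter, payload, 8-byte truncated HMAC-SHA256 tag), the names `protect` and `Receiver`, and the sample payload and key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # assumed: truncated HMAC-SHA256 tag sized for a narrowband frame

def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte counter || payload || truncated tag."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Receiver side: accepts a frame only if it is authentic and fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (payload, "ok") or (None, reason for rejection)."""
        if len(frame) < 4 + TAG_LEN:
            return None, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None, "bad-tag"
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:  # authentic but already seen
            return None, "replay"
        self.last_counter = counter
        return body[4:], "ok"

def demo():
    """Run constructed frames through one receiver and return the verdicts."""
    key = bytes(range(32))             # constructed demo key, not a real secret
    rx = Receiver(key)
    cmd = b"\x01\x05\x00\x10\xff\x00"  # constructed serial payload
    frame = protect(key, 1, cmd)
    tampered = frame[:6] + bytes([frame[6] ^ 0x01]) + frame[7:]
    return [
        rx.accept(cmd)[1],                   # bare legacy frame, no tag
        rx.accept(frame)[1],                 # genuine command
        rx.accept(frame)[1],                 # same bytes received again
        rx.accept(tampered)[1],              # one payload bit altered
        rx.accept(protect(key, 2, cmd))[1],  # next genuine command
    ]

if __name__ == "__main__":
    print(demo())
```

In a deployment, the receiver's last accepted counter has to survive restarts, otherwise previously recorded frames become acceptable again after a power cycle.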


Why Haven’t These Systems Been Replaced?


There are several reasons why legacy radio systems remain widely deployed.


1. Proven Operational Reliability

Many radio installations have operated reliably for decades. Where systems perform a stable, predictable role, there is often little operational incentive to change them.


2. Investment Prioritisation

Infrastructure investment is typically driven by visible risk and regulatory pressure. Radio links can be difficult to assess and are often out of scope for conventional IT or network security reviews.


3. Lack of Clear Assurance Criteria

Until recently, there has been no widely recognised framework defining what appropriate security and resilience look like specifically for industrial radio communications.


This has made it difficult for operators, engineers, and risk owners to assess radio systems consistently or to justify proportionate upgrades.


Real-World Impact of Radio Communications Risk


Radio communications often form part of an operational or safety-related control loop. Where this is the case, loss of integrity or unintended operation can have physical consequences.


Depending on the application, this could include:

  • Incorrect operation of pumps or valves

  • Disruption to treatment or dosing processes

  • Unintended shutdowns or starts of equipment

  • Erroneous signalling within transport or industrial systems


In environments where radio messages are not strongly protected, it may be difficult to determine whether anomalous behaviour is the result of fault, interference, or malicious action.


Raising the Bar Without Forcing Replacement


Improving assurance of radio communications does not necessarily require wholesale system replacement. However, it does require clear, measurable expectations for how radio systems should behave and what protections they should support.


SIR Certification was introduced to address this gap by providing a vendor-neutral, tiered assurance framework for industrial radio communications. It is intended to help organisations:

  • Understand the security and resilience characteristics of their radio systems

  • Assess risk in proportion to operational impact

  • Document assumptions, boundaries, and limitations

  • Support informed decision-making about mitigation or upgrade


SIR Certification focuses on assurance, not prescription. It does not mandate specific products or technologies, and it does not replace existing cybersecurity or safety frameworks.


Final Thoughts


Radio remains a powerful and resilient communications technology within operational technology environments. Its continued use is not inherently problematic.


What matters is whether radio systems are understood, assessed, and governed with the same level of care applied to other elements of critical infrastructure.


As OT environments evolve and cyber risks increasingly have physical consequences, radio communications can no longer remain an implicit assumption. They must become an explicit part of operational assurance.

 
 
 


© 2025 Spotcom Ltd. All rights reserved.
SIR Certified™ and its associated certification levels are trademarks of Spotcom Ltd.
The name, logo, and certification marks are protected under UK intellectual property law.
Unauthorised use, reproduction, or distribution of these marks is strictly prohibited.
You are welcome to share or reference this content for awareness or educational purposes, provided attribution to Spotcom Ltd. is maintained and the material is not altered or misrepresented.

 
