Why Industrial Radios Still Use Unencrypted Commands
- spotcom
 - Aug 4
 - 2 min read
 
When we think of cyber threats, we often picture hackers breaching firewalls, phishing for passwords, or breaking into networks through exposed internet services. But some of the most critical infrastructure in the UK and worldwide—water, energy, transport, and heavy industry—relies on radio signals that transmit unencrypted, unauthenticated, and replayable commands.
So why, in 2025, are these vital systems still sending plaintext RF messages?
A Legacy That Predates Cyber Threats
Industrial radio systems have been in service for decades. Originally designed for reliability, simplicity, and long-range communication—not for security—they operate in frequency bands like 400–470 MHz and 869.525 MHz using protocols optimized for serial communication (RS-232/RS-485), low power consumption, and deterministic behaviour.
Back then, cyberattacks weren’t part of the threat landscape. Security-by-design wasn’t a requirement. Instead, vendors focused on:
- Signal robustness over long distances
- Battery life and efficiency
- Ease of integration into legacy PLCs and SCADA systems
- Minimal configuration or IT dependence
Unfortunately, those same strengths now pose a major cybersecurity liability.
Unencrypted Means Unprotected
In a typical legacy RF setup:
- A command is sent over the air as a raw payload.
- The receiver executes it immediately—no challenge, no authentication, no context.
Anyone with:
- A cheap SDR (software-defined radio)
- An open-source tool
- And a few minutes of recording
…can intercept, clone, and replay those messages with potentially disastrous consequences.
Why Haven’t These Systems Been Replaced?
There are several reasons why unprotected radios are still widespread:
🛠️ 1. They Still Work
Many legacy radios are reliable and have operated for 15–20+ years without incident. If a pump starts every morning and stops every night—why touch it?
💸 2. Budget Constraints
Infrastructure upgrades are often prioritised based on visible risks. Radio links are "invisible"—until they fail or are exploited.
📶 3. No Standard to Upgrade To
Until now, there hasn’t been a formal certification defining what "secure" even looks like for radio-based control systems. That’s exactly what SIR Certification sets out to fix.
Real Consequences, Real Risk
An intercepted RF command isn’t just a theoretical threat. In practice, it can mean:
- Flooded villages (triggering pumps or valves)
- Contaminated water (spoofed chlorine dosing)
- Spoofed shutdowns of turbines or generators
- Derailments or signal errors in transport networks
- Moving cranes or conveyors in industrial plants
With unencrypted radios, these events could be caused by accidents or attackers—and you’d never know which.
What Needs to Change
Securing radio communications doesn’t mean ripping everything out. But it does mean raising the bar.
That's why Spotcom introduced SIR Certification—a vendor-neutral, layered security framework that:
- Defines clear levels of protection (Level 1–3)
- Supports AES encryption, message authentication, and key rotation
- Helps operators, engineers, and regulators assess risk and prove compliance
- Offers plug-and-replace options for serial, digital, analogue, and Ethernet-based radios
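To make the contrast between the legacy setup described above and the authenticated, rotated-key design concrete, here is an added Python example. It is not Spotcom's code and not the SIR specification; the frame layout (epoch, counter, payload, tag), the HMAC-SHA256 message authentication and the per-epoch key derivation are assumptions chosen for illustration, and the master key and command strings are constructed sample values. It models a legacy receiver that executes whatever arrives next to a receiver that rejects unauthenticated frames, replayed frames, and frames under a retired key. Encryption of the payload (the AES layer the page lists) would wrap the same frame; the example uses only the standard library so it runs offline.

```python
import hashlib
import hmac
import struct

HEADER_FMT = ">HI"          # 2-byte key epoch, 4-byte per-epoch counter (assumed layout)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16                # HMAC-SHA256 truncated to 128 bits


def epoch_key(master_key: bytes, epoch: int) -> bytes:
    """Key rotation: derive a fresh per-epoch key from the long-term master key.
    Assumed scheme for illustration: HMAC-SHA256(master, label || epoch)."""
    return hmac.new(master_key, b"epoch-key" + struct.pack(">H", epoch), hashlib.sha256).digest()


def build_frame(master_key: bytes, epoch: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header + payload, authenticated by a tag over both."""
    header = struct.pack(HEADER_FMT, epoch, counter)
    tag = hmac.new(epoch_key(master_key, epoch), header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class LegacyReceiver:
    """The legacy behaviour the page describes: any raw payload is executed as-is."""

    def __init__(self) -> None:
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        self.executed.append(frame)      # no check of origin, freshness or integrity
        return True


class AuthenticatedReceiver:
    """Hardened receiver: verify the tag, reject replays, honour key rotation."""

    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key
        self.current_epoch = 0
        self.last_counter = -1           # highest counter accepted in the current epoch
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False                 # too short to carry a header and a tag
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        epoch, counter = struct.unpack(HEADER_FMT, header)
        if epoch < self.current_epoch:
            return False                 # signed under a retired key
        expected = hmac.new(epoch_key(self.master_key, epoch), header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                 # forged or tampered frame
        if epoch > self.current_epoch:   # valid frame under a newer key: roll forward
            self.current_epoch = epoch
            self.last_counter = -1
        if counter <= self.last_counter:
            return False                 # replay of an already-accepted frame
        self.last_counter = counter
        self.executed.append(body)
        return True


def demo() -> dict:
    """Run both receivers over the same constructed traffic and report what each accepted."""
    master = b"constructed-demo-master-key-32by"   # constructed sample key, not a real secret
    legacy, secure = LegacyReceiver(), AuthenticatedReceiver(master)
    start = build_frame(master, 1, 1, b"PUMP1 START")
    stop = build_frame(master, 1, 2, b"PUMP1 STOP")
    tampered = stop[:HEADER_LEN] + b"PUMP1 OPEN" + stop[-TAG_LEN:]   # same length, body altered
    return {
        "legacy_accepts_replay": legacy.receive(start) and legacy.receive(start),
        "raw_plaintext": secure.receive(b"PUMP1 START"),              # unauthenticated: rejected
        "first": secure.receive(start),                                # fresh, valid: accepted
        "second": secure.receive(stop),                                # next counter: accepted
        "replay": secure.receive(start),                               # old counter: rejected
        "tampered": secure.receive(tampered),                          # bad tag: rejected
        "rotated": secure.receive(build_frame(master, 2, 1, b"PUMP1 START")),   # new epoch: accepted
        "old_epoch": secure.receive(build_frame(master, 1, 3, b"PUMP1 START")), # retired key: rejected
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>22}: {'accepted' if accepted else 'rejected'}")
```

The counter is what defeats the record-and-replay case: a captured frame carries a counter the receiver has already passed, so it fails before anything is executed. Rolling the epoch forward only after a valid tag means a forged frame cannot push the receiver onto a key it does not hold, and a real deployment would persist `current_epoch` and `last_counter` across power cycles so a restart does not reopen the replay window.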