No behavioral baseline flags anomalous command sequences. The protocol endpoint has no model of expected behavior - it executes valid frames.
Network segmentation reduces reachability. It does not introduce identity. Once an actor is inside the segment - through a compromised credential, a vendor session, a misconfigured cloud connector, or a pivot from a compromised engineering workstation - the protocol layer offers no second line of defense. The segment boundary was the only boundary.
What This Exposes
This is the default condition of deployed OT infrastructure, not an isolated deficiency.
Water and wastewater: EPA and CISA have issued repeated advisories on exposed HMI and control interfaces. Water sector systems disproportionately rely on Modbus TCP for SCADA communication and remote access via VPN to HMI endpoints. The protocol provides zero authentication. The attack requires only reachability.
Building automation: Unauthenticated BACnet endpoints operate on enterprise-routable networks. CISA BACnet advisories document exposed building controllers accessible from corporate LAN segments. The protocol's BBMD architecture actively routes control traffic across subnets. Network segmentation failures directly expose physical building systems - HVAC, access control, fire suppression - to any client on the routable network.
Energy distribution: NERC CIP establishes compliance requirements for bulk electric system cyber assets. CIP-005 mandates electronic security perimeters. CIP-007 mandates system security management. Neither mandates protocol-layer authentication for all control traffic within the security perimeter. A compliant network can still run Modbus TCP and non-SA DNP3 endpoints internally. Compliance and security are not equivalent conditions.
The attack primitive across all three sectors is not exploitation. It is normal use of a protocol that was never designed to distinguish between operators and adversaries.
Operator Position
Four enforcement requirements must be met before any OT network can claim a defensible identity boundary:
Device attestation at the protocol boundary. No control command is processed unless the originating device presents a verified identity - hardware-rooted where possible (TPM-backed device certificates), X.509 certificate-based at minimum. Network reachability is not identity. An authentication proxy or protocol gateway must sit in front of every endpoint that cannot perform native identity verification.
Session-bound trust evaluation. Every command session is scored against context: originating device, user identity, time window, command type, target device, command frequency. Commands that fall outside established behavioral baselines are held for validation, not executed and logged after the fact. Trust is continuous, not established once at session creation.
Policy-engine integration at the SCADA/HMI boundary. A policy decision point evaluates every command against role-based and context-based rules BEFORE the command reaches the protocol layer. The PLC or RTU should never be the first point of access control. The policy engine must enforce least-privilege: specific identities authorized for specific commands on specific devices within specific time windows.
Deprecation of unauthenticated protocol endpoints. Any OPC UA endpoint running SecurityPolicy#None, any Modbus TCP port without an authentication proxy, any DNP3 outstation without Secure Authentication enabled, and any BACnet interface on a routable network without enforced access controls must be classified as an uncontrolled attack surface. Remediate, isolate with compensating controls, or decommission. There is no fourth option.
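As an added illustration (not code from the original article or any product it names): a minimal policy decision point for a Modbus TCP authentication proxy, combining the least-privilege rules of the third requirement with the time-window and command-frequency checks of the second. The identities, rules and frames are constructed for the example; a real gateway would take the identity from the client certificate presented at the proxy.

```python
import struct
from dataclasses import dataclass
from datetime import time as dtime

# Modbus function codes that alter process state (coil/register writes).
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16, 22, 23})
ALLOW, HOLD, DENY = "ALLOW", "HOLD", "DENY"

@dataclass(frozen=True)
class Rule:
    """Least-privilege rule keyed by an authenticated identity (e.g. client-cert CN)."""
    unit_ids: frozenset      # Modbus unit IDs this identity may address
    functions: frozenset     # function codes this identity may issue
    window: tuple            # (start, end) local time window in which writes are allowed
    max_writes: int          # writes permitted per session before the proxy holds for validation

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code, data) from a Modbus TCP frame, or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length field")
    return unit, frame[7], frame[8:]

def decide(identity, frame, now, rules, write_counts):
    """Policy decision point: evaluate one frame before it is forwarded to the PLC."""
    rule = rules.get(identity)
    if rule is None:                       # reachability is not identity: unknown caller is denied
        return DENY
    try:
        unit, fc, _data = parse_mbap(frame)
    except ValueError:                     # malformed frame never reaches the endpoint
        return DENY
    if unit not in rule.unit_ids or fc not in rule.functions:
        return DENY                        # outside this identity's authorized scope
    if fc in WRITE_FUNCTIONS:
        start, end = rule.window
        if not (start <= now <= end):
            return DENY                    # write outside the permitted time window
        write_counts[identity] = write_counts.get(identity, 0) + 1
        if write_counts[identity] > rule.max_writes:
            return HOLD                    # above baseline frequency: hold, do not execute
    return ALLOW

# Constructed sample policy and frames (hypothetical identity, not a real site).
RULES = {"hmi-01": Rule(frozenset({1}), frozenset({3, 6}), (dtime(6), dtime(18)), 2)}
READ_HR    = bytes.fromhex("0001 0000 0006 01 03 0000 0002")  # fc 3: read 2 holding registers
WRITE_HR   = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # fc 6: write single register 0x10
WRITE_COIL = bytes.fromhex("0003 0000 0006 01 05 0000 ff00")  # fc 5: write single coil (not authorized)
```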
The protocol layer is the last point of enforcement before a physical process is altered. If identity is not validated there, it is not validated where it matters.