Introduction: The Security Blind Spot in OT Systems
During my professional career, in the army and afterwards, I’ve spent days visiting industrial plants, from national critical infrastructure sites to defence, legacy and privately owned manufacturing facilities. No matter the industry – food manufacturing plant, water treatment facilities, or large-scale production lines – I’ve encountered a recurring theme: the persistence of legacy systems, sometimes as old as 20 years old PLCs, computers running Windows XP, and communication lines running all over the place with no to very low maintenance. One of the most alarming aspects of this persistence is the fact that UART-based communication protocols remain the backbone of industrial control systems (ICS) and are here to stay.
While these systems reliably operate massive machinery and keep essential processes running, they also present a gaping security hole that few in the OT industry seem willing to address. Walking through plant control rooms, I’ve seen decades-old serial devices humming along, faithfully transmitting commands over Modbus RTU, Profibus, RS485 and other UART-based protocols. Some of these systems have run unchanged for 20-30 years, untouched by modern cybersecurity improvements.
A Perfect Target for Attackers
While IT networks have evolved with encryption, authentication, and intrusion detection (well, still struggling against as fast if not faster attack surfaces and vectors evolution), UART-based protocols remain inherently insecure by design. The vulnerabilities I’ve observed across different industries, as I describe in detail and demonstrate during my courses and workshops I give, include:
- Sniffing and Traffic Capture – Serial communication lines, especially RS-232, RS-485, and CAN bus, are openly exposed to anyone with physical access. Attackers can passively listen to the data flow and extract critical information, such as authentication messages or control commands.
- Command Injection and Replay Attacks – UART lacks built-in authentication, allowing attackers to inject malicious packets or replay previous legitimate commands to manipulate industrial equipment.
- Man-in-the-Middle (MITM) Attacks – With simple tools, an attacker can place a rogue device between two communicating endpoints, modifying commands on the fly without detection.
- Reverse Engineering of Proprietary Protocols – Even proprietary serial protocols used in specialized industrial equipment can be easily analysed by attackers who gain access to the data stream.
- Baud Rate and Parameter Predictability – Traditional UART communication relies on static baud rates, start/stop bits, and parity settings, making it trivial for attackers to configure their own sniffing devices.
If you think the above methods are minor or unlikely to cause harm, think again after the following example from my army experience. As some of you know, during one of my positions in the IDF I oversaw the border security technology. Without revealing too much, I was amazed to reveal repeatedly vendors who offered a security system for a border, a system which supposed to guard lives, using plain UART based protocols which was so vulnerable I gained full control over the system shutting its guards down using tiny MCU with some wire manipulation experience. These vulnerabilities are still out there to be found.
Despite these inherent security gaps, most plant operators and OT security teams remain hesitate to address them. Their primary concerns revolve around the cost of upgrading infrastructure, operational continuity, and the lack of security expertise in OT environments. And how can you blame them? Think about it 70+ years old food plant with hundreds of miles of wiring, countless end devices and 30-year-old control system patched over the years with fixes, changes and upgrades both in hardware and firmware, most of it undocumented but runs smoothly, so they all go by ‘if it works, don’t fix it”.
Why Security Upgrades Are Often Dismissed in OT
During my visits, I’ve often had conversations with engineers and plant managers who acknowledge the risks but feel powerless to act. Some common reasons include:
- “It’s always worked this way.” Many legacy systems were designed in an era when security wasn’t a concern. Replacing or modifying them is seen as unnecessary unless a failure occurs.
- “If it’s air-gapped, it’s safe.” The assumption that industrial networks are isolated from the internet is no longer valid. USB devices, remote maintenance access, and supply chain vulnerabilities have introduced new attack vectors.
- “Upgrading is too expensive.” Replacing an entire fleet of industrial controllers, sensors, and communication hardware can cost millions. Even adding software-based security layers can be seen as disruptive and impractical.
- “Security is an IT problem, not ours.” Many OT security teams still see cybersecurity as separate from operational reliability, leading to slow adoption of security measures.
- “I only need to comply with the legislator standards” forgetting that the standards are mostly influenced by the ability of the market leaders to comply, locked in endless loop of compromise.
Understanding UART and Its Vulnerabilities
While UART (Universal Asynchronous Receiver-Transmitter) has been a reliable and widely used communication standard for decades, it was never designed with security in mind. Originally developed for simple serial data exchange, UART-based protocols still dominate OT (Operational Technology) environments, from PLC-to-sensor communication in factories to critical infrastructure control systems. However, the same simplicity that makes UART reliable and low-cost low maintenance also makes it dangerously exposed to cyber threats.
How UART Works: The Basics
To understand its security weaknesses, let’s first break down how UART communication works:
- Asynchronous Transmission – Unlike protocols that use dedicated clock signals for synchronization, UART sends data asynchronously. This means devices must agree on the transmission speed (baud rate) and format (start bits, stop bits, parity) beforehand. The upside is the ability to use these protocols for long distance use cases (like OT plants, access control systems and more), but the downside is the predictability of these parameters.
- Packet Structure – A typical UART frame consists of:
- A start bit (indicating the beginning of a transmission).
- A data payload (usually 8 bits per byte).
- An optional parity bit (used for basic error detection).
- One or more stop bits (signalling the end of the transmission).
This highlights the need for a convention between the network parties and stick to it for as long as the plant exists. Once a hacker is in, he is there for good.
- Simple and Open Protocols – Many industrial UART-based protocols, such as Modbus RTU, Profibus, and proprietary machine protocols, lack authentication, encryption, or session management.
This simplicity means that any device listening on the same bus can read, manipulate, or inject data with minimal effort.
For more information about UART and its driven protocols, please see my UART classes in TrainSec Academy https://trainsec.net/hardware-hacking-expert-level-1-2/
Major Security Vulnerabilities in UART-Based Systems
You do not believe how many beer rounds (and other trophies) the following vulnerabilities won me after a “you can never beat our system” dare was laid in front of me (yes even by defence companies from the worlds top 3).
1. Sniffing and Traffic Capture
One of the easiest and most common attacks on UART-based systems is passive sniffing. Since UART communication is often not encrypted or obfuscated in any way, attackers can:
- Eavesdrop on control commands between industrial controllers and field devices.
- Extract credentials or authentication sequences (if present).
- Reverse engineer proprietary protocols used by industrial equipment manufacturers.
Real-World Example: An attacker with a simple USB-to-RS-232 adapter can plug into a maintenance port or tap into a serial line, silently collecting operational data without raising alarms.
2. Command Injection and Replay Attacks
Because UART devices often lack authentication, an attacker who captures a valid command can easily inject it back into the system to manipulate behaviour.
- Replay Attacks – An attacker records a legitimate command (e.g., “open valve”, “start motor”, “set centrifuge to speed”) and replays it later to cause unauthorized actions.
- Malicious Command Injection – Without authentication, an attacker can fabricate malicious UART frames, tricking a device into executing unauthorized actions.
Example: A hacker captures an “unlock door” command in a building access control system. Later, they replay the command to bypass security without triggering alarms.
3. Man-in-the-Middle (MITM) Attacks
A step beyond simple sniffing, MITM attacks involve intercepting and modifying data in real time. Attackers can:
- Modify sensor readings sent from field devices to controllers.
- Alter control commands (e.g., changing “close valve” to “open valve”).
- Introduce delays or manipulate system responses to hide their presence.
Example: In a power grid SCADA system, an attacker intercepts temperature sensor data and sends false readings to prevent overheating alarms from triggering, leading to equipment damage or failure.
4. Reverse Engineering of Proprietary Protocols
Many industrial manufacturers use custom serial protocols over UART, assuming that “security by obscurity” is enough to protect them. However, these protocols can be reverse engineered with simple monitoring tools.
- Attackers capture UART traffic and analyse repeating patterns.
- Over time, they map out command structures and device behaviours.
- Once the protocol is understood, attackers can create custom tools to inject malicious commands.
Example: A factory’s robotic arm system uses a proprietary serial protocol. By logging UART traffic for a few hours, an attacker identifies movement commands and then injects a malicious command to disrupt operations.
5. Static and Predictable Baud Rate & Parameters
UART relies on predefined communication settings (baud rate, parity, stop bits), which means attackers can easily configure their own devices to intercept and manipulate traffic.
- Once the baud rate and frame format are known, attackers can perfectly mimic legitimate devices.
- Without encryption, these settings are rarely changed mid-communication, making it trivial to eavesdrop on static configurations.
Example: A malicious technician connects a rogue device to an industrial controller, using the same baud rate and frame settings to spoof a legitimate sensor and feed false data to the system.
Again, all of these techniques and more are deeply detailed in my “Hardware Hacking Expert – Level II” on the TrainSec Academy.
Why Traditional IT Security Measures Don’t Work in OT
Many OT engineers ask: Why not just add encryption and authentication? While that might be an obvious solution in IT networks, the reality of industrial environments makes it difficult:
- Legacy Systems – Many industrial controllers were never designed for cryptographic operations. Implementing encryption may require replacing entire hardware ecosystems.
- Resource Constraints – Unlike modern computers, embedded systems running UART often have limited processing power and cannot support computationally heavy encryption algorithms.
- Real-Time Constraints – Many OT processes require ultra-low latency. Adding authentication handshakes and cryptographic overhead can disrupt real-time operations.
- Vendor Lock-In – Some proprietary industrial systems do not allow modifications to communication protocols, making software-level encryption impractical.
A Different Approach: Making UART Secure Without Overhauling Infrastructure
Instead of replacing UART-based systems, I propose leveraging the parity bit as a low-overhead security mechanism. By repurposing the parity bit in strategic ways, we can introduce (as a starter):
- Instruction authentication (ensuring commands follow a secure sequence).
- Synchronization-based parameter changes (randomizing baud rates dynamically).
- Session key rotation (establishing lightweight encryption through alternating parity-based keys).
This method does not require hardware replacements and can be implemented with firmware updates or middleware solutions.
In the next section, I’ll introduce how using the parity bit innovatively can transform UART security—blocking sniffing, preventing injection, and even enabling lightweight encryption.
Parity Bit: An Underutilized Resource for Security
In the face of increasing cyber threats targeting OT environments, securing UART-based communication without replacing existing infrastructure is a major challenge. Instead of trying to add complex encryption mechanisms that industrial controllers cannot support, I propose a novel approach: leveraging the parity bit as a lightweight security feature.
Traditionally used for basic error detection, the parity bit is an underutilized resource that can be repurposed to introduce authentication, synchronization, and even lightweight encryption into UART-based protocols. This section explores three groundbreaking methods to enhance UART security without disrupting industrial operations.
Method 1: ParityLock – Using the Parity Bit for Instruction Authentication
Concept: Locking Down UART Commands with a Hidden Parity-Based Code
Since most UART-based protocols lack built-in authentication, attackers can inject unauthorized commands or replay old ones. By using the parity bit as a covert authentication mechanism, we can enforce strict command sequence validation, ensuring that only authorized messages are accepted.
This method locks down command authentication by enforcing a hidden parity-based sequence. Just like a lock requires the right key, ParityLock ensures that only valid messages following the secret parity pattern are accepted. It blocks unauthorized commands and prevents replay attacks—acting as a lock against UART-based attacks.
How ParityLock Works
- The parity bit follows a pre-defined pattern or formula known only to legitimate devices.
- Instead of being used solely for error detection, the parity bit encodes a hidden sequence of validation bits across consecutive packets.
- Devices reject commands that do not follow the expected parity pattern, preventing replay and injection attacks, alarming higher control hierarchy about the security breach.
Implementation Example
- Every device participating in UART communication agrees on a secret formula that determines the expected parity bit sequence.
- This sequence is based on:
- Message timing
- Message order
- A predefined mathematical operation (e.g., XOR with a session-specific key)
- The receiving device validates the command’s parity sequence against the expected pattern.
- If the sequence is incorrect (e.g., an attacker injected a fake command), the command is rejected.
Security Impact of ParityLock
- Prevents unauthorized command injection – Attackers cannot forge valid commands without knowing the secret parity pattern.
- Blocks replay attacks – Even if a hacker captures a legitimate command, it won’t work again since the parity sequence changes dynamically.
- No additional bandwidth or encryption overhead – Security is achieved purely through an existing UART feature.
Method 2: BaudMorph – Using the Parity Bit for UART Parameter Synchronization
Concept: Morphing UART Settings in Real Time to Confuse Attackers
Static UART configurations are a hacker’s dream. Once they figure out the baud rate and frame format, they can easily eavesdrop, inject packets, or launch MITM attacks.
By embedding synchronization signals into the parity bit, we can dynamically change these settings, making sniffing and injection almost impossible.
How BaudMorph Works
- Instead of a fixed baud rate, BaudMorph dynamically shifts UART parameters in sync between devices.
- The parity bit triggers and signals changes in baud rate, stop bits, or parity mode at predefined intervals.
- Attackers who are unaware of this hidden synchronization lose track of the correct UART settings, making sniffing and injection virtually impossible.
Implementation Example
- The master device embeds a synchronization signal in the parity bit, signaling the slave devices to change UART parameters.
- The new baud rate and parameters are determined by:
- A pre-agreed formula incorporating time-based factors.
- A salted hash function based on previous messages.
- An external entropy source (e.g., sensor input).
- Both devices update their communication settings simultaneously, without needing a separate secure channel.
- Attackers trying to eavesdrop suddenly lose synchronization and are unable to sniff or inject packets correctly.
- Parity bits are monitored continuously.
- When the sequence 1-0-1 appears, the devices shift to a new baud rate.
- Legitimate devices track the parity-based trigger and adjust their settings correctly.
- Attackers fail to adapt once the baud rate shifts, causing sniffing/injection failures (✖).
Security Impact of BaudMorph
- Breaks passive sniffing – Attackers cannot maintain a stable UART configuration to intercept data.
- Disrupts MITM and injection attempts – If an attacker injects a packet at the wrong baud rate, the receiver won’t process it correctly.
- Enhances security with minimal changes – No cryptographic overhead, just dynamic parameter shifting.
$1,550
$728 or $75× 10 payments
Hardware Hacking Expert
This comprehensive path, combining dynamic lectures and hands-on exercises, equips you with the skills, resources, and confidence to explore, manipulate, and exploit electronic systems. No prior hardware experience is required!
Method 3: CipherBit – Using the Parity Bit for Session Key Exchange
Concept: Embedding Lightweight Encryption in UART Without Extra Bandwidth
One of the biggest limitations in securing UART communication is the lack of encryption and key exchange mechanisms. Traditional encryption methods consume too much processing power and aren’t feasible for many industrial devices.
How CipherBit Works
- Instead of a static key, the parity bit carries fragments of a session key across multiple packets.
- Devices extract and reconstruct the session key based on a predefined rule.
- Once the key is formed, it is used for lightweight encryption, such as XOR obfuscation, rotating ciphers, or simple bit manipulations.
Implementation Example
- Device A sends a sequence of UART frames where the parity bit carries fragments of a session key.
- Device B reconstructs the session key using pre-agreed reassembly rules.
- Once the session key is established, both devices encrypt their data using lightweight methods (e.g., bitwise XOR with the session key).
- The session key is refreshed periodically using a new parity-encoded sequence.
Security Impact of CipherBit
✔ Introduces lightweight encryption without modifying UART – The session key is exchanged covertly using an existing UART feature.
✔ Prevents long-term key exposure – Even if an attacker intercepts data, the session key rotates frequently, making decryption impractical.
✔ No need for heavy cryptographic operations – The method is suitable for low-power industrial devices.
Practical Considerations and Challenges
While these parity-based security enhancements are highly effective, they come with practical challenges:
- Compatibility Issues – Some legacy devices may not support custom parity sequences. A firmware update might be required.
- Error Handling – Traditional parity checking must be adapted to coexist with security functions without disrupting normal UART error detection.
- Implementation Complexity – While lightweight, these methods require coordination between devices, meaning the OT industry must standardize such techniques for broad adoption.
Despite these challenges, implementing parity-based security is far easier and cheaper than replacing entire OT infrastructures. It allows critical industries to secure legacy UART-based systems without sacrificing performance or uptime.
And OBTW, I almost never saw the use of parity as error handling method in live systems.
Conclusion: A New Era of UART Security Without Overhauling Infrastructure
For decades, UART-based communication has remained a foundational element of industrial control systems, yet it has been largely overlooked in cybersecurity. The OT industry has continued to rely on legacy protocols, exposing critical infrastructure to sniffing, injection, and MITM attacks.
But securing UART does not require an expensive overhaul of infrastructure. Instead, by leveraging an often-overlooked feature – the parity bit – we can transform UART into a much more resilient communication channel.
Liked the content?
Subscribe to the free TrainSec knowledge library, and get insider access to new content, discounts and additional materials.
The Three Pillars of Next-Gen UART Security
- ParityLock → Blocks unauthorized command injections and prevents replay attacks by enforcing a hidden parity-based authentication mechanism.
- BaudMorph → Continuously disrupts passive sniffing and breaks injection attempts by dynamically morphing baud rates and UART settings using parity-based synchronization.
- CipherBit → Introduces lightweight encryption by using parity bits as a session key exchange mechanism, hiding encryption keys in plain sight without computational overhead.
Why This Approach is a Game-Changer
- No expensive hardware changes – Everything can be implemented through firmware updates.
- Minimal performance impact – Unlike traditional cryptographic solutions, these techniques use existing UART features without adding latency.
- Future-proofing legacy systems – By incorporating parity-based security, industrial networks can remain operational while closing major security gaps.
- Breaks the attacker’s advantage – Attackers rely on predictability in UART communication. Parity-based techniques introduce controlled unpredictability, making attacks significantly harder.
The Future of OT Security Starts Here
For too long, the security industry has ignored UART-based protocols, assuming that “air-gapped” systems were safe. That era is over. Threat actors are actively targeting industrial control systems, and the time to act is now.
Instead of dismissing UART as an “unfixable” security liability, we must rethink the problem and use the tools we already have in smarter ways.
ParityLock, BaudMorph, and CipherBit prove that securing UART is possible – without ripping out existing infrastructure.
With these methods, OT security teams can fight back against attacks and take control of their legacy systems.
The question is no longer whether we can secure UART—it’s whether we are ready to do it.
The solution is here—it’s time to implement it.
What’s Next?
The next step is industry-wide experimentation and adoption of parity-based security enhancements. I invite OT security experts, engineers, and researchers to explore with me these methods further and collaborate on securing our industrial future.
