OT Cybersecurity | 5 min read

HART - 4-20mA protocol with a digital overlay and its security

HART (Highway Addressable Remote Transducer) - 4-20mA protocol with FSK signaling, no authentication, physical protection of junction boxes. OT Protocol Encyclopedia.

Jozef Sulwinski
Tags: HART, 4-20mA, fieldbus

HART (Highway Addressable Remote Transducer) is a communication protocol that combines an analog 4-20 mA signal with digital data transmission using FSK (Frequency Shift Keying). Developed in 1986 by Rosemount (now Emerson), HART solved a fundamental problem in process automation - how to add digital communication (diagnostics, calibration, parameterization) without replacing existing 4-20 mA analog wiring.

Today, HART is the most widely used protocol for field device communication in the world - with over 40 million installed devices. The standard is maintained by FieldComm Group, and the current version HART 7 supports both classic analog communication and multidrop mode.

Protocol architecture

The unique feature of HART is the coexistence of analog and digital signals on the same wire:

Parameter        HART (analog + FSK)
Physical layer   4-20 mA (analog) + FSK 1200/2200 Hz (digital)
Topology         Point-to-point (typical) or multidrop (up to 63 devices)
Digital speed    1200 bps (Bell 202 FSK)
Authentication   None
Encryption       None
Integrity        Checksum (error detection, not cryptographic protection)
Range            Up to 3000 m (depending on loop impedance)
Power            From current loop (2-wire)

The FSK signal is superimposed on the 4-20 mA current loop as an oscillation with a zero mean value - it does not affect the analog reading. This means:

  • The 4-20 mA analog signal carries the process variable in real time (e.g. temperature) - read by standard analog input cards in PLC/DCS systems
  • The HART digital signal carries additional variables, diagnostics, configuration parameters, and calibration - read by a HART communicator or HART multiplexer

In point-to-point mode (the most common), a single transmitter communicates with the DCS/PLC system. In multidrop mode, the analog signal is fixed at 4 mA, and all communication is digital - this mode is less commonly used due to low speed.

Applications

HART is the standard in process automation:

  • Chemical and petrochemical industry - pressure, temperature, level, and flow transmitters
  • Energy - monitoring boiler, turbine, and desulfurization plant parameters
  • Water and wastewater - flow, pH, turbidity, and tank level measurement
  • Pharmaceuticals - process parameter control with full device diagnostics

TIP

Many HART installations do not use the digital channel in daily operation - the DCS system reads only the 4-20 mA analog signal. Despite this, the HART channel is active and responds to queries. An attacker with a HART communicator (a compatible USB modem costs a few hundred dollars) can read diagnostics, change calibration parameters, or modify the transmitter’s measurement range.

Security assessment

The HART protocol has no security mechanisms - it was designed in an era of complete physical isolation of field instrumentation.

Vulnerabilities:

  • No authentication - any device connected to the current loop (or junction box) can send HART commands to the transmitter. A HART communicator connected at any point on the loop gains full access to device configuration
  • No encryption - HART commands and responses are transmitted in plaintext. A HART modem allows eavesdropping on all communication
  • No command-level access control - HART defines three command levels (universal, common practice, device-specific), but does not control who sends them
  • Physical accessibility - the 4-20 mA current loop runs from the field transmitter to the control cabinet, often over hundreds of meters, through junction boxes located in the field

Attack scenarios:

  1. Calibration tampering - an attacker changes the transmitter’s measurement range (e.g. from 0-100 °C to 0-200 °C), causing the DCS system to read false values
  2. Parameter modification - changing damping, units, or operating mode of the transmitter
  3. Diagnostics as reconnaissance - reading the device tag, description, model, and serial number provides a map of field instrumentation
  4. Write-protect bypass - many transmitters have a physical write-protect switch, but it is disabled by default

Segmentation and protection

Protecting HART installations relies primarily on physical security - the protocol itself provides no access control tools.

Physical protection - priority:

  1. Junction boxes - locked, with tamper sensors. Junction boxes are the easiest access point to the HART loop in the field
  2. Cable routes - cable trays enclosed, in areas with controlled access
  3. Marshalling cabinets - access control to cabinets where current loops terminate at terminals (intrinsic safety barriers)
  4. Write-protect on transmitters - enable the physical write-protect switch on all HART transmitters after configuration

Segmentation and monitoring:

  1. HART multiplexers as zone boundaries - a HART multiplexer (e.g. Emerson THUM, Pepperl+Fuchs) aggregates HART data from multiple loops and makes it available over Ethernet. This is the point where network segmentation becomes possible
  2. Firewall on the multiplexer - Ethernet communication from the HART multiplexer should pass through a firewall that restricts access to the instrument management server (AMS/PDM)
  3. Configuration change monitoring - Asset Management systems (e.g. Emerson AMS, ABB Ability) record changes to HART instrument parameters. Alerting on unauthorized calibration or range changes is critical
  4. Calibration station isolation - portable HART communicators should be subject to controls (checkout register, device whitelist)
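As an added example (it is not code from the original article, nor from any AMS or DCS product), the Python script below implements the kind of configuration change check described in items 3 and 4 above and quantifies the calibration tampering scenario from the attack list: it diffs two parameter snapshots of the kind an asset management export would provide, cross-checks each transmitter's range against the range the DCS uses to scale its analog input, and computes what the DCS would display after a silent re-range. All tag names, field names, serial numbers and values are constructed for the example; the export field names are an assumption, not those of any real AMS.

```python
"""Added example: audit HART transmitter parameter snapshots against a
commissioning baseline and the DCS tag database, and show why a silent
re-range produces false DCS readings. All data below is constructed."""

# Parameters whose change should always raise an alert (assumed field names).
WATCHED = ("lower_range", "upper_range", "units", "damping_s", "write_protect")

# Constructed baseline, recorded right after commissioning.
BASELINE = {
    "TT-101": {"serial": "SN-0001", "lower_range": 0.0, "upper_range": 100.0,
               "units": "degC", "damping_s": 1.0, "write_protect": True},
    "PT-202": {"serial": "SN-0002", "lower_range": 0.0, "upper_range": 16.0,
               "units": "bar", "damping_s": 0.5, "write_protect": True},
}

# Constructed current export: TT-101 was re-ranged and its write-protect
# cleared, PT-202 is unchanged, LT-303 is a device nobody recorded.
CURRENT = {
    "TT-101": {"serial": "SN-0001", "lower_range": 0.0, "upper_range": 200.0,
               "units": "degC", "damping_s": 1.0, "write_protect": False},
    "PT-202": dict(BASELINE["PT-202"]),
    "LT-303": {"serial": "SN-0003", "lower_range": 0.0, "upper_range": 5.0,
               "units": "m", "damping_s": 2.0, "write_protect": True},
}

# Ranges the DCS uses to scale each analog input channel (constructed).
DCS_RANGES = {"TT-101": (0.0, 100.0), "PT-202": (0.0, 16.0)}


def diff_snapshots(baseline, current):
    """Return one alert string per relevant difference between two snapshots."""
    alerts = []
    for tag, cur in sorted(current.items()):
        base = baseline.get(tag)
        if base is None:
            alerts.append(f"{tag}: not in baseline (new or unrecorded device)")
            continue
        if base["serial"] != cur["serial"]:
            alerts.append(f"{tag}: serial changed {base['serial']} -> "
                          f"{cur['serial']} (device swapped?)")
        for param in WATCHED:
            if base[param] != cur[param]:
                alerts.append(f"{tag}: {param} changed "
                              f"{base[param]!r} -> {cur[param]!r}")
        # Write-protect off is worth a standing alert even if unchanged.
        if not cur["write_protect"]:
            alerts.append(f"{tag}: write-protect is disabled")
    for tag in sorted(set(baseline) - set(current)):
        alerts.append(f"{tag}: missing from current export")
    return alerts


def range_mismatches(current, dcs_ranges):
    """Flag transmitters whose range no longer matches the DCS scaling."""
    alerts = []
    for tag, (lo, hi) in sorted(dcs_ranges.items()):
        dev = current.get(tag)
        if dev is None:
            continue
        if (dev["lower_range"], dev["upper_range"]) != (lo, hi):
            alerts.append(f"{tag}: transmitter range "
                          f"{dev['lower_range']}-{dev['upper_range']} "
                          f"!= DCS range {lo}-{hi}")
    return alerts


def loop_current_ma(value, lower, upper):
    """Loop current a transmitter drives for `value` with the given range."""
    return 4.0 + 16.0 * (value - lower) / (upper - lower)


def dcs_reading(current_ma, lower, upper):
    """Value the DCS reconstructs from the loop current using its own range."""
    return lower + (current_ma - 4.0) / 16.0 * (upper - lower)


def tampering_error(true_value, transmitter_range, dcs_range):
    """Value the DCS shows for `true_value` after an unnoticed re-range."""
    ma = loop_current_ma(true_value, *transmitter_range)
    return dcs_reading(ma, *dcs_range)


if __name__ == "__main__":
    for line in diff_snapshots(BASELINE, CURRENT) + range_mismatches(CURRENT, DCS_RANGES):
        print("ALERT", line)
    # A 100 degC process on a transmitter re-ranged to 0-200 degC drives
    # 12 mA; a DCS still scaled for 0-100 degC displays 50 degC.
    print("true 100 degC, DCS shows:",
          tampering_error(100.0, (0.0, 200.0), (0.0, 100.0)))
```

The range cross-check is the cheap, high-value part: a transmitter range that differs from the DCS channel scaling is almost never legitimate, because a real re-range is done on both sides at once. Run the snapshot diff on a schedule against the previous export, and feed the alerts into the same channel as other OT change-management events.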

A detailed approach to designing security zones in OT networks, including field-level protection, is described in our article on OT network segmentation.

TIP

If you are planning a field-level modernization, consider WirelessHART - the only fieldbus protocol with native encryption (AES-128). For existing HART installations: enable write-protect on transmitters, secure junction boxes, and deploy configuration change monitoring through AMS.
