Given a completely static authentication realm like the rooms of a hotel, Modbus over TCP over IPSec would work just fine, and be transparent to the application. That sort of sounds like a good reason to be using Linux (Android) controllers in the first place; maybe they just forgot to enable it (or let go the installing contractors before their job was done, as soon as everything seemed to be "working.")

Maybe embedded network is the new javascript ecosystem: rediscovering novel ideas (like authentication!) that were invented 50 years ago.

/deploying CAN bus without security

I wonder if what is blindsiding all of these companies and people is routing.

That if you have a box that can talk to network A and B, suddenly anything on A can talk to anything on B.

A CAN bus, or older modbus installs, would be airgapped by its very nature.

Just because its CAN doesn't mean its actually air gapped. If there is a Linux box on one end for SCADA use or similar, then the path is IP -> Linux spl01t -> SocketCAN