What is included.
Each capability below is delivered by senior engineers who have run it in production at scale. We do not subcontract this work.
IEC 62443 alignment
Risk assessments, security level targets, and zone & conduit modelling.
Network segmentation
Purdue model, DMZ design, and east-west microsegmentation — without breaking determinism.
Vendor & contractor access
Zero-trust remote access. No more VPNs to the SCADA server with shared credentials.
Asset visibility
Passive discovery (no scanning of fragile devices) — Claroty, Nozomi, Dragos, or open-source.
Incident response
OT-specific runbooks. What you do when ransomware reaches the corporate network — and stays there.
Compliance
NIS2, NERC CIP, and India's CERT-In OT guidance — mapped to your existing controls.
Four stages, every engagement.
Assess
Network capture, asset inventory, and risk assessment — without disrupting production.
Design
Segmentation plan, access control architecture, and incident response runbooks.
Implement
Phased deployment. Production windows respected. Rollback plans for every change.
Sustain
Quarterly reviews, patching cadence aligned to maintenance windows, and tabletop exercises.
What you can expect.
- A current asset inventory — most plants do not have one
- Vendor and contractor access that you can audit, not just trust
- Network segmentation that survives the next ransomware event
- Compliance evidence ready for the next audit, not assembled the week before