OT-Grade Reliability, Zero Trust Security, and Audit-Ready Evidence
Energy & Utilities infrastructure must be safe, reliable, and compliant—24×7.
SolveForce designs and operates IT/OT networks and platforms for electric (T&D, generation, DER/microgrids), gas & pipelines, and water/wastewater that are Zero-Trust by default, latency-engineered for control, and auditable against NERC CIP, NIST 800-82, IEC 62443, ISO 27019, TSA Pipeline, and privacy laws.
Connective tissue:
🖧 Fabric → /networks-and-data-centers • 🌐 Access → /connectivity
🔀 Control → /sd-wan • 🚪 Edge → /nac • 🔐 Per-App → /ztna / /sase • 🧩 East–West → /microsegmentation
📡 Field → /fixed-wireless • /mobile-connectivity • /satellite-internet • /cbrs • /private-5g
☁️ On-ramps → /direct-connect • 🌈 Optical → /wavelength / /lit-fiber / /dark-fiber
🔒 Security → /cybersecurity • 📊 Evidence → /siem-soar
💾 Continuity → /cloud-backup • /backup-immutability • /draas
🎯 Outcomes (Why SolveForce for Energy & Utilities)
- Deterministic control paths for SCADA, teleprotection, DA/FLISR, synchrophasors, and plant control.
- Zero-Trust OT — identity, device posture, segmentation, and per-app access from control center to pole-top.
- Field reach, anywhere — fiber + microwave + private LTE/5G/CBRS + satellite with SD-WAN brownout steering.
- Provable compliance — encryption, key custody, logging, and immutable backups with exportable auditor packs.
- Operational clarity — SLO dashboards for control latency, time sync, poll cycles, and site availability.
🧭 Scope (What We Build & Operate)
- OT networks — substation LAN (IEC 61850), plant LAN, process bus, core OT WAN/MPLS-TP, IP/MPLS/EVPN, PRP/HSR redundancy.
- SCADA & protocols — DNP3, IEC 60870-5-104, Modbus/TCP, IEC 61850 GOOSE/Sampled Values, ICCP/TASE.2.
- Timing — PTP (IEEE 1588), GNSS grandmasters, IRIG-B; disciplined clocks for PMU (IEEE C37.118) accuracy.
- Backhaul — OPGW/dark fiber/waves, licensed microwave/mmWave, CBRS/Private 5G, fixed wireless, LTE/5G, satellite tertiary. → /wavelength • /fixed-wireless • /private-5g
- Access & security — 802.1X/NAC at OT edge, ZTNA for vendors/field crews, SASE for web/SaaS, PAM for elevation. → /nac • /ztna • /sase • /pam
- Edge & core — micro/edge DCs, substation compute, historian integration, lakehouse/warehouse, vector search with “cite-or-refuse.” → /edge-data-centers • /data-warehouse • /vector-databases
🧱 OT Zero-Trust Building Blocks
- Segmentation by function — protection & control, SCADA, AMI/FAN, corporate IT, vendors; microsegmentation allow-lists per flow. → /microsegmentation
- Per-session access — ZTNA for operators, engineers, and vendors; session recording for privileged actions (PAM). → /ztna • /pam
- OT boundary — firewalls + DPI for OT protocols; unidirectional gateways/diodes where mandated.
- Crypto & keys — IPsec/MACsec/L1, CMK/HSM dual-control, certificate lifecycle for devices/services. → /encryption • /key-management
- Patching with compensating controls — allow-lists, application whitelisting, maintenance windows, and rollback runbooks.
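The "allow-lists per flow" idea above, as an added example that is not SolveForce's code: a default-deny evaluator that maps observed flows to functional enclaves and checks each cross-zone flow against an explicit allow-list. Zone subnets, the allow-list, and the sample flows are all constructed for illustration; the only real values are the well-known DNP3, Modbus/TCP and IEC 104 TCP ports. Intra-zone traffic is allowed here as a simplification; per-host rules would tighten it further.

```python
"""Added example (not SolveForce code): evaluate observed OT flows against a
per-zone allow-list, default-deny. Zones, hosts and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map: which subnet belongs to which functional enclave.
ZONES = {
    "protection_control": ip_network("10.10.0.0/24"),
    "scada_master": ip_network("10.20.0.0/24"),
    "ami_fan": ip_network("10.30.0.0/24"),
    "corporate_it": ip_network("10.100.0.0/16"),
    "vendor_ztna": ip_network("10.200.0.0/24"),
}

# Constructed allow-list: (src_zone, dst_zone, proto, dst_port). Anything not
# listed is denied. Ports are the standard ones for DNP3, Modbus/TCP, IEC 104.
ALLOW = {
    ("scada_master", "protection_control", "tcp", 20000),  # DNP3 polling
    ("scada_master", "protection_control", "tcp", 502),    # Modbus/TCP
    ("scada_master", "ami_fan", "tcp", 2404),              # IEC 60870-5-104
    ("vendor_ztna", "protection_control", "tcp", 22),      # brokered maintenance session
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its enclave name, or None if it is unmapped."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts are 'allow' or 'deny'; default is deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown zone (unmapped address)"
    if src_zone == dst_zone:
        # Simplification: intra-enclave traffic is allowed at this policy layer.
        return "allow", f"intra-zone {src_zone}"
    key = (src_zone, dst_zone, flow.proto.lower(), flow.dport)
    if key in ALLOW:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} on allow-list"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not on allow-list"

def audit(flows) -> List[dict]:
    """Evaluate a batch and return only the denied flows, for SIEM hand-off."""
    findings = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            findings.append({"src": f.src, "dst": f.dst, "proto": f.proto,
                             "dport": f.dport, "reason": reason})
    return findings

# Constructed sample of flows, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.10.0.21", "tcp", 20000),   # SCADA -> relay DNP3: allowed
    Flow("10.100.4.7", "10.10.0.21", "tcp", 20000),  # corporate IT -> relay: denied
    Flow("10.200.0.9", "10.10.0.21", "tcp", 22),     # vendor via ZTNA: allowed
    Flow("10.200.0.9", "10.20.0.5", "tcp", 3389),    # vendor -> SCADA RDP: denied
    Flow("10.10.0.21", "10.10.0.22", "udp", 319),    # intra-zone PTP event: allowed
    Flow("192.0.2.10", "10.10.0.21", "tcp", 502),    # unmapped source: denied
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run as-is, the audit reports three denied flows (corporate IT reaching a relay, a vendor reaching the SCADA master on an unlisted port, and an unmapped source); the denied-flow list is what an NDR or SIEM rule would raise as an intent violation.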
🔁 Reference Patterns (Choose Your Fit)
1) Substation LAN (IEC 61850)
- Redundant station bus + process bus; PRP/HSR; GOOSE/SV paths over fiber; PTP grandmaster & boundary clocks; microseg rules; MACsec on uplinks.
2) DA/FLISR & AMI/FAN
- Field routers over licensed microwave + Private LTE/5G/CBRS; SD-WAN SLO steering; ZTNA for field crews; device identity at the edge.
3) Generation (Thermal/Renewables)
- Plant LAN with protection VLANs; SAN/NVMe for historians; PTP for time sync; deterministic DCI to control center via wavelengths; PAM for OEM vendors.
4) Pipelines & Midstream (Gas/Oil)
- SCADA over microwave/fiber; satellite backup; ZTNA for third-party technicians; TSA Pipeline overlays; immutable configs/backups.
5) Water/Wastewater
- Lift stations and plants on fixed wireless/LTE; NAC profiling; microseg enclaves; DNP3 poll & alarm SLOs; DR runbooks.
📐 OT SLO Guardrails (Targets You Can Measure)
| Control / Telemetry Path | Target SLO (Typical)* |
|---|---|
| IEC 61850 GOOSE (substation LAN) | ≤ 3 ms end-to-end |
| Teleprotection L2 (point-to-point) | < 10–20 ms end-to-end |
| SCADA poll cycle (DNP3/IEC 104) | 1–4 s (normal), ≤ 1 s critical points |
| Event/alarm propagation (unsolicited) | ≤ 500 ms to HMI/EMS/DMS |
| PMU time error (IEEE C37.118) | ≤ ±1 μs vs UTC; GNSS + PTP holdover |
| Substation WAN availability | ≥ 99.95–99.99% with diverse paths |
| Vendor ZTNA attach (p95) | ≤ 1–3 s to first byte |
| Evidence completeness (CIP-007/010/011) | = 100% configs/logs/backups/tests |
*Final numbers depend on device class, protection scheme, and regulator/utility standards.
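One way to turn the table above into a measurable check, as an added example that is not SolveForce's code: score sample windows against the typical targets and report pass/fail per path, with the evidence-completeness row computed from a per-asset register. The table states ceilings without naming the statistic, so using the 95th percentile for the latency and poll-cycle rows is an assumption made here; the sample values, thresholds, and asset names are constructed placeholders, not a utility's real figures.

```python
"""Added example (not SolveForce code): score constructed OT telemetry samples
against SLO targets like those in the table above. Thresholds, sample values
and asset names are placeholders, not a utility's real figures."""
import math

# Targets (typical column): p95 ceilings for latency/poll paths (assumption),
# an absolute ceiling for PMU time error, and a 100% requirement for evidence.
SLO = {
    "goose_latency_ms": {"kind": "p95_max", "limit": 3.0},
    "dnp3_poll_cycle_s": {"kind": "p95_max", "limit": 4.0},
    "pmu_time_error_us": {"kind": "abs_max", "limit": 1.0},
    "evidence_completeness": {"kind": "min_ratio", "limit": 1.0},
}

# Constructed measurement windows, e.g. one-minute exports from a probe.
GOOSE_MS = [1.1, 1.3, 1.2, 1.4, 1.6, 1.5, 1.9, 2.1, 1.8, 2.2,
            2.4, 2.0, 1.7, 2.3, 2.5, 1.9, 2.6, 2.8, 2.7, 4.1]   # one outlier
DNP3_POLL_S = [2.0, 2.1, 2.2, 2.0, 2.3, 2.1, 5.2, 2.4, 2.2, 2.0]  # one slow poll
PMU_US = [0.2, -0.3, 0.5, -0.8, 0.1, 0.9, -0.4]                   # signed error vs UTC

# Constructed evidence register: per asset, which artefacts are on file.
EVIDENCE = {
    "relay-01": {"config": True, "logs": True, "backup": True, "test": True},
    "rtu-07":   {"config": True, "logs": True, "backup": False, "test": True},
    "hmi-03":   {"config": True, "logs": True, "backup": True, "test": True},
}

def percentile(samples, pct):
    """Nearest-rank percentile: the sample at or above pct% of the sorted set.
    Chosen over interpolation so the reported value is an actual observation."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def check_metric(name, samples):
    """Evaluate one sample window against its SLO; returns a report dict."""
    kind, limit = SLO[name]["kind"], SLO[name]["limit"]
    if kind == "p95_max":
        observed = percentile(samples, 95)
    elif kind == "abs_max":
        observed = max(abs(s) for s in samples)
    else:
        raise ValueError(f"{name}: unsupported kind {kind}")
    return {"metric": name, "observed": observed, "worst": max(abs(s) for s in samples),
            "limit": limit, "pass": observed <= limit}

def evidence_completeness(register):
    """Ratio of evidence items present, plus the (asset, item) pairs that are missing."""
    missing = [(asset, item) for asset, items in register.items()
               for item, present in items.items() if not present]
    total = sum(len(items) for items in register.values())
    return (total - len(missing)) / total, missing

def run_all():
    """Run every check; the failures are what feed a SOAR case or auditor pack."""
    results = [check_metric("goose_latency_ms", GOOSE_MS),
               check_metric("dnp3_poll_cycle_s", DNP3_POLL_S),
               check_metric("pmu_time_error_us", PMU_US)]
    ratio, missing = evidence_completeness(EVIDENCE)
    limit = SLO["evidence_completeness"]["limit"]
    results.append({"metric": "evidence_completeness", "observed": ratio,
                    "missing": missing, "limit": limit, "pass": ratio >= limit})
    return results

if __name__ == "__main__":
    for r in run_all():
        print("PASS" if r["pass"] else "FAIL", r)
```

With the constructed data, GOOSE passes at p95 even though one sample exceeds the ceiling (the report keeps the worst value so the outlier is still visible), the DNP3 poll window fails on its slow poll, PMU error stays within the bound, and evidence completeness fails because one asset lacks a backup artefact.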
🔐 Compliance & Governance (Mapped)
- NERC CIP — asset identification (CIP-002), BES cyber systems, access control/audit (CIP-004/007/010/011), supply chain risk (CIP-013); immutable logs to SIEM; backup evidence.
- NIST 800-82 (ICS), IEC 62443 (IACS), ISO 27019 (energy utilities), TSA Pipeline (pipelines).
- Privacy/Records — state PII laws, customer data (AMI), and outage/EMS data governance with DLP & residency controls. → /dlp
📊 Observability & Evidence
- OT NDR at boundaries; DPI for DNP3/Modbus/IEC 104/61850; anomaly detection. → /ndr
- Time & protection — PTP port/BMCA state, GNSS health, GOOSE latency histograms, relay counters.
- WAN & field — latency/jitter/loss per class, RF link SNR, microwave fade margins, satellite attach.
- Change & configs — device diffs, firmware/SBOMs, approved windows; WORM log options; SOAR cases. → /siem-soar
💾 Continuity & IR (OT-Aware)
- Immutable backups — configs, relay settings, historian/db snapshots; object-lock + MFA Delete; air-gap accounts. → /backup-immutability
- DR tiers & drills — control-center failover, substation cutover, communication path swaps; artifacts archived. → /draas
- Incident Response — playbooks for ransomware, mis-ops, vendor compromise; SOAR triggers to isolate, re-key, and restore. → /incident-response
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Crown-jewel map — protection & control, EMS/DMS/ADMS, AMI, DA/FLISR, DER/microgrid, pipeline/water SCADA.
2) Identity & posture — SSO/MFA; cert-based device identity; MDM/UEM + EDR for laptops/HMIs; PAM for OEM/vendor access. → /iam • /mdm • /mdr-xdr • /pam
3) Segmentation — station bus/process bus/SCADA/AMI/IT enclaves; microseg intents compiled to L2–L7 controls. → /microsegmentation
4) Backhaul — diverse fiber/microwave + Private LTE/5G; satellite tertiary; SD-WAN SLO policies (packet dup/FEC). → /sd-wan • /private-5g • /satellite-internet
5) Timing — PTP grandmasters, boundary clocks, holdover strategy, monitoring.
6) Security — WAF for portals/APIs; DLP labels; HSM/vault; CIP logging to SIEM; SOAR playbooks. → /waf • /key-management • /secrets-management • /siem-soar
7) Continuity — immutable backups; DR tiers; quarterly drills; clean-point catalog. → /cloud-backup • /backup-immutability
8) Operate — SLO dashboards (latency, poll cycles, time sync, availability); vendor escalation trees; monthly compliance health.
✅ Pre-Engagement Checklist
- 🧭 In-scope domains (T&D, DA/FLISR, AMI, DER/microgrid, generation, pipeline, water/WW).
- 🔐 Identity posture (SSO/MFA), device identity (certs), field-laptop MDM/UEM + EDR, PAM needs.
- 🗺️ Current segmentation (OT/IT), substation/plant LAN designs, timing topology (PTP/GNSS).
- 🌐 Backhaul options (fiber, microwave, Private LTE/5G/CBRS, satellite) & diversity letters.
- 📡 Protocol mix (DNP3/IEC 104/Modbus/61850), teleprotection needs, PMU deployments.
- 💾 Backup/DR tiers; object-lock scope; drill cadence; clean-point criteria.
- 📊 SIEM/SOAR destinations; SLO targets; audit/report cadence; NERC CIP scope.
🔄 Where Energy & Utilities Fit (Recursive View)
1) Grammar — OT traffic rides /connectivity & /networks-and-data-centers with timing discipline.
2) Syntax — composed across /cloud, MAN/WAN, and secure edges; SD-WAN guides paths.
3) Semantics — /cybersecurity preserves truth; keys/logs/backups prove control.
4) Pragmatics — /solveforce-ai predicts risk (weather, load, RF fade) and suggests safe policy changes.
5) Foundation — consistent terms via /primacy-of-language.
6) Map — indexed in the /solveforce-codex & /knowledge-hub.