Defend at industrial scale.

State-actor sabotage targets ICS. Volt Typhoon pre-positions on grid OT. Triton hit petrochemical SIS. Russia and China target recipe, formulation, toolpath, CAD, and geological-formation data as specific asset classes. OT cyber spend grows to $21.6B by 2028. The defenses industry needs aren’t software policies — they’re hardware-rooted identity, Purdue-Model-enforced isolation, on-device IP-exfiltration controls, and continuous attestation that holds the line at the asset, not the perimeter.

The threats are no longer hypothetical

OT attacks rose 19% in 2023 across 500+ physical sites. Applied Materials lost $250M in sales from one attack on its supplier MKS Instruments. Clorox and Johnson Controls each lost tens of millions in single incidents. Triton sabotaged a petrochemical SIS. Volt Typhoon pre-positioned on U.S. water, energy, and transportation systems. The old answer — perimeter firewalls and VLAN segmentation — covers a vanishing fraction of the actual attack surface.

OT Security writes the controls the industry actually needs. TPM 2.0 hardware identity on every node. Purdue-Model-enforced VLAN isolation across Levels 0–5. On-device IP-exfiltration defense for recipe, formulation, toolpath, CAD, and geological data — the specific asset classes state actors target. SIS hardware authority preserved per IEC 61511. Continuous attestation evidence against IEC 62443, CIP-013, CMMC L1/L2/L3, NIST SP 800-171, AS9100, CFATS, EU NIS2. Air-gapped + sovereign variants for ITAR and classified work.

6 defenses live

TPM 2.0 identity (Hardware): 99%
Purdue Model L0–L5 (VLAN-isolated): 98%
IP-exfiltration defense (Recipes / toolpaths): 97%
SIS authority preserved (IEC 61511): 99%
CMMC L2/L3 (Continuous evidence): 96%
State-actor monitoring (Volt Typhoon / Triton): 95%

Four lines of defense

Identity in silicon. Detection in the ICS. IP in the device. Attestation across the chain.

The threats industry faces aren’t solved by another VPN or policy memo. They’re solved by hardware-rooted identity, ICS-native detection, IP-exfiltration controls on the device itself, and cross-tier attestation that hold the line where the assets live.

1. Hardware-rooted identity + Purdue isolation

TPM 2.0 on every node. Cryptographic chain from silicon through deployment-time provisioning through runtime attestation. Purdue Model Levels 0–5 enforced in hardware via managed switches with strict VLAN policies. Software policy alone is insufficient.

2. State-actor + ICS defense

IEC 62443 continuous monitoring tuned to ICS-specific signatures. Triton-class SIS sabotage detection. Volt Typhoon pre-positioning indicators. NotPetya / Colonial Pipeline ransomware threat models. SIS hardware authority preserved per IEC 61511 — the policy operates inside the envelope, never around it.

3. On-device IP-exfiltration defense

Recipe, formulation, toolpath, CAD configuration, and geological-formation data are asset classes targeted for exfiltration by Russia and China state actors. Hardware-rooted access control on the device prevents unauthorized egress. Cross-org sharing happens only through Multiplayer’s privacy-preserving substrate, never raw.

4. Continuous attestation evidence

Append-only ledger of security state (firmware versions, patch status, configuration drift, anomaly events). Real-time evidence assembled against IEC 62443, CIP-013, CMMC L1/L2/L3, NIST SP 800-171, AS9100, CFATS, EU NIS2, NERC CIP. Audit packs assembled as the work happens — consumed by AI-enabled regulatory compliance for filings, by Embedded Trading for attested-pool eligibility, by Theorem for project-finance + insurance underwriting.
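
One way to make an append-only ledger of security state tamper-evident is to hash-chain its entries, so that editing or dropping a record breaks every later link. This is an added example, not the product's code; the hash chaining, the field and node names, and the externally stored chain head are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(entries, node, kind, detail):
    """Add one security-state record; returns the new chain head."""
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    record = {"seq": len(entries), "node": node, "kind": kind, "detail": detail}
    entries.append({"record": record, "prev_hash": prev_hash,
                    "hash": digest(prev_hash, record)})
    return entries[-1]["hash"]


def verify(entries, trusted_head=None):
    """Return -1 if intact, else the index of the first bad entry
    (len(entries) when only the externally held head disagrees)."""
    prev_hash = GENESIS
    for i, entry in enumerate(entries):
        rec = entry["record"]
        chained = rec.get("seq") == i and entry["prev_hash"] == prev_hash
        if not chained or digest(prev_hash, rec) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    # Truncation leaves a self-consistent chain; only a head stored
    # outside the ledger (an assumption here) exposes it.
    if trusted_head is not None and prev_hash != trusted_head:
        return len(entries)
    return -1


def build_sample():
    # Constructed events, one per state type the text lists.
    entries = []
    append(entries, "plc-01", "firmware_version", {"version": "2.4.1"})
    append(entries, "plc-01", "patch_status", {"missing": 0})
    append(entries, "hmi-03", "configuration_drift", {"changed": ["ntp_server"]})
    head = append(entries, "plc-01", "anomaly_event", {"type": "unsigned_setpoint_write"})
    return entries, head
```

An auditor replaying the log calls `verify(entries, head)` with a head obtained out of band; without it, a cleanly truncated log still verifies.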

Defense in action

An unsigned write hits a hardware wall.

When an anomalous command appears, TPM-rooted identity, IEC 62443 monitoring, and SIS hardware authority converge in under 120ms. Every block is audit-sealed and federated to threat-intel partners on the same chain.

Anomaly to attestation

120ms from anomaly detected to write blocked

Detection at the controller, identity verification in hardware, policy enforced inside the SIS envelope — sealed in an audit log that can be replayed years later.

[14:23:07] ALERT Unsigned setpoint write — substation feeder-7 controller

Anomaly detected (IEC 62443): 40ms
Hardware attestation (TPM 2.0): 60ms
Policy enforcement (SIS authority): 20ms

3 layers, hardware-rooted, 120ms total. Write blocked.

What the substrate ships

Hardware. Detection. IP defense. Attestation.

A defense posture that matches how industrials actually operate — siloed networks, multi-vendor control rooms, defense supply chains, classified-program isolation, and state-actor-targeted IP asset classes.

1. TPM 2.0 + Purdue Model

Hardware identity, sealed keys, attested boot on every node. Levels 0–5 enforced by managed switches. Cross-vendor authentication for mixed-vendor cobot fleets and multi-OEM control rooms.

2. State-actor signatures

Triton-class SIS sabotage. Volt Typhoon pre-positioning. NotPetya / Colonial Pipeline ransomware. NERC-CIP-isolated substations. Air-gap-by-default at refinery (post-Triton), grid substations, ITAR-controlled programs, classified SAP enclaves.

3. IP-exfiltration controls

Recipes, formulations, toolpaths, CAD configurations, geological-formation data — the specific asset classes state actors target. Hardware-rooted device access control; egress over Multiplayer ZK only. The defense incumbents don’t ship.

4. Continuous attestation evidence

CMMC L2/L3 (Dec 2026), ITAR, DFARS 252.204-7012, AS9100, NIST SP 800-171, IEC 62443, CIP-013, CFATS, EU NIS2. Audit packs assembled continuously, not at filing time.

Defenses that match the threats.

Hardware-rooted identity, Purdue-Model isolation, IP-exfiltration defense, continuous attestation — built for the threats industry actually faces.