Industrial IoT and SCADA Governance

Your controllers operate. Your governance doesn't.

Industrial control systems manage power grids, water treatment plants, chemical facilities, and oil pipelines. Attackers have shut down pipelines serving 45% of the US East Coast fuel supply, attempted to poison a city's water with a 111x lye overdose, destroyed uranium centrifuges by manipulating PLC logic while replaying false sensor data, and disabled safety systems at petrochemical plants. The ICS/SCADA cybersecurity market is $13.3B and growing at 16.5% CAGR. The governance gap between what controllers decide and what compliance covers is an infrastructure safety risk.

10 detection patterns
5 governance modules
31 behavioral monitor methods
10 compliance frameworks
8ms emergency halt response

Critical infrastructure without behavioral governance

A ransomware attack shut down 5,500 miles of pipeline for 6 days, causing fuel shortages across the US East Coast. A remote attacker accessed a water treatment plant's SCADA system and increased sodium hydroxide levels by 111x. A nation-state weapon destroyed 1,000 uranium centrifuges by modifying PLC logic while replaying normal sensor data to operators. Another nation-state malware targeted safety instrumented systems at a petrochemical plant, designed to cause physical destruction. 26 active threat groups are targeting operational technology. Only 30% of OT networks have adequate visibility.

Every ICS security vendor monitors the network: packet inspection, anomaly detection, asset inventory. No vendor governs the controller's behavior: process variable deviations, unauthorized setpoint changes, firmware integrity violations, safety system bypasses, air-gap breaches. Agentomy closes that gap.

10 detection patterns mapped to real incidents and real regulations

Every pattern references a documented incident, a specific regulatory requirement, and a concrete detection method. The 31-method behavioral monitor runs continuously across the control system lifecycle. No theoretical threats. No generic compliance language.

Process Variable Deviation
Process variable drifting outside safe operating range without corresponding setpoint change. Continuous comparison against configured ranges and physical process models. Catches the type of manipulation where an attacker increases a chemical concentration by 111x while operators see nothing unusual.
Severity: Critical

Unauthorized Setpoint Change
Setpoint modification from unauthorized source, outside maintenance windows, or exceeding rate-of-change limits. Validates source attribution for every setpoint command. Catches direct register writes to PLCs that bypass the operator authorization layer.
Severity: Critical

Controller Firmware Tampering
PLC, RTU, or IED firmware modified outside approved change management. Maintains cryptographic hashes of approved firmware images. Catches the pattern where malware modifies controller logic to alter physical processes while reporting normal readings.
Severity: Critical

PLC Command Injection
Malformed or crafted commands via industrial protocols. Deep packet inspection of Modbus TCP, OPC-UA, EtherNet/IP traffic. Detects register write floods, function code abuse, and replay attacks. Catches the protocol-level attacks used to open circuit breakers and cut power to 230,000 customers.
Severity: Critical

Safety System Override
Safety Instrumented System bypassed or disabled outside approved procedures. Monitors all SIS state changes: bypass requests, force commands, maintenance mode transitions. Catches the attack pattern designed to disable safety systems at petrochemical plants to enable physical destruction.
Severity: Critical

Network Segmentation Breach
Unauthorized traffic crossing IT/OT network boundaries. Monitors Purdue model zone transitions. Detects lateral movement from corporate networks into control systems. Catches the attack pattern that forced a pipeline shutdown because the operator could not confirm OT network isolation.
Severity: Critical

Unscheduled Maintenance Window
Control system modifications attempted outside approved windows. Integrates with change management to track approved periods per asset. Catches the pattern where ransomware spreads laterally during business hours without triggering change management controls.
Severity: High

Sensor Data Manipulation
Sensor data replayed, frozen, or artificially manipulated. Statistical analysis detects frozen values, impossible rate-of-change jumps, and correlation violations between related process variables. Catches the attack where operators saw normal readings while equipment was being physically destroyed.
Severity: Critical

Cascading Shutdown Propagation
Shutdown propagating across interconnected process units. Tracks temporal correlation between shutdown events. Detects domino failures across connected systems. Catches the pattern where a single attack disrupts 76 port terminals or 20% of a country's processing capacity.
Severity: Critical

Air-Gap Violation
Air-gapped control system connected to external network through unauthorized means. Detects USB introductions, unauthorized wireless access points, cellular modems, and any bridge defeating physical isolation. Catches the vector that delivered a cyber weapon across an air gap via USB drive.
Severity: Critical
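
The Process Variable Deviation and Sensor Data Manipulation checks described above (range deviation without a setpoint change, impossible rate-of-change jumps, frozen values, replayed data) can be sketched as follows. This is an added example, not Agentomy's code; the function names, thresholds, and sample readings are assumptions constructed for illustration.

```python
from statistics import pstdev

def check_series(samples, lo, hi, max_rate, setpoint_changed=False,
                 freeze_window=5, freeze_eps=1e-6):
    """samples: [(t_seconds, value)]. Returns a sorted list of finding names."""
    findings = set()
    values = [v for _, v in samples]
    # Deviation: value outside the safe range with no matching setpoint change.
    if not setpoint_changed and any(not (lo <= v <= hi) for v in values):
        findings.add("out_of_range_without_setpoint_change")
    # Rate of change the physical process could not produce.
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if t1 > t0 and abs(v1 - v0) / (t1 - t0) > max_rate:
            findings.add("rate_of_change_exceeded")
    # Frozen value: a live analog signal carries noise, a stuck or spoofed one does not.
    for i in range(len(values) - freeze_window + 1):
        if pstdev(values[i:i + freeze_window]) < freeze_eps:
            findings.add("frozen_value")
            break
    return sorted(findings)

def find_replay(values, window=4):
    """Return (first_index, repeat_index) of an exactly repeated window, else None."""
    seen = {}
    for i in range(len(values) - window + 1):
        key = tuple(values[i:i + window])
        # Constant windows are the frozen-value case; overlapping matches are ignored.
        if len(set(key)) > 1 and key in seen and i - seen[key] >= window:
            return (seen[key], i)
        seen.setdefault(key, i)
    return None

# Constructed sample data (not from any real plant): dosing concentration in ppm.
NORMAL = [(0, 100.2), (1, 100.5), (2, 99.8), (3, 100.1), (4, 100.4), (5, 99.9)]
FROZEN = [(t, 100.3) for t in range(6)]
SPIKE = [(0, 100.0), (1, 100.4), (2, 11100.0), (3, 11100.2)]
REPLAYED = [100.2, 100.5, 99.8, 100.1, 100.4, 100.2, 100.5, 99.8, 100.1, 100.6]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("frozen", FROZEN), ("spike", SPIKE)):
        print(name, check_series(s, lo=50, hi=150, max_rate=5.0))
    print("replay", find_replay(REPLAYED))
```

Exact-match replay detection only works on raw, unrounded sensor values; heavily quantized signals repeat legitimately and need a longer window.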

5 governance layers for industrial control systems

Each layer enforces one aspect of ICS governance -- from individual controller process boundary enforcement to plant-wide emergency shutdown orchestration across interconnected facilities.

Process Boundary Enforcer
Continuous process variable validation against safe operating ranges. Every reading checked against configured boundaries and rate-of-change limits. Every setpoint change validated against authorized sources. Deviations trigger operator alerts and controlled shutdowns.
Controller Integrity Monitor
Cryptographic firmware integrity verification for every PLC, RTU, and IED. Maintains approved firmware baselines. Detects unauthorized logic changes and firmware uploads. Quarantines compromised controllers from the control network.
Safety Instrumented System Guard
Monitors all SIS state changes. Validates bypass requests against approved work orders with time-limited windows. Tracks concurrent bypass counts. No safety system operates in unauthorized bypass state. The last line of defense stays defended.
Network Perimeter Controller
IT/OT boundary enforcement per Purdue model zones. Validates all cross-zone traffic against authorized communication paths. Detects air-gap violations, unauthorized remote access, and protocol tunneling. No unauthorized traffic crosses zone boundaries.
Emergency Shutdown Orchestrator
Coordinates controlled shutdowns across interconnected process units. Detects cascading propagation. Manages orderly process isolation sequences. Prevents uncontrolled cascade failures that cause physical damage or environmental release.
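
One way to express the setpoint validation that the Process Boundary Enforcer layer and the Unauthorized Setpoint Change pattern describe (authorized source, approved window, safe range, rate-of-change limit). This is an added example, not Agentomy's code; `SetpointPolicy`, `evaluate_setpoint`, the source names, and the policy values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class SetpointPolicy:
    authorized_sources: frozenset   # identities allowed to write this tag
    safe_min: float
    safe_max: float
    max_step: float                 # largest change accepted in one command
    windows: tuple                  # approved (start, end) windows, UTC

def evaluate_setpoint(policy, source, current, requested, when):
    """Return (allowed, reasons); every failed check is reported, any failure denies."""
    reasons = []
    if source not in policy.authorized_sources:
        reasons.append("unauthorized_source")
    if not any(start <= when < end for start, end in policy.windows):
        reasons.append("outside_maintenance_window")
    # Written as positive range tests so a NaN value fails closed.
    if not (policy.safe_min <= requested <= policy.safe_max):
        reasons.append("outside_safe_range")
    if not (abs(requested - current) <= policy.max_step):
        reasons.append("rate_of_change_exceeded")
    return (not reasons, reasons)

UTC = timezone.utc
# Constructed policy for a hypothetical sodium hydroxide dosing setpoint (ppm).
NAOH_POLICY = SetpointPolicy(
    authorized_sources=frozenset({"hmi-operator-01"}),
    safe_min=50.0, safe_max=150.0, max_step=25.0,
    windows=((datetime(2024, 1, 10, 13, tzinfo=UTC),
              datetime(2024, 1, 10, 15, tzinfo=UTC)),),
)

if __name__ == "__main__":
    ok = evaluate_setpoint(NAOH_POLICY, "hmi-operator-01", 100.0, 110.0,
                           datetime(2024, 1, 10, 14, tzinfo=UTC))
    # A 100 ppm to 11,100 ppm request from an unlisted source, outside the window.
    bad = evaluate_setpoint(NAOH_POLICY, "remote-desktop-session", 100.0, 11100.0,
                            datetime(2024, 1, 10, 18, 30, tzinfo=UTC))
    print(ok)
    print(bad)
```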

10 frameworks, real enforcement deadlines, real penalties

Every control mapping references the actual regulatory document. No generic compliance language. All mappings are self-assessed, pending external validation. Penalty exposure ranges from NERC CIP fines to EUR 10M under NIS2.

| Framework | Status | Scope |
|---|---|---|
| NERC CIP (v7/8) | Active (mandatory) | Mandatory cybersecurity for North American bulk electric system. Electronic Security Perimeters, security event monitoring, configuration change management, incident response. Fines up to $1M/violation/day. |
| NIS2 Directive | Enforced Oct 2024 | EU-wide cybersecurity for essential entities: energy, transport, water, manufacturing. Incident notification within 24 hours. Penalties up to EUR 10M or 2% global turnover. |
| IEC 62443 | Active | International IACS cybersecurity standard series. System-level (3-3), component-level (4-2), organizational (2-1) requirements. Authorization enforcement, network segmentation, input validation, firmware integrity. |
| NIST SP 800-82 Rev 3 | Active (2023) | Comprehensive OT security guide. Authentication, network architecture, security monitoring, firmware integrity, configuration management. Covers SCADA, DCS, PLCs, and other control components. |
| TSA Pipeline Directives | Active (2021-02C/D) | Mandatory cybersecurity for pipeline operators. Network segmentation, access control, continuous monitoring, patch management. Issued after Colonial Pipeline. Enforceable by TSA inspection. |
| EU Cyber Resilience Act | Effective 2027 | Mandatory cybersecurity for products with digital elements sold in EU. Vulnerability handling, incident notification within 24 hours to ENISA, security by design requirements. |
| ISO 27001 + ISO 27019 | Active | Information security management with OT annex for energy utilities. Configuration management, OT-specific access controls, operational procedures, change management for control systems. |
| IEC 61508 | Active | Functional safety of E/E/PE safety-related systems. Safety function bypass management, software safety integrity verification, SIL requirements. Foundation for sector-specific safety standards. |
| IEC 61511 | Active | Safety Instrumented Systems for process industry. SIS lifecycle from design through decommissioning. Bypass management, proof testing, management of change. Mandatory for chemical, petrochemical, oil and gas. |
| CFATS | Active | Chemical Facility Anti-Terrorism Standards. Risk-Based Performance Standards for physical and cybersecurity. Deter cyber sabotage including unauthorized access to critical process controls. 300+ chemicals of interest. |

Pipeline shutdowns, water poisoning attempts, centrifuge destruction, and safety system attacks

Colonial Pipeline, May 2021
$4.4M ransom, 6-day shutdown, 45% of US East Coast fuel
Ransomware attack shut down 5,500 miles of pipeline for 6 days. 87% of Washington D.C. gas stations ran out of fuel. $4.4M ransom paid (63.7 BTC later recovered). Pipeline shut down because the operator could not confirm IT/OT network isolation. Presidential state of emergency declared.

Detected by: Network Segmentation Breach, Cascading Shutdown Propagation

Oldsmar Water Treatment, Feb 2021
111x lye increase via remote SCADA access
Attacker accessed water treatment plant SCADA via TeamViewer and increased sodium hydroxide from 100 ppm to 11,100 ppm. Operator noticed mouse moving independently and reversed the change within minutes. No process variable monitoring detected the 111x setpoint change. City of 15,000 residents at risk.

Detected by: Process Variable Deviation, Unauthorized Setpoint Change, Network Segmentation Breach

Stuxnet, Discovered June 2010
1,000 centrifuges destroyed via PLC logic manipulation
First known cyber weapon targeting industrial control systems. Modified PLC logic to alter uranium centrifuge speeds while replaying normal sensor data to operators. Crossed the air gap via USB drive. Destroyed approximately 1,000 centrifuges at Natanz, Iran. Demonstrated that an air gap is a policy, not a guarantee.

Detected by: Controller Firmware Tampering, Sensor Data Manipulation, Air-Gap Violation

Triton/TRISIS, Aug 2017
Safety system attack at petrochemical plant
Nation-state malware targeted Safety Instrumented Systems at a Saudi petrochemical facility. Designed to disable the SIS that protects against catastrophic failures like explosions. A bug in the malware triggered a plant shutdown, inadvertently preventing physical destruction. First malware specifically targeting safety controllers.

Detected by: Safety System Override, Controller Firmware Tampering, Network Segmentation Breach

Ukraine Power Grid, Dec 2015
230,000 customers without power for 6 hours
Attackers used BlackEnergy malware to access SCADA at three power distribution companies. Issued unauthorized commands via IEC 101/104 protocol to open circuit breakers. 230,000 customers lost power for up to 6 hours. First confirmed cyberattack to take down a power grid. Repeated in 2016 with Industroyer/CrashOverride.

Detected by: PLC Command Injection, Unauthorized Setpoint Change, Cascading Shutdown Propagation

NotPetya/Maersk, Jun 2017
$300M damages, 76 port terminals offline, 20% of global shipping
Malware destroyed 49,000 laptops and 4,000 servers across Maersk shipping operations. 76 port terminals went offline simultaneously. $300M+ in damages. 20% of global shipping capacity disrupted for weeks. Spread through supply chain compromise. Also devastated Norsk Hydro ($75M, Mar 2019) and JBS Foods ($11M ransom, Jun 2021).

Detected by: Cascading Shutdown Propagation, Network Segmentation Breach, Unscheduled Maintenance Window

Network security is solved. Behavioral governance is not.

ICS security vendors provide network monitoring, asset discovery, and threat detection. They watch the wire. Agentomy governs the controller. Process variable boundaries, setpoint authorization, firmware integrity, safety system bypass management, and emergency shutdown orchestration are behavioral governance problems that network monitoring does not solve. A packet inspector cannot tell you whether a setpoint change was authorized by the right operator during the right maintenance window. The $13.3B market is building better firewalls. No one is building the behavioral governance layer.

Four entry paths to governed industrial control systems

Connect any SCADA platform through the protocol that fits your infrastructure. Gate mode for pre-operation authorization. Observer mode for post-operation monitoring. Both modes produce the same audit trail. Go edge binary for air-gapped deployments.

OPC
OPC-UA / Modbus TCP
Native integration with standard industrial protocols. Governance decisions intercept process commands at the protocol level. Compatible with any PLC, RTU, or SCADA system.
SDK
TypeScript / Python / Go
First-class SDK adapters for control system infrastructure. Historian integration. Go edge binary for air-gapped deployments with zero external dependencies.
CLI
Command Line Interface
Governance operations from the terminal. Emergency halt, firmware verification, compliance evidence export, benchmark execution. Scriptable for automated workflows.
REST
REST API
Standard HTTP endpoints for any SCADA platform. Pre-operation authorization, post-incident reporting, emergency halt, audit trail queries. Platform-agnostic by design.

20 industrial IoT governance scenarios. Run it yourself.

Suite 10: Industrial IoT / SCADA Governance. 20 self-contained, idempotent scenarios across 4 coverage areas: process boundary enforcement (5), controller integrity monitoring (5), safety system governance (5), and network perimeter control (5). Every scenario runs against the live governance layer. No mocks. No stubs.

# Run the industrial IoT governance benchmark
$ npx agentomy-bench --suite industrial-iot

# Run a specific coverage area
$ npx agentomy-bench --suite industrial-iot --area process-boundary

# Export results for compliance evidence
$ npx agentomy-bench --suite industrial-iot --export json

What we are and what we are not

Three commands to governed industrial control systems

# Install the governance adapter
$ npm install @agentomy/governance

# Authorize a controller operation (pre-operation gate)
$ curl -X POST http://localhost:3000/api/claw/authorize \
    -H "Content-Type: application/json" \
    -H "X-API-Key: YOUR_API_KEY" \
    -d '{"agentId": "plc-001-reactor-temp", "action": "write", "scope": "scada_operation", "metadata": {"processVariable": "reactor_temperature", "setpoint": 175.0, "safeRange": {"min": 100, "max": 250}}}'

# Emergency halt -- all governed controllers
$ curl -X POST http://localhost:3000/api/claw/halt \
    -H "Content-Type: application/json" \
    -H "X-API-Key: YOUR_API_KEY" \
    -d '{"reason": "unauthorized setpoint change detected", "operatorId": "control-room-01"}'

Govern your controllers before attackers operate them.

NIS2 enforcement is active. TSA pipeline directives are mandatory. NERC CIP violations carry $1M/day penalties. The EU Cyber Resilience Act takes effect in 2027. 26 threat groups are actively targeting OT networks. The compliance gap is closing.
