Dam operators, hydro generators, and water-resource authorities run on SCADA, gate-control PLCs, and AI release-optimisers from a small handful of OEMs. FERC, the Central Dam Safety Authority, NERC CIP, and IEC 62443 turn every embedded dependency into a public-safety evidence obligation. Safeguard delivers that evidence live, inside the dam DMZ, without an egress path.
Cyber-physical safety, federal regulation, AI optimisation, and climate-driven loading collapse into one continuous evidence requirement.
An attacker who reaches spillway gate logic or intake-control PLCs can trigger downstream flooding or supply disruption. A CVE in a dam SCADA dependency is a public-safety event, not a backlog item — reachability decides the blast radius.
FERC dam safety guidance in the US and the Central Dam Safety Authority in India both expect continuous cyber-physical evidence. Annual paperwork has been replaced by live, queryable attestation across the SCADA fleet.
Hydro operators increasingly rely on ML models for release timing, generation scheduling, and downstream loading forecasts. Without provenance, prompt audit, and capability scoping, an adversarial input can shape the release curve.
Reservoir loading, sediment, and overtopping risk are shifting faster than regulator return-period tables. Models, telemetry pipelines, and SCADA all need supply-chain integrity to keep up with operating-envelope changes.
Every gate-control, intake, and powerhouse PLC firmware image ships with a CycloneDX SBOM and signed provenance pinned to the build SHA. FERC and CDSA evidence becomes a query against the trust packet, not a multi-week site visit.
Release-curve and generation-scheduling models carry AI-BOM, training-data lineage, and capability scoping. Every inference is attested against a pinned model SHA, so a tampered optimiser cannot quietly shape the release.
Dam DMZ and OT enclaves run the platform offline, with customer-controlled keys and no upstream telemetry. Vulnerability intelligence flows in via approved one-way conduits, delta-only and signed.
Dam SCADA is built on a small handful of OEM stacks. Concentration risk surfaces at the component level — so when one OEM's transitive dependency ships a CVE, every affected reservoir lights up at once.
Pre-mapped control narratives and evidence in the formats your state water board and federal regulator already accept.
Dam-DMZ sovereign control plane, OT-segment-aware audit log, AI release-model attestation, and a regulator trust packet ready for state water boards.
Control plane and inference cluster live inside the dam DMZ. No cross-tenant traffic, no shared key material, no upstream telemetry from the OT segment.
Every action emits a signed event scoped to its OT cell. Logs export to the operator's existing SIEM in JSON and CycloneDX, with cell-by-cell retention boundaries.
Release-curve and scheduling models carry SHA-pinned weights, AI-BOM, and training-data lineage. Every inference is attested, so an optimiser cannot quietly shape the curve.
State boards, FERC, and the Central Dam Safety Authority get a signed bundle of SBOMs, VEX statements, and attestation history — read-only, on demand.
Spillway gate logic and intake-control PLCs are kinetic assets. A reachable CVE or maintainer takeover in the SCADA stack becomes a downstream-flooding scenario the moment it ships.
ML-driven release scheduling ingests upstream telemetry an attacker can shape. Without provenance, capability scoping, and guardrails, the optimiser becomes the attack surface.
A small handful of OEMs underpins most of the dam-control fleet. A sub-tier compromise pushes tampered firmware to every reservoir running that stack before anyone notices.
Reservoir-management, emergency action plan (EAP), and incident-reporting platforms run on commodity stacks with commodity dependencies. Ransomware on those systems blinds the operator at exactly the wrong moment.
Numbers from regulated dam deployments. Same OEMs, same regulators, far fewer site-visit fire drills.
| Metric | Before Safeguard | With Safeguard |
|---|---|---|
| FERC / CDSA audit prep | 8 weeks | 1 day |
| OT-firmware patch cycle | 45 days | 7 days |
| AI release-model attestation prep | 3 weeks | 1 hour |
| Tool consolidation | 8 vendors | 1 vendor |
| Air-gapped sync payload | Full | Delta |
| False-positive triage burden | ~80% | ~5% |
| Cyber-physical incident response SLA | Reactive | 15-min initial notification |
Talk to the team about FERC and CDSA evidence pipelines, NERC CIP mappings, and an in-DMZ deployment for the spillway control room.