Energy, Oil & Gas. Software supply chain assurance where ICS/OT meets IT.
Refineries, upstream and downstream oil and gas, grid utilities, and renewables operators sit on top of SCADA, historians, and OEM firmware supplied by a small set of vendors. NIS2, NERC CIP, and the CISA KEV clock turn every shared library into an audit obligation. Safeguard makes that obligation a live query against signed evidence — even inside an air-gapped SCIF segment.
Four forces closing in on the plant network.
Regulators, ransomware crews, and OT/IT convergence are collapsing into one continuous evidence requirement.
NIS2 + EU CER Directive
Energy operators are now in scope for continuous third-party software risk reporting. Annual paper audits no longer satisfy a regulator that expects live evidence across IT, OT, and the procurement perimeter.
US KEV-driven CISA mandates
CISA's Known Exploited Vulnerabilities catalogue now drives mandatory remediation windows for energy critical infrastructure. The clock starts the day a CVE is added — not when it reaches your scanner.
OT/IT convergence
Plant historians, MES, and grid SCADA now talk to corporate IT. A vulnerability in a Windows historian library can reach a turbine controller in three hops. The boundary is software, not air.
Vendor concentration on SCADA stacks
A small group of OEMs supplies the SCADA libraries underpinning grid, refinery, and pipeline operations. One shared transitive dependency, one maintainer takeover — and a continent is exposed.
Capability mapped to OT engineering reality.
IT-side SBOM + reachability for OT-adjacent code
Every build emits a CycloneDX SBOM with signed provenance. Reachability analysis distinguishes the OPC-UA library that actually reaches the control bus from the one that ships dormant in a container.
Air-gapped deployment for SCIF segments
The full stack runs inside an air-gapped enclave for the most sensitive grid and pipeline workloads. No internet egress, customer-controlled keys, delta-sync of vulnerability data via signed offline bundles.
Signed firmware provenance for OT controllers
OEM firmware images are ingested with attestation, hash-pinned, and tied to the SBOM that produced them. A field tech can verify a controller image against its signed bill of materials before flashing.
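As an added illustration of the hash-pinning described above (example code written for this page, not Safeguard's own implementation): a CycloneDX SBOM pins the SHA-256 of the firmware component, the SBOM itself carries a signature, and the pre-flash check passes only when both the signature and the image digest verify. The component name, the sample image bytes and the HMAC-based signature are constructed assumptions; a production scheme would verify an asymmetric signature against a pinned OEM public key.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the OEM signing key. HMAC keeps the example
# dependency-free; a real deployment would verify an asymmetric signature
# (for example a cosign/Sigstore signature) against a pinned OEM public key.
SIGNING_KEY = b"demo-oem-signing-key-not-for-production"

# Constructed firmware image; a real one is the controller binary.
FIRMWARE_IMAGE = b"PLC-7000 firmware v4.2.1\x00" + bytes(range(64))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX SBOM: the firmware image appears as a component whose
# "hashes" entry pins the SHA-256 the image must have.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "firmware",
            "name": "plc-7000-firmware",
            "version": "4.2.1",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(FIRMWARE_IMAGE)}],
        }
    ],
}


def canonical(sbom: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(sbom: dict, key: bytes) -> str:
    return hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()


def verify_sbom_signature(sbom: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_sbom(sbom, key), signature)


def pinned_sha256(sbom: dict, component_name: str) -> Optional[str]:
    # Return the SHA-256 pinned for the named component, if any.
    for comp in sbom.get("components", []):
        if comp.get("name") == component_name:
            for h in comp.get("hashes", []):
                if h.get("alg") == "SHA-256":
                    return h["content"].lower()
    return None


def verify_image(image: bytes, sbom: dict, signature: str, key: bytes,
                 component_name: str) -> Tuple[bool, str]:
    """Field check before flashing: the SBOM signature must verify AND the
    image digest must equal the SHA-256 pinned for the component. Returns
    (ok, reason); ok is True only when both conditions hold."""
    if not verify_sbom_signature(sbom, signature, key):
        return False, "sbom signature invalid"
    expected = pinned_sha256(sbom, component_name)
    if expected is None:
        return False, f"no SHA-256 pinned for {component_name}"
    if not hmac.compare_digest(sha256_hex(image), expected):
        return False, "image digest does not match pinned hash"
    return True, "image matches signed SBOM"


if __name__ == "__main__":
    sig = sign_sbom(SBOM, SIGNING_KEY)
    print(verify_image(FIRMWARE_IMAGE, SBOM, sig, SIGNING_KEY, "plc-7000-firmware"))
    # A single appended byte (constructed tamper) must fail the digest check.
    print(verify_image(FIRMWARE_IMAGE + b"\x90", SBOM, sig, SIGNING_KEY, "plc-7000-firmware"))
```

The order of checks matters: the signature is verified before any field of the SBOM is trusted, so a tampered SBOM that re-pins the hash of a modified image is rejected at the first step rather than "matching" its own forged digest.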
Vendor-concentration heatmap for SCADA suppliers
See your single-point-of-failure components across OEMs before procurement signs the next service contract. Concentration risk surfaces at the library and maintainer level, not the vendor brochure level.
Frameworks the platform is mapped to.
Pre-mapped control narratives and evidence in the formats your OT auditor and energy regulator already accept.
A typical deployment in a regulated energy operator.
DMZ-anchored control plane, one-way data diodes to OT, audit log streamed to the operator SIEM, and a vendor trust packet exposed to procurement and the regulator on a read-only basis.
DMZ-anchored control plane
Control plane sits in the corporate DMZ with one-way data diodes into the OT environment. No inbound paths into the plant network, no shared key material with cloud tenants.
OT-network audit log streaming
Signed events from OT-adjacent scanners stream into the operator's SIEM in JSON and CycloneDX. Retention, search, and chain-of-custody stay under the operator's control.
Air-gapped offline DB sync
Vulnerability, KEV, and EPSS data sync via signed offline bundles for SCIF and disconnected sites. Delta sync only — not the full pull every refresh.
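An added example, not the product's own code, of how a signed delta bundle might be applied to a local KEV catalog at a disconnected site: each bundle is signed over a canonical serialisation, carries a sequence number, and lists records to add and CVE ids to remove; a bundle with a bad signature or an out-of-order sequence number is rejected instead of merged. The bundle layout, the HMAC-based signature and the CVE identifiers are constructed assumptions; the record field names follow the CISA KEV JSON feed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed stand-in for the bundle publisher's key. HMAC keeps the example
# dependency-free; a real enclave would verify an asymmetric signature against
# a publisher public key pinned inside the air gap.
BUNDLE_KEY = b"demo-bundle-signing-key-not-for-production"


def canonical(obj) -> bytes:
    # Deterministic serialisation so publisher and site hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(bundle: dict, key: bytes) -> str:
    return hmac.new(key, canonical(bundle), hashlib.sha256).hexdigest()


def apply_delta(catalog: Dict[str, dict], seq: int, bundle: dict,
                signature: str, key: bytes) -> Tuple[Dict[str, dict], int, str]:
    """Apply one signed delta bundle to a local KEV catalog.

    catalog maps cveID -> KEV record; seq is the sequence number of the last
    bundle applied. Returns (new_catalog, new_seq, status). A bundle is merged
    only if its signature verifies and its seq is exactly seq + 1, so a
    replayed, reordered or skipped bundle is reported instead of silently
    leaving the site with a stale catalog.
    """
    if not hmac.compare_digest(sign_bundle(bundle, key), signature):
        return catalog, seq, "rejected: bad signature"
    if bundle.get("seq") != seq + 1:
        return catalog, seq, f"rejected: expected seq {seq + 1}, got {bundle.get('seq')}"
    updated = dict(catalog)
    for rec in bundle.get("add", []):
        updated[rec["cveID"]] = rec
    for cve in bundle.get("remove", []):
        updated.pop(cve, None)
    return updated, bundle["seq"], f"applied seq {bundle['seq']}"


# Constructed bundles (assumed layout). CVE identifiers are placeholders, not
# real catalogue entries; record fields follow the CISA KEV JSON feed names.
BUNDLE_1 = {
    "seq": 1,
    "add": [{"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31"}],
    "remove": [],
}
BUNDLE_2 = {
    "seq": 2,
    "add": [{"cveID": "CVE-0000-0002", "dateAdded": "2024-02-05", "dueDate": "2024-02-26"}],
    "remove": ["CVE-0000-0001"],
}


def sync_example() -> Tuple[Dict[str, dict], int, List[str]]:
    # Walk an empty site catalog through both bundles, then replay bundle 2.
    catalog: Dict[str, dict] = {}
    seq = 0
    log: List[str] = []
    for bundle in (BUNDLE_1, BUNDLE_2):
        catalog, seq, status = apply_delta(
            catalog, seq, bundle, sign_bundle(bundle, BUNDLE_KEY), BUNDLE_KEY)
        log.append(status)
    # Replaying an already-applied bundle must be refused.
    catalog, seq, status = apply_delta(
        catalog, seq, BUNDLE_2, sign_bundle(BUNDLE_2, BUNDLE_KEY), BUNDLE_KEY)
    log.append(status)
    return catalog, seq, log


if __name__ == "__main__":
    final_catalog, final_seq, events = sync_example()
    print(final_seq, sorted(final_catalog), *events, sep="\n")
```

The sequence counter is what makes "delta only" safe: without it an attacker who can reach the transfer medium could replay an old, correctly signed bundle and quietly roll the site's KEV view backwards.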
Vendor trust packet for procurement
Read-only attestation portal for OEMs and EPCs. SBOMs, VEX, signed provenance — exposed to procurement and the regulator on demand, no email attachments.
Four risk surfaces your CISO and plant manager already share.
Stuxnet-class targeted firmware compromise
Nation-state actors continue to invest in OEM-firmware-level intrusions of grid and pipeline controllers. Without signed firmware provenance tied to an SBOM, you cannot tell a benign update from a tampered one.
OEM vendor RTOS CVE
A CVE in an RTOS kernel shared across dozens of OT vendors lights up the entire fleet at once. Reachability and KEV prioritisation are the difference between a manageable patch window and a shutdown.
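To make the prioritisation point concrete, here is an added example (not Safeguard's scoring logic) that ranks findings across a fleet of controllers by KEV listing, reachability, KEV due date and EPSS, with an illustrative P0 to P3 tiering. The asset names, CVE identifiers, EPSS values, dates and the "today" used for the deadline arithmetic are constructed; the KEV record fields follow the CISA KEV JSON feed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    asset: str        # controller or host where the component was found
    component: str    # shared library or RTOS package carrying the CVE
    cve: str
    reachable: bool   # vulnerable code path reaches the control bus
    epss: float       # EPSS probability, 0..1


# Constructed "today" for the deadline arithmetic.
TODAY = date(2024, 3, 10)

# Constructed KEV catalog extract keyed by cveID. Field names follow the CISA
# KEV JSON feed; the identifiers and dates are placeholders.
KEV: Dict[str, dict] = {
    "CVE-0000-0101": {"cveID": "CVE-0000-0101", "dateAdded": "2024-03-04", "dueDate": "2024-03-25"},
    "CVE-0000-0102": {"cveID": "CVE-0000-0102", "dateAdded": "2024-02-20", "dueDate": "2024-03-12"},
}

# Constructed fleet findings: one RTOS CVE present on several controllers
# plus two non-KEV findings with high EPSS scores.
SAMPLE_FINDINGS = [
    Finding("rtu-12", "rtos-kernel", "CVE-0000-0101", reachable=True, epss=0.40),
    Finding("hist-01", "opcua-lib", "CVE-0000-0202", reachable=True, epss=0.90),
    Finding("rtu-07", "rtos-kernel", "CVE-0000-0101", reachable=False, epss=0.40),
    Finding("eng-ws", "logging-lib", "CVE-0000-0303", reachable=False, epss=0.97),
    Finding("rtu-03", "rtos-kernel", "CVE-0000-0102", reachable=True, epss=0.10),
]


def kev_due(cve: str) -> Optional[date]:
    # KEV due date for the CVE, or None when it is not catalogued.
    rec = KEV.get(cve)
    return date.fromisoformat(rec["dueDate"]) if rec else None


def priority_key(f: Finding, today: date):
    # Sort order: KEV-listed first, then reachable, then soonest KEV due date,
    # then highest EPSS. Non-KEV findings get a far-future sentinel deadline.
    due = kev_due(f.cve)
    days_left = (due - today).days if due else 10**6
    return (0 if due else 1, 0 if f.reachable else 1, days_left, -f.epss)


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    return sorted(findings, key=lambda f: priority_key(f, today))


def tier(f: Finding, today: date) -> str:
    # Illustrative tiering, not the product's scheme.
    due = kev_due(f.cve)
    if due and f.reachable:
        return f"P0: KEV-listed and reachable, {(due - today).days} days to due date {due}"
    if due:
        return "P1: KEV-listed, not reachable"
    if f.reachable:
        return "P2: reachable, not in KEV"
    return "P3: dormant, not in KEV"


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS, TODAY):
        print(f"{f.asset:8} {f.cve}  {tier(f, TODAY)}")
```

Note what the ordering does with the two highest-EPSS findings: neither is KEV-listed, so both rank below every KEV entry, and the dormant one ranks last regardless of its score. That is the "manageable patch window" argument in code: the fleet-wide RTOS CVE collapses to the handful of controllers where it is both mandated and reachable.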
Ransomware on plant scheduling systems
Ransomware that lands in MES or plant scheduling propagates to operational decisions even when it never touches a PLC. The blast radius is production, not just IT.
Sanctions-related vendor exposure
Export controls and sanctions regimes now reach into the dependency tree. A transitive package from a sanctioned origin can put a refinery's licence at risk before anyone reads the manifest.
What is actually hitting energy operators this year.
- SCADA library KEV CVEs reaching production OT: KEV-listed CVEs in shared SCADA and historian libraries are increasingly seen exploited in the wild within days of disclosure. We address this through Eagle reachability + KEV prioritisation.
- Ransomware on refinery scheduling: Operational scheduling, MES, and plant historian systems are the new ransomware target — production stops even when no PLC is touched. We address this through Signed SBOM + reachable-CVE prioritisation.
- GPS spoofing through navigation libs: Vulnerable GNSS and time-sync libraries embedded in OT controllers can be coerced via spoofing — a software supply chain failure, not a radio failure. We address this through SCA on OT-adjacent libraries.
- OEM firmware backdoors: Compromised firmware images shipped from OEM update servers reach controllers without signed provenance to flag the deviation. We address this through TPRM with vendor attestation.
- Sanctioned-vendor SBOM exposure: A transitive dependency from a sanctioned origin can put export-controlled energy operations at compliance risk before anyone reads the manifest. We address this through Comply with global regulations.
Quantified benefits for energy operators.
Numbers from production deployments inside regulated energy environments. Same OEMs, same plant network, dramatically less spreadsheet.
| Metric | Before Safeguard | With Safeguard |
|---|---|---|
| NERC CIP audit prep | 6 weeks | 1 day |
| OT-vendor SBOM scrutiny | Quarterly | Continuous |
| Air-gapped offline DB sync | Full pull | Delta only |
| Alert noise | ~80% | ~5% |
| Tool consolidation | 7 vendors | 1 |
| Ransomware-readiness drills | Annual | Monthly |
| Sanctions screening | Reactive | Continuous |
Evidence at the speed of an OT incident.
Talk to the team about NIS2 evidence pipelines, NERC CIP mappings, and an air-gapped deployment shape that lives inside your plant perimeter.