Physical isolation for transmission, distribution and substation control
Electricity networks now stretch from corporate trading systems down to IEC 61850 protection inside the substation. When those paths converge, a single compromise can move from an office to a breaker. Firevault Control puts a real boundary at every step.
Energy
When EMS, SCADA and substation networks are reachable from corporate or vendor estates, every software vulnerability becomes a candidate for a switching incident.
100%: Substation path isolation from corporate IT
Zero: Persistent OEM access into protection systems
6: Control modules deployed per electricity zone
Full: Evidence for NIS2, NERC CIP and Ofgem
Electricity control networks are converging faster than they can be defended.
IT, OT and market convergence
Trading, settlement and ENCC interfaces sit close to the same control rooms that operate the grid. Attackers traverse those interfaces to reach EMS and SCADA.
Legacy protection alongside IEC 61850
Substations carry a mix of legacy RTUs and modern IEC 61850 IEDs. They cannot all be patched on the same cycle without risking operational disruption.
Distributed energy resources
Inverter-based resources and DER orchestration multiply the number of remotely reachable controllers across the distribution grid.
Scenario: Substation vendor remote access compromise
Attackers compromise a protection vendor laptop with persistent VPN access into a transmission substation engineering network. From there they pivot through a shared jump server into the control room SCADA. Operators lose visibility across two grid supply points for several hours. Restoration is delayed because protection setting backups are stored on the same domain that was compromised. With Firevault Control, vendor access opens only on a scheduled, authorised window. The substation fabric is physically separate from the control room fabric. Verified baselines for protection settings are held on infrastructure with no live network path to production and require multi-party authorisation to release. The pivot path does not exist.
"We assumed our substations were isolated. They were, until a vendor laptop was trusted on both sides at the same time."
Where each Control module is deployed across generation, transmission and distribution.
Electricity operators run a Purdue stack from the corporate estate down to substation protection. Control puts a real boundary between the office, the operations centre and the substations so a problem in one place does not become a blackout in another.
Grounded in NIST SP 800-82 Rev. 3, IEC 62443-3-2, IEC 61850, NERC CIP-005 and NCSC CAF.
Cloud / Internet (External): Settlement, ENCC and market data. Market and cloud traffic terminates at the perimeter.
Enterprise (IT): Office, trading and corporate identity. The office estate cannot reach the industrial DMZ on its own.
Industrial DMZ (trust boundary): Brokered exchange, with no straight-through paths into operations. ICCP and engineering traffic crosses on scheduled, approved routes.
Control centre systems (OT): Energy management, distribution management and DER orchestration. Control centre and SCADA on separate fabrics.
Supervisory control (OT): Control room view of the grid. Switching and protection changes need approval before they reach the substation.
Substation control (Field): Bay control and protection inside the substation. Bay devices tie to named protection engineers.
Primary plant (Field, crown jewels): Off-network.
Detail callout A, Offline Secure Storage: Protection settings, substation configurations, EMS baselines and the recovery sets you need to restart the grid from a known-good state. Offline by design, secure by default.
Modules & symbols
Where each module is deployed, and what it does there.
One row per module. Placement on the network, then plain-English purpose at that point.
Isolate, at every Purdue boundary: Office, ICCP, control centre and substation fabrics are physically separate. A compromise on the corporate side cannot reach protection.
Firebreak, on the L5 to L4 link and the L4 to L3.5 link: A real off switch on the public and office boundaries when an incident is in flight.
Validate, on the L5 to L4 link and inside the L3.5 DMZ: ICCP and engineering traffic is checked for origin, integrity and authority before it reaches operations.
Relay, inside the L3.5 DMZ: Cross-domain data moves on scheduled routes. Nothing streams unattended into the control centre.
Execute, inside the L3.5 DMZ and on the L2 to L1 link: Firmware, settings and switching actions hold until the right authority signs them off.
Lock, on the L3 to L2 link and the L1 to L0 link: The closer you get to primary plant, the tighter the named access. Standing access into substations is the exception.
Key Capabilities
Sovereign grid data
Grid control and protection data remains within the agreed jurisdiction in carefully selected Firevault Bunkers.
Multi-party control
Critical switching and protection changes require sign-off from both control room and security teams.
Regulatory evidence
Continuous compliance evidence for NIS2, NERC CIP and Ofgem cyber expectations.
Out-of-band management
Cellular and dedicated paths keep the control plane reachable when primary networks are compromised.
Tamper-proof logging
Every access, configuration change and switching command lands in immutable logs on physically separate infrastructure.
Verified configuration baselines
Verified baselines of EMS, IED and SCADA configuration enable a known-good restore of control-plane state.
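The scenario above says vendor access opens only on a scheduled, authorised window, and the multi-party control capability says critical changes need sign-off from both the control room and the security team. The following is an added example (not Firevault code) of how those two rules can be expressed as one policy check that an access broker or change gate could run. The team labels, the four-hour maximum window, the vendor and target names and the sample approvals are all assumptions constructed for the example.

```python
"""Scheduled-window plus multi-party authorisation check.

Added example, not Firevault code. It evaluates a vendor access or switching
request against two rules: a scheduled window must cover the request instant,
and both required teams must have signed, by different people. Team names,
the maximum window length and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REQUIRED_TEAMS = frozenset({"control-room", "security"})  # assumed team labels
MAX_WINDOW = timedelta(hours=4)  # assumed bound; anything longer is treated as standing access


@dataclass(frozen=True)
class Window:
    """An approved maintenance window for one vendor against one target."""
    vendor: str
    target: str
    start: datetime
    end: datetime  # exclusive


@dataclass(frozen=True)
class Approval:
    team: str
    approver: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(vendor, target, at, windows, approvals):
    """Return a Decision; every failed condition is listed so operators see why."""
    reasons = []

    # 1. Time: a window for this vendor and target must cover the request instant,
    #    and it must be short enough not to amount to standing access.
    covering = [w for w in windows
                if w.vendor == vendor and w.target == target and w.start <= at < w.end]
    if not covering:
        reasons.append("no scheduled window covers this request")
    elif all(w.end - w.start > MAX_WINDOW for w in covering):
        reasons.append("window longer than %s; standing access is not granted" % MAX_WINDOW)

    # 2. Authority: each required team must have signed, and by different people.
    by_team = {}
    for a in approvals:
        by_team.setdefault(a.team, set()).add(a.approver)
    missing = sorted(REQUIRED_TEAMS - set(by_team))
    if missing:
        reasons.append("missing approval from: " + ", ".join(missing))
    signers = {a.approver for a in approvals if a.team in REQUIRED_TEAMS}
    if not missing and len(signers) < len(REQUIRED_TEAMS):
        reasons.append("one person cannot sign for more than one team")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data: a two-hour window for a protection vendor on one substation.
T0 = datetime(2024, 5, 1, 9, 0)
INSIDE = T0 + timedelta(minutes=30)   # instant inside the window
AFTER = T0 + timedelta(hours=3)       # instant after the window has closed
WINDOWS = [Window("relay-oem", "substation-A-eng", T0, T0 + timedelta(hours=2))]
LONG_WINDOWS = [Window("relay-oem", "substation-A-eng", T0, T0 + timedelta(days=1))]
GOOD_APPROVALS = [Approval("control-room", "alice"), Approval("security", "bob")]

if __name__ == "__main__":
    cases = [
        (INSIDE, WINDOWS, GOOD_APPROVALS),                                   # allow
        (AFTER, WINDOWS, GOOD_APPROVALS),                                    # deny: no window
        (INSIDE, WINDOWS, [Approval("control-room", "alice")]),              # deny: security missing
        (INSIDE, WINDOWS, [Approval("control-room", "alice"),
                           Approval("security", "alice")]),                  # deny: one signer
        (INSIDE, LONG_WINDOWS, GOOD_APPROVALS),                              # deny: standing access
    ]
    for at, windows, approvals in cases:
        d = evaluate("relay-oem", "substation-A-eng", at, windows, approvals)
        print(at.time(), "ALLOW" if d.allowed else "DENY", d.reasons)
```

The check deliberately reports every failed condition rather than stopping at the first, so a denied request tells the operator whether the schedule, the approvals, or both need fixing. The separate-signers rule matters: two approvals from one account satisfy a naive "two approvals" count but not the page's "both control room and security teams" requirement.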
Demo to Live
Adoption Guide
Network assessment
Map every path between corporate IT, ICCP, EMS, SCADA and substation networks to identify convergence and persistent vendor connections.
Zone architecture design
Design physically separated zones aligned to your control rooms and substation estate, with Control modules at each boundary.
Non-production pilot
Deploy in a test environment mirroring an EMS and substation pair with full zone separation, multi-party authorisation and compliance logging.
Operational deployment
Full deployment across the grid estate with verified configuration baselines, continuous compliance evidence and 24/7 out-of-band management.
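The network assessment step says to map every path between corporate IT, ICCP, EMS, SCADA and substation networks and to flag convergence and persistent vendor connections. The scenario earlier on the page is what such a map should surface: a vendor laptop trusted on both sides joins the corporate estate to the substation engineering network without touching the DMZ. The following is an added example (not Firevault code) of that analysis over a small constructed inventory; the asset names, zone labels and the persistent flag are assumptions, and the graph search is a generic one rather than any tool the page describes.

```python
"""Zone-path analysis over a network inventory.

Added example, not Firevault code. Given assets tagged with a zone and the
links between them, it lists every path from one zone to another that never
passes through the industrial DMZ, the assets whose removal would close all
of those paths, and every persistent link that crosses a zone boundary.
Asset names, zones and links below are constructed for the example.
"""
from collections import defaultdict

# Constructed inventory: asset -> zone.
ZONES = {
    "trader-pc": "corporate",
    "ad-domain": "corporate",
    "vendor-laptop": "vendor",      # the protection vendor's own machine
    "dmz-relay": "dmz",             # the only sanctioned crossing point
    "ems-server": "control-centre",
    "scada-hmi": "scada",
    "jump-server": "scada",         # shared jump host used from substation engineering
    "sub-eng-ws": "substation",
    "bay-ied": "substation",
}

# Constructed links: (asset_a, asset_b, persistent). Persistent means the
# connection is up whether or not anyone has scheduled work on it.
LINKS = [
    ("trader-pc", "ad-domain", True),
    ("ad-domain", "dmz-relay", False),
    ("dmz-relay", "ems-server", False),
    ("ems-server", "scada-hmi", True),
    ("scada-hmi", "jump-server", True),
    ("jump-server", "sub-eng-ws", True),    # jump server straddles scada and substation
    ("vendor-laptop", "sub-eng-ws", True),  # persistent vendor VPN
    ("vendor-laptop", "ad-domain", True),   # same laptop also joined to the corporate domain
    ("sub-eng-ws", "bay-ied", False),
]

# The same inventory with the laptop no longer trusted on the corporate side.
REMEDIATED_LINKS = [l for l in LINKS if (l[0], l[1]) != ("vendor-laptop", "ad-domain")]


def build_graph(links):
    """Undirected adjacency: for pivoting, the direction of the original link rarely matters."""
    graph = defaultdict(set)
    for a, b, _ in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def bypass_paths(links, zones, src_zone, dst_zone, broker_zone="dmz"):
    """Simple paths from any src_zone asset to the first dst_zone asset reached,
    excluding paths that pass through broker_zone. A non-empty result is a finding."""
    graph = build_graph(links)
    found = []
    for start in (n for n, z in zones.items() if z == src_zone):
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            if zones[node] == dst_zone:
                found.append(path)
                continue
            for nxt in sorted(graph[node]):
                if nxt in path or zones.get(nxt) == broker_zone:
                    continue
                stack.append((nxt, path + [nxt]))
    return found


def choke_points(paths, zones, src_zone, dst_zone):
    """Assets outside both end zones that lie on every bypass path: breaking any
    one of their cross-zone trusts closes all the paths at once."""
    if not paths:
        return set()
    common = set.intersection(*(set(p) for p in paths))
    return {n for n in common if zones[n] not in (src_zone, dst_zone)}


def standing_cross_zone_links(links, zones):
    """Persistent links whose endpoints sit in different zones: candidates for
    conversion to scheduled, approved routes."""
    return [(a, b) for a, b, persistent in links
            if persistent and zones[a] != zones[b]]


if __name__ == "__main__":
    paths = bypass_paths(LINKS, ZONES, "corporate", "substation")
    for p in paths:
        print("corporate -> substation without DMZ:", " -> ".join(p))
    print("choke points:", choke_points(paths, ZONES, "corporate", "substation"))
    print("vendor -> scada:", bypass_paths(LINKS, ZONES, "vendor", "scada"))
    print("after remediation:", bypass_paths(REMEDIATED_LINKS, ZONES, "corporate", "substation"))
    print("standing cross-zone links:", standing_cross_zone_links(LINKS, ZONES))
```

On the constructed inventory the only choke point is the vendor laptop, which is the page's point: the substation fabric was separate until one device was trusted on both sides. The standing-link list is the input to the "persistent vendor connections" part of the assessment, since each entry is a candidate for replacement by a scheduled, approved route.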
Explore More
Control for Utilities
The parent view across power, water and gas networks.
Control for Critical Infrastructure
National-grade security for essential services.
IT/OT Convergence Threat
Physically separate IT from operational technology.
Control for Renewables
Wind, solar and battery sites with heavy OEM remote access.
Frequently Asked Questions
Speak to the team to organise a PoC
Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.