Critical Infrastructure · KRITIS

SCADA that adversaries cannot command-inject.

Project Hierophant provides power grids, water systems, and energy networks with zero-knowledge command verification — every control instruction carries cryptographic proof of origin before any actuator responds.

Review the Architecture Request Briefing
OT CONTROL NETWORK · ZK VERIFICATION · ACTIVE NODES 04/04 VERIFIED · CMD INJECT: BLOCKED
000+090 +180+270+360 ZK CORE AUTH LAYER OT PERIMETER POWER GRID VERIFIED WATER SYSTEMS VERIFIED ENERGY NETWORK VERIFIED CMD INJECT · BLOCKED OT COMMAND AUDIT LOG UNVERIFIED CMDS : 0 INTERNET HOPS : 0 IT/OT CROSSINGS : NIL
Our Position

Critical infrastructure is not secured by isolation. It is secured by verification.

Every major attack on industrial control systems has exploited the same structural gap: SCADA architectures that authenticate operators but not commands. An attacker who reaches the IT layer and crosses into OT can issue commands that the system executes because it cannot distinguish legitimate from adversarial instructions. Firewalls and air gaps provide perimeter security — they do not verify the provenance of commands that pass through. Hierophant introduces zero-knowledge command verification at the protocol layer: every control instruction carries cryptographic proof of authorized origin, and no actuator responds to a command without that proof. The command cannot be forged, replayed, or injected.

The Threat Model

Five threats every industrial control system faces.

These five vulnerabilities appear in every major critical infrastructure attack on record — from Stuxnet to Colonial Pipeline to Industroyer. They are not edge cases. They are the attack surface.

01

SCADA Command Injection

ICS · Command Forgery · Replay Attack

SCADA and industrial control systems authenticate users, not commands. An attacker who reaches the control network — through IT/OT bridging, a compromised engineering workstation, or a supply chain implant — can issue commands that the system executes without additional verification. The command looks identical to a legitimate operator instruction. The system responds. The consequence is physical: valves open, breakers trip, turbines overspeed.

02

IT/OT Lateral Movement

Network Pivot · IT-to-OT Bridge · Persistent Access

Modern industrial environments bridge IT and OT networks for monitoring, remote maintenance, and efficiency. Every IT/OT connection is a potential pivot path from enterprise email phishing to operational technology control. Attackers routinely establish persistent access in IT environments and wait — sometimes months — for the right moment to cross into OT. The Colonial Pipeline attack established IT access well before the operational decision was made to shut down the pipeline.

03

Supply Chain Attack on Industrial Hardware

PLC Firmware · Foreign Silicon · Implants

Industrial controllers, RTUs, and communication hardware sourced from global supply chains may contain firmware implants or silicon-level backdoors that cannot be detected by operational security testing. A compromised PLC does not need to be hacked over the network — its implant activates on a trigger. Stuxnet demonstrated that industrial hardware implants could cause catastrophic physical damage before detection. The threat has evolved significantly in the decade since.

04

Quantum Harvest of ICS Traffic

HNDL · Quantum · Operational Intelligence

Industrial control system communications — operational parameters, command sequences, topology data — are being archived for retroactive quantum decryption. This intelligence has strategic value: infrastructure topology, operational procedures, and system parameters provide a map for future physical attacks. The current encryption on ICS communications provides no protection against a quantum-capable adversary operating on a 5–10 year timeline.

05

Regulatory Compliance Gap Under NIS2 & KRITIS

NIS2 · KRITIS · Regulatory Compliance Risk

Regulators worldwide — EU NIS2, German KRITIS, and equivalent frameworks across critical infrastructure sectors — are mandating a transition to post-quantum cryptography and verifiable command integrity. Operators who have not yet made that transition face both rising regulatory exposure and an architecture that is structurally unprepared for the current threat model. Compliance timelines are compressing; the technical gap is widening.

The Capability Stack

Eight layers. One verified command.

Hierophant for critical infrastructure applies the sovereign communications stack to the industrial control environment — ZK command provenance, non-IP OT isolation, and sovereign hardware for KRITIS and NIS2-regulated operators.

01

ZK SCADA Command Protocol

Every control command carries a zero-knowledge proof of authorized origin. The actuator verifies cryptographic provenance before responding — not user authentication, but command authentication. A command without valid proof is rejected at the protocol layer, regardless of where it originates in the network.

ZK Command Proof · No Forged Cmds · Anti-Replay
02

Post-Quantum ICS Encryption

NIST post-quantum cryptography for all control traffic. Protects operational parameters, topology data, and command sequences against retroactive quantum decryption. Infrastructure operational data has 20–30 year strategic sensitivity — post-quantum protection is a present requirement, not a future upgrade.

NIST PQC · Forward Secrecy
03

IT/OT Isolation Layer

Hierophant creates a cryptographically enforced IT/OT boundary. IT systems and OT control networks communicate through a zero-knowledge relay that passes only verified, authenticated command structures. No lateral movement path from IT to OT exists — the boundary is not a firewall rule, it is a protocol requirement.

IT/OT Boundary · No Pivot · ZK Relay
04

Hardware PLC Integration

Hierophant protocol runs on bare-metal MCUs that integrate with existing PLC and RTU infrastructure. The ZK command verification layer does not require replacing existing industrial control hardware — it can be introduced as a verification gateway in front of existing PLCs, adding command authentication without disrupting operational continuity.

MCU SDK · PLC Integration · Non-Disruptive
05

Non-IP Private Networks

OT control networks that operate without internet protocols are invisible to IP-layer attack tools. A control network with no IP addresses cannot be scanned, fingerprinted, or targeted by internet-routed exploit delivery. Non-IP OT isolation removes the entire class of internet-accessible attack vectors from industrial control infrastructure.

No TCP/IP · No IP Scan Surface · Non-IP OT
06

Anonymous Firmware for ICS

Firmware updates for industrial hardware distributed without the update server knowing which PLCs, RTUs, or controllers connect, their versions, or locations. Fleet enumeration via firmware update traffic — a common pre-attack reconnaissance technique — yields no information about the industrial control infrastructure.

Anonymous OTA · No ICS Fleet Metadata
07

Tamper-Evident OT Hardware

Austrian-manufactured, OS-free hardware for the ZK command verification gateway. No operating system — no operating system vulnerability class. Tamper-evident enclosure detects physical access attempts. EU supply chain audit trail. Hardware that secures critical infrastructure is manufactured under national oversight.

OS-Free · EU Hardware · Tamper-Evident
08

NIS2 / KRITIS Audit Trail

Immutable, cryptographically verified audit log of all command events — who issued which command, when, with what verification result — meeting NIS2 Article 21 requirements and KRITIS technical security obligations. The audit trail is tamper-evident: any modification to the log is detectable. Compliance evidence is a byproduct of the security architecture.

NIS2 · KRITIS · Audit Trail
In Deployment

When a rogue command reaches the actuator.

Three scenarios where unverified commands reached industrial actuators and Hierophant ZK command verification would have prevented physical consequences.

Power Grid ZK Command Verification

An attacker pivots from IT to OT and issues circuit breaker commands targeting a regional substation.

The attacker's command arrives at the substation PLC without a valid ZK proof of authorized origin. The Hierophant verification gateway rejects it at the protocol layer — the breaker command never reaches the actuator. The KRITIS audit log records the rejection with full cryptographic evidence. The operator is alerted. The grid remains stable.

Power GridZK VerificationCommand Rejected
Water Treatment Facility Isolation

A compromised operator workstation attempts to alter chemical dosing parameters.

The compromised workstation cannot generate a valid ZK command proof — the signing key is held in a hardware messenger, not the workstation. The altered dosing command is rejected without reaching the chemical feed controller. The treatment process continues at verified parameters. No physical consequence occurs.

Water UtilityHardware KeyProcess Protected
Energy Network Quantum-Safe Update

A national energy operator requires NIS2-compliant post-quantum firmware updates across 200 RTUs.

Anonymous OTA distributes firmware without the update server knowing which RTUs connect, their current versions, or their geographic distribution. Adversary monitoring of update traffic cannot enumerate the energy network asset count, version status, or locations. The update completes unobserved; the adversary sees nothing.

Energy NetworkNIS2 CompliantAnonymous OTA
By the Numbers

Command integrity.

Four properties of the Hierophant critical infrastructure stack that hold under active adversary presence in the IT network.

Zero
Unverified Commands Executed
ZK Proof Required · Anti-Forgery
Zero
IT/OT Lateral Paths
ZK Relay · Protocol Boundary
PQ
All Control Traffic Encrypted
NIST PQC Standard
NIS2
Compliance-Ready Audit Trail
NIS2 · KRITIS · Regulatory Ready
Continue

Adjacent capabilities.

Critical infrastructure operations intersect with these three mission-critical communication and control surfaces.

National Infrastructure

Sovereign Networks

National non-IP mesh backbone that carries critical infrastructure control traffic without internet routing — the sovereign network layer beneath KRITIS operators.
Mission Capability

Space & Maritime

One sovereign protocol for vessels, yachts, and orbital links — communication that works on land, at sea, and in space, without carriers who read your content or metadata.
IoT & Edge

Quantum-Safe Embedded

MCU-native post-quantum cryptography for the sensors, edge devices, and microcontrollers that form the lowest layer of critical infrastructure control systems.
Recognition

Trusted by those who cannot afford to be wrong.

Independent validation from the defence and security community — not awards for growth metrics, but recognition for solving a hard problem correctly.

Austrian Armed Forces · 2026
ADIC 2026 — Austrian Defence Innovation Conference
Project Hierophant presented at the Austrian Defence Innovation Conference 2026, the primary forum for defence technology assessment by the Austrian Armed Forces (Bundesheer) and allied ministries.
Austrian Armed Forces · bundesheer.at ↗
Press · Defence Media
Militär Aktuell — GetTrusted Cybersecurity Coverage
Militär Aktuell, Austria's leading defence and security publication, covered Project Hierophant's post-quantum sovereign communications approach and its relevance to national security architecture.
Read Coverage · militaeraktuell.at ↗
Hardware · hierophant.at
Austrian-Manufactured Secure Hardware
Purpose-built OS-free hardware manufactured in Austria under EU supply chain oversight. No operating system means no operating system vulnerability class. Hardened enclosures with physical access protection. National supply chain audit trail.
Hardware Catalog · hierophant.at ↗
GetTrusted Escrow GmbH · Vienna, Austria

Infrastructure that verifies every command.

Request a Briefing Hardware Catalog