IT/OT Bridge Governance Hardware Platform

BLADE-INFRA-OT Governance Node

BLADE-INFRA-OT is the operational-technology companion to BLADE-INFRA, a focused IT/OT bridge variant that reuses approximately 70% of the parent platform.

A fail-closed, bump-in-the-wire AUTHREX inspection appliance installed at the IT/OT segmentation boundary. Every cross-boundary command is parsed, scored, and adjudicated through the AUTHREX authority pipeline before it is allowed to reach operational-technology assets, and is then propagated, held for human deliberation, or isolated.

Reference Design (TRL 2-3 hardware / 3-4 simulation) · Ninth BLADE Platform · DOI 10.5281/zenodo.20342067

BLADE-INFRA-OT governs the most failure-prone interface in critical-infrastructure security: the seam where corporate IT meets operational-technology control.

BLADE-INFRA-OT reference appliance: a 1U fanless rackmount enclosure with POWER, AUTHREX-ARMED, and ALARM status LEDs, an RS-232 serial port, and segregated IT-IN and OT-OUT Ethernet interfaces
BLADE-INFRA-OT reference appliance (1U fanless form factor). Research reference design rendering; not a certified or field-deployed product.

Why This Platform Exists

The IT/OT bridge is the most failure-prone interface in critical-infrastructure cybersecurity. BLADE-INFRA-OT is a focused variant of BLADE-INFRA that addresses this interface explicitly with the AUTHREX governance pipeline. Operational-technology environments, including water utilities, electric substations, gas pipelines, and building-management systems, have historically been protected by network segmentation alone.

The Purdue Reference Model assumed adversaries could not cross from the corporate IT zone into the control and field zones. That assumption has eroded. Rather than rely on segmentation as a static boundary, BLADE-INFRA-OT treats the boundary as an active adjudication point: it reads, classifies, governance-checks, and then forwards or quarantines every cross-boundary message.

Research status: Design-specified and simulation-validated (TRL 2-4). Not operationally deployed. All evaluation uses synthetic data. Standards alignment is self-assessed and is not an official compliance, certification, or endorsement determination.

Federal and Industry Anchors

BLADE-INFRA-OT is framed against current operational-technology security guidance. It is positioned as a reference implementation of the December 2025 CISA / Five Eyes joint principles for governing AI-influenced operational technology, and its audit-ledger output is structured to support utility-sector reporting obligations.

NIST 800-82: OT Security
IEC 62443: Zones & Conduits
NERC CIP: Bulk Electric System
NIST AI RMF: AI Risk

What OT Segmentation Does Not Provide

Conventional IT/OT defense relies on static segmentation: firewalls, data diodes, and zone boundaries that assume an adversary cannot cross from the corporate network into the control network. Segmentation is binary and context-free. It does not reason about who issued a command, whether the command pattern is consistent with normal operations, whether the operator holds sufficient authority for the current plant state, or whether an AI-generated script is attempting to drive a physical actuator. Once traffic is permitted through a conduit, nothing adjudicates the individual command.

BLADE-INFRA-OT closes that gap. It treats each cross-boundary command as a governed event, adjudicated against provenance, message pattern, operator authority tier, and the active operational regime before it is allowed to reach a field device.

Extending AUTHREX to the IT/OT Bridge

BLADE-INFRA-OT is the ninth instantiation of the AUTHREX authority-governance framework and the operational-technology companion to BLADE-INFRA. It reuses approximately 70% of the parent platform and applies the seven governance architectures in IT/OT-specific roles: SATA for boundary provenance, IFF for OT-target authentication, HMAA for operator authority-tier enforcement, ADARA for AI-script deception detection, MAIVA for inspection-node consensus, FLAME for bounded deliberation on high-stakes writes, and CARA for deterministic isolation on detected compromise, with ERAM providing risk-based gating across the pipeline.

Parse, Score, Adjudicate

BLADE-INFRA-OT is a bump-in-the-wire appliance at the IT/OT segmentation boundary. All cross-boundary traffic is read, classified, governance-checked, and then forwarded or quarantined. Each command is resolved to one of three actions.

PROPAGATE: Authorized under the regime; forwarded to OT
HOLD: Ambiguous or elevated; held for operator clearance
ISOLATE: Unauthorized or malformed; blocked, source isolated

OT authority regimes: 4

Four OT authority regimes (NOMINAL, ELEVATED, LOCKDOWN, SAFE-HALT) change how strictly commands are adjudicated. Malformed input fails closed by default. Every decision is written to a seed-deterministic, SHA-256 hash-chained, tamper-evident audit ledger.

Eight-Stage AUTHREX Pipeline, Applied Per Message

Every cross-boundary message is evaluated through eight AUTHREX stages before an adjudication is issued.

STAGE 1 · SATA · Provenance: Verifies provenance and identity of the originating IT system
STAGE 2 · ADARA · Script Pattern: Detects AI-generated or anomalous command-script patterns
STAGE 3 · IFF · Target Auth: Authenticates the OT-side target of the command
STAGE 4 · HMAA · Authority Tier: Checks the operator authority tier against the current regime
STAGE 5 · MAIVA · Consensus: Requires consensus across inspection nodes
STAGE 6 · FLAME · Deliberation: Bounded deliberation for high-stakes or ambiguous actions
STAGE 7 · ERAM · Risk Gating: Risk-based gating of the proposed cross-boundary action
STAGE 8 · CARA · Isolation: Automatic isolation of the source on detected compromise

BLADE-INFRA-OT reuses approximately 70% of the parent BLADE-INFRA platform, extending it for operational-technology bridge operations rather than re-deriving the governance core.

Dual-Plane Compute with a Hardware Root of Trust

The governance plane runs on a Xilinx Kria K26 industrial system-on-module; the network plane runs on a separate x86 fanless single-board computer, isolating packet handling from adjudication. A Microchip ATECC608 secure element provides the hardware root of trust, a TPM 2.0 module anchors platform state, and a Form C fault relay drives a fail-safe output. A managed Ethernet switch with SFP+ uplinks segregates IT-side and OT-side interfaces, and an out-of-band management module supports administration without traversing the data path.

Industrial Protocol Awareness

The appliance parses and adjudicates the industrial protocols common at the IT/OT boundary, such as Modbus/TCP, DNP3, OPC UA, EtherNet/IP, and IEC 61850. Adjudication operates at the command level: for example, a SCADA pump-start issued as a Modbus write-holding-register is checked for operator provenance, baseline-consistent message pattern, and authority tier before it is permitted to propagate to the field device.

Bump-in-the-Wire, Fail-Closed

BLADE-INFRA-OT installs inline at the segmentation boundary so that no cross-boundary command can reach operational-technology assets without traversing the governance node. If the appliance cannot parse, authenticate, or authorize a message, the message is isolated rather than forwarded. The default state on fault, power loss, or tamper is closed, preserving the safety posture of the protected control zone.
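
The following added example (not code from the BLADE-INFRA-OT project) sketches command-level, fail-closed adjudication for one protocol, Modbus/TCP. It covers only strict parsing and regime gating, not the provenance, authority-tier, or consensus stages. The regime names and policy strings are taken from the page's configuration file, while the function-code allow-list and the rule that every write counts as high-stakes are assumptions of this example.

```python
import struct

READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10
# Regime names and policy strings come from the page's YAML; how each
# policy is applied below is this example's assumption.
REGIMES = {"NOMINAL": "permissive", "ELEVATED": "hold_high_stakes",
           "LOCKDOWN": "isolate_writes", "SAFE_HALT": "isolate_all"}


class Malformed(ValueError):
    """Frame deviates from the Modbus/TCP request layout."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Strictly parse one Modbus/TCP request; raise Malformed on any deviation."""
    if len(frame) < 8:
        raise Malformed("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise Malformed("protocol identifier is not 0")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise Malformed("MBAP length disagrees with frame size")
    func, body = frame[7], frame[8:]
    if func in (READ_HOLDING, WRITE_SINGLE):
        if len(body) != 4:
            raise Malformed("wrong PDU size")
        addr, arg = struct.unpack(">HH", body)
        if func == READ_HOLDING and not 1 <= arg <= 125:
            raise Malformed("read quantity out of range")
        count = arg if func == READ_HOLDING else 1
    elif func == WRITE_MULTIPLE:
        if len(body) < 5:
            raise Malformed("wrong PDU size")
        addr, count, nbytes = struct.unpack(">HHB", body[:5])
        if not 1 <= count <= 123 or nbytes != 2 * count or len(body) != 5 + nbytes:
            raise Malformed("register count and byte count disagree")
    else:
        raise Malformed(f"function code {func:#04x} not on the allow-list")
    return {"unit": unit, "func": func, "addr": addr, "count": count,
            "write": func != READ_HOLDING}


def adjudicate(frame: bytes, regime: str) -> tuple:
    """Return (action, reason); every path not explicitly allowed isolates."""
    policy = REGIMES.get(regime)
    if policy is None:
        return "ISOLATE", "unknown regime"
    try:
        cmd = parse_modbus_tcp(frame)
    except Malformed as exc:
        return "ISOLATE", f"malformed: {exc}"
    if policy == "isolate_all":
        return "ISOLATE", "regime isolates all traffic"
    if cmd["write"] and policy == "isolate_writes":
        return "ISOLATE", "regime isolates writes"
    if cmd["write"] and policy == "hold_high_stakes":
        return "HOLD", "write held for operator clearance"
    return "PROPAGATE", "allowed under regime"


# Constructed sample: write single register, unit 1, address 0x0010, value 1.
PUMP_START = bytes.fromhex("000100000006010600100001")
# Constructed sample: read 2 holding registers starting at address 0x0010.
READ_STATUS = bytes.fromhex("000200000006010300100002")
```

The same pump-start frame resolves to PROPAGATE, HOLD, or ISOLATE depending only on the active regime, and a frame one byte short is isolated in every regime.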

Fail-Closed by Design

BLADE-INFRA-OT defaults to the safe state. A Form C fault relay drives a fail-closed output, and the appliance isolates rather than forwards whenever it cannot parse, authenticate, or authorize a cross-boundary command. On power loss, fault, or detected tamper, the bridge latches closed, preserving the safety posture of the protected control zone. Adjudication and packet handling run on physically separate planes, so a fault in the network plane cannot silently grant authority on the governance plane.

Fail-closed fault relay: Form C
Default state on fault: Closed
On unparseable input: ISOLATE
Governance / network isolation: 2-plane

1U Fanless Reference Design

48 BOM line items
35 electrical connections
42 mechanical connections
1U, fanless / DIN-rail

A commercial-off-the-shelf reference design in a fanless, conformal-coated, industrial-temperature enclosure. No hardware has been fabricated; the design is a research reference at TRL 2-3, with the simulation tier at TRL 3-4.

Dual-Plane Separation and Recovery

The appliance separates the governance plane (a Xilinx Kria K26 industrial system-on-module that performs adjudication) from the network plane (an x86 fanless single-board computer that handles packet I/O), so a compromise or fault in packet handling cannot bypass adjudication. A managed Ethernet switch with SFP+ uplinks segregates the IT-side and OT-side interfaces, an out-of-band management module supports administration off the data path, and a conduction-cooled, conformal-coated, industrial-temperature build (-40 to +70C) supports continuous operation. Recovery from an authority lockout follows the deterministic CARA recovery model used across the BLADE family.

System Schematic

Full subsystem node graph color-coded by type (MCU, Sensor, Actuator, Power, Module, Display). Shows the governance-plane and network-plane compute, managed switch with SFP+ ports, ATECC608 root of trust, TPM 2.0, Form C fault relay, DC/DC power, and status LEDs, connected by data, power, and ground edges.


Reference Configuration Cost

Typical configuration with industrial temperature range, fanless operation, conformal-coated PCB, and 1U rack-mount or DIN-rail mounting. Engineering margin is included.

Category | USD
Xilinx Kria K26 SOM (governance plane) | 3,000
x86 Atom fanless SBC (network plane) | 1,800
4x GbE + 2x SFP+ switch chip | 400
TPM 2.0 + secure element | 60
Out-of-band management module | 200
1U rack-mount chassis (industrial) | 400
Industrial-grade power supply | 300
Conformal coating, gasketing | 150
Internal cabling | 100
Documentation & ICD | 1,500
Integration & first-article test | 3,500
Engineering margin (~25%) | 3,000
Total typical configuration | 14,410

Mechanical & Environmental

Industrial temp range: -40 to +70C
Fanless, conduction-cooled
Conformal-coated PCB
1U / DIN: rack or rail mount

Browser-Based Governance Simulator

A deterministic, browser-based simulator demonstrates the IT/OT bridge governance pipeline across four scripted scenarios: nominal operation (a water-utility pump-start command), an attempted attack, authorized maintenance, and a multi-utility coordinated probe.

SCENARIO 01 · NOMINAL: Water-utility pump start
A SCADA operator issues a Modbus pump-start. SATA verifies provenance, ADARA confirms a baseline-consistent pattern, HMAA grants T3, and the command propagates.

SCENARIO 02 · ATTACK: Attempted unauthorized write
A forged-authority write fails provenance and authority-tier checks. The command is isolated, the source is quarantined, and the event is recorded.

SCENARIO 03 · MAINTENANCE: Authorized maintenance window
An elevated-regime maintenance action is held for operator clearance under FLAME bounded deliberation, then propagated once cleared.

SCENARIO 04 · COORDINATED: Multi-utility coordinated probe
A distributed probe across utilities triggers MAIVA inspection-node consensus and a regime escalation to LOCKDOWN, failing closed on ambiguous traffic.

The interface adds a split IT/OT viewport, exposes the eight-stage pipeline per message, supports malformed and Byzantine forged-authority injection, clock drift, and operator-clearance delay, and records every decision to a seed-deterministic, SHA-256 hash-chained audit ledger with CSV export.


Validation Metrics

4 scripted scenarios
4 OT authority regimes
SHA-256 hash-chained ledger
Seed-deterministic replay

The simulator injects malformed and Byzantine forged-authority traffic, applies clock drift and operator-clearance delay, and confirms fail-closed behavior on every malformed input. Each decision is written to a seed-deterministic, SHA-256 hash-chained audit ledger that can be exported as CSV and verified for tampering. A simulation verification-and-validation record accompanies the deposit. These are simulation results; no certified hardware exists.
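
As an added illustration (not the simulator's own code), the sketch below shows one way a seed-deterministic, SHA-256 hash-chained ledger with CSV export and a verifier can work. The row layout, the seed-derived genesis value, and all function names are assumptions of this example, and the sample decisions are constructed.

```python
import csv
import hashlib
import io
import json

FIELDS = ["seq", "tick", "regime", "action", "reason", "prev", "hash"]


def genesis(seed: int) -> str:
    """Chain anchor derived from the scenario seed (assumed derivation)."""
    return hashlib.sha256(f"ledger-seed:{seed}".encode()).hexdigest()


def row_hash(row: dict) -> str:
    """SHA-256 over every field except the hash itself, in a fixed order."""
    body = json.dumps([row[k] for k in FIELDS[:-1]], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append(ledger: list, seed: int, tick: int, regime: str,
           action: str, reason: str) -> dict:
    """Append one decision; tick comes from the scenario clock, not wall time."""
    row = {"seq": len(ledger), "tick": tick, "regime": regime,
           "action": action, "reason": reason,
           "prev": ledger[-1]["hash"] if ledger else genesis(seed)}
    row["hash"] = row_hash(row)
    ledger.append(row)
    return row


def to_csv(ledger: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(ledger)
    return buf.getvalue()


def verify_csv(text: str, seed: int, head: str = None) -> int:
    """Return -1 if intact, else index of first bad row. Pass head (last hash,
    stored outside the ledger) to also catch rows cut from the end."""
    prev, count = genesis(seed), 0
    for i, row in enumerate(csv.DictReader(io.StringIO(text))):
        if any(row.get(k) is None for k in FIELDS):
            return i                      # missing column or short row
        try:
            row["seq"], row["tick"] = int(row["seq"]), int(row["tick"])
        except ValueError:
            return i
        if row["seq"] != i or row["prev"] != prev or row_hash(row) != row["hash"]:
            return i
        prev, count = row["hash"], i + 1
    return count if head is not None and prev != head else -1


def build_sample(seed: int) -> list:
    """Constructed decisions mirroring three of the page's scenarios."""
    ledger = []
    append(ledger, seed, 10, "NOMINAL", "PROPAGATE", "nominal pump start")
    append(ledger, seed, 20, "NOMINAL", "ISOLATE", "forged-authority write")
    append(ledger, seed, 30, "ELEVATED", "HOLD", "maintenance, awaiting clearance")
    return ledger
```

Because nothing in a row depends on wall-clock time, two runs with the same seed and inputs export byte-identical CSV. Editing any field breaks verification at that row.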

Deterministic Scenario Validation

The simulation is evaluated against documented IT/OT threat patterns using a seed-deterministic, scenario-driven methodology. Each scenario fixes the authority regime, the message stream, and the seed, so a given configuration reproduces an identical decision trace and audit ledger for independent verification.

Scenario | Protocol / Trigger | Pipeline Response | Adjudication
Nominal pump start | Modbus write-holding-register | SATA provenance, ADARA baseline-consistent, HMAA tier T3 | PROPAGATE
Attempted attack | Forged-authority write | SATA / HMAA failure, CARA isolation | ISOLATE
Authorized maintenance | Elevated-regime action | FLAME bounded deliberation, operator clearance | HOLD, then PROPAGATE
Multi-utility probe | Distributed cross-utility traffic | MAIVA consensus, escalation to LOCKDOWN | ISOLATE

Mapped to OT Security Guidance

Standards alignment is inherited from BLADE-INFRA and extended for IT/OT bridge operations. Under NERC CIP, the appliance supports CIP-005 electronic security perimeter, CIP-007 system security management, and CIP-010 configuration change management, with audit-ledger output structured for CIP-008 incident response. Under IEC 62443, BLADE-INFRA-OT functions as a conduit gateway between SL-1 IT zones and SL-3+ OT zones. Its cryptographic boundary aligns with the parent BLADE-INFRA cryptographic-module specification, and it is positioned as a reference implementation of the December 2025 CISA / Five Eyes operational-technology principles.

Role in the Governance Stack

BLADE-INFRA-OT is the ninth instantiation of the AUTHREX authority-governance framework and the operational-technology companion to BLADE-INFRA. The seven governance architectures (SATA, HMAA, ADARA, MAIVA, FLAME, CARA, ERAM) are reused in their IT/OT-bridge roles, and the same governance pipeline and evidence design that runs across the BLADE family is applied to the IT/OT seam rather than re-derived.

Related platforms: Rover Testbed (~$484) · UAV Platform (~$4,200) · BLADE-EDGE (defense, ~$139K) · BLADE-AV (automotive, ~$16K) · BLADE-MARITIME (maritime, ~$43K) · BLADE-INFRA (infrastructure, ~$12K) · BLADE-SPACE (orbital, ~$505K) · BLADE-CUAS (counter-UAS, ~$43.5K) · BLADE-AGENT-HSM (agentic AI, ~$199) · BLADE-SWARM (swarm autonomy, ~$1,333/node) · BLADE-INFRA-OT (IT/OT bridge governance, 1U fanless) · BLADE-FINANCE (financial-sector governance, ~$9K). Twelve research platforms demonstrating governance-stack portability across ten domains.

Unified SDK Integration

BLADE-INFRA-OT is configured through the same unified governance API used across the BLADE family. The host opens the node, submits a cross-boundary command, and receives an adjudication. Only the configuration changes between domains.

blade_infra_ot.yaml (IT/OT Bridge)
domain: infra_ot
placement: bump_in_the_wire
fail_state: closed

compute:
  governance_plane: xilinx_kria_k26
  network_plane:    x86_atom_sbc

protocols: [modbus_tcp, dnp3, opc_ua,
            ethernet_ip, iec_61850]

regimes:
  NOMINAL:   permissive
  ELEVATED:  hold_high_stakes
  LOCKDOWN:  isolate_writes
  SAFE_HALT: isolate_all

audit: sha256_hash_chain   # tamper-evident
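
bridge_integration.py (Python)
import blade_governance as bg

# Open the IT/OT bridge governance node
node = bg.InfraOT("blade_infra_ot.yaml")

# Adjudicate a cross-boundary command. msg and the handlers forward_to_ot,
# queue_for_operator and isolate are assumed to be supplied by the host
# application.
d = node.adjudicate(msg, regime="ELEVATED")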
if d.action == "PROPAGATE":
    forward_to_ot(msg)
elif d.action == "HOLD":
    queue_for_operator(msg, d.reason)
else:
    isolate(msg.src)          # ISOLATE

node.audit_append(d)          # SHA-256 chained

Cross-domain portability: the same API drives BLADE-INFRA-OT and the other BLADE nodes. Switching from a defense node to an IT/OT bridge changes the configuration, not the application code. This is how one governance pipeline operates across ten domains.

Companion Paper & Documentation

The BLADE-INFRA-OT paper, working paper, interface-control document, assembly guide, and the complete reference-design files are deposited on Zenodo under DOI 10.5281/zenodo.20342067 (CC BY 4.0, v1.0).

Document | Description
Zenodo Paper (PDF) | Authority-Governed IT/OT Bridge for Cross-Boundary OT Command Adjudication.
Working Paper (PDF) | Authority Governance for IT/OT Bridge Operations.
Interface Control Document | ICD-INFRA-OT-001: hardware interface control document.
Full Repository | All deposited files: simulator, paper, ICD, assembly guide, schematic, BOM, connection graphs, and V&V record.

Technology Readiness

BLADE-INFRA-OT hardware is at approximately TRL 2-3 (specification and reference design); the simulation tier is at approximately TRL 3-4 (a deterministic research demonstrator running real Web Crypto SHA-256). No hardware has been fabricated, and no penetration testing against an operational utility has been performed.

Hardware - TRL 2-3

Reference design with the system schematic, 48-line BOM, 35 electrical and 42 mechanical connections, and the 1U fanless enclosure. No certified hardware exists.

Simulation - TRL 3-4

Browser-native, deterministic, four scripted scenarios, four authority regimes, fail-closed handling, and a SHA-256 hash-chained audit ledger with CSV export.

Future Work

First-Article Fabrication

Build the 1U first article, bring up the governance and network planes, the managed switch, and the root of trust, and verify the adjudication path end to end.

Protocol-Parser Hardening

Extend and fuzz the Modbus, DNP3, OPC UA, EtherNet/IP, and IEC 61850 parsers against malformed and adversarial frames.

Hardware-in-the-Loop

Connect the governance node to a benchtop PLC and HMI to validate adjudication latency and fail-closed behavior under realistic control traffic.

Regime Policy Study

Characterize false-hold and false-propagate rates across the four authority regimes and tune the risk-based gating thresholds.

Repository & Reproducible Artifacts

BLADE-INFRA-OT provides reproducible artifacts enabling independent verification of the adjudication behavior, the reference hardware design, and the simulation. All files are published open-access on Zenodo (DOI 10.5281/zenodo.20342067) and mirrored in the repository.

Deterministic Simulator

A self-contained HTML simulator with real Web Crypto SHA-256, a deterministic clock, four scenarios, fault and Byzantine injection, CSV export, and an audit-ledger verifier.

Reference Hardware

System schematic, 48-line BOM, electrical (35) and mechanical (42) connection maps, the ICD, and the first-article assembly guide.

Verification

A simulation verification-and-validation record covering the four scenarios, the four authority regimes, fail-closed handling, and audit-ledger integrity.

Standards Alignment

NIST SP 800-82, ISA/IEC 62443 zones and conduits, NERC CIP-005/007/008/010, the NIST AI Risk Management Framework, and the CISA / Five Eyes OT principles.


Independent, Openly Published Research

BLADE-INFRA-OT is a fundamental-research deliverable: a hardware reference design, an interactive simulation, an open interface-control document, and a working paper, all built from commercial off-the-shelf components and published openly under CC BY 4.0. No penetration testing is performed; the simulation is scripted against documented threat patterns rather than against any operational utility. The status frame is TRL 3-4 for the simulation tier and TRL 2-3 for the hardware tier. Within the AUTHREX program, BLADE-INFRA-OT is the ninth BLADE platform and the operational-technology companion to BLADE-INFRA.

Reference Artifacts

Hardware specification, papers, and the full Zenodo deposit. All materials CC BY 4.0.

About This Project

The BLADE-INFRA-OT Governance Node is part of the authority-governed autonomy research program by Burak Oktenli at Georgetown University (M.P.S. Applied Intelligence). It is the ninth domain instantiation of the BLADE governance framework and the operational-technology companion to BLADE-INFRA, demonstrating that the same authority and evidence design developed across defense, automotive, maritime, critical-infrastructure, orbital, counter-UAS, agentic-AI, and swarm reference designs applies to governing the IT/OT bridge.

Related architectures: SATA · HMAA · CARA · MAIVA · FLAME · ADARA · ERAM


How to Cite

Oktenli, B. (2026). BLADE-INFRA-OT Governance Node: Authority-Governed IT/OT Bridge for Cross-Boundary OT Command Adjudication. Zenodo. https://doi.org/10.5281/zenodo.20342067