[Domains]/[D_10]

Cyber-Physical & Critical Infrastructure Security.

Where operational technology, safety systems, and corporate IT converge — and where a security incident has physical, regulatory, and public consequences.

MRBF works on cyber-physical security as an engineering and governance problem, not a tooling exercise. Our focus is on operators of critical infrastructure, regulators of essential services, and the boards accountable when a control system, network, or supply chain is compromised.

[01_Context]

Where the work sits.

  • 01 · Operators of energy, water, transport, and industrial infrastructure subject to critical infrastructure obligations.
  • 02 · Regulators and policy teams setting resilience, reporting, and uplift expectations.
  • 03 · Engineering and operations leadership integrating OT/IT security into normal asset stewardship.
  • 04 · Boards and audit committees seeking independent assurance over cyber-physical risk posture.

[02_Tailored_Services]
S_01

OT/ICS security posture review

Independent, engineering-led review of operational technology environments — architecture, segmentation, vendor exposure, and incident readiness.

S_02

Critical infrastructure compliance

Program design and uplift support against critical infrastructure regimes — risk management programs, reporting obligations, and director attestations.

S_03

Resilience & continuity strategy

Cross-domain resilience planning where cyber, physical, supply chain, and workforce risks compound — scenario design, exercises, and operating model review.

S_04

Supply chain & vendor risk

Structured assessment of OEMs, integrators, and software providers embedded in safety-critical systems — including foreign ownership and dependency exposure.

S_05

Board-level assurance

Translation of technical posture into the evidence boards and regulators need: risk appetite, accountability, and trajectory rather than tooling lists.

S_06

Incident review & lessons

Post-incident review focused on systemic and governance lessons — what the operating model, not just the responders, needs to change.

[03_Case_Highlights]

Illustrative scenarios drawn from the kind of problems MRBF is equipped to engage on in this domain. Anonymised by design — specific principals and outcomes are confirmed in scoping and governed by confidentiality.

C_01 · Utility

OT segmentation review for a multi-site operator.

Independent assessment of network segmentation, remote access, and vendor connectivity across geographically distributed control environments.

Illustrative · scoped under confidentiality

C_02 · Regulator

Sectoral resilience uplift program design.

Designed an uplift framework defining minimum capability, evidence expectations, and a phased pathway for operators of varying maturity.

Illustrative · scoped under confidentiality

C_03 · Board

Independent assurance ahead of director attestation.

Provided board-level assurance over a critical infrastructure risk management program before formal attestation, with clear residual-risk articulation.

Illustrative · scoped under confidentiality

[04_Questions_We_Engage]

The questions we are built for.

  • Q_01 · Is our OT environment defensible — and can we evidence that to a regulator?
  • Q_02 · How do we run cyber and physical resilience as one program, not two?
  • Q_03 · Which vendors and dependencies represent unacceptable concentration risk?
  • Q_04 · What does 'reasonable steps' actually look like for our directors?
  • Q_05 · After this incident, what in the operating model has to change?

[05_Engage]

Bring a cyber-physical & critical infrastructure security question into scoping.

Engagements begin with a scoping conversation. We confirm the problem, the senior practitioners or specialists who would deliver, and whether MRBF is the right counterpart before any work starts.

Treated as confidential. No third-party sharing.