Position · The working doctrine
What it means, and what it requires.
Sovereignty isn't something somebody gives you. It's something you build. It means owning the infrastructure, training your own engineers, writing your own code, and being able to audit what's running on your networks.
If you can't do it, you don't own it. And if you don't own it, it's not sovereign.
River Caudle · Riverman · OT/ICS Security Practice
§ 01. Ownership is capability
The word gets used loosely. A nation can declare digital sovereignty in a press release; a plant can hang a "secured by" sticker on a switch. Neither is the thing. Sovereignty is the operational capability to do the work. Design the network, write the firmware, read the traffic, replace the part. Anything short of that is dependence with branding.
§ 02. The fractal
Digital sovereignty at the national level and operational technology independence at the plant level are the same problem at different scales. Different vocabulary, identical structure. Who owns the stack? Who can see the traffic? Who do the devices call home to? Who can alter the firmware? The questions don't change between a continent and a control room. The answers just have more zeros.
National scale
Plant scale
§ 03. The substrate distinction
This is where most OT security writing falls apart. The plant's substrate is governed by a different ranking than the information layer that watches it. Two governance models, one architecture. The fractal doesn't collapse at the top: same unit at every level, only scope changes.
OT governance
In that order. Always.
IT governance
The CIA triad. Different problem.
§ 04. Where this leads
Position is only useful if it shows up in how networks get built. Each of the frameworks below is this doctrine, operationalized. Applied to a slice of the work where decisions actually get made.
Aligned with Cyber-Informed Engineering, the Idaho National Laboratory / DOE CESER initiative. Security is an engineering discipline; engineering is a security discipline. The gap in this field isn't missing security. It's the missing engineering. Member of the CIE Community of Practice; contributor to the Purdue Enterprise Reference Architecture (PERA).
River Caudle · river@riverman.io · Houston, Texas