Pillar IV · position
Our Philosophy.
Control systems act on physics, not on information. The architecture follows from that distinction.
§ Control is not information
The mistake of the last decade.
Information models - CIA and its derivatives - were imported from enterprise IT and applied to systems that act on physics. Architecture got fragile. Security got cosmetic. The model on offer promised seamless integration; it delivered complexity and attack surface.
The correction is simple: use the right model for what you are governing. SRP for control, CIA for information.
§ Why SAIC fails as a control-system model
Safety is not an addendum.
SAIC takes the information-domain triad - Availability, Integrity, Confidentiality - and prepends Safety. The structure betrays the move: Safety is bolted on, not foundational. The model is right for IT systems that touch safety-critical information - historians, audit stores, regulator-facing dashboards. For those, SAIC is the correct frame.
Extended downward to govern the ACS itself, it fails. The ACS does not operate on records. It operates on action and physics - a valve that moves, an interlock that latches, a loop that closes within its required time. Reliability and Performance are properties of the physical system. Safety is what the physical system protects. That is a different substrate than information. It needs a different model.
§ The principles
Seven principles. Not negotiable.
Drawn from the reality of running physical processes. Principle 00 fixes the starting point: physics overrides information. Principles 01-06 follow from it.
- 00
Physics overrides information
Control systems act on physics. Information is the record that follows. Treating ACS as information is the wrong starting point - every architectural decision downstream inherits the mistake.
- 01
Safety. Reliability. Performance. In that order.
SRP governs the ACS substrate. Safety is not an addendum; it is what the physical system protects. Reliability and Performance are properties of that system. Information-centric models - CIA, AIC, SAIC - are the wrong tools for what acts on physics. After Robert Radvanovsky, Infracritical.
- 02
Operational reality dictates design
Industrial environments are not data centers. There is no singular control network - a plant has many discrete control networks, each with its own management entity. There is no executive director of Manufacturing Operations. PERA+'s 4Rs - Response, Resolution, Reliability, Resilience - determine where applications belong. Network designs, hardware, software, historians, and zone IP services (DHCP, DNS, NTP, file) must be decentralized to match the substrate they serve. After Gary Workman, Two-Box Method (RTA, 2022).
- 03
Complexity is the enemy of Reliability
Robust Manufacturing Operations is simple, predictable, deterministic. Every additional dependency, feature, or communication path introduces fragility and increases attack surface. The goal is systems that are easy to understand, easy to maintain, and easy to secure - by virtue of having less to understand, maintain, and secure.
- 04
Security is an architectural property
The most effective posture for Manufacturing Operations is deliberate, managed separation from untrusted networks, especially the enterprise IT environment. PERA+ articulates this as "secure interfaces, not integration." IIA rejects the "IT/Operations convergence" frame entirely - there is no merger to design, only an interface to enforce. Cultural rupture escalated when networks were linked through shared infrastructure (switches, L3 routers spanning the boundary) instead of through gateways; a gateway is an end device with one owner. True security is built in, not bolted on, and never bought.
- 05
Every boundary is formalized
Data flows that exit the ACS are documented, limited, and governed by bilateral contracts with explicit RACI matrices for every failure mode. These conduits are security perimeters requiring the same rigor as external interfaces. Informal "visibility" requests that bypass this process are attacks on the architecture, intentional or not.
- 06
Empower the practitioner
The most valuable asset is the knowledge of practitioners who design, implement, and maintain these systems. Standards must be field-ready. Practical experience over vendor certifications. The Alliance exists to make standards like IEC 62443 accessible - to restore them to the people who actually operate the plant.
§ The point
Whoever controls the automation infrastructure controls the plant. If it isn't you, it's someone else.
A plant that depends on an outside connection to see its process, reach its historian, monitor security, or run the cell's basic IP services (DHCP, DNS, NTP, files) is not independent. The historian is the clearest example: a central historian - vendor-owned, off-site, only reachable when the WAN is up - goes down when the WAN goes down. IIA puts a historian at every zone: data, network and audit belong to the operator, and they run without the cloud.
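Principle 02 and the paragraph above both make the same test: a cell whose basic IP services point outside its own zone is not independent. The following audit, added here as an example and not the Alliance's own tooling, makes that test mechanical. The zone CIDR and the resolv.conf / chrony-style configuration lines are constructed samples; everything that is not a zone-local address is reported as an outside dependency.

```python
import ipaddress

# Constructed sample: the cell's zone network and the service endpoints its hosts are configured to use.
ZONE = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample config lines: resolv.conf "nameserver" entries and chrony/ntp "server"/"pool" entries.
SAMPLE_CONFIG = """\
# DNS
nameserver 10.20.30.5
nameserver 192.0.2.53
# NTP
server 10.20.30.6 iburst
server 203.0.113.123 iburst
pool pool.ntp.org iburst
"""


def extract_endpoints(config_text):
    """Yield (service, endpoint) pairs from resolv.conf and chrony/ntp style lines; comments are skipped."""
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver" and len(parts) >= 2:
            yield ("dns", parts[1])
        elif parts[0] in ("server", "pool") and len(parts) >= 2:
            yield ("ntp", parts[1])


def classify(endpoint, zone):
    """'local' if the address sits inside the zone, 'external' if not, 'hostname' if it must first be resolved."""
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        # A name rather than an address: resolving it is itself a dependency on whoever answers the query.
        return "hostname"
    return "local" if addr in zone else "external"


def audit_zone_services(config_text, zone):
    """Return [(service, endpoint, verdict), ...] for every configured DNS/NTP endpoint."""
    return [(svc, ep, classify(ep, zone)) for svc, ep in extract_endpoints(config_text)]


def external_dependencies(config_text, zone):
    """The subset of endpoints the cell cannot reach with the WAN down: anything not zone-local."""
    return [(svc, ep) for svc, ep, verdict in audit_zone_services(config_text, zone) if verdict != "local"]


if __name__ == "__main__":
    for svc, ep in external_dependencies(SAMPLE_CONFIG, ZONE):
        print(f"outside dependency: {svc} -> {ep}")
```

An empty result from external_dependencies is the condition the paragraph describes; each reported pair is a service the cell loses when the WAN does.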
§ Prior art cited
Independent works the Alliance credits as the substrate its position is built on. Infracritical, Entercon, ISA, and IEC are independent organizations. None of them is affiliated with the Alliance or with each other.
- SRP Triad - Robert Radvanovsky / Infracritical. The foundation of the ACS substrate model. srpmodel.infracritical.com
- PERA+ - Gary Rathwell / Entercon. The reference architecture for industrial enterprise organization; source of the 4Rs, the CIAD/CIND diagram conventions, and the "secure interfaces, not integration" stance. pera.net
- The Two-Box Method - John Rinaldi & Gary Workman. The canonical articulation of physically enforced ACS/IT segmentation. The Everyman's Guide to EtherNet/IP Network Design (RTA, 2022).
- IEC 62443 - cybersecurity for industrial automation. Security Levels SL1–SL4, Foundational Requirements FR1–FR7. The Architecture targets an SL3 floor, with SL4 via data diode.
- ISA-95 - the canonical IT↔ACS data-modeling backbone.
§ Reference implementations
- MarlinSpike - the maintained, multi-user successor to NSA's GrassMarlin. Open-source passive control-system topology workbench. Captures in, zero packets out. grassmarlin.com
- Conversational Factory - read-only control-system platform. Passive observation across many industrial protocols, local historian, i3X v1 + MCP query surface for operators and AI clients, every answer bound to an append-only audit chain. conversationalfactory.com