Phase 1 — The Wedge

OT Topology Assessment for Cement & Mining Operations

Per-plant scoped assessment producing documented OT topology — asset inventory, network segmentation evidence, and security-level capability mapping. Scoped per plant, returned within standard SOW timing, delivered to a named procurement-grade contact.

Why static documentation fails

You cannot secure a topology you have not documented

Most operators know their OT environment has documentation gaps. The asset inventory is incomplete, the network diagrams are out of date, and nobody is sure which devices are actually reachable from the corporate network. These are the predictable consequences of an OT environment that grew plant by plant without a single topology authority.

1. Asset inventories are incomplete or out of date
Controllers, HMIs, historians, and PLCs exist on your network that don't appear in any current documentation. Every acquisition, expansion, or OEM integration adds devices that were never formally inventoried — and the gap compounds with every plant added to the fleet.

2. Network segmentation is assumed, not verified
The architecture diagram says the zones are separated. The reality on the wire may not match. Without documented segmentation evidence — VLANs, firewall rules, zone boundaries — you are relying on assumptions that no auditor or insurance carrier will accept.

3. Point-in-time pen tests expire on delivery
A penetration test tells you what was exploitable on the day it ran. It does not tell you what is on your network, how it connects, or what changed since the last test. The Topology Assessment is not a pen test — it is the documented foundation that makes every subsequent security decision defensible.

How the assessment works

Scoped per plant, delivered to a named contact

The Topology Assessment is Potenza's wedge engagement — the first thing we deliver and the foundation for everything that follows. It is scoped per plant, returned within standard SOW timing, and delivered to a named procurement-grade contact at the operator.

Comprehensive asset discovery

Passive and active discovery across every OT network segment — controllers, HMIs, historians, PLCs, switches, firewalls, and remote-access pathways. Every device is inventoried with manufacturer, model, firmware version, IP address, and network zone placement.

Network segmentation mapping

Documented evidence of how your OT environment is actually segmented — VLANs, firewall rules, zone boundaries mapped against the Purdue Model (Levels 0–5). The output is what your auditor, your insurance carrier, and your own team need to verify segmentation claims.

Security-level capability mapping

Each zone and conduit mapped against ISA/IEC 62443 security-level targets. The assessment produces capability evidence — not a compliance certificate, but the documented foundation that makes compliance achievable and auditable.

What you receive

Procurement-grade documentation, not a slide deck

The Topology Assessment produces artifacts that procurement teams, CISOs, and plant operations leadership can act on immediately — not a consultant's summary that requires another engagement to interpret.

Delivered

OT asset inventory

Complete inventory of every device on the OT network — controllers, HMIs, historians, PLCs, network infrastructure, and remote-access endpoints. Manufacturer, model, firmware, IP, zone placement, and connectivity path for each.

Delivered

Network topology diagrams

Logical and physical topology diagrams showing actual network architecture — VLANs, routing, security zones, IT/OT boundary, and DMZ placement. Delivered as editable diagrams, not locked PDFs.

Delivered

Segmentation evidence report

Documented evidence of network segmentation status — what is separated, what is not, and where the gaps are. Mapped against Purdue Model levels and suitable for audit or insurance renewal submission.

Delivered

Security-level capability matrix

Zone-by-zone capability mapping against ISA/IEC 62443 security levels. Identifies current capability, target capability, and the gap between them — the roadmap for what to fix and in what order.

FAQ

Questions operators ask before booking an assessment

Common questions from procurement teams and plant operations leadership evaluating the Topology Assessment. Reach out to our team.

Get Started

Start with the topology

Every Potenza engagement begins with the same step — documenting what is on your OT network and how it connects. Tell us which plant you want to start with.

What you’ll get

  • Per-plant scoped assessment with named delivery contact
  • Complete OT asset inventory and network topology diagrams
  • Segmentation evidence mapped to Purdue Model levels
  • Security-level capability matrix aligned to ISA/IEC 62443
  • Foundation for Topology Authority and OT Service Owner phases