Consulting

Systems Assurance for Critical Infrastructure

Lex Rosa designs and implements systems where security, auditability, and operational integrity are enforced by architecture, not policy documents.

We specialize in critical infrastructure environments where failure has public consequences: water treatment, power distribution, municipal systems, and essential services.

Our work replaces assumptions and unverified best practices with guarantees that can be mechanically checked against the running system.

 

What We Do

Lex Rosa provides systems assurance for infrastructure operators who need to prove their systems are secure, compliant, and resilient.

Our engagements typically involve:

Infrastructure Hardening

  • Elimination of internet-exposed industrial control systems

  • Network segmentation and data diodes for OT/IT separation

  • Version-controlled configuration management with CVE tracking

  • Automated vulnerability detection and remediation workflows

Provable Security Architecture

  • Systems designed such that security is an emergent property of the architecture

  • Removal of undocumented access paths and trust assumptions

  • Continuous verification of configuration state and change attribution

  • Audit trails that survive regulatory and forensic review

Operational Integrity

  • Deterministic deployment and rollback procedures

  • Automated detection of configuration drift and unauthorized changes

  • Integration of security controls with existing SCADA/ICS systems

  • Evidence generation for compliance and incident response

Risk Assessment

  • Identification of internet-exposed systems (Shodan-class analysis)

  • Evaluation of insider risk, process drift, and cascading failures

  • Gap analysis against CISA directives and state/local requirements

  • Prioritized remediation roadmaps

Tooling is selected pragmatically. Architecture and enforcement are the primary deliverables.

 

Why Critical Infrastructure

Most security consulting focuses on IT systems: databases, web applications, cloud platforms.

Critical infrastructure is different. The systems that control water treatment, power distribution, and essential services were designed for reliability and uptime, not security.

Many were deployed decades ago and have since been connected to the internet without adequate protection. Routine security practices (patching, access control, network segmentation) often conflict with availability and safety requirements: an unscheduled reboot or a blocked connection can halt a physical process.

The result: thousands of industrial control systems are visible on the internet with no authentication, running outdated software with known vulnerabilities.

Lex Rosa exists to fix this without disrupting operations.

 

Typical Outcomes

Infrastructure operators engage Lex Rosa when they need:

  • Elimination of internet-exposed control systems (SCADA, PLCs, HMIs)

  • Compliance with CISA directives and state/local security mandates

  • Network segmentation between OT and IT environments

  • Version control and change management for ICS configurations

  • Automated vulnerability tracking and CVE remediation

  • Incident response preparedness with provable audit trails

  • Restoration of confidence after near-miss events or audit findings

 

Experience

Lex Rosa principals have designed and implemented assurance systems for large, highly regulated organizations including financial institutions, healthcare systems, and government contractors.

Representative capabilities include:

  • Designed enterprise-wide build and audit systems achieving consistent regulatory compliance

  • Eliminated recurring audit findings through architecture-enforced controls

  • Implemented continuous security monitoring across hundreds of developers and critical systems

  • Recovered failed deployments and stabilized brittle operational pipelines

  • Built provenance tracking and change attribution systems for regulated environments

We bring proven methods from highly regulated industries to critical infrastructure operators.

 

Who Should Contact Us

You should contact Lex Rosa if:

  • You operate water treatment, power distribution, or other critical infrastructure

  • You are subject to CISA directives or state/local security mandates

  • You have internet-exposed industrial control systems

  • You need to prove security and compliance, not just assert it

  • You have been warned or fined, or you are quietly concerned about your current controls

 

Engagement Model

Lex Rosa works in high-trust, high-accountability engagements:

Assessment — Independent evaluation of current state and provable gaps
Architecture — Design of security controls that work with operational constraints
Implementation — Deployment of hardening measures and verification systems
Maintenance — Optional ongoing assurance and compliance monitoring

We deliberately limit concurrent engagements to maintain depth and accountability for outcomes.

Initial engagements are typically structured as fixed-scope assessments, completed in weeks rather than months, with minimal operational disruption.

 

Contact

For inquiries: info@lexrosa.com

We respond to serious inquiries within 48 hours.