Platform Design Principles
The First Watch® platform is designed for non-disruptive, resilient operation within industrial environments. Its architecture and operational logic incorporate multiple fail-safe mechanisms intended to preserve process continuity and stability, even when monitoring or enforcement functions are active. Rather than introducing rigid controls, the platform applies graduated and reversible actions that align with operational priorities.
Fail-Safe Design Principles
The platform integrates structured fail-safe principles to ensure that security and governance functions remain compatible with manufacturing operations while operating under deterministic, policy-defined control. Rather than relying on adaptive or implicit behaviour, the platform applies controls according to explicitly defined operational policies.
Policy-Defined Operational Modes
System behaviour is governed by approved policies that define whether assets operate in:
- Monitoring mode — visibility without restriction
- Controlled enforcement mode — selective restriction according to policy
These modes are not automatically inferred. They are deliberately configured, approved, and traceable. This ensures that protection strength reflects operational readiness and risk acceptance.
Non-Disruptive Monitoring Architecture
Monitoring capabilities are implemented to avoid interference with:
- Control logic
- Timing constraints
- Deterministic operation of industrial systems
Visibility functions operate independently of process execution to ensure that observation does not alter system behaviour.
Deterministic and Reversible Enforcement
Where enforcement is enabled, actions are:
- Explicitly defined in policy
- Applied deterministically
- Limited in scope and duration where required
Enforcement mechanisms support time-bound operational windows and temporary overrides. Systems can return to their prior state without complex recovery procedures once approved activities are completed.
Electrical Outage and Watchdog-Based Fail-Safe Behaviour
In industrial environments, network devices must behave predictably during abnormal conditions such as electrical power loss, hardware malfunction, or internal software watchdog triggers.
PLC Guard™ and associated enforcement components support configurable fail-safe behaviour defined during implementation:
| Mode | Behaviour | Use Case |
|---|---|---|
| Fail-open (traffic bypass) | Network traffic automatically bypasses enforcement logic and continues to flow uninterrupted | Prioritises operational continuity where process availability is the highest priority |
| Fail-closed (traffic stop) | Network traffic is halted to prevent uncontrolled or potentially unsafe communication | Selected where safety or security risk outweighs availability concerns |
The selected fail-safe mode is not automatic. It is determined by the automation engineer based on:
- Process criticality
- Safety requirements
- Operational risk tolerance
- Regulatory obligations
This ensures that even under hardware failure conditions, system behaviour remains deterministic and aligned with engineering intent.
Scoped and Granular Control Application
Policies are applied deliberately and at defined operational scopes rather than globally across the entire environment. Depending on operational needs, a policy may apply to:
- A single critical asset — e.g., one PLC or one engineering workstation
- A defined asset group — e.g., all SCADA servers
- A logical zone — e.g., a specific production line or control network segment
- A specific user role or access context — e.g., engineering users during maintenance windows
This means that enforcement boundaries are precisely aligned with asset function and criticality.
Examples:
- Application control may be strictly enforced on engineering workstations, while remaining in monitoring mode on operator HMIs
- PLC communication enforcement may apply only to safety-critical controllers, while other devices remain under observation
- Maintenance overrides may apply only to a defined asset group and only for a limited time
Policies are therefore not deployed as broad, environment-wide restrictions. Instead, they are intentionally scoped to reflect operational realities. This granular application:
- Reduces the likelihood of unintended operational disruption
- Allows phased introduction of enforcement
- Aligns protection with risk level and asset importance
- Supports deterministic control based on approved operational intent
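As an added illustration, not code from First Watch or PLC Guard, the following Python sketch models the behaviours described in the enforcement, fail-safe and scoped-control sections above: explicitly configured monitor or enforce modes, narrowest-scope policy selection, time-bound maintenance overrides that revert on their own, an engineer-chosen fail-open or fail-closed disposition on a device fault, and unknown assets recorded rather than restricted. All asset names, policies, flows and the maintenance window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

MONITOR, ENFORCE = "monitor", "enforce"            # explicitly configured, never inferred
FAIL_OPEN, FAIL_CLOSED = "fail-open", "fail-closed"
SPECIFICITY = {"asset": 0, "group": 1, "zone": 2}  # narrowest matching scope wins

@dataclass(frozen=True)
class Policy:
    name: str
    scope: tuple                # (kind, value), e.g. ("group", "safety-plc")
    mode: str                   # MONITOR or ENFORCE
    allowed: frozenset          # approved (protocol, peer) pairs
    fail_mode: str = FAIL_OPEN  # disposition chosen by the automation engineer

def in_scope(scope, asset):
    kind, value = scope
    return asset.get(kind) == value

def evaluate(policies, windows, asset, flow, now, device_healthy=True):
    """Return (decision, reason); decision is 'allow', 'block' or 'log'.
    windows: dicts with scope, start, end and extra (flows allowed while active)."""
    matching = [p for p in policies if in_scope(p.scope, asset)]
    if not matching:  # unknown state: record the deviation, do not restrict
        return "log", f"no approved policy covers {asset['asset']}; deviation recorded"
    policy = min(matching, key=lambda p: SPECIFICITY[p.scope[0]])
    if not device_healthy:  # power loss / watchdog trigger: engineered fail-safe disposition
        if policy.mode == ENFORCE and policy.fail_mode == FAIL_CLOSED:
            return "block", f"{policy.name}: device fault, fail-closed"
        return "allow", f"{policy.name}: device fault, traffic bypasses enforcement"
    allowed = set(policy.allowed)
    for w in windows:  # time-bound overrides widen the allow set only while active
        if in_scope(w["scope"], asset) and w["start"] <= now < w["end"]:
            allowed |= w["extra"]
    if flow in allowed:
        return "allow", f"{policy.name}: permitted"
    if policy.mode == MONITOR:  # visibility without restriction
        return "log", f"{policy.name}: deviation {flow} observed"
    return "block", f"{policy.name}: {flow} not in approved policy"

# Constructed sample configuration (illustrative names only, not real assets)
PLC01 = {"asset": "PLC-01", "group": "safety-plc", "zone": "line-2"}
HMI02 = {"asset": "HMI-02", "group": "operator-hmi", "zone": "line-2"}
POLICIES = [
    Policy("safety-plc-enforce", ("group", "safety-plc"), ENFORCE,
           frozenset({("modbus", "HMI-01")}), fail_mode=FAIL_CLOSED),
    Policy("line-2-monitor", ("zone", "line-2"), MONITOR, frozenset()),
]
WINDOWS = [{"scope": ("asset", "PLC-01"), "start": datetime(2024, 6, 1, 10),
            "end": datetime(2024, 6, 1, 12), "extra": frozenset({("eng-download", "EWS-01")})}]
```

Once the window's end time passes, the engineering download is blocked again without any recovery step, which is the reversibility the text describes.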
Governance-Driven Safeguards
All enforcement behaviour remains aligned with:
- Approved policies
- Defined change windows
- Traceable override mechanisms
- Human decision authority
The platform does not autonomously escalate restrictions. It applies only what has been formally defined and approved.
Fail-safe design within the First Watch® platform is based on deterministic, policy-governed control. By separating monitoring from enforcement, applying scoped restrictions, incorporating configurable fail-open or fail-closed behaviour, and preserving reversibility, the platform strengthens industrial security without compromising operational stability or engineering authority.
Operational Safeguards
Operational safeguards are embedded to support stable day-to-day use:
- Time-bound change windows ensure that enforcement aligns with approved operational periods
- Graceful handling of unknown states — the system records and highlights deviations rather than immediately restricting behaviour
- Separation of monitoring and enforcement paths — visibility remains available even when enforcement is adjusted or paused
These safeguards support a calm operational posture, where security measures adapt to the environment rather than forcing abrupt change.
Alignment with Manufacturing Operations
The First Watch® platform is intentionally designed to integrate into established manufacturing and control system practices, rather than alter or replace them. Specifically:
- It complements existing control, protection, and safety systems (PLC logic, interlocks, safety relays, SIS, firewalls) and does not interfere with their deterministic operation
- It operates alongside the control architecture, providing visibility, governance, and policy-based control without modifying control algorithms or process sequences
- It supports progressive adoption, allowing organisations to move from visibility, to monitoring, to controlled enforcement only when operational behaviour is fully understood
- It enables operational and automation teams to introduce protections in alignment with maintenance schedules, engineering approvals, and process constraints, rather than forcing abrupt architectural change
The platform respects the fundamental principle of industrial environments: process stability and safety come first.
By embedding deterministic policy control, scoped enforcement, and fail-safe mechanisms throughout its design, the First Watch® platform strengthens cybersecurity governance while remaining consistent with the operational rhythms, approval workflows, and engineering disciplines that define industrial systems.