A false positive in IT is an alert. In operations it is an outage.
When security reaches into operational technology — the grid, the water system, the network core — a false positive stops being noise. Isolating a device the model flagged can halt the very service the control was meant to protect.
The obligation is now statutory and named. Kenya's Computer Misuse and Cybercrimes Act established the National Computer and Cybercrimes Coordination Committee, which designated telecommunications, banking, and finance as critical infrastructure in 2022. The regulations in force from 2024 require designated operators to conduct cyber risk assessments, maintain incident-response plans, and report breaches within twenty-four hours, and a draft Critical Infrastructure Protection Bill would extend the framework further. The Central Bank of Nigeria imposes a parallel cybersecurity framework on banks and payment providers. The operator of critical infrastructure no longer merely chooses to secure it; it has a duty to secure it and, separately, to demonstrate that it has.
The technical ground has shifted underneath that duty. Operational technology — the supervisory control and industrial systems that run physical processes — was historically isolated from the corporate IT network. The drive for analytics, remote monitoring, and efficiency has connected the two, which enlarged the attack surface and, more importantly, the consequence. An intrusion that begins in IT and crosses into OT no longer just exposes data; it can stop a physical process. The seam between IT and OT is where the modern critical-infrastructure risk actually lives.
Two forces have widened that seam. The first is commercial: operators connect operational systems to analytics and remote-monitoring platforms because the efficiency is real and the board expects it. The second is the supply chain — the equipment vendors and maintenance contractors who hold remote access into operational systems to service them, a well-documented path by which an intrusion into a trusted third party becomes an intrusion into the plant. Each connection is defensible on its own terms; together they turn a process that was once physically isolated into one reachable, in principle, from the open internet, by an attacker who never has to touch the operator's own corporate network.
The asymmetry of response is the crux. In IT, the correct reaction to a suspicious host is to isolate or quarantine it; the cost is an inconvenienced user. In OT, isolating a controller can halt generation, drop a cell site, or stop a pump — the automated containment that is plainly right on the IT side can be catastrophic on the OT side. The response decision therefore demands judgement that an IT-trained playbook does not encode, and that judgement has to be defensible to two audiences at once: the national cyber authority that expects decisive action, and the safety regime that expects the physical process to keep running.
This is where an over-eager model becomes the threat. A security system that flags normal operational behaviour as malicious and triggers containment causes precisely the outage it was deployed to prevent — and that outage lands in the same quality-of-service or critical-infrastructure return the operator files with its regulator. The confidence of the model is not an academic parameter in this setting. Acting on a weak signal is not a false alarm to be cleared later; it can be the incident.
And the operator must show its working. Demonstrating compliance to the national cyber authority is not satisfied by pointing at deployed tooling; it requires showing that security decisions affecting critical processes were governed, reasoned, and documented. The operator that isolated a controller, or chose not to, has to be able to explain the basis — to the regulator, to the safety authority, and, if the call went wrong in either direction, to an inquiry. A containment decision in critical infrastructure is a compliance artefact before it is anything else.
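The asymmetry described above, written out as a containment-decision policy. This is an added illustration, not code from the page or from any of the products it describes; the zone names, thresholds and the `Alert` fields are constructed assumptions, and the point is the shape of the decision: the same detector score that isolates an IT workstation only holds on an OT controller, and even a strong OT signal is escalated to a human rather than automated, with the basis and the missing evidence recorded either way.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed example: a containment-decision policy that treats the IT and
# OT zones differently and always emits the basis for the call.
# Thresholds are illustrative assumptions, not taken from any standard.

@dataclass
class Alert:
    host: str
    zone: str                    # "IT" or "OT"
    score: float                 # detector confidence, 0.0 to 1.0
    corroborations: int          # independent signals that agree with the detector
    halts_process: bool = False  # True if isolating this host stops a physical process

POLICY = {
    "IT": {"min_score": 0.70, "min_corroborations": 1},
    "OT": {"min_score": 0.90, "min_corroborations": 2},
}

def decide(alert: Alert) -> dict:
    """Return a decision record: the action plus the evidence basis and,
    when the action is held, the evidence that is still missing."""
    rule = POLICY[alert.zone]
    missing = []
    if alert.score < rule["min_score"]:
        missing.append(f"score {alert.score:.2f} below {rule['min_score']:.2f}")
    if alert.corroborations < rule["min_corroborations"]:
        missing.append(f"{alert.corroborations} corroborating signal(s), "
                       f"need {rule['min_corroborations']}")
    if missing:
        action = "hold"       # thin signal: refuse disruptive action, record the gap
    elif alert.zone == "OT" and alert.halts_process:
        action = "escalate"   # strong evidence, but isolation stops a process:
                              # recommend, never automate; a human owns the call
    else:
        action = "isolate"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "alert": asdict(alert),
        "policy": rule,
        "action": action,
        "missing_evidence": missing,
    }

if __name__ == "__main__":
    # Constructed inputs: identical detector score on an IT workstation and an OT controller.
    print(decide(Alert("ws-14", "IT", 0.82, 1))["action"])                        # isolate
    print(decide(Alert("plc-pump-3", "OT", 0.82, 1, halts_process=True))["action"])  # hold
```

The returned record is the compliance artefact the text calls for: it carries the policy applied, the evidence seen, and what was lacking, so a held call can be explained as readily as an isolation.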
In operational technology the model's confidence is not an academic question. Acting on a weak signal can be the outage.
Where each sits.
Akki governs the IT–OT seam — what operational telemetry feeds the security model and what stays isolated — as an inspectable substrate, holding the boundary between operational and corporate data rather than letting the two merge into an unmapped attack surface. What the model can see of the physical process, and what it cannot, is itself governed and recorded.
Solva reasons over operational anomalies and refuses to recommend a disruptive containment action on a thin signal — and in this setting the refusal protects the physical process, not just the audit trail. Where the evidence does not warrant halting a controller, Solva holds and surfaces what is missing rather than triggering the outage. Underneath each containment or no-containment call sits the basis the national cyber authority and the safety regulator will both want to see. The discipline that looks like caution is what keeps the lights on.
Operational telemetry can reveal the topology of sensitive national infrastructure, which is itself something an adversary would value. Where that telemetry is processed by an external vendor or a cloud analytics service, SyniSense keeps the identifying topology detail inside the perimeter. For an operator that analyses its OT entirely in-house, this role is lighter; where vendors are involved, it is the boundary that keeps the map of the infrastructure from leaking.
For the OT security lead, the containment decision is governed rather than reflexive. A device is isolated against a reasoned, documented basis, and where the signal does not justify disrupting a physical process, the action is held — which means the security overlay stops being the thing the plant engineers quietly distrust and route around.
For compliance with the national cyber authority, the obligation to demonstrate governed security is met with artefacts. The risk assessment, the incident-response plan, and the individual containment decisions all produce a record, so a designated operator can show not just that it has tooling but that its decisions are reasoned and defensible.
For the operation itself, the false-positive outage — the self-inflicted incident in which the security system causes the disruption — becomes far less likely, because disruptive action on weak evidence is refused rather than automated. Availability and security stop being in tension at the seam.
For the regulator and the board, the IT–OT boundary moves from an unmapped liability to a governed, inspectable interface. The question that follows any critical-infrastructure incident — was the response proportionate and on what basis — has a documented answer rather than a defence assembled after the service was already down.
For the supply chain, third-party access into operational systems becomes a governed, reasoned decision rather than a standing convenience. The vendor connection that is the documented attack path is held to the same evidentiary standard as any other access to a critical process, so the remote session that should not be open is the one that is refused — and the operator can show, to the regulator and to itself, why each connection into the plant exists and on what basis it was permitted.