Liscere

Authorised is not always appropriate.

The missing question

Every check can pass.

The action can still be wrong.

Identity ✓ Access ✓ Protocol ✓ Asset ✓ Monitoring ✓ Context ?

Oldsmar Water Treatment · 2021 · Water

At a water plant, the sodium hydroxide setpoint jumped from 100 ppm to 11,100 ppm, over 100× the normal level. Whether by intruder or by mistake, the change reached the process and nothing questioned the value itself.

Action Set chemical dose: 100 ppm → 11,100 ppm

The process runs at ~100 ppm. Why suddenly 11,100 ppm?

A valid workstation. A valid user. A valid protocol. Every check that runs today would have passed.
None of them asked whether 11,100 ppm made sense for the physical process. That is the question Liscere is built to ask.

Ukraine Power Grid · 2015 · Energy

Attackers used hijacked operator workstations to open breakers across 30 substations, cutting power to hundreds of thousands of people. Operators watched their own cursors move and could not stop it.

Action Open breakers across ~30 substations

Dozens of breakers, all at once, out of nowhere. Does this fit how the grid normally operates?

Liscere aims to learn what "normal" looks like for a process, and judge every action against it.
An action this far outside the norm is exactly what should be surfaced for review the moment it happens, not after the lights go out.

Stuxnet · 2010 · Nuclear enrichment

Malware drove centrifuge rotor speeds far outside their normal operating range, causing gradual physical destruction, while feeding recorded "normal" data back to operator screens.

Action Drive rotor RPM from ~63,000 to 84,600

A speed the centrifuges had never run before. Why now, and why at all?

Stuxnet fed operators fake "normal" readings while the centrifuges tore themselves apart.
That's where Liscere is going: judging actions against the real process state, not the one on the screen.

Why this is becoming urgent

Permission is becoming a weaker
signal of safety.

The harder question is no longer who can act, but whether the action fits the moment.

01

The door is already open.

Attackers increasingly arrive through legitimate access: stolen credentials, remote sessions, IT/OT convergence.

SANS, 2025

02

Attackers now act like operators.

They learn how the process runs and act with intent, so a malicious action looks like a legitimate one.

Dragos, 2025

03

The check that no longer fires.

When access looks valid, checking who is acting no longer reveals the attack.

As the attacker becomes indistinguishable from the operator, the only defence left is asking whether the action fits the process. That is the layer Liscere is building.

So, what is Liscere?

Liscere is a research-led venture building the next layer of industrial cybersecurity.

We are building the next layer of industrial cybersecurity: one that reads the network the way it already speaks, protocol by protocol, and turns that traffic into a picture of what the process is doing. Against that picture, every action gets weighed. Not who sent it, not whether it is permitted, but whether it still makes sense. A judgment that sits beside the tools already in place, without asking you to rebuild what runs today.

The attacks aimed at critical infrastructure grow sharper every year. The defences guarding it have barely moved, and much of what runs the world is too old, or too critical, to touch. So the gap widens: more valid ways in, and no one asking what happens once an action is already inside. The name says it. From the Latin licere, to be permitted, Liscere begins there and moves past it, because in a live process, permitted is no longer the same as safe.

Security that understands the traffic, not just the credentials.

And how does it work?

From traffic to judgment.

The approach we are researching, in four steps. Each one is an open problem we are working to solve.

  1. 01

    Observe

    Read industrial protocol traffic as it flows, without sitting in the path of the process.

    The hard part: extracting meaning from raw control-system communication, across protocols never designed to be read by a third party.

  2. 02

    Reconstruct

    Turn that traffic into a live picture of what the process is doing: its state, its rhythm, its normal.

    The hard part: inferring physical-process context from the network alone, with no sensors and no changes to the plant.

  3. 03

    Evaluate

    Weigh each action against that picture. Does this command fit the state the process is in right now?

    The hard part: judging legitimacy in context, where the same valid action can be right in one moment and harmful in the next.

  4. 04

    Decide

    Produce a verdict, and the evidence behind it.

    The hard part: a verdict an operator can review, made in time to matter.

Each one is an open research problem. Together, they are the layer that does not exist yet.

Built on evidence

Built from research.
Tested in controlled OT scenarios.

Liscere originates from doctoral research, turning a rigorous academic question into a practical layer of cybersecurity for industrial systems.

Collaborate Research OT Lab GitHub

Liscere 2026