Where each of these conversations belongs in the procurement timeline
The series closer — fifteen substantive topics mapped against eight procurement gates, with the dependencies that determine where each conversation belongs
10 min read
Hi, I'm Rajesh Khanikar
I work in OT security for a renewable energy company, which mostly means thinking about how electricity gets to the grid — from solar plants, wind farms, hydro stations, batteries, and hybrid sites — without anyone breaking in along the way.
When I'm not doing that, I'm tinkering with code, soldering something I shouldn't, cooking, or trying to outsmart fish in a Norwegian lake. Most of what shows up here is about cybersecurity, with the occasional detour into programming, electronics, food or fishing — whichever was on my bench that week.
A North African plant, an EU sponsor, a non-EU bidder, and the EU rulebook that travels down the financing chain — opening an 18-part series for suppliers
4 min read
What an SBOM is under the CRA — why the lender's risk team reads it before the security team does, and what catches non-EU OEMs out
12 min read
What an OEM-as-system-integrator inherits under IEC 62443 — zone-and-conduit risk assessment, Target Security Levels, component capability mapping
12 min read
Where the wind or solar plant ends and the substation begins is where the manufacturer's design authority ends absolutely — and why
8 min read
A 15-minute walk through five EU regulations and one framework that show up in every EU-financed renewable project — CRA, NIS2, GDPR, sustainable finance, Equator Principles
16 min read
The vetted, certified engineers and the cyber insurance schedule the lender actually reads — the human and commercial layer alongside the technical architecture
13 min read
The service contract runs five years, the asset twenty-five — and the CRA's declared support period must reflect operational lifetime, not commercial cycle
12 min read
Where the OEM's analytics telemetry actually terminates — GDPR Articles 44-49, Schrems II, and the data flow diagram the lender's DPO will read
11 min read
TLS 1.3, no SHA-1, AEAD ciphers, asset-owner PKI, hardware root of trust, secure boot, post-quantum agility — the European bid cryptographic baseline
11 min read
The plant network — its segmentation, addressing, redundancy and firewall rules — belongs to the operator, not the manufacturer. What to specify, what not to
9 min read
Sanctions and provenance disclosure for non-EU OEMs — what the lender's compliance pack contains, why a failed check has no negotiating room
11 min read
Cellular modems, Bluetooth, hidden USB ports — disabling them in firmware is not adequate. The hardware must be physically absent
8 min read
Persistent VPN tunnels are a 2015 architecture. What replaces them in EU-financed projects — unidirectional telemetry out, brokered just-in-time access in
10 min read
A plain-English buyer's guide to PLCs, RTUs, PPCs and EMSs for renewable-energy and OT-security teams — what they are, where they sit, and what to buy
19 min read
Patches arrive as signed artefacts to the asset owner's repo with documentation and rollback. The owner schedules deployment. No auto-update, no silent installs
11 min read
The asset owner's SIEM is the system of record. Devices emit standard-format logs with documented taxonomy and tamper-evident audit logs
12 min read
A printable, opinionated checklist of the documentary evidence an auditor will ask for under each numbered group of IEC 62443 — and what should never count
14 min read
The CRA requires a public coordinated vulnerability disclosure programme. A customer email list is not one. The minimum-viable PSIRT, in 4-6 weeks
11 min read
Manufacturer engineers receive named identities in the asset owner's IAM with time-bound credentials. No shared accounts, no federation at the OT boundary
11 min read
NIS2 Article 21 measure-by-measure, mapped to IEC 62443 clauses with fit ratings and the extra evidence asset owners must produce on top
31 min read
A walkthrough of IEC 62443 Part 1 — the foundation documents that define IACS, zones, conduits, SL-T/SL-A/SL-C and the seven foundational requirements
30 min read
Microsoft Copilot for 365 respects SharePoint permissions, which means it answers from whatever you can see — and never tells you what's behind the wall
3 min read
Wiring a Tesla Model Y into Home Assistant via the Fleet API — the Cloudflare Worker, the dashboard, and home-only charging meters that survive Nord Pool
7 min read
Plain-language guide to the two IEC 62443 parts every industrial OEM gets name-checked for — what 4-1 and 4-2 are, what an OEM must objectively prove, and the red flags in a compliance claim
22 min read
How IEC 62443-3-2 turns risk into a partitioned system design with target Security Levels, what IEC 62443-3-3 requires of the integrated system, and what evidence each party must put on the table
32 min read
The management-system half of IEC 62443 — how asset owners run their security programmes, how service providers prove their capabilities, and how patches actually reach the field
26 min read
An eleven-step walkthrough for working out whether Regulation (EU) 2024/2847 applies to your product — with citations at every step
31 min read
An eleven-step walkthrough for working out whether Directive (EU) 2022/2555 applies to your organisation — with citations at every step
29 min read