25  Security Architecture & Threat Model

Audience: Kav AI engineering + client security reviewers + SOC 2 auditors.
Purpose: back the read-only OT/SCADA claims with an actual architecture and threat analysis; foundation for SOC 2 and the client trust whitepaper.
Reference: IEC 62443; OWASP threat modeling; STRIDE; MITRE ATT&CK for ICS; Palantir deployment/security materials.

25.1 Sections

  1. System architecture — components, trust zones, data flows (tie to PRD Figures 1, 2.1).
  2. Trust boundaries — Purdue level placement (Kav AI at L3.5+); OT/IT DMZ.
  3. Read-only enforcement — the three controls (access rights, DMZ write-rejection, firewall port restriction) described as enforced architecture, not just policy.
  4. Threat model (STRIDE per data flow) — spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege — for OPC UA ingest, historian, LLM, web app, on-prem.
  5. ICS-specific threats — map relevant MITRE ATT&CK for ICS techniques and how the read-only/no-actuation posture mitigates them.
  6. Identity, secrets, supply chain — reference PRD App F.7; expand to design level.
  7. Deployment-tier differences — cloud vs. customer-cloud vs. air-gapped threat surface.
  8. Residual risks & assumptions.

25.2 Maintenance

Source of truth for the client Security & Trust Whitepaper. Keep consistent with PRD App F.