Case Studies
Three illustrative deployment scenarios demonstrating C-PAP across different sectors, operating contexts, and delivery models.
Note: These case studies use fictitious organisations to illustrate C-PAP deployment scenarios. They are representative of real-world deployment patterns but do not describe actual client engagements.
Meridian Energy UK
Sector: Energy & Utilities — generation, transmission, and distribution
Operating Context: Converged IT/OT (Capability Level 3)
Deployment Model: On-premises, air-gapped
Challenge
Meridian Energy UK operates generation, transmission, and distribution infrastructure across multiple sites with a mix of legacy SCADA systems and modern smart grid technology. The organisation faced overlapping compliance obligations under the NIS Regulations, NCSC CAF, IEC 62443, and Ofgem expectations — each managed as a separate compliance programme with duplicated evidence collection and inconsistent reporting.
Approach
C-PAP was deployed on-premises in an air-gapped configuration within the operational technology network boundary. The full CCM — including D14 (OT/ICS Security) and D16 (Critical Infrastructure Resilience) overlay domains — was configured to address the complete regulatory landscape. A single assessment programme replaced four separate compliance workflows.
Outcome
Unified compliance reporting across CAF, NIS, IEC 62443, and Ofgem requirements from a single assessment baseline. Evidence reuse eliminated duplication across framework-specific audits. Board-level assurance reporting provided converged IT/OT risk visibility for the first time.
Vanguard Aerostructures
Sector: Aerospace — civil and defence aerostructures manufacturing
Operating Context: IT Compliance + OT Security (Capability Levels 1 & 2)
Deployment Model: Hybrid — private cloud (enterprise IT) with on-premises (manufacturing OT)
Challenge
Vanguard Aerostructures supplies aerostructure components to multiple civil and defence OEMs, each imposing distinct cybersecurity requirements. DEF STAN 05-138 for UK MOD programmes, CMMC 2.0 for US defence work, DO-326A for civil airworthiness, and ISO 27001 for enterprise governance created four parallel compliance programmes with substantial duplication.
Approach
C-PAP was deployed as a hybrid configuration: private cloud instance for enterprise IT governance, with an on-premises deployment at the manufacturing facility for OT-related controls. The D14 OT/ICS overlay provided dedicated governance for CNC machining centres and quality control systems alongside the enterprise IT baseline.
Outcome
Single assessment producing evidence for DEF STAN, CMMC, DO-326A, and ISO 27001 compliance simultaneously. Reduced audit preparation time and eliminated inconsistency between framework-specific submissions. Supply chain assurance position strengthened for new programme bids.
Northstar Maritime Group
Sector: Marine — commercial shipping and port operations
Operating Context: Converged (Capability Level 3)
Deployment Model: Hybrid — SaaS (shore-side) with on-vessel instances
Challenge
Northstar Maritime Group operates a fleet of commercial vessels alongside port and logistics infrastructure. IACS UR E26/E27 classification requirements, IMO cyber risk management guidelines, NIS Regulations for port operations, and ISM Code cyber extensions created a fragmented compliance landscape spanning vessel-level OT and shore-side enterprise systems.
Approach
C-PAP was deployed as a hybrid model: SaaS instance for shore-side enterprise governance and fleet management, with lightweight on-vessel instances for OT assessment data collection during voyages. The D14 OT/ICS overlay addressed propulsion, navigation, and cargo handling system governance. Assessment data synchronised to the central instance when vessel connectivity was available.
Outcome
Fleet-wide assurance visibility across vessel OT and shore-side IT from a single governance platform. Classification society audit preparation consolidated across IACS E26/E27, IMO, and NIS requirements. Consistent governance applied across the fleet regardless of individual vessel connectivity constraints.