Location Assurance for Critical Operations and Infrastructure Resilience

A practitioner-focused overview of how location assurance supports infrastructure resilience, emergency response, and continuity planning in complex physical environments.

Written for: Operators of critical infrastructure, resilience planners, and emergency management leaders who need a realistic view of where location assurance fits into continuity, control, and investigation strategies.
Gregory Steinberg
Co-Founder & CTO, iDvera Software Inc.

Executive Summary

Critical infrastructure operators have made substantial progress in identity management, network segmentation, and system hardening. Yet for many high-consequence operations, one question remains surprisingly difficult to answer with confidence: Where, physically, is this action originating?

In routine conditions, that answer is usually inferred from badging systems, control-room layouts, and network topology. Under stress—during incidents, outages, cyber events, or physical disruptions—those proxies become unreliable. People relocate to backup sites or ad-hoc locations; emergency routing and virtual private networks reshape traffic; and access-control systems themselves may be degraded or bypassed. At the exact moment when decisions depend most on physical context, organizations often have the least reliable information about it.

This paper examines location assurance as a distinct capability supporting infrastructure resilience, emergency response coordination, and continuity planning. The focus is deliberately practical: how to integrate a physics-anchored notion of "where" into existing operational and security patterns, rather than how any particular vendor implements its algorithms.

1. Why Location Assurance Matters for Critical Operations

In critical operations such as power grids, pipelines, transportation networks, data centers, and large campuses, location is not an abstract coordinate on a map. It determines which equipment a person can physically reach, which environmental hazards they face, which procedures and regulatory regimes apply, and which communication paths are available or trustworthy. We already treat many of these distinctions implicitly: "control room versus office," "inside the perimeter versus outside," and "field crew on site versus engineer on a laptop." Location assurance is about turning those implicit assumptions into explicit, measurable, governed signals.

When systems are under stress, the gap between assumed and actual location surfaces in familiar ways:

  • Role–location mismatch: A privileged account changes a control parameter "from the control room" while the operator is actually off-site on a laptop. During incidents, such violations often go unnoticed.
  • Shadow control rooms: Staff gather in conference rooms, hotels, or improvised locations and begin issuing changes through remote sessions. Physical access controls and supervision that exist in the primary site no longer apply.
  • Unverifiable presence during emergencies: Teams must confirm that personnel have reached muster points, or that essential staff are in designated resilient locations, before proceeding with shutdowns or restarts, yet the evidence is often patchy.
  • Third-party and contractor ambiguity: External responders and contractors need emergency access. Without credible location assurance, distinguishing "authorized on-site presence" from remote access becomes difficult.

Identity, entitlements, and network controls remain necessary, but in these scenarios they are not sufficient. The missing dimension is a trustworthy assertion of where in the physical environment a person or device is, expressed with explicit uncertainty and confidence so that it can be used in security decisions, operational procedures, and later investigations.

2. Physical Environments and Their Challenges

From a geophysicist's standpoint, critical operations environments share attributes that make traditional positioning methods difficult, particularly those that depend on radio-frequency (RF) signals:

  • Dense structures and complex RF propagation: Reinforced concrete, steel framing, heavy equipment, and cable trays create severe multipath conditions for RF. Global Navigation Satellite Systems (GNSS) are degraded or absent indoors and underground. Wi-Fi and cellular positioning rely on infrastructure that may be unevenly deployed and easily mis-characterized.
  • Layered spaces and vertical complexity: Facilities are often multi-storey with mezzanines, cable basements, tunnels, galleries, and overhead structures. "Which building" is rarely enough; procedures may depend on which floor, which bay, or which side of a fire barrier or flood door an operator is on.
  • Contested or degraded communications: Cyber events, physical damage, and natural disasters can trigger emergency rerouting, satellite backhaul, and heavy use of virtual private networks. Under those conditions, it is extremely hard to draw strong conclusions about physical location from network paths alone.

The practical implication is that, for critical operations, location assurance must be anchored in physical properties of the environment itself, not just in network topology or nominal satellite fixes.

3. Signal Classes: What Can Be Trusted

It is useful to separate the different signal classes that are often lumped together as "location."

Easily spoofed or abstract signals

Logical network location (Internet Protocol addresses and subnets), application-level "location" fields, and unverified Global Positioning System or Global Navigation Satellite System fixes in RF-challenged environments. These are inexpensive and ubiquitous, but they do not constitute assurance.

Physical access and line-of-sight signals

Badge readers, physical locks, staffed control rooms, camera coverage, and human confirmation ("I can see them in the room"). These are powerful in normal conditions but fragile under disruption: doors can be propped open, cameras offline or blinded, and improvised workspaces may have no instrumentation at all.

Geophysically anchored signals

Measurements of the local environment and of the path taken through it—for example characteristics of the geomagnetic field, barometric patterns linked to altitude or floor level, and inertial signatures that reflect how a device actually moved through a facility over a short interval. These encode real physical properties of location and motion; they cannot be teleported or trivially generated at a distance.

A robust location assurance layer fuses several of these inputs into an assertion of the form: "Given the available information, this device is consistent with being in region R, with uncertainty U and confidence C, and inconsistent with most other regions that matter for this decision." For critical operations, the question is usually not "What are the exact coordinates?" but "Is this inside or outside the specific zones from which we are willing to allow this class of actions?"

3.1 What mature physics-native systems can realistically do

  • In well-characterized facilities—meaning environments that have been observed repeatedly in the course of normal operations—physics-native systems using commodity sensors can often support zone- to room-scale assurance, subject to sensor quality and the distinctiveness of the local environment. Indoors and underground, that level of performance is often tighter and more stable than Global Navigation Satellite Systems, which may be absent or erratic in those spaces.
  • In new or lightly characterized environments, the same underlying physics can usually still provide a useful regional signal from the very first traces. In practical terms, that often means being able to distinguish between a small number of widely separated operating areas, such as different campuses, facilities, or geographic regions.
  • In radio-frequency-challenged or underground environments, geophysically anchored signals continue to function even when radio-frequency-based positioning effectively disappears.

Importantly, these behaviors do not require a separate "walk the building" survey campaign before the system can contribute. A physics-native approach can begin providing useful, coarse-grained assertions on day one, based purely on the sensor trace and reference models. As normal operations continue and more traces are observed, the effective resolution and confidence improve in the background.

4. Use Cases in Critical Operations

4.1 Control Rooms and High-Risk Operations

Many sectors have operational "red zones" where particular actions carry disproportionate risk: plant shutdown commands, protection relay settings, pipeline valve and pump controls, data-center power configuration, modifications to safety-instrumented systems. Historically, these actions were physically tied to control rooms or hardened workstations. In reality, remote access, emergency workarounds, and temporary procedures have eroded those boundaries.

Location assurance allows operators to re-establish governed physical constraints around these actions by:

  • Requiring that initiating devices be in designated rooms or secure zones, not arbitrary laptops tunneled through virtual private networks.
  • Providing a physics-anchored backstop when access-control systems are degraded, for example during a power event affecting badge infrastructure.
  • Giving operations leadership a verifiable record of where high-risk changes were actually initiated during and after an incident.

4.2 Backup Facilities and Continuity of Operations

Continuity plans often define secondary control rooms, remote operations centers, and alternate facilities to be used under specific triggers. When an event occurs, staff are likely to be distributed across primary, secondary, and improvised locations, and network paths may bear little resemblance to design diagrams.

In that environment, location assurance acts as a sanity check on where control truly resides by:

  • Verifying that critical actions occur from intended alternate sites, not from uncontrolled locations.
  • Enabling policies such as: "After transitioning to Site B, actions above risk threshold X must originate from Site B or from designated resilient locations."
  • Providing an audit trail showing how physical control shifted between sites over the course of the event.

4.3 Emergency Response and Muster Management

During emergencies, two questions dominate: "Is everyone clear of danger?" and "Are the people authorized to act actually in the right place to do so?" Badge logs, manual roll calls, and radio check-ins are essential but limited.

Location assurance can complement those mechanisms by:

  • Confirming that devices, and by extension likely their users, have reached designated safe zones or muster points.
  • Identifying devices remaining in prohibited zones after an evacuation trigger, supporting more informed all-clear decisions.
  • Providing time-stamped location evidence that can be correlated with alarms and procedural steps during drills and real events.

4.4 Field Maintenance and Remote Sites

Field crews and contractors routinely work on assets in remote or minimally instrumented locations, often with intermittent connectivity. The risk is not only that a task is left undone, but that the wrong task is performed at the wrong asset or at the wrong time, with safety or environmental consequences.

In these settings, location assurance enables:

  • Verification that technicians actually visited specific sites before certain actions, such as valve operations, safety checks, and configuration changes, are logged as complete.
  • Post-event reconciliation of physical presence and action times with sensor readings and control-system logs.
  • Stronger governance around temporary workarounds and laptop-based changes executed from vehicles, laydown yards, or hotels.

5. Architectural Patterns for Integration

Location assurance is most effective when treated as one more governed signal in existing architectures, not as a standalone silo.

5.1 Location-Constrained Action Policies

Certain classes of actions can explicitly depend on where they are initiated. A typical pattern is: "This action is permitted only when the initiating device is within zone Z, with uncertainty below U and confidence above C." High-risk control operations, changes to safety-critical configuration, protection-setting adjustments, and manual overrides of automated interlocks are natural candidates.

5.2 Location-Aware Continuity States

Most operators already think in terms of operating states: normal, alert, incident, continuity mode. Location requirements can be bound to those states:

  • Normal operations: Low-risk tasks may be allowed from a wide range of locations under standard controls.
  • Elevated alert: Certain operations are restricted to hardened rooms or known resilient zones.
  • Continuity mode: Initiations of the highest-risk actions are accepted only from the active operations center(s) and a short list of pre-approved alternate sites.
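
One way to express the zone/uncertainty/confidence rule of 5.1 bound to the operating states of 5.2, for the high-risk action class only. This is an added example, not code from the paper or from any vendor; the zone names, thresholds, metre units, freshness limit and the deny-by-default behavior are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Assertion:
    """Location assertion: region R, uncertainty U, confidence C."""
    zone: str             # region R the device is consistent with
    uncertainty_m: float  # U, assumed here to be in metres
    confidence: float     # C, assumed here to be in the range 0..1
    age_s: float          # seconds since the measurement was taken

@dataclass(frozen=True)
class Rule:
    zones: frozenset          # zones Z from which the action is accepted
    max_uncertainty_m: float  # assertion must have U at or below this
    min_confidence: float     # assertion must have C at or above this

# Constructed policy for high-risk actions, keyed by operating state.
# Zone names and numbers are hypothetical.
HIGH_RISK_POLICY = {
    "normal": Rule(frozenset({"control_room_a", "site_b_ops"}), 10.0, 0.90),
    "elevated": Rule(frozenset({"control_room_a", "resilient_1"}), 10.0, 0.95),
    # After transition to Site B, the primary control room is no longer accepted.
    "continuity": Rule(frozenset({"site_b_ops", "resilient_1"}), 10.0, 0.95),
}
MAX_AGE_S = 60.0  # assumed freshness limit for an assertion

def decide(state: str, assertion: Optional[Assertion]) -> Tuple[bool, str]:
    """Return (allowed, reason); every unverifiable case is denied."""
    rule = HIGH_RISK_POLICY.get(state)
    if rule is None:
        return False, "no_rule_for_state"      # unknown state: fail closed
    if assertion is None:
        return False, "location_unverified"    # no assertion: fail closed
    if assertion.age_s > MAX_AGE_S:
        return False, "assertion_stale"
    if assertion.zone not in rule.zones:
        return False, "zone_not_permitted"
    if assertion.uncertainty_m > rule.max_uncertainty_m:
        return False, "uncertainty_too_high"
    if assertion.confidence < rule.min_confidence:
        return False, "confidence_too_low"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: same device and reading, different operating states.
    reading = Assertion("control_room_a", 5.0, 0.97, 10.0)
    for state in ("normal", "elevated", "continuity"):
        print(state, decide(state, reading))
```

The reason string is what would be written to the audit trail alongside the action, so that a denial during an incident can later be distinguished as a wrong zone, a weak assertion, or no assertion at all.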

5.3 Location-Backed Forensics and Exercises

Making location assertions a routine part of drills, exercises, and incident reconstruction yields benefits beyond any single event. Organizations can test whether the physical concentration of personnel matches plans, correlate location with log events to understand how control shifted between sites over time, and identify procedures that depend on implicit assumptions about who is "in the room" that may not hold under stress.

6. Deployment Considerations

From a practitioner's perspective, several deployment choices matter more than the details of any particular algorithm.

  • Granularity: For each use case, decide whether you need site-level assurance (which facility), building- or wing-level assurance, or floor- and room-level assurance. Most organizations only need fine-grained resolution in a limited number of high-consequence zones.
  • Coverage: Be explicit about where location assurance is expected to operate: primary and backup control rooms, key data-center halls, critical equipment areas, designated resilient locations, and selected high-value field sites.
  • Device strategy: Not all endpoints make good environmental probes. Mobile devices with suitable sensors, selected hardened laptops or tablets used for control, and external sensor modules attached to fixed workstations in key rooms are typical building blocks.
  • Failure behavior: Like any safety-relevant system, location assurance must fail in a known, governed way. It should be clear what happens when location cannot be verified, how ambiguous results are treated, and under what conditions manual overrides are allowed.
  • Workforce trust and privacy: Location assurance for critical operations is about where high-risk actions originate, not continuous tracking of individuals. Narrow scoping, clear communication about what is measured and why, data minimization, and strong access controls around location data are all important.

7. Honest Boundaries

From a geophysical perspective, location assurance is not a perfect "truth machine." It operates in noisy, dynamic environments with heterogeneous sensors and changing infrastructure. Important boundary conditions include:

  • Dynamic environments: Remodeling, equipment changes, and temporary structures will alter local conditions over time. Any system that relies on environmental properties must detect and adapt to such changes to remain reliable.
  • Sensor variability: Different devices have different sensor quality; some will never be suitable for high-confidence use and should be treated accordingly.
  • Adversary model: A sufficiently resourced attacker with physical access to a facility can attempt to manipulate both the environment and the sensors. A well-designed, physics-anchored location assurance layer will raise the cost and sophistication required to spoof presence, but it cannot make spoofing impossible.

The value proposition, therefore, is risk reduction and improved evidence, not absolute certainty. Systems should be judged on how well they integrate into existing controls, how transparently they express uncertainty, and how they behave under failure and attack.

Conclusion

Critical operations and infrastructure resilience depend on more than identities and network packets. In the scenarios that matter most—grid disturbances, industrial incidents, natural disasters, and coordinated cyber-physical attacks—the question of who did what from where becomes central to both safety and accountability. Traditional signals provide a baseline, but they tend to degrade precisely when the system is under maximum stress.

Location assurance, grounded in physical properties of the environment and integrated with existing controls, offers operators a way to constrain high-risk actions to known safe zones, to support continuity transitions between primary and backup sites, to provide verifiable evidence of physical presence when regulators and investigators ask hard questions, and to improve the fidelity of incident reconstruction and exercises.

The sooner location is treated as a first-class operational primitive, the more resilient critical infrastructure will be when it is most under pressure.