What Deloitte gets wrong in Energy
Deloitte's energy practice is one of the few consulting relationships that survives publicly documented failures. Utilities have replaced Deloitte on major modernization programs, launched internal post-mortems, and then re-engaged Deloitte for the next program. The structural reason is straightforward: the pool of consulting firms that can staff a 200-person utility technology program is small, and Deloitte is large. Scale creates captive relationships even when performance does not warrant them.
NERC CIP compliance in an Operational Technology environment is not a documentation exercise that a Big Four advisory practice can perform. The Critical Infrastructure Protection standards require technical controls — access management, patch management, supply chain risk management, incident response — that must be engineered into the OT architecture. Deloitte produces NERC CIP documentation. The OT environment that the documentation describes may not enforce the controls the documentation claims.
Grid modernization and AMI deployment programs are the current generation of utility technology engagements where Deloitte's model creates the most risk. These programs touch operational technology systems that affect grid reliability. A cybersecurity architecture gap in an AMI network is not a data breach — it is a grid stability event. Deloitte's cybersecurity advisory practice and their OT integration engineering practice are separate workstreams with separate accountability.
What we deploy instead
Our energy technology teams are OT-qualified engineers with NERC CIP compliance built into their practice, not adjacent to it. Grid modernization systems, AMI integration, and OT/IT boundary architecture are designed with NERC CIP controls enforced at the infrastructure layer.
We build energy systems that generate NERC CIP audit evidence automatically — not systems that require a compliance team to assemble documentation before the annual audit.
NERC CIP and NIST built into the architecture from day one — enforced automatically by ALICE at every commit.
Fixed-price engagements. Production system in 8-20 weeks. No discovery phase. No change orders.
Domain-qualified engineers with energy experience. The senior engineer who scopes the engagement is the senior engineer who delivers it.
Full source code and documentation transferred at close. No licensing. No managed services dependency.
The compliance difference
NERC CIP, FERC cybersecurity orders, NIST frameworks for critical infrastructure, NIS2 for European utility operations. OT compliance is architecture, not documentation.
What switching from Deloitte looks like
Energy technology engagement: 14-22 weeks. Team: 10-16 engineers with OT/ICS and NERC CIP qualification. Fixed price. Full IP transfer.
Architecture review and scope definition. We review existing deliverables and identify gaps.
Scope locked, team assembled, first sprint underway. Working code from week two.
First production milestone — a working integration or system component, not a document.
Full IP transfer. Source code, documentation, operational runbooks. Your team runs the system.
Failed Vendor Recovery Playbook
Step-by-step framework for recovering from a failed Deloitte engagement — from emergency stabilisation through full re-platforming. 4-phase playbook covering stabilise, assess, transition, and normalise.