
Critical Infrastructure: Electric Grid

AI doesn’t just analyze evidence—it decides how to analyze it. RemiFetch adapts forensic methodology in real time based on detected patterns, automatically applying the right techniques—correlation, artifact extraction, behavioral analysis, and timeline reconstruction—to match the investigation.

By linking signals across systems and evolving its approach as new evidence emerges, AI reveals relationships and attack paths that static workflows cannot. This enables deeper insight, faster investigations, and defensible, evidence-driven conclusions.

  • Not dependent on known malware signatures or predefined rules
  • Detects patterns, behaviors, and relationships across systems and time
  • Adapts forensic methods dynamically based on the evidence and context
  • Correlates activity across accounts, devices, networks, and platforms automatically
  • Identifies multi-stage and coordinated attacks traditional tools often miss
  • Surfaces hidden relationships and attack paths without manual stitching
  • Produces evidence-backed findings with defensible, audit-ready timelines

Supported Platforms

  • Siemens Energy – grid automation, protection relays, substation control systems
  • Schneider Electric – SCADA platforms, energy management systems, grid control
  • GE Vernova – grid control systems, protection relays, EMS/SCADA platforms
  • ABB – substation automation, protection relays, grid control technologies
  • Hitachi Energy – grid automation, protection systems, substation control
  • SEL (Schweitzer Engineering Laboratories) – protective relays, grid monitoring, automation
  • Emerson – power plant and grid control systems (Ovation DCS)
  • Rockwell Automation – PLCs and industrial control platforms used in grid facilities
  • Honeywell – industrial control systems and plant automation
  • Mitsubishi Electric – protection relays and substation automation systems

Reconstruct Electric Grid Disruption Tradecraft

Remi analyzes offline electric grid OT/IT event logs to surface insider behavior, grid disruption tradecraft, and coordinated activity across substations, SCADA systems, protection relays, and dispatch operations. By correlating events across control networks, engineering workstations, and grid telemetry, Remi helps investigators identify unauthorized commands, protection system tampering, abnormal load or frequency events, and multi-site coordination that may indicate adversarial attempts to disrupt electric infrastructure.

Critical Infrastructure: Electric Grid — Detection Catalog


AI-Assisted Tradecraft Indicators

AI API Usage from ICS Environment [AI]
Detects calls from ICS hosts to external AI APIs or cloud LLM services that may indicate AI-assisted adversary tradecraft inside operational environments.
Automation Agent Framework Indicators [AI]
Identifies artifacts suggesting use of automation agents or orchestration frameworks to coordinate actions across electric grid systems.
Local LLM Tooling Present on ICS Asset [AI]
Flags local AI or LLM tooling installed on engineering workstations or other grid control assets where such tooling is not expected.
Prompt / LLM Artifact Indicators in Logs [AI]
Detects prompt fragments, model artifacts, or related traces in event logs that may suggest AI-enabled operator assistance or adversary experimentation.

Access & Authentication

Unauthorized SCADA Login [Access]
Detects logins to SCADA or EMS environments by unauthorized users, from unauthorized workstations, or at unusual times, where the session affects visibility into or control of grid operations.
Unauthorized Substation Operator Logins at Odd Hours [Identity]
Flags operator authentication events that occur outside expected dispatch, maintenance, or engineering schedules.
Compromise of Dispatch Center Operator Account [Identity]
Identifies indicators that dispatch center credentials may have been hijacked, misused, or leveraged for unauthorized grid actions.
Remote VPN Access Without Authorization [Remote]
Detects unauthorized VPN or remote access into utility control networks, substations, or engineering environments.
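As an added example, not Remi's own code, the following Python shows the kind of check behind the odd-hours and unauthorized-workstation detections above, run over constructed SCADA/EMS authentication log lines. The log format, the per-account shift table and the workstation allowlist are assumptions; a real deployment would pull them from the utility's scheduling and asset systems. It also handles the shift that crosses midnight, which a naive start-to-end comparison gets wrong.

```python
"""Odd-hours and unauthorized-workstation login detection over constructed
SCADA/EMS authentication log lines (added example, not Remi's own code)."""
from datetime import datetime, time
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) site=(?P<site>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)

# Assumed authorization data: approved shift windows per account (UTC here)
# and the workstations each account may log in from.
SHIFTS = {
    "dispatch1": [(time(6, 0), time(14, 0))],
    "dispatch2": [(time(14, 0), time(22, 0))],
    "dispatch3": [(time(22, 0), time(6, 0))],   # night shift crosses midnight
    "eng_maint": [(time(8, 0), time(17, 0))],
}
ALLOWED_HOSTS = {
    "dispatch1": {"DISP-HMI-01", "DISP-HMI-02"},
    "dispatch2": {"DISP-HMI-01", "DISP-HMI-02"},
    "dispatch3": {"DISP-HMI-01", "DISP-HMI-02"},
    "eng_maint": {"ENG-WS-03"},
}

# Constructed sample log: an in-shift login, a 03:12 login by a day-shift
# dispatcher, an engineering login from an unlisted laptop, an account with no
# authorization record, a legitimate night-shift login, and a failed attempt.
SAMPLE_LOG = """\
2024-05-12T09:05:11Z site=SUB-07 user=dispatch1 host=DISP-HMI-01 result=SUCCESS
2024-05-12T03:12:40Z site=SUB-07 user=dispatch1 host=DISP-HMI-02 result=SUCCESS
2024-05-12T10:30:02Z site=SUB-07 user=eng_maint host=LAPTOP-7731 result=SUCCESS
2024-05-12T10:31:15Z site=SUB-07 user=contractor9 host=ENG-WS-03 result=SUCCESS
2024-05-12T03:15:00Z site=SUB-07 user=dispatch3 host=DISP-HMI-01 result=SUCCESS
2024-05-12T03:15:00Z site=SUB-07 user=dispatch2 host=DISP-HMI-02 result=FAIL
"""


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def in_shift(user, ts):
    """True if ts falls inside one of the user's approved shift windows."""
    t = ts.time()
    for start, end in SHIFTS.get(user, []):
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:   # window wraps past midnight
            return True
    return False


def audit_logins(text=SAMPLE_LOG):
    """Findings for successful logins that are off-shift, from an unlisted
    workstation, or by an account with no authorization record."""
    findings = []
    for e in parse_log(text):
        if e["result"] != "SUCCESS":
            continue   # failed attempts belong in a separate brute-force check
        reasons = []
        if e["user"] not in SHIFTS:
            reasons.append("unknown account")
        else:
            if not in_shift(e["user"], e["ts"]):
                reasons.append("outside approved shift")
            if e["host"] not in ALLOWED_HOSTS.get(e["user"], set()):
                reasons.append("unlisted workstation")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "host": e["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_logins():
        print(f)
```

Run against the sample, three of the five successful logins are flagged; the 03:15 night-shift login passes because the midnight-crossing window is evaluated correctly.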

Process & Command Integrity

Breaker Trip Injection [Control]
Detects unauthorized breaker trip commands that may interrupt transmission, distribution, or substation operations.
Unauthorized Substation Command Injection [Control]
Flags malicious or unapproved commands targeting substation automation equipment, RTUs, or IED control paths.
SCADA Command Replay Attack [Replay]
Detects replay of legitimate SCADA control messages intended to repeat previously valid actions against grid assets.
Substation Switchgear Forced Open / Close [Switching]
Identifies forced or abnormal switchgear open/close activity outside approved operating sequences.
Unauthorized Control of Automatic Load Balancer [Balancer]
Detects manipulation of automatic load balancing controls that could destabilize distribution or transmission operations.
Unauthorized Remote Disconnect of Substations [Remote]
Flags remote disconnect actions against substation assets that are not associated with authorized operational procedures.
Malicious Command Flooding to SCADA Bus [Flooding]
Detects high-volume command bursts intended to overwhelm SCADA communications or obscure operator awareness.
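As an added example, not Remi's own code, the following Python runs three of the checks in this section over a constructed control-command log: breaker trips and switching commands are matched against approved switching orders (the injection and forced-switching detections), a repeated source/sequence-number pair is reported as a replay, and a burst of commands from one source inside a short window is reported as flooding. The log format, the work-order record, and the 10-second/5-command flood threshold are assumptions.

```python
"""Unauthorized, replayed and flooded SCADA control command detection over a
constructed command log (added example, not Remi's own code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) site=(?P<site>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"asset=(?P<asset>\S+) cmd=(?P<cmd>\S+) seq=(?P<seq>\d+)$"
)

# Constructed sample: an authorized trip, a replay of it six seconds later, and
# a burst of six trips from an HMI service account with no matching work order.
SAMPLE_LOG = """\
2024-05-12T02:14:03Z site=SUB-07 src=10.20.7.15 op=jdoe asset=CB-12 cmd=TRIP seq=1041
2024-05-12T02:14:09Z site=SUB-07 src=10.20.7.15 op=jdoe asset=CB-12 cmd=TRIP seq=1041
2024-05-12T02:31:44Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-04 cmd=TRIP seq=88
2024-05-12T02:31:45Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-05 cmd=TRIP seq=89
2024-05-12T02:31:46Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-06 cmd=TRIP seq=90
2024-05-12T02:31:47Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-07 cmd=TRIP seq=91
2024-05-12T02:31:48Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-08 cmd=TRIP seq=92
2024-05-12T02:31:49Z site=SUB-07 src=10.20.7.99 op=svc_hmi asset=CB-09 cmd=TRIP seq=93
"""

# Assumed approved switching orders: who may issue which command on which
# asset, and during which window.
WORK_ORDERS = [
    {"id": "WO-2291", "site": "SUB-07", "asset": "CB-12", "cmd": "TRIP", "op": "jdoe",
     "start": "2024-05-12T02:00:00Z", "end": "2024-05-12T03:00:00Z"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # not a command line in the expected format
        e = m.groupdict()
        e["ts"] = parse_ts(e["ts"])
        e["seq"] = int(e["seq"])
        events.append(e)
    return events


def is_authorized(e, orders):
    """A command is authorized if an order covers the same site, asset, command
    and operator, and the command time falls inside the order's window."""
    for wo in orders:
        if (e["site"], e["asset"], e["cmd"], e["op"]) == (wo["site"], wo["asset"], wo["cmd"], wo["op"]) \
                and parse_ts(wo["start"]) <= e["ts"] <= parse_ts(wo["end"]):
            return True
    return False


def find_unauthorized(events, orders=WORK_ORDERS):
    return [e for e in events if not is_authorized(e, orders)]


def find_replays(events):
    """A (source, sequence number) pair seen twice is a replay candidate. A
    stricter variant would key on a hash of the whole protocol frame."""
    seen, replays = {}, []
    for e in events:
        key = (e["src"], e["seq"])
        if key in seen:
            replays.append({**e, "first_seen": seen[key]})
        else:
            seen[key] = e["ts"]
    return replays


def find_floods(events, window_s=10, threshold=5):
    """One alert per source per burst of >= threshold commands in window_s."""
    recent, alerted, floods = defaultdict(deque), set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            if e["src"] not in alerted:
                alerted.add(e["src"])
                floods.append({"src": e["src"], "ts": e["ts"], "count": len(q)})
        else:
            alerted.discard(e["src"])   # burst ended; a new one may alert again
    return floods


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"unauthorized": find_unauthorized(events),
            "replays": find_replays(events),
            "floods": find_floods(events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, len(hits))
```

The replayed trip at 02:14:09 passes the work-order check (same operator, asset and window) and is caught only by the sequence-number check, which is why the three detections are kept separate rather than folded into one score.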

Grid Stability & Operations

Load Shedding Frequency Instability Attacks [Operations]
Detects manipulation attempts involving load shedding sequences, frequency balancing, or stability controls across the grid.
Generator Manipulation (Frequency / Voltage) [Generation]
Identifies abnormal commands or telemetry suggesting manipulation of generator frequency or voltage behavior.
Frequency Oscillation Anomalies [Anomaly]
Flags oscillation patterns or abnormal frequency swings that may indicate disruption or coordinated control activity.
Grid-Wide Oscillation Detection [Cross-Substation Anomaly, Telemetry]
Detects oscillation patterns spanning multiple substations that may indicate wide-area instability or coordinated attacks.
Emergency Load Shedding Disabled [Safety]
Identifies unauthorized disabling of emergency load shedding mechanisms intended to protect grid stability.
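As an added example, not Remi's own code, the following Python shows one way to turn a frequency telemetry stream into the oscillation finding described above: a single-bin DFT over the 0.1 to 2 Hz electromechanical band finds the dominant mode, and comparing its amplitude in the first and second half of the window separates a post-disturbance ring-down (which decays and is normally benign) from a sustained or growing oscillation (which is the case worth correlating with control and protection actions). The telemetry is constructed by the block itself; the 60 Hz nominal, 10 samples per second rate and the 10 mHz alert floor are assumptions.

```python
"""Sustained-vs-damped frequency oscillation classification over constructed
frequency telemetry (added example, not Remi's own code)."""
import cmath
import math

NOMINAL_HZ = 60.0      # assumption: 60 Hz system (use 50.0 on 50 Hz grids)
SAMPLE_RATE = 10.0     # assumption: 10 frequency reports per second (PMU-style)
BAND = (0.1, 2.0)      # inter-area and local electromechanical modes, Hz
MIN_AMPLITUDE = 0.01   # assumed alert floor in Hz; tune to the system's history


def constructed_frequency(seconds=30, osc_hz=0.0, amp=0.0, decay=0.0):
    """Constructed telemetry: nominal frequency plus an optional oscillation of
    `amp` Hz at `osc_hz` whose envelope decays at `decay` per second."""
    n = int(seconds * SAMPLE_RATE)
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE
        f = NOMINAL_HZ + amp * math.exp(-decay * t) * math.sin(2 * math.pi * osc_hz * t)
        f += 0.003 * math.sin(2 * math.pi * 3.3 * t)   # measurement ripple outside BAND
        samples.append(f)
    return samples


def amplitude_at(dev, f, rate=SAMPLE_RATE):
    """Amplitude in Hz of a sinusoid at frequency f in the deviation series,
    from a single-frequency DFT: 2 * |X(f)| / N."""
    n = len(dev)
    x = sum(v * cmath.exp(-2j * math.pi * f * i / rate) for i, v in enumerate(dev))
    return 2 * abs(x) / n


def dominant_oscillation(samples, rate=SAMPLE_RATE, nominal=NOMINAL_HZ, band=BAND):
    """(frequency, amplitude) of the strongest DFT bin inside band."""
    dev = [s - nominal for s in samples]
    n = len(dev)
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    best = (0.0, 0.0)
    for k in range(k_lo, k_hi + 1):
        f = k * rate / n
        a = amplitude_at(dev, f, rate)
        if a > best[1]:
            best = (f, a)
    return best


def classify(samples, rate=SAMPLE_RATE, nominal=NOMINAL_HZ):
    """'none': no significant mode. 'damped': the mode is dying out, as after a
    cleared fault. 'sustained': amplitude holding or growing over the window."""
    f, a = dominant_oscillation(samples, rate, nominal)
    if a < MIN_AMPLITUDE:
        return "none"
    dev = [s - nominal for s in samples]
    half = len(dev) // 2
    first = amplitude_at(dev[:half], f, rate)
    second = amplitude_at(dev[half:], f, rate)
    return "sustained" if second >= 0.7 * first else "damped"


if __name__ == "__main__":
    print(classify(constructed_frequency()))
    print(classify(constructed_frequency(osc_hz=0.7, amp=0.05)))
    print(classify(constructed_frequency(osc_hz=0.7, amp=0.05, decay=0.1)))
```

The half-window comparison is deliberately crude; a production detector would fit a damping ratio per mode and compare against the utility's own small-signal stability limits. The point the example makes is that amplitude alone does not distinguish a benign ring-down from a sustained oscillation.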

Protection, Device, & Firmware Tampering

Protection Relay Setting Change [Protection]
Detects unauthorized modifications to protection relay settings that could alter fault response and coordination.
GOOSE or SV Spoof / Replay [IEC 61850]
Flags spoofed or replayed GOOSE or Sampled Values traffic affecting protection or substation automation workflows.
Malware in Substation RTUs or IEDs [Malware]
Detects suspicious execution patterns or artifacts indicating malware presence on RTUs, IEDs, or related substation devices.
Unauthorized Firmware Change in IEDs [Firmware]
Identifies firmware changes to intelligent electronic devices outside authorized engineering or maintenance activities.
Unexpected Firmware Downgrade on RTUs [Firmware]
Detects suspicious rollback or downgrade activity affecting RTUs that may weaken controls or restore vulnerable states.
Tampering with Protection Relays [Tamper]
Flags direct tampering, manipulation, or unexpected state changes affecting substation protection relays.
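As an added example, not Remi's own code, the following Python applies the sequencing rules of IEC 61850-8-1 GOOSE to detect the replay and spoof cases listed above: stNum increments once per state change and sqNum restarts at 0, sqNum increments on each retransmission of the same state, and the t field (time of the last state change) must not change between retransmissions. The messages are constructed, already-decoded records rather than output of a real packet decoder; the control block reference and publisher MAC are made up.

```python
"""GOOSE replay and spoof detection from stNum/sqNum/t sequencing over
constructed, already-decoded messages (added example, not Remi's own code)."""

COUNTER_MOD = 2 ** 32   # IEC 61850-8-1: stNum and sqNum are 32-bit unsigned counters

PUB = "00:30:a7:01:02:03"         # legitimate publisher MAC (constructed)
GCB = "SUB7IED1/LLN0$GO$gcb01"    # control block reference (constructed)

# Constructed decoded messages in capture order. stNum increments on a state
# change (sqNum resets to 0), sqNum increments on each retransmission, and t is
# the time of the last state change, unchanged across retransmissions.
SAMPLE_MSGS = [
    {"gocb": GCB, "stNum": 5, "sqNum": 0, "t": 1000.000, "src": PUB},
    {"gocb": GCB, "stNum": 5, "sqNum": 1, "t": 1000.000, "src": PUB},
    {"gocb": GCB, "stNum": 5, "sqNum": 2, "t": 1000.000, "src": PUB},
    {"gocb": GCB, "stNum": 6, "sqNum": 0, "t": 1003.250, "src": PUB},   # real state change
    {"gocb": GCB, "stNum": 5, "sqNum": 1, "t": 1000.000, "src": PUB},   # replay of message 2
    {"gocb": GCB, "stNum": 9, "sqNum": 0, "t": 1004.000, "src": "aa:bb:cc:dd:ee:ff"},  # spoof
    {"gocb": GCB, "stNum": 6, "sqNum": 1, "t": 1003.250, "src": PUB},   # legitimate retransmission
]

REPLAY_REASONS = {"stNum went backwards", "sqNum did not advance"}


def check_goose(msgs):
    """Return alerts as (index, kind, reasons). Flagged messages do not update
    the tracked state, so a replay or spoof cannot desynchronise the tracker."""
    state = {}    # gocb -> (stNum, sqNum, t, src) of the last accepted message
    alerts = []
    for i, m in enumerate(msgs):
        last = state.get(m["gocb"])
        if last is None:
            state[m["gocb"]] = (m["stNum"], m["sqNum"], m["t"], m["src"])
            continue
        st, sq, t, src = last
        reasons = []
        delta = (m["stNum"] - st) % COUNTER_MOD   # modular difference survives counter wrap
        if delta == 0:                              # retransmission of the same state
            dsq = (m["sqNum"] - sq) % COUNTER_MOD
            if dsq == 0 or dsq >= COUNTER_MOD // 2:
                reasons.append("sqNum did not advance")
            if m["t"] != t:
                reasons.append("t changed without a new stNum")
        elif delta == 1:                            # expected state change
            if m["sqNum"] != 0:
                reasons.append("sqNum not reset on state change")
            if m["t"] <= t:
                reasons.append("t did not advance on state change")
        elif delta < COUNTER_MOD // 2:              # forward jump: lost frames or injected states
            reasons.append("stNum skipped %d states" % (delta - 1))
        else:                                       # went backwards: an old frame reappeared
            reasons.append("stNum went backwards")
        if m["src"] != src:
            reasons.append("publisher MAC changed")
        if not reasons:
            state[m["gocb"]] = (m["stNum"], m["sqNum"], m["t"], m["src"])
            continue
        kind = "replay" if any(r in REPLAY_REASONS for r in reasons) else "spoof"
        alerts.append((i, kind, reasons))
    return alerts


if __name__ == "__main__":
    for alert in check_goose(SAMPLE_MSGS):
        print(alert)
```

A forward stNum jump on its own is weak evidence, since dropped frames produce the same symptom; it becomes strong when paired with a changed source MAC, a wrong VLAN or ingress port, or a timeAllowedToLive that does not match the publisher's configured retransmission profile, none of which this example checks.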

Network, Multi-Site Coordination, & Evidence

DoS on SCADA Network [Network]
Detects denial-of-service conditions affecting SCADA communications, control availability, or operator visibility.
Communication Loss Between Substations [Network]
Flags unexpected communication loss between substations, field assets, or utility control environments.
Coordinated Attack Across Multiple Substations [Multi-Site]
Detects synchronized malicious activity spanning multiple substations or geographically distributed grid assets.
Coordinated Fault Injection Across Substations [Multi-Site]
Identifies deliberate, coordinated fault injection patterns affecting multiple substations at once.
False Telemetry Data Integrity Attack [Integrity]
Detects falsified or manipulated telemetry values intended to distort operational awareness or hide coordinated actions.
Unauthorized Access to Grid State Estimation Logs [Logs]
Flags access to grid state estimation logs or analysis outputs by unauthorized users or systems.
Insider Data Historian Tampering [Historian]
Detects unauthorized modification or deletion of historian data that could undermine forensic reconstruction and operator confidence.
Suspicious Parallel Operator Sessions at Dispatch [Dispatch]
Flags overlapping operator sessions or concurrent dispatch activity that may indicate misuse, credential sharing, or adversary presence.
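As an added example, not Remi's own code, the following Python implements the cross-site correlation behind the two Multi-Site detections above: normalized events of one type are grouped into bursts by time gap, and a burst that touches at least a minimum number of distinct substations is reported as coordinated activity. The event records are constructed; the two-minute gap and three-site threshold are assumptions.

```python
"""Coordinated multi-substation activity detection over constructed normalized
OT events (added example, not Remi's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized events (timestamp, substation, event type, asset), as a
# log normalizer would emit them from relay, RTU and SCADA sources.
SAMPLE_EVENTS = [
    ("2024-05-12T02:40:05Z", "SUB-03", "BREAKER_TRIP", "CB-02"),
    ("2024-05-12T02:40:19Z", "SUB-07", "BREAKER_TRIP", "CB-12"),
    ("2024-05-12T02:40:31Z", "SUB-11", "BREAKER_TRIP", "CB-01"),
    ("2024-05-12T02:40:44Z", "SUB-19", "BREAKER_TRIP", "CB-05"),
    ("2024-05-12T02:41:02Z", "SUB-07", "BREAKER_TRIP", "CB-13"),          # same site again
    ("2024-05-12T11:15:00Z", "SUB-03", "BREAKER_TRIP", "CB-02"),          # isolated, hours later
    ("2024-05-12T02:40:20Z", "SUB-07", "RELAY_SETTING_CHANGE", "R-12"),   # single site only
    ("2024-05-13T02:40:11Z", "SUB-05", "BREAKER_TRIP", "CB-08"),          # next day
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_coordinated(events=SAMPLE_EVENTS, max_gap_s=120, min_sites=3):
    """Group each event type into bursts (consecutive events no more than
    max_gap_s apart) and report bursts spanning >= min_sites substations."""
    bursts = defaultdict(list)    # event type -> list of bursts, each a list of events
    last_ts = {}
    for ts_s, site, etype, asset in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_s)
        if etype not in last_ts or ts - last_ts[etype] > timedelta(seconds=max_gap_s):
            bursts[etype].append([])   # gap too long: start a new burst
        bursts[etype][-1].append((ts, site, asset))
        last_ts[etype] = ts

    clusters = []
    for etype, blist in bursts.items():
        for b in blist:
            sites = sorted({s for _, s, _ in b})
            if len(sites) >= min_sites:
                clusters.append({"type": etype, "sites": sites, "events": len(b),
                                 "start": b[0][0].isoformat(), "end": b[-1][0].isoformat()})
    return sorted(clusters, key=lambda c: c["start"])


if __name__ == "__main__":
    for c in find_coordinated():
        print(c)
```

A cluster is a triage signal, not a verdict: a system-wide fault or an ordered load shed also trips breakers at several substations within seconds, so each cluster still has to be reconciled against dispatch orders, fault recorder data and the command-log checks in the Process & Command Integrity section.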

Investigation Report Package
  • Executive_Summary.txt
  • Operational_Narrative.txt
  • System_State_Timeline.txt
  • Device_Activity_Report.txt
  • Control_Action_Summary.txt
  • Anomaly_Report.txt
  • Artifact_Inventory.txt
  • Artifact_Origin_Report.txt
  • Evidence_Excerpts.txt
  • Thread_Index.txt