Critical Infrastructure: Nuclear Power

AI doesn’t just analyze evidence—it decides how to analyze it. RemiFetch adapts forensic methodology in real time based on detected patterns, automatically applying the right techniques—correlation, artifact extraction, behavioral analysis, and timeline reconstruction—to match the investigation.

By linking signals across systems and evolving its approach as new evidence emerges, AI reveals relationships and attack paths that static workflows cannot. This enables deeper insight, faster investigations, and defensible, evidence-driven conclusions.

Supported Industrial Control Systems

  • Siemens
  • Rockwell Automation
  • Emerson
  • GE Vernova
  • Schneider Electric

  • Not limited to known malware signatures, static detections, or predefined attack rules
  • Detects adversary behaviors, tradecraft patterns, and operational relationships across systems, accounts, and time
  • Helps reconstruct coordinated intrusion activity associated with foreign adversaries and hostile cyber operations
  • Identifies indicators that AI may have been leveraged for automated reconnaissance, access attempts, escalation, or disruption activity
  • Correlates activity across devices, networks, platforms, vendors, and user accounts into a unified investigative view
  • Exposes hidden attack paths, multi-stage operations, and coordinated actions that traditional tools often fail to connect
  • Produces evidence-backed findings with defensible, audit-ready timelines for intelligence, investigative, and reporting use

Remi analyzes offline nuclear OT/IT event logs to surface insider behavior, disruption tradecraft, and coordinated activity

Remi identifies adversary tradecraft in nuclear environments by linking low-signal events into behaviors: access → staging → execution → concealment. It flags suspicious access patterns (privileged use, unusual endpoints, off-hours), operational disruption indicators (unexpected command/mode changes, safety-relevant state transitions, alarm floods/silence), and persistence/covering tracks (log gaps, time shifts, unexpected configuration changes). By correlating events across OT and supporting IT systems, Remi surfaces coordinated activity that looks benign in isolation but high-risk in sequence—then packages evidence and summaries for investigation and compliance.
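The phase chaining described above (access → staging → execution → concealment, with off-hours and cross-system context as risk factors), as an added Python example that is not part of Remi or the product's own code. The pipe-separated log schema, the event-to-phase taxonomy, the two-hour window, the account names and the 22:00 to 06:00 off-hours policy are all assumptions made for the example:

```python
from datetime import datetime, timedelta

# Constructed sample of offline OT/IT events (not real plant data). The
# "timestamp|system|account|host|event" schema is an assumption of this
# example, not the product's log format.
SAMPLE_LOG = """\
2024-03-02T02:11:05|IT|jdoe|vpn-gw|remote_login
2024-03-02T02:14:30|IT|jdoe|ews-01|privileged_login
2024-03-02T02:20:12|OT|jdoe|ews-01|project_download
2024-03-02T02:31:40|OT|jdoe|plc-07|mode_change
2024-03-02T02:33:02|OT|jdoe|plc-07|log_cleared
2024-03-02T09:05:00|IT|asmith|ews-02|privileged_login
2024-03-02T09:40:00|OT|asmith|plc-03|setpoint_change
2024-03-02T14:00:00|IT|bwong|ews-02|privileged_login
"""

PHASES = ["access", "staging", "execution", "concealment"]

# Assumed taxonomy mapping raw event names onto the four phases.
PHASE_OF = {
    "remote_login": "access",
    "privileged_login": "access",
    "project_download": "staging",
    "config_read": "staging",
    "mode_change": "execution",
    "setpoint_change": "execution",
    "pump_start": "execution",
    "log_cleared": "concealment",
    "clock_set": "concealment",
}

OFF_HOURS_START, OFF_HOURS_END = 22, 6  # assumed site policy window


def parse_events(text):
    """Parse the pipe-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, account, host, event = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "system": system,
            "account": account,
            "host": host,
            "event": event,
            "phase": PHASE_OF.get(event),  # None for events outside the taxonomy
        })
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def reconstruct_sequences(events, window=timedelta(hours=2)):
    """Per account: take the first access event, then attach later events
    that advance the phase order within `window`. Phases may be skipped
    (not every intrusion stages), but the chain never goes backwards."""
    by_account = {}
    for e in events:
        if e["phase"] is not None:
            by_account.setdefault(e["account"], []).append(e)

    findings = []
    for account, evs in by_account.items():
        start = next((e for e in evs if e["phase"] == "access"), None)
        if start is None:
            continue
        chain, reached = [start], PHASES.index("access")
        for e in evs:
            if e["ts"] <= start["ts"] or e["ts"] - start["ts"] > window:
                continue
            idx = PHASES.index(e["phase"])
            if idx > reached:
                chain.append(e)
                reached = idx
        phases = [e["phase"] for e in chain]
        systems = sorted({e["system"] for e in chain})
        off_hours = is_off_hours(start["ts"])
        # Risk score: phases reached, +1 for an off-hours start, +1 if the
        # chain crosses from IT into OT (benign alone, notable in sequence).
        score = len(phases) + int(off_hours) + int(len(systems) > 1)
        findings.append({
            "account": account,
            "phases": phases,
            "hosts": [e["host"] for e in chain],
            "systems": systems,
            "off_hours": off_hours,
            "start": start["ts"].isoformat(),
            "end": chain[-1]["ts"].isoformat(),
            "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in reconstruct_sequences(parse_events(SAMPLE_LOG)):
        print(f"{f['account']:8} score={f['score']} "
              f"phases={' -> '.join(f['phases'])} off_hours={f['off_hours']}")
```

On the constructed log, jdoe's 02:11 VPN login followed by a project download, a PLC mode change and a cleared log within 22 minutes scores highest; asmith's daytime privileged login plus setpoint change is a two-phase chain that a reviewer may still want to look at; bwong's lone login scores lowest. Each finding keeps the hosts and timestamps that produced it, so the score is traceable back to evidence.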

Water & Wastewater (ICS) — Detection Catalog

Access & Authentication

Unauthorized HMI/EWS Login [Access]
Unapproved access to SCADA workstations/servers.
Privileged Account Change [Identity]
Unexpected role/group changes in OT identities.
Unapproved Remote Access Session [Remote]
Remote sessions outside policy/time window.

Process & Command Integrity

Unauthorized Pump Start/Stop [Control]
Control actions initiated by non-approved principals/hosts.
Valve Actuation Outside Operating Window [Change]
Valve changes during non-maintenance periods.
Chemical Dosing Setpoint Change [Setpoint]
Dosing adjustments that require review/authorization.
Rapid Command Oscillation (“Chatter”) [Anomaly]
Repeated toggling of pumps/valves/setpoints.

Safety & Operations Monitoring

Tank Level / Flow Anomaly Spike [Telemetry]
Sudden shifts inconsistent with baseline behavior.
Pressure/Backwash Cycle Anomaly [Operations]
Abnormal sequences that may indicate manipulation.
Alarm Flooding / Alarm Silence Pattern [Alarms]
Unusual bursts or suspicious quiet periods.

Asset & Configuration Changes

PLC/RTU Configuration Change [Config]
Controller/RTU config modifications requiring validation.
Firmware/Logic Change Detected [Baseline]
Changes to logic/firmware vs known baseline.
New OT Asset Discovered [Inventory]
New device appearing on OT segments.

Network & Segmentation

OT Zone Boundary Violation [Network]
Unexpected traffic crossing OT segmentation boundaries.
New East–West Communication Path [Network]
New peer-to-peer connections between OT nodes.
Historian/Data Gateway Anomaly [Telemetry]
Unexpected behavior in telemetry aggregation paths.

Data Integrity & Readiness

Time Sync Drift / Jump [Time]
Clock anomalies affecting event sequencing.
Telemetry Gap / Dropout [Integrity]
Missing data windows from critical sources.
Case Evidence Completeness [Readiness]
Confirms required outputs exist for export packaging.
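Three of the catalog rules above (Time Sync Drift / Jump, Telemetry Gap / Dropout, and Alarm Flooding / Alarm Silence Pattern) implemented over constructed sample data, as an added Python example that is not part of Remi or the product's own rule logic. The historian record schema, the 60 s reporting cadence, the RTU and alarm tag names, and the thresholds (a gap of three missed intervals, ten alarms per minute, thirty minutes of silence) are assumptions of this example:

```python
from datetime import datetime, timedelta

# Constructed historian stream "seq|timestamp|source|value" (not real plant
# data). The RTU is assumed to emit one record per 60 s with a monotonic
# sequence counter; schema and cadence are assumptions of this example.
TELEMETRY = """\
101|2024-03-02T02:00:00|rtu-04|12.1
102|2024-03-02T02:01:00|rtu-04|12.2
103|2024-03-02T02:02:00|rtu-04|12.1
104|2024-03-02T02:09:00|rtu-04|12.0
105|2024-03-02T02:10:00|rtu-04|12.3
106|2024-03-02T01:52:00|rtu-04|12.3
107|2024-03-02T01:53:00|rtu-04|12.4
"""

# Constructed alarm log "timestamp|tag|state": a 12-alarm burst inside 36 s,
# then nothing for almost an hour.
ALARMS = "\n".join(
    [f"2024-03-02T02:05:{s:02d}|LVL_HI|ACTIVE" for s in range(0, 36, 3)]
    + ["2024-03-02T03:01:00|PRESS_LO|ACTIVE", "2024-03-02T03:02:00|PRESS_LO|CLEARED"]
)


def parse_telemetry(text):
    """Order records by the device counter, not by the clock, so a clock
    that runs backwards is exposed rather than silently re-sorted away."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            seq, ts, source, value = line.split("|")
            recs.append({"seq": int(seq), "ts": datetime.fromisoformat(ts),
                         "source": source, "value": float(value)})
    return sorted(recs, key=lambda r: r["seq"])


def detect_sequencing_anomalies(recs, expected=timedelta(seconds=60), gap_factor=3):
    """Compare each record with its predecessor in counter order:
    clock goes backwards while the counter advances -> clock_jump;
    counter skips values -> dropped_records;
    counter advances by one but the clock advanced far more than expected -> telemetry_gap."""
    findings = []
    for prev, cur in zip(recs, recs[1:]):
        dt = cur["ts"] - prev["ts"]
        dseq = cur["seq"] - prev["seq"]
        if dt < timedelta(0):
            findings.append({"kind": "clock_jump", "after_seq": prev["seq"],
                             "detail": f"{dt.total_seconds():+.0f}s"})
        elif dseq > 1:
            findings.append({"kind": "dropped_records", "after_seq": prev["seq"],
                             "detail": f"{dseq - 1} missing"})
        elif dt > expected * gap_factor:
            findings.append({"kind": "telemetry_gap", "after_seq": prev["seq"],
                             "detail": f"{dt.total_seconds():+.0f}s"})
    return findings


def parse_alarms(text):
    alarms = []
    for line in text.splitlines():
        if line.strip():
            ts, tag, state = line.split("|")
            alarms.append({"ts": datetime.fromisoformat(ts), "tag": tag, "state": state})
    return sorted(alarms, key=lambda a: a["ts"])


def detect_alarm_patterns(alarms, flood_window=timedelta(seconds=60), flood_threshold=10,
                          silence_threshold=timedelta(minutes=30)):
    """Flood: the densest sliding window of ACTIVE alarms reaches the threshold.
    Silence: the gap between consecutive alarm records exceeds the threshold."""
    findings = []
    active = [a for a in alarms if a["state"] == "ACTIVE"]
    best, start = None, 0
    for end in range(len(active)):
        while active[end]["ts"] - active[start]["ts"] > flood_window:
            start += 1
        count = end - start + 1
        if count >= flood_threshold and (best is None or count > best["count"]):
            best = {"kind": "alarm_flood", "from": active[start]["ts"].isoformat(),
                    "to": active[end]["ts"].isoformat(), "count": count}
    if best:
        findings.append(best)
    for prev, cur in zip(alarms, alarms[1:]):
        if cur["ts"] - prev["ts"] > silence_threshold:
            findings.append({"kind": "alarm_silence", "from": prev["ts"].isoformat(),
                             "to": cur["ts"].isoformat(),
                             "duration": f"{(cur['ts'] - prev['ts']).total_seconds():.0f}s"})
    return findings


if __name__ == "__main__":
    for f in detect_sequencing_anomalies(parse_telemetry(TELEMETRY)):
        print(f)
    for f in detect_alarm_patterns(parse_alarms(ALARMS)):
        print(f)
```

Sorting telemetry by the device counter rather than by timestamp is the point of the first detector: records 106 and 107 carry clock values eighteen minutes earlier than record 105, which a timestamp-ordered view would quietly interleave into the past. The alarm detector reports the flood and the following quiet period separately, since the catalog treats a burst and an unexpected silence as two different signals.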

Nuclear Disruption Investigation Reports

  • Reads offline OT/IT event logs from the case workspace to reconstruct tradecraft as behavior, not isolated alerts
  • Maps disruption sequences across phases: access → positioning → execution → concealment
  • Flags credential misuse and privilege abuse indicators consistent with insider or adversary activity
  • Highlights unusual operator / engineering workstation activity and policy-deviating access patterns
  • Detects suspicious command origin patterns and abnormal mode / setpoint / control-action sequences
  • Elevates safety-relevant state changes that require heightened scrutiny and review
  • Surfaces concealment indicators: atypical log gaps, time/clock anomalies, and evidence-tampering signals
  • Identifies alarm manipulation patterns (flooding or silence) and configuration / logic drift that may indicate unauthorized change pathways

Remi generates this nuclear-focused report set by reading your offline OT/IT event logs from the case workspace and reconstructing adversary (or insider) tradecraft as behavior, not isolated alerts. It looks for sequences consistent with disruption operations—access → positioning → execution → concealment—including credential/privilege misuse, unusual operator/engineering workstation activity, suspicious command origin patterns, abnormal mode/setpoint/control sequences, and safety-relevant state changes that require scrutiny. It also highlights concealment indicators such as atypical log gaps, time/clock anomalies, alarm flooding or silence patterns, and configuration/logic drift that may indicate tampering or unauthorized change pathways.

Report Types

Executive_Summary.txt

What it does: High-level case overview for leadership and fast triage—key findings, severity posture, and what requires immediate review.

Operational_Narrative.txt

What it does: Investigator narrative explaining suspected disruption tradecraft as behavior sequences, linking access, actions, context, and concealment indicators.

Reactor_Event_Timeline.txt

What it does: Chronological timeline of significant events with timestamps to reconstruct “what happened when.”

Safety_System_Activity.txt

What it does: Focused view of safety-relevant activity—critical-state context and transitions requiring heightened scrutiny.

Control_Actions.txt

What it does: Summary of control actions (commands/mode changes) grouped for review of origin consistency, intent, and potential impact.

Critical_Event_Log.txt

What it does: Prioritized top-risk events for rapid triage—high-signal anomalies and safety-impacting indicators surfaced ahead of noise.

Artifact_Inventory.txt

What it does: Inventory of collected/produced artifacts and outputs to support defensible review and export packaging.

Artifact_Origin_Report.txt

What it does: Provenance and traceability—maps artifacts back to sources and acquisition context for auditability.

Evidence_Excerpts.txt

What it does: Curated excerpts of key evidence—short, relevant slices with enough context to support investigation and reporting.

Thread_Index.txt

What it does: Index of correlated investigative threads—links related events across users/hosts/assets/time windows to follow multi-step tradecraft.