
Critical Infrastructure: Nuclear Power

AI doesn’t just analyze evidence; it decides how to analyze it. RemiFetch adapts its forensic methodology in real time to the patterns it detects, applying the techniques that fit the investigation: correlation, artifact extraction, behavioral analysis, and timeline reconstruction.

By linking signals across systems and evolving its approach as new evidence emerges, AI reveals relationships and attack paths that static workflows cannot. This enables deeper insight, faster investigations, and defensible, evidence-driven conclusions.

Supported Industrial Control Systems

  • Siemens
  • Rockwell Automation
  • Emerson
  • GE Vernova
  • Schneider Electric

  • Not limited to known malware signatures, static detections, or predefined attack rules
  • Detects adversary behaviors, tradecraft patterns, and operational relationships across systems, accounts, and time
  • Helps reconstruct coordinated intrusion activity associated with foreign adversaries and hostile cyber operations
  • Identifies indicators that AI may have been leveraged for automated reconnaissance, access attempts, escalation, or disruption activity
  • Correlates activity across devices, networks, platforms, vendors, and user accounts into a unified investigative view
  • Exposes hidden attack paths, multi-stage operations, and coordinated actions that traditional tools often fail to connect
  • Produces evidence-backed findings with defensible, audit-ready timelines for intelligence, investigative, and reporting use

Remi analyzes offline nuclear OT/IT event logs to surface insider behavior, disruption tradecraft, and coordinated activity

Remi identifies adversary tradecraft in nuclear environments by linking low-signal events into behaviors: access → staging → execution → concealment. It flags suspicious access patterns (privileged use, unusual endpoints, off-hours activity), operational disruption indicators (unexpected command or mode changes, safety-relevant state transitions, alarm floods or alarm silence), and persistence or covering-tracks indicators (log gaps, time shifts, unexpected configuration changes). By correlating events across OT and supporting IT systems, Remi surfaces coordinated activity that looks benign in isolation but is high-risk in sequence, then packages the evidence and summaries for investigation and compliance.
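The phase-sequence correlation described above, written out as an added example; this is not Remi's own code. It assumes a constructed pipe-delimited event layout (timestamp, actor, host, event kind, detail), an assumed mapping from event kinds to the four phases, an assumed 00:00-05:59 off-hours window, and a six-hour correlation window. Every event in the sample carries at most a weak flag on its own; the chain is what makes it reportable.

```python
"""Phase-sequence correlation over offline OT/IT event logs (added example)."""
from datetime import datetime, timedelta

# Constructed sample log; field layout is an assumption for illustration.
SAMPLE_EVENTS = [
    "2024-03-02T02:11:05 | svc_eng | EWS-07 | login | privileged=true",
    "2024-03-02T02:14:40 | svc_eng | EWS-07 | remote_session | vendor_vpn",
    "2024-03-02T02:31:12 | svc_eng | PLC-12 | config_change | block=FB_COOL_LOOP",
    "2024-03-02T02:33:50 | svc_eng | PLC-12 | mode_change | RUN->PROGRAM",
    "2024-03-02T02:35:02 | svc_eng | HMI-03 | alarm_suppress | group=COOL_LOOP",
    "2024-03-02T02:40:19 | svc_eng | EWS-07 | log_cleared | channel=Security",
    "2024-03-02T09:05:00 | op_day1 | HMI-01 | login | privileged=false",
    "2024-03-02T09:20:00 | op_day1 | HMI-01 | setpoint_change | FT-101 12.0->12.5",
]

PHASES = ("access", "staging", "execution", "concealment")
PHASE_OF = {  # assumed mapping of event kinds to tradecraft phases
    "login": "access", "remote_session": "access",
    "config_change": "staging", "firmware_change": "staging",
    "mode_change": "execution", "setpoint_change": "execution",
    "command": "execution", "safety_state_change": "execution",
    "alarm_suppress": "concealment", "log_cleared": "concealment",
    "clock_change": "concealment",
}
OFF_HOURS = range(0, 6)  # assumed: 00:00-05:59 is outside the staffed shift

def parse(line):
    ts, actor, host, kind, detail = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "host": host,
            "kind": kind, "detail": detail, "phase": PHASE_OF.get(kind)}

def weak_signals(ev):
    """Per-event flags; each one is low confidence by itself."""
    flags = []
    if ev["kind"] == "login" and "privileged=true" in ev["detail"]:
        flags.append("privileged_login")
    if ev["ts"].hour in OFF_HOURS:
        flags.append("off_hours")
    if ev["phase"] == "concealment":
        flags.append("anti_forensic")
    return flags

def correlate(lines, window=timedelta(hours=6)):
    """Group events by actor and walk them in time order, looking for the
    access -> staging -> execution -> concealment progression inside `window`.
    Returns a list of chains, each a list of events in phase order."""
    by_actor = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["phase"]:
            by_actor.setdefault(ev["actor"], []).append(ev)
    chains = []
    for evs in by_actor.values():
        i = 0
        while i < len(evs):
            start = evs[i]
            if start["phase"] != PHASES[0]:
                i += 1
                continue
            chain, want, j = [start], 1, i + 1
            while j < len(evs) and want < len(PHASES):
                ev = evs[j]
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["phase"] == PHASES[want]:
                    chain.append(ev)
                    want += 1
                j += 1
            if want == len(PHASES):
                chains.append(chain)
                i = j  # events already consumed by a chain are not reused
            else:
                i += 1
    return chains

def report(chains):
    """Render each chain with the weak per-event flags that support it."""
    out = []
    for chain in chains:
        out.append(f"actor={chain[0]['actor']} span="
                   f"{chain[0]['ts']:%H:%M}-{chain[-1]['ts']:%H:%M}")
        for ev in chain:
            out.append(f"  {ev['phase']:<12} {ev['ts']:%H:%M:%S} {ev['host']:<7} "
                       f"{ev['kind']} {ev['detail']} flags={weak_signals(ev)}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(correlate(SAMPLE_EVENTS)))
```

The day-shift operator's login and setpoint change never form a chain because no staging or concealment event follows them; the overnight service account does, and the chain spans 24 minutes of events that each look routine on their own.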

Water & Wastewater (ICS) — Detection Catalog


Access & Authentication

Unauthorized HMI/EWS Login [Access]
Unapproved access to SCADA workstations/servers.
Privileged Account Change [Identity]
Unexpected role/group changes in OT identities.
Unapproved Remote Access Session [Remote]
Remote sessions outside policy/time window.

Process & Command Integrity

Unauthorized Pump Start/Stop [Control]
Control actions initiated by non-approved principals/hosts.
Valve Actuation Outside Operating Window [Change]
Valve changes during non-maintenance periods.
Chemical Dosing Setpoint Change [Setpoint]
Dosing adjustments that require review/authorization.
Rapid Command Oscillation (“Chatter”) [Anomaly]
Repeated toggling of pumps/valves/setpoints.

Safety & Operations Monitoring

Tank Level / Flow Anomaly Spike [Telemetry]
Sudden shifts inconsistent with baseline behavior.
Pressure/Backwash Cycle Anomaly [Operations]
Abnormal sequences that may indicate manipulation.
Alarm Flooding / Alarm Silence Pattern [Alarms]
Unusual bursts or suspicious quiet periods.

Asset & Configuration Changes

PLC/RTU Configuration Change [Config]
Controller/RTU config modifications requiring validation.
Firmware/Logic Change Detected [Baseline]
Changes to logic/firmware vs known baseline.
New OT Asset Discovered [Inventory]
New device appearing on OT segments.

Network & Segmentation

OT Zone Boundary Violation [Network]
Unexpected traffic crossing OT segmentation boundaries.
New East–West Communication Path [Network]
New peer-to-peer connections between OT nodes.
Historian/Data Gateway Anomaly [Telemetry]
Unexpected behavior in telemetry aggregation paths.

Data Integrity & Readiness

Time Sync Drift / Jump [Time]
Clock anomalies affecting event sequencing.
Telemetry Gap / Dropout [Integrity]
Missing data windows from critical sources.
Case Evidence Completeness [Readiness]
Confirms required outputs exist for export packaging.
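Four of the catalog rules above (Rapid Command Oscillation, Alarm Flooding / Alarm Silence, Time Sync Drift / Jump, Telemetry Gap / Dropout) implemented over constructed sample data, as an added example that is not Remi's own rule engine. Thresholds (four toggles per minute, ten times the baseline alarm rate, a 15-minute silence, a one-hour forward clock jump, three missed 10-second samples) and the tuple layouts are assumptions to be tuned against a site baseline.

```python
"""Detection-catalog rules over constructed OT samples (added example)."""
from datetime import datetime, timedelta

def t(s):
    """Constructed timestamp helper: time-of-day on one fixed date."""
    return datetime.fromisoformat("2024-03-02T" + s)

# --- Rapid Command Oscillation ("Chatter") ---------------------------------
COMMANDS = [  # constructed: (time, tag, command)
    (t("10:00:00"), "P-201", "START"), (t("10:00:07"), "P-201", "STOP"),
    (t("10:00:15"), "P-201", "START"), (t("10:00:21"), "P-201", "STOP"),
    (t("10:00:30"), "P-201", "START"), (t("10:00:38"), "P-201", "STOP"),
    (t("10:30:00"), "V-118", "OPEN"),  (t("11:45:00"), "V-118", "CLOSE"),
]

def command_chatter(cmds, window=timedelta(seconds=60), min_toggles=4):
    """Flag a tag whose commanded value changes >= min_toggles times in a window."""
    findings, by_tag = [], {}
    for ts, tag, cmd in sorted(cmds):
        by_tag.setdefault(tag, []).append((ts, cmd))
    for tag, seq in by_tag.items():
        toggles = [ts for (ts, cmd), (_, prev) in zip(seq[1:], seq) if cmd != prev]
        for i, start in enumerate(toggles):
            n = sum(1 for x in toggles[i:] if x - start <= window)
            if n >= min_toggles:
                findings.append((tag, start, n))
                break  # one finding per tag is enough for triage
    return findings

# --- Alarm Flooding / Alarm Silence ----------------------------------------
ALARMS = (  # constructed alarm timestamps
    [t("11:50:00"), t("11:52:00"), t("11:55:00"), t("11:58:00")]
    + [t(f"12:00:{s:02d}") for s in range(0, 60, 2)]   # 30 alarms in one minute
    + [t("12:01:10"), t("12:01:40"), t("12:25:00")]   # then a 23-minute silence
)

def alarm_pattern(alarms, baseline_per_min=1.0, flood_factor=10,
                  silence=timedelta(minutes=15)):
    """Flood: a 60 s window holding >= flood_factor x baseline alarms.
    Silence: a gap longer than `silence` while the baseline expects alarms."""
    alarms, findings = sorted(alarms), []
    for i, start in enumerate(alarms):
        n = sum(1 for x in alarms[i:] if x - start < timedelta(seconds=60))
        if n >= baseline_per_min * flood_factor:
            findings.append(("alarm_flood", start, n))
            break
    for prev, cur in zip(alarms, alarms[1:]):
        if cur - prev > silence:
            findings.append(("alarm_silence", prev, cur - prev))
    return findings

# --- Time Sync Drift / Jump --------------------------------------------------
SEQ_LOG = [  # constructed: (sequence number, logged timestamp) from one host
    (1, t("13:00:00")), (2, t("13:00:05")), (3, t("13:00:10")),
    (4, t("12:20:10")),                      # clock set back 40 minutes
    (5, t("12:20:15")), (6, t("14:50:00")),  # then a forward jump of ~2.5 h
]

def time_anomalies(records, max_forward=timedelta(hours=1)):
    """Walk records in sequence-number order; a timestamp that runs backwards
    or leaps forward beyond max_forward breaks event ordering for the case."""
    findings = []
    ordered = [ts for _, ts in sorted(records)]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur < prev:
            findings.append(("clock_backward", prev, cur))
        elif cur - prev > max_forward:
            findings.append(("clock_forward_jump", prev, cur))
    return findings

# --- Telemetry Gap / Dropout -------------------------------------------------
TELEMETRY = (  # constructed: one historian tag sampled every 10 s
    [t("15:00:00") + timedelta(seconds=10 * i) for i in range(12)]   # to 15:01:50
    + [t("15:09:00") + timedelta(seconds=10 * i) for i in range(6)]  # resumes 15:09
)

def telemetry_gaps(samples, period=timedelta(seconds=10), tolerance=3):
    """Flag any inter-sample gap longer than tolerance x the expected period."""
    samples = sorted(samples)
    return [(prev, cur) for prev, cur in zip(samples, samples[1:])
            if cur - prev > period * tolerance]

if __name__ == "__main__":
    print(command_chatter(COMMANDS))
    print(alarm_pattern(ALARMS))
    print(time_anomalies(SEQ_LOG))
    print(telemetry_gaps(TELEMETRY))
```

The time-sync and telemetry-gap rules are deliberately kept separate even though both look at gaps: a forward clock jump on one host shows up in the sequence-numbered log of that host, while a historian dropout shows up in a tag's sample cadence, and the two need different corroborating evidence before either is called concealment.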

Nuclear Disruption Investigation Reports

  • Reads offline OT/IT event logs from the case workspace to reconstruct tradecraft as behavior, not isolated alerts
  • Maps disruption sequences across phases: access → positioning → execution → concealment
  • Flags credential misuse and privilege abuse indicators consistent with insider or adversary activity
  • Highlights unusual operator / engineering workstation activity and policy-deviating access patterns
  • Detects suspicious command origin patterns and abnormal mode / setpoint / control-action sequences
  • Elevates safety-relevant state changes that require heightened scrutiny and review
  • Surfaces concealment indicators: atypical log gaps, time/clock anomalies, and evidence-tampering signals
  • Identifies alarm manipulation patterns (flooding or silence) and configuration / logic drift that may indicate unauthorized change pathways

Remi generates this nuclear-focused report set by reading your offline OT/IT event logs from the case workspace and reconstructing adversary (or insider) tradecraft as behavior, not isolated alerts. It looks for sequences consistent with disruption operations—access → positioning → execution → concealment—including credential/privilege misuse, unusual operator/engineering workstation activity, suspicious command origin patterns, abnormal mode/setpoint/control sequences, and safety-relevant state changes that require scrutiny. It also highlights concealment indicators such as atypical log gaps, time/clock anomalies, alarm flooding or silence patterns, and configuration/logic drift that may indicate tampering or unauthorized change pathways.

Report Types

ICS Nuclear Focused Reports

Remi packages nuclear OT/SCADA evidence into confirmation-bound reports covering safety-system state, procedure access, control actions, alarms, radiation and process monitoring, artifacts, and preservation-ready investigative threads.

Executive_Summary.txt
What it does: Provides the case-level briefing: strongest evidence patterns, affected nuclear systems, safety-boundary considerations, confidence limits, and what requires examiner confirmation.
Operational_Narrative.txt
What it does: Reconstructs the operational story across protected access, procedure activity, control actions, system-state changes, alarms, monitoring signals, and suspicious access.
Nuclear_Event_Timeline.txt
What it does: Builds a chronological sequence with date/time first, showing access, procedure events, control-system changes, safety-system state, alarms, monitoring changes, and source-backed snippets.
Safety_System_State_Report.txt
What it does: Focuses on safety-system status, protection logic, interlocks, trip-related states, cooling or control-loop indicators, and before/after changes that require expert review.
Control_Rod_Cooling_System_Report.txt
What it does: Reviews control rod, cooling, valve, pump, loop, and auxiliary system activity when those signals are present in the imported source logs.
Radiation_Process_Monitoring_Report.txt
What it does: Captures radiation monitor, process monitor, sensor, threshold, and abnormal reading evidence while keeping conclusions confirmation-bound for specialist review.
Procedure_Access_Activity_Report.txt
What it does: Summarizes procedure access, protected engineering access, account activity, operator actions, vendor sessions, authorization context, and source-backed identity signals.
Control_Action_Summary.txt
What it does: Rolls up commands, overrides, setpoint/configuration changes, procedure-linked actions, and control-system changes by origin, timing, and operational context.
Telemetry_Alarm_Report.txt
What it does: Captures telemetry loss, alarm suppression, alarm floods, stale displays, console mismatch, annunciator gaps, and monitoring conditions that may hide the true system state.
Safety_Boundary_Impact_Assessment.txt
What it does: Provides a cautious, confirmation-bound assessment of whether the evidence pattern could relate to safety boundaries, protected systems, monitoring integrity, or operational continuity.
Remote_Access_Artifact_Report.txt
What it does: Links remote access, vendor sessions, malware, AI agents, spawned bots, scripts, payloads, hashes, command paths, and sandbox-preservation targets to nuclear events when supported by evidence.
Artifact_Inventory.txt
What it does: Lists collected logs, generated outputs, suspicious binaries, scripts, payloads, memory targets, hashes, and preservation-ready evidence artifacts.
Artifact_Origin_Report.txt
What it does: Maps where artifacts came from: vendor source file, protected system, workstation, account, source IP, import batch, detection rule, correlation path, or analysis finding.
Evidence_Excerpts.txt
What it does: Preserves source-backed snippets and row references that support the report narrative, including procedure access, safety-state, control action, telemetry, radiation/process monitoring, and artifact evidence when present.
Thread_Index.txt
What it does: Indexes investigative threads across detection flags, correlation paths, analysis findings, evidence snippets, report sections, and remaining examiner questions.