
Critical Infrastructure: Water Treatment

AI doesn’t just analyze evidence—it decides how to analyze it. RemiFetch adapts forensic methodology in real time based on detected patterns, automatically applying the right techniques—correlation, artifact extraction, behavioral analysis, and timeline reconstruction—to match the investigation.

By linking signals across systems and evolving its approach as new evidence emerges, AI reveals relationships and attack paths that static workflows cannot. This enables deeper insight, faster investigations, and defensible, evidence-driven conclusions.

  • Analyzes offline water treatment OT/SCADA event logs locally—beyond simple signature or rule-only checks
  • Correlates activity across operator consoles (HMI), engineering workstations, and control network segments over time
  • Flags suspicious operational changes—pump/valve actions, chemical dosing setpoints, and configuration changes that impact process stability
  • Highlights alarm manipulation patterns (flooding or silence) and safety-relevant state transitions that require review
  • Identifies insider-risk signals—privileged misuse, off-hours access, unusual command origin, and policy deviations
  • Surfaces concealment indicators—log gaps, time anomalies, and unusual tooling—without manual stitching across sources
  • Produces evidence-backed findings with defensible timelines for incident response, regulatory review, and case export

Supported ICS Platforms

Remi analyzes event log data from a wide range of industrial control system platforms and operational technologies commonly deployed across critical infrastructure environments. The system supports logs and data generated by leading ICS, SCADA, PLC, and automation vendors used in plant operations, grid control, and utility infrastructure. By normalizing and correlating activity across these systems, Remi enables investigators to reconstruct operational events, identify suspicious engineering changes, and detect adversarial behaviors across complex OT environments regardless of the vendor platform involved.

  • Siemens – PLCs, SCADA systems, and water utility automation platforms
  • Schneider Electric – SCADA systems, PLCs, and water infrastructure automation
  • Rockwell Automation (Allen-Bradley) – PLCs and industrial control systems used in treatment plants
  • Emerson – plant automation and distributed control systems
  • ABB – process automation and water infrastructure control systems
  • Xylem / YSI – water monitoring systems and treatment process controls
  • Honeywell – industrial control systems and plant monitoring platforms
  • Mitsubishi Electric – PLCs and automation systems used in water facilities
  • Yokogawa – distributed control systems and process automation platforms
  • Endress+Hauser – instrumentation and process control systems for water treatment

Remi analyzes offline water treatment OT/SCADA event logs to surface insider behavior, disruption tradecraft, and coordinated activity.

Water treatment is critical infrastructure—when it’s disrupted, the impact is immediate: public health, continuity of operations, and community stability. Remi analyzes offline water treatment OT/SCADA event logs to surface insider threat signals, coordinated disruption behaviors, and concealment patterns, then organizes them into a defensible timeline and evidence-backed findings for rapid response and escalation. All processing is local-first and offline, supporting sensitive investigations without sending operational data to the cloud.

Critical Infrastructure: Water Treatment — Detection Catalog


Access & Authentication

  • Unauthorized HMI/EWS Login (Access): Unapproved access to SCADA workstations/servers.
  • Privileged Account Change (Identity): Unexpected role/group changes in OT identities.
  • Unapproved Remote Access Session (Remote): Remote sessions outside policy/time window.

Process & Command Integrity

  • Unauthorized Pump Start/Stop (Control): Control actions initiated by non-approved principals/hosts.
  • Valve Actuation Outside Operating Window (Change): Valve changes during non-maintenance periods.
  • Chemical Dosing Setpoint Change (Setpoint): Dosing adjustments that require review/authorization.
  • Rapid Command Oscillation (“Chatter”) (Anomaly): Repeated toggling of pumps/valves/setpoints.

Safety & Operations Monitoring

  • Tank Level / Flow Anomaly Spike (Telemetry): Sudden shifts inconsistent with baseline behavior.
  • Pressure/Backwash Cycle Anomaly (Operations): Abnormal sequences that may indicate manipulation.
  • Alarm Flooding / Alarm Silence Pattern (Alarms): Unusual bursts or suspicious quiet periods.

Asset & Configuration Changes

  • PLC/RTU Configuration Change (Config): Controller/RTU config modifications requiring validation.
  • Firmware/Logic Change Detected (Baseline): Changes to logic/firmware vs. known baseline.
  • New OT Asset Discovered (Inventory): New device appearing on OT segments.

Network & Segmentation

  • OT Zone Boundary Violation (Network): Unexpected traffic crossing OT segmentation boundaries.
  • New East–West Communication Path (Network): New peer-to-peer connections between OT nodes.
  • Historian/Data Gateway Anomaly (Telemetry): Unexpected behavior in telemetry aggregation paths.

Data Integrity & Readiness

  • Time Sync Drift / Jump (Time): Clock anomalies affecting event sequencing.
  • Telemetry Gap / Dropout (Integrity): Missing data windows from critical sources.
  • Case Evidence Completeness (Readiness): Confirms required outputs exist for export packaging.
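As an added example, not Remi's own code: a small Python detector that implements three of the catalog's detections (Unapproved Remote Access Session, Rapid Command Oscillation, Time Sync Drift / Jump) over constructed sample OT events. The event tuple layout, the approved remote-access window (07:00 to 19:00) and the chatter threshold (four commands on one asset within 120 seconds) are assumptions, not product defaults.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample OT events in log (ingestion) order, not real plant data:
# (timestamp, source host, principal, event kind, target asset)
EVENTS = [
    ("2024-03-01T02:15:00", "jumphost-1", "vendor-acct", "remote_session_start", "hmi-2"),
    ("2024-03-01T09:00:00", "ews-1", "eng-a", "remote_session_start", "plc-3"),
    ("2024-03-01T09:05:00", "hmi-2", "op-b", "cmd_pump_start", "pump-1"),
    ("2024-03-01T09:05:20", "hmi-2", "op-b", "cmd_pump_stop", "pump-1"),
    ("2024-03-01T09:05:40", "hmi-2", "op-b", "cmd_pump_start", "pump-1"),
    ("2024-03-01T09:06:00", "hmi-2", "op-b", "cmd_pump_stop", "pump-1"),
    ("2024-03-01T09:07:00", "plc-3", "system", "heartbeat", "plc-3"),
    ("2024-03-01T08:30:00", "plc-3", "system", "heartbeat", "plc-3"),  # clock stepped backwards
]

def parsed(events):
    """Yield events with the ISO timestamp converted to a datetime."""
    for ts, host, user, kind, target in events:
        yield datetime.fromisoformat(ts), host, user, kind, target

def remote_sessions_outside_window(events, start=time(7, 0), end=time(19, 0)):
    """Unapproved Remote Access Session: session starts outside the assumed 07:00-19:00 window."""
    return [(ts.isoformat(), host, user, target)
            for ts, host, user, kind, target in parsed(events)
            if kind == "remote_session_start" and not (start <= ts.time() < end)]

def command_chatter(events, window_s=120, min_cmds=4):
    """Rapid Command Oscillation: min_cmds or more commands on one target inside any window_s-second window."""
    by_target = defaultdict(list)
    for ts, _host, _user, kind, target in parsed(events):
        if kind.startswith("cmd_"):
            by_target[target].append(ts)
    hits = []
    for target, times in by_target.items():
        times.sort()
        if any((times[i + min_cmds - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - min_cmds + 1)):
            hits.append(target)
    return hits

def time_jumps(events, max_forward_s=3600):
    """Time Sync Drift / Jump: per-source timestamps that step backwards or leap forward between consecutive records."""
    last, hits = {}, []
    for ts, host, _user, _kind, _target in parsed(events):
        if host in last:
            delta = (ts - last[host]).total_seconds()
            if delta < 0 or delta > max_forward_s:
                hits.append((host, last[host].isoformat(), ts.isoformat()))
        last[host] = ts
    return hits
```

Each function returns the hits rather than printing them so the results can be fed into a timeline or case export.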

Near-Instant AI-Generated Reporting

Remi analyzes offline water treatment OT/SCADA event logs to expose disruption tradecraft and insider-risk behavior—linking suspicious access, pump/valve actions, chemical dosing setpoint changes, alarm manipulation, and concealment signals into a single, defensible timeline. The report set turns fragmented operational data into evidence-backed findings and correlated investigative threads for rapid response, escalation, and regulatory review—local-first and offline.

Executive_Summary.txt

What it does: High-level overview for leadership and rapid triage—top findings, operational risk posture, and what requires immediate review.

Operational_Narrative.txt

What it does: Investigator narrative that explains suspicious water-treatment activity as a sequence of behaviors, linking access, actions taken, operational context, and concealment indicators.

System_State_Timeline.txt

What it does: Time-ordered timeline of significant system and process-state events to reconstruct “what happened when.”

Device_Activity_Report.txt

What it does: Device-centric activity summary (HMI/EWS, PLC/RTU, gateways) highlighting unusual behavior, new/changed assets, and deviations from baseline operations.

Control_Action_Summary.txt

What it does: Roll-up of control actions—pump/valve operations, chemical dosing setpoints, and other commands—grouped for review of intent, origin consistency, and potential impact.

Anomaly_Report.txt

What it does: Prioritized anomalies across telemetry and operations—unexpected timing, unusual sequences, spikes/gaps, and patterns that warrant investigation.

Artifact_Inventory.txt

What it does: Inventory of collected/produced artifacts and outputs to support defensible review, completeness checks, and export packaging.

Artifact_Origin_Report.txt

What it does: Provenance and traceability—maps artifacts back to sources and acquisition context for auditability and evidence review.

Evidence_Excerpts.txt

What it does: Curated excerpts of key evidence—short, relevant slices with enough context to support investigation, reporting, and stakeholder briefings.

Thread_Index.txt

What it does: Index of correlated investigative threads—links related events across users/hosts/assets/time windows to follow multi-step behavior rather than isolated alerts.