
Critical Infrastructure: Water Treatment

AI doesn’t just analyze evidence—it decides how to analyze it. RemiFetch adapts forensic methodology in real time based on detected patterns, automatically applying the right techniques—correlation, artifact extraction, behavioral analysis, and timeline reconstruction—to match the investigation.

By linking signals across systems and evolving its approach as new evidence emerges, AI reveals relationships and attack paths that static workflows cannot. This enables deeper insight, faster investigations, and defensible, evidence-driven conclusions.

  • Analyzes offline water treatment OT/SCADA event logs locally, beyond simple signature or rule-only checks
  • Correlates activity across operator consoles (HMI), engineering workstations, and control network segments over time
  • Flags suspicious operational changes: pump/valve actions, chemical dosing setpoints, and configuration changes that impact process stability
  • Highlights alarm manipulation patterns (flooding or silence) and safety-relevant state transitions that require review
  • Identifies insider-risk signals: privileged misuse, off-hours access, unusual command origin, and policy deviations
  • Surfaces concealment indicators (log gaps, time anomalies, and unusual tooling) without manual stitching across sources
  • Produces evidence-backed findings with defensible timelines for incident response, regulatory review, and case export

Supported ICS Platforms

Remi analyzes event log data from a wide range of industrial control system platforms and operational technologies commonly deployed across critical infrastructure environments. The system supports logs and data generated by leading ICS, SCADA, PLC, and automation vendors used in plant operations, grid control, and utility infrastructure. By normalizing and correlating activity across these systems, Remi enables investigators to reconstruct operational events, identify suspicious engineering changes, and detect adversarial behaviors across complex OT environments regardless of the vendor platform involved.

  • Siemens – PLCs, SCADA systems, and water utility automation platforms
  • Schneider Electric – SCADA systems, PLCs, and water infrastructure automation
  • Rockwell Automation (Allen-Bradley) – PLCs and industrial control systems used in treatment plants
  • Emerson – plant automation and distributed control systems
  • ABB – process automation and water infrastructure control systems
  • Xylem / YSI – water monitoring systems and treatment process controls
  • Honeywell – industrial control systems and plant monitoring platforms
  • Mitsubishi Electric – PLCs and automation systems used in water facilities
  • Yokogawa – distributed control systems and process automation platforms
  • Endress+Hauser – instrumentation and process control systems for water treatment

Remi analyzes offline water treatment OT/SCADA event logs to surface insider behavior, disruption tradecraft, and coordinated activity.

Water treatment is critical infrastructure—when it’s disrupted, the impact is immediate: public health, continuity of operations, and community stability. Remi analyzes offline water treatment OT/SCADA event logs to surface insider threat signals, coordinated disruption behaviors, and concealment patterns, then organizes them into a defensible timeline and evidence-backed findings for rapid response and escalation. All processing is local-first and offline, supporting sensitive investigations without sending operational data to the cloud.

Critical Infrastructure: Water Treatment — Detection Catalog


Access & Authentication

  • Unauthorized HMI/EWS Login (Access): Unapproved access to SCADA workstations/servers.
  • Privileged Account Change (Identity): Unexpected role/group changes in OT identities.
  • Unapproved Remote Access Session (Remote): Remote sessions outside policy/time window.

Process & Command Integrity

  • Unauthorized Pump Start/Stop (Control): Control actions initiated by non-approved principals/hosts.
  • Valve Actuation Outside Operating Window (Change): Valve changes during non-maintenance periods.
  • Chemical Dosing Setpoint Change (Setpoint): Dosing adjustments that require review/authorization.
  • Rapid Command Oscillation, “Chatter” (Anomaly): Repeated toggling of pumps/valves/setpoints.

Safety & Operations Monitoring

  • Tank Level / Flow Anomaly Spike (Telemetry): Sudden shifts inconsistent with baseline behavior.
  • Pressure/Backwash Cycle Anomaly (Operations): Abnormal sequences that may indicate manipulation.
  • Alarm Flooding / Alarm Silence Pattern (Alarms): Unusual bursts or suspicious quiet periods.

Asset & Configuration Changes

  • PLC/RTU Configuration Change (Config): Controller/RTU config modifications requiring validation.
  • Firmware/Logic Change Detected (Baseline): Changes to logic/firmware vs. known baseline.
  • New OT Asset Discovered (Inventory): New device appearing on OT segments.

Network & Segmentation

  • OT Zone Boundary Violation (Network): Unexpected traffic crossing OT segmentation boundaries.
  • New East–West Communication Path (Network): New peer-to-peer connections between OT nodes.
  • Historian/Data Gateway Anomaly (Telemetry): Unexpected behavior in telemetry aggregation paths.

Data Integrity & Readiness

  • Time Sync Drift / Jump (Time): Clock anomalies affecting event sequencing.
  • Telemetry Gap / Dropout (Integrity): Missing data windows from critical sources.
  • Case Evidence Completeness (Readiness): Confirms required outputs exist for export packaging.
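As an added illustration (not Remi's own code or output), the Python below sketches the kind of detection logic behind two catalog entries, Rapid Command Oscillation and Time Sync Drift / Jump, run over constructed sample event lines; the record layout, field names, and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample OT/SCADA event lines (not from any real plant).
# Fields: timestamp, source host, user, asset, action
SAMPLE_LOG = """\
2024-03-01T02:00:05 hmi-01 operator1 PUMP-3 START
2024-03-01T02:00:09 hmi-01 operator1 PUMP-3 STOP
2024-03-01T02:00:12 hmi-01 operator1 PUMP-3 START
2024-03-01T02:00:15 hmi-01 operator1 PUMP-3 STOP
2024-03-01T02:00:18 hmi-01 operator1 PUMP-3 START
2024-03-01T01:10:00 hmi-01 operator1 VALVE-7 CLOSE
2024-03-01T02:30:00 ews-02 engineer2 PLC-1 CONFIG_WRITE
"""

def parse_events(text):
    """Parse whitespace-separated records in the assumed layout above."""
    events = []
    for line in text.splitlines():
        ts, host, user, asset, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "asset": asset, "action": action})
    return events

def detect_chatter(events, min_toggles=4, window=timedelta(seconds=30)):
    """Flag assets with min_toggles or more control actions inside a sliding
    window (the catalog's 'Rapid Command Oscillation'). Events are consumed
    in log order; a per-asset deque holds timestamps still inside the window."""
    recent = defaultdict(deque)
    hits = set()
    for ev in events:
        q = recent[ev["asset"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_toggles:
            hits.add(ev["asset"])
    return sorted(hits)

def detect_time_anomalies(events, max_gap=timedelta(minutes=15)):
    """Flag backwards clock steps and silent stretches longer than max_gap
    between consecutive records ('Time Sync Drift / Jump', 'Telemetry Gap')."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta < timedelta(0):
            findings.append(("clock_step_backwards", prev["ts"], cur["ts"]))
        elif delta > max_gap:
            findings.append(("gap", prev["ts"], cur["ts"]))
    return findings
```

On the sample, PUMP-3 is flagged for chatter, and the out-of-order VALVE-7 record and the following 80-minute silence each produce a time finding that an examiner would want to reconcile before trusting the timeline.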

Near-Instant AI-Generated Reporting

Remi analyzes offline water treatment OT/SCADA event logs to expose disruption tradecraft and insider-risk behavior—linking suspicious access, pump/valve actions, chemical dosing setpoint changes, alarm manipulation, and concealment signals into a single, defensible timeline. The report set turns fragmented operational data into evidence-backed findings and correlated investigative threads for rapid response, escalation, and regulatory review—local-first and offline.

ICS Water Focused Reports

Remi analyzes offline water treatment OT/SCADA evidence to connect suspicious access, pump and valve actions, chemical dosing changes, water-quality anomalies, telemetry gaps, and service-continuity risk.

Executive_Summary.txt
What it does: Provides the case-level briefing: key water-system findings, affected assets, public-health or service-continuity concerns, confidence limits, and required examiner confirmation.
Operational_Narrative.txt
What it does: Reconstructs the operational story across treatment, distribution, SCADA/HMI activity, operator actions, suspicious access, and process changes.
Water_Process_Timeline.txt
What it does: Builds a chronological water-process sequence with date/time first, showing pump, valve, tank, reservoir, pressure, flow, dosing, alarms, before/after states, and evidence snippets.
Asset_Activity_Report.txt
What it does: Summarizes activity by pump, valve, PLC, RTU, HMI, tank, reservoir, chemical feed system, sensor, or facility so examiners can see which assets changed.
Control_Action_Summary.txt
What it does: Rolls up pump starts/stops, valve open/close actions, dosing changes, setpoint edits, overrides, and commands by source, timing, and operational effect.
Water_Quality_Anomaly_Report.txt
What it does: Focuses on chlorine, turbidity, pH, conductivity, contamination-adjacent indicators, abnormal sensor values, and water-quality thresholds that require review.
Pressure_Flow_Level_Report.txt
What it does: Reviews pressure drops/spikes, abnormal flow, tank or reservoir level changes, pump/valve relationships, and distribution-system stability indicators.
Chemical_Dosing_Report.txt
What it does: Tracks chemical feed status, dosing setpoints, over-dosing, under-dosing, disabled feed systems, manual overrides, and source-backed dosing changes.
Telemetry_Alarm_Report.txt
What it does: Captures telemetry loss, alarm suppression, alarm floods, stale HMI values, console mismatch, sensor gaps, and why operators may not have seen the true process state.
Public_Health_Service_Continuity_Assessment.txt
What it does: Provides a confirmation-bound assessment of whether the evidence pattern could affect potable water quality, distribution pressure, treatment continuity, or service availability.
Artifact_Inventory.txt
What it does: Lists collected logs, generated outputs, suspicious binaries, scripts, payloads, memory targets, hashes, and preservation-ready evidence artifacts.
Artifact_Origin_Report.txt
What it does: Maps where artifacts came from: vendor source file, plant system, workstation, account, source IP, import batch, detection rule, correlation path, or analysis finding.
Evidence_Excerpts.txt
What it does: Preserves source-backed snippets and row references that support the report narrative, including dosing, pump, valve, pressure, water-quality, telemetry, and malware/artifact evidence when present.
Thread_Index.txt
What it does: Indexes investigative threads across detection flags, correlation paths, analysis findings, evidence snippets, report sections, and remaining examiner questions.