Use Case

Robotics Warehouse / Automated Fulfillment Network

Large-Scale Automated Fulfillment Operation — ~200 Robots, Mixed IT/OT Environment

The Environment

A high-throughput fulfillment centre operates a large fleet of autonomous mobile robots (AMRs), fixed robotic picking arms, and conveyor control systems alongside conventional warehouse management software (WMS). The environment is a hybrid IT/OT network: standard server infrastructure for back-office and WMS functions, and a separate operational technology network where robots communicate with a central orchestration server over proprietary protocols. The robots run embedded Linux. Network segmentation between the OT and corporate networks is partial — a common legacy of rapid operational expansion. There is no dedicated OT security expertise on staff.

Frostbow Deployment

Frostbow was deployed in the Complete Security Platform configuration. A critical requirement was passive monitoring of OT network traffic without disrupting robot operations — agent installation on robot controllers was ruled out due to vendor warranty constraints and operational risk. Frostbow’s ingestion adapters were configured to receive NetFlow data from OT network switches and Syslog feeds from the orchestration server. On the IT side, Windows event logs, WMS application logs, and firewall logs were all ingested. Separate ontologies were maintained for the IT and OT environments within a single deployment.

The Scenario: Supply Chain Software Compromise / OT Pivot

A routine WMS software update was pushed from the vendor’s update server. Unknown to the operator or the vendor, the vendor’s build pipeline had been compromised weeks earlier in a supply chain attack — the update package contained a backdoor designed to beacon outbound and await instructions. The update installed without issue and the backdoor process ran under the vendor’s legitimate signed service name.

How Frostbow Responded

The backdoor’s initial beacon was subtle — a small HTTPS POST to an external IP on a consistent four-minute interval, mimicking telemetry traffic. It evaded perimeter firewall rules because the vendor’s software had legitimate internet access permissions. However, Frostbow had established a behavioral baseline for the WMS service. The new beacon pattern — consistent timing intervals to a newly-observed IP outside the vendor’s known infrastructure — triggered an anomaly against the concept Frostbow had formed around PeriodicExternalBeaconing.
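The fixed-interval beacon check described above, written out as an added illustration rather than Frostbow's own logic: it groups constructed NetFlow-style records by (source, destination, port), measures how constant the inter-flow gaps are, and flags periodic pairs whose destination lies outside the vendor's known infrastructure. The hostnames, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample NetFlow-style records (hypothetical, not the page's data):
# (seconds since start of window, source host, destination IP, destination port).
SAMPLE_FLOWS = [
    # Legitimate WMS traffic to the vendor's known update host: irregular timing.
    (0, "wms-01", "203.0.113.10", 443), (130, "wms-01", "203.0.113.10", 443),
    (900, "wms-01", "203.0.113.10", 443), (1010, "wms-01", "203.0.113.10", 443),
    (2400, "wms-01", "203.0.113.10", 443), (3700, "wms-01", "203.0.113.10", 443),
    # Post-update beacon: roughly every four minutes to a never-before-seen address.
    (0, "wms-01", "198.51.100.77", 443), (241, "wms-01", "198.51.100.77", 443),
    (479, "wms-01", "198.51.100.77", 443), (720, "wms-01", "198.51.100.77", 443),
    (961, "wms-01", "198.51.100.77", 443), (1199, "wms-01", "198.51.100.77", 443),
    (1440, "wms-01", "198.51.100.77", 443), (1681, "wms-01", "198.51.100.77", 443),
]
# Destinations the vendor's software is expected to contact (placeholder values).
KNOWN_VENDOR_INFRA = {"203.0.113.10"}


def periodicity_by_pair(flows, min_flows=5, max_cv=0.10):
    """Map (src, dst, port) -> stats for pairs whose inter-flow gaps are near-constant.

    Periodicity is judged by the coefficient of variation (stdev / mean) of the
    inter-arrival times; a low value means a fixed-interval pattern."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    periodic = {}
    for key, ts in times.items():
        if len(ts) < min_flows:          # too few flows to judge timing
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            periodic[key] = {"count": len(ts), "mean_interval_s": mean, "cv": cv}
    return periodic


def flag_external_beaconing(flows, known_destinations, **kwargs):
    """Periodic pairs whose destination is outside the known vendor infrastructure."""
    findings = []
    for (src, dst, port), stats in periodicity_by_pair(flows, **kwargs).items():
        if dst not in known_destinations:
            findings.append({"src": src, "dst": dst, "port": port, **stats})
    return findings


if __name__ == "__main__":
    for f in flag_external_beaconing(SAMPLE_FLOWS, KNOWN_VENDOR_INFRA):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['count']} flows, cv={f['cv']:.3f})")
```

Tightening `max_cv` catches only very regular timers; loosening it tolerates jittered beacons at the cost of more false positives from legitimate polling.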

Simultaneously, Frostbow observed that the compromised service account had begun making authentication queries to the domain controller for systems it had never previously accessed — including a server that bridged the IT and OT networks. This lateral movement precursor matched a causal relationship in Frostbow’s ontology: PeriodicExternalBeaconing frequently precedes PrivilegedAccountEnumeration, a relationship that had achieved 78% confidence from observations across the SKADI deployment network.

Frostbow autonomously isolated the WMS server from the OT network bridge and escalated to human review with a complete attack chain narrative. Robot fulfillment operations continued uninterrupted — the isolation was surgical, targeting only the WMS server’s bridge connectivity. The OT network was never reached.

Key Deployment Characteristics

  • Passive OT monitoring via NetFlow and Syslog — no agent installation on robot controllers
  • Surgical network isolation preserved fulfillment operations throughout the incident
  • Cross-client intelligence: beaconing pattern concept reinforced from global deployment network
  • Separate IT and OT ontologies maintained within a single deployment