The Environment
A municipal authority responsible for water treatment, distribution, and wastewater processing operates a converged IT/OT environment that has evolved organically over decades. Modern administrative workstations and cloud-connected reporting tools sit alongside aging SCADA systems and programmable logic controllers (PLCs) that were never designed with network security in mind. Operational continuity is a public safety obligation — any disruption to treatment or distribution processes has immediate consequences for the community served. The authority employs a small engineering and operations team with two IT administrators focused primarily on keeping systems running. Regulatory oversight from environmental and public health agencies creates significant reporting obligations in the event of any incident.
The authority’s threat profile is elevated. Water and wastewater infrastructure is a documented target for nation-state actors and ideologically motivated threat groups, both of which have demonstrated interest in manipulating treatment processes rather than simply extracting data.
Frostbow Deployment
Frostbow was deployed with a clear constraint: under no circumstances could any automated response action interact directly with SCADA systems or PLCs. Operational decisions on treatment processes must remain with human engineers. Frostbow’s role in the OT environment was strictly detection and alerting — passive monitoring via network tap on the SCADA network, with autonomous response capabilities limited to the IT environment only. On the IT side, full autonomous response was enabled. The SCADA and IT networks were monitored as linked environments, with Frostbow correlating events across both while respecting the hard boundary on OT-side response. Deployment was completed in four weeks.
The Scenario: Nation-State Reconnaissance and IT/OT Pivot Attempt
A sophisticated threat actor gained initial access through a spear-phishing email targeting one of the IT administrators — crafted to resemble a communication from a water industry regulatory body. A lightweight implant established persistence on the administrator’s workstation and began conducting low-and-slow reconnaissance: mapping the network, identifying assets, and probing for connectivity pathways between the IT network and the SCADA environment. Over several days, the actor identified a dual-homed engineering workstation with access to both networks and began staging a toolset to pivot through it toward the SCADA systems.
How Frostbow Responded
The implant’s initial beacon was detected on day one — a low-volume periodic connection to an external IP outside the administrator’s established baseline. Frostbow formed a low-confidence alert and began tracking the host closely without acting, allowing further behavioral evidence to accumulate.
Over the following days, Frostbow observed the host conducting internal network scans — subtle, low-rate queries that individually appeared benign but collectively mapped to a concept Frostbow had developed called LowAndSlowReconnaissance. When the actor began authenticating to the dual-homed engineering workstation from the compromised administrator account — an account with no prior history of accessing engineering systems — Frostbow’s confidence crossed the high-severity threshold.
Frostbow autonomously isolated the compromised administrator workstation from the IT network, blocking the pivot pathway to the engineering workstation and by extension the SCADA environment. A high-priority alert was delivered immediately to both the IT administrators and the engineering team lead, with a full narrative of the reconnaissance activity, the identified pivot target, and the isolation action taken. SCADA operations and water treatment processes were unaffected throughout.
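The detection and response logic described in this section, together with the hard OT boundary set out under Frostbow Deployment, as an added illustration in Python. This is not Frostbow's code: per-host confidence accumulates from weak signals (a beacon outside the host's baseline, low-rate scans that only matter in aggregate, an account authenticating to an engineering host it has never used), severity follows thresholds, and automatic isolation is refused for anything outside the IT zone. Hosts, accounts, addresses, weights and thresholds are constructed, and treating the dual-homed engineering workstation as off-limits to automatic isolation is an assumption drawn from the stated constraint.

```python
"""Cumulative-evidence detector with a hard OT response boundary.

Added illustration, not Frostbow's code: weak signals are scored per host, a
response is considered only once accumulated confidence crosses a threshold,
and isolation is refused for any asset on the OT side regardless of score.
Hosts, accounts, addresses, weights and thresholds are all constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed asset inventory. The zone decides whether isolation is allowed.
ASSETS = {
    "admin-ws-01": "it",          # IT administrator workstation
    "eng-ws-07": "dual-homed",    # engineering workstation on both networks
    "plc-intake-02": "ot",        # PLC on the SCADA network (detection only)
}
ENGINEERING_HOSTS = {"eng-ws-07"}
AUTH_HISTORY = {"jsmith": {"admin-ws-01"}}           # hosts each account normally uses
BEACON_BASELINE = {"admin-ws-01": {"203.0.113.10"}}  # known external destinations per host
LOW_CONFIDENCE, HIGH_CONFIDENCE = 0.25, 0.80
SCAN_PATTERN_MIN_TARGETS = 5


@dataclass
class HostState:
    score: float = 0.0
    scan_targets: set = field(default_factory=set)
    narrative: list = field(default_factory=list)
    high_on_day: Optional[int] = None


def score_event(state: HostState, ev: dict) -> None:
    """Add one event's evidence weight to the host's cumulative score."""
    if ev["type"] == "outbound":
        if ev["dst"] not in BEACON_BASELINE.get(ev["host"], set()):
            state.score += 0.30                      # low on its own: watch, do not act
            state.narrative.append(f"day {ev['day']}: beacon to {ev['dst']} outside baseline")
    elif ev["type"] == "scan":
        if ev["dst"] not in state.scan_targets:      # one probe is noise; the set is the signal
            state.scan_targets.add(ev["dst"])
            state.score += 0.05
            if len(state.scan_targets) == SCAN_PATTERN_MIN_TARGETS:
                state.narrative.append(f"day {ev['day']}: low-rate scan of "
                                       f"{SCAN_PATTERN_MIN_TARGETS}+ hosts (LowAndSlowReconnaissance)")
    elif ev["type"] == "auth":
        acct, dst = ev["account"], ev["dst"]
        if dst in ENGINEERING_HOSTS and dst not in AUTH_HISTORY.get(acct, set()):
            state.score += 0.40
            state.narrative.append(f"day {ev['day']}: {acct} authenticated to {dst} "
                                   f"(no prior history); pivot target identified")
    if state.score >= HIGH_CONFIDENCE and state.high_on_day is None:
        state.high_on_day = ev["day"]


def severity(score: float) -> str:
    """Map a cumulative score to the alert severity it warrants."""
    if score >= HIGH_CONFIDENCE:
        return "high"
    return "low" if score >= LOW_CONFIDENCE else "none"


def permitted_action(host: str, sev: str) -> str:
    """Hard boundary: only IT-zone assets may ever be isolated automatically."""
    if sev != "high":
        return "monitor"
    return "isolate" if ASSETS.get(host) == "it" else "alert_only"


def run(events: list) -> dict:
    """Score events in order; return per-host score, severity, action and narrative."""
    states: dict = {}
    for ev in events:
        score_event(states.setdefault(ev["host"], HostState()), ev)
    out = {}
    for host, st in states.items():
        sev = severity(st.score)
        out[host] = {"score": round(st.score, 2), "severity": sev,
                     "action": permitted_action(host, sev),
                     "high_on_day": st.high_on_day, "narrative": st.narrative}
    return out


# Constructed multi-day timeline mirroring the scenario above.
EVENTS = [
    {"day": 1, "type": "outbound", "host": "admin-ws-01", "dst": "198.51.100.77"},
    *[{"day": 2 + i // 3, "type": "scan", "host": "admin-ws-01", "dst": f"10.10.0.{5 + i}"}
      for i in range(5)],
    {"day": 4, "type": "auth", "host": "admin-ws-01", "account": "jsmith", "dst": "eng-ws-07"},
    # The same beacon pattern seen from a PLC is scored and alerted, never auto-isolated.
    {"day": 4, "type": "outbound", "host": "plc-intake-02", "dst": "198.51.100.77"},
]

if __name__ == "__main__":
    for host, verdict in run(EVENTS).items():
        print(host, verdict["severity"], verdict["action"], verdict["score"])
        for line in verdict["narrative"]:
            print("   ", line)
```

Running the file prints one verdict per host: the administrator workstation reaches high severity on day 4 and is eligible for isolation only because its zone is IT, while the PLC with an identical beacon stays at low severity and, even at a high score, could only ever produce an alert. The narrative list is what an escalation to the engineering team would carry.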
Key Deployment Characteristics
- Detection-only posture in OT/SCADA environment — no automated response on operational systems
- Full autonomous response enabled on IT network with hard OT boundary respected
- Cross-network event correlation between IT and SCADA environments
- Multi-day low-and-slow reconnaissance detected through cumulative pattern analysis
- Pivot pathway to SCADA blocked before crossing the IT/OT boundary
- Immediate escalation to engineering team for OT-side human review