Sample

Quarterly Compliance & Evidence Package

Site [REDACTED] Municipal Water Treatment Facility
Site ID SITE-WTP-01
Report Period January 1, 2026 to March 31, 2026 (Q1 2026)
Generated April 1, 2026 at 00:15:03 UTC
Section 1

Executive Summary

During Q1 2026, the Kyntic appliance at SITE-WTP-01 maintained continuous passive monitoring of all OT network traffic with 99.7% uptime coverage. The appliance captured and analyzed 3,381,482 industrial protocol connections across Modbus/TCP, DNP3, and EtherNet/IP.

Eight (8) alerts were generated during the quarter. Three required a real-time SMS to the operator (two CRITICAL IT-to-OT boundary crossings and one HIGH new-device detection -- a replacement variable frequency drive installed during a pump upgrade); all three were correlated to scheduled maintenance and dispositioned within 30 minutes. The remaining five (MEDIUM and LOW) were captured for evidence only -- no human action was needed, so no SMS was sent. All eight are detailed below.

No unauthorized access, malware indicators, or anomalous command-and-control traffic was detected. The device inventory remained stable with one authorized addition. All log data is stored with SHA-256 integrity verification under S3 Object Lock with a 7-year retention policy.

Thirteen weekly "all-quiet" status texts were delivered to the operator on schedule (every Monday at 08:00 local) confirming appliance health between alerts.

Section 2

Monitoring Coverage

NERC CIP-007-6 R4: Security Event Monitoring
Total Hours: 2,160
Covered Hours: 2,153
Coverage Rate: 99.7%
Gap Hours: 7

Gap: 7 hours on February 14 to 15, 2026 (planned facility power outage for main electrical panel upgrade, maintenance ticket EP-2026-011). The appliance resumed monitoring automatically on power restoration. Zeek logs queued locally during downtime were shipped upon reconnection.

Section 3

Network Connection Summary

NERC CIP-005-7 R1: Electronic Security Perimeter

The following table summarizes all connections observed on the OT network during the reporting period, grouped by industrial protocol.

Protocol | Port | Connections | Avg Duration | Total Bytes
Modbus/TCP | 502 | 2,147,832 | 3.1 ms | 18.4 GB
EtherNet/IP | 44818 | 892,441 | 8.4 ms | 12.7 GB
DNP3 | 20000 | 341,209 | 11.2 ms | 4.1 GB

Top Communication Pairs

Source | Destination | Protocol | Connections
10.10.50.20 (HMI-Primary) | 10.10.50.10 (PLC-PS1) | Modbus | 847,291
10.10.50.20 (HMI-Primary) | 10.10.50.11 (PLC-PS2) | Modbus | 812,104
10.10.50.20 (HMI-Primary) | 10.10.50.12 (PLC-Chem) | Modbus | 488,437
10.10.50.40 (SCADA-RTU) | 10.10.50.20 (HMI-Primary) | DNP3 | 341,209
10.10.50.20 (HMI-Primary) | 10.10.50.10 (PLC-PS1) | EtherNet/IP | 421,887
10.10.50.20 (HMI-Primary) | 10.10.50.11 (PLC-PS2) | EtherNet/IP | 398,214

Section 4

Alert Summary

NERC CIP-005-7 R1, CIP-007-6 R4.2: Alert Generation

Eight alerts were generated during Q1 2026. Three were texted to the operator in real time (CRITICAL and HIGH only -- where a human action was required). The remaining five were logged in this evidence report without paging the operator. All eight were investigated and dispositioned within 24 hours.

2 Critical: IT-to-OT Boundary
1 High: Unknown Device
3 Medium: Protocol Anomaly
2 Low: Remote Access

Section 5

Alert Detail Log

NERC CIP-005-7 R1, R2: Electronic Security Perimeter and Remote Access
Alert 1: CRITICAL, KYNTIC-001, 2026-01-12T09:14:23Z, Resolved
Office computer reached a plant control device
SMS sent to operator: "KYNTIC CRITICAL [SITE-WTP-01] ACTION: In next 15 min, confirm with IT that maintenance on Pump Station 1 PLC is authorized right now. If not, unplug office PC 192.168.1.105 and reply HELP. [KYNTIC-001]"
Src: 192.168.1.105:49847 > Dst: 10.10.50.10:502 (Modbus/TCP)
Resolution: Authorized maintenance by Apex Controls (contractor). Correlated with maintenance window MW-2026-003, approved by plant manager on 2026-01-10. Contractor laptop accessed PLC-PS1 for annual calibration verification. Session lasted 47 minutes. No write commands issued during session.

Alert 2: CRITICAL, KYNTIC-001, 2026-02-03T14:22:07Z, Resolved
Office computer reached a plant control device
SMS sent to operator: "KYNTIC CRITICAL [SITE-WTP-01] ACTION: In next 15 min, confirm with IT that work on the Chemical Dosing PLC is authorized right now. If not, unplug office PC 192.168.1.87 and reply HELP. [KYNTIC-001]"
Src: 192.168.1.87:52104 > Dst: 10.10.50.12:44818 (EtherNet/IP)
Resolution: Investigated within 15 minutes of SMS alert. Source identified as newly provisioned engineering laptop (asset tag IT-LAP-0087) assigned to SCADA technician. Technician was configuring Siemens S7-1200 chemical dosing parameters. Laptop added to IT asset inventory. Recommended: establish dedicated engineering VLAN with controlled OT access path.

Alert 3: HIGH, KYNTIC-004, 2026-02-18T11:33:44Z, Resolved
An unrecognized device appeared on the plant network
SMS sent to operator: "KYNTIC HIGH [SITE-WTP-01] ACTION: Today, walk the network rack and PLC cabinets. New device at 10.10.50.55. If you don't recognize it (look for a new VFD, drive, or laptop plugged in), unplug it and reply HELP. [KYNTIC-004]"
Src: 10.10.50.55:41902 > Dst: 10.10.50.20:502 (Modbus/TCP)
Resolution: New ABB ACS580 variable frequency drive installed during Pump Station 2 motor upgrade on 2026-02-17 (work order WO-2026-0041). Device confirmed with ABB serial number and firmware version. IP 10.10.50.55 added to baseline device inventory with approval from operations lead.

Alert 4: MEDIUM, KYNTIC-006, 2026-01-28T03:41:12Z, Resolved
Burst of polling traffic from one device (142 requests in 60s; baseline 100)
Digest entry (MEDIUM, no SMS sent): "KYNTIC MEDIUM SITE-WTP-01 03:41Z: Burst of polling traffic from 10.10.50.20. DO: Check if HMI changed -- possible scanning. [KYNTIC-006]"
Src: 10.10.50.20:49312 > Dst: 10.10.50.10:502 (Modbus/TCP, FC 3: Read Holding Registers)
Resolution: HMI display refresh rate temporarily increased to 500 ms polling during overnight operator training session (training record TR-2026-004). Normal 2-second polling interval resumed at 04:15 UTC when training concluded. No impact to PLC operation.

Alert 5: MEDIUM, KYNTIC-006, 2026-03-05T16:08:33Z, Resolved
Burst of polling traffic from one device (118 requests in 60s; baseline 100)
Digest entry (MEDIUM, no SMS sent): "KYNTIC MEDIUM SITE-WTP-01 16:08Z: Burst of polling traffic from 10.10.50.21. DO: Check if HMI changed -- possible scanning. [KYNTIC-006]"
Src: 10.10.50.21:50221 > Dst: 10.10.50.11:502 (Modbus/TCP, FC 4: Read Input Registers)
Resolution: Backup HMI station activated for annual disaster recovery exercise (DR drill DR-2026-Q1). Elevated polling rate expected during dual-HMI operation. Exercise concluded at 17:30 UTC. Backup HMI returned to standby.

Alert 6: MEDIUM, KYNTIC-007, 2026-03-19T10:22:15Z, Resolved
Industrial protocol came from outside the plant network
Digest entry (MEDIUM, no SMS sent): "KYNTIC MEDIUM SITE-WTP-01 10:22Z: Industrial protocol from outside plant network (192.168.1.105 to 10.10.50.10). DO: Move engineering workstation onto the OT VLAN. [KYNTIC-007]"
Src: 192.168.1.105:55012 > Dst: 10.10.50.10:44818 (EtherNet/IP)
Resolution: Engineering workstation performing Allen-Bradley CompactLogix firmware update from v33.011 to v33.014 (Rockwell security advisory RA-SA-2026-002). Coordinated with Apex Controls under maintenance window MW-2026-007. Firmware update verified successfully.

Alert 7: LOW, KYNTIC-008, 2026-01-12T09:12:01Z, Resolved
Remote access session opened into a plant device
Digest entry (LOW, no SMS sent): "KYNTIC LOW SITE-WTP-01 09:12Z: Remote access session opened from 192.168.1.105 to plant device 10.10.50.20. DO: Verify against the maintenance schedule. [KYNTIC-008]"
Src: 192.168.1.105:50118 > Dst: 10.10.50.20:3389 (TCP/RDP)
Resolution: Contractor accessing HMI-Primary for Pump Station 1 calibration. RDP session opened 2 minutes before Alert 1 (KYNTIC-001) above, within the same maintenance window MW-2026-003. Session duration: 51 minutes. No unauthorized changes to HMI configuration detected.

Alert 8: LOW, KYNTIC-008, 2026-03-19T10:19:44Z, Resolved
Remote access session opened into a plant device
Digest entry (LOW, no SMS sent): "KYNTIC LOW SITE-WTP-01 10:19Z: Remote access session opened from 192.168.1.105 to plant device 10.10.50.21. DO: Verify against the maintenance schedule. [KYNTIC-008]"
Src: 192.168.1.105:55008 > Dst: 10.10.50.21:3389 (TCP/RDP)
Resolution: Engineering access to Backup HMI for PLC firmware update preparation. Same maintenance window as Alert 6 above (MW-2026-007). Session duration: 28 minutes. HMI configuration unchanged.

Section 6

Zeek Connection Log Samples

Raw log entries from the appliance; 3,381,482 connections in total were captured in Q1 2026.

Below is a representative sample of raw Zeek JSON log entries as captured by the appliance. Every connection on the monitored network is logged in this format and shipped to encrypted, immutable cloud storage every 30 minutes.

conn.log: Normal Modbus HMI to PLC polling

// HMI reading holding registers from Pump Station 1 PLC (normal 2-second poll cycle)
{"ts":1768209263.847,"uid":"CYLk4x1a2bRc4d","id.orig_h":"10.10.50.20","id.orig_p":49152,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.002847,"orig_bytes":12,"resp_bytes":9,"conn_state":"SF"}

{"ts":1768209265.912,"uid":"CYLk4x5e6fPg8h","id.orig_h":"10.10.50.20","id.orig_p":49153,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.003102,"orig_bytes":12,"resp_bytes":9,"conn_state":"SF"}

modbus.log: Function code detail

// FC 3 = Read Holding Registers (routine polling)
{"ts":1768209263.847,"uid":"CYLk4x1a2bRc4d","id.orig_h":"10.10.50.20","id.orig_p":49152,"id.resp_h":"10.10.50.10","id.resp_p":502,"function_code":3}

// FC 6 = Write Single Register (operator setpoint change via HMI, normal operation)
{"ts":1768214401.223,"uid":"CYLk4xQr9s0tUv","id.orig_h":"10.10.50.20","id.orig_p":49201,"id.resp_h":"10.10.50.12","id.resp_p":502,"function_code":6}

conn.log: DNP3 SCADA communication

// Remote pump house RTU reporting to primary HMI via DNP3
{"ts":1768209264.789,"uid":"CYLk4x9iWj1k2l","id.orig_h":"10.10.50.40","id.orig_p":52847,"id.resp_h":"10.10.50.20","id.resp_p":20000,"proto":"tcp","service":"dnp3","duration":0.011234,"orig_bytes":48,"resp_bytes":124,"conn_state":"SF"}

conn.log: IT to OT boundary crossing (triggered KYNTIC-001)

// This connection triggered a CRITICAL alert. Contractor laptop crossing IT/OT boundary.
{"ts":1768293263.441,"uid":"CHTp2z3mNn4o5p","id.orig_h":"192.168.1.105","id.orig_p":49847,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":2821.447,"orig_bytes":8472,"resp_bytes":14208,"conn_state":"SF"}
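
As an added illustration (not Kyntic's code), the rule set below applies the alert conditions described in Section 5 to conn.log lines in the format shown above: an off-subnet source speaking an industrial protocol into OT (KYNTIC-001), an OT-side source missing from the Section 7 baseline (KYNTIC-004), remote access into an OT device (KYNTIC-008), and a polling burst above the 100-per-60-seconds baseline (KYNTIC-006). The OT subnet, baseline hosts and burst threshold come from the report; the remote-access ports and the sample records beyond the report's own lines (the 142-poll burst, the VFD and RDP records) are constructed for the demonstration.

```python
import ipaddress
import json

# Constructed rule set (not Kyntic's engine); subnet, baseline and burst threshold come from the report
OT_NET = ipaddress.ip_network("10.10.50.0/24")
BASELINE = {f"10.10.50.{h}" for h in (10, 11, 12, 20, 21, 30, 31, 40, 50)}
INDUSTRIAL_PORTS = {502, 44818, 20000}   # Modbus/TCP, EtherNet/IP, DNP3 (from Section 3)
REMOTE_ACCESS_PORTS = {3389, 5900, 22}   # RDP, VNC, SSH (assumed; the report names these three)
BURST_WINDOW_S, BURST_BASELINE = 60, 100  # "142 requests in 60s; baseline 100"

def classify(conn):  # one conn.log record -> (rule_id, severity) or None
    src, dst = ipaddress.ip_address(conn["id.orig_h"]), ipaddress.ip_address(conn["id.resp_h"])
    port = conn["id.resp_p"]
    if dst not in OT_NET:
        return None
    if src not in OT_NET and port in INDUSTRIAL_PORTS:
        return ("KYNTIC-001", "CRITICAL")   # IT host speaking an industrial protocol into OT
    if src in OT_NET and str(src) not in BASELINE:
        return ("KYNTIC-004", "HIGH")       # OT-side source absent from the baseline inventory
    if port in REMOTE_ACCESS_PORTS:
        return ("KYNTIC-008", "LOW")        # interactive remote access into an OT device

def polling_bursts(conns):  # sources exceeding BURST_BASELINE requests in any 60 s window
    by_src, hits = {}, {}
    for c in conns:
        if c["id.resp_p"] in INDUSTRIAL_PORTS:
            by_src.setdefault(c["id.orig_h"], []).append(c["ts"])
    for src, times in by_src.items():
        times, start = sorted(times), 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] >= BURST_WINDOW_S:
                start += 1
            if end - start + 1 > BURST_BASELINE:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def run(lines):  # parse JSON conn.log lines (skipping // comments) and apply every rule
    conns = [json.loads(l) for l in lines if l.strip() and not l.startswith("//")]
    alerts = [(c["uid"],) + hit for c in conns if (hit := classify(c))]
    return alerts, polling_bursts(conns)

def rec(ts, uid, src, dst, dport, service):  # builds one constructed conn.log line
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": dport, "service": service})
SAMPLE = [
    rec(1768209263.847, "CYLk4x1a2bRc4d", "10.10.50.20", "10.10.50.10", 502, "modbus"),   # routine HMI poll
    rec(1768293263.441, "CHTp2z3mNn4o5p", "192.168.1.105", "10.10.50.10", 502, "modbus"), # office PC -> PLC
    rec(1771411811.0, "Cvfd00000001", "10.10.50.55", "10.10.50.20", 502, "modbus"),       # un-baselined VFD
    rec(1768209121.0, "Crdp00000001", "192.168.1.105", "10.10.50.20", 3389, "rdp"),       # RDP into HMI
] + [rec(1769571672.0 + i * 0.4, f"Cburst{i:04d}", "10.10.50.20", "10.10.50.10", 502, "modbus")
     for i in range(142)]  # constructed burst: 142 polls inside one 60 s window
```

Calling run(SAMPLE) yields the CRITICAL, HIGH and LOW alerts for the three non-routine records and reports 10.10.50.20 at 142 requests in the window; the page's own log lines (comments included) can be passed to run() unchanged.
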
Section 7

OT Device Inventory

NERC CIP-010-4 R1, R1.5: Configuration Change Management and Monitoring

All IP addresses observed communicating on the OT subnet during Q1 2026. Devices are compared against the baseline inventory established during the initial 14-day learning period.

IP Address | Device Type | Manufacturer | Model | Role | Status
10.10.50.10 | PLC | Allen-Bradley | CompactLogix 5380 | Pump Station 1 Controller | Baseline
10.10.50.11 | PLC | Allen-Bradley | CompactLogix 5380 | Pump Station 2 Controller | Baseline
10.10.50.12 | PLC | Siemens | S7-1200 | Chemical Dosing Controller | Baseline
10.10.50.20 | HMI | Wonderware | InTouch 2020 R2 | Primary Operator Station | Baseline
10.10.50.21 | HMI | Wonderware | InTouch 2020 R2 | Backup Operator Station | Baseline
10.10.50.30 | Flow Meter | ABB | AquaMaster 4 | Intake Flow Measurement | Baseline
10.10.50.31 | Flow Meter | ABB | AquaMaster 4 | Discharge Flow Measurement | Baseline
10.10.50.40 | RTU | Schneider Electric | SCADAPack 334E | Remote Pump House | Baseline
10.10.50.50 | Analyzer | Honeywell | AQ4000 | Chlorine Residual Analyzer | Baseline
10.10.50.55 | VFD | ABB | ACS580 | PS2 Variable Frequency Drive | New (Feb 18)

Inventory change summary: One device added (ABB ACS580 VFD at 10.10.50.55). Zero devices removed. Zero unauthorized devices detected.

Section 8

NERC CIP Compliance Mapping

Evidence cross-reference for audit preparation

The following table maps each applicable NERC CIP requirement to the specific evidence provided in this report. Hand this table and the referenced sections directly to your auditor.

NERC CIP Standard | Requirement | How Kyntic Satisfies | Evidence
CIP-005-7 R1 | Electronic Security Perimeter monitoring | All IT-to-OT boundary crossings detected and logged with full connection metadata (source, destination, protocol, duration, bytes) | Section 3; Section 5 (Alerts 1, 2)
CIP-005-7 R2 | Interactive Remote Access management | All remote access sessions (RDP, VNC, SSH) to OT devices detected, logged, and correlated with maintenance schedules | Section 5 (Alerts 7, 8)
CIP-007-6 R3 | Security Patch Management | Device inventory tracks manufacturer, model, and firmware. Firmware updates logged as maintenance events | Section 7; Section 5 (Alert 6)
CIP-007-6 R4 | Security Event Monitoring | Continuous passive monitoring with 99.7% uptime coverage. 3.38M connections analyzed in Q1. All gaps documented | Section 2
CIP-007-6 R4.2 | Alerting for security events | 8 alerts generated via deterministic rule engine. All investigated and dispositioned within 24 hours | Sections 4, 5
CIP-010-4 R1 | Configuration Change Management | New devices on OT network automatically detected and flagged (KYNTIC-004). Baseline comparison on every connection | Section 5 (Alert 3); Section 7
CIP-010-4 R1.5 | Configuration Monitoring | Continuous inventory monitoring against established baseline. Change summary provided quarterly | Section 7

Section 9

Evidence Integrity & Chain of Custody

Log data preservation and tamper protection

All log data referenced in this report is preserved with the following integrity guarantees. These controls ensure that evidence is admissible for regulatory audit and cannot be altered after collection.

SHA-256 Checksums: Every log bundle is checksummed at the appliance before transmission. The checksum is verified at ingest and stored as S3 object metadata for independent verification.
S3 Object Lock: All log objects are stored with GOVERNANCE mode Object Lock. Objects cannot be deleted or overwritten within the 7-year retention window, even by the account administrator.
Encryption at Rest: Log data is encrypted with AES-256 (SSE-S3) in the S3 bucket. Encryption keys are managed by AWS and rotated automatically.
Encryption in Transit: All appliance-to-cloud communication uses TLS 1.2+ with per-appliance API keys. API keys are stored on the appliance with 600 permissions and never logged.

Log data for this reporting period is stored under the S3 prefix logs/SITE-WTP-01/2026-01-01-00/ through logs/SITE-WTP-01/2026-03-31-23/ and will be retained until Q1 2033.

This report runs itself

Every Kyntic client receives a report like this every 90 days. No manual configuration. No analyst required. Plug in the appliance and the evidence starts collecting.

Interested? Let's chat.