Sample Evidence Package

This is an anonymized quarterly compliance report. Every Kyntic client receives a report like this every 90 days. It maps directly to the NERC CIP evidence requirements your auditor will ask for.

Anonymized. Organization name and MAC addresses redacted.

Quarterly Compliance & Evidence Package

Site: [REDACTED] Municipal Water Treatment Facility
Site ID: SITE-WTP-01
Report Period: January 1, 2026 to March 31, 2026 (Q1 2026)
Generated: April 1, 2026 at 00:15:03 UTC
Section 1

Executive Summary

During Q1 2026, the Kyntic appliance at SITE-WTP-01 maintained continuous passive monitoring of all OT network traffic with 99.7% uptime coverage. The appliance captured and analyzed 3,381,482 industrial protocol connections across Modbus/TCP, DNP3, and EtherNet/IP.

Eight (8) alerts were generated during the quarter. Two CRITICAL alerts identified IT-to-OT boundary crossings, both correlated to scheduled maintenance windows. One HIGH alert detected a new device on the OT network: a replacement variable frequency drive installed during a pump upgrade. All alerts were investigated, dispositioned, and documented below.

No unauthorized access, malware indicators, or anomalous command-and-control traffic was detected. The device inventory remained stable with one authorized addition. All log data is stored with SHA-256 integrity verification under S3 Object Lock with a 7-year retention policy.

Section 2

Monitoring Coverage

NERC CIP-007-6 R4: Security Event Monitoring
Total Hours: 2,160
Covered Hours: 2,153
Coverage Rate: 99.7%
Gap Hours: 7

Gap: 7 hours on February 14 to 15, 2026 (planned facility power outage for main electrical panel upgrade, maintenance ticket EP-2026-011). The appliance resumed monitoring automatically on power restoration. Zeek logs queued locally during downtime were shipped upon reconnection.

Section 3

Network Connection Summary

NERC CIP-005-7 R1: Electronic Security Perimeter

The following table summarizes all connections observed on the OT network during the reporting period, grouped by industrial protocol.

Protocol | Port | Connections | Avg Duration | Total Bytes
Modbus/TCP | 502 | 2,147,832 | 3.1 ms | 18.4 GB
EtherNet/IP | 44818 | 892,441 | 8.4 ms | 12.7 GB
DNP3 | 20000 | 341,209 | 11.2 ms | 4.1 GB

Top Communication Pairs

Source | Destination | Protocol | Connections
10.10.50.20 (HMI-Primary) | 10.10.50.10 (PLC-PS1) | Modbus | 847,291
10.10.50.20 (HMI-Primary) | 10.10.50.11 (PLC-PS2) | Modbus | 812,104
10.10.50.20 (HMI-Primary) | 10.10.50.12 (PLC-Chem) | Modbus | 488,437
10.10.50.40 (SCADA-RTU) | 10.10.50.20 (HMI-Primary) | DNP3 | 341,209
10.10.50.20 (HMI-Primary) | 10.10.50.10 (PLC-PS1) | EtherNet/IP | 421,887
10.10.50.20 (HMI-Primary) | 10.10.50.11 (PLC-PS2) | EtherNet/IP | 398,214

Section 4

Alert Summary

NERC CIP-005-7 R1, CIP-007-6 R4.2: Alert Generation

Eight alerts were generated during Q1 2026. All were investigated and dispositioned within 24 hours.

2 Critical: IT-to-OT Boundary
1 High: Unknown Device
3 Medium: Protocol Anomaly
2 Low: Remote Access

Section 5

Alert Detail Log

NERC CIP-005-7 R1, R2: Electronic Security Perimeter and Remote Access
Alert 1 | Critical | KYNTIC-001 | 2026-01-12T09:14:23Z | Resolved
IT-to-OT boundary crossing detected
Src: 192.168.1.105:49847 > Dst: 10.10.50.10:502 (Modbus/TCP)
Resolution: Authorized maintenance by Apex Controls (contractor). Correlated with maintenance window MW-2026-003, approved by plant manager on 2026-01-10. Contractor laptop accessed PLC-PS1 for annual calibration verification. Session lasted 47 minutes. No write commands issued during session.

Alert 2 | Critical | KYNTIC-001 | 2026-02-03T14:22:07Z | Resolved
IT-to-OT boundary crossing detected
Src: 192.168.1.87:52104 > Dst: 10.10.50.12:44818 (EtherNet/IP)
Resolution: Investigated within 15 minutes of SMS alert. Source identified as newly provisioned engineering laptop (asset tag IT-LAP-0087) assigned to SCADA technician. Technician was configuring Siemens S7-1200 chemical dosing parameters. Laptop added to IT asset inventory. Recommended: establish dedicated engineering VLAN with controlled OT access path.

Alert 3 | High | KYNTIC-004 | 2026-02-18T11:33:44Z | Resolved
Unknown device on OT network
Src: 10.10.50.55:41902 > Dst: 10.10.50.20:502 (Modbus/TCP)
Resolution: New ABB ACS580 variable frequency drive installed during Pump Station 2 motor upgrade on 2026-02-17 (work order WO-2026-0041). Device confirmed with ABB serial number and firmware version. IP 10.10.50.55 added to baseline device inventory with approval from operations lead.

Alert 4 | Medium | KYNTIC-006 | 2026-01-28T03:41:12Z | Resolved
Modbus polling rate anomaly: 142 requests/60s (threshold: 100)
Src: 10.10.50.20:49312 > Dst: 10.10.50.10:502 (Modbus/TCP, FC 3: Read Holding Registers)
Resolution: HMI display refresh rate temporarily increased to 500 ms polling during overnight operator training session (training record TR-2026-004). Normal 2-second polling interval resumed at 04:15 UTC when training concluded. No impact to PLC operation.

Alert 5 | Medium | KYNTIC-006 | 2026-03-05T16:08:33Z | Resolved
Modbus polling rate anomaly: 118 requests/60s (threshold: 100)
Src: 10.10.50.21:50221 > Dst: 10.10.50.11:502 (Modbus/TCP, FC 4: Read Input Registers)
Resolution: Backup HMI station activated for annual disaster recovery exercise (DR drill DR-2026-Q1). Elevated polling rate expected during dual-HMI operation. Exercise concluded at 17:30 UTC. Backup HMI returned to standby.

Alert 6 | Medium | KYNTIC-007 | 2026-03-19T10:22:15Z | Resolved
EtherNet/IP from outside OT subnet
Src: 192.168.1.105:55012 > Dst: 10.10.50.10:44818 (EtherNet/IP)
Resolution: Engineering workstation performing Allen-Bradley CompactLogix firmware update from v33.011 to v33.014 (Rockwell security advisory RA-SA-2026-002). Coordinated with Apex Controls under maintenance window MW-2026-007. Firmware update verified successfully.

Alert 7 | Low | KYNTIC-008 | 2026-01-12T09:12:01Z | Resolved
Remote access protocol to OT device (RDP, port 3389)
Src: 192.168.1.105:50118 > Dst: 10.10.50.20:3389 (TCP/RDP)
Resolution: Contractor accessing HMI-Primary for Pump Station 1 calibration. RDP session opened 2 minutes before the KYNTIC-001 alert above (Alert 1, same maintenance window MW-2026-003). Session duration: 51 minutes. No unauthorized changes to HMI configuration detected.

Alert 8 | Low | KYNTIC-008 | 2026-03-19T10:19:44Z | Resolved
Remote access protocol to OT device (RDP, port 3389)
Src: 192.168.1.105:55008 > Dst: 10.10.50.21:3389 (TCP/RDP)
Resolution: Engineering access to Backup HMI for PLC firmware update preparation. Same maintenance window as Alert 6 above (MW-2026-007). Session duration: 28 minutes. HMI configuration unchanged.

Section 6

Zeek Connection Log Samples

Raw log entries from the appliance; 3,381,482 total connections were captured in Q1 2026.

Below is a representative sample of raw Zeek JSON log entries as captured by the appliance. Every connection on the monitored network is logged in this format and shipped to encrypted, immutable cloud storage every 30 minutes.

conn.log: Normal Modbus HMI to PLC polling

// HMI reading holding registers from Pump Station 1 PLC (normal 2-second poll cycle)
{"ts":1768209263.847,"uid":"CYLk4x1a2bRc4d","id.orig_h":"10.10.50.20","id.orig_p":49152,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.002847,"orig_bytes":12,"resp_bytes":9,"conn_state":"SF"}

{"ts":1768209265.912,"uid":"CYLk4x5e6fPg8h","id.orig_h":"10.10.50.20","id.orig_p":49153,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":0.003102,"orig_bytes":12,"resp_bytes":9,"conn_state":"SF"}

modbus.log: Function code detail

// FC 3 = Read Holding Registers (routine polling)
{"ts":1768209263.847,"uid":"CYLk4x1a2bRc4d","id.orig_h":"10.10.50.20","id.orig_p":49152,"id.resp_h":"10.10.50.10","id.resp_p":502,"function_code":3}

// FC 6 = Write Single Register (operator setpoint change via HMI, normal operation)
{"ts":1768214401.223,"uid":"CYLk4xQr9s0tUv","id.orig_h":"10.10.50.20","id.orig_p":49201,"id.resp_h":"10.10.50.12","id.resp_p":502,"function_code":6}

conn.log: DNP3 SCADA communication

// Remote pump house RTU reporting to primary HMI via DNP3
{"ts":1768209264.789,"uid":"CYLk4x9iWj1k2l","id.orig_h":"10.10.50.40","id.orig_p":52847,"id.resp_h":"10.10.50.20","id.resp_p":20000,"proto":"tcp","service":"dnp3","duration":0.011234,"orig_bytes":48,"resp_bytes":124,"conn_state":"SF"}

conn.log: IT to OT boundary crossing (triggered KYNTIC-001)

// This connection triggered a CRITICAL alert. Contractor laptop crossing IT/OT boundary.
{"ts":1768293263.441,"uid":"CHTp2z3mNn4o5p","id.orig_h":"192.168.1.105","id.orig_p":49847,"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","duration":2821.447,"orig_bytes":8472,"resp_bytes":14208,"conn_state":"SF"}
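
As an added example that is not part of this report or of Kyntic's product, the following Python applies the rule families from Sections 4 and 5 to Zeek conn.log JSON records in the format shown above: IT-to-OT boundary crossing, remote access protocol to an OT device, unknown OT device against the Section 7 baseline, and the Modbus polling-rate threshold. The OT subnet, baseline addresses, rule IDs and the 100 requests/60s threshold come from the report; the matching logic itself is my assumption about how such a deterministic rule engine could be written, and the third sample record is constructed.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

OT_SUBNET = ip_network("10.10.50.0/24")   # OT subnet used throughout the report
BASELINE = {"10.10.50.10", "10.10.50.11", "10.10.50.12", "10.10.50.20", "10.10.50.21",
            "10.10.50.30", "10.10.50.31", "10.10.50.40", "10.10.50.50"}  # Section 7, before the VFD
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH"}
POLL_THRESHOLD = 100                      # Modbus requests per 60 s window (KYNTIC-006)

def classify(conn, baseline=BASELINE):
    """Per-connection rules (assumed logic). Returns a list of (severity, rule_id, description)."""
    src, dst = ip_address(conn["id.orig_h"]), ip_address(conn["id.resp_h"])
    port, out = conn["id.resp_p"], []
    if dst in OT_SUBNET and src not in OT_SUBNET:          # traffic entering the OT subnet
        if port in REMOTE_ACCESS_PORTS:
            out.append(("Low", "KYNTIC-008", f"{REMOTE_ACCESS_PORTS[port]} to OT device"))
        elif port in ICS_PORTS:
            out.append(("Critical", "KYNTIC-001", "IT-to-OT boundary crossing"))
    if src in OT_SUBNET and str(src) not in baseline:      # OT talker that is not in the baseline
        out.append(("High", "KYNTIC-004", "Unknown device on OT network"))
    return out

def polling_anomalies(conns, threshold=POLL_THRESHOLD):
    """Count Modbus connections per (src, dst) in fixed 60 s windows; flag windows over threshold."""
    windows = Counter()
    for c in conns:
        if c["id.resp_p"] == 502:
            windows[(c["id.orig_h"], c["id.resp_h"], int(c["ts"] // 60))] += 1
    return [("Medium", "KYNTIC-006", f"{src} -> {dst}: {n} requests/60s (threshold: {threshold})")
            for (src, dst, _), n in windows.items() if n > threshold]

def run(lines):
    """Parse NDJSON conn.log lines (skipping // comment lines) and apply all rules."""
    conns = [json.loads(l) for l in lines if l.strip() and not l.startswith("//")]
    return [a for c in conns for a in classify(c)] + polling_anomalies(conns)

# Constructed sample: the first two records are copied from Section 6, the third is synthetic
SAMPLE = [
    '{"ts":1768209263.847,"uid":"CYLk4x1a2bRc4d","id.orig_h":"10.10.50.20","id.orig_p":49152,'
    '"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","conn_state":"SF"}',
    '{"ts":1768293263.441,"uid":"CHTp2z3mNn4o5p","id.orig_h":"192.168.1.105","id.orig_p":49847,'
    '"id.resp_h":"10.10.50.10","id.resp_p":502,"proto":"tcp","service":"modbus","conn_state":"SF"}',
    '{"ts":1768209300.000,"uid":"Cxx0000000001","id.orig_h":"10.10.50.55","id.orig_p":41902,'
    '"id.resp_h":"10.10.50.20","id.resp_p":502,"proto":"tcp","service":"modbus","conn_state":"SF"}',
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

On the three sample records this yields one Critical boundary-crossing finding and one High unknown-device finding; the polling rule only fires once more than 100 Modbus connections from one source to one PLC fall in the same 60-second window.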
Section 7

OT Device Inventory

NERC CIP-010-4 R1, R1.5: Configuration Change Management and Monitoring

All IP addresses observed communicating on the OT subnet during Q1 2026. Devices are compared against the baseline inventory established during the initial 14-day learning period.

IP Address | Device Type | Manufacturer | Model | Role | Status
10.10.50.10 | PLC | Allen-Bradley | CompactLogix 5380 | Pump Station 1 Controller | Baseline
10.10.50.11 | PLC | Allen-Bradley | CompactLogix 5380 | Pump Station 2 Controller | Baseline
10.10.50.12 | PLC | Siemens | S7-1200 | Chemical Dosing Controller | Baseline
10.10.50.20 | HMI | Wonderware | InTouch 2020 R2 | Primary Operator Station | Baseline
10.10.50.21 | HMI | Wonderware | InTouch 2020 R2 | Backup Operator Station | Baseline
10.10.50.30 | Flow Meter | ABB | AquaMaster 4 | Intake Flow Measurement | Baseline
10.10.50.31 | Flow Meter | ABB | AquaMaster 4 | Discharge Flow Measurement | Baseline
10.10.50.40 | RTU | Schneider Electric | SCADAPack 334E | Remote Pump House | Baseline
10.10.50.50 | Analyzer | Honeywell | AQ4000 | Chlorine Residual Analyzer | Baseline
10.10.50.55 | VFD | ABB | ACS580 | PS2 Variable Frequency Drive | New (Feb 18)

Inventory change summary: One device added (ABB ACS580 VFD at 10.10.50.55). Zero devices removed. Zero unauthorized devices detected.

Section 8

NERC CIP Compliance Mapping

Evidence cross-reference for audit preparation

The following table maps each applicable NERC CIP requirement to the specific evidence provided in this report. Hand this table and the referenced sections directly to your auditor.

NERC CIP Standard | Requirement | How Kyntic Satisfies | Evidence
CIP-005-7 R1 | Electronic Security Perimeter monitoring | All IT-to-OT boundary crossings detected and logged with full connection metadata (source, destination, protocol, duration, bytes) | Sections 3, 5 (Alerts 1, 2)
CIP-005-7 R2 | Interactive Remote Access management | All remote access sessions (RDP, VNC, SSH) to OT devices detected, logged, and correlated with maintenance schedules | Section 5 (Alerts 7, 8)
CIP-007-6 R3 | Security Patch Management | Device inventory tracks manufacturer, model, and firmware. Firmware updates logged as maintenance events | Section 7, Section 5 (Alert 6)
CIP-007-6 R4 | Security Event Monitoring | Continuous passive monitoring with 99.7% uptime coverage. 3.38M connections analyzed in Q1. All gaps documented | Section 2
CIP-007-6 R4.2 | Alerting for security events | 8 alerts generated via deterministic rule engine. All investigated and dispositioned within 24 hours | Sections 4, 5
CIP-010-4 R1 | Configuration Change Management | New devices on OT network automatically detected and flagged (KYNTIC-004). Baseline comparison on every connection | Section 5 (Alert 3), Section 7
CIP-010-4 R1.5 | Configuration Monitoring | Continuous inventory monitoring against established baseline. Change summary provided quarterly | Section 7

Section 9

Evidence Integrity & Chain of Custody

Log data preservation and tamper protection

All log data referenced in this report is preserved with the following integrity guarantees. These controls ensure that evidence is admissible for regulatory audit and cannot be altered after collection.

SHA-256 Checksums: Every log bundle is checksummed at the appliance before transmission. The checksum is verified at ingest and stored as S3 object metadata for independent verification.
S3 Object Lock: All log objects are stored with GOVERNANCE mode Object Lock. Objects cannot be deleted or overwritten within the 7-year retention window, even by the account administrator.
Encryption at Rest: Log data is encrypted with AES-256 (SSE-S3) in the S3 bucket. Encryption keys are managed by AWS and rotated automatically.
Encryption in Transit: All appliance-to-cloud communication uses TLS 1.2+ with per-appliance API keys. API keys are stored on the appliance with file mode 600 and never logged.

Log data for this reporting period is stored under the S3 prefix logs/SITE-WTP-01/2026-01-01-00/ through logs/SITE-WTP-01/2026-03-31-23/ and will be retained until Q1 2033.
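
To make the checksum-and-lock workflow above concrete, here is an added Python example (not Kyntic's code) that bundles a 30-minute window of conn.log records, stores the SHA-256 digest as object metadata, sets GOVERNANCE-mode retention for the 7-year window, and re-verifies the digest at ingest so that a bundle altered in transit is rejected. The key layout under logs/SITE-WTP-01/ and the parameter names (which follow boto3's put_object) are assumptions; no upload is performed.

```python
import hashlib
import json
from datetime import datetime, timedelta

RETENTION_DAYS = 7 * 365 + 2   # 7-year window from Section 9; leap days in 2028 and 2032 fall inside

def bundle_records(records):
    """Serialise one 30-minute window of Zeek records as newline-delimited JSON bytes."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records).encode()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def put_object_args(site_id, window, data, ingested_at_iso):
    """Arguments an uploader would hand to S3 put_object (assumed key layout; parameter names
    follow boto3's put_object). ingested_at_iso is an ISO-8601 timestamp with offset."""
    ingested_at = datetime.fromisoformat(ingested_at_iso)
    return {
        "Key": f"logs/{site_id}/{window}/conn.ndjson",
        "Body": data,
        "Metadata": {"sha256": sha256_hex(data)},      # appliance-side checksum kept with the object
        "ObjectLockMode": "GOVERNANCE",
        "ObjectLockRetainUntilDate": ingested_at + timedelta(days=RETENTION_DAYS),
        "ServerSideEncryption": "AES256",              # SSE-S3, as stated in Section 9
    }

def verify_at_ingest(args):
    """Recompute the digest over the received body and compare it to the appliance's value."""
    return sha256_hex(args["Body"]) == args["Metadata"]["sha256"]

# Constructed sample: one record shaped like the Section 6 conn.log entries
RECORDS = [{"ts": 1768209263.847, "uid": "CYLk4x1a2bRc4d", "id.orig_h": "10.10.50.20",
            "id.resp_h": "10.10.50.10", "id.resp_p": 502, "service": "modbus"}]

if __name__ == "__main__":
    args = put_object_args("SITE-WTP-01", "2026-01-12-09", bundle_records(RECORDS),
                           "2026-01-12T09:30:00+00:00")
    print(args["Key"], args["Metadata"]["sha256"], verify_at_ingest(args))
```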

This Report Runs Itself

Every Kyntic client receives a report like this every 90 days. No manual configuration. No analyst required. Plug in the appliance and the evidence starts collecting.

Get Started: $2,500/month. Includes hardware, monitoring, and quarterly reports.