Security

Passive Network Protection & Data Diode Philosophy

Kyntic is engineered for the rigorous safety requirements of critical infrastructure and operational technology (OT) networks. Our monitoring hardware operates on a Data Diode philosophy: it is galvanically isolated at the physical layer to ensure that traffic only flows into the sensor. The hardware is physically incapable of injecting, modifying, or blocking communication within your OT environment. This provides a hardware-rooted guarantee that your industrial processes remain uninterrupted and safe from accidental or malicious interference.

Deterministic & Auditable Detection

In industrial environments, "black box" security is a liability. All alerts generated by Kyntic are based on deterministic, human-readable rules. Unlike unpredictable machine learning models that generate frustrating false positives, our detection engine is transparent and repeatable. While we utilize advanced language models to summarize compliance reports and answer natural language queries, these models have no authority to trigger, suppress, or modify security alerts. This ensures every alert is predictable and easily auditable by your engineering staff.

NERC CIP Evidence Automation & Compliance

Kyntic acts as a "Compliance-as-a-Service" solution, specifically designed to eliminate the manual burden of regulatory auditing. We provide NERC CIP evidence automation, transforming what is typically a 40+ hour quarterly manual task for water and power district managers into a process that takes seconds.

• Automated Evidence Gathering: The system automatically generates the logs and reports required for NERC CIP and other regulatory frameworks.
• Immutable Logs: Once security logs are recorded, they cannot be deleted or modified by any user during the mandatory retention window.
• Versioning & Archiving: We maintain historical versions of data and provide secure, multi-year archiving to ensure records are always available for forensic audits and compliance reviews.

Data Privacy & Metadata Retention

We prioritize the privacy of your operational data. Our analysis engine is configured to never store packet payloads. We only retain high-level connection metadata such as protocol types, timestamps, traffic volume, and specific industrial headers required for security auditing. Your internal process values, PLC registers, and sensitive application data are never captured or transmitted to our cloud environment.

Advanced Encryption Standards

• In Transit: All data moving between your facility and our secure cloud environment is protected by industry-standard encryption protocols. Each device utilizes unique authentication credentials to ensure secure, verified communication.
• At Rest: All stored logs and databases are protected by multi-layered server-side encryption. Local storage on the appliance is further secured via encrypted filesystems to protect against physical tampering.
• Integrity: We use cryptographic checksums to verify the integrity of every data bundle. This ensures that information has not been altered or corrupted during transmission or storage.

System Hardening

Every Kyntic appliance is deployed with a hardened operating system and a minimal attack surface:

• Network Isolation: Inbound traffic is strictly denied by default, and outbound communication is restricted to authorized security endpoints.
• Service Security: Applications run under dedicated, non-privileged accounts with no interactive login capabilities.
• Automated Updates: Security patches are applied automatically to ensure protection against the latest vulnerabilities without requiring manual intervention.
• Kernel Protections: Core system settings are tuned to disable unnecessary networking features and protect against common denial-of-service techniques.

Strict Access Controls

• Least Privilege: Our internal cloud services operate on a "need-to-know" basis, with permissions restricted to the absolute minimum required for each specific task.
• Identity Management: Every appliance and user is managed through unique, individual credentials that can be revoked immediately if necessary.
• Credential Security: Sensitive keys and secrets are managed in specialized, encrypted vaults and are never exposed in application code or environment configurations.

Responsible Disclosure

We value the contributions of the security community. If you discover a potential vulnerability in our platform, please report it through our contact form. We commit to acknowledging all reports promptly and working transparently toward remediation. Kyntic supports the principles of good-faith security research and will not pursue legal action against those who disclose vulnerabilities responsibly.