Cairn overview
OT · ICS · Critical infrastructure

Revoke a compromised device offline — and prove what you did.

Detection tools alert. Microsegmentation blocks network paths. Cairn does a third job: it decides which devices are trusted with no server in the loop, revokes a compromised one while the plant keeps running, and writes every decision to a signed record anyone can replay byte-for-byte — the system-of-record an auditor needs.

WHY THIS MATTERS

96% of 2025 OT security incidents began with an IT-level compromise that then reached the OT network. Once the attacker is inside, two hard things have to happen at once — often while the site is disconnected or air-gapped: revoke the compromised device without taking the plant down, and later prove to an auditor exactly who was trusted and when. Cairn is the layer that does both.

THE EVIDENCE

A real detector, real attack, real ICS data

Three runs: a live Suricata detect→enforce→prove loop on a real Modbus attack, the substrate at scale on real ICS/IIoT captures, and a full integration with a live third-party ICS (GRFICS). Pick a tab.

PROOF · REAL THIRD-PARTY ICS

Fronting a real chemical-process ICS

Not our harness: Cairn was wired onto a live GRFICS / Tennessee Eastman plant (real physics, real Modbus PLCs, real Suricata). It admitted the real fleet with no cloud, cut a flagged attacker off the process offline, and proved every decision — holding at ~45k decisions under load.

cairn-mesh
CAIRN OT -- live integration vs a REAL third-party ICS   (GRFICS / Tennessee Eastman chemical process)
  a real physics-simulated plant · 6 Modbus devices · real Suricata · no cloud in the trust path

[INGEST]  captured live GRFICS Modbus traffic -> 7 real devices, Modbus/TCP
[ADMIT]   7/7 real devices admitted (serverless web-of-trust, no cloud PKI) in ~2 ms, signed audit
[ATTACK]  an unauthorized device reaches the process ................ connect: TRUE
[REVOKE]  a detector flags it -> cairn-otd revokes offline (no server) . re-admit DENIED
[ENFORCE] revoked device quarantined off the OT segment ............. attacker cut off (connect: FALSE)
[PROVE]   independent cairn-verify over the signed audit ........... VERDICT: PROVEN
[SCALE]   40k-host fleet + 5k revocations = 44,963 signed decisions in 9.35 s, 9 rotated segments -> PROVEN

  A real detector, a real plant, a real attack -- Cairn decided trust offline and proved every decision.

How this was validated

What it shows
Cairn integrated end to end with a real, third-party ICS stack (GRFICS v3, the Tennessee Eastman process): ingest the live Modbus fleet, admit it serverlessly, revoke a flagged attacker offline and quarantine it off the OT segment, and prove every trust decision offline with an independent verifier.
Real / synthetic
GRFICS is a real, physics-simulated chemical plant with real Modbus soft-PLCs, a real HMI, and real Suricata (Digital Bond Quickdraw rules). The Cairn engine and cryptography are real. It is emulation — a simulated plant, not a fielded site — run for ~$0 with no hardware.
Under load
A stress run drove 44,963 signed trust decisions (a ~40k-host fleet + 5,000 revocations) in 9.35 s, rotated into 9 sealed segments (RAM-bounded), and the whole series verified PROVEN. It also surfaced and fixed a verifier segment-ordering edge case — the kind of hardening only a real integration exposes.
Honest boundary
Strong TRL-4 / 5-in-emulation. The enforcement action here was a NAC-style segment quarantine; a production site wires Cairn to real 802.1X/NAC/firewall or an inline gateway. And Cairn acts on a detector signal — stock Suricata rules do not flag a legitimate-looking valve write, so the detector must be OT-tuned. Those, plus a real plant + third-party audit, are the pilot.
How it was produced
cairn-otd + cairn-verify (Rust) run against the live GRFICS containers on the ICS segment. Full write-up in the repo (ot/docs/GRFICS_INTEGRATION_STRESS.md); mechanism under NDA.

The honest headline: Cairn's trust-decision + provable-audit substrate integrated with a real ICS, proved every decision offline, and held at ~45k decisions — and stress-testing it made it stronger. Enforcement wiring + detector tuning are the pilot.

HOW IT COMPARES

Three different jobs

The OT security market splits into detection and network segmentation. Cairn is a third thing that sits between your detector and your auditor — additive to what you already own, not a rip-and-replace.

Detection (Claroty · Nozomi · Dragos · Armis)Microsegmentation (Elisity · PacketViper)Cairn
What it doesFinds and alerts on threats and vulnerable assets.Blocks east-west network paths between zones.Decides which devices are trusted and revokes a bad one — by identity, not network path.
When the link is downOn-prem sensors keep watching, but enforcement waits on a human or another tool.Static policy holds, but can’t admit a new device or make a fresh trust call.Admits and revokes with no server in the trust path — fully offline / air-gapped.
Proof for the auditorAlert logs.Policy config.Every trust decision signed + byte-replayable, verified offline by anyone.
RelationshipConsumes a detector’s output; runs alongside both. Complement, not competitor.

Why now. The EU Cyber Resilience Act, NERC CIP, IEC 62443 and NIS2 are all auditable, with penalties — and a compromise that reaches OT is the norm, not the exception. Cairn's signed, independently-replayable ledger is exactly the system-of-record those audits demand: provable provenance of every trust decision, not a log you have to be trusted to believe.

Research basis, drivers & honest novelty

  • • Regulation: EU Cyber Resilience Act (Reg. (EU) 2024/2847) — mandatory security design-to-end-of-life; Notified Bodies by 11 Jun 2026, manufacturer reporting from 11 Sep 2026. Plus NERC CIP, IEC 62443, NIS2 — all auditable.
  • • Data: real ICS/IIoT captures — WUSTL-IIoT-2021, 4SICS (Siemens S7), LANL. Next validation target: CIC-APT-IIoT-2024 (real IIoT lateral-movement ground truth).
  • • Closest prior art: device identity (SPIFFE/SPIRE, IEEE 802.1AR IDevID), onboarding vouchers (FIDO Device Onboard), transparency logs — each depends on a reachable server, CA, or rendezvous.
  • • Honest novelty: the pieces exist; the combination — offline admit and revoke with no server in the trust path, plus a post-quantum, byte-replayable proof of every decision for OT fleets — is what we have not found in a product. The audit-log and device-identity blocks are each active in 2026; the edge is the whole bundle offline with no server, proven end-to-end against a real ICS (GRFICS, above) — the integration, not the crypto. Pointers to prior art welcome.

Evaluating Cairn for an OT / critical-infrastructure site?

Strong TRL-4 / 5-in-emulation; real silicon, a live detection-vendor integration, and a real site are the design-partner pilot. The full stack, datasets and tests are on the Technical Validation page; design, source and formal proofs are under NDA.