Revoke a compromised device offline — and prove what you did.
Detection tools alert. Microsegmentation blocks network paths. Cairn does a third job: it decides which devices are trusted with no server in the loop, revokes a compromised one while the plant keeps running, and writes every decision to a signed record anyone can replay byte-for-byte — the system-of-record an auditor needs.
WHY THIS MATTERS
96% of 2025 OT security incidents began with an IT-level compromise that then reached the OT network. Once the attacker is inside, two hard things have to happen at once — often while the site is disconnected or air-gapped: revoke the compromised device without taking the plant down, and later prove to an auditor exactly who was trusted and when. Cairn is the layer that does both.
THE EVIDENCE
A real detector, real attack, real ICS data
Three runs: a live Suricata detect→enforce→prove loop on a real Modbus attack, the substrate at scale on real ICS/IIoT captures, and a full integration with a live third-party ICS (GRFICS). Pick a tab.
PROOF · REAL THIRD-PARTY ICS
Fronting a real chemical-process ICS
Not our harness: Cairn was wired onto a live GRFICS / Tennessee Eastman plant (real physics, real Modbus PLCs, real Suricata). It admitted the real fleet with no cloud, cut a flagged attacker off the process offline, and proved every decision — holding at ~45k decisions under load.
CAIRN OT -- live integration vs a REAL third-party ICS (GRFICS / Tennessee Eastman chemical process) a real physics-simulated plant · 6 Modbus devices · real Suricata · no cloud in the trust path [INGEST] captured live GRFICS Modbus traffic -> 7 real devices, Modbus/TCP [ADMIT] 7/7 real devices admitted (serverless web-of-trust, no cloud PKI) in ~2 ms, signed audit [ATTACK] an unauthorized device reaches the process ................ connect: TRUE [REVOKE] a detector flags it -> cairn-otd revokes offline (no server) . re-admit DENIED [ENFORCE] revoked device quarantined off the OT segment ............. attacker cut off (connect: FALSE) [PROVE] independent cairn-verify over the signed audit ........... VERDICT: PROVEN [SCALE] 40k-host fleet + 5k revocations = 44,963 signed decisions in 9.35 s, 9 rotated segments -> PROVEN A real detector, a real plant, a real attack -- Cairn decided trust offline and proved every decision.
How this was validated
- What it shows
- Cairn integrated end to end with a real, third-party ICS stack (GRFICS v3, the Tennessee Eastman process): ingest the live Modbus fleet, admit it serverlessly, revoke a flagged attacker offline and quarantine it off the OT segment, and prove every trust decision offline with an independent verifier.
- Real / synthetic
- GRFICS is a real, physics-simulated chemical plant with real Modbus soft-PLCs, a real HMI, and real Suricata (Digital Bond Quickdraw rules). The Cairn engine and cryptography are real. It is emulation — a simulated plant, not a fielded site — run for ~$0 with no hardware.
- Under load
- A stress run drove 44,963 signed trust decisions (a ~40k-host fleet + 5,000 revocations) in 9.35 s, rotated into 9 sealed segments (RAM-bounded), and the whole series verified PROVEN. It also surfaced and fixed a verifier segment-ordering edge case — the kind of hardening only a real integration exposes.
- Honest boundary
- Strong TRL-4 / 5-in-emulation. The enforcement action here was a NAC-style segment quarantine; a production site wires Cairn to real 802.1X/NAC/firewall or an inline gateway. And Cairn acts on a detector signal — stock Suricata rules do not flag a legitimate-looking valve write, so the detector must be OT-tuned. Those, plus a real plant + third-party audit, are the pilot.
- How it was produced
- cairn-otd + cairn-verify (Rust) run against the live GRFICS containers on the ICS segment. Full write-up in the repo (ot/docs/GRFICS_INTEGRATION_STRESS.md); mechanism under NDA.
The honest headline: Cairn's trust-decision + provable-audit substrate integrated with a real ICS, proved every decision offline, and held at ~45k decisions — and stress-testing it made it stronger. Enforcement wiring + detector tuning are the pilot.
HOW IT COMPARES
Three different jobs
The OT security market splits into detection and network segmentation. Cairn is a third thing that sits between your detector and your auditor — additive to what you already own, not a rip-and-replace.
| Detection (Claroty · Nozomi · Dragos · Armis) | Microsegmentation (Elisity · PacketViper) | Cairn | |
|---|---|---|---|
| What it does | Finds and alerts on threats and vulnerable assets. | Blocks east-west network paths between zones. | Decides which devices are trusted and revokes a bad one — by identity, not network path. |
| When the link is down | On-prem sensors keep watching, but enforcement waits on a human or another tool. | Static policy holds, but can’t admit a new device or make a fresh trust call. | Admits and revokes with no server in the trust path — fully offline / air-gapped. |
| Proof for the auditor | Alert logs. | Policy config. | Every trust decision signed + byte-replayable, verified offline by anyone. |
| Relationship | — | — | Consumes a detector’s output; runs alongside both. Complement, not competitor. |
Why now. The EU Cyber Resilience Act, NERC CIP, IEC 62443 and NIS2 are all auditable, with penalties — and a compromise that reaches OT is the norm, not the exception. Cairn's signed, independently-replayable ledger is exactly the system-of-record those audits demand: provable provenance of every trust decision, not a log you have to be trusted to believe.
Research basis, drivers & honest novelty
- • Regulation: EU Cyber Resilience Act (Reg. (EU) 2024/2847) — mandatory security design-to-end-of-life; Notified Bodies by 11 Jun 2026, manufacturer reporting from 11 Sep 2026. Plus NERC CIP, IEC 62443, NIS2 — all auditable.
- • Data: real ICS/IIoT captures — WUSTL-IIoT-2021, 4SICS (Siemens S7), LANL. Next validation target: CIC-APT-IIoT-2024 (real IIoT lateral-movement ground truth).
- • Closest prior art: device identity (SPIFFE/SPIRE, IEEE 802.1AR IDevID), onboarding vouchers (FIDO Device Onboard), transparency logs — each depends on a reachable server, CA, or rendezvous.
- • Honest novelty: the pieces exist; the combination — offline admit and revoke with no server in the trust path, plus a post-quantum, byte-replayable proof of every decision for OT fleets — is what we have not found in a product. The audit-log and device-identity blocks are each active in 2026; the edge is the whole bundle offline with no server, proven end-to-end against a real ICS (GRFICS, above) — the integration, not the crypto. Pointers to prior art welcome.
Evaluating Cairn for an OT / critical-infrastructure site?
Strong TRL-4 / 5-in-emulation; real silicon, a live detection-vendor integration, and a real site are the design-partner pilot. The full stack, datasets and tests are on the Technical Validation page; design, source and formal proofs are under NDA.