Ransomware Contained in 4 Minutes: Protecting Critical Power Infrastructure

How a Midwest energy provider stopped a live ransomware deployment across 14,600 endpoints, including OT/ICS systems

  • 4:22 Ransomware Containment Time (industry avg: 4+ hours)
  • 0 Production Systems Impacted (zero OT disruption)
  • $18M+ Estimated Damage Prevented (based on peer incidents)
  • 14,600 Endpoints Analyzed in Parallel (simultaneously)
Industry: Critical Infrastructure / Energy
Company Size: 8,200 employees, 14,600 endpoints
Location: US Midwest
Security Team: 7 security analysts (SOC) + OT security team
Published: Q3 2025

The Challenge

A regional power grid operator needed comprehensive security coverage across both IT and OT/ICS environments, including legacy operational systems where a security response action could trigger a grid outage.

The Solution

Alaris provided unified IT/OT visibility with environment-aware response policies that could contain threats without triggering operational disruptions, which is critical for infrastructure where downtime is measured in public safety impact.

Critical infrastructure security presents a challenge that doesn't exist in other sectors: the response actions that would contain a threat in an IT environment can cause catastrophic damage if executed in an operational technology environment. Isolating a compromised endpoint from the network is standard incident response procedure. Isolating a SCADA workstation controlling a power substation can trigger a grid outage affecting hundreds of thousands of people. This is the constraint we had to solve for a regional power grid operator managing generation facilities, transmission infrastructure, and distribution systems across a five-state region. And we had to solve it during a live ransomware attack.

The Environment: IT and OT Under One Roof

The client operates one of the larger regional power grid systems in the US Midwest, managing five generation facilities, 340+ transmission substations, and distribution infrastructure covering approximately 2.1 million customers. The security challenge isn't just scale; it's the integration of fundamentally different technology environments with very different security requirements.

The OT/ICS Security Challenge

Operational technology in power grid environments includes SCADA systems, distributed control systems (DCS), and industrial control systems (ICS) running specialized software on legacy platforms, often Windows XP, Windows Server 2008, and custom proprietary systems that cannot be updated without years-long recertification processes.

  • Generation facility control systems: 847 OT endpoints across 5 facilities, most running legacy OS
  • Transmission control systems: 1,240 SCADA endpoints at substations, many without network segmentation from IT
  • Distribution management: 620 field device management endpoints across the service territory
  • Corporate IT: 11,893 standard IT endpoints including workstations, servers, and cloud workloads

A key risk factor: historically, the IT and OT environments at this facility had not been properly segmented. IT and OT networks shared several network segments, and some OT workstations had direct access to both environments. This is an extremely common configuration at utility companies that grew through acquisition, and it's the configuration that ransomware operators specifically target.

Prior to Alaris: Visibility Gaps

Before deployment, the security team had no unified visibility across IT and OT environments. The IT SOC had monitoring for corporate endpoints via their existing EDR and SIEM. The OT security team had asset inventory and basic network monitoring for control systems. But there was no cross-environment correlation: an attacker could establish a foothold in IT, move laterally into OT, and neither team would see the complete attack chain.

In a red team exercise conducted four months before deployment, the red team was able to move from an initial IT compromise to a position of potential OT disruption in 2 hours and 40 minutes, without triggering any automated detection in either environment.

The Deployment: Building Cross-Environment Detection

The Alaris deployment at this client was one of our most technically complex to date. The OT environment required custom integration work that doesn't exist in standard enterprise deployments.

OT-Aware Response Policies

The most critical engineering work was building OT-aware response policies: rules that determine what Alaris can do autonomously in different parts of the environment. Every OT endpoint was classified by operational criticality, from 'safe to isolate' (administrative OT workstations) to 'never isolate, human decision required' (primary control system nodes).

For OT endpoints in the 'never isolate' category, Alaris's response framework was configured to: (1) immediately alert the OT security team and executive on-call with full incident context, (2) execute network-level segmentation to block lateral movement without touching the endpoint, and (3) prepare a human-readable containment options brief with impact assessment for each option.

IT/OT Network Segmentation as a Response Action

A key integration the team built was automated network micro-segmentation: the ability to dynamically adjust firewall rules at the IT/OT boundary to prevent lateral movement between environments, without physically isolating any OT endpoints. This gave Alaris a response option that was safe to execute autonomously, stopping the spread of an attack from IT to OT without risking operational disruption.

The core insight was that you don't have to isolate the OT endpoint to protect it. You just have to prevent anything from reaching it. We built automated network segmentation that can be executed in milliseconds, slower than direct endpoint isolation but operationally safe. That turned out to be exactly what we needed.

OT Security Engineer, Anonymized Energy Client
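As an added illustration (not Alaris's code or the client's configuration), the tier-to-action mapping described under OT-Aware Response Policies and the boundary segmentation used as a response action, combined in one policy function; the tier constants follow the text, while the endpoint records, zone labels and firewall rule syntax are assumptions:

```python
# Added illustration of OT-aware response tiers (not Alaris's code).
# Tier names follow the case study; endpoint records, zone labels and the
# firewall rule syntax are constructed assumptions.
from dataclasses import dataclass, field

SAFE_TO_ISOLATE = "safe_to_isolate"   # administrative OT workstations
NEVER_ISOLATE = "never_isolate"       # primary control nodes: humans decide


@dataclass
class Endpoint:
    name: str
    ip: str
    zone: str    # "it" or "ot"
    tier: str


@dataclass
class Response:
    autonomous: list = field(default_factory=list)      # executed immediately
    boundary_rules: list = field(default_factory=list)  # IT/OT boundary rules
    human_brief: list = field(default_factory=list)     # options left to people


def boundary_block_rule(src_ip: str, dst_zone: str) -> str:
    """Rule text for the IT/OT boundary firewall (constructed syntax)."""
    return f"deny from {src_ip} to zone:{dst_zone} proto any"


def respond(target: Endpoint, attacker_ips: list) -> Response:
    """Choose the containment actions permitted for the target's tier."""
    r = Response()
    # Blocking at the boundary touches no OT endpoint, so it is always allowed.
    for ip in attacker_ips:
        r.boundary_rules.append(boundary_block_rule(ip, target.zone))
    if target.zone == "it" or target.tier == SAFE_TO_ISOLATE:
        r.autonomous.append(f"isolate_endpoint:{target.name}")
    elif target.tier == NEVER_ISOLATE:
        r.autonomous.append(f"page_ot_team_and_exec_oncall:{target.name}")
        r.human_brief = [
            f"Option A: keep {target.name} online; boundary rules already block "
            f"{len(attacker_ips)} attacker IP(s)",
            f"Option B: isolate {target.name} (needs OT operations sign-off; "
            "possible process impact)",
        ]
    else:
        raise ValueError(f"unknown tier {target.tier!r} for {target.name}")
    return r
```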

The Incident: A Live Attack During Deployment

The ransomware attack began on a Tuesday afternoon, approximately 3 weeks into the Alaris deployment, while the system was still in shadow mode for OT assets and full autonomous mode for IT assets. The attack was a Scattered Spider variant, entering through a phishing email that successfully compromised the credentials of a help desk employee.

The Attack Timeline

T+0:00 - Initial Compromise

Phishing email clicked by help desk employee. Credential harvesting payload executed. Account credentials for 3 internal systems exfiltrated.

T+0:04 - Alaris Detection

Alaris detected anomalous authentication patterns from the compromised account: login from a new geolocation and unusual access to admin systems. Alert generated and autonomous investigation initiated.

T+0:07 - Lateral Movement Detected

Attacker used compromised credentials to authenticate to three additional systems. Alaris's behavioral baseline flagged all three authentications as anomalous and escalated to ransomware precursor detection.

T+0:09 - Ransomware Deployment Begins

Ransomware payload executed on the initial compromised workstation and began attempting to spread via SMB. Alaris classified it as an active ransomware deployment and initiated autonomous response.

T+0:11 - Initial Containment

Compromised account suspended across all systems (3.8 sec). Initial workstation isolated from network (4.2 sec). Network segmentation at IT/OT boundary deployed (6.1 sec). OT security team and executive on-call alerted.

T+2:14 - Lateral Movement Blocked

Alaris identified and isolated 8 additional workstations the ransomware had attempted to spread to before containment. All 8 were isolated before encryption could execute.

T+4:22 - Full Containment

All affected endpoints isolated. Ransomware deployment fully contained. Zero OT systems accessed. IT security team briefed. Recovery procedures initiated.

The network segmentation at the IT/OT boundary was deployed in 6.1 seconds, before the ransomware had finished executing on the initial compromised endpoint. The OT environment was protected before the threat even reached it.
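The T+0:04 and T+0:07 detections, as an added example rather than the product's own logic: a per-account baseline of usual login geolocations and hosts, scored over constructed sample authentication log lines, with escalation to a precursor alert once three anomalous authentications accumulate (the log format, account, hosts, geolocations and threshold are assumptions):

```python
# Added illustration of baseline-based authentication anomaly scoring (not
# Alaris's detection logic). Log format, account, hosts, geolocations and
# the escalation threshold are constructed assumptions.
from collections import defaultdict

# Constructed baseline: normal login geolocations and hosts per account.
BASELINE = {
    "helpdesk.jdoe": {"geos": {"US-IL"}, "hosts": {"hd-ws-114", "ticketing-01"}},
}
ADMIN_HOSTS = {"ad-dc-01", "backup-01", "jump-ot-01"}   # high-value systems
PRECURSOR_THRESHOLD = 3   # anomalous auths before "ransomware precursor"

# Constructed sample log: one normal login, then three from a new geo.
SAMPLE_LOG = """\
2025-09-16T14:02:11 auth ok user=helpdesk.jdoe host=hd-ws-114 geo=US-IL
2025-09-16T14:06:40 auth ok user=helpdesk.jdoe host=ad-dc-01 geo=DE-BE
2025-09-16T14:07:03 auth ok user=helpdesk.jdoe host=backup-01 geo=DE-BE
2025-09-16T14:07:29 auth ok user=helpdesk.jdoe host=jump-ot-01 geo=DE-BE
"""

def parse(line: str) -> dict:
    """Split one 'ts auth status key=value ...' line into a dict."""
    ts, _, status, *kv = line.split()
    ev = dict(pair.split("=", 1) for pair in kv)
    ev.update(ts=ts, status=status)
    return ev

def score(ev: dict) -> list:
    """Return the ways an accepted login deviates from the account baseline."""
    base = BASELINE.get(ev["user"], {"geos": set(), "hosts": set()})
    reasons = []
    if ev["geo"] not in base["geos"]:
        reasons.append("new_geolocation")
    if ev["host"] in ADMIN_HOSTS and ev["host"] not in base["hosts"]:
        reasons.append("unusual_admin_access")
    return reasons

def analyze(log: str) -> dict:
    """Score every successful login; escalate accounts past the threshold."""
    counts = defaultdict(int)
    findings = []
    for line in log.splitlines():
        ev = parse(line)
        if ev["status"] != "ok":
            continue          # failed logins belong to a different rule
        reasons = score(ev)
        if reasons:
            counts[ev["user"]] += 1
            findings.append((ev["ts"], ev["user"], ev["host"], reasons))
    escalate = {u for u, n in counts.items() if n >= PRECURSOR_THRESHOLD}
    return {"findings": findings, "escalate": escalate}
```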

What Didn't Happen

It's worth being specific about the damage that was prevented. Post-incident analysis determined that the ransomware variant used had a documented average encryption time of 4 hours and 12 minutes from initial execution to full deployment across a medium-sized network. Had containment taken the industry average of 4+ hours rather than 4 minutes and 22 seconds, the likely outcomes would have been:

  • Encryption of an estimated 2,400–3,800 IT endpoints and file servers
  • Potential OT environment access, given the incomplete network segmentation
  • Estimated ransom demand based on peer incidents: $6–8M
  • Estimated recovery cost and downtime: $10–14M
  • Potential NERC CIP regulatory penalties for grid reliability incidents
  • Potential public safety impact from grid disruption during recovery

Lessons for Critical Infrastructure Security

The energy sector faces a specific set of security constraints that make standard enterprise security approaches insufficient. Based on this deployment and our work across infrastructure organizations, here's what we've learned.

Network Segmentation Is a Response Tool, Not Just a Control

Traditional IT security thinking treats network segmentation as a preventive control, something you put in place to limit blast radius if a compromise occurs. For OT environments, segmentation also needs to work as an active response action: something that can be deployed in real time to stop a spreading attack without touching the OT systems themselves. Building this capability requires pre-integration of your network infrastructure with your response platform.

OT Visibility Cannot Be Optional

The red team exercise before this deployment demonstrated that an attacker can move from IT to OT in under three hours with no detection. In a sector where OT compromise can cause public safety incidents, partial visibility isn't a reasonable risk posture. The investment in OT-capable security monitoring is not optional for critical infrastructure operators.

Classify Before You Deploy

The OT endpoint classification work done before deployment, assigning every OT endpoint to a criticality tier and defining what autonomous response actions are permitted, was the single most important preparation step. Without this classification, autonomous response would either be too aggressive (risking operational disruption) or too conservative (failing to contain attacks). The classification takes time and requires deep collaboration with the OT operations team. It is not optional.

Following this incident, the client shared their IT/OT security architecture and Alaris integration approach with three peer utilities in the region. Two have since deployed Alaris. The third is in procurement. The energy sector is beginning to recognize that AI-native security is not optional for critical infrastructure protection.
