Substations, water intakes, telecom huts, pipeline pump stations, and data center perimeters are unmanned 23 hours a day. Cameras barely work because of bandwidth. Cellular barely works because of coverage. The site sits exposed between truck-roll inspections. Digital Tripwire deploys a forensic device-level layer that runs on cellular IoT, captures the device cluster of every approach, and reports the data even when the rest of the site infrastructure has gone dark.
Request a Site BriefingCritical infrastructure sites are physically exposed in ways that no other vertical is exposed. A substation is a fenced gravel lot in a rural county with one truck-roll inspection per week. A water treatment intake sits on a riverbank an hour from the nearest dispatcher. A telecom hut on a hilltop has no public road access. A pipeline pump station spans hundreds of acres of pasture. The standard physical security toolkit (cameras, motion alarms, perimeter lighting) was designed for buildings on city lots with broadband connections and security guards on shift. It was not designed for the reality of the modern grid.
The result is a generation of sites that are catastrophically under-monitored. Substation attacks have escalated since the Metcalf incident in 2013, and recent multi-state coordinated incidents show the threat is not theoretical. Water intakes have documented contamination attempts that went undiscovered for hours. Telecom copper theft happens weekly. Cameras catch silhouettes, when they catch anything at all. Digital Tripwire was built to function exactly where the existing toolkit fails: cellular IoT, multi-year battery, weatherproof outdoor design, no on-site network required.


Digital Tripwire deploys with weatherproof solar-and-battery nodes mounted to fence posts, transformer pads, control house exteriors, perimeter gates, equipment compounds, intake structures, telecom shelter exteriors, and pipeline access points. The hub sits inside the control house or, for unmanned sites, in a small dedicated enclosure with cellular and solar power. The deployment is engineered for outdoor exposure across temperature extremes, rural cellular coverage gaps, and the absence of on-site personnel.
When a node detects motion or proximity, it scans every Bluetooth and Wi-Fi device within 10 feet and writes the result to a tamper-evident encrypted log. MAC address, signal strength, timestamp. Uploaded over LTE-M cellular, with store-and-forward buffering for sites with intermittent coverage. The vehicle that pulled up to the substation gate at 1:48am, the two device clusters that walked the fence line, the third that stayed in the truck, all logged, all hash-signed. The data exists even if the site goes dark.
Nodes embedded at perimeter fences, transformer pads, control house exteriors, equipment compounds, and remote site approaches create a forensic device-level layer that operates on cellular IoT and survives where standard security infrastructure fails.
Strategic node placement covers the high-risk approach zones across the major critical infrastructure site types. Designed for unmanned remote operation, cellular IoT communication, and the regulatory frameworks that govern each sector.
Coordinated attacks on substations, water systems, and pipelines do not start with the attack. They start with reconnaissance: a vehicle that drives past at unusual hours, foot traffic along the fence line in the days before, repeated approaches that map the camera coverage and the response time. The patterns are documented in every successful attack post-mortem. The patterns are detectable. The data has historically been impossible to capture because the existing site infrastructure was not designed to capture it.
Digital Tripwire captures it. The same vehicle device cluster appearing at three different substations across the operating territory in the two weeks before a coordinated attack is a pre-attack indicator no current system surfaces. Cross-site MAC pattern matching across a utility's full asset portfolio turns this from a forensic exercise after the attack into a defensive intelligence layer before it. The same capability applies across water utilities, telecom networks, pipeline regions, and data center campuses. Each sector has different regulators. The forensic data layer is the same.


Every critical infrastructure site is built around scheduled maintenance access. Utility crews, contractor teams, regulatory inspectors, and vendor technicians all have legitimate reasons to enter. Every successful insider-threat incident at a critical site has used exactly this framework: a person with authorized credentials, on a scheduled work order, with physical access to control infrastructure. The badge log shows them at the gate. The work order shows the authorized scope. Neither shows whether the work performed matched the work authorized, or whether unauthorized devices were brought into the control house.
Digital Tripwire produces the missing layer. Per-site proximity logs cross-referenced against the work order management system surface patterns the access logs alone cannot. The contractor whose device cluster spent forty minutes in the control house when the work order was for a transformer inspection. The vendor technician whose secondary device matches one seen at a competitor utility two months earlier. The patterns exist in the data. The data has not historically existed in a form operators could query. Now it does.
Critical infrastructure security is governed by sector-specific regulatory frameworks, each with its own physical security mandates and reporting requirements. Electric utilities, water utilities, pipelines, and data centers each answer to a different authority, each with mandatory perimeter monitoring, access control, and incident reporting obligations. CISA provides voluntary cross-sector frameworks, and federal investigation runs through the FBI and the sector-specific ISACs.
Digital Tripwire is engineered against this regulatory stack from the start. The export package, the chain-of-custody framework, and the audit log are built for the authorities that the sector evaluator already knows how to read. Deployment is structured to satisfy the documented physical security requirements of each framework, and the cross-site pattern matching capability is designed for sector-specific intelligence sharing through the appropriate ISAC.

| Capability | Digital Tripwire | Existing Layer |
|---|---|---|
| Identifies devices, not silhouettes | ✓ | - |
| Operates without site bandwidth | LTE-M cellular | Requires backhaul |
| Solar-and-battery for unmanned sites | ✓ | Wired power |
| Pre-attack reconnaissance detection | ✓ | - |
| Cross-site portfolio pattern matching | ✓ | - |
| Detects insider maintenance threats | ✓ | Limited |
| NERC CIP-014 ready | Yes | Varies |
| Federal evidentiary export | CSV / JSON + hash | Varies |
| Survives site power loss | ✓ | Often fails |
Operator pricing scaled to site count and classification. Pilot 5-10 critical sites in 90-180 days. Cellular IoT operation, cross-site pattern matching, NERC CIP-014 ready documentation, federal evidentiary export.
Request a Site Briefing