How It Works Enterprise Solutions Use Cases Where It Goes Plans Become a Partner Pre-Order My Account
Critical Infrastructure Security

A Substation Went Dark
at 2:03am. The Camera
Caught a Truck,
Not the Driver.

Substations, water intakes, telecom huts, pipeline pump stations, and data center perimeters are unmanned 23 hours a day. Cameras barely work because of bandwidth. Cellular barely works because of coverage. The site sits exposed between truck-roll inspections. Digital Tripwire deploys a forensic device-level layer that runs on cellular IoT, captures the device cluster of every approach, and reports the data even when the rest of the site infrastructure has gone dark.

Request a Site Briefing
The Problem
Cameras Need Bandwidth.
Substations Don't Have Any.

Critical infrastructure sites are physically exposed in ways that no other vertical is exposed. A substation is a fenced gravel lot in a rural county with one truck-roll inspection per week. A water treatment intake sits on a riverbank an hour from the nearest dispatcher. A telecom hut on a hilltop has no public road access. A pipeline pump station spans hundreds of acres of pasture. The standard physical security toolkit (cameras, motion alarms, perimeter lighting) was designed for buildings on city lots with broadband connections and security guards on shift. It was not designed for the reality of the modern grid.

The result is a generation of sites that are catastrophically under-monitored. Substation attacks have escalated since the Metcalf incident in 2013, and recent multi-state coordinated incidents show the threat is not theoretical. Water intakes have documented contamination attempts that went undiscovered for hours. Telecom copper theft happens weekly. Cameras catch silhouettes, when they catch anything at all. Digital Tripwire was built to function exactly where the existing toolkit fails: cellular IoT, multi-year battery, weatherproof outdoor design, no on-site network required.

$15B+
Annual U.S. critical
infrastructure attacks
55K+
U.S. substations
at distribution level
23hr
Avg. unattended
window per site
7+
Coordinated U.S. substation
attacks since 2022
Remote substation at night
Digital Tripwire nodes deployed at substation
The Solution
Every Approach, Every Fence Breach,
Every Bay Logs Who Was There.

Digital Tripwire deploys with weatherproof solar-and-battery nodes mounted to fence posts, transformer pads, control house exteriors, perimeter gates, equipment compounds, intake structures, telecom shelter exteriors, and pipeline access points. The hub sits inside the control house or, for unmanned sites, in a small dedicated enclosure with cellular and solar power. The deployment is engineered for outdoor exposure across temperature extremes, rural cellular coverage gaps, and the absence of on-site personnel.

When a node detects motion or proximity, it scans every Bluetooth and Wi-Fi device within 10 feet and writes the result to a tamper-evident encrypted log. MAC address, signal strength, timestamp. Uploaded over LTE-M cellular, with store-and-forward buffering for sites with intermittent coverage. The vehicle that pulled up to the substation gate at 1:48am, the two device clusters that walked the fence line, the third that stayed in the truck, all logged, all hash-signed. The data exists even if the site goes dark.

  • Weatherproof solar-and-battery design for unmanned outdoor sites
  • LTE-M cellular with store-and-forward for coverage gaps
  • Cross-site MAC pattern matching, NERC CIP-014 and TSA Pipeline aligned
The Node Ecosystem
Hidden in the Fence Line. Built
for the Sites Cameras Can't Reach.

Nodes embedded at perimeter fences, transformer pads, control house exteriors, equipment compounds, and remote site approaches create a forensic device-level layer that operates on cellular IoT and survives where standard security infrastructure fails.

Tap any node to see what it protects
Placement Guide
8 Spots Across Every Site Type

Strategic node placement covers the high-risk approach zones across the major critical infrastructure site types. Designed for unmanned remote operation, cellular IoT communication, and the regulatory frameworks that govern each sector.

F
Perimeter Fence
Fence post mount. NERC CIP-014 perimeter monitoring.
T
Transformer Pad
Inside cabinet. Highest-value asset protection.
C
Control House
Inside door frame. Cyber-physical attack defense.
G
Access Gate
Inside gate housing. Truck-roll and unauthorized entry.
S
Telecom Shelter
Mounted to exterior. Copper theft and equipment tampering.
W
Water Intake
Pole mount. AWIA compliance and contamination defense.
P
Pipeline Pump
Inside cabinet. TSA Pipeline Security Directive.
D
Data Center Perimeter
Fence and bay mount. SOC 2 and Uptime Tier supplement.
Physical Attack & Reconnaissance
The Attack Was Tuesday Night.
The Reconnaissance Was
Three Weeks Earlier.

Coordinated attacks on substations, water systems, and pipelines do not start with the attack. They start with reconnaissance: a vehicle that drives past at unusual hours, foot traffic along the fence line in the days before, repeated approaches that map the camera coverage and the response time. The patterns are documented in every successful attack post-mortem. The patterns are detectable. The data has historically been impossible to capture because the existing site infrastructure was not designed to capture it.

Digital Tripwire captures it. The same vehicle device cluster appearing at three different substations across the operating territory in the two weeks before a coordinated attack is a pre-attack indicator no current system surfaces. Cross-site MAC pattern matching across a utility's full asset portfolio turns this from a forensic exercise after the attack into a defensive intelligence layer before it. The same capability applies across water utilities, telecom networks, pipeline regions, and data center campuses. Each sector has different regulators. The forensic data layer is the same.

  • Pre-attack reconnaissance pattern detection
  • Cross-site MAC pattern matching for coordinated multi-site attack indicators
  • FBI, CISA, E-ISAC, WaterISAC, ONG-ISAC ready exports
Substation perimeter and security infrastructure
Utility maintenance crew at substation
Insider Threat & Maintenance Access
The Hardest Threat to Detect
at a Critical Site Is the One
Carrying Authorized Credentials.

Every critical infrastructure site is built around scheduled maintenance access. Utility crews, contractor teams, regulatory inspectors, and vendor technicians all have legitimate reasons to enter. Every successful insider-threat incident at a critical site has used exactly this framework: a person with authorized credentials, on a scheduled work order, with physical access to control infrastructure. The badge log shows them at the gate. The work order shows the authorized scope. Neither shows whether the work performed matched the work authorized, or whether unauthorized devices were brought into the control house.

Digital Tripwire produces the missing layer. Per-site proximity logs cross-referenced against the work order management system surface patterns the access logs alone cannot. The contractor whose device cluster spent forty minutes in the control house when the work order was for a transformer inspection. The vendor technician whose secondary device matches one seen at a competitor utility two months earlier. The patterns exist in the data. The data has not historically existed in a form operators could query. Now it does.

Regulatory Framework Stack
Built for the Sector-Specific
Authorities.

Critical infrastructure security is governed by sector-specific regulatory frameworks, each with its own physical security mandates and reporting requirements. Electric utilities, water utilities, pipelines, and data centers each answer to a different authority, each with mandatory perimeter monitoring, access control, and incident reporting obligations. CISA provides voluntary cross-sector frameworks, and federal investigation runs through the FBI and the sector-specific ISACs.

Digital Tripwire is engineered against this regulatory stack from the start. The export package, the chain-of-custody framework, and the audit log are built for the authorities that the sector evaluator already knows how to read. Deployment is structured to satisfy the documented physical security requirements of each framework, and the cross-site pattern matching capability is designed for sector-specific intelligence sharing through the appropriate ISAC.

NERC CIP-014 NERC CIP-006 TSA Pipeline AWIA CISA CFATS SOC 2 E-ISAC / ONG-ISAC
Regulatory documentation and compliance review
The Difference
Cameras & Perimeter Alarms vs. Digital Tripwire
CapabilityDigital TripwireExisting Layer
Identifies devices, not silhouettes-
Operates without site bandwidthLTE-M cellularRequires backhaul
Solar-and-battery for unmanned sitesWired power
Pre-attack reconnaissance detection-
Cross-site portfolio pattern matching-
Detects insider maintenance threatsLimited
NERC CIP-014 readyYesVaries
Federal evidentiary exportCSV / JSON + hashVaries
Survives site power lossOften fails
Operator FAQ
Common Questions
How does this work at a remote site with no power and no network?+
The system is engineered for exactly that environment. Outdoor fixed nodes use a weatherproof solar-and-battery design with multi-week battery autonomy in low-light conditions. Communication is LTE-M cellular, which has significantly better rural coverage and building penetration than standard LTE. For sites without any cellular coverage at all, the node stores scan data locally and synchronizes when a maintenance truck-roll arrives in cellular range. The data is never lost. The deployment moves with the site, which is fundamentally different from a hard-wired camera system that requires backhaul.
How does this satisfy NERC CIP-014 perimeter monitoring requirements?+
NERC CIP-014 requires perimeter monitoring, access control, and incident response for physical security of bulk electric system assets identified as critical. Digital Tripwire is engineered to supplement existing CIP-014 compliance with a forensic device-level layer that the standard does not currently mandate but increasingly recommends. The proximity log produces hash-signed records for every approach event and every access event, which is exactly the documentation reviewers want for the access control and incident response components. We work with utility compliance teams during deployment to ensure the system is documented as a supplement to existing CIP-014 controls, not as a replacement for them.
What about coordinated multi-site attack indicators?+
Cross-site pattern matching across the operator's full asset portfolio is the highest-value capability of the system in this vertical. When the same vehicle device cluster appears at three different substations within an operating territory in the days before a coordinated attack, that is detectable in the proximity data, and that detection is the difference between forensic post-mortem and defensive intelligence. The system supports opt-in cross-operator pattern sharing through the appropriate ISAC (E-ISAC for electric, WaterISAC for water, ONG-ISAC for oil and gas), with hashed identifier sharing that protects operator data while enabling sector-wide threat detection.
How does this handle authorized maintenance and contractor access?+
Authorized maintenance is the dominant access pattern at most critical infrastructure sites, and the system is designed to identify normal operational patterns first and flag deviations from them. Per-site proximity logs cross-reference against work order management systems (Maximo, SAP PM, vendor portals) to surface the routine and isolate the anomalous. Authorized contractor crews show as expected patterns. Unauthorized after-hours access, contractor device clusters appearing at sites not on the work order, or maintenance work performed outside the documented scope all surface as deviations that warrant operator review.
Can a maintenance contractor or insider disable the nodes?+
Tamper events are themselves logged. Removing a node, blocking its signal, or attempting to disable it generates an immediate alert with the timestamp and device list at the moment of tampering. Logs are uploaded over LTE-M and stored off-site, so they cannot be deleted by anyone with site access or contractor-level credentials. The system is designed under the explicit assumption that the threat may include personnel with authorized site access, which is appropriate for a sector where insider threat is a documented concern under both NERC and CISA frameworks.
How do we deploy across hundreds of sites?+
Utility, pipeline, and telecom deployments are designed for full-portfolio rollouts, which is where the cross-site pattern matching value compounds. Each site gets a hub and a node kit sized to the site footprint and risk classification. Hubs auto-provision over LTE-M on first power-up. No site-level IT involvement required. Most operator pilots are 5-10 sites across the highest-risk classification (typically NERC-designated critical substations or Tier 1 water intakes) for 90-180 days, with cross-site pattern matching enabled, then a phased rollout across the asset portfolio. Contact us for sector-specific scoping.
Pilot Digital Tripwire
Your Sites Deserve
a Witness.

Operator pricing scaled to site count and classification. Pilot 5-10 critical sites in 90-180 days. Cellular IoT operation, cross-site pattern matching, NERC CIP-014 ready documentation, federal evidentiary export.

Request a Site Briefing