A major regional electric utility operating regulated transmission and distribution assets across multiple U.S. states received an intelligence notification from a federal partner indicating that indicators of compromise (IOCs) associated with a known nation-state threat actor had been observed in traffic attributable to the utility's network. The utility's internal security team lacked specialized OT/ICS forensic capability and engaged Law & Forensics through outside counsel to lead the incident response under privilege. The engagement required simultaneous management of three competing imperatives: forensic thoroughness, operational safety, and regulatory compliance.
The Situation
Incidents in OT environments present risks that are categorically different from IT-only intrusions. Standard incident-response playbooks — isolating affected systems, pulling forensic images, rebooting to clean states — can cause cascading failures in grid-connected environments. The threat actor in this case had demonstrated, in prior campaigns against other utilities, the capability and willingness to manipulate OT systems to cause physical effects. Any eviction strategy that triggered an uncontrolled grid event would have caused harm to the utility's customers and exposed the company to significant regulatory and legal liability.
At the same time, NERC CIP standards imposed strict timelines for incident reporting to the E-ISAC, and the utility's board required a clear, written factual record before any regulatory submission could be made.
Our Approach
Law & Forensics structured the response around a phased, IT-before-OT forensic methodology, ensuring that the threat actor's full kill chain was mapped before any eviction actions were taken in the OT environment.
IT Environment Forensics. The team began with the utility's corporate IT network, identifying the initial access vector — a spear-phishing email delivering a commodity loader that had been modified with custom OT-targeting modules. Lateral movement analysis traced the threat actor's progression through IT infrastructure over a multi-month period, identifying credential harvesting activity, command-and-control (C2) infrastructure, and the specific IT/OT boundary crossing points exploited.
OT/ICS Forensic Investigation. Using passive network capture analysis and endpoint artifacts collected through OT-safe acquisition techniques, the team mapped the threat actor's presence within the ICS/SCADA environment. Two previously unidentified footholds — one on a historian server and one on an engineering workstation with direct PLC programming access — were discovered. Neither had been flagged by existing OT monitoring tooling.
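One way to carry out the passive capture analysis described above, as an added example that is neither Law & Forensics' tooling nor part of the original case study: flow records exported from a span port or tap are classified by the network zone of their source and destination, and any session that crosses the IT/OT boundary outside the allowed path, or that leaves the OT zone for the internet, is flagged. The zone ranges, the allowlisted jump host, the hostnames and the flow records below are constructed assumptions, not data from the engagement.

```python
"""Passive flow-record review for IT/OT boundary crossings.

Added example, not Law & Forensics' tooling: classify each flow by the zone of
its source and destination and surface the crossings a segmented utility
network should never show. Zone ranges, the allowed jump host and the sample
flows are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed zone map (assumed; a real review takes these from the network design).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/16"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed policy: only the DMZ jump host may originate sessions into the OT zone.
ALLOWED_OT_INGRESS = {"10.20.0.5"}

# Constructed flow records: "timestamp,src_ip,dst_ip,dst_port,bytes"
SAMPLE_FLOWS = """\
2024-03-01T02:10:05Z,10.30.1.40,10.30.1.10,502,812
2024-03-01T02:11:17Z,10.20.0.5,10.30.1.40,3389,51230
2024-03-01T02:12:44Z,10.10.4.22,10.30.1.20,445,10944
2024-03-01T02:12:51Z,10.10.4.22,10.30.1.40,3389,77210
2024-03-01T02:13:30Z,10.20.0.9,10.30.1.40,22,4100
2024-03-01T02:15:00Z,10.30.1.20,203.0.113.77,443,1450
2024-03-01T02:20:00Z,10.10.7.9,10.10.7.10,443,3300
"""


def zone_of(ip):
    """Return the zone name for an address, or 'EXT' for anything outside the enterprise ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXT"


def parse_flows(text):
    """Parse the CSV-style flow export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(port), "bytes": int(nbytes)})
    return records


def classify(flow):
    """Label a flow against the zone policy; return None for permitted traffic."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    # Anything entering OT from another zone must come from the jump host.
    if dz == "OT" and sz != "OT" and flow["src"] not in ALLOWED_OT_INGRESS:
        return "IT_TO_OT_DIRECT" if sz == "IT" else "UNAUTHORIZED_OT_INGRESS"
    # OT hosts have no business reaching the internet; this is how beaconing shows up.
    if sz == "OT" and dz == "EXT":
        return "OT_EGRESS_TO_INTERNET"
    return None


def find_boundary_crossings(text):
    """Return the flagged flows and, per OT host, the outside sources that reached it."""
    flagged = []
    touched = defaultdict(set)
    for flow in parse_flows(text):
        label = classify(flow)
        if label:
            flagged.append((flow["ts"], label, flow["src"], flow["dst"], flow["dport"]))
            if label != "OT_EGRESS_TO_INTERNET":
                touched[flow["dst"]].add(flow["src"])
    return flagged, dict(touched)


if __name__ == "__main__":
    flagged, touched = find_boundary_crossings(SAMPLE_FLOWS)
    for row in flagged:
        print(*row)
    for host, sources in sorted(touched.items()):
        print(f"{host} reached from outside OT by: {', '.join(sorted(sources))}")
```

The per-host summary is the part an investigator reads first: it lists which OT assets were reached from IT or from an unapproved DMZ host, which is how a historian or engineering workstation that monitoring tooling never flagged becomes a candidate for endpoint artifact collection.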
Coordinated Threat Eviction. Law & Forensics worked directly with the utility's grid operations team to design a sequenced eviction plan tied to a scheduled maintenance window, allowing isolation and remediation of affected OT systems without live-grid exposure. The plan included pre-positioned clean-state images and a tested rollback procedure.
Regulatory Reporting Support. The firm's regulatory counsel team prepared the NERC CIP E-ISAC mandatory disclosure and coordinated information sharing with CISA, ensuring the utility met its reporting obligations while protecting privileged investigative findings.
The Impact
Complete threat eviction was achieved during the planned maintenance window with no grid events, no customer impact, and no operational disruptions. The 11-month intrusion timeline — one of the longest confirmed OT dwell times documented in the utility's sector — was fully reconstructed and documented in a board-ready forensic report.
The NERC CIP disclosure was filed on time. CISA incorporated the utility's IOCs into a sector-wide advisory that benefited peer utilities. The utility subsequently engaged Law & Forensics to redesign its OT network segmentation architecture and implement a persistent OT monitoring program.
Related Practice Area
Cybersecurity Services — OT/ICS and Critical Infrastructure Incident Response; Nation-State Threat Investigations; Regulatory Compliance and Mandatory Disclosure; Threat Intelligence Integration