Asset Fuel Materials Diversion
Fuel Vs Engine Hours Outliers
Fuel consumption scales with engine hours. Points cluster on a predictable trend.
Night Time Refuels On Same RFID
Overnight refuels are minimal and evenly distributed. Bars remain low.
In Out Weight Deltas Spike
Your weighbridge is vulnerable to manipulation. The series shows sustained positive deltas far above tolerance.
Device-fingerprint solution: Binds weighbridge consoles and sessions to trusted hardware to limit tampering.
See: https://www.crossclassify.com/solutions/device-fingerprint/
One Grade Distribution Shifts
Your grade reporting is vulnerable to blending fraud. A new low-grade tail appears in the distribution.
Behavioral-biometrics solution: Detects unusual operator editing or sampling behavior linked to grade drift.
See: https://www.crossclassify.com/solutions/behavioral-biometrics/
Inventory Adjustments By User At Odd Hours
Your warehouse is vulnerable to hidden shrinkage. One user clusters adjustments late at night.
Account-takeover solution: Catches compromised or shared accounts performing after-hours inventory edits.
See: https://www.crossclassify.com/solutions/account-takeover/
High Returns By Same User
Returns are low and evenly spread. Bars show no stand-out user.
Identity And Access
New Logins At Atypical Mine Site X Hours Before Privileged Actions
Your app is vulnerable to ATO patterns across sites. The heatmap shows spikes at unusual hours for a site that the account rarely touches.
Account-takeover solution: Detects risky logins from unusual sites or hours before privileged actions.
See: https://www.crossclassify.com/solutions/account-takeover/
Spike In Failed Logins Followed By A Success
Failures remain flat and do not precede any rebound in successes. The trend lines are steady without takeover signatures.
Privilege Escalation Outside Change Window
Your app is vulnerable to off-window admin abuse. The line shows escalations clustering well outside approved windows.
MFA solution: Enforces step-up authentication and approvals for admin elevation outside planned windows.
See: https://www.crossclassify.com/solutions/account-takeover/
Same Admin Credential Used On Many Endpoints
Credentials map cleanly to few hosts. Bars are low and even.
VPN Sessions From New ASN Prior To Config Change
Contractor traffic comes from known ASNs. The new-ASN series stays near zero.
One Contractor Hits Many Sites In A Single Shift
Access is contained to one site per shift. Bars are mostly at one.
IoT Sensor And Telemetry Fraud
Sensor Diverges From Ambient Physics
Your telemetry is vulnerable to spoofed readings. The sensor line spikes while ambient remains stable.
Device-fingerprint solution: Confirms sensor identity and flags spoofed devices.
See: https://www.crossclassify.com/solutions/device-fingerprint/
Flatline Despite Operational Variance
Variance remains above zero during operations. The rolling band breathes with activity.
Truck Speed Exceeds Safe Threshold
Your fleet tracking is vulnerable to spoofing or reckless driving. The series crosses the threshold sharply.
Behavioral-biometrics solution: Profiles driver interaction and motion patterns to flag unsafe anomalies.
See: https://www.crossclassify.com/solutions/behavioral-biometrics/
Teleport Distances Between Pings
Your fleet tracking is vulnerable to GPS manipulation. Distance jumps indicate impossible movement between pings.
Device-fingerprint solution: Binds GPS data to trusted hardware to reduce spoofing.
See: https://www.crossclassify.com/solutions/device-fingerprint/
Reading Cluster At Regulation Edge
Values distribute normally around operating mean. The limit line is not a mode.
Post Collection Edits To Telemetry
Edits are rare and documented long after capture. The table shows low counts and healthy delays.
record_id | metric | edited_by | minutes_after_collection |
---|---|---|---|
R-10012 | PM2.5_mg_m3 | env_officer1 | 1440 |
R-10047 | NOx_ppm | qa_lead | 2880 |
R-10103 | SO2_ppm | system | 360 |
OT Network And ICS Integrity
Elevated Writecoil Or Stop Counts
Your plant network is vulnerable to malicious write/stop operations. The bar chart shows abnormal write and stop frequencies.
MFA solution: Requires dual control and step-up authentication for sensitive control commands.
See: https://www.crossclassify.com/solutions/account-takeover/
Run Stop Fired During Active Production
Control commands do not occur during peak throughput. The lines remain decorrelated.
Modbus Polling Surge For One Node
Your plant network shows scraping or brute polling. One node’s polling rate surges far above peers.
Detects automated high-rate polling against ICS endpoints.
Industrial Protocol On Unexpected Port
Protocols map to standard ports. The table shows no outliers.
timestamp | source | protocol | dest_port |
---|---|---|---|
2025-08-18T01:15:00Z | hmi-01 | modbus | 502 |
2025-08-18T03:40:00Z | plc-02 | dnp3 | 20000 |
2025-08-18T05:10:00Z | eng-station-1 | opcua | 4840 |
2025-08-18T06:20:00Z | hist-collector | modbus | 502 |
Checksum Or Signature Changed
Device checksums and signatures match baseline. The table shows “Signed = Yes” and unchanged digests.
device | fw_version | checksum_before | checksum_after | signed |
---|---|---|---|---|
plc-01 | 1.2.3 | a9c1f3...42b | a9c1f3...42b | Yes |
plc-02 | 1.2.3 | bb77ee...19a | bb77ee...19a | Yes |
rtu-07 | 3.4.1 | c0ffee...dad | c0ffee...dad | Yes |
hmi-01 | 2.0.0 | deadbe...ef0 | deadbe...ef0 | Yes |
Unsigned Firmware Uploads By Month
Your ICS is accepting unsigned payloads. Recent months show elevated counts.
Continuous monitoring for unsigned firmware uploads is recommended.
Procurement Payroll And Safety
Invoices Just Under Approval Threshold
Invoice amounts distribute naturally around thresholds. The counts are even.
Same Bank Account By Multiple Vendors
Your payables are vulnerable to shell vendors. The network shows repeated accounts across different vendors.
Account-opening solution: Flags duplicate beneficiaries and enforces KYB before payouts.
See: https://www.crossclassify.com/solutions/account-opening/
Badge In Without Geofence Confirmation
Entries show valid geofence hits. The table lists “Yes” for access checks.
employee | badge_time | site | Geofence_Hit |
---|---|---|---|
emp1 | 2025-08-18T06:55:00Z | Pit-A | Yes |
emp2 | 2025-08-18T07:02:00Z | Pit-B | Yes |
emp3 | 2025-08-18T06:59:00Z | Mill-1 | Yes |
emp4 | 2025-08-18T07:05:00Z | Mill-2 | Yes |
emp5 | 2025-08-18T06:50:00Z | Plant | Yes |
emp6 | 2025-08-18T07:10:00Z | Warehouse | Yes |
emp7 | 2025-08-18T06:57:00Z | Pit-A | Yes |
emp8 | 2025-08-18T07:03:00Z | Plant | Yes |
Identical Timestamp Patterns Across Employees
Activity varies by person and day. The heatmap lacks synchronized spikes.
Bulk Submissions In A Burst Minute
Your safety records are vulnerable to post-hoc form fills. One minute shows a large submission burst.
Bot-attack solution: Stops bulk auto-submitted inspection forms.
Expired Or Near Expired Certification Used
Your site is exposed to compliance risk. Negative day counts indicate expired certificates in use.
employee | cert | days_to_expiry |
---|---|---|
emp2 | MSHA_SiteSafety | -3 |
emp3 | FirstAid_L1 | 5 |
emp4 | Rigging_Safe | -1 |
emp5 | ConfinedSpace | 2 |
emp6 | Electrical_LowV | 0 |
emp7 | Forklift_Op | -10 |
MFA solution: Requires step-up authentication and gate checks to block logins that use expired credentials.
See: https://www.crossclassify.com/solutions/account-takeover/