SCADA Vulnerability Assessment & Penetration Testing

Learn how Orro helped a local council identify several security risks via vulnerability assessment and penetration testing services to increase the organisation’s security maturity.

SCADA Cyber Security Assessment

Challenge

A QLD Regional Council had upgraded their telecommunications and corporate IT environment and was embarking on a number of Digitisation strategies under their Smart City agenda. It was realised that this would also impact their SCADA infrastructure, specifically water reticulation and treatment.

What was unknown within this environment was any Cyber security vulnerabilities and the risks posed by such security weaknesses if successfully exploited by persons with malicious intent.

Additionally, the Council was interested in carrying out a phishing campaign to identify user awareness and then trend increased awareness over a 12 month period.

Solution

Orro was engaged to perform a vulnerability assessment and penetration test against the nominated water reticulation and treatment infrastructure. Using our defined methodology for assessing Critical Infrastructure, we identified technical vulnerabilities within the SCADA environment and completed a penetration test from there, back into the Corporate network. Potential risks were confirmed and documented, showing sample attack and exploitation steps, along with a prioritised list of recommendations for risk mitigation.

The phishing campaign identified and confirmed the current awareness levels for phishing type attacks against Council staff and provided training material should a user be phished, in order to increase staff awareness around these attack methods.

Furthermore, a Orro Principal Consultant provided advisory services directly to the CIO post the engagement to assist with delivering key information to internal stakeholders and communicate with the Council’s service providers and partners.

Outcome

The vulnerability assessment and penetration testing identified a number of security risks which did not previously have the appropriate controls in place, and provided the Council with recommended steps to mitigate risks to the business. This information also assisted with identifying any effective security controls currently deployed to protect the SCADA infrastructure.

The phishing campaign helped Council staff to recognise potential phishing email attacks and in turn provide the knowledge necessary to protect Council infrastructure from well-orchestrated phishing campaigns.

Overall, it provided the Council with a level of comfort as to what steps needed to take place to increase the level of security maturity within their OT and IT environments to support future Digitisation projects.

Customer name has been withheld due to confidentiality. More information can be provided by contacting Orro directly.

Related Resources

7 November 2020
Learn how Orro helped a QLD Government Agency address critical components across visibility and response time for their Security Improvement Program.
3 September 2021
Learn how Orro helped a water utility organisation converge disparate WANs into a reference architecture for improved network performance, availability and to support future growth.
City Beach
1 January 2022
Learn how Orro helps deliver SIEM, Vulnerability Management and Penetration Testing services for imperative 24/7 eyes on glass, and cyber resilience capabilities that provide City Beach with a fit-for-purpose cyber security strategy and roadmap for the future.