SCADA Vulnerability Assessment & Penetration Testing

Learn how Orro helped a local council identify several security risks via vulnerability assessment and penetration testing services to increase the organisation’s security maturity.

SCADA Cyber Security Assessment


A QLD Regional Council had upgraded their telecommunications and corporate IT environment and was embarking on a number of Digitisation strategies under their Smart City agenda. It was realised that this would also impact their SCADA infrastructure, specifically water reticulation and treatment.

What was unknown within this environment was any Cyber security vulnerabilities and the risks posed by such security weaknesses if successfully exploited by persons with malicious intent.

Additionally, the Council was interested in carrying out a phishing campaign to identify user awareness and then trend increased awareness over a 12 month period.


Orro was engaged to perform a vulnerability assessment and penetration test against the nominated water reticulation and treatment infrastructure. Using our defined methodology for assessing Critical Infrastructure, we identified technical vulnerabilities within the SCADA environment and completed a penetration test from there, back into the Corporate network. Potential risks were confirmed and documented, showing sample attack and exploitation steps, along with a prioritised list of recommendations for risk mitigation.

The phishing campaign identified and confirmed the current awareness levels for phishing type attacks against Council staff and provided training material should a user be phished, in order to increase staff awareness around these attack methods.

Furthermore, a Orro Principal Consultant provided advisory services directly to the CIO post the engagement to assist with delivering key information to internal stakeholders and communicate with the Council’s service providers and partners.


The vulnerability assessment and penetration testing identified a number of security risks which did not previously have the appropriate controls in place, and provided the Council with recommended steps to mitigate risks to the business. This information also assisted with identifying any effective security controls currently deployed to protect the SCADA infrastructure.

The phishing campaign helped Council staff to recognise potential phishing email attacks and in turn provide the knowledge necessary to protect Council infrastructure from well-orchestrated phishing campaigns.

Overall, it provided the Council with a level of comfort as to what steps needed to take place to increase the level of security maturity within their OT and IT environments to support future Digitisation projects.

Customer name has been withheld due to confidentiality. More information can be provided by contacting Orro directly.

Related Resources

3 September 2021
Learn how Orro helped a large regional Council realise an IoT network architecture strategy document to best assess and integrate IoT products and services for their “Smart City” initiatives.
16 February 2022
The Finite Group is a leading provider of diverse IT solutions in Australia and New Zealand. Founded in 1998 to offer specialist IT recruitment expertise and people-based services, the Group later expanded in 2003 to offer IT Professional services. 
10 June 2022
Townsville City Council (TCC) engaged Orro to provide a new managed cybersecurity service. TCC was seeking to increase its resilience against threats with an automated approach to cybersecurity.