Expert Testing, Expertly Executed.

Learn how RIOT helped a local council identify several security risks via vulnerability assessment and penetration testing services to increase the organisation’s security maturity.

SCADA Cyber Security Assessment


A QLD Regional Council had upgraded their telecommunications and corporate IT environment and was embarking on a number of Digitisation strategies under their Smart City agenda. It was realised that this would also impact their SCADA infrastructure, specifically water reticulation and treatment.

What was unknown within this environment was any Cyber security vulnerabilities and the risks posed by such security weaknesses if successfully exploited by persons with malicious intent.

Additionally, the Council was interested in carrying out a phishing campaign to identify user awareness and then trend increased awareness over a 12 month period.


RIOT was engaged to perform a vulnerability assessment and penetration test against the nominated water reticulation and treatment infrastructure. Using our defined methodology for assessing Critical Infrastructure, we identified technical vulnerabilities within the SCADA environment and completed a penetration test from there, back into the Corporate network. Potential risks were confirmed and documented, showing sample attack and exploitation steps, along with a prioritised list of recommendations for risk mitigation.

The phishing campaign identified and confirmed the current awareness levels for phishing type attacks against Council staff and provided training material should a user be phished, in order to increase staff awareness around these attack methods.

Furthermore, a RIOT Principal Consultant provided advisory services directly to the CIO post the engagement to assist with delivering key information to internal stakeholders and communicate with the Council’s service providers and partners.


The vulnerability assessment and penetration testing identified a number of security risks which did not previously have the appropriate controls in place, and provided the Council with recommended steps to mitigate risks to the business. This information also assisted with identifying any effective security controls currently deployed to protect the SCADA infrastructure.

The phishing campaign helped Council staff to recognise potential phishing email attacks and in turn provide the knowledge necessary to protect Council infrastructure from well-orchestrated phishing campaigns.

Overall, it provided the Council with a level of comfort as to what steps needed to take place to increase the level of security maturity within their OT and IT environments to support future Digitisation projects.

Customer name has been withheld due to confidentiality. More information can be provided by contacting RIOT directly.

Related Resources

7 November 2021
Learn how Orro delivered critical testing services against internal and external IT infrastructure for a large financial institution.
23 February 2022
Our client is an Australian company providing financial services nationwide as well as in 26 other countries. The client is also ranked among the world’s top general insurers.
30 November 2022
In order to bring the best-in-class learning experiences to their students, TAFE Queensland sought Orro’s help to upgrade and future-proof their network.