SCADA Cyber Security Assessment
A QLD Regional Council had upgraded their telecommunications and corporate IT environment and was embarking on a number of Digitisation strategies under their Smart City agenda. It was realised that this would also impact their SCADA infrastructure, specifically water reticulation and treatment.
What was unknown within this environment was any Cyber security vulnerabilities and the risks posed by such security weaknesses if successfully exploited by persons with malicious intent.
Additionally, the Council was interested in carrying out a phishing campaign to identify user awareness and then trend increased awareness over a 12 month period.
RIOT was engaged to perform a vulnerability assessment and penetration test against the nominated water reticulation and treatment infrastructure. Using our defined methodology for assessing Critical Infrastructure, we identified technical vulnerabilities within the SCADA environment and completed a penetration test from there, back into the Corporate network. Potential risks were confirmed and documented, showing sample attack and exploitation steps, along with a prioritised list of recommendations for risk mitigation.
The phishing campaign identified and confirmed the current awareness levels for phishing type attacks against Council staff and provided training material should a user be phished, in order to increase staff awareness around these attack methods.
Furthermore, a RIOT Principal Consultant provided advisory services directly to the CIO post the engagement to assist with delivering key information to internal stakeholders and communicate with the Council’s service providers and partners.
The vulnerability assessment and penetration testing identified a number of security risks which did not previously have the appropriate controls in place, and provided the Council with recommended steps to mitigate risks to the business. This information also assisted with identifying any effective security controls currently deployed to protect the SCADA infrastructure.
The phishing campaign helped Council staff to recognise potential phishing email attacks and in turn provide the knowledge necessary to protect Council infrastructure from well-orchestrated phishing campaigns.
Overall, it provided the Council with a level of comfort as to what steps needed to take place to increase the level of security maturity within their OT and IT environments to support future Digitisation projects.
Customer name has been withheld due to confidentiality. More information can be provided by contacting RIOT directly.