Representative engagements

Engagement Examples for Critical Infrastructure Risk and Resilience

Systems Risk Advisory supports assessments, planning, exercises, training, and executive briefings for organizations responsible for essential services. These examples show how engagements can be structured without disclosing client names, facility details, system designs, or sensitive security information.

Discuss an engagement View services

Representative engagements, not public case studies

Critical infrastructure leaders often know they need help, but they may not know what an assessment, planning project, exercise, or workshop should include. This page provides representative engagement examples that show the types of support Systems Risk Advisory can provide.

The examples below are intentionally sanitized. They describe common engagement structures and outcomes without identifying clients, facilities, vendors, network details, security weaknesses, or incident-sensitive information.

Each engagement is scoped around the organization, operating environment, leadership questions, risk tolerance, and available staff time. Some projects are narrow and focused. Others combine cyber, physical, OT/ICS, emergency planning, training, and tabletop exercise components into a broader readiness effort.

Confidentiality note

SRA does not publish client names, facility details, network diagrams, findings, incident details, or sensitive security information without authorization.

These examples are not fixed packages. Final scope, schedule, level of detail, site work, interviews, deliverables, and pricing depend on the organization and engagement goals.

The page should not imply that all examples have been performed for a named client unless a specific case study has been approved for public release.

Engagement examples

These examples show common ways Systems Risk Advisory can help organizations move from concern to a defined scope, practical findings, and next steps.

AWIA RRA and ERP Update for a Water Utility

Typical client

Municipal water or wastewater utility

Need

Update risk and resilience assessment material and emergency response planning so the documents better reflect current operations, cyber risk, physical security concerns, and continuity needs.

Common activities

Review existing RRA and ERP materials
Conduct leadership, operations, IT, OT, and emergency management discussions
Review cyber, physical, operational, and emergency response dependencies
Identify practical improvement items and planning gaps
Prepare updated plan language and leadership-ready summaries

Possible outputs

Updated RRA and ERP content
Findings and improvement list
Executive summary or board briefing material
Suggested training and exercise follow-up

OT/ICS and SCADA Remote Access Review

Typical client

Utility, public works department, electric power organization, or infrastructure operator

Need

Understand who can remotely access control-system environments, how vendors connect, where shared access may exist, and which paths create operational risk.

Common activities

Map remote access paths used by staff, vendors, integrators, and support providers
Review VPN, remote support tools, accounts, MFA, approval steps, and logging practices
Identify paths from business systems into OT or SCADA assets
Review vendor support practices and emergency access assumptions
Prioritize controls that reduce risk without disrupting operations

Possible outputs

Remote access findings summary
Vendor access improvement recommendations
Prioritized remediation roadmap
Leadership briefing on access risk and next steps

Ransomware Readiness Assessment

Typical client

Utility, local government, public works department, or infrastructure organization

Need

Prepare for ransomware that affects billing, email, work orders, file shares, backups, remote access, vendor coordination, public messaging, or operational visibility.

Common activities

Review backup, restoration, account, endpoint, and remote access practices
Assess likely operational impacts if business systems or visibility tools are unavailable
Review escalation, decision authority, insurance, legal, vendor, and communication assumptions
Identify first-hour and first-day decisions that leaders should prepare before an incident
Develop improvement priorities tied to continuity of service

Possible outputs

Ransomware readiness findings
First-hour decision checklist
Recovery priority recommendations
Executive risk briefing or tabletop exercise option

Cybersecurity Assessment for a Small or Mid-Sized Utility

Typical client

Water, wastewater, public works, or municipal utility organization

Need

Identify the most important cybersecurity gaps without overwhelming limited staff or producing an unused technical report.

Common activities

Review policies, accounts, MFA, remote access, patching, backups, endpoint protection, and logging
Discuss roles across leadership, IT, OT, operations, engineering, finance, and administration
Review internet exposure and third-party dependencies at a practical level
Separate quick fixes from larger planning items
Prepare findings in plain language for leadership and staff use

Possible outputs

Prioritized cybersecurity assessment report
Near-term fix list
Management roadmap
Briefing material for executives, boards, councils, or commissioners

Physical Security Review for Critical Facilities

Typical client

Utility, public works department, electric power organization, facility operator, or critical infrastructure site owner

Need

Review facility security conditions that could affect operations, safety, incident response, or continuity of essential services.

Common activities

Review access control, keys, gates, fencing, doors, lighting, cameras, signage, yards, and field sites
Discuss after-hours response, law enforcement coordination, and emergency access needs
Assess cyber-physical dependencies such as communications, control cabinets, telemetry sites, and power dependencies
Prioritize findings by operational consequence and feasibility
Recommend practical improvements aligned to site conditions and budget constraints

Possible outputs

Physical security findings summary
Site-specific improvement recommendations
Prioritized action list
Optional briefing or exercise scenario inputs

Cyber-Physical Incident Response Planning

Typical client

Critical infrastructure organization with connected cyber, physical, operational, and public communication dependencies

Need

Prepare for incidents where cyber events, facility access, field operations, public messaging, vendors, and emergency response must be coordinated.

Common activities

Review existing incident response and emergency response procedures
Clarify roles, escalation paths, decision authority, vendor contacts, and external coordination
Identify where cyber response and emergency operations need to connect
Develop decision points for containment, continuity, public messaging, and recovery
Prepare plan language that can be used during an actual incident

Possible outputs

Incident response planning improvements
Role and escalation matrix
Cyber-physical decision checklist
Tabletop exercise scenario option

Tabletop Exercise for a Utility Cyber-Physical Incident

Typical client

Water utility, wastewater utility, electric power organization, public works department, or local government team

Need

Test how leadership, operations, IT, OT, communications, emergency management, and outside partners make decisions under incident pressure.

Common activities

Design a realistic scenario based on utility operations and likely decision points
Develop injects that test communications, containment, continuity, public messaging, and recovery
Facilitate discussion with executives, operators, IT, OT, emergency management, and public information staff
Capture strengths, gaps, assumptions, and unresolved decisions
Prepare after-action findings and improvement recommendations

Possible outputs

Exercise plan and facilitation materials
Scenario injects and discussion questions
After-action summary
Improvement plan with practical next steps

Executive or Board Cyber Risk Briefing

Typical client

Board, council, commission, executive team, general manager, city manager, public works director, or senior leadership group

Need

Help decision-makers understand cyber, physical, and operational risk in terms of service continuity, public trust, cost, and leadership responsibility.

Common activities

Review current concerns, recent findings, regulatory drivers, and leadership questions
Translate technical risks into decision-ready language
Explain risk scenarios without unnecessary technical detail
Frame investment options, governance issues, and practical improvement priorities
Support discussion around next steps and management accountability

Possible outputs

Executive briefing deck or memo
Leadership risk discussion points
Recommended next-step options
Optional follow-on assessment or workshop scope

Emergency Response Planning and Continuity Workshop

Typical client

Utility, public works department, local government organization, or critical infrastructure operator

Need

Improve emergency response planning for disruptions that affect operations, staffing, communications, facilities, vendors, public messaging, and recovery.

Common activities

Review current emergency response, continuity, and communication materials
Identify decision points for degraded operations and loss of normal tools
Discuss roles across leadership, operations, emergency management, public information, IT, OT, and vendors
Develop practical updates to planning materials
Identify training and exercise needs

Possible outputs

Planning workshop summary
Updated plan language or improvement recommendations
Continuity decision checklist
Training and exercise recommendations

Electric Power Control-System Readiness Review

Typical client

Municipal electric utility, public power agency, electric cooperative, or organization with electric power operational dependencies

Need

Review cyber, physical, and operational readiness issues affecting substations, field assets, remote access, distribution automation, control systems, and incident response.

Common activities

Discuss control-system architecture, remote access, field assets, vendor support, and operational dependencies
Review physical security issues affecting substations, yards, cabinets, communications, and access points
Identify incident response considerations for loss of visibility, abnormal control activity, or remote support compromise
Prioritize improvements that account for reliability and safety
Prepare leadership-ready findings and next steps

Possible outputs

Control-system readiness findings
Cyber and physical improvement priorities
Incident response planning recommendations
Optional tabletop exercise or training scope

Common engagement models

Engagements can be narrow, standard, or expanded depending on the question, schedule, risk level, staff availability, and required deliverables.

Focused engagement

A narrow project aimed at one issue, such as remote access, ransomware readiness, physical security, tabletop exercise facilitation, or an executive briefing.

Standard assessment or planning project

A structured engagement that includes interviews, document review, selected technical or facility review, findings, recommendations, and leadership briefing material.

Expanded readiness effort

A larger effort that combines assessment, planning, workshops, exercise design, facilitation, after-action reporting, and improvement tracking.

Best-fit organizations

Water and wastewater utilities preparing AWIA RRA and ERP updates
Public works departments responsible for multiple essential services
Municipal electric utilities, public power agencies, and electric cooperatives
Local government organizations that need cyber, physical, and emergency planning support
Critical infrastructure organizations with OT/ICS, SCADA, field assets, facilities, and vendor dependencies
Boards, councils, commissioners, executives, and managers who need decision-ready risk information

Common deliverables

Deliverables are selected during scoping. The goal is to provide clear material that can be used by leadership, staff, boards, councils, commissioners, emergency managers, and technical teams.

Executive summary

A concise leadership-facing summary of key risks, priorities, decisions, and recommended next steps.

Findings and recommendations

A practical report organized by risk area, consequence, priority, and suggested improvement path.

Improvement roadmap

A sequenced list of near-term, mid-term, and longer-term actions based on feasibility and operational importance.

Plan updates

Suggested updates to incident response plans, emergency response plans, continuity plans, communications plans, or exercise materials.

Briefing material

Slides or talking points for boards, councils, executives, managers, and department leaders.

Exercise package

Scenario, injects, facilitator notes, participant questions, after-action findings, and improvement recommendations when tabletop support is included.

How Systems Risk Advisory works

The approach is practical, mission-focused, and designed for organizations that must keep essential services operating under real constraints.

Start with mission and consequence

Engagements focus first on what services must continue, what could affect safety or public trust, and which decisions matter most.

Use plain language

Findings are written for leaders, operators, IT, OT, emergency managers, and public works staff who need to act on the results.

Connect cyber and physical risk

SRA reviews how facilities, field assets, networks, remote access, vendors, communications, and emergency procedures affect each other.

Prioritize what can be improved

Recommendations are organized so the client can distinguish urgent fixes from larger planning or budget items.

Support leadership decisions

Reports and briefings help managers, boards, councils, commissioners, and executives understand risk and choose next steps.

Protect sensitive information

Engagement materials avoid unnecessary exposure of security-sensitive details and can be structured for limited distribution when needed.

Use these pages to review related sectors and services.

Discuss the right engagement for your organization

Use these examples as a starting point. Systems Risk Advisory can help define a focused assessment, planning project, workshop, exercise, executive briefing, or broader readiness effort based on your operating environment and risk concerns.

Discuss an engagement Review our approach

Engagement Examples for Critical Infrastructure Risk and Resilience

Representative engagements, not public case studies

Confidentiality note

Engagement examples

AWIA RRA and ERP Update for a Water Utility

Common activities

Possible outputs

OT/ICS and SCADA Remote Access Review

Common activities

Possible outputs

Ransomware Readiness Assessment

Common activities

Possible outputs

Cybersecurity Assessment for a Small or Mid-Sized Utility

Common activities

Possible outputs

Physical Security Review for Critical Facilities

Common activities

Possible outputs

Cyber-Physical Incident Response Planning

Common activities

Possible outputs

Tabletop Exercise for a Utility Cyber-Physical Incident

Common activities

Possible outputs

Executive or Board Cyber Risk Briefing

Common activities

Possible outputs

Emergency Response Planning and Continuity Workshop

Common activities

Possible outputs

Electric Power Control-System Readiness Review

Common activities

Possible outputs

Common engagement models

Focused engagement

Standard assessment or planning project

Expanded readiness effort

Best-fit organizations

Common deliverables

Executive summary

Findings and recommendations

Improvement roadmap

Plan updates

Briefing material

Exercise package

How Systems Risk Advisory works

Start with mission and consequence

Use plain language

Connect cyber and physical risk

Prioritize what can be improved

Support leadership decisions

Protect sensitive information

Related pages

Discuss the right engagement for your organization