Security reviews for control systems, SCADA access, and operational technology.
Systems Risk Advisory helps water, wastewater, electric power, local government, and industrial organizations understand who can reach operational systems, what they can affect, and which practical changes reduce risk without disrupting operations.
Control system security decisions affect operations.
OT security is different from standard IT security. A recommendation that ignores plant operations, vendor support, maintenance windows, operator workflows, field devices, or restoration sequence can create new risk.
Systems Risk Advisory reviews OT/ICS and SCADA environments from the perspective of infrastructure operations. The goal is to identify realistic exposure, clarify access paths, and prioritize improvements that protect essential services.
The core question
Who can reach the control environment, what can they touch, and how quickly can the organization continue or recover if something goes wrong?
That question drives the review. It connects cyber access, physical access, vendor support, network paths, operator visibility, and recovery planning.
Practical review areas for OT, ICS, and SCADA environments.
The review is tailored to the client environment. For water and wastewater utilities, this may include SCADA, HMIs, PLCs, remote sites, lift stations, pump stations, treatment systems, vendor support, radio paths, cellular connections, and city IT dependencies.
Architecture and pathways
Review how OT systems connect to business systems, remote access tools, vendors, field networks, radio systems, cloud services, and support environments.
Remote and vendor access
Identify who connects remotely, how access is approved, whether MFA is used, whether sessions are logged, and whether accounts are removed when support ends.
Segmentation and exposure
Review separation between IT and OT, firewall rules, exposed services, direct internet exposure, wireless paths, cellular access, and third-party pathways.
Accounts and privileges
Review named accounts, shared accounts, administrator rights, service accounts, vendor accounts, password practices, and MFA coverage for critical access.
Backups and recovery
Review backup coverage, configuration backups, recovery expectations, restoration dependencies, vendor roles, and the sequence needed to return systems to service.
Operations and continuity
Review operator visibility, manual operations, fallback procedures, alarm handling, documentation, staffing limits, and continuity options during a cyber or SCADA event.
When to request an OT/ICS and SCADA security review.
- New or changed remote access to SCADA, PLCs, HMIs, historians, or engineering workstations.
- Concern about vendor access, shared credentials, or former vendor accounts.
- Unclear segmentation between city IT, business systems, and operational networks.
- Recent ransomware concern, cyber incident, audit finding, or insurance request.
- Upcoming SCADA upgrade, network redesign, radio upgrade, or remote site project.
- Need to support an AWIA Risk and Resilience Assessment or Emergency Response Plan update.
Focused OT Exposure Review
A focused review can start small. It can examine remote access, vendor access, internet exposure, segmentation, account controls, backups, and high-priority changes.
This is often a good first engagement for utilities that need a clear view of SCADA exposure without starting with a large assessment.
How the review works.
Understand the environment
Review operations, critical functions, architecture, vendors, field assets, remote access, and recovery expectations.
Review access and pathways
Assess how users, vendors, systems, and networks reach OT assets and where exposure could affect operations.
Prioritize findings
Rank findings by operational impact, ease of exploitation, recovery difficulty, and practical implementation constraints.
Provide a roadmap
Deliver practical recommendations, quick wins, longer-term improvements, and briefing material for leadership.
Clear outputs for technical teams and leadership.
The final deliverables are written for decision-making. Technical findings are translated into operational meaning, priority, and next steps.
- OT/ICS and SCADA findings summary
- Remote access and vendor access review notes
- Architecture and pathway observations
- Risk-ranked recommendations
- Quick wins and longer-term improvement roadmap
- Executive briefing summary
- Optional action tracker for implementation support
- Optional tabletop scenario to validate response actions
Engineering-informed OT security guidance.
Systems Risk Advisory brings experience across cybersecurity, physical security, operational technology, SCADA environments, electrical power systems, water and wastewater operations, and critical infrastructure resilience.
That matters because OT security is not only a network issue. It affects treatment, pumping, field operations, protective functions, alarms, vendor support, emergency response, and recovery.
Best-fit clients
- Water and wastewater utilities
- Electric utility and power-sector environments
- Local government and public works organizations
- Industrial operations with control system dependencies
- Organizations preparing for cyber, physical, or operational disruption
OT and SCADA security connects to broader resilience work.
Cybersecurity Assessments
Review accounts, MFA, backups, logging, vendors, policies, and incident readiness.
Incident Response Planning
Prepare for ransomware, OT disruption, communications, containment, and recovery decisions.
Tabletop & Operational Exercises
Test whether teams can make decisions during SCADA disruption, loss of visibility, or vendor compromise.
Need to understand your SCADA and OT exposure?
Start with a focused conversation about remote access, vendor access, network pathways, backups, and the systems needed to keep operations running.