Our Capabilities

Overview

Our goal is to help water utilities meet the developing threats targeting the water and wastewater sector.  S3 will assist you in conducting Risk & Resiliency Assessments (RRA) and developing Emergency Response Plans (ERP) related to the AWIA Section (2018) and outlined in AWWA J100.  S3 can assist you with using the results of the assessments to identify and implement upgrades.

S3 is uniquely qualified to provide this service with key personnel experienced in physical and cybersecurity with backgrounds in military special operations, cybersecurity, law enforcement, school security, nuclear/radiological, national security, training, and capacity building.  S3 has a long and reliable history working at the federal, state, and local government level.  We are active members of AWWA and the Washington PUD Association (WPUDA) and work with small, medium, and large utilities.

We know utilities. S3 is a trusted partner in the electricity sector, and we bring that experience and related capabilities to the Water & Wastewater sector.

Cybersecurity

American Water Infrastructure Act (2018) Compliance

Design Basis Threat Development (DBT)

Vulnerability of Integrated Security Assessment (VISA)

Comprehensive Site Security Assessment (CSSA)

Capacity Building

Insider Threat Mitigation

Fortress Your Future: Cybersecurity Reimagined

The water and wastewater industry is a critical component of public infrastructure, with growing reliance on digital systems to manage complex operations. However, this increased dependence on technology exposes the sector to a wide array of cybersecurity risks, including potential attacks on Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other operational technology (OT). Threat actors targeting water and wastewater systems aim to disrupt essential services, compromise water quality, or even cause physical harm by manipulating chemical treatments or altering water distribution.

We understand the unique vulnerabilities faced by the water and wastewater industry. Our cybersecurity services are tailored to safeguard both information technology (IT) and operational technology systems. We take a holistic approach matched to the current needs of your network environment, so that risks are identified and vulnerabilities are remediated in line with your policies and procedures.

Our team also focuses on ensuring compliance with industry standards such as the Water Infrastructure Act, American Water Works Association Cybersecurity Guidance and Practices, and NIST’s cybersecurity framework. We provide continuous assessments and ongoing advisory services, protecting water treatment facilities from both internal and external attacks. In addition, we offer specialized incident response plans to mitigate the impact of a breach and maintain the operational integrity of water systems.

Cybersecurity + physical security for Risk & Resilience Assessment (RRA) & Emergency Response Plan (ERP)

S3 can assist with your RRA and ERP for both cybersecurity and physical security to prepare for and comply with the AWIA (2018). Certification to the EPA of your RRA and ERP is due based on the following schedule:

| Community Water System (pop served) | Certify RRA by | Certify ERP within 6 months of RRA, but no later than |
| --- | --- | --- |
| ≥ 100,000 | Mar 31, 2025 | Sep 30, 2025 |
| 50,000 – 99,999 | Dec 31, 2025 | Jun 30, 2026 |
| 3,300 – 49,999 | Jun 30, 2025 | Dec 30, 2026 |

DBT - The Foundation of Security by Design

  • Bottom line: Know what you’re protecting against.
  • By gathering relevant threat assessment information from trusted sources, a clear picture of the adversary’s attributes and capabilities can be documented.
  • The DBT is the threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline threat that facilities and other high-consequence assets are designed to withstand. The DBT includes the characteristics, attributes, and tactics of outsiders and insiders that could be used against the asset. Furthermore, a DBT is derived from credible intelligence information and other relevant threat data and is updated annually.

Threat and Vulnerability Analysis

  • The VISA Methodology is one of the many VA tools that can use a specified DBT to determine the overall system effectiveness of an integrated PPS (Physical Protection System). VISA looks at the functions of Detection, Assessment, Delay, and Response to baseline the PPS to make informed, risk-based decisions and determine cost-effective upgrades. VISA is a methodology relying on SME input to help determine overall systems effectiveness against attack scenarios involving outsiders, insiders, and insiders colluding with outsiders.
  • The VISA tool and methodology have been used within the Department of Energy for decades along with other tools to protect and safeguard critical and strategic nuclear assets. While not new, it is effective. S3 has applied VISA to the government sector and other critical infrastructure.

Combining DBT, VISA, training, and testing

  • Process: S3 utilizes a 5-step process that is flexible to adapt to the current state of maturity of our clients’ security. The process may be followed from start to finish, in a serial fashion, or a specific step may be implemented to fit the current need. This process was developed by key personnel at S3 over decades of experience in the military, cybersecurity, law enforcement, and national security and by utilizing, adapting, and organizing best practices, tools, and methodologies from that experience.
  • People and Teams: There are three teams critical to the success of the process: 1) the Core Stakeholder Team to define the objectives and oversee the process, 2) the Design Basis Threat Team to define the threat and unacceptable consequences, and 3) the Vulnerability Assessment Team to exercise the situations against the DBT and to meet the objectives set by the Core Stakeholder Team.
  • Methodology and Tools: These facilitate the key steps, specifically the Design Basis Threat Tool and Vulnerability Assessment Tool for steps 2 and 3.

VISA Workshop - Train your professional security team

  • For organizations with a dedicated professional security team in-house, we can train your team in the DBT and VISA methodology and tool to augment your current capabilities.
  • There are many tools and methodologies an organization can use to assess its physical protection systems and the associated response. S3 offers a formal, customizable training program via hands-on workshops and mentoring to build risk management capacity within an organization.  The VISA workshop provides the user with extensive training on a proven systematic and methodical vulnerability analysis process.  The asset owner / operator will be able to apply the VISA process on its own.

The danger from within: cyber + physical

An insider is any person who has or had authorized access to or knowledge of an organization’s resources and operations including personnel, facilities, information, equipment, networks, and systems. This includes employees, contractors, and vendors and both physical access (e.g., facilities and substations) and cybersecurity domains (IT or OT access).  Your insider threat is the potential for an insider to use their authorized access or understanding of your organization to cause harm or collude with outsiders.

S3 can help you develop an Insider Threat Mitigation Program to:

  • Define the threats
  • Identify and detect insider threats
  • Assess insider threats
  • Manage the threats
Contact

Darryl Judge

Director of Business Development