Water & Wastewater

The water and wastewater industry is a critical component of public infrastructure, with growing reliance on digital systems to manage complex operations. However, this increased dependence on technology exposes the sector to a wide array of cybersecurity risks, including potential attacks on Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other operational technology (OT). Threat actors targeting water and wastewater systems aim to disrupt essential services, compromise water quality, or even cause physical harm by manipulating chemical treatments or altering water distribution.

We understand the unique vulnerabilities faced by the water and wastewater industry. Our cybersecurity services are tailored to safeguard both information technology (IT) and operational technology systems. We employ a holistic approach to match the current need of your network environment to ensure risks are identified and vulnerabilities remediated to align to your policies and procedures.

Our team also focuses on ensuring compliance with industry standards such as the Water Infrastructure Act, American Water Works Association Cybersecurity Guidance and Practices, and NIST’s cybersecurity framework. We provide continuous assessments and ongoing advisory services, protecting water treatment facilities from both internal and external attacks. In addition, we offer specialized incident response plans to mitigate the impact of a breach and maintain the operational integrity of water systems.

S3 can assist with your RRA and ERP for both cybersecurity and physical security to prepare and comply with the AWIA (2018).   Certification to the EPA of your RRA and ERP is due based on the following schedule:

• Bottom line: Know what you’re protecting against.

• By gathering relevant threat assessment information from trusted sources, a clear picture of the adversary’s attributes and capabilities can be documented.

• The DBT is the threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline threat that facilities and other high-consequence assets are designed to withstand. The DBT includes the characteristics, attributes, and tactics of outsiders and insiders that could be used against the asset. Furthermore, a DBT is derived from credible intelligence information and other relevant threat data and is updated annually.

• The VISA Methodology is one of the many VA tools that can use a specified DBT to determine the overall system effectiveness of an integrated PPS (Physical Protection System). VISA looks at the functions of Detection, Assessment, Delay, and Response to baseline the PPS to make informed, risk-based decisions and determine cost-effective upgrades. VISA is a methodology relying on SME input to help determine overall systems effectiveness against attack scenarios involving outsiders, insiders, and insiders colluding with outsiders.

• The VISA tool and methodology has been used within the Department of Energy for decades along with other tools to protect and safeguard critical and strategic nuclear assets. While not new, it is effective. S3 has applied VISA to the government sector and other critical infrastructure.

• Process: S3 utilizes a 5-step process that is flexible to adapt to the current state of maturity of our clients’ security. The process may be followed from start to finish, in a serial fashion, or a specific step may be implemented to fit the current need. This process was developed by key personnel at S3 over decades of experience in the military, cybersecurity, law enforcement, and national security and by utilizing, adapting, and organizing best practices, tools, and methodologies from that experience.

• People and Teams: There are three teams critical to the success of the process: 1) the Core Stakeholder Team to define the objectives and oversee the process, 2) the Design Basis Threat Team to define the threat and unacceptable consequences, 3) and the Vulnerability Assessment Team to exercise the situations against the DBT and to meet the objectives set by the Core Stakeholder Team.

• Methodology and tools to facilitate the key steps, specifically the Design Basis Threat Tool and Vulnerability Assessment Tool for steps 2 and 3.

• For organizations with a dedicated professional security team in-house, we can train your team in the DBT and VISA methodology and tool to augment your current capabilities.

• There are many tools and methodologies an organization can use to assess its physical protection systems and the associated response. S3 offers a formal, customizable training program via hands-on workshops and mentoring to build risk management capacity within an organization.  The VISA workshop provides the user with extensive training on a proven systematic and methodical vulnerability analysis process.  The asset owner / operator will be able to apply the VISA process on its own.

An insider is any person who has or had authorized access to or knowledge of an organization’s resources and operations including personnel, facilities, information, equipment, networks, and systems. This includes employees, contractors, and vendors and both physical access (e.g., facilities and substations) and cybersecurity domains (IT or OT access).  Your insider threat is the potential for an insider to use their authorized access or understanding of your organization to cause harm or collude with outsiders.

S3 can help you develop an Insider Threat Mitigation Program to:

• Define the threats
• Identify and detect insider threats
• Assess insider threats
• Manage the threats