INFORMATION SECURITY VULNERABILITY ASSESSMENTS
More than 40 water and wastewater utilities of various sizes have contracted with Westin to conduct vulnerability assessments of their information systems. Due to the sensitive nature of information system Security Vulnerability Assessments and remediation, client names are not provided.
Issue
Many organizations recognize the need to assess the security of their networks, control systems and telecommunications. Following 9/11, water utilities were required to perform a vulnerability assessment which, in part, evaluated the security of their control system networks.
Every year, thousands of new vulnerabilities are discovered by hackers and security researchers. These affect operating systems, applications, databases, and telecommunications hardware and software for systems controlling critical infrastructure. Network and system administrators need to test their control systems and networks using the same access methods that a hacker or unauthorized person might use.
Because customer data, payroll information, and other sensitive personal information are frequent targets of identity thieves and organized crime, this information must also be protected with due diligence. The rise in this type of crime has resulted in several national and state laws that can hold an organization responsible if diligence was not exercised in securing this information.
Solution
Westin’s Certified Information Systems Security Professionals (CISSP) apply AWWA’s RAM-W for SCADA methodology, as well as techniques endorsed by the International Information Systems Security Certification Consortium and the Information Systems Security Association.
Depending on the needs of the specific utility, Westin provides a network assessment to determine security status. Westin assesses system architecture, physical security and access controls, networks and computers, wired and wireless LANs/WANs, telephone lines, firewalls and VPNs, passwords, as well as policies and procedures. In many cases, Westin found previously unknown and undocumented connections to the control system network.
In some cases, Westin conducts Penetration Tests to access systems from the outside. The purpose of a Penetration Test is to exploit specific vulnerabilities found during the initial Security Vulnerability Assessment, with the goal of reaching specific targets inside a protected network. Westin has been highly successful in penetrating systems, including gaining complete access to the SCADA Master Station. In other cases, highly sensitive information was found on the general-purpose IT network that would give a physical attacker an advantage. Successful Penetration Tests are effective in convincing upper management and staff to remediate the issues. Westin only performs Penetration Tests with the complete knowledge of, and written authorization from, the target and with full coordination of IT staff and management.
Outcome
The final step in the vulnerability assessment is a detailed report of specific and prioritized action items, estimated costs, and/or labor estimates. This enables the customer to quickly remediate the most critical items in a timely and cost-effective manner while also enabling them to develop a long-term strategy and budget for continually improving their security posture.