Conducting vulnerability assessments is often a costly, manual effort requiring many on-site resources – which is why assessments take place infrequently. Verve’s technology-enabled vulnerability assessment significantly reduces the time and labor requirements and enabled real-time continuous visibility to track progress and risks.

This case study describes how we applied a technology-driven vulnerability assessment with a leading water utility to quickly prioritize security gaps and remediation efforts.

The Challenge

One of the top five water utilities in the United States sought to assess cyber risks to their industrial control systems across six widely-distributed sites (including one of the top three wastewater sites in the world). Due to regulatory requirements and the board of director’s recognition of increased risk of cyber attacks to ICS, the client wanted to understand their risks and vulnerabilities at a detailed level. They had a small time frame and needed to include both IT and OT assets across these sites, which had multiple levels of network segmentations and protection.

The Solution

We brought together the Verve Security Center (VSC) platform and Verve Industrial Protection (VIP) services to provide a rapid, detailed and closed-loop solution for a technology-enabled vulnerability assessment. Verve deployed the small appliance-based solution inside the client’s DMZ. The appliance contains the necessary elements of the Verve platform including asset inventory, vulnerability management, patch management, etc.

Within one week, the agent-agentless architecture connected to all sites and subnets within the network to gather a full asset inventory. Critical to this effort was the ability to see detailed information from PLCs down into the backplane, as well as the devices behind the backplane. The solution gathered full visibility of all software, patch status, vulnerabilities, users and accounts, ports, services, configurations, etc. VSC analyzed the software and firmware for known vulnerabilities and insecure or non-compliant configurations. It also analyzed network gear for mis-configurations and inappropriate security rules.

The VIP services team leveraged the tech- enabled visibility to develop a prioritized risk ranking based on our proprietary asset risk score and the client’s PHA analysis of asset criticality. This led to a clear prioritized roadmap of remediation initiatives, which is integrated within the Verve platform.

The Impact

Verve delivered the tech-enabled vulnerability assessment in less than one month across all sites for roughly the same cost as a single site manual assessment. Within 30 days, the client received a robust assessment and roadmap to make progress on remediation using the closed-loop platform.

They immediately demonstrated progress to their board of directors against the specific gaps identified in the vulnerability assessment. They now track progress, and provide updates on new risks in real-time with the ongoing presence of the Verve Security Center’s vulnerability analysis software.

Related Resources

Data Sheet

Riio-2 Mapping to Verve

See how Verve aligns with OFGEM’s new set of cyber security resilience guidelines (RIIO-2) for electricity and gas distribution networks

Learn More
Data Sheet

Verve Competitive Comparison

See how Verve differentiates from other OT security vendor methods and approaches across visibility, assessment, protection, response, detection, reporting, services, support and cost.

Learn More
Data Sheet

Verve Overview

Learn about Verve’s OT cyber security expertise, platform and services for protecting industrial organizations.

Learn More