Summary

Conducting vulnerability assessments is often a costly, manual effort requiring many on-site resources – which is why assessments take place infrequently. Verve’s technology-enabled vulnerability assessment significantly reduces the time and labor requirements and enables real-time, continuous visibility to track progress and risks.

This case study describes how we applied a technology-driven vulnerability assessment with a leading water utility to quickly prioritize security gaps and remediation efforts.

 

The Challenge

One of the top five water utilities in the United States sought to assess cyber risks to its industrial control systems across six widely distributed sites (including one of the top three wastewater sites in the world). Due to regulatory requirements and the board of directors’ recognition of the increased risk of cyber attacks to ICS, the client wanted to understand its risks and vulnerabilities at a detailed level. The client had a short time frame and needed to include both IT and OT assets across these sites, which had multiple levels of network segmentation and protection.

The Solution

We brought together the Verve Security Center (VSC) platform and Verve Industrial Protection (VIP) services to provide a rapid, detailed and closed-loop solution for a technology-enabled vulnerability assessment. Verve deployed the small appliance-based solution inside the client’s DMZ. The appliance contains the necessary elements of the Verve platform including asset inventory, vulnerability management, patch management, etc.

Within one week, the agent-agentless architecture connected to all sites and subnets within the network to gather a full asset inventory. Critical to this effort was the ability to see detailed information from PLCs down into the backplane, as well as the devices behind the backplane. The solution gathered full visibility of all software, patch status, vulnerabilities, users and accounts, ports, services, configurations, etc. VSC analyzed the software and firmware for known vulnerabilities and insecure or non-compliant configurations. It also analyzed network gear for misconfigurations and inappropriate security rules.

The VIP services team leveraged the tech-enabled visibility to develop a prioritized risk ranking based on our proprietary asset risk score and the client’s PHA analysis of asset criticality. This led to a clear prioritized roadmap of remediation initiatives, which is integrated within the Verve platform.

The Impact

Verve delivered the tech-enabled vulnerability assessment in less than one month across all sites for roughly the same cost as a single-site manual assessment. Within 30 days, the client received a robust assessment and roadmap to make progress on remediation using the closed-loop platform.

They immediately demonstrated progress to their board of directors against the specific gaps identified in the vulnerability assessment. They now track progress and provide updates on new risks in real time with the ongoing presence of the Verve Security Center’s vulnerability analysis software.
