Information Security Vulnerability Assessments
Professional IT security assessment and testing services improve safety
More than 40 water and wastewater utilities of various sizes have contracted with Westin to conduct vulnerability assessments of their information systems. These organizations recognize the need to assess the security of their networks, control systems and telecommunications. Following 9/11, water utilities were required to perform a vulnerability assessment which, in part, evaluated the security of their control system networks.
Every year, thousands of new vulnerabilities are discovered by hackers and security researchers. These affect operating systems, applications, databases, and telecommunications hardware and software for systems controlling critical infrastructure. Because customer data, payroll information, and other sensitive personal information are often the target of criminals, this information must also be protected with due diligence. The rise in these crimes has resulted in several national and state laws which can hold an organization responsible if due diligence was not exercised to secure this information. Network and system administrators need to test their control systems and networks using the same access methods that an unauthorized person might use.
Westin’s Certified Information System Security Professionals (CISSP), Certified Information Security Managers (CISM) and Certified SCADA Security Architects (CSSA) apply AWWA’s RAM-W for SCADA methodology, as well as techniques endorsed by the International Information Systems Security Certification Consortium and the Information Systems Security Association.
Westin can provide a network assessment, reviewing system architecture, physical security and access controls, networks and computers, wired and wireless LANs/WANs, telephone lines, firewalls and VPNs, passwords, as well as policies and procedures. In many cases, Westin has found previously undiscovered connections to the control system network.
Westin can also conduct penetration tests to access systems from the outside. The purpose of this kind of test is to exploit specific vulnerabilities found during the initial security vulnerability assessment to determine whether specific targets inside a protected network can be reached. Westin has been highly successful in penetrating systems, including gaining complete access to the SCADA Master Station. In other cases, highly sensitive information was found on the general-purpose IT network that would give a physical attacker an advantage. Successful penetration tests are effective in convincing management and staff to remediate the issues.
The final step in the vulnerability assessment is a detailed report of specific and prioritized action items, as well as estimated costs. This enables customers to quickly remediate the most critical items while also enabling them to develop a long-term strategy and budget for continually improving security.