Roni Biju

Cybersecurity Risk Assessment for Critical Infrastructure (National Water Authority Case Study)

Organisations running critical infrastructure face some of the most complex and high-stakes cybersecurity challenges in the world. This project put that reality front and centre.

As part of a seven-member team, I conducted a comprehensive cybersecurity risk assessment for a simulated National Water Authority undergoing digital transformation — targeting SCADA systems, OT networks, and enterprise IT environments. We applied both qualitative and quantitative risk analysis methods to identify threats, evaluate vulnerabilities, and recommend cost-effective security controls.

Our fact-finding process included site walkthroughs, staff questionnaires, log reviews, and vulnerability scans. We uncovered critical risks including SQL injection vulnerabilities, weak Active Directory security, lack of MFA, phishing exposure, and significant gaps in business continuity planning.

The outcome? A structured risk mitigation strategy — including IDS/IPS deployment, network segmentation, SIEM monitoring, and staff security awareness training — with identified controls capable of mitigating up to $125M in potential annual cyber risk exposure. The strategy was fully aligned with NIST CSF and ISO 27001.

Conducted a comprehensive cybersecurity risk assessment for a simulated National Water Authority undergoing digital transformation. The project focused on identifying cyber and physical security risks affecting critical infrastructure systems such as SCADA, OT networks, and enterprise IT environments.

As part of a team of seven, we applied both qualitative and quantitative risk analysis methods to evaluate threats, vulnerabilities, and cost-effective security controls.

Key activities included:
• Performing fact-finding discovery techniques such as site walkthroughs, staff questionnaires, log reviews, and vulnerability scans.
• Identifying critical risks including SQL injection vulnerabilities, weak Active Directory security, lack of MFA, phishing exposure, and gaps in business continuity planning.
• Conducting cost-benefit and ROSI (Return on Security Investment) analysis to evaluate security investments.
• Developing a risk mitigation strategy including MFA implementation, IDS/IPS deployment, network segmentation, staff security awareness training, SIEM monitoring, and business continuity planning.

Key outcomes:
• Identified controls capable of mitigating up to $125M in potential annual cyber risk exposure.
• Demonstrated strong ROI for cybersecurity investments such as physical security controls (ROSI 153), security training (ROSI 33), and environmental protections (ROSI 36).
• Produced a structured cybersecurity risk management strategy aligned with industry frameworks such as NIST and ISO 27001.
