Case Studies

IEC 62443 Gap Assessment
Regional Water Utility

Total findings

Critical gaps identified

Security zones modelled

Remediation funded

The Challenge

A network with no defined boundaries — and a regulatory deadline approaching

A regional water utility operating multiple treatment plants and a network of remote pumping stations was notified of its status as a responsible entity under the SOCI Act. The board had commissioned a CIRMP. The IT team had been tasked with extending the existing ISO 27001-aligned program to cover OT. Neither task could proceed without a clear, accurate picture of what the OT environment actually looked like.

"The OT environment had grown organically over 15 years. No formal security architecture. No documented zone and conduit model. No prior OT-specific security assessment — ever."

The core problem was not a lack of intent — it was a lack of visibility. Leadership did not know what assets were on the OT network, how they were connected, or what the realistic threat surface looked like. The CIRMP could not be defensible without that foundation.

Our Approach

A structured six-week assessment aligned to IEC 62443-3-2

The engagement followed the IEC 62443-3-2 risk assessment methodology, structured across four phases. Scope covered the primary treatment plant, two remote pumping stations, the IT/OT boundary, and all third-party vendor access pathways.

Phase 1

Week 1

Document & Architecture Review

Network diagrams and asset register review
Vendor documentation and support agreements
Existing policies and access control records
Stakeholder interviews — OT engineers and IT team

Phase 2

Weeks 2–3

On-Site Assessment

Treatment plant walkthrough and architecture verification
Remote pump station inspection
Network topology validation against documentation
Control room and HMI environment review

Phase 3

Week 4

Risk Assessment & Zone Modelling

Zone and conduit identification and documentation
Threat modelling per zone with consequence analysis
Target security level (SL-T) assignment per zone
IEC 62443-3-2 risk assessment per zone-conduit relationship

Phase 4

Weeks 5–6

Gap Analysis & Reporting

SL-A assessment across FR1–FR7 per zone
Risk-prioritised finding development
CIRMP technical annexure preparation
Board-ready executive summary and full technical report

What We Found

Seven significant findings across network architecture, access control, and detection

Selected findings from the 18-item remediation register. Four findings were rated Critical under the IEC 62443-3-2 risk scoring methodology — each representing a condition where the gap between current state and target security level created material operational risk.

Critical No network segmentation between OT and corporate zones

Treatment plant control systems, remote pump station RTUs, and the corporate network shared a single flat network. No firewall, conduit, or zone boundary existed between the IT environment and OT control systems. The network architecture was inconsistent with any security level above SL 0.

Consequence A successful phishing attack on a corporate workstation could propagate to treatment plant control systems without crossing a single network boundary. No technical control would impede lateral movement from IT to OT.
Critical Process historian directly accessible from corporate network

The process historian had no DMZ separation, data diode, or unidirectional gateway between itself and the corporate network. Read and write access was available to any authenticated domain user. The historian also maintained direct connectivity to the OT control network.

Consequence The historian represented a pivot point — a compromised corporate endpoint could reach OT control systems via the historian without requiring exploitation of any OT-specific vulnerability.
Critical Persistent vendor remote access with static credentials and no MFA

The primary SCADA vendor maintained a persistent, always-on VPN connection to the OT environment. Credentials were static, shared across vendor support staff, never rotated, and not subject to any access review cycle. Multi-factor authentication was not in use. No session logging existed.

Consequence A credential compromise at the vendor — through phishing, data breach, or former employee misuse — would grant unconstrained access to OT control systems with no time limit and no detection capability.
Critical No OT monitoring or detection capability

No network visibility, anomaly detection, or security monitoring existed on the OT network. The security team had no mechanism to detect unauthorised connections, protocol anomalies, device configuration changes, or lateral movement activity across any OT zone.

Consequence An active intrusion could persist undetected for an extended period. The utility had no ability to meet the SOCI Act's 12-hour critical incident reporting obligation — it could not detect an incident, let alone report one within the required window.
High Shared HMI credentials across all shift operators

A single shared account was used by all control room staff on the primary HMI. No individual user accounts, no role-based access control, and no session audit trail. All operators had equivalent access to all control functions regardless of role.

Consequence Insider incidents — whether malicious, negligent, or accidental — could not be attributed to an individual. This condition also fails the SOCI Act personnel hazard requirements for access control over critical workers.
High HMI workstations running end-of-life operating systems

Primary HMI workstations at the treatment plant ran Windows 7 — unsupported since January 2020 and unpatched for over three years at the time of assessment. Vendor support constraints prevented OS upgrades without a full system replacement, creating a patching impasse.

Consequence Known exploitable vulnerabilities with public proof-of-concept code existed for the installed OS version. Compensating controls (network isolation, application whitelisting) were absent, leaving the systems directly exposed.
Medium No lateral movement controls between remote sites and treatment plant

Remote pump station RTUs connected directly to the treatment plant control network with no intervening conduit controls. A compromised device at any remote site had an unobstructed network path to the primary control zone.

Consequence Remote sites — physically less secure and often unattended — represented a lower-effort entry point to the treatment plant control network than a direct attack on the plant itself.

Security Level Assessment

Treatment plant control zone — FR1 through FR7

Assessed against IEC 62443-3-3. Target security levels (SL-T) derived from the IEC 62443-3-2 risk assessment. Achieved security levels (SL-A) reflect verified current state across all seven foundational requirements.

Foundational Requirement	Ref	SL-T	SL-A	Gap Rating
FR 1 — Identification & Authentication	SR 1.1–1.13	2	<1	Critical
FR 2 — Use Control	SR 2.1–2.12	2	1	High
FR 3 — System Integrity	SR 3.1–3.9	2	<1	Critical
FR 4 — Data Confidentiality	SR 4.1–4.2	1	1	Met
FR 5 — Restricted Data Flow	SR 5.1–5.4	2	<1	Critical
FR 6 — Timely Response to Events	SR 6.1–6.2	2	0	Critical
FR 7 — Resource Availability	SR 7.1–7.8	2	1	High

What We Delivered

Seven deliverables. One integrated program.

All deliverables were structured to serve a dual purpose: provide the technical evidence base for IEC 62443 gap remediation, and satisfy the documentary requirements of the SOCI Act CIRMP cyber hazard vector.

Zone and conduit model — six security zones documented and diagrammed, covering treatment plant, remote pump stations, IT/OT DMZ, vendor access, safety systems, and corporate IT
IEC 62443-3-2 risk assessment — target security level (SL-T) assignment per zone, based on threat modelling and operational consequence analysis for water treatment disruption scenarios
SL-A gap assessment — current security level assessed across all seven foundational requirements for each zone, with finding-level evidence for each gap rating
18-finding remediation register — risk-prioritised across four severity levels (4 critical, 7 high, 5 medium, 2 low), each with root cause, risk rating, and specific remediation guidance
Prioritised remediation roadmap — phased implementation plan accounting for operational constraints, outage windows, legacy system limitations, and budget cycle timing
CIRMP technical annexure — IEC 62443 controls mapped to SOCI Act cyber hazard vector obligations, providing the defensible technical evidence base required for board attestation
Board-ready executive summary — non-technical risk posture overview, investment priorities, and SOCI Act compliance implications for board and senior leadership

The Outcome

From zero OT visibility to a funded, board-approved security strategy

The board had the technical evidence they needed to attest to CIRMP currency. Three critical remediation projects were scoped and funded within six weeks of report delivery.

Prior to the engagement, the utility had no documented OT architecture, no security baseline, and no clear pathway to SOCI Act compliance. The assessment changed all three. The zone and conduit model and SL gap analysis were incorporated directly into the CIRMP cyber vector as the technical evidence base — giving the board a defensible, auditable record underpinning their annual attestation.

Historian segmentation project scoped and approved within four weeks — estimated 30-day implementation, funded from existing IT security budget
Vendor remote access replaced with MFA-enforced, session-logged, time-limited access solution within six weeks of report delivery
OT network segmentation approved as a capital project in the next budget cycle — 90-day implementation, separating the corporate IT zone from all OT control zones
CIRMP cyber vector completed with IEC 62443 control mapping, supporting board attestation in the current reporting cycle

SOCI Act CIRMP Advisory
Regional Electricity Network Operator

Hazard vectors covered

Critical OT assets mapped

Cyber threat scenarios

10w

Program delivered

The Challenge

An 18-month compliance gap — with an audit window approaching

A regional electricity distribution network operator had been subject to SOCI Act obligations for over 18 months but had not developed a compliant Critical Infrastructure Risk Management Program. An upcoming ACS audit cycle, combined with a board directive to address the regulatory exposure, prompted the engagement.

"The CIRMP existed in name only. It listed hazard categories without identifying specific risks, referenced generic mitigations with no asset context, and had never been presented to the board."

The operator had no all-hazards risk assessment, no documented OT asset register, and no process for annual review. Directors were attesting to CIRMP currency without the evidentiary basis required under the Act.

Our Approach

A structured ten-week program aligned to the SOCI Act and ACS Rules

The engagement followed a four-phase structure covering obligation mapping, asset documentation, all-hazards risk assessment, and CIRMP development with board reporting.

Phase 1

Weeks 1–2

Obligation & Gap Review

Review existing CIRMP against ACS Rules
Map compliance gaps Rule by Rule
Review asset register against critical infrastructure asset definition
Stakeholder interviews — board, operations, IT

Phase 2

Weeks 3–4

Asset & Dependency Mapping

Identify and document critical OT assets
Map operational dependencies and failure impacts
Develop asset criticality register
Identify single points of failure and dependency chains

Phase 3

Weeks 5–8

All-Hazards Risk Assessment

Develop OT-specific cyber threat scenarios
Assess physical, personnel, and supply chain vectors
Consequence analysis for each hazard category
Risk rating and treatment identification

Phase 4

Weeks 9–10

CIRMP Development & Reporting

Full CIRMP redevelopment against ACS Rules
Board attestation package
Annual review schedule and trigger criteria
Executive briefing and findings presentation

What We Found

Six compliance gaps across obligation mapping, risk assessment, and documentation

The gap review identified material deficiencies across all four hazard vectors. The existing CIRMP did not meet the minimum requirements of the ACS Rules and could not withstand audit scrutiny in its current form.

Critical No asset-specific cyber threat scenarios in the CIRMP

The CIRMP's cyber hazard vector contained three generic statements referencing "cyber threats" without identifying specific threat actors, attack vectors, or OT-specific scenarios relevant to electricity distribution SCADA and EMS environments. No threat modelling had been conducted.

Consequence The document provided no basis for assessing whether existing controls were adequate or what residual risk remained. It could not withstand regulatory scrutiny under ACS Rule 10.
Critical CIRMP not underpinned by a documented risk assessment

The SOCI Act requires CIRMP to be developed following a risk assessment process. No documented risk assessment existed. Risk ratings in the CIRMP were assigned without methodology, evidence, or supporting analysis.

Consequence Board attestation was being made without the evidentiary basis required under the Act, exposing responsible officers to potential personal liability.
High Supply chain hazard vector entirely absent from CIRMP

Third-party vendor access to OT systems was not assessed in the CIRMP. Two vendors held persistent remote access to SCADA systems. Neither had been subject to a supply chain risk assessment, and neither was referenced in the CIRMP.

Consequence A material attack surface — vendor compromise — was entirely unaddressed in the compliance program, and the operator was not meeting supply chain obligations under ACS Rule 13.
High Personnel hazard vector incomplete — insider threat not addressed

The personnel section referenced background check requirements for new hires only. It did not address ongoing personnel risk, privileged access reviews, separation procedures, or insider threat scenarios for OT environments.

Consequence The operator was not meeting personnel hazard obligations under ACS Rule 12, and had no control framework for managing the most statistically likely source of operational incidents.
High OT assets absent from critical infrastructure asset register

The asset register used as the basis for CIRMP was the corporate IT asset register. SCADA servers, the Energy Management System, and RTUs at substation level were not documented as critical infrastructure assets and had no associated risk treatment records.

Consequence Without an accurate OT asset register, risk assessments and control mapping had no technical foundation, and the highest-consequence assets were outside the scope of the compliance program.
Medium No annual review process or version control

The CIRMP contained no review schedule, no version history, and no documented process for triggering reviews following material changes to the operational environment such as new assets, new vendors, or changes to the threat landscape.

Consequence Without a review mechanism, the CIRMP would become progressively less accurate and less defensible over time, compounding the compliance risk with each passing year.

Compliance Assessment

CIRMP obligations — ACS Rules compliance status

Assessed against the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023. Compliance status reflects the state of the CIRMP at the time of engagement.

CIRMP Requirement	Rule Ref	Status	Gap Rating
Critical asset identification and register	Rule 8	Partial	High
Cyber & information security hazard assessment	Rule 10	Not met	Critical
Physical security hazard assessment	Rule 11	Partial	High
Personnel hazard assessment	Rule 12	Partial	High
Supply chain hazard assessment	Rule 13	Not met	Critical
Annual review process and schedule	Rule 24	Not met	High

What We Delivered

Seven deliverables. One compliant program.

All deliverables were structured to satisfy the ACS Rules requirements and provide the board with a defensible, auditable evidentiary base for annual attestation.

CIRMP gap assessment report — Rule-by-Rule compliance mapping with evidence of deficiency and remediation guidance for each gap
Critical OT asset register — 12 assets documented with criticality ratings, operational dependencies, and single-point-of-failure analysis
All-hazards risk assessment — cyber, physical, personnel, and supply chain vectors assessed with consequence analysis and risk treatment identification
Six OT cyber threat scenarios — tailored to electricity distribution SCADA and EMS environments, with threat actor profiles and consequence modelling
Full CIRMP redevelopment — compliant with the SOCI Act and ACS Rules across all four hazard vectors, with Rule-by-Rule evidence mapping
Board attestation package — risk posture summary, compliance evidence, and board briefing slides structured for formal endorsement
Annual review schedule — documented review triggers, version control process, and responsible officer assignment for ongoing CIRMP currency

The Outcome

From a non-compliant template to a board-endorsed, audit-ready compliance program

The board attested to CIRMP currency for the first time with a defensible evidentiary base. The engagement resolved an 18-month compliance gap in ten weeks.

Prior to the engagement, the operator was formally non-compliant under the SOCI Act, with a CIRMP that could not withstand scrutiny. The redeveloped program gave the board the documentation, risk evidence, and audit trail they needed to attest with confidence — and gave the operations team a practical framework for managing OT security risk going forward.

Board endorsed the revised CIRMP at the next scheduled meeting, with the all-hazards risk assessment as the underpinning evidence base for each hazard vector
Supply chain review prompted immediate action — both persistent vendor connections replaced with time-limited, session-logged remote access solutions within four weeks of report delivery
OT asset register became the foundation for a broader security uplift program, with an IEC 62443 gap assessment scoped for the following financial year
ACS audit conducted eight months post-engagement found no material deficiencies in the CIRMP

Ready to address your SOCI Act obligations?

CIRMP development, gap assessment, and board reporting for responsible entities under the SOCI Act. Every engagement is scoped to your sector and operational environment.

Get in Touch SOCI Act Advisory →

Client details withheld by mutual agreement. Findings, methodology, and outcomes are representative of engagements conducted in the water and wastewater and electricity sectors.

IEC 62443 Gap AssessmentRegional Water Utility