Securing the Flow: A European Water Company's Journey to OT Cyber Resilience

By
Spencer Summons
June 6, 2025

Conducting assurance of a European water company's current approach to OT and its delivery of a new OT project. We were tasked with conducting a review of the organisation's approach to Operational Technology (OT) cyber security, as a first step toward obtaining proportionate OT cyber insurance. The company had a legacy operating environment but was also mid-way through an OT transformation project.

We completed the following actions:

  1. Pre-engagement: A pre-engagement meeting where we agreed the aim, objectives, scope, activities and timescales. The work included applying elements from both the NIST and IEC 62443 frameworks.
  2. Stakeholder interviews: We conducted interviews with key stakeholders, including managerial, operational and transformation project staff. During the interviews we collected evidence to align with the requirements of the frameworks, and also investigated plausible incident scenarios to which we could assign an estimated operational impact and cost.
  3. Qualitative and quantitative analysis: We conducted qualitative and quantitative analysis using both the information obtained through the interviews and our investigation into incident cost. Our analysis concluded with several outcomes and recommendations. The most significant included:
    1. Current OT maturity: Using several of the IEC 62443 framework sections and security levels, we were able to identify gaps in approach and align recommendations to the standard, while also adding pragmatic advice where direct alignment may be considered disproportionate.
    2. OT transformation opportunity: Also using the IEC 62443 framework, we were able to identify gaps in the security transformation programme. However, deeper analysis demonstrated that the most significant gap was in the readiness of the organisation to transition from project to operation.
    3. Incident cost summary: We identified the components of business interruption. We were able to determine both direct and indirect costs to digital and physical assets, as well as the readiness of the incident team to address physical impacts.

Findings and reporting: To ensure the report could be interpreted by the intended audience, we created a simple bubble chart that enabled the reader to compare the level of risk with the cyber capability maturity, within the context of the estimated losses for an incident.

The report was agreed and the recommended mitigations were accepted by the company.
