
Assessments May Lead to Insecurity

By Ryan Averbeck
March 1, 2008

Mandated vulnerability assessments and security experts may make facilities less secure.

In the aftermath of September 11, and with the enactment of the Public Health Security and Bioterrorism Response Act of 2002 (PL 107-188), various water entities (water treatment and wastewater facilities) were designated as critical infrastructure, warranting increased protection. The Environmental Protection Agency (EPA) was assigned responsibility for developing plans to improve water infrastructure security.

LACK OF EXPERIENCE

The first step toward improving security was the mandate to conduct vulnerability assessments. With over 50,000 critical water entities, the EPA was unable to conduct these assessments itself and opted to require that “self” assessments be completed.

With the explosive growth of the security market, a plethora of self-proclaimed “experts” emerged to assist larger entities with these vulnerability assessments. Most of these experts had a strong background in physical security or traditional information technology (IT) security, but no direct experience with or understanding of the nuances of the daily operations of water facilities. Even fewer had any experience with or understanding of the specific cyber threats and vulnerabilities inherent in SCADA systems, or of the other aspects of operations that affect the availability, reliability or maintainability (ARM) of the entire system.

The adage “calm seas do not make expert seamen” also applies to security professionals: experience with only one discipline of security (physical, IT, etc.) or against only one type of adversary (such as terrorists) does not an expert make.

While proficient at operating the facilities, most of the in-house staff assigned to complete the assessment had no background or experience in security.

INSECURITY EXISTS

What emerged were two distinct approaches to conducting vulnerability assessments: one completed by external security experts with limited knowledge of the systems they were assessing, and the other completed by system experts with limited knowledge of security and protection. This divide caused difficulties because both approaches failed to identify several critical vulnerabilities and threats, incorrectly assumed existing protection was adequate, and did not lay out a specific path forward or roadmap to improve security over time in a cost-effective manner. The fact that a vulnerability analysis had been completed (albeit poorly) gave the asset owner a false sense of security.

The shortfalls of both types of assessment were highlighted during a case study, conducted in April 2007, of a small municipal water treatment facility. The entity under review provided the results of its previous vulnerability assessment and allowed site visits and interviews to assess its current level of security and make recommendations for improvement. The utility was chosen because it had used three different self-assessment methods and tools to complete the initial self assessment, and because that assessment was conducted without the assistance of a security or protection professional.

CHECK THE PITFALLS

The case study highlights some of the pitfalls that occur when a vulnerability assessment is conducted by a person knowledgeable about the system but not intimately knowledgeable about security.

The results of the case study revealed that over 70 percent of the self assessment answers conflicted with what a security professional observed. For example, computer/server firewalls were installed but not properly configured (usually still set to the highly vulnerable factory presets), wireless networks were not properly secured, and password policies and procedures did not exist (for the business as well as the SCADA terminals). Most of the self assessments focused on physical security, where significant deviations were also noted: fencing was present but contained significant holes or breaches, and surveillance systems were present but placed in the wrong locations. Additionally, several high-risk vulnerabilities were discovered that had not been addressed in any of the previous vulnerability assessments. Many of these concerned the ease with which sensitive customer data could be obtained and used for identity theft.

The three main areas requiring attention were deficiencies in physical security, deficiencies in information technology security (for both business and SCADA systems), and the absence of adequate policies and procedures. Common trends included crediting specific security measures as being in place when in fact they were inadequate, and being unaware of specific risks and thus of the need to implement additional countermeasures. Examples of these trends: fencing was credited as in place at all locations when in fact all of the fencing contained significant breaches, and management was unaware that sensitive customer information (name, address, SSN, credit card numbers, etc.) was at risk of compromise and had not implemented any countermeasures to safeguard this data.

The self assessment did not accurately portray the security posture of the organization under review. A common thread in both versions of the assessments is that, once completed, the report was simply filed and no remediation or ongoing protection activities occurred. The self assessment exercise was viewed as a regulatory paper drill rather than as a security tool. Often, the items identified for enhanced protection during the assessment remained unprotected. As a final note, after conducting an initial vulnerability assessment during the 2002-2004 timeframe, many water entities have not conducted follow-up reviews or updates to their assessments.

By completing a self assessment, many managers thought they were finished with the security requirements, and it is this false sense of completion that makes the facilities more vulnerable than ever. Additionally, having assistance from the wrong experts may be akin to calling a plumber for electrical problems. Security is a continuous process, not a quick fix.


Ryan Averbeck is a principal systems security engineer in the Technology Protection and Management Office (TPMO) at Concurrent Technologies Corp. He is also currently a counterintelligence officer and commander in the U.S. Army Reserve.
