Case Study: CVWA | C2M2 Program Portal

🏢 Organization Profile

▼

1957

Year Founded

138,000

Customers Served

412 mi²

Service Area

$24.2M

FY2024 Revenue

Background

The Clearwater Valley Water Authority (CVWA) is a publicly chartered regional water and wastewater authority established by the Virginia General Assembly in 1987, consolidating the former Cedar Falls Municipal Water Department (est. 1957) and two county-run sewer districts. CVWA provides safe drinking water and wastewater treatment services to approximately 138,000 residents and commercial customers across Harrington, Millbrook, and Ridgeline Counties in central Virginia.

CVWA is governed by a five-member Board of Directors appointed by the county boards of supervisors. Day-to-day operations are managed by an Executive Director reporting to the board. The authority is a self-sustaining enterprise fund — not supported by general tax revenue — funded entirely through water and sewer rates, connection fees, and occasional state/federal grants.

Mission & Regulatory Obligations

CVWA operates under multiple regulatory frameworks including the Safe Drinking Water Act (SDWA), Clean Water Act (CWA), Virginia DEQ NPDES discharge permit (VA0055123), and is subject to the America's Water Infrastructure Act (AWIA) of 2018 — requiring risk and resilience assessments and emergency response plan certification to EPA.

Attribute	Detail
Legal Name	Clearwater Valley Water Authority (CVWA)
Headquarters	1200 Oak Street, Cedar Falls, VA 24018
Organization Type	Public Regional Water Authority (Virginia Code §15.2-5100)
Service Territory	Harrington County, Millbrook County, Ridgeline County (portions)
DUNS / SAM	07-294-5512 / Active (federal grant recipient)
EPA PWSID	VA6061200
NPDES Permit	VA0055123 (Cedar Valley WWTP, expires 2026)
WaterISAC Member	Yes — annual subscription since 2021
AWIA Certification	Last certified 2021; 2025 cycle recertification pending
IT Support Model	1 internal IT Coordinator + contracted MSP (TechPoint Systems)
Cybersecurity Staff	NONE — Zero dedicated cybersecurity personnel

🏭 Facilities & Locations

▼

Facility ID	Name	Address	Type	Capacity	Physical Security
FAC-01	Administration Building	1200 Oak Street, Cedar Falls, VA	Headquarters / Office	—	Card access, CCTV
FAC-02	Cedar Falls Water Treatment Plant (WTP)	800 Reservoir Drive, Cedar Falls, VA	Surface Water Treatment	12 MGD permitted / 8.5 MGD avg	Fence, padlock, 8 CCTV cameras
FAC-03	Millbrook Groundwater Treatment Facility	225 Well Field Road, Millbrook, VA	Groundwater Treatment (Wells)	4 MGD	Standard door lock only, no CCTV, no alarm
FAC-04	Cedar Valley Wastewater Treatment Plant (WWTP)	445 River Bend Road, Cedar Falls, VA	Wastewater Treatment	8 MGD permitted / 5.8 MGD avg	Fence, 6 CCTV (2 inoperable), guard shack unstaffed
FAC-05	Ridgeline Booster Pump Station	CR-15, Ridgeline County, VA	Pressurization / Distribution	—	Padlock only, remote site — no alarm, no CCTV
FAC-06	Elevated Storage Tanks (3)	Various — Cedar Falls, Millbrook, Ridgeline	Potable Water Storage	50K / 250K / 500K gal	Ladder locks, limited inspection frequency
FAC-07	Ground Storage Tank	800 Reservoir Drive (co-located with WTP)	Potable Water Storage	2,000,000 gal	Fenced, locked
FAC-08	Remote Lift Stations (18)	Distributed — Harrington, Millbrook, Ridgeline	Wastewater Collection	Varies	15 of 18 have inadequate physical security

Physical Security Gap: FAC-03 (Millbrook Groundwater Facility) has no CCTV, no intrusion alarm, and is staffed only during scheduled maintenance visits (approx. 2×/week). The facility contains active SCADA equipment and chemical dosing systems accessible via a single keyed door lock.

Critical Gap: 15 of 18 remote lift stations have inadequate physical security. Six (LS-13 through LS-18) have no digital telemetry whatsoever — control panel tampering would go undetected until the next scheduled visit.

👥 Organizational Structure & Staffing

▼

Critical Finding: CVWA has zero dedicated cybersecurity personnel. All IT and OT network responsibilities are managed by a single IT Coordinator (Kevin Patel) who has a background in general IT support and network administration but no formal cybersecurity training or certifications. Kevin manages ~35 workstations, 6 servers, the SCADA network, all OT communications, and vendor remote access — with no backup or redundancy.

Name	Title	Department	Cybersecurity Role
Robert Hensley	Executive Director	Executive	None formal — approves IT budget
Maria Santos	Director of Operations	Operations	None
James Whittaker	Chief Financial Officer	Finance	None
Kevin Patel	IT Coordinator	IT / OT	All IT + OT networking — sole IT staff
Linda Harmon	Chief Water Treatment Operator	Operations – WTP	None
Greg Ochoa	Chief Wastewater Operator	Operations – WWTP	None
Sandra Kim	Compliance & Regulatory Officer	Compliance	Partial — manages AWIA documentation
8 Water Treatment Operators	Operator I–IV	Operations – WTP	None
7 Wastewater Operators	Operator I–IV	Operations – WWTP	None
12 Distribution Crew	Technician / Crew Lead	Distribution	None
8 Collection Crew	Technician / Crew Lead	Collection	None
4 Lab Technicians	Lab Analyst I–II	Laboratory	None
6 Customer Service / Billing	CSR / Billing Specialist	Finance	None

Board of Directors

CVWA's five-member Board of Directors includes appointees from each of the three counties plus two at-large members. Cybersecurity has never appeared as a formal agenda item in board minutes reviewed for this assessment. The board receives an annual IT budget summary but does not review cybersecurity risk posture or incident history.

💻 IT Asset Inventory

▼

Asset Management Gap: CVWA has no formal IT asset management system. The inventory below was reconstructed from Kevin Patel's personal spreadsheet, vendor invoices, and physical walk-throughs during this assessment. No configuration management database (CMDB) exists.

Servers

Host Name	Function	OS	Location	Status	Risk
CVWA-SRV-01	Active Directory / Domain Controller	Windows Server 2019	FAC-01 Server Room	Current	Medium
CVWA-SRV-02	File Server / SharePoint On-Prem	Windows Server 2019	FAC-01 Server Room	Current	Medium
CVWA-SRV-03	Ignition SCADA Application Server	Windows Server 2016	FAC-02 Control Room	Mainstream Support Only	High
CVWA-SRV-04	AVEVA PI Historian Server	Windows Server 2012 R2	FAC-02 Control Room	EOL — No Patch Support	Critical
CVWA-SRV-05	Infor ERP Application Server	Windows Server 2019	FAC-01 Server Room	Current	Medium
CVWA-SRV-06	Cayenta CIS / Billing Server	Windows Server 2016	FAC-01 Server Room	Mainstream Support Only	Medium
MILL-SRV-01	Millbrook Facility SCADA Server (standalone)	Windows Server 2016	FAC-03 Equipment Room	Mainstream Support Only	Critical — isolated, no monitoring

Business Applications

Application	Vendor	Version	Purpose	Hosting
Ignition SCADA	Inductive Automation	8.1.25	OT/SCADA platform — WTP & WWTP	On-prem (CVWA-SRV-03)
Ignition Perspective HMI	Inductive Automation	7.9.x (outdated)	Local HMI — Millbrook Facility only	On-prem (MILL-SRV-01)
AVEVA PI Historian	AVEVA / OSIsoft	PI Server 2018	Process data historian — all plants	On-prem (CVWA-SRV-04)
Cayenta Utilities	N. Harris Computer	10.3	Customer billing / CIS	On-prem (CVWA-SRV-06)
Infor CloudSuite	Infor	SaaS	ERP — finance, procurement, HR	Cloud (Infor-managed)
Cityworks AMS	Trimble	2022.1	CMMS — work orders, maintenance	Cloud (SaaS)
LabWorks LIMS	LabWorks	7.2	Lab information management — water quality compliance	On-prem (CVWA-SRV-02)
Esri ArcGIS Enterprise	Esri	10.9.1	GIS — asset mapping, service territory	On-prem (CVWA-SRV-02)
Microsoft 365	Microsoft	E3 Plan	Email, Teams, SharePoint Online	Cloud (Microsoft)
TeamViewer	TeamViewer GmbH	15.x	Vendor remote access — SCADA integrator & MSP	SaaS — shared license, 3 vendors

Network Infrastructure

Device	Model	Location	Function	Support Status
Primary Firewall	Cisco ASA 5545-X	FAC-01 Network Closet	Perimeter firewall / VPN gateway	End of SW Maintenance 2025
Millbrook Firewall/Router	SonicWall TZ600	FAC-03 Equipment Room	Millbrook site router / remote access	End of Support — admin/admin default creds
Core Switch (Corp)	Cisco Catalyst 2960X-48	FAC-01 Server Room	Corporate LAN core switching	EOL hardware, SW supported
OT Switch (WTP)	Cisco IE-2000-16TC	FAC-02 Control Room	Industrial Ethernet — OT segment	Supported
WAN Router	Cisco ISR 4321	FAC-01 Network Closet	Internet uplink (Comcast 1Gbps)	Supported
Wi-Fi APs (8)	Zyxel NWA210AX	FAC-01, FAC-02, FAC-04	Corporate wireless	Supported
VPN	Cisco AnyConnect (ASA)	FAC-01	Remote operator access	No MFA configured

Critical Finding: The SonicWall TZ600 at Millbrook Facility (FAC-03) is beyond end-of-support and was found using factory-default administrator credentials (admin / admin). This device provides the only network boundary between the Millbrook SCADA system and the internet.

⚙️ OT / ICS Asset Inventory

▼

Cedar Falls Water Treatment Plant (FAC-02) — OT Assets

Asset ID	Description	Vendor / Model	Firmware/SW Ver.	Network Segment	Risk
WTP-PLC-01	Primary Plant PLC	Rockwell AB ControlLogix 5580	v33.011	OT LAN (10.10.1.x)	Medium
WTP-PLC-02	Redundant/Backup PLC	Rockwell AB ControlLogix 5580	v32.018	OT LAN (10.10.1.x)	Medium — outdated FW vs primary
WTP-HMI-01–03	Operator HMI Workstations (3)	Dell OptiPlex / Ignition Client	Win 10 LTSC 2019	OT LAN (10.10.1.x)	Medium
WTP-FM-01–06	Magnetic Flow Meters (6)	Yokogawa ADMAG AXF	HW Rev 4	OT LAN via PLC I/O	Low
WTP-TURB-01–04	Online Turbidity Analyzers (4)	Hach TU5400sc	v2.01	OT LAN (Modbus TCP)	Low
WTP-CL-01–03	Free Chlorine Analyzers (3)	Hach CL17sc	v3.5	OT LAN (Modbus TCP)	Low
WTP-VFD-01–12	Variable Frequency Drives — Pump Motors (12)	ABB ACS550	Firmware 2.25a	OT LAN (Profibus)	Medium — some EOL models
WTP-CHEM-01–04	Chemical Metering Pumps — Chlorine/Alum/Fluoride (4)	ProMinent Dulcoflex DFBa	n/a (analog)	Hardwired / PLC I/O	Low
WTP-GEN-01–02	Emergency Diesel Generators (2)	Cummins QSK23-G7 (900 kW)	HMI v1.4	Hardwired / local panel	Low

Cedar Valley Wastewater Treatment Plant (FAC-04) — OT Assets

Asset ID	Description	Vendor / Model	Firmware/SW Ver.	Network Segment	Risk
WWTP-PLC-01	Primary Plant PLC	Rockwell AB ControlLogix 5580	v33.011	OT LAN (10.10.2.x)	Medium
WWTP-PLC-02–04	Secondary Process PLCs (3)	Rockwell AB CompactLogix 5380	v32.011	OT LAN (10.10.2.x)	Medium
WWTP-HMI-01–02	Operator HMI Workstations (2)	Dell OptiPlex / Ignition Client	Win 10 LTSC 2019	OT LAN (10.10.2.x)	Medium
WWTP-BLW-01–03	Aeration Blowers (3)	Atlas Copco ZS+ VSD Screw Blower	Firmware v5.1	OT LAN (Profinet)	Medium — critical process
WWTP-DO-01–08	Dissolved Oxygen Sensors (8)	YSI EXO2 Sonde	v2.5.3	OT LAN (SDI-12 / RS-485)	Low
WWTP-UV-01	UV Disinfection System	Trojan Technologies UV3000	v3.2.1	OT LAN (Modbus TCP)	Medium — safety-critical
WWTP-BG-01	Biogas Monitoring & Flare Control Panel	Enefit / standalone panel	v1.8	Hardwired / local panel	Medium — safety-critical
WWTP-VFD-01–03	Return Sludge Pump VFDs (3)	Danfoss VLT AQUA FC202	Firmware 7.53	OT LAN (Profibus)	Low

Millbrook Groundwater Facility (FAC-03) — OT Assets

Critical Isolation Gap: The Millbrook Facility OT systems are NOT connected to the main CVWA SCADA system. Operators must physically drive to the site (~22 miles from HQ) to check system status. The standalone Ignition HMI is running version 7.9.x — a significantly outdated release no longer receiving security patches.

Asset ID	Description	Vendor / Model	Version	Risk
MILL-PLC-01	Facility PLC (standalone)	Siemens SIMATIC S7-1200	FW v4.4	Medium
MILL-HMI-01	Local HMI / Ignition Perspective	Inductive Automation Ignition	v7.9.21 — EOL	Critical — unpatched, no remote visibility
MILL-WP-01–03	Submersible Well Pumps (3)	Grundfos SP 77-7	—	Low
MILL-CHEM-01	Sodium Hypochlorite Dosing Skid	ProMinent Sigma S2Ba	—	Medium — safety-critical
MILL-FM-01–02	Magnetic Flow Meters (2)	Badger Meter M-Series Mag	—	Low

Remote Lift Stations (18) — Telemetry Status

Station Range	Count	PLC / RTU	Telemetry	Credentials	Risk
LS-01 – LS-06	6	AB CompactLogix 5380	AT&T LTE cellular modem	LS-03: default `admin/1234` — NOT CHANGED	Critical (LS-03), Medium (others)
LS-07 – LS-12	6	Schneider Telemetry RTU (ION7300)	900 MHz radio (EOL hardware)	Vendor-set, undocumented	High — EOL devices, no secure telemetry
LS-13 – LS-18	6	Pneumatic level float controls	None — no digital connectivity	N/A	Critical — blind operation, no alarms

🌐 Network Architecture

▼

Critical Architecture Gap: The AVEVA PI Historian server (CVWA-SRV-04) has a dual-NIC configuration with one interface on the OT network (10.10.0.x) and one on the Corporate LAN (192.168.1.x) — creating a direct network bridge between IT and OT segments with NO firewall or DMZ in between. This is the primary IT/OT pivot point.

CVWA NETWORK ARCHITECTURE — LOGICAL DIAGRAM (Simulated)

  ╔══════════════════════════════════════════════════════════════════╗
  ║                     INTERNET (Comcast 1Gbps)                    ║
  ╚══════════════════════╦═══════════════════════════════════════════╝
                         │
                  ┌──────▼──────┐
                  │ Cisco ISR   │  WAN Router
                  │  4321       │  192.0.2.1 (public)
                  └──────┬──────┘
                         │
           ┌─────────────▼────────────┐
           │     Cisco ASA 5545-X     │  Perimeter Firewall / VPN GW
           │   (EOL SW Maintenance    │  ⚠ No MFA on AnyConnect VPN
           │    – End 2025)           │  ⚠ TeamViewer allowed inbound
           └──────┬───────────┬───────┘
                  │           │
     ─────────────────────────────────────────────────────────
     CORPORATE LAN (192.168.1.0/24)             GUEST Wi-Fi (172.16.0.0/24)
     Cisco Catalyst 2960X-48                   Zyxel NWA210AX APs
     ─────────────────────────────────────────────────────────
          │         │         │
     ┌────▼──┐  ┌───▼───┐  ┌─▼──────┐
     │SRV-01 │  │SRV-05 │  │SRV-06  │
     │AD/DC  │  │ ERP   │  │CIS/BIL │
     │Win19  │  │Infor  │  │Cayenta │
     └───────┘  └───────┘  └────────┘
          │         │
     ┌────▼──┐  ┌───▼───┐
     │SRV-02 │  │SRV-04 │◄══════════════════╗
     │File   │  │PI HIST│  ◄── DUAL NIC ──►  ║ CRITICAL GAP:
     │Server │  │Win2012│                   ║ Historian bridges
     └───────┘  └──┬────┘                   ║ Corp LAN ↔ OT LAN
                   │ (second NIC — NO DMZ)  ║ No firewall between
     ─────────────────────────────────────────────────────────
     OT NETWORK (10.10.0.0/16)
     Cisco IE-2000-16TC Industrial Switch
     ─────────────────────────────────────────────────────────
          │              │              │
   ┌──────▼──────┐  ┌────▼────┐  ┌─────▼────────────┐
   │  WTP OT     │  │WWTP OT  │  │   SCADA SERVER   │
   │ 10.10.1.x   │  │10.10.2.x│  │   CVWA-SRV-03    │
   │             │  │         │  │  Ignition 8.1.25  │
   │WTP-PLC-01/02│  │WWTP-PLC │  │  Win Server 2016  │
   │HMI-01–03    │  │HMI-01/02│  └──────────────────┘
   │Flow/Turb/CL │  │Blowers  │
   │VFDs, Pumps  │  │DO/UV/BG │
   └─────────────┘  └─────────┘

     ── WAN LINKS ──────────────────────────────────────────────
   WWTP (FAC-04)               County fiber lease — 100 Mbps
   Millbrook (FAC-03)          AT&T Business Broadband (50/10 Mbps)
                               ⚠ SonicWall TZ600 EOL — admin/admin creds
                               ⚠ NO connection to main OT SCADA network
   LS-01 – LS-06               AT&T LTE cellular (per-station modem)
   LS-07 – LS-12               900 MHz radio telemetry (EOL hardware)
   LS-13 – LS-18               NO digital connectivity

     ── VENDOR REMOTE ACCESS ───────────────────────────────────
   TechPoint MSP               AnyConnect VPN → Corp LAN
                               ⚠ No MFA  ⚠ Admin AD access
   Ignition Integrators LLC    AnyConnect VPN → OT LAN + TeamViewer
                               ⚠ Shared TeamViewer license (3 vendors)
                               ⚠ No session logging, no time limits
   Hach / Yokogawa (field svc) TeamViewer (same shared license)

Network Segments Summary

Segment	VLAN / Subnet	Systems	Separation	Risk
Corporate LAN	VLAN 10 / 192.168.1.0/24	Admin workstations, servers, billing, ERP	Firewall from internet	Medium
OT Network	10.10.0.0/16	SCADA, PLCs, HMI, historians	Historian bridges to Corp LAN — NO DMZ	Critical
Millbrook Site	Isolated / 10.20.1.0/24	Standalone SCADA, S7-1200 PLC	SonicWall TZ600 (EOL, default creds)	Critical
Guest Wi-Fi	172.16.0.0/24	Visitor devices, contractor tablets	Firewall-separated	Low

🔒 Security Controls Assessment

▼

Control Area	IT Status	OT Status	Notes
Firewall / Perimeter	Partial	Gap	ASA in place for IT perimeter; no firewall between IT and OT (historian bridge)
Multi-Factor Authentication (MFA)	None	None	Zero MFA deployment anywhere — VPN, admin accounts, cloud apps all single-factor
Privileged Access Mgmt (PAM)	Gap	Gap	Shared "scada_admin" account used by 4 staff. No privileged session recording.
Patch Management	Partial	Gap	IT patches lag 60–90 days; OT systems patched "when convenient" — no formal process. SRV-04 (PI Historian) EOL — no patches available.
Endpoint Detection (EDR)	Partial	None	Windows Defender on IT workstations; no EDR on OT HMI or SCADA servers
SIEM / Log Management	None	None	No centralized logging. Windows event logs retained 30 days max on local disk. No OT log collection.
Vulnerability Scanning	None	None	No credentialed or uncredentialed scanning has ever been performed on CVWA's network.
Network Monitoring (IDS/IPS)	None	None	No IDS/IPS, no NetFlow, no OT network monitoring (e.g., Claroty, Dragos, Nozomi)
Backup & Recovery	Partial	Gap	IT: Veeam backups to local NAS; last restore test: 2022. OT: No SCADA configuration backups documented.
Password Policy	Informal	Gap	No documented password standard. Multiple shared accounts. OT device default passwords not inventoried.
Remote Access Controls	Gap	Gap	VPN without MFA. TeamViewer shared among 3 vendors. No session time limits, recording, or approval workflow.
Security Awareness Training	Partial	None	IT staff received one general cybersecurity briefing in 2022. No phishing simulations. No OT-specific training.
Incident Response Plan	None	None	No documented cyber IR plan. Emergency Response Plan (2020) covers physical/natural events only.
Asset Inventory / CMDB	Partial	Gap	IT assets tracked in Kevin Patel's personal spreadsheet. No formal OT asset inventory.
Vendor / Supply Chain Risk	None	None	No vendor cybersecurity assessments, no security addenda in contracts, no supply chain risk policy.
Cybersecurity Governance	None	None	No formal cybersecurity program, policy framework, or board-level oversight.

🤝 Third-Party & Vendor Relationships

▼

Supply Chain Risk: CVWA has no supply chain cybersecurity policy, no formal vendor risk assessment process, no cybersecurity addenda in any vendor contracts, and no mechanism to monitor or revoke vendor remote access. TechPoint MSP holds Domain Admin credentials and has never undergone a security assessment.

Vendor	Service	Access Level	Contract Cyber Clauses	Risk Rating
TechPoint Systems Inc. (Cedar Falls, VA)	IT MSP — helpdesk, patch management, network monitoring	Domain Admin on Active Directory	None	CRITICAL
Ignition Integrators LLC (Richmond, VA)	SCADA/OT systems integrator — programs and maintains Ignition SCADA, PLC logic	AnyConnect VPN to OT segment + shared TeamViewer	None	CRITICAL
Hach Company	Water quality analyzer service, reagent supply, calibration	Shared TeamViewer (same license as SCADA integrator)	None	HIGH
Yokogawa Corporation of America	Flow meter calibration, service contracts	On-site visits only	None	MEDIUM
Smith Chemical Supply Co. (Roanoke, VA)	Chlorine, alum, fluoride supply — weekly delivery	Physical access to FAC-02 chemical room	None	MEDIUM
Reference Laboratory Services (RLS)	Third-party drinking water compliance testing (SDWA)	Sample pickup only	Basic HIPAA-style data agreement	LOW
Infor (SaaS ERP)	Cloud ERP platform (CloudSuite)	SaaS — no on-prem access	SOC 2 Type II	LOW
AT&T Business	Internet uplink + LTE cellular for lift stations LS-01–06	Carrier — no CVWA system access	Standard carrier SLA	LOW
WaterISAC	Water sector threat intelligence sharing	Read-only portal access	Membership agreement	LOW — beneficial

📋 Policies & Governance

▼

Policy / Document	Status	Last Updated	Notes
Acceptable Use Policy (AUP)	Exists — Outdated	2018	Does not address cloud services, mobile devices, or remote work. Not signed by current staff.
Password / Account Management Policy	None	—	No documented minimum password standards or account lifecycle procedures.
Network Security Policy	None	—	No documented network segmentation, remote access, or firewall change control policy.
Incident Response Plan (Cyber)	None	—	General Emergency Response Plan (ERP) covers physical/natural events. No cyber-specific IRP.
OT / ICS Security Policy	None	—	No policy governing OT device management, vendor access, or industrial control system changes.
Third-Party / Vendor Security Policy	None	—	No vendor risk assessment process, no security addenda in contracts.
Data Classification Policy	None	—	No data classification scheme. Customer PII, SCADA configs, and legal documents stored without differentiation.
AWIA Risk & Resilience Assessment	Partial — Stale	2021	Completed per AWIA 2018 requirements. 2025 recertification cycle due. Does not fully address cyber threats to OT.
Emergency Response Plan (ERP)	Exists — Outdated	2020	Covers pipe breaks, natural disasters, chemical spills. No cyber incident annexes.
Business Continuity Plan (BCP)	None	—	No documented BCP. Recovery Time Objectives (RTOs) not defined for any CVWA systems.
Cybersecurity Program Charter	None	—	No formal cybersecurity program. No budget line item for cybersecurity. No board-level oversight.

📊 Indicative C2M2 Domain Assessment

▼

Student Instruction: The maturity levels below are indicative — derived from the assessment findings above. Your task is to review the evidence, validate or challenge these scores, identify the specific unmet practices for each domain, and develop a prioritized remediation plan. Use the official C2M2 v2.1 Practice Reference (see Domains page) to map findings to specific practice IDs.

Indicative MIL: 1 (Partial)

🗂️ ASSET — Asset, Change & Config Mgmt

No formal IT or OT asset inventory exists. Kevin Patel's personal spreadsheet is the only IT asset record. No OT device inventory. No configuration management baselines. No software inventory or unauthorized software controls.

IT asset list reconstructed during assessment
Zero OT asset documentation
No change management process for OT modifications
MILL-SRV-04 and MILL-HMI-01 running EOL software

Indicative MIL: 0

🛡️ THREAT — Threat & Vulnerability Mgmt

No vulnerability scanning has ever been performed. No threat intelligence program. No patch management policy. CVWA has no subscription to ICS-CERT alerts or WaterISAC OT threat feeds beyond basic membership.

No credentialed or uncredentialed scanning — ever
OT systems unpatched for 2–6+ years
No CISA KEV tracking
Default credentials unidentified until this assessment

Indicative MIL: 1

⚖️ RISK — Risk Management

AWIA RRA (2021) provides a high-level risk register for physical and some cyber risks. No formal enterprise risk management program. Cybersecurity risk has not been presented to the Board.

AWIA RRA is stale (2021) and cyber portion is incomplete
No formal risk scoring methodology
Risk appetite undefined
No risk tracking or remediation monitoring

Indicative MIL: 0–1

🔑 ACCESS — Identity & Access Mgmt

Multiple default and shared credentials on OT systems. No MFA anywhere. No privileged access management. Vendor remote access is uncontrolled and unmonitored. Four staff share the "scada_admin" account.

LS-03 PLC: admin/1234 unchanged
Millbrook SonicWall: admin/admin
Shared scada_admin account — no individual accountability
No MFA on VPN, admin accounts, or cloud apps
No vendor access provisioning/deprovisioning process

Indicative MIL: 0

👁️ SITUATION — Situational Awareness

No SIEM or centralized log management. No OT network monitoring. Windows event logs retained only 30 days on local disk. No anomaly detection. No network traffic analysis. Millbrook facility has no remote visibility whatsoever.

No SIEM deployed
No OT/ICS monitoring (Claroty, Dragos, Nozomi, etc.)
No NetFlow or packet capture capability
Log retention inadequate for forensics

Indicative MIL: 0–1

🚨 RESPONSE — Incident Response & Continuity

No documented cyber incident response plan. The 2020 Emergency Response Plan covers physical/natural emergencies only. No cyber-specific playbooks, no tabletop exercises, no defined communication chain for cyber events.

No cyber IRP exists
Staff do not know who to call for a cyber incident
No OT recovery runbooks
No Business Continuity Plan or RTOs defined
No relationship with FBI, CISA, or WaterISAC for incident coordination

Indicative MIL: 0

🤝 THIRD-PARTIES — Third-Party Risk Mgmt

No vendor risk assessment process. No cybersecurity addenda in any vendor contracts. No mechanism to monitor or revoke vendor remote access. TechPoint MSP has Domain Admin and has never been audited.

No supply chain cybersecurity policy
No vendor security questionnaires
Shared TeamViewer license among 3 vendors
No vendor access logs or session recording

Indicative MIL: 1

👷 WORKFORCE — Workforce Management

One general IT cybersecurity briefing delivered in 2022. No annual security awareness training. No phishing simulation program. No role-based cybersecurity training for operators or field crews. No background check policy for privileged access roles.

No formal security awareness program
No OT-specific training for plant operators
No insider threat program
Succession planning gap: Kevin Patel is sole IT staff

Indicative MIL: 0–1

🏗️ ARCHITECTURE — Cyber Architecture

No IT/OT demarcation DMZ. PI Historian dual-NIC creates direct bridge between corporate and OT networks. Millbrook facility has no security boundary. No Zero Trust controls. No encryption for OT communications.

PI Historian dual-NIC = critical pivot point
Millbrook EOL SonicWall with default creds as sole boundary
900 MHz radio telemetry unencrypted
No OT network segmentation between WTP and WWTP
No DMZ architecture documented

Indicative MIL: 0

📋 PROGRAM — Cybersecurity Program Mgmt

No formal cybersecurity program exists. No cybersecurity budget line item. No executive sponsor for cybersecurity. Board has never discussed cybersecurity risk. No performance metrics or audit cycle. Kevin Patel manages all cybersecurity informally alongside general IT duties.

No program charter or governance structure
No dedicated cybersecurity budget
No board-level reporting on cyber risk
No formal policy framework
No cybersecurity audit or review cycle

🎓 Training Exercise — Discussion Questions & Scenario Injects

▼

Discussion Questions

Q1 — Asset & Architecture Review

The PI Historian server (CVWA-SRV-04) has a dual-NIC configuration bridging the Corporate LAN and OT network with no DMZ. What specific C2M2 ARCHITECTURE and ASSET domain practices does this violate? What is the attack path an adversary could take from a phishing email to the Cedar Falls WTP SCADA system? Sketch the lateral movement path.

Q2 — Access Control Prioritization

CVWA has at least three confirmed default credential findings (LS-03 PLC, Millbrook SonicWall, and the shared scada_admin account). Using C2M2 ACCESS domain practices, rank these by risk severity and justify your ranking. What is the minimum viable remediation for each within 30 days at near-zero cost?

Q3 — AWIA Compliance Gap

CVWA's AWIA Risk and Resilience Assessment was last certified in 2021. The 2025 recertification cycle is approaching. Given the OT vulnerabilities identified in this assessment, what new risks must be added to the RRA? Does the current ERP (2020) satisfy AWIA cybersecurity requirements? Cite the specific AWIA section.

Q4 — Vendor Risk Triage

TechPoint Systems Inc. holds Domain Admin credentials on CVWA's Active Directory and has never been assessed. Ignition Integrators LLC has VPN and shared TeamViewer access to the OT segment. Using C2M2 THIRD-PARTIES domain practices, what immediate actions should CVWA take? Draft the first three items for a vendor cybersecurity remediation plan.

Q5 — MIL Challenge

The indicative C2M2 assessment scores the ACCESS domain at MIL 0–1. Review the ACCESS domain practices from C2M2 v2.1. Do you agree with this score? What specific practices (by ID) would CVWA need to fully implement to achieve MIL 2 in the ACCESS domain? What evidence artifacts would demonstrate compliance?

Q6 — Incident Response Planning

CVWA has no cyber incident response plan. An attacker has compromised the shared TeamViewer license and is now connected to Ignition Integrators LLC's session on the OT network. Using C2M2 RESPONSE domain practices, outline the first 60 minutes of incident response. Who at CVWA needs to be notified? What external bodies (federal, state) must be contacted and under what timelines?

Q7 — Remediation Planning with Budget Constraint

The CVWA Board of Directors has approved a one-time $75,000 cybersecurity improvement budget and has authorized hiring one part-time cybersecurity consultant for 90 days. Using the C2M2 domain gap scores, develop a prioritized 90-day remediation roadmap. Which gaps do you address first? What does $75,000 buy? What remains unresolved and why?

Scenario Injects

🚨 Inject 1 — Suspicious Lift Station Behavior

Scenario: It is 2:47 AM on a Tuesday. The on-call operator receives an automated alarm from LS-04 (Cedar Hills Lift Station) indicating the wet well level is unexpectedly high despite normal inflow. Simultaneously, Kevin Patel receives a VPN connection alert from an unfamiliar IP address in Romania connecting to the AnyConnect VPN.

Discussion:

Using only the tools and resources CVWA currently has, what can the operator actually do to investigate?
What is the worst-case scenario if LS-04's PLC has been compromised?
What C2M2 RESPONSE and SITUATION domain gaps made this scenario possible?
Draft the first five entries in an incident log for this event.
Should CVWA notify CISA? WaterISAC? Virginia DEQ? Under what conditions and timelines?

🚨 Inject 2 — Millbrook Chemical Dosing Anomaly

Scenario: During a routine site visit to the Millbrook Groundwater Facility (scheduled twice weekly), the operator notices the sodium hypochlorite dosing pump is running at an unusually high rate. The local Ignition HMI (v7.9.x) shows a setpoint that no one at CVWA authorized. The SonicWall TZ600 log shows an inbound connection 36 hours prior from an IP address not associated with any known vendor.

Discussion:

What are the public health implications if the chlorine dosing setpoint was elevated significantly?
The SonicWall was using default credentials (admin/admin). How does this change your analysis of the intrusion timeline?
What evidence should be preserved before making any system changes?
Which C2M2 domains and specific practice gaps enabled this attack?
What AWIA reporting obligations does CVWA have for a potential cyber attack on the treatment process?

🚨 Inject 3 — Ransomware on Corporate Network

Scenario: A billing department employee clicks a malicious link in a phishing email. By 10 AM, ransomware has encrypted CVWA-SRV-01 (Active Directory), CVWA-SRV-02 (File Server), and CVWA-SRV-06 (Billing/CIS). A ransom note demands $180,000 in Bitcoin within 72 hours. Because the PI Historian has a dual-NIC bridge to the corporate LAN, the SCADA team is unable to confirm whether the OT network was reached.

Discussion:

What is CVWA's immediate priority — restoring billing operations or protecting the OT environment? How do you isolate the OT network now?
CVWA has Veeam backups to a local NAS. The NAS is on the Corporate LAN. What problem does this create?
The last verified backup restore test was in 2022. What does this mean for recovery time estimates?
Without Active Directory, operators cannot log into SCADA HMI workstations. What is the operational impact on the WTP and WWTP?
Map this entire scenario to C2M2 domain failures across PROGRAM, ARCHITECTURE, RESPONSE, ACCESS, THREAT, and SITUATION.

90-Day Challenge: After completing the domain assessment, use the Gap Analysis & POA&M tool to build a formal Plan of Action & Milestones for CVWA. Assign domain owners from the org chart, estimate resource costs, and set target completion dates. Consider: which gaps can be closed at near-zero cost? Which require capital investment? Which require vendor negotiations?