Sector-specific fictional organizations with realistic IT/OT environments, network diagrams, asset inventories, and security gaps — designed for hands-on C2M2 assessment practice.
Each case study presents a fully developed fictional organization in a specific critical infrastructure sector. Students receive a complete organizational profile, IT and OT asset inventory, network architecture diagram, security control gaps, vendor relationships, and an indicative C2M2 domain assessment. The exercise asks students to validate maturity scores, map findings to specific C2M2 practice IDs, build a prioritized remediation roadmap, and work through scenario injects that simulate realistic cyber incidents. One case study per sector will be developed — covering all eight sectors from the C2M2 framework overview.
A small rural electric distribution cooperative serving three Ohio counties and operating substations, AMI infrastructure, and GE e-terra SCADA. MVEC has no dedicated cybersecurity staff, no MFA deployment, default relay passwords, and significant IT/OT architecture gaps — making it an ideal baseline C2M2 assessment target for electric sector students.
A regional water and wastewater authority serving 138,000 residents across three Virginia counties. CVWA operates a 12 MGD surface water treatment plant, an 8 MGD wastewater plant, a standalone groundwater facility, and 18 remote lift stations — with a single IT coordinator managing all IT and OT systems and critical gaps including default credentials, an EOL historian bridging IT/OT networks, and no incident response plan.
An 847-mile natural gas gathering and transmission pipeline across the Permian Basin. Zero dedicated cybersecurity staff and a MIL 0–1 baseline across most domains. Default credentials on 5 field RTUs, partial IT/OT segmentation, and only partial compliance with TSA SD-02C — an ideal scenario for pipeline sector C2M2 assessment practice.
A mid-size specialty chemical manufacturer with DCS/batch process controls, CFATS Tier 3 obligations, and a Safety Instrumented System. Zero dedicated cybersecurity staff, a Windows XP DCS workstation, utilities PLCs on a flat corporate network, and an unidentified internet-facing port on the batch server — an ideal scenario for ICS/OT C2M2 assessment in a manufacturing environment.
A 350-bed nonprofit regional hospital and Level III Trauma Center with Epic EHR, 1,240+ IoMT devices, and no dedicated CISO. Features HIPAA Security Rule gaps, ransomware vulnerabilities, unpatched infusion pumps with a known CVE, and a flat medical device network. Covers HIPAA, HITECH, FDA medical device cybersecurity, and patient safety implications of cyber incidents.
A $620M-asset OCC-chartered community bank with 7 branches, 14 ATMs, and a Jack Henry SilverLake core banking system. No dedicated CISO, 9 ATMs running end-of-life Windows 7, wire transfer dual-control gaps, unreviewed fintech integrations, and an FFIEC CAT maturity assessed at Baseline — making it an ideal C2M2 assessment scenario for financial services sector students covering GLBA, PCI DSS, and fraud risk.
A 94,200-resident county government operating 911 emergency dispatch, law enforcement systems (CJIS), election infrastructure, courts, health services, and public finance — all supported by 9 IT staff and no CISO. Features two EOL domain controllers, an unpatched 911 CAD server, an election management system air-gap violation, shared domain admin credentials, and CJIS non-compliance. Covers MS-ISAC membership, IRS Pub 1075, HIPAA, FBI CJIS Security Policy, and election security — an ideal county government C2M2 scenario.
An R1 research university with $185M in annual research expenditure, handling CUI under NIST SP 800-171, ITAR-controlled export data, NIH/HIPAA research data, and DoD contracts requiring CMMC Level 2. Features an HPC cluster with internet-exposed SSH, a CUI data commingling violation, an active ITAR deemed export issue, decentralized IT governance with 24 departmental admins, and an SPRS score of −87. Covers the tension between academic openness and federal cybersecurity compliance.