
Water operations: Cyber-physical risk assessment & management
In our connected world, there are constant attempts to attack computers for a variety of reasons, such as financial gain, political agendas and espionage, but also for the thrill and challenge. Although we usually hear about cyberattacks that aim to compromise computer systems or networks, often with the goal of stealing, altering or destroying data, or disrupting services, there is another type of cyberattack, the “cyber-physical attack”, which can affect both digital and physical systems and can be equally threatening and harmful, if not more so.
Cyber-physical systems are systems composed of computational and physical components that interact with each other and the real world. Examples include smart grids, automobiles, medical devices, and Industrial Control Systems (ICS). Cyber-physical risk refers to the vulnerabilities and threats that arise from the interaction between cyber (digital) and physical systems, potentially leading to physical harm, operational disruptions, environmental damage, financial losses, or compromised data.
With that in mind, it becomes obvious that a cyber-physical attack on Critical National Infrastructure, which encompasses the critical assets, facilities, systems and networks that are essential for a nation’s functioning, including its economy, security and public health, can have a significant effect on the population.

The infographic below shows the stages, common to both biological and computer viruses, that a threat actor must follow to attack a node and cause harm to the intended target. Therefore, understanding these stages, and identifying and analysing the exposure to cyber-physical attacks across an organisation, is key for an enduring cyber-physical risk management process.

To tackle this issue, in 2013 the MITRE Corporation released the Adversarial Tactics, Techniques and Common Knowledge, commonly known as MITRE ATT&CK, a globally accessible knowledge base for classifying and describing cyberattacks and intrusions. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community, and it is open and available to any person or organisation for use at no charge.

Project background
To comply with the requirements of the Network and Information Systems (NIS) Regulation, Sweco’s Client, a Water Utility company in England, has committed to its Competent Authority (the Drinking Water Inspectorate (DWI)) to embark on a programme of works to close the security gaps identified in the annual Cyber Assessment Framework (CAF) return. This project was the culmination of that programme of works and is an important component of their regulatory commitment, building on earlier projects in the programme that documented the organisation’s cyber-physical assets and associated risk factors.
The project covered the risk assessment and high-level design of associated countermeasures for the programmable endpoints and computer networks directly involved in the control of the company’s physical clean and waste assets at highly critical water and waste treatment works.
As part of the solution, the following two requirements under the NIS Regulation needed to be addressed:
• Implementation of an ongoing risk management process
• Application of that process to the cyber-physical assets used by the company to deliver its core, regulated business.
By making cyber‑physical risk visible through GIS, we can bring the threat landscape together in one place – turning regulatory requirements into a practical, repeatable risk management process and enabling water operators to understand and act on their most critical vulnerabilities before they become real‑world incidents.
Panos Chiotis, Principal GIS Consultant
The challenge
The project’s main objectives and, at the same time, challenges were to:
- Identify risks to different outcomes
- Calculate the cyber-physical risks based on asset information across all clean water, wastewater and depot sites
- Automate the required GIS analysis workflows
- Visualise all company sites based on the calculated cyber-physical risk
- Provide an environment for identifying critical and high-risk sites where action is required.
Our solution
In a nutshell, the solution Sweco designed and implemented is called Cyber-physical Risk Assessment Tool for SPEAR (in short “CRAT for SPEAR”), and it is an innovative, GIS-based tool which:
- Identifies five risk outcomes, comprising Service, People, Environment, Asset, and Reputation (SPEAR)
- Integrates data from the company’s asset management systems, and cyber-physical risk logs developed by Sweco, based on the MITRE ATT&CK approach, into a central ArcGIS geodatabase
- Runs the CRAT for SPEAR Model within ArcGIS Pro, a bespoke analysis model to calculate the required cyber-physical risks and KPIs per site
- Maps and visualises the calculated cyber-physical risks and KPIs per site across the company’s entire estate and identifies critical and high-risk sites where action is required, through the CRAT for SPEAR Dashboard, an interactive ArcGIS Dashboard on ArcGIS Online.

The CRAT for SPEAR Model, which is the backbone of the solution, was developed based on existing information from the company’s asset management systems, including:
- Sites and Installations (SI)
- Industrial Control and Automation (ICA) Equipment Assets
- Regional Telemetry Systems (RTS)
- Register of Sites where a Third-party Conduit has been installed
…and a methodology, designed by Sweco, which considers multiple factors, such as:
Eight Demilitarised Zone (DMZ) types/solutions
- DMZ Type 1: Network Measurement Point
- DMZ Type 2: Network Measurement Point + Control
- DMZ Type 3: Network Measurement Control with 3rd Party IoT Device
- DMZ Type 4: Site with PLC for Local Control
- DMZ Type 5: Site with PLCs and 3rd Party Connection
- DMZ Type 6: Site with Single SCADA and PLC(s)
- DMZ Type 7: Complex Site with SCADA and 3rd Party Connection
- DMZ Type 8: Complex Site and Regional SCADA / Hub Site
Ten threat scenarios
- Denial of Service
- Malware attack (general IT)
- Bespoke Op Sys Malware attack
- Man in the Middle attack
- Phishing and Spear Phishing attacks
- Drive by attack
- Password attack
- SQL Injection attack
- Cross-Site Scripting – XSS
- Advanced Persistent Threats (or Treatments) – APT
Financial risk per annum
A matrix of twenty-five Risk values (matched with calibrated values of financial risk per annum), ranked in increasing levels of impact severity from low (green) to medium (yellow) to high (amber) to critical (red) risk, as shown below.

NB: In the Water sector in the UK, cyber-physical attacks have twice caused £120 million of financial damage to water companies (but not to this Client).
Three cyber-physical risks
- Risk 1 – the considered risk without countermeasures,
- Risk 2 – the risk considering effectiveness of countermeasures, and
- Risk 3 – the residual risk after further evaluation and actions, should Risk 2 be considered intolerable.

As part of the methodology, the risk is calculated as the combination of Likelihood (from 1 to 5) of cyber-physical attack, and Impact (from E to A) to Service, People, Environment, Asset and Reputation, using the matrix of twenty-five Risk values. The result is a series of fifteen cyber-physical risk logs (tables) per Threat scenario and DMZ type for each Cyber-physical Risk (Risk 1, 2 and 3) and risk outcome (SPEAR).

Next, the CRAT for SPEAR Model calculates a zone complexity word (<RTU, Slave, PLC, LOI, SCADA>) and a conduit complexity word (<WAN, TEL, 3rd Party>) per site, based on technological characteristics of the associated assets. The Model also assigns a DMZ type to each site, based on a logic that maps the site’s type and criticality to the DMZ types.
After that, the CRAT for SPEAR Model calculates Risks 1, 2 and 3 for the five impact categories within the scope of SPEAR for each site by assuming the worst-case threat scenario in terms of risk (i.e. the highest risk), and then identifies the highest probable risk from any one of the five impact categories for Risk 3 as “Risk 3 Maximum”.
Finally, the Model transforms the sites dataset from a flat table (i.e. records without geometry) into an ArcGIS file geodatabase point feature class, projected in the British National Grid (EPSG:27700) and symbolised based on the calculated Risk 3 Maximum scores and the colour code system (green, yellow, amber and red) used for the twenty-five risk values ranked from low to critical by cost of financial risk per annum.
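The worst-case aggregation step described above, as an added Python example that is not Sweco's code or part of the CRAT for SPEAR Model. The matrix cell formula (likelihood multiplied by impact rank), the band thresholds, the log rows and the site identifiers are all assumptions constructed for illustration, since the calibrated matrix is not reproduced on this page.

```python
OUTCOMES = ("Service", "People", "Environment", "Asset", "Reputation")  # SPEAR
IMPACT_RANK = {"E": 1, "D": 2, "C": 3, "B": 4, "A": 5}  # E = least severe, A = most

def risk_value(likelihood, impact):
    """Assumed matrix cell: likelihood (1-5) times impact rank, giving 1-25."""
    if likelihood not in range(1, 6) or impact not in IMPACT_RANK:
        raise ValueError(f"invalid likelihood/impact: {likelihood!r}/{impact!r}")
    return likelihood * IMPACT_RANK[impact]

def band(value):
    """Assumed colour-band thresholds, not the calibrated values of the real matrix."""
    if value >= 20:
        return "critical"
    if value >= 12:
        return "high"
    if value >= 6:
        return "medium"
    return "low"

# Constructed Risk 3 log rows: (DMZ type, threat scenario, outcome, likelihood, impact)
RISK3_LOG = [
    (4, "Denial of Service", "Service", 3, "C"),
    (4, "Password attack", "Service", 2, "B"),
    (4, "Password attack", "People", 1, "B"),
    (7, "Man in the Middle attack", "Service", 4, "B"),
    (7, "SQL Injection attack", "Asset", 3, "A"),
    (7, "Denial of Service", "Environment", 2, "D"),
]

def assess_site(dmz_type, log):
    """Worst-case value per SPEAR outcome, plus Risk 3 Maximum and its band."""
    worst = {}
    for dmz, _threat, outcome, likelihood, impact in log:
        if dmz != dmz_type:
            continue
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {outcome!r}")
        # Keep the highest risk across threat scenarios for this outcome.
        worst[outcome] = max(worst.get(outcome, 0), risk_value(likelihood, impact))
    if not worst:
        # A DMZ type with no log rows is a data gap, not a low risk.
        raise ValueError(f"no risk log rows for DMZ type {dmz_type}")
    risk3_max = max(worst.values())
    return worst, risk3_max, band(risk3_max)

if __name__ == "__main__":
    for site, dmz in {"SITE-001": 4, "SITE-002": 7}.items():  # constructed sites
        print(site, assess_site(dmz, RISK3_LOG))
```

Raising an error when a DMZ type has no log rows keeps a gap in the asset inventory from being mapped as a low-risk site.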
GIS as the enabler
The Geoprocessing and Analysis workflows played a key role in the development of the Sweco solution. They were developed for:
- Data ingestion tasks
- Analysing the asset management information against the cyber-physical risk logs to calculate the three risks for the five impact categories within the scope of SPEAR, and Risk 3 Maximum, per site
- Transforming the sites’ UK National Grid Map References to point geometries and connecting them to their associated ICS (Industrial Control Systems) nodes.
Due to the large amount of data used, and the number and complexity of the workflows required, automation was deemed necessary, which resulted in transforming those workflows into twenty-seven (27) custom model tools and custom script tools developed with ModelBuilder, Python and ArcPy for ArcGIS Pro.
Apart from that, the CRAT for SPEAR Dashboard was developed to map the entire site network, based on the calculated Risk 3 Maximum values, and offer querying and filtering capabilities, as well as access to KPIs, enabling Managers and Analysts at the Water Utility company to easily compare the level of risk across the site network, and identify critical or high-risk sites where action is required.
Where action is required, a Process Hazard Analysis (PHA) workshop takes place for a site to identify potential cyber-physical hazards and risks, and to develop strategies for mitigating those risks. An ArcGIS Survey123 form has been specifically created for that, and embedded into the Dashboard, enabling end users to edit the site’s Risk 3 values that need revision during a PHA workshop, save the workshop’s date and attach any relevant workshop files.

For this case study, a fictitious water supply and treatment utility company, called “Britannia Water”, servicing areas in Scotland and Northern England, has been used. Due to data confidentiality, a demo dataset has been created to show the locations and attributes of Britannia Water’s sites. The map shown above depicts the locations and risk levels from that demo dataset.
Outcome & benefits
The Sweco ArcGIS solution unlocked previously unexplored insights for the Client, including Risks 1, 2 and 3 for the five impact categories within the scope of SPEAR, across the whole site network. It also revealed weaknesses in the Client’s asset data inventories, which are currently being reviewed and updated.
Sweco provided an innovative, ArcGIS-based solution which:
- Offers a portfolio of automated GIS workflows for re-running the cyber-physical risk assessment model and updating the online spatial content, ensuring accuracy of the outputs and improving efficiencies
- Maps and visualises location-based analytics through a dynamic ArcGIS Dashboard, providing a data-driven view of the sites and ICS information and key insights for at-a-glance decision-making
- Enabled the Client to compare the level of risk across the site network, and proactively identify critical or high-risk sites to prioritise mitigation measures
- Successfully leveraged the ArcGIS technology the Client has access to, by creating a comprehensive technical solution that improves their return on investment and adds value to their asset data inventories.

Sweco’s Cyber-physical Risk Assessment Tool for SPEAR is the best solution in the UK and an example for other Water Utility companies.
Drinking Water Inspectorate, July 2022
Future vision and further development
Sweco’s Client has incorporated CRAT for SPEAR into their monthly cyber-physical risk assessments to identify sites where action is required.
For Asset Management Period 8 (which spans from April 2025 to March 2030), the Client is considering two further developments for enhancing the risk assessment process:
- As threats and vulnerabilities are identified by the National Cyber Security Centre (in the UK), alarms and warnings need to be raised automatically through a new vulnerability mapping capability, so that proper actions can be taken
- The capability for a holistic view of the assets and connected machines’ situational awareness and state, by integrating real-time data streams with location intelligence.
