Infrastructure Security Assessment

Independent Evaluation of Critical Systems

Most infrastructure operators believe their control systems are adequately secured.

Very few can prove it.

The Infrastructure Security Assessment is a focused, independent evaluation designed to answer a single question:

What can you actually prove about the security, configuration integrity, and operational resilience of your critical systems?

This is not a penetration test, a compliance checklist, or a vendor evaluation. It is an architectural and evidentiary analysis of how security and control are enforced (or not enforced) in practice.

What the Assessment Examines

Depending on scope, the assessment evaluates:

Internet Exposure
Identification of SCADA systems, PLCs, HMIs, and other industrial controls visible from the internet. Analysis includes authentication requirements, known vulnerabilities (CVEs), and exploitability.

Network Segmentation
Evaluation of OT/IT separation, data diodes, firewall rules, and actual traffic patterns. Identification of undocumented or unsafe network paths between corporate and control networks.

Configuration Management
How system configurations are tracked, versioned, and verified. Whether unauthorized changes can be detected and attributed. Whether rollback to known-good state is possible.

Vulnerability Management
How CVEs are tracked, prioritized, and remediated. Whether patch status is known and current. Whether vulnerable systems are isolated or protected by compensating controls.

Access Control
Who can access control systems, from where, and with what authentication. Identification of default credentials, shared accounts, and undocumented access methods.

Change Integrity
How operational changes (PLC programming, HMI updates, SCADA configuration) are authorized, logged, and reviewed. Whether changes can be traced to responsible parties.

Incident Response Readiness
Whether audit logs exist, are protected from tampering, and contain sufficient detail for forensic analysis. Whether incident response procedures are documented and tested.

The assessment explicitly distinguishes provable guarantees from assumed protections.

What You Receive

Deliverables are designed to be usable by operators, management, and regulators:

Exposure Report
Complete inventory of internet-visible systems with vulnerability analysis and risk prioritization.

Security Architecture Map
Visual representation of network topology, segmentation boundaries, and data flow between IT and OT environments.

Assurance Gaps
Specific points where security claims are not mechanically enforced or verifiable.

Remediation Roadmap
Prioritized list of architectural changes to eliminate critical exposures and establish provable controls.

Compliance Guidance
Alignment with CISA directives, state regulations, and industry frameworks (NIST, ICS-CERT).

No generic maturity scores. No marketing language. No unnecessary product recommendations.

What This Is Not

To avoid confusion, the Infrastructure Security Assessment is not:

  • A penetration test or red team exercise
  • A compliance audit or certification
  • A vendor evaluation or product selection study


  • A policy review or training program

It does not attempt to assign blame. It exists to surface truth about current security posture.

Who This Is For

The assessment is appropriate for operators of:

  • Water and wastewater treatment facilities
  • Power generation and distribution systems
  • Municipal infrastructure (traffic, emergency services)
  • Industrial control systems in manufacturing or processing

If you are confident your systems are secure and can prove it, this assessment is unnecessary.

Engagement Structure

  • Fixed-scope, fixed-fee engagement
  • Typically completed in 2-4 weeks
  • Minimal disruption to operations (read-only analysis, no active testing)
  • Independent and confidential

Follow-on hardening or implementation work is optional and not required.

Pricing

Assessment scope and pricing varies by facility size and complexity:

  • Small facilities (single site, < 50 control systems): $25,000 – $50,000
  • Medium facilities (multiple sites or complex systems): $50,000 – $100,000


  • Large or distributed systems: Custom pricing

Contact us for a scope discussion and fixed-fee proposal.

Contact

For inquiries: info@lexrosa.com

We respond to serious inquiries within 48 hours.