How an Engagement Runs
A standard ICS security engagement has four phases. The first is always free. The full assessment runs six weeks from your first call to final report. Ongoing monitoring is optional and month-to-month.
30 minutes. We ask about your system size, network topology, existing controls, and compliance posture. By the end, we tell you which federal grants you qualify for, what your likely compliance gaps are, and what a fixed-price engagement would cost. You get that in writing before anything starts. There is no pressure to move forward.
We ship you a small sensor (a hardened mini-PC, roughly the size of a deck of cards). Your network team plugs it into a monitoring SPAN port — this takes about 30 minutes and requires no changes to your existing systems. The sensor is read-only. It does not touch, communicate with, or modify your PLCs, HMIs, or SCADA software. It watches traffic.
Over four weeks we build a complete picture of every networked device on your OT network: make, model, firmware version, protocols in use, and any communications that leave your perimeter. We do this without active probing — nothing from us reaches out and touches your equipment.
We deliver a written report your board and operations team can both read. It is not a dump of raw data — it is a prioritized list of findings (Critical, High, Medium) with a plain-English explanation of what each finding means operationally, what the remediation looks like, and a rough cost to fix it. Every finding is mapped to the specific AWIA Section 2013 or CISA Performance Goal it addresses.
We then present the findings live to your team or board — remote or on-site, your choice. Most utilities use this presentation as the basis for board-level budget conversations and grant applications.
The sensor stays on your network and continues watching. You get a monthly report and real-time alerts for anomalous behavior: unexpected device communications, new devices appearing on the OT network, unusual protocol activity, or anything that looks like reconnaissance. You own all the data. If you cancel, the sensor stops reporting and can be returned or wiped — nothing leaves your network.
What Is in Scope
We assess the full OT/ICS attack surface, not just PLCs. Everything that could be used to reach or manipulate your control systems is in scope.
In scope
- PLCs and RTUs (all makes, all protocols)
- HMIs and operator workstations
- SCADA servers and historians
- Engineering workstations
- Network infrastructure in the OT zone (switches, routers, firewalls)
- Remote access paths (VPNs, cellular modems, jump servers)
- Internet-facing assets and exposed services
- IT/OT boundary and DMZ configuration
- Vendor and third-party remote access accounts
- Physical access controls where relevant
Not in scope by default
- Active penetration testing of OT systems (we do not send attack traffic to your PLCs)
- Corporate IT infrastructure outside the OT network
- Phishing simulation or social engineering
- Windows domain assessments (Active Directory, GPO, etc.)
- Physical security red-teaming
- Source code review of custom SCADA software
Any of these can be added as a separate statement of work if needed.
Active probing of OT systems carries real operational risk — a malformed packet to a PLC running a water treatment process is not the same as a malformed packet to a web server. We have made a deliberate choice not to run active scans against control system devices. Everything we learn, we learn by listening. This is the standard used by ICS-CERT during on-site assessments.
What You Receive
OT Asset Inventory
Every networked device identified: make, model, firmware version, protocols, and communication patterns. Most utilities have never seen a complete list.
Risk-Ranked Findings
Prioritized findings (Critical / High / Medium) with operational context. Each finding explains the risk in plain language, not CVE numbers.
AWIA and CISA Compliance Mapping
Each finding mapped to the specific AWIA Section 2013 requirement or CISA Performance Goal it addresses. Usable directly in your certification documentation.
Network Topology Diagram
Documented OT network topology showing zones, boundaries, and communication flows. Most small utilities do not have current documentation of their own network.
Grant Application Support
We identify which federal programs (CWSRF, DWSRF, EPA SECURE, FEMA HSGP) your findings support applying for and provide documentation to support the application.
Remediation SOW
A fixed-price statement of work for any remediation work you want to proceed with, written in a format that can be attached directly to a grant application.
What a Typical Customer Looks Like
Most of our water utility customers share a similar profile. They are small to mid-size community water systems — typically serving between 3,000 and 50,000 people — with one or two operations staff and no dedicated IT or cybersecurity personnel. Their SCADA system was installed by an integrator years ago, some equipment has direct cellular or internet connections they may or may not be fully aware of, and they have received the AWIA compliance notices but are not sure what doing it right actually entails.
They are not negligent. They simply do not have staff with ICS security expertise, and the enterprise cybersecurity vendors they have talked to either quoted far more than their budget or proposed solutions that would require significant changes to their operational environment.
We are built for that profile. Our methods are non-intrusive specifically because our customers run systems that cannot tolerate disruption, and our pricing is structured to work with federal grant programs because we know what our customers' budgets actually look like.
Common Questions
Do you do a full security audit, or is it only PLCs?
It covers the full OT environment — PLCs, HMIs, SCADA servers, historians, engineering workstations, network devices, and all the remote access paths into your OT network (VPNs, cellular modems, vendor jump servers). The scope is everything that can touch your control systems, not just the controllers themselves.
What we do not assess is your corporate IT environment, Active Directory, email, or standard office network — unless those systems have a direct connection into the OT network, in which case that boundary is in scope.
Will this affect our operations or require downtime?
No. The sensor is entirely passive — it monitors a copy of network traffic via a SPAN port and does not inject any traffic onto your network. Installing it takes about 30 minutes and requires no changes to your SCADA configuration or PLC programming. Your operators will not notice anything different during the assessment period.
We already have an IT vendor. Do we still need this?
Probably yes, and most IT vendors will tell you the same. General IT managed service providers are not trained in ICS/OT security and are typically not assessing your control systems — they are managing your office network, email, and endpoints. The OT environment (PLCs, SCADA, historians) requires different tools, different protocol knowledge, and a different methodology. We frequently work alongside existing IT vendors rather than replacing them.
What happens after the report?
You decide what to do with it. The report is yours to use however you find useful — board presentation, grant application, regulatory documentation, or procurement justification for remediation work. There is no obligation to continue with us.
If you want to proceed with remediation, we write a fixed-price SOW for each finding and can manage the implementation. If you want to apply for federal funding first, we help with that. If you just want the report for your AWIA certification and nothing else, that is a completely valid outcome.
How long does the sensor stay on our network?
For the assessment only, the sensor is on your network for approximately four weeks. After the report is delivered you can return it or keep it running under a monthly monitoring agreement. If you choose to return it, we wipe it before shipment. No data is retained on our end beyond what is in the report we delivered to you.
What does the $18,500 price include?
Everything: the sensor hardware (shipped to you), four weeks of passive monitoring and analysis, the written findings report, the compliance mapping, the network topology diagram, the grant application documentation, and a live presentation of findings to your team or board. There are no additional fees for the report, the presentation, or the grant documentation. The only thing not included in the flat price is remediation work, which is scoped and priced separately if you choose to proceed.
Can this be fully funded by a federal grant?
It can often be substantially or fully offset. The EPA SECURE Water grant specifically allocates funds for cybersecurity assessments. DWSRF and CWSRF programs accept cybersecurity as an eligible expense under IIJA. We identify which programs you qualify for during the scoping call and provide documentation formatted for those applications. We cannot guarantee grant approval, but we have experience with what gets funded and how to frame the application.
We are a small system under 3,300 people. Is this relevant to us?
AWIA's mandatory requirements apply to systems serving over 3,300 people. If you are below that threshold you are not legally required to certify — but small systems have been specifically targeted in several documented incidents precisely because they tend to have less security infrastructure. CISA's voluntary performance goals apply regardless of size. If you have internet-connected SCADA equipment, you have exposure regardless of your population served.
Community water systems serving 50,000 or more people must complete their AWIA Risk and Resilience Assessment and submit certification to EPA by June 30, 2026. Systems serving 3,300–49,999 have rolling deadlines through 2026–2027. A 6-week assessment timeline leaves limited runway if you have not started.
Start with the scoping call
30 minutes, no cost, no commitment. We tell you which grants you qualify for and what it would cost before anything starts.
Email Matt directly
Take the risk questionnaire first
Not sure where you stand? The 10-minute questionnaire gives you a baseline assessment of your current exposure before the call.
Go to questionnaire