Common questions

Frequently Asked Questions

Answers to common questions about Systems Risk Advisory, our consulting process, the organizations we support, and the types of cyber, physical, OT/ICS, emergency planning, training, and exercise work we perform.

Support for water, wastewater, public works, electric power, and other critical infrastructure organizations
Cybersecurity, physical security, OT/ICS, SCADA, incident response, emergency planning, and operational readiness support
Principal-led engagements with qualified specialist support when added technical or operational depth is required
Based in Washington State and serving clients nationally, with onsite and remote support available depending on scope

Before you contact us

This FAQ is designed for utility leaders, public works directors, IT and OT staff, emergency managers, city managers, board members, commissioners, and other decision-makers who are evaluating whether Systems Risk Advisory is the right fit for their organization.

The answers below are general. Final scope, schedule, deliverables, onsite needs, technical access, and pricing are defined after a scoping discussion. Sensitive details should not be submitted through a website form.

Do not submit sensitive details through the website form

Do not submit passwords, network diagrams, vulnerability details, incident evidence, credentials, internal security findings, or sensitive operational information through the contact form. Use the form only to request contact and describe the general nature of the need.

Getting started

These questions help prospective clients understand who Systems Risk Advisory supports and how an engagement usually begins.

What does Systems Risk Advisory do?

Systems Risk Advisory helps critical infrastructure organizations improve cybersecurity, physical security, OT/ICS and SCADA readiness, emergency planning, incident response planning, tabletop exercises, training, and leadership decision support. The work focuses on practical risk reduction for organizations that must keep essential services operating.

Who do you help?

SRA works with water and wastewater utilities, public works departments, municipal utilities, electric power organizations, local government teams, and other critical infrastructure organizations. The firm is a strong fit for organizations that need cyber, physical, and operational risk support in one coordinated effort.

How do we start?

Start with a short scoping discussion. The goal is to understand your organization, the issue you are trying to solve, the systems or facilities involved, your timeline, your decision-makers, and the type of support you need. SRA can then recommend a focused assessment, planning project, workshop, exercise, briefing, or broader readiness effort.

Do you work nationally?

Yes. Systems Risk Advisory is based in Washington State and serves clients nationally. Onsite and remote support are available depending on scope, schedule, client needs, travel requirements, and the type of work being performed.

Do you work with small utilities and smaller public agencies?

Yes. Many small and mid-sized utilities face the same cyber, physical, vendor, staffing, and continuity risks as larger organizations, but with fewer resources. SRA structures recommendations so they are practical, prioritized, and usable by organizations with limited staff time.

Do you only work with water and wastewater utilities?

No. Water and wastewater are a major focus, but SRA also supports electric power, public works, local government, and broader critical infrastructure organizations. The common thread is risk to essential services, operational continuity, safety, public trust, and cyber-physical dependencies.

Services and scope

These questions explain the kinds of services SRA can provide and how those services can be combined.

Do you support AWIA RRA and ERP updates?

Yes. SRA supports Risk and Resilience Assessment and Emergency Response Plan updates for water systems. Work can include reviewing existing materials, updating planning language, addressing cyber and physical security concerns, supporting leadership review, and preparing improvement recommendations tied to utility operations.

Can you review both cybersecurity and physical security?

Yes. Many infrastructure risks cross cyber and physical boundaries. SRA can review account access, remote access, vendor access, OT/ICS and SCADA concerns, facilities, doors, gates, lighting, cameras, keys, field sites, communications, emergency access, and response procedures as part of a coordinated assessment.

Do you work with OT/ICS and SCADA environments?

Yes. SRA supports OT/ICS and SCADA security reviews, remote access reviews, vendor access reviews, segmentation planning, incident response planning, and readiness discussions for environments where reliability, safety, and continuity matter. The work is scoped to avoid unnecessary disruption to operations.

Can you help with incident response planning?

Yes. SRA can help organizations define roles, escalation paths, decision authority, communications, vendor coordination, containment decisions, continuity priorities, and recovery considerations. The planning approach connects cyber response, physical response, emergency management, operations, leadership, and public messaging.

Can you help with emergency response planning?

Yes. SRA can review and improve emergency response planning for utilities and infrastructure organizations, including planning for degraded operations, loss of normal tools, communications issues, staffing constraints, physical site concerns, public messaging, and restoration priorities.

Can you conduct tabletop exercises?

Yes. SRA can design and facilitate tabletop exercises for cyber incidents, cyber-physical incidents, ransomware, loss of visibility, compromised remote access, physical site concerns, emergency response, public communications, and continuity of service. Exercises can be built for executives, operators, IT, OT, emergency managers, public information staff, and partner agencies.

Can you provide onsite training or workshops?

Yes. SRA can provide onsite or remote workshops for leadership, boards, operators, public works staff, IT and OT teams, emergency managers, and cross-functional groups. Topics can include cybersecurity basics, ransomware readiness, OT/ICS security, physical security, incident response, emergency planning, and tabletop exercise preparation.

Assessments, reports, and deliverables

These questions address what clients usually receive and how findings are presented.

What does an assessment usually include?

A typical assessment may include document review, interviews, policy and procedure review, cyber and physical security discussions, selected technical review, site review if needed, and leadership discussion. Scope depends on the organization, risk questions, budget, schedule, and whether the work is focused or broad.

Will we receive a written report?

Yes, when the engagement calls for it. Reports can include an executive summary, findings, recommendations, prioritized actions, planning updates, risk themes, roadmap items, and briefing material. The report format is selected based on the intended audience and purpose.

Can you brief executives, boards, councils, or commissioners?

Yes. SRA can prepare and deliver leadership briefings that explain cyber, physical, and operational risk in decision-ready language. These briefings are useful when leaders need to understand risk, approve next steps, evaluate investments, or prepare for regulatory, operational, or public communication concerns.

Do you provide prioritized recommendations?

Yes. Recommendations are organized so clients can distinguish urgent fixes from larger planning, budget, policy, training, or project items. SRA focuses on practical sequencing rather than producing a long list that staff cannot use.

Can you help us decide what to fix first?

Yes. SRA helps clients prioritize by operational consequence, likelihood, feasibility, dependency, staffing impact, cost, and leadership risk. For many organizations, the first step is reducing the easiest attack paths and clarifying who must make key decisions during an incident.

Do you need direct access to our systems?

Not always. Many engagements begin with interviews, document review, architecture discussions, access-path review, screenshots, policy review, or read-only evidence provided by the client. Any technical access should be limited, approved, documented, and scoped to the engagement purpose.

Confidentiality, security, and sensitive information

These questions address how sensitive operational and security information should be handled.

How do you protect sensitive information?

SRA structures engagements to limit unnecessary exposure of sensitive information. Reports and work products can avoid unnecessary technical detail, use limited distribution markings, separate executive material from technical material, and avoid publishing client-specific security details without authorization.

Should we submit network diagrams or sensitive incident details through the contact form?

No. Do not submit passwords, network diagrams, vulnerability details, incident evidence, credentials, internal security findings, or sensitive operational information through the website form. Use the form only to request contact and describe the general nature of the need.

Do you publish client names or case studies?

SRA does not publish client names, facility details, incident details, vendors, network information, findings, or sensitive security content without authorization. Public engagement examples are intentionally sanitized.

Can materials be prepared for limited distribution?

Yes. Engagement materials can be structured for different audiences, such as executives, boards, operations teams, IT and OT staff, emergency managers, or technical implementers. Sensitive details can be separated from leadership summaries when appropriate.

Team model and engagement leadership

These questions explain how SRA leads and supports engagements.

Who leads the work?

Engagements are principal-led. Kevin J. Owens typically serves as lead consultant and engagement principal. When additional depth is required, Systems Risk Advisory coordinates qualified specialists in technical, operational, physical security, emergency management, planning, training, or facilitation roles.

Is Systems Risk Advisory only one person?

No. Systems Risk Advisory is structured as a specialized firm with principal-led delivery and access to qualified support when a project requires added depth. Clients get a senior lead who understands the full engagement while the firm can bring in focused expertise when needed.

Do you replace our IT provider, engineer, integrator, or managed service provider?

No. SRA usually supports leadership, risk assessment, planning, review, prioritization, exercises, and decision support. Implementation may be performed by client staff, engineers, integrators, IT providers, managed service providers, vendors, or other qualified technical teams depending on the scope.

Can you work with our existing vendors and partners?

Yes. Many engagements involve coordination with IT providers, SCADA integrators, engineering firms, emergency managers, law enforcement, insurance contacts, legal counsel, vendors, and leadership teams. Roles and information-sharing rules should be defined during scoping.

Pricing, procurement, and timing

These questions address how engagements are scoped and what affects cost and schedule.

How is pricing determined?

Pricing depends on scope, number of interviews, number of facilities, document review volume, technical review needs, travel, workshop or exercise requirements, deliverables, schedule, and whether the work is focused or broad. A defined scope should be prepared before pricing is finalized.

Can you provide a proposal or scope of work?

Yes. After a scoping discussion, SRA can prepare a proposal, scope of work, task description, deliverables list, and pricing structure suitable for internal review or procurement processes.

How long does an engagement take?

Timing depends on scope, client availability, number of stakeholders, document review needs, facility visits, technical review, deliverables, and scheduling constraints. Focused engagements may be shorter. Broader assessments, planning projects, and exercises usually require more coordination.

Can work be done remotely?

Yes. Many planning, interview, document review, briefing, and workshop tasks can be performed remotely. Onsite support may be better for facility reviews, physical security assessments, tabletop exercises, workshops, and engagements where seeing the operational environment matters.

Can you help us define a phased approach?

Yes. Many organizations benefit from a phased approach that starts with immediate risk reduction, then moves into planning updates, training, technical improvements, exercises, and leadership briefings. Phasing helps match work to staff time, budget, and urgency.

Boundaries and practical expectations

These questions clarify what SRA does and does not claim.

Do you certify that we are secure?

No assessment can honestly certify that an organization is secure. SRA can help identify risk, prioritize improvements, update plans, strengthen readiness, and support leadership decisions. The goal is better preparedness and risk reduction, not a blanket guarantee.

Do you provide legal advice?

No. SRA does not provide legal advice. For legal interpretations, regulatory advice, breach notification questions, contract issues, or liability questions, clients should consult qualified legal counsel.

Do you perform penetration testing?

Penetration testing is not the default starting point for most utility and critical infrastructure clients. Some technical testing may be appropriate depending on scope, authorization, safety constraints, and operational risk. SRA can help determine whether testing is appropriate and how it should be governed.

Can you help if we are actively experiencing an incident?

SRA can help with planning, coordination, leadership decision support, and incident response readiness. If there is an active emergency, follow your immediate safety, emergency response, operational, legal, insurance, law enforcement, and technical incident response procedures first. The website contact form should not be used for urgent incident details.

Have a question that is not answered here?

Use the contact page to request a scoping discussion about your organization, service area, systems, facilities, planning needs, assessment goals, exercise needs, or leadership briefing requirements.