Projects
Cybersecurity, GRC, and Risk
GRC, Risk-based Assessment, Secure OT Environment, Physical Security
Practical GRC Projects - completed part of the GRC Mastery Course
NIST-CSF, ISO 27001 Lead Auditor, TPRA, Asset Management CMDB
NIST CSF framework: Conducted an end-to-end cyber security maturity assessment Capstone project.
As part of the Capstone project I conducted a security assessment on Control Objectives with detailed descriptions, based on 5 CORE functions: Identify, Protect, Detect, Respond, and Recover. Each Control Objective was evaluated based on a comprehensive list of interview questions and "current state" fact sheet provided by the Capstone exercise. Each was evaluated as PASS/FAIL. Detailed comments were added in key areas.
As part of the solution, I wrote a 3-year roadmap recommendation covering the key areas: Cybersecurity Governance, Asset Management, TPRM, IAM, Education & Awareness, DLP, and Detection & Response.
ISO 27001 Lead Auditor training: Developed a full ISMS from scratch, risk assessments, the Statement of Applicability, and drafted all core security policies and procedures required for certification.
TPRA (third-party risk assessment): Conducted a TPRA on a supplier. The assessment consisted of reviewing a 3rd-party security assessment questionnaire, assessing and summarizing the top-10 key risk items.
Asset Management: Designed a process to capture assets and maintain a CMDB as part of Cyber Security GRC Mastery training course.
Skills Obtained: Cyber Security Risk Management, Cyber Security Audit, Asset Management, Identity and Access Management (IAM), Security Education and Awareness, Data Loss Prevention (DLP), Incident Response, Third Party Risk Management.
Risk-based Approach for Electric Utility asset replacement (Zeitview)
Objective:
The objective was to demonstrate value-based decision making, with risk defined as a function of the probability of failure and the likelihood and cost of its consequences. The client wanted to shift from age-based to value-based decision-making for powerline pole replacements. Historically, the client has replaced approximately 10,000 poles per year like-for-like, primarily based on asset age. The pilot covers 4,395 poles out of a total network of 250,000 poles.
Tools and Techniques:
Asset risk for electric utilities is calculated per the following:
Risk = Probability of Failure (PoF) × Likelihood of Consequence (LoC) × Cost of Consequence (CoC)
Probability of Failure follows a Weibull distribution with age.
Consequences fall into 4 buckets:
● Cost to repair/replace the asset (20% more expensive to reactively replace than proactively)
● Safety incidents (e.g. pole falls on a car)
● Reliability (e.g. outages)
● Fire (e.g. ignition and spread of a wildfire)
Replacing an asset incurs a high upfront
Process & Methodology:
Implemented Integrated Risk Model: Aligned cost, consequence, and performance data into a unified model built on probabilistic risk factors.
Calculate Total Risk Avoidance: Risk = Likelihood (PoF) × Consequence (LoC (%) × CoC ($))
Decision Framework:
Replace if: Risk-cost > asset replacement cost (CapEx)
Defer if: Risk-cost <= asset replacement cost (CapEx)
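The following is an added example, not Zeitview's or the client's model, showing the risk model and decision framework above as working code: a Weibull probability of failure conditioned on the pole's current age, risk-cost summed over the four consequence buckets (with the 20% reactive-replacement premium applied to the repair bucket), the replace/defer rule, and a budget-constrained comparison of age-based versus benefit-ratio selection. The Weibull parameters, consequence likelihoods and costs, pole ages, CapEx figures, and budget are all constructed for illustration and are not the pilot's values.

```python
"""Added example (not the project's own code): risk-based pole replacement
prioritizer built from the formulas on this page. All numeric inputs below
(Weibull shape/scale, LoC/CoC per bucket, ages, CapEx, budget) are
constructed for illustration."""
from dataclasses import dataclass, field
from math import exp


@dataclass
class Pole:
    pole_id: str
    age: float                      # years in service
    capex: float                    # proactive replacement cost ($)
    # Non-repair consequence buckets: name -> (LoC as 0..1, CoC in $)
    consequences: dict = field(default_factory=dict)


@dataclass
class Candidate:
    pole_id: str
    age: float
    capex: float
    risk: float                     # annual risk-cost ($) if left in service


def weibull_pof(age, shape, scale, horizon=1.0):
    """Conditional probability of failure within `horizon` years for a pole
    that has survived to `age`, under a Weibull(shape, scale) life:
    PoF = 1 - S(age + horizon) / S(age), with S(t) = exp(-(t/scale)^shape).
    shape > 1 gives wear-out behaviour (PoF rises with age)."""
    def survival(t):
        return exp(-((t / scale) ** shape))
    return 1.0 - survival(age + horizon) / survival(age)


def risk_cost(pole, pof, reactive_premium=0.20):
    """Risk = PoF × Σ (LoC_i × CoC_i) over the consequence buckets.
    The repair/replace bucket is modelled as certain given a failure
    (LoC = 1) at CapEx plus the 20% reactive premium quoted on the page."""
    consequence = pole.capex * (1.0 + reactive_premium)
    for loc, coc in pole.consequences.values():
        consequence += loc * coc
    return pof * consequence


def decide(candidate):
    """Decision rule from the page: replace if risk-cost exceeds replacement CapEx."""
    return "replace" if candidate.risk > candidate.capex else "defer"


def _select(ranked, budget):
    """Greedy selection: walk the ranking and take every pole that still fits."""
    chosen, spent, avoided = [], 0.0, 0.0
    for c in ranked:
        if spent + c.capex <= budget:
            chosen.append(c.pole_id)
            spent += c.capex
            avoided += c.risk
    return {"poles": chosen, "capex": spent, "risk_avoided": avoided}


def select_by_age(candidates, budget):
    """Age-based programme: oldest poles first, regardless of consequence."""
    return _select(sorted(candidates, key=lambda c: c.age, reverse=True), budget)


def select_by_benefit_ratio(candidates, budget):
    """Risk-based programme: highest risk-cost avoided per CapEx dollar first."""
    return _select(sorted(candidates, key=lambda c: c.risk / c.capex, reverse=True), budget)


# Constructed sample fleet (illustrative, not the pilot's 4,395 poles).
SAMPLE_POLES = [
    Pole("P1", 55, 12_000, {"safety": (0.001, 2_000_000), "reliability": (0.2, 20_000)}),
    Pole("P2", 30, 12_000, {"safety": (0.05, 2_000_000), "fire": (0.05, 20_000_000)}),
    Pole("P3", 48, 14_000, {"reliability": (0.6, 100_000)}),
    Pole("P4", 60, 12_000, {}),     # old pole in an empty field: no consequence beyond repair
]


def run_pilot(poles=SAMPLE_POLES, budget=24_000, shape=3.0, scale=60.0):
    """Score every pole, then compare age-based and risk-based selection
    under the same budget, as the pilot on this page did."""
    candidates = [Candidate(p.pole_id, p.age, p.capex,
                            risk_cost(p, weibull_pof(p.age, shape, scale)))
                  for p in poles]
    return {
        "decisions": {c.pole_id: decide(c) for c in candidates},
        "age_based": select_by_age(candidates, budget),
        "risk_based": select_by_benefit_ratio(candidates, budget),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_pilot())
```

With the constructed fleet, the oldest pole (P4) is picked first by the age-based rule even though it stands in an empty field, while the younger pole P2 in a fire-prone corridor is the only one whose risk-cost exceeds its CapEx and is the first pick under the benefit ratio; the same budget buys an order of magnitude more risk-cost avoidance that way, which is the effect the findings below report at pilot scale.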
Findings and Results:
Age-based analysis would replace 178 poles (4% of 4,395) at a CapEx of $2.44M, avoiding a relatively low $1.98M of risk-cost. Risk-based analysis avoids a much higher $36.66M of risk-cost, but at a much higher CapEx of $11.42M to replace 951 poles (21.6% of 4,395). Normalizing to a realistic budgetary constraint of $2.44M and prioritizing poles by the highest CoC/CapEx benefit ratio yields $11.93M of risk-cost avoidance for 203 poles replaced.
Conclusion and Recommendations:
Next Steps: Conduct further analysis. See attached presentation for details.
Digital Twin used to assess, manage, and remediate risk for movable bridge asset owner in the Netherlands (Digital Twin Tech)
NIS2 Directive, Cyber Resilience Act (CRA), and IEC 62443 compliance.
Objective:
To assist large infrastructure clients in assessing, managing, and remediating risk by deploying highly accurate and secure digital replicas of critical infrastructure, combining 3D reality capture and real-time IoT data in the DTT cloud-based SaaS platform, in support of NIS2 Directive, Cyber Resilience Act (CRA), and IEC 62443 compliance in the EU.
Tools and Techniques:
Deployed a successful proof of concept (POC) that demonstrated the integration of hardened, zero-trust legacy OT communications (using aXite Security PLC Gateways) within a highly accurate digital twin.
Process & Methodology:
The movable bridges crossing the extensive canal network in the Netherlands were built at different times and to different specifications; hardly any two are alike. Most are automated (unmanned) around the clock with legacy PLC controllers that have no security other than the lock on the door. DTT partnered with aXite Security Tools, whose products encrypt the PLC and automation equipment communications. Location, equipment status, and other IoT information was integrated into the DTT Digital Twin SaaS platform, which contained highly accurate and detailed 3D scans of each controller room. The final solution provided geospatial context (x, y, z location) for all the equipment and controls within the digital twin replica.
Findings and Results:
In the future, the DTT solution would provide scalable geospatial context for thousands of uniquely different movable bridges across the Netherlands in a highly secure manner, thereby reducing the risk and cost of dispatching maintenance personnel.
Conclusion and Recommendations:
Digital Twin used to detect, identify & classify physical anomalies as potential security breaches or vulnerabilities within the airport terminals.
Objective:
I led the requirements definition, proposal, and execution plan for a POC intended to detect, identify, and classify physical anomalies as potential security breaches or vulnerabilities within the airport terminals.
Tools, Techniques, Process, and Methodology:
This included the daily collection and analysis of extensive LiDAR data, with ML/AI algorithms used to analyze anomalies within the DTT digital twin SaaS platform.
Findings and Results:
The proposal was accepted by the client and is expected to be deployed in 2026.
Conclusion and Recommendations: