Security Posture Improvement

Closing the Gaps That Left a Utility's Domain Open to Phishing

West Texas County Utility District · January 2026


The Challenge

The utility operated with a lean IT staff and had grown its technology footprint without a corresponding security baseline. A security assessment found no EDR deployed on field devices, administrative accounts without MFA, misconfigured SPF records, and DMARC not set, which meant the district's domain was actively being spoofed in phishing campaigns targeting residents. There was no documented incident response plan and no defined escalation path if a system was compromised. For a CISA-designated critical infrastructure operator, the exposure was significant.

What We Did

  1. Conducted a full security assessment: firewall configuration, endpoint coverage, access controls, email security, patch posture, and IR readiness
  2. Produced a risk-prioritized findings report (Critical / High / Medium / Low) with a remediation roadmap
  3. Deployed EDR (endpoint detection and response) across all managed endpoints — including six field devices that had no previous coverage
  4. Enforced MFA on all administrative and privileged accounts within 30 days of engagement start
  5. Corrected SPF records, implemented DKIM signing, and configured DMARC at reject policy — stopping domain spoofing
  6. Documented an incident response plan with defined roles, an escalation contact list, and a tested notification process
  7. Aligned the security baseline to CISA critical infrastructure guidance and NIST CSF core functions
  8. Enrolled the environment in NavTech Managed Operations for ongoing alerting, patch management, and quarterly security reviews

Outcomes

  • Full EDR coverage across all endpoints, including previously unmanaged field devices
  • MFA enforced on 100% of privileged accounts
  • Domain spoofing stopped within 72 hours of DMARC enforcement
  • Documented incident response plan — first in the district's history
  • NIST CSF alignment achieved across Identify, Protect, and Detect functions
  • Zero successful phishing incidents against staff in the 90 days following remediation