Critical Infrastructure Security for Southeast Turkey Municipalities
Municipalities sit at the intersection of citizen data, critical infrastructure and public services — a high-value target. A dedicated security roadmap for Southeast Turkey municipalities, tuned to public-sector budgets.
Layers of Critical Infrastructure
Municipal security has three layers: 1) e-gov web and mobile portals (citizen-facing), 2) internal operational systems (GIS, HR, accounting), 3) OT/SCADA systems (water treatment, traffic, waste). Each has a different threat profile.
The e-gov layer is classic web security — OWASP Top 10, KVKK compliance. The OT layer lives in post-Stuxnet reality — since air-gap is rarely real, IT-OT segmentation matters. An attacker moving from IT to OT can touch city infrastructure.
E-Government: Citizen Portal
Debt queries, tax payments, citizenship services — all involve national ID + payment + PII. High KVKK risk. Typical flaws: weak session management, missing 2FA, no brute-force protection, outdated software.
Minimum standard: TLS 1.3, A+ security headers, 15-min session tokens, 2FA (SMS + TOTP option), rate limiting (5/min at login), audit logs on every financial transaction. WAF at Cloudflare / Akamai level. VERBIS registered.
Internal Operations and Staff
Systems used by municipal staff — GIS, HR, billing, accounting. Many legacy systems, Windows XP still in circulation, shared admin accounts.
Priorities: clean AD (Active Directory) configuration, unique per-user accounts, MFA on Office 365, EDR on every endpoint, patch management (WSUS/SCCM), segmented networks (finance on its own VLAN).
OT/SCADA: Water, Traffic, Waste
Water treatment control, traffic lights, waste routing — hacking these affects the city. Follow the Purdue model for IT-OT segmentation: Level 0-1 (sensors, PLCs) ↔ Level 2-3 (SCADA, HMI) ↔ Level 4 (corporate IT). DMZs between each level, unidirectional gateways for exports.
Asset inventory is critical — which PLC, from which vendor, at which version? Most municipalities lack this. Phase one of any engagement is always inventory + risk analysis.
Regional Approach: Diyarbakır Example
Diyarbakır Metropolitan shares infrastructure with surrounding districts (water distribution, traffic). A regional security consortium makes sense — shared SOC, pooled threat intelligence, joint pentest budgets.
We designed such a program for municipalities: two annual pentests per municipality with pooled budgets, shared SOC-as-a-Service, an annual regional cyber drill and threat intel sharing. 30-40% cost saving with higher maturity.
Talk to VefaSec about your project or audit needs.
Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.