Energy & Utilities · Power · Oil & Gas · Renewables · Smart Grid

Test the grid without tripping it.

ICS/SCADA penetration testing for generation, transmission, distribution, oil and gas, and renewables. NERC CIP, IEC 62443, NIS2, India CEA Cyber Security Regulations 2024, NIST CSF 2.0 and ISO/IEC 27001:2022 — delivered with digital-substation replicas, hardware-in-the-loop rigs and outage-window planning so the lights stay on.

NERC CIP: CIP-002 → CIP-014
IEC 62443: FR1–FR7 · SL1–SL4
CEA 2024: India power sector
ATT&CK for ICS: every finding mapped

Pain points the CISO and the operations director actually argue about

Legacy ICS/SCADA and unpatchable protection relays

Siemens SIPROTEC, ABB REL/REF/RET, GE Multilin, Schneider MiCOM and SEL relays running 10–20 year old firmware with no vendor patch path or with patches that require a planned outage to apply. Modbus RTU/TCP, DNP3 without secure authentication, IEC 60870-5-101/104 without TLS, OPC Classic still in production. Compensating controls only — strict segmentation, allow-listing, protocol-aware deep packet inspection.

IT-OT convergence and dual-homed engineering workstations

Engineering workstations dual-homed to corporate Active Directory and the substation or plant LAN. Historian servers bridging the Industrial DMZ. Vendor remote-access VPNs with shared service accounts and no session recording. This IT-to-OT bridging is the single largest recurring root cause across every public-record OT incident from 2015 onwards — Ukraine, Norsk Hydro, Colonial Pipeline, Oldsmar, the Iranian fuel-distribution outage.

Smart-meter and AMI fleet exposure

Millions of endpoints, often deployed faster than the security programme can catch up. Optical-port and DLMS/COSEM authentication weaknesses, NAN key-management gaps, signed-firmware bypass via JTAG / UART, headend systems with weak tenant isolation between the DSO and the third-party MDM-as-a-service operator, and exposed vendor cloud APIs that own remote disconnect on the meter fleet.

Ransomware lateral movement IT → OT

Conti, LockBit, BlackCat, Akira, Cl0p, Black Basta — every major crew has hit a utility, refinery or pipeline operator and pivoted toward operations. Colonial Pipeline halted fuel distribution to the US east coast after encryption of its billing systems alone. Indian discoms, EU TSOs and US IOUs are all in the active target set. Backups, identity infrastructure and engineering workstations are the routine pivot points.

Regulatory mandate and reporting clock pressure

NERC CIP audit cycles (regional entity audits, spot checks, self-reports), NIS2 management-board personal liability and 24-hour early-warning timelines, India CERT-In six-hour incident reporting, CEA 2024 conformance audits, SEC Item 1.05 four-business-day disclosure for US-listed parents, ENISA / ENTSO-E guidance for European TSOs. A single missed timeline can become a board-level event before the technical response is even drafted.

Renewables and DER vendor-cloud single points of failure

Solar inverter clouds (SMA, Sungrow, Huawei, Fronius, Enphase), battery-energy-storage management portals (Tesla, Fluence, Wartsila), EV-charging CSMS platforms with OCPP back-haul — each of which can remotely curtail or trip a fleet measured in gigawatts. The vendor cloud is in the threat model whether the asset owner likes it or not.

Compliance frameworks the engagement maps to

NERC CIP — North American Bulk Electric System

Mandatory FERC-approved standards for the North American Bulk Electric System: CIP-002 (BES Cyber System categorisation), CIP-003 (security management controls), CIP-004 (personnel & training), CIP-005 (Electronic Security Perimeter), CIP-006 (physical security), CIP-007 (systems security management), CIP-008 (incident reporting), CIP-009 (recovery), CIP-010 (configuration change & vulnerability assessments — active VA mandatory every 15 months on High-impact systems), CIP-011 (information protection), CIP-013 (supply-chain risk management), CIP-014 (physical security of Transmission stations).

IEC 62443 — Industrial Automation & Control Systems Security

International standard for IACS security used across generation, transmission, distribution, oil and gas, and renewables outside North America (and as a technical reference inside it). Part 2-1 (asset-owner programme), 2-4 (service-provider requirements — AxVeil engagements are written against 2-4), 3-2 (risk assessment, zones and conduits), 3-3 (system security requirements and Security Levels SL1–SL4), 4-1 (secure product development for component suppliers), 4-2 (component-level technical requirements).

NIS2 Directive (EU 2022/2555) — Energy as a Sector of High Criticality

Electricity, district heating and cooling, oil, gas, hydrogen and the related transmission, distribution and storage operators are classified as essential entities under Annex I. State-supervised cybersecurity risk-management obligations under Article 21, 24-hour early-warning and 72-hour incident notification (Article 23), management-board accountability and personal liability for non-compliance. ENISA and ENTSO-E sector-specific guidance referenced per finding.

India — CEA Cyber Security in Power Sector Regulations 2024

The Central Electricity Authority (Cyber Security in Power Sector) Regulations 2024 plus the CEA Guidelines on Cyber Security in the Power Sector 2021. Applies to generation, transmission and distribution utilities, load dispatch centres and RLDCs/NLDC. Designated CISO, cyber crisis management plan, mandatory annual conformance audit, integration with CERT-In and the sectoral CERT (CERT-Trans / CERT-Thermal / CERT-Hydro). Layered with CERT-In's 28 April 2022 directions for six-hour incident reporting and the DPDP Act 2023 where personal data of consumers is processed (smart metering, EV charging accounts, prosumer portals).

NIST Cybersecurity Framework 2.0 + NIST SP 800-82 Rev. 3

CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) used as the cross-cutting governance overlay. NIST SP 800-82 Rev. 3 (Guide to OT Security) used as the technical reference architecture for ICS, SCADA, DCS, PLC and IIoT environments — Purdue Enterprise Reference Architecture overlay, defence-in-depth zoning, OT-specific risk-management lifecycle.

ISO/IEC 27001:2022 + 27019:2017 (Energy-utility-specific controls)

ISO/IEC 27001:2022 with the 2022 Annex A revision (93 controls across four themes) and ISO/IEC 27019:2017 — the energy-utility-specific Code of Practice that supplements 27002 with controls for process control systems, communication networks, telecontrol and related operational technology. AxVeil reports include an Annex-A and 27019 mapping appendix for stage-1 and stage-2 audit evidence.

MITRE ATT&CK for ICS

Adversary technique matrix for industrial control systems — Inhibit Response Function, Impair Process Control, Damage to Property tactics with techniques drawn from real incidents: Modify Parameter (T0836), Spoof Reporting Message (T0856), Loss of Safety (T0880), Manipulation of Control (T0831), Block Reporting Message (T0804). Used to structure adversary simulation against the achieved Security Level of the relevant zone.

Sample attack scenarios exercised

Three scenarios commonly run in an energy or utilities adversary-simulation engagement. Each is drawn from a public-record incident pattern and mapped to MITRE ATT&CK for ICS. Active testing is performed against digital-substation test bays, hardware-in-the-loop simulators or scheduled outage windows — never against a live protection relay or safety system.

Scenario 1 — Modbus / DNP3 injection on a substation PLC or RTU

Initial Access via a compromised engineering workstation reached through the IT-OT pivot chain (T0817 Drive-by Compromise / T0865 Spear-phishing Attachment on the corporate side, lateral movement across an under-segmented IDMZ). On the OT side: replay and forged Modbus function-code 5 / 6 / 15 / 16 writes (or DNP3 Group 12 / 41 control-relay-output and analog-output-block requests) against a test-bay PLC or RTU. Execution of a Modify Parameter (T0836) within tolerance bounds to observe SCADA-side alarm propagation and operator response. Block Reporting Message (T0804) replay to test whether the control-room HMI detects a stale telemetry condition. Reset to baseline before the test window closes.

Scenario 2 — Smart-meter firmware tamper and signed-firmware bypass

Physical access to a meter in the AxVeil lab. Hardware enumeration of the metrology and communications boards — JTAG, SWD and UART exposure, secure-boot fuse state, debug-pin lockout. Firmware extraction via NAND or SPI dump where lockout is incomplete. Signed-firmware bypass attempts: image substitution, downgrade attack against pre-signature-enforcement bootloader versions, MCU swap on populated debug headers. Optical-port (IEC 62056-21) and DLMS/COSEM HLS authentication review — key-strength, master-key reuse across the fleet, replay resistance. Outcome: a defensible position on whether a single physical-access incident pivots to a fleet-wide remote-disconnect risk via the headend.

Scenario 3 — IT-OT pivot through a dual-homed engineering workstation

Corporate-IT initial access (commodity phishing payload, no live ransomware deployed). Enumeration of dual-homed engineering workstations, jump hosts and historian servers bridging the Industrial DMZ. Active Directory abuse to obtain credentials for an EngWS-class machine. From the engineering workstation: HMI client launch under a legitimate engineer session, demonstration of read access to the live SCADA process database, demonstration of write capability to the engineering replica (never the production PLC). Maps to the Ukraine 2015 / 2016, Colonial Pipeline 2021 and the Iranian fuel-distribution 2021 / 2023 pivot patterns. Deliverable: a kill-chain reconstruction with prioritised segmentation, identity-tier and detection-engineering remediations against NERC CIP-005, CIP-007 and IEC 62443 FR3 / FR5.
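Added example, not AxVeil's tooling: a passive Modbus/TCP write monitor of the kind that the protocol-aware allow-listing described under "Legacy ICS/SCADA" relies on, and that Scenario 1 exercises from the other side. It parses the MBAP header of each captured request, flags function-code 5 / 6 / 15 / 16 writes from any master not on a per-PLC allow-list, and flags malformed frames. The IP addresses, the allow-list and the captured frames are constructed for illustration.

```python
import struct
# Modbus function codes that change process state (the write set named in Scenario 1).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumed allow-list (constructed addresses): PLC/RTU -> masters permitted to write to it.
WRITE_ALLOWLIST = {"10.20.1.5": {"10.20.1.10"}}

def parse_modbus_tcp(data: bytes) -> dict:
    """Parse MBAP header + PDU of one Modbus/TCP request; ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP protocol id or length field is invalid")
    return {"tid": tid, "unit": unit, "fc": data[7], "pdu": data[8:]}

def classify(src: str, dst: str, fc: int) -> str:
    """'read' for non-write codes; otherwise check the per-PLC write allow-list."""
    if fc not in WRITE_FUNCTION_CODES:
        return "read"
    return "write-allowed" if src in WRITE_ALLOWLIST.get(dst, set()) else "write-unauthorised"

def monitor(frames):
    """Return alerts for unauthorised writes and malformed frames seen in a capture."""
    alerts = []
    for src, dst, raw in frames:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append(("malformed", src, dst, str(err)))
            continue
        if classify(src, dst, req["fc"]) == "write-unauthorised":
            detail = f"FC{req['fc']} {WRITE_FUNCTION_CODES[req['fc']]} unit {req['unit']}"
            alerts.append(("unauthorised-write", src, dst, detail))
    return alerts

def build_frame(tid: int, unit: int, fc: int, pdu: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used only to build the sample capture)."""
    body = bytes([unit, fc]) + pdu
    return struct.pack(">HHH", tid, 0, len(body)) + body

# Constructed sample capture: (source IP, destination IP, TCP payload).
SAMPLE_FRAMES = [
    ("10.20.1.10", "10.20.1.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),    # read, fine
    ("10.20.1.10", "10.20.1.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 500))),  # write, allowed
    ("10.20.9.77", "10.20.1.5", build_frame(3, 1, 16, struct.pack(">HHB", 40, 1, 2) + b"\x01\xf4")),
    ("10.20.9.77", "10.20.1.5", build_frame(4, 1, 5, struct.pack(">HH", 3, 0xFF00))),  # coil write
    ("10.20.9.77", "10.20.1.5", b"\x00\x05\x00\x00\x00\x09\x01\x06\x00\x01"),          # bad length
]
```

Running `monitor(SAMPLE_FRAMES)` yields two unauthorised-write alerts for the unknown master and one malformed-frame alert; the allowed master's read and write produce none.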

Case study

Redacted reference — available under NDA

Regional electricity distribution utility, ~4 million consumers, two states. 16-week engagement across two load-despatch centres, eleven 33/11 kV substations, an Itron AMI rollout (~1.2 M meters in flight) and the supporting MDM-as-a-service platform. Findings: flat L3 routing between the corporate WAN and the SCADA back-haul on one of two LDCs, 60+ engineering and operator workstations dual-homed, vendor jump-host with shared credentials, DLMS HLS master-key reuse across an early meter batch, exposed headend API with broken tenant isolation between the DSO and the MDM operator.

Outcome: Industrial DMZ rolled out per substation across two outage windows, vendor access centralised through a single bastion with session recording, AMI per-batch key derivation rotated, headend tenant-isolation fixed before consumer billing go-live, full CEA 2024 conformance evidence pack delivered for the annual audit. CERT-In incident-reporting playbook tabletop-tested with the SOC.

Full redacted report and reference call available under mutual NDA. Request via the scoping form →

Frequently asked questions

Can you safely test a live substation, generation plant or pipeline SCADA without risking an outage?

Yes — and that constraint shapes the engagement from day one. On the operational technology side (substation bay-level IEDs, generating-unit DCS, pipeline RTUs, distribution feeder automation) the default posture is passive: span-port packet capture against IEC 61850 GOOSE / MMS, DNP3, Modbus TCP and OPC UA flows, vendor-manual review, configuration-export analysis from engineering workstations and HMI servers, and asset enumeration from the historian. Active testing is reserved for digital-substation test bays, factory-acceptance-test rigs, hardware-in-the-loop simulators, or planned outage windows agreed with the system operator and (where required) the load dispatcher. Rules of Engagement explicitly exclude anything that could trip a protection relay, mis-operate a breaker, drift a generation setpoint, or interfere with a safety-instrumented system on a hydrocarbon facility.

How does NERC CIP shape a North-American utility engagement versus IEC 62443 or the India CEA regulations?

NERC CIP is the mandatory standard for the North-American Bulk Electric System — CIP-002 through CIP-014 with auditable controls per BES Cyber System impact rating (High / Medium / Low), enforced by the regional entities under FERC oversight. The engagement maps findings per CIP requirement: CIP-005 Electronic Security Perimeter, CIP-007 Systems Security Management, CIP-010 Configuration Change and Vulnerability Assessments (which itself mandates an active vulnerability assessment every 15 calendar months on High-impact BES Cyber Systems), CIP-011 Information Protection, CIP-013 Supply Chain Risk Management. IEC 62443 is the international standard used outside North America (and increasingly inside it as a technical reference) — zone-and-conduit modelling, Foundation Requirements FR1–FR7, Security Levels SL1–SL4 per zone. India's CEA Cyber Security in Power Sector Guidelines 2021 plus the CEA (Cyber Security in Power Sector) Regulations 2024 layer Indian-specific requirements on top — designated CISO, mandatory cyber crisis management plan, CERT-In incident reporting within six hours under the 2022 directions, and conformance audit against the CEA framework. We map findings to whichever set the asset owner is regulated under, and to ATT&CK for ICS regardless.

What does smart-grid and smart-meter testing actually look like — AMI, headend, MDMS, the meter itself?

End-to-end. The meter (hardware tamper review of the metrology board, JTAG / UART / SWD exposure, firmware extraction via NAND or SPI dump, signed-firmware bypass attempts, optical-port (IEC 62056-21) and DLMS/COSEM authentication review, key-management review). The neighbourhood-area network (RF-mesh or PLC layer protocol analysis, key-derivation and join-process testing on Wi-SUN / 6LoWPAN / G3-PLC / Prime). The headend system (web and API testing against the AMI vendor stack — Itron, Landis+Gyr, Honeywell Elster, Secure Meters, HPL, Genus). The Meter Data Management System (authorisation between the DSO, the third-party MDM-as-a-service operator, and downstream billing). India-specific: alignment to the Smart Meter National Programme rollout, BIS IS 16444 / IS 15959 meter standards, and the Ministry of Power model technical specifications.

We had a ransomware near-miss on the corporate IT side. How do you test whether it could have reached operations?

This is the dominant engagement driver today. The pattern: IT-side initial access (commodity phishing, exposed RDP, Citrix or VPN appliance CVE, public-record stolen-credential reuse) plus lateral movement through shared Active Directory, shared file servers, shared backup infrastructure, dual-homed engineering workstations and operator stations, vendor jump hosts with always-on access. The Colonial Pipeline 2021 incident, the Ukrainian power-grid attacks (BlackEnergy 2015, Industroyer 2016, Industroyer2 2022), the Saudi Aramco wiper events and Pipedream / Incontroller toolkit demonstrate the exact paths an adversary takes. AxVeil exercises that path against your environment under controlled conditions: no real ransomware payload, no destructive actions, but the full enumeration and pivot chain to a defined point in the OT estate, with detection-quality testing at every hop. The deliverable is a kill-chain reconstruction with prioritised segmentation, identity and detection-engineering remediations.

How do you handle the renewables and distributed-energy-resource (DER) angle — solar farms, wind, BESS, EV charging?

Renewables and DER assets sit at the awkward intersection of high deployment velocity, internet-exposed vendor cloud, OEM remote-access requirements and rapidly-evolving standards. We map the inverter and battery-management-system fleet (SMA, Sungrow, Huawei, Fronius, Enphase, Tesla, Fluence, Wartsila) and test the vendor cloud APIs that own remote control of those assets — historically a recurring source of fleet-wide compromise on the public record. EV-charging infrastructure is tested against OCPP 1.6 and 2.0.1, ISO 15118 (Plug-and-Charge) and the operator's CPO / CSMS stack. For UK / EU operators we map to NIS2 essential-entity obligations and ENISA guidance; for US-listed operators we add the SEC cyber-disclosure rule materiality assessment; for Indian DISCOMs and DER aggregators we map to CEA 2024, CERT-In and the Smart Meter National Programme alignment.

Scope an energy or utilities engagement

Send the asset class (generation / transmission / distribution / oil & gas / renewables / smart metering), the OEM stack (Siemens / ABB / GE / Schneider / SEL / Hitachi / Yokogawa / Honeywell / Emerson / Itron / Landis+Gyr), the target regulator (NERC CIP / NIS2 / CEA 2024 / CERT-In / SEC) and any planned outage windows. We respond with a fixed-fee proposal and a redacted reference under NDA.

Request a scoping call