A large US power production and distribution company
The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. Under NERC CIP covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets.
DNV has a long-standing relationship with this customer, having completed Cyber Vulnerability Assessments (CVAs) and software acceptance testing for them. DNV has performed a NERC CIP CVA in 2017.
As under the NERC regulations, CVAs are required, but penetration tests not. The customer wanted to make sure their operations networks were as secure as possible, so they made the decision to have DNV perform a penetration test on the same networks that DNV were performing the CVAs on. We performed a penetration test in 2017, using Shodan, Kali Linux and other tools.
The testing was done and there were no exploitable vulnerabilities found; their network is secure. This work was performed in 2017 and the customer have asked us to return in 2018 to perform another CVA and penetration test on their networks.