Guideline on Scope of Cybersecurity Audit in Power Sector Nov 2024

The document outlines the guidelines for conducting cybersecurity audits in the power sector, mandating periodic assessments of both IT and OT assets by CERT-In empanelled auditors. It details the scope of the audit, including areas such as cybersecurity policies, vulnerability assessments, and compliance with regulatory requirements. The guidelines aim to enhance the cybersecurity posture of power sector utilities by ensuring comprehensive coverage and adherence to established standards.

CSIRT-Power/01/CS-Audit/2024/01

Government of India

Ministry of Power

Computer Security Incident Response Team - Power

Subject: Guidelines on Scope of Cybersecurity Audit in the Power Sector - regd.

Power sector utilities are mandated to conduct periodic cybersecurity audit of both
Information Technology (IT) and Operational Technology (OT) assets, through auditors
empanelled by CERT-In as per Article 14 of the Central Electricity Authority (Cyber Security in
Power Sector) Guidelines 2021. As the scope of such audits varies across utilities, it became
necessary to formulate the scope of cybersecurity audit for power sector utilities.
Accordingly, CSIRT-Power has prepared "Guidelines on Scope of Cybersecurity Audit
in Power Sector" in consultation with various power sector utilities, sub-sectoral CERTs,
CERT-In, NCIIPC etc. The same is issued hereby for compliance by all concerned.
Encl.: Guidelines on Scope of Cybersecurity Audit in Power Sector

(R. P. Pradhan)
CISO, Ministry of Power

To: CISOs of All Power Sector Utilities

Copy for kind information to:


1. Secretary, Ministry of Power
2. Chairperson, Central Electricity Authority
3. Additional Secretary (IT), Ministry of Power
4. DG, CERT-In
5. DG, NCIIPC
6. CMDs/MDs of All Power Sector Utilities

3rd Floor, NRPC, Shaheed Jeet Singh Marg, New Delhi. Tele: 011-26561171. Email: cso nopg gov in
Guidelines on
Scope of Cybersecurity Audit
in the Power Sector

Issued by

Computer Security Incident Response Team-Power


(CSIRT-Power)

Version 1.0, November 2024


Table of Contents:
1 Purpose and Objectives ................................................................................................... 3
1.1 Purpose .................................................................................................... 3
1.2 Objectives ................................................................................................ 3
2 Part 1 - Guidelines for Scope of comprehensive Cybersecurity Audit. ...................... 5
2.1 Scope of Audit ......................................................................................... 5
2.2 Systems, Assets, Policies, Processes & Procedures ................................ 5
2.3 Detail of the Audit Areas ........................................................................ 6
2.3.1 Audit of the Cybersecurity Policy, Process and Procedure ............................... 6
2.3.2 Audit of Identity and Access Management (IAM) ............................................ 8
2.3.3 Application and Data Security ........................................................................... 8
2.3.4 Logging and Monitoring .................................................................................... 9
2.3.5 Audit of Incident Management Process ............................................................. 9
2.3.6 Audit of the Architecture, Networks and Systems............................................. 9
2.3.7 Audit of Physical Security ............................................................................... 10
2.3.8 Vulnerability Assessment/Penetration Testing (VA/PT) ................................. 10
2.3.9 Special Considerations for VA/PT of OT Systems.......................................... 10
2.3.10 Audit to Check Conformance and Compliance ............................................... 11
2.4 Audit Deliverables................................................................................. 12
2.5 References & Sources ........................................................................... 13
3 Part-2: Guideline on the Scope of Vulnerability Assessment (VA) & Penetration Testing (PT) ........................ 14
3.1 Scope of Work ....................................................................................... 14
3.2 Vulnerability Assessment (VA) ............................................................ 15
3.2.1 Activities .......................................................................................................... 15
3.2.2 Methodology .................................................................................................... 15
3.2.3 Deliverables ..................................................................................................... 16
3.3 Penetration Testing:............................................................................... 16
3.3.1 Internal Penetration Testing (PT)..................................................................... 17
3.3.2 External Penetration Testing ............................................................................ 18
3.4 Website/Web Application Assessment ................................................. 19
3.4.1 Scope ................................................................................................................ 19
3.4.2 Activities .......................................................................................................... 20
3.4.3 Methodology .................................................................................................... 20
3.4.4 Deliverables ..................................................................................................... 20
3.5 Resolution, Compliance, and closure of Cybersecurity Vulnerabilities ............ 20
3.6 Re-Scan ................................................................................................. 21
3.6.1 Scope of Work ................................................................................................. 21
3.7 Standards and Guidelines ...................................................................... 22

Page 2 of 22

Guidelines on Scope of Comprehensive Cybersecurity Audit in the Power Sector Version 1.0, Nov 2024
1 Purpose and Objectives

1.1 Purpose
1. Power sector utilities are mandated to conduct periodic cybersecurity audit of both
Information Technology (IT) and Operational Technology (OT) assets, through auditors
empanelled by the Computer Emergency Response Team - India (CERT-In). In alignment
with the directions provided, these cybersecurity audits go beyond Vulnerability Assessment
and Penetration Testing (VA/PT) of applications and systems. They encompass a thorough,
comprehensive audit of the deployed cyber infrastructure, ensuring a robust and holistic
approach to cybersecurity.
2. The utility should engage a CERT-In empanelled auditor with domain-specific
expertise to assess both IT and OT environments, as applicable. To ensure an independent
audit, the utility should directly hire a third-party CERT-In empanelled auditor, regardless of
whether the infrastructure is managed by the utility or a service provider. This approach
avoids conflicts of interest and ensures a neutral evaluation.

3. The specific purpose of this document is to provide a template for the scope of
conducting cybersecurity audits in the power sector against a set of
requirements/standards/baselines, through CERT-In empanelled auditors.

4. Part 1 outlines guidelines for scope of cybersecurity audits to assess and validate the
utility's overall cybersecurity posture, focusing on policies, processes, procedures, practices,
governance structures, and compliance with regulatory requirements. Part 2 defines the
scope of Vulnerability Assessment (VA) and Penetration Testing (PT) to address technical
cybersecurity evaluations.

1.2 Objectives
The audit should adhere to applicable cybersecurity standards, such as ISO 27001, IS 16335,
and the IEC 62443 series, and verify the utility’s cybersecurity resilience, including its
compliance with applicable cybersecurity rules, regulations, directives, and guidelines.

The objectives of the mandated Cybersecurity Audit:

1. Comprehensive Coverage of Cyber Assets: The audit should ensure a thorough and
comprehensive cybersecurity assessment of cyber assets within the power sector utility,
enabling the identification and mitigation of vulnerabilities.

2. Assessment of IT and OT Architecture Resilience: It should assess the robustness of IT
and/or OT architecture within the utility's interconnected environment.

3. Verification of Technical Controls and System Hardening: The audit should provide a
structured evaluation of the effectiveness of implemented technical controls, hardening
measures, and the configuration of security devices.

4. Assessment of Operational Technology (OT) Systems: The audit should include a
comprehensive cybersecurity review of OT systems, considering the practical constraints
inherent in OT environments.

5. Regulatory Compliance: The audit should enable the utility to verify compliance with
applicable Acts, Rules, Regulation, Directives, and Guidelines issued by Government of
India.

6. Gap Analysis Against Cybersecurity Frameworks: This audit should conduct a
detailed gap analysis of the utility's cybersecurity practices in relation to the adopted
cybersecurity frameworks, such as ISO 27001 for IT systems and IEC 62443-2-1 for OT
systems, to guide ongoing improvements and enhance resilience.

2 Part 1 - Guidelines for Scope of Comprehensive Cybersecurity Audit

2.1 Scope of Audit


The scope of the audit should encompass a systematic evaluation of both Information
Technology (IT) and Operational Technology (OT) systems within the utility, ensuring that
all deployed cyber assets are included in the assessment. It should cover all critical
components such as network infrastructure, security devices, technical controls, and system
hardening measures, while also addressing the unique cybersecurity requirements of OT
systems, which are vital to the power sector. The audit should further assess the effectiveness
of existing security configurations and verify compliance with relevant cybersecurity
frameworks and regulatory guidelines. Additionally, a detailed gap analysis should be
conducted to identify areas for improvement, supporting the utility’s ongoing cybersecurity
enhancement efforts.

The specific audit areas are outlined in detail in the following sections.

2.2 Systems, Assets, Policies, Processes & Procedures


The audit scope shall include, but not be limited to, the following:

1. all the identified Critical Information Infrastructures and notified Protected Systems of
the utility,

2. all Critical and High-risk Assets as identified by the utility,

3. all medium and low-risk assets, (If the number of assets is too large to be audited in a
single audit, the utility may use a sampling and rotational approach)

4. all web applications, mobile applications and cloud-based applications including APIs,
and internal applications, selected on a risk basis,

5. the utility's existing cybersecurity policies, processes, and procedures. This includes
reviewing of the Service Level Agreements (SLAs) with third-party vendors to ensure
that SLA meets appropriate cybersecurity requirements,

6. the statement of applicability, selection, and implementation of cybersecurity controls,

7. review of the network architecture and data flow in both IT and OT environments,

8. configuration assessment of deployed security devices,

9. vulnerability analysis of all notified protected systems and critical and high-risk assets,
with medium and low-risk assets covered on a sample and rotational basis,

10. penetration testing of all web-based applications, mobile applications, cloud-based
applications, publicly exposed/internet-facing services, websites, mobile apps, and in-
house developed applications. It should involve active identification and exploitation of
vulnerabilities in the system, including those listed in the OWASP Top Ten, to assess
whether an attacker could exploit these weaknesses in real-world scenarios.

11. verification audit for compliance with applicable cybersecurity Rules, Regulations
Directives and Guidelines issued by CERT-In, National Critical Information
Infrastructure Protection Centre (NCIIPC), Central Electricity Authority (CEA) and other
Government Entities.

12. review of the architecture at both main and backup control centers including their
interconnections and data flow.

13. mechanism of Backup /Storage/DR Systems in place,

14. review of Cyber Crisis Management Plan of the utility and effectiveness of its
implementation,

15. review of Emergency Preparedness Plan and Business Continuity Plan,

16. evaluation of physical security controls,

17. any additional system deemed suitable by the utility.

2.3 Detail of the Audit Areas

2.3.1 Audit of the Cybersecurity Policy, Process and Procedure

1. Audit of Cybersecurity Policy Effectiveness and Alignment: The auditor will verify
whether cybersecurity policy complies with latest edition of ISO 27001 and ISO 27019
standards, as applicable. This includes ensuring alignment with business goals, legal
obligations, and contractual terms. Audit shall also verify the exceptions to ensure that
these exceptions are authorised, legitimate and valid.

2. As applicable, audit of the OT specific cybersecurity policy, and its compliance with
sector specific cybersecurity standards like IS 16335 and IEC 62443 series.

3. Audit of the cybersecurity governing structure such as designation of CISO with ring
fenced cybersecurity duties, existence of dedicated division for cybersecurity with
defined roles & responsibilities and staffed with adequate and trained manpower.

4. Audit of the asset management process, and verification that an asset identification and
classification process is in place.

5. Audit of the Vulnerability Management Process in both IT and OT systems for periodic
identification and closure of vulnerabilities,

6. Audit of Risk Management Process to evaluate how the utility identifies, assesses, and
manages cybersecurity risks.

7. Audit of the processes for managing changes to IT and OT systems and configurations.
Audit of patch management procedures for applying patches to IT and OT systems,
including pre-patch testing, post-patch validation, and rollback procedures.

8. Audit of the implemented process/mechanism for regular backups of critical operational
and business data with tested recovery procedures.

9. Audit of the personnel risk assessment process in place at the utility to mitigate internal and
external cybersecurity risks arising from its own personnel, or from personnel of its Service
Providers, who have access to its critical and high-risk assets.

10. Audit of the process and procedure, in place for safe & secure disposal of legacy systems
to verify that such systems are disposed as per established process.

11. Audit of the Supply Chain Risk Management system to evaluate their effectiveness in
securing the supply chain and managing associated risks. This includes audit of the
outsourced activities to mitigate risks from third-party vendors and their adherence to
utility cybersecurity policy and regulatory requirements.

12. Audit of existing cybersecurity training and awareness program to verify its suitability
and adequacy. This includes assessment of user awareness w.r.t organisation’s security
policies, evaluation of the employee’s susceptibility to social engineering attacks, such as
phishing and impersonation.

13. Verification of the availability of a tailored and approved Cyber Crisis Management Plan
(CCMP) that includes utility-specific cyber-attack scenarios and procedures, and
assessment of whether the CCMP's efficacy is tested through mock drills and exercises.

14. Review of the business continuity and disaster recovery plans to ensure they are
comprehensive and up to date.

2.3.2 Audit of Identity and Access Management (IAM)

1. Audit of the access control policies to check the implementation of authentication,
authorization, role-based access control, segregation of duties, and least privilege
principles.

2. Assessment of password policies and effectiveness of its implementation.

3. Assessment of the implementation of Multi Factor Authentication for critical systems.

4. Audit of defined remote access policies and implemented cybersecurity measures by the
utility for remote access cybersecurity.

5. Audit of mobile device policies, addressing cybersecurity risks associated with use of
external removable and BYOD systems as defined in cybersecurity policy.

2.3.3 Application and Data Security

1. Audit of the process for data classification based on sensitivity and criticality.
2. Audit to check the implementation of data retention, data access controls, and data
leakage prevention mechanism. This includes audit of the mechanism/ system used for
data encryption to evaluate their effectiveness in protecting sensitive data, both at rest and
in transit.

3. Audit to check the effectiveness of data backup strategies and the ability to recover from
data loss or corruption.
4. Audit of Cryptographic controls, key management, and key storage mechanism (if in
use).
5. Audit of the practices used or followed for In-house or Out-sourced application
development, secured coding practices and code testing process.
6. Audit to check implementation of data security and data privacy measures to ensure
compliance with applicable rules and regulations for protection of sensitive data.
7. Audit the cybersecurity mechanisms deployed in the database to identify potential threats
and ensure the protection of sensitive information.
8. Evaluation of the measures in place for data protection in cloud environments, including
backup and encryption.
9. Review of the security practices of cloud service providers and any third-party
integrations.

2.3.4 Logging and Monitoring

1. Audit of the mechanism/system in place to monitor, detect and log events of deployed
security devices, networks, end devices and hosts.

2. Review of the log storage systems in place for compliance with existing regulatory
requirements. This includes review of the operational and functional efficacy of the
Security Operations Centre (SOC) to check its threat detection and response capabilities.

3. Review of the deployment and effectiveness of logging and monitoring solutions, such as
SIEM, to ensure timely detection and response to security incidents.

2.3.5 Audit of Incident Management Process

1. Audit of the incident response process and customization for the power sector, and its
effectiveness across IT and OT systems.

2. Evaluation of the effectiveness of the deployed tools and processes for detecting and
monitoring of the cybersecurity incidents

3. Audit of procedures for identifying and reporting security incidents.

4. Review of previous audit / Incident Report (IR) reports and their compliance status.

5. Assessment of the processes for conducting post-incident reviews and implementing
lessons learned.

2.3.6 Audit of the Architecture, Networks and Systems

1. Audit of the IT/OT system as-built architecture for assessment of structural
weaknesses, interconnections, data flow, communication protocols, and system
convergence, and identification of gaps.

2. Review of the deployment of appropriate perimeter security devices, security of trusted
zones & conduits, network segmentation, and IT/OT convergence.

3. Audit to check the security configurations of servers, workstations, and other endpoints
and to verify the deployment of Endpoint Security solutions such as Antivirus, EDR
solutions.

4. Audit of the configurations of security devices, host devices and network devices, and
review of the implementation of required hardening measures such as blocking of
unnecessary ports and services, whitelisting of applications, and others, in comparison
with cybersecurity benchmarks like CIS Benchmarks.

5. Audit of the standard operating procedure for configuration management of systems and
devices.

6. Review of DC / DR Systems - Review of the security architectures of Main / Backup sites,
their interconnections, and data flow.

2.3.7 Audit of Physical Security

1. Audit of physical Access controls to evaluate the effectiveness of physical access controls
and surveillance systems, visitor management, and employee identification systems.

2. Review of logs and records of physical access and Comparison of physical security
measures with industry standards and best practices.

3. Audit of the mechanism/system in place for Protection from physical and environmental
threats, such as natural disasters and other intentional or unintentional physical threats to
infrastructure.

2.3.8 Vulnerability Assessment/Penetration Testing (VA/PT)

1. Vulnerability analysis of all notified Protected Systems, critical and high-risk assets.
Medium and low-risk assets should be covered on a sample and rotation basis.

2. VA/PT of web applications, web-based services, mobile applications, cloud-hosted
applications, IoT applications, and other publicly exposed services, including assessment of
the security architecture and design review of these applications.

2.3.8.1 The detailed scope of VA/PT is provided in Part 2 of this document.

2.3.9 Special Considerations for VA/PT of OT Systems

1. In OT systems, where active Vulnerability Assessment (VA) and Penetration Testing
(PT) may not be feasible, VA should be conducted in passive mode or through
physical verification to avoid disruptions to critical processes. The use of passive
scanning tools that do not actively interact with OT devices should be ensured.

2. Active Vulnerability Assessments and Penetration Testing may be conducted in
simulated environments or isolated test setups. Additionally, whenever possible,
targeted testing should be performed on testbeds or during planned maintenance
windows to assess system vulnerabilities. In the latter case, the target OT systems and
their components should be clearly identified to minimize operational impact.
Components that cannot tolerate downtime or interruptions should be excluded from
testing.
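The passive mode called for above can be illustrated with a small inventory builder. This is an added example, not part of the CSIRT-Power guideline: it derives an asset and service inventory for an OT segment purely from flow records that a SPAN/TAP collector has already exported, so no packet is ever sent to a controller or RTU. The flow records, IP addresses and the port-to-protocol map below are constructed sample data and assumptions for illustration only; the well-known ports used (Modbus/TCP 502, DNP3 20000, IEC 60870-5-104 2404) are standard assignments.

```python
"""Passive asset and service inventory for an OT network segment.

Added example (not from the guideline): builds an inventory from already
observed traffic summaries, without active scanning of any OT device.
The flow records, addresses and protocol map are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Well-known TCP ports for common industrial protocols plus a few IT services.
# Anything not listed is recorded as "unknown" rather than probed further.
KNOWN_SERVICES = {
    502: "modbus-tcp",
    20000: "dnp3",
    2404: "iec-104",
    22: "ssh",
    23: "telnet",
    80: "http",
    443: "https",
    3389: "rdp",
}

# Services whose presence on an OT segment an auditor would record as a
# hardening finding (cleartext or remote-desktop access to field equipment).
INSECURE_SERVICES = {"telnet", "http", "rdp"}

# Constructed flow summaries in the form "src_ip dst_ip dst_port proto", as a
# passive collector would export them. Producing this list contacts no device.
SAMPLE_FLOWS = """\
10.20.1.10 10.20.1.50 502 tcp
10.20.1.10 10.20.1.51 502 tcp
10.20.1.11 10.20.1.52 20000 tcp
10.20.1.10 10.20.1.52 20000 tcp
10.20.1.20 10.20.1.50 23 tcp
10.20.1.20 10.20.1.60 3389 tcp
10.20.1.10 10.20.1.53 2404 tcp
10.20.1.10 10.20.1.54 44818 tcp
"""


@dataclass
class HostRecord:
    """Services a host was seen offering (it was the destination of a flow)."""
    services: dict = field(default_factory=dict)   # dst port -> protocol name
    talkers: set = field(default_factory=set)       # source IPs seen talking to it


def parse_flow(line):
    """Parse one 'src dst port proto' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, proto = parts
    if not port.isdigit() or proto.lower() != "tcp":
        return None
    return src, dst, int(port)


def build_inventory(flow_text):
    """Aggregate observed flows into a per-host inventory, with no active probing."""
    inventory = defaultdict(HostRecord)
    for line in flow_text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue          # skip malformed or non-TCP records
        src, dst, port = parsed
        rec = inventory[dst]
        rec.services[port] = KNOWN_SERVICES.get(port, "unknown")
        rec.talkers.add(src)
    return dict(inventory)


def findings(inventory):
    """Return (host, port, service) triples that warrant a hardening finding."""
    out = []
    for host in sorted(inventory):
        for port, name in sorted(inventory[host].services.items()):
            if name in INSECURE_SERVICES:
                out.append((host, port, name))
    return out


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for host in sorted(inv):
        svc = ", ".join(f"{p}/{n}" for p, n in sorted(inv[host].services.items()))
        print(f"{host}: {svc}  (talkers: {len(inv[host].talkers)})")
    for host, port, name in findings(inv):
        print(f"FINDING: {host} offers {name} on tcp/{port}")
```

The inventory only records what the collector already saw, so a device that was silent during the capture window is simply absent rather than probed; auditors should pair this with the physical verification the guideline mentions to close that gap. Unrecognised ports (44818 in the sample) are left as "unknown" for manual review instead of being fingerprinted actively.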

2.3.10 Audit to Check Conformance and Compliance

1. Cybersecurity Audit of IT/OT Infrastructure to check conformance with the utility
Cybersecurity Policy.

2. Verification audit to check compliance with applicable cybersecurity rules, regulations,
directives, and guidelines issued by CERT-In, NCIIPC, Ministry of Power and other
relevant Authorities.

3. Verification Audit to check the utility's cybersecurity program alignment with cybersecurity
standards and best practices such as ISO 27001, ISO 27019, IS 16335 and the IEC 62443 series
of standards, as applicable.

4. Verification Audit to check compliance with Cyber Security Audit – Baseline
Requirements (CSA-BR) 2020, issued by the NSCS.

2.4 Audit Deliverables
1. Detailed plan outlining objectives, scope, methodology, and timeline.

2. Auditor should immediately inform the critical findings observed (if any) during audit to
utility for their immediate action.

3. Gap analysis report with respect to framework and architecture

4. Suggestions and recommendations to address audit findings.

5. Suggestion for having secure network architecture.

6. A roadmap for implementing recommended security measures and improvements.

7. Schedule of follow-up audits to verify the implementation of corrective actions.

8. Identified gap and Suggestion to update cybersecurity policies, procedures, and controls
based on audit findings and evolving threats.

9. The audit report shall provide a comprehensive and detailed account of the entire audit
process. It should include identified vulnerabilities, risks, non-compliance issues, with
artefacts and evidence and areas for improvement.

10. The audit report should also encompass the audit mechanism, detailed scope, duration,
methodologies, standards used, tools, manual processes, findings, prioritization, sampling
decisions, manpower involved, as well as any exemptions, limitations, and other
constraints encountered during the audit. Additionally, a list of the testing software or
tools used should be included.

11. The report should begin with an executive summary that offers a concise overview of the
audit findings, highlighting the associated risks to the organization and the overall
security posture of the audited application or infrastructure. This summary is intended for
submission to higher management, including board members.

12. Exit briefing: Convey preliminary interim audit observations to the utility, such as critical
findings, vulnerabilities, major gaps etc. which require immediate attention / action, and
educate the utility on providing feedback to the empanelling agency about the quality of
the audit performed by the empanelled auditors at the utility end.

2.5 References & Sources
1. International Organization for Standardization. ISO/IEC 27001: Information technology
– Security techniques – Information security management systems – Requirements.
2. International Organization for Standardization. ISO/IEC 27005: Information technology
– Security techniques – Information security risk management.
3. National Institute of Standards and Technology. (2008). NIST SP 800-115: Technical
guide to information security testing and assessment.
4. Open Web Application Security Project. OWASP Testing Guide.
5. SANS Institute. (n.d.). SANS Penetration Testing Methodology.
6. International Electrotechnical Commission. IEC 62443-3-2: Industrial communication
networks – Network and system security – Part 3-2: Security risk assessment and system
design.
7. National Institute of Standards and Technology. (2010). NIST IR 7628: Guidelines for
Smart Grid Cybersecurity.
8. North American Electric Reliability Corporation. (n.d.). NERC CIP Standards.

3 Part-2: Guideline on the Scope of Vulnerability Assessment (VA) & Penetration Testing (PT)
This guideline outlines the scope, activities, methodology, and deliverables for conducting a
Vulnerability Assessment (VA) & Penetration Testing (PT) audit. Part-2 should be
implemented in conjunction with Part-1 for a comprehensive cybersecurity audit.

3.1 Scope of Work


The scope of work should include conducting comprehensive Vulnerability Assessment and
Penetration Testing (VA/PT) as defined, documenting and reporting identified vulnerabilities
and cybersecurity issues, supporting the remediation and closure of identified gaps, and
ensuring compliance with VA/PT requirements in alignment with security standards and best
practices.

The scope of the VA/PT assessment should be defined in accordance with the Scope of Audit
(2.1) outlined in Part 1 - Guidelines for the Scope of a Comprehensive Cybersecurity Audit.

It should include, but is not limited to, the following:


1. Assessment of systems and networks of identified Critical Information Infrastructures
(CII), notified Protected Systems, critical and high-risk systems including servers, virtual
machines, software applications, workstations, and other endpoint devices.
2. Assessment of systems and networks segment having medium and low risk cyber assets
in sample and rotation basis.
3. Vulnerability assessment and penetration testing (VA/PT) of web applications, mobile
applications, cloud-based applications, APIs, in-house-developed applications and other
internal applications.
4. Assessment of network architecture and data flow within IT and OT environments for
structural weaknesses, interconnections, communication protocols, data flow, and system
convergence.
5. Assessment of security configurations for deployed devices, including firewalls,
intrusion prevention systems (IPS), intrusion detection systems (IDS), routers, switches,
and other network devices.
6. Assessment of perimeter security devices and network including testing for potential
exploitations from outside.
Note:
1. The utility should provide a detailed Bill of Quantity (BoQ) covering the whole scope.
2. For special considerations in VA/PT of OT systems, kindly refer to Section 2.3.9 of Part 1.

3.2 Vulnerability Assessment (VA)
The objective is a systematic examination of an IT or OT system or product to identify security
deficiencies, determine the adequacy of security measures, provide data from which to
predict the effectiveness of proposed security measures, and confirm the adequacy of such
measures after implementation.

3.2.1 Activities

The vulnerability assessment should cover a range of activities to identify security
weaknesses; a list of sample activities is given below:

i. Port and Network Scanning: Identify open ports and services running on the network.
ii. Vulnerability Scanning: Use automated tools to detect vulnerabilities across all systems
in scope.
iii. System and Service Identification: Enumerate and fingerprint operating systems and
services.
iv. Malware Scanning: Detect and analyse any malware or potential threats within the
network.
v. Password Strength Assessment: Assessment of the strength of passwords.
vi. Authentication and Authorization Testing: Test access control mechanisms and account
lockout policies.
vii. Configuration Assessment: Assessment of network devices configuration such as
firewall configurations for security gaps.
viii. Server and Database Assessment: Evaluate OS and database configurations for
vulnerabilities.
ix. Any additional activities as mutually agreed upon by the utility and the auditor.
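As an added illustration (editor's code, not part of the guideline and not code from CSIRT-Power or any utility), the following Python script turns the raw results of activities (i) and (iii) above into an auditable host inventory with preliminary findings. It assumes the scan was run with Nmap and saved as XML (for example "nmap -sV -O -oX scan.xml <range>"); the embedded XML is constructed sample data, and the lists of clear-text services and industrial protocol ports used for flagging are the editor's own choices, not lists taken from the guideline.

```python
"""Added example (not from the guideline): build a host inventory with
preliminary findings from an Nmap XML scan result (assumed produced by
"nmap -sV -O -oX scan.xml <range>").  The XML and the flagging lists are
the editor's constructed choices, not data or lists from the guideline."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample scan: one OT HMI and one IT server (not a real network).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.1.0/24">
  <host>
    <status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <hostnames><hostname name="hmi-01.ot.example"/></hostnames>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="92"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports>
    <os><osmatch name="Linux 5.15" accuracy="96"/></os>
  </host>
</nmaprun>
"""

# Editor's flagging lists (assumptions); tune them to the utility's environment.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp", "vnc"}
OT_PROTOCOL_PORTS = {102: "S7comm", 502: "Modbus/TCP", 2404: "IEC 60870-5-104",
                     20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet"}


@dataclass
class Host:
    ip: str
    hostname: str
    os_guess: str
    open_ports: list = field(default_factory=list)  # (port, proto, service, product)
    findings: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Parse Nmap XML into Host records, keeping only ports in state 'open'."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        hn = h.find("hostnames/hostname")
        osm = h.find("os/osmatch")
        host = Host(ip=h.find("address[@addrtype='ipv4']").get("addr"),
                    hostname=hn.get("name") if hn is not None else "",
                    os_guess=osm.get("name") if osm is not None else "unknown")
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            name, product = "", ""
            if svc is not None:
                name = svc.get("name", "")
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            host.open_ports.append((int(p.get("portid")), p.get("protocol"), name, product))
        hosts.append(host)
    return hosts


def flag_findings(host: Host) -> Host:
    """Attach preliminary findings: clear-text management services and reachable OT protocols."""
    for port, proto, service, _ in host.open_ports:
        if service in CLEARTEXT_SERVICES:
            host.findings.append(f"{proto}/{port} {service}: clear-text or legacy service exposed")
        if port in OT_PROTOCOL_PORTS:
            host.findings.append(f"{proto}/{port} {OT_PROTOCOL_PORTS[port]}: "
                                 "industrial protocol reachable from the scanning host")
    return host


def build_inventory(xml_text: str) -> list:
    """Inventory of live hosts with their open ports, OS guess and findings."""
    return [flag_findings(h) for h in parse_nmap_xml(xml_text)]


if __name__ == "__main__":
    for h in build_inventory(SAMPLE_NMAP_XML):
        print(f"{h.ip} ({h.hostname or '-'}) OS guess: {h.os_guess}")
        for port, proto, service, product in h.open_ports:
            print(f"  open {proto}/{port} {service} {product}".rstrip())
        for f in h.findings:
            print(f"  FINDING: {f}")
```

The findings are starting points, not conclusions: a Modbus/TCP port reachable from the auditor's scanning host is a segmentation finding to be confirmed against the architecture assessment, and the OS guess feeds the server assessment (activity viii). To use it on a real engagement, replace SAMPLE_NMAP_XML with the contents of the scan file.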

3.2.2 Methodology

The utility, in consultation with the selected vendor, should finalize the methodology. However, at a broader level, the following structured approach is suggested:

i. Preparation: Define the scope, identify assets, and determine the boundaries for analysis.

ii. Execution: Conduct assessments using both automated tools and manual techniques, as applicable (for OT systems, observe the special considerations in Section 2.3.9 of Part 1 before any active scanning).

iii. Analysis: Analyse the results to identify the vulnerabilities and security gaps, verifying findings manually to remove false positives.

iv. Reporting: Document findings, categorize vulnerabilities by risk level, and provide remediation recommendations.

v. Validation: Perform a validation assessment after remediation to confirm the resolution of identified vulnerabilities.

3.2.3 Deliverables

The vulnerability assessment should systematically identify security vulnerabilities, provide actionable steps for remediation, and outline a plan to enhance the overall security posture. The deliverables may include the following:

i. Vulnerability Assessment Report containing

(a) detailed findings of identified vulnerabilities, including their severity, potential impact, and affected systems or applications;

(b) categorization of vulnerabilities by risk level (e.g., Critical, High, Medium, Low);

(c) assessment of the potential impact of the vulnerabilities on the systems and operations of the utility;

(d) technical documentation with scan results and screenshots supporting the identified vulnerabilities.

ii. Remediation Plan outlining

(a) the steps necessary to close identified vulnerabilities, including any required patches or configuration changes;

(b) a comparison of the current security posture against industry benchmarks and standards;

(c) a plan for overall improvement of the cybersecurity posture through adherence to relevant security standards and best practices.

3.3 Penetration Testing

The objective is to simulate real-world attacks to identify methods for bypassing the security features of the utility's applications, systems, or networks. Assessors, operating under defined constraints, attempt to exploit or circumvent these security measures. Most penetration tests involve discovering and exploiting combinations of vulnerabilities across one or multiple systems to achieve broader access than would be possible through a single vulnerability alone.

3.3.1 Internal Penetration Testing (PT)

Internal Penetration Testing may be conducted to simulate an insider attack, or an attacker who has already gained a foothold on the internal network, in order to identify potential vulnerabilities within the internal network and applications.

Internal Penetration Testing should cover:

i. Network Infrastructure: Routers, switches, firewalls, and security appliances within the internal network.

ii. Servers and Workstations: Internal-facing servers, desktops, and other endpoints.

iii. Applications: Internal web and client-server applications.

iv. Any additional systems or products as specified within the scope.

3.3.1.1 Activities

Sample activities for Internal Penetration Testing may include:

i. Port Scanning and System Enumeration: Identify open ports, running services, and system details.

ii. Security Bypass: Attempt to bypass security controls such as EDR, firewalls and intrusion detection/prevention systems (IDS/IPS).

iii. Privilege Escalation: Test for potential paths to escalate privileges (for example, from a standard user to an administrative account) on hosts and within the network.

iv. Exploitation of Vulnerabilities: Attempt to exploit identified vulnerabilities to assess their impact.

v. Lateral Movement: Evaluate the ability to move laterally within the network after initial compromise, including any paths from the IT network into the OT network.

vi. Data Exfiltration: Simulate data exfiltration scenarios to test data security, using non-sensitive test data agreed under the rules of engagement.

3.3.1.2 Methodology

The following approach is broadly suggested:

i. Pre-engagement: Agree on the rules of engagement and define the testing scope, objectives, and constraints in consultation with the utility; identify the key systems, networks, and applications to be tested.

ii. Reconnaissance: Gather information about the internal network, systems, and users to identify potential targets and vulnerabilities.

iii. Vulnerability Identification: Scan for and identify security weaknesses within the internal environment.

iv. Exploitation: Attempt to exploit identified vulnerabilities to gain unauthorized access, escalate privileges, or move laterally within the network.

v. Post-Exploitation: Assess the potential impact of successful exploitation, including access to sensitive data, disruption of services, or compromise of critical systems.

vi. Reporting: Document detailed findings, including exploited vulnerabilities, impact analysis, and remediation recommendations.

3.3.1.3 Deliverables

Penetration Testing Report: A comprehensive report detailing the tests performed, vulnerabilities exploited, and the impact on the organization.

Mitigation Strategies: Recommendations to mitigate identified risks, including policy updates and system configuration changes.

3.3.2 External Penetration Testing

Objective: To assess the organization's exposure to external threats by simulating real-world attacks against public-facing infrastructure.

3.3.2.1 Scope

The external PT covers:

i. Public-Facing IPs: All external IP addresses exposed to the internet.

ii. Web and Mobile Applications: Web applications and mobile applications accessible via the internet.

iii. Firewall and Security Devices: External security devices such as firewalls and IDS/IPS systems.

3.3.2.2 Activities

Testing will include:

i. Reconnaissance: Gather information about the target network and its public IPs.

ii. Port Scanning: Identify open ports and services on public-facing systems.

iii. Vulnerability Exploitation: Attempt to exploit known vulnerabilities in public-facing systems.

iv. Attack Simulation: Simulate various attacks such as SQL injection, cross-site scripting (XSS), and remote code execution (RCE).

v. Denial of Service (DoS) Testing: Simulate DoS attacks to assess system resilience, only within the testing windows and constraints agreed with the utility, since such tests can disrupt production services.

vi. Firewall and IDS/IPS Testing: Assess the effectiveness of perimeter defences.

3.3.2.3 Methodology

i. Preparation: Define the scope, identify public-facing assets, and establish testing
windows.

ii. Testing: Conduct external penetration tests using both manual techniques and automated
tools.

iii. Analysis: Analyse test results to identify vulnerabilities and potential security risks.

iv. Reporting: Document all findings and provide recommendations for improving external
security.

3.3.2.4 Deliverables

i. External Penetration Testing Report: A detailed report of the findings with recommendations for mitigating risks.

ii. Security Improvement Plan: A plan outlining steps to enhance the security posture of external-facing systems.

3.4 Website/Web Application Assessment

Objective: To ensure the security of web applications through a detailed assessment of their security posture. The OWASP guidelines (such as the OWASP Testing Guide listed in Section 3.7) may be used.

3.4.1 Scope

This should include:

i. Web and Mobile Applications: All publicly exposed web-based and mobile applications.

ii. APIs: Application Programming Interfaces (APIs) associated with the web applications.

3.4.2 Activities

The assessment will focus on:

i. Input Validation: Test for injection vulnerabilities such as SQL injection and cross-site scripting, and for other input validation flaws.

ii. Authentication and Session Management: Assess the security of authentication mechanisms and session management.

iii. Access Control: Test the effectiveness of access control measures (e.g., whether a user can reach other users' data or administrative functions).

iv. Security Misconfigurations: Identify misconfigurations that could lead to vulnerabilities.

v. Data Exposure: Test for sensitive data exposure and improper data handling.

vi. API Security: Assess the security of APIs associated with the web applications.

3.4.3 Methodology

i. Black Box Testing: Conduct testing without prior knowledge of the internal workings of the application.

ii. Gray Box Testing: Combine black box testing with partial knowledge of the application's internals (for example, test accounts or design documentation provided by the utility).

iii. Manual and Automated Testing: Use a combination of automated tools and manual techniques to identify vulnerabilities.

3.4.4 Deliverables

i. Web Application Security Report: A report detailing identified vulnerabilities, risk levels, and recommended mitigations.

ii. Compliance Check: Check the application against relevant security references such as the OWASP Top Ten and document any gaps.

3.5 Resolution, Compliance, and Closure of Cybersecurity Vulnerabilities

Objective: To ensure that identified vulnerabilities are properly closed and that compliance with the applicable requirements is demonstrated.

3.5.1 Scope

i. Vulnerability Closure: Suggestions and technical recommendations to close identified vulnerabilities, including patches and configuration changes.

ii. Compliance Assurance: Ensure that all remediation activities align with power sector requirements and relevant standards.

3.5.2 Deliverables

i. Remediation Report: A report detailing the remediation efforts and verifying the closure of identified vulnerabilities.

ii. Compliance Documentation: Documentation to support compliance as required by the utility.

3.6 Re-Scan

Objective: To verify that previously identified vulnerabilities have been effectively remediated.

3.6.1 Scope of Work

i. Re-Scan Activities: Conduct a follow-up assessment, after remediation, to confirm that all identified vulnerabilities have been resolved.

ii. Validation: Validate the effectiveness of the remediation efforts through a comprehensive re-scan covering every finding in the original report.

iii. Re-Scan Report: A report confirming the closure of vulnerabilities, listing any that remain open, and describing the overall improvement in security posture.

3.7 Standards and Guidelines

1. National Institute of Standards and Technology. (2008). NIST SP 800-115: Technical Guide to Information Security Testing and Assessment.

2. Open Web Application Security Project (OWASP). (n.d.). OWASP Testing Guide.

3. International Organization for Standardization. ISO/IEC 27001: Information technology – Security techniques – Information security management systems – Requirements.

4. SANS Institute. (n.d.). SANS Penetration Testing Methodology.

End of Document
