Client Background
Ukrhydroenergo is the largest hydroelectric power generating company in Ukraine operating 10 power plants.
The total capacity of 104 hydro units installed at the company’s power plants is 6,208.3 MW which is 8% in the total energy balance of the country.
Project trigger
The client recognized the critical importance of securing their IT, as well as their cybersecurity infrastructure. The primary objective was to identify existing vulnerabilities, and to assess the ability to gain SCADA network unauthorized access.
Solution
A comprehensive penetration testing engagement was undertaken. Testing included network and application levels, organizational security aspects, and existing processes. Two phases were conducted – first on externally accessible systems, and second on the internal corporate network, focusing on SCADA attacks. BlackBox and GreyBox approaches used.
Methodologies
Our pentesting methodology is based on leading standards like PTES, NIST SP 800-115, OSSTMM, OWASP and improved by our own 15 years of experience
Tools used
During pentesting, a full set of common pentester tools was used, but the main key to success was manual analysis, interconnecting individual vulnerabilities exploitation results to escalate privileges and demonstrate practical IT-infrastructure compromise
Results
The engagement provided invaluable insights into vulnerabilities and potential attack vectors that could compromise the client’s critical infrastructure and gain unauthorized SCADA access.
Detailed recommendations and remediation strategies were provided to address vulnerabilities, enabling the client to prioritize and implement necessary security enhancements. The assessment also highlighted areas for improving information security processes, controls, and overall cybersecurity posture.
By addressing the findings, the client can significantly reduce cyber threats, safeguard critical infrastructure, and ensure continuity and reliability of hydropower operations.
