Compliance · Energy

EPDK-compliant ICS penetration testing

Under EPDK Board Decision No. 11956, we carry out security analysis and penetration testing on SCADA and industrial control systems without putting production at risk.

Board Decision 11956 · ICS / SCADA focused · Minimal impact on OT · TSE 13638 certified

Legal Basis
EPDK · Energy ICS security
Regulation: Board Decision 11956 (ICS Security Analysis Principles)
Official Gazette: 16.07.2023, No. 32250
Scope: ICS / OT (SCADA · PLC · RTU · HMI)
Maturity Model: 06.06.2023, Cybersecurity in Energy
01 — Overview

What is EPDK Compliant Penetration Testing?

EPDK penetration testing is the security analysis and penetration test that licensed energy organizations must perform on their Industrial Control Systems (ICS) under the "Procedures and Principles for Security Analysis and Testing of Industrial Control Systems Used in the Energy Sector", enacted by EPDK Board Decision No. 11956 dated 13 July 2023 (Official Gazette No. 32250 dated 16 July 2023).

The test scope covers operational technology (OT) components such as SCADA, DCS (Distributed Control Systems), PLC (Programmable Logic Controllers), RTU (Remote Terminal Units) and HMI (Human-Machine Interfaces). Unlike the classic IT-focused approach, it is conducted with an ICS-centric methodology and a minimal-intervention principle on live systems, without putting production continuity at risk.

02 — In Scope

Who Is Required to Comply?

The regulation covers licensees operating critical energy infrastructure. The main obligated organizations are:
Electricity generation plants with an installed capacity of 100 MWe and above, and plants with Black-Start capability
Electricity transmission and distribution license holders
Natural gas transmission license holders operating pipelines
Natural gas distribution license holders required to establish a dispatch control center
Natural gas storage (LNG and underground) license holders
Crude oil transmission license holders and refinery license holders
The scope of the obligation varies by facility type, installed capacity and criticality; the current version of EPDK legislation should be taken as the basis for the applicable scope.
03 — Technical Scope

EPDK Requirements

The test scope is ICS-centric and spans the industrial control systems themselves, the IT-OT transition points, incident response and continuous monitoring.

Critical Infrastructure & ICS Security

Verifying the resilience of SCADA, DCS, PLC, RTU and HMI components against unauthorized access, manipulation and service disruption. Segmentation and transition points between the IT and OT networks (DMZ, data diodes, remote access) are tested separately.

Regulatory Compliance

Compliance with EPDK Board Decision No. 11956 and the Energy Sector Cybersecurity Competency Model (6 June 2023). Findings are reported in a format suitable for EPDK and internal audit reviews.

Incident Response

Testing ICS-CERT (incident response team) processes and incident response plans against realistic attack scenarios; measuring detection, isolation and recovery capabilities.

Continuous Monitoring

Validating anomaly detection, log collection and security monitoring capabilities across the OT network; surfacing unmonitored assets and blind spots.

Reporting

A structured report suitable for EPDK reviews, including an executive summary, technical finding details, CVSS-based risk scores and prioritized remediation steps.

Risk Management

Building an ICS asset inventory, asset-threat mapping and risk mitigation tables; prioritizing identified vulnerabilities by business impact.

04 — Methodology

Testing Process

Our five-stage methodology conducts ICS security analysis without risking production and with minimal intervention on live systems.
1. Scope & ICS Inventory

Identifying the SCADA/DCS/PLC/RTU/HMI assets, network segments and remote access points to be tested; agreeing the test window and intervention limits with the operations team.

2. Security Analysis & Penetration Testing

Performing ICS network and architecture review, vulnerability scanning, wireless network tests, social engineering and controlled exploitation testing; prioritizing passive and low-impact techniques in the OT environment.

3. Vulnerability Validation & Analysis

Validating identified vulnerabilities by eliminating false positives, and assessing their exploitability and real business impact on the ICS.

4. Risk Scoring

Prioritizing findings based on CVSS and business impact; incorporating the energy continuity and safety dimension into the risk assessment.

5. Reporting & Verification Testing

Preparing a report suitable for EPDK reviews and confirming, via post-remediation retesting, that the vulnerabilities have been closed.

05 — Deliverables

Audit-ready deliverables

Every security analysis results in documents that the technical team can act on and that can also be submitted for EPDK review.

A comprehensive security analysis report suitable for EPDK reviews, with an executive summary and technical detail
A prioritized emergency action plan for critical findings
ICS inventory, risk assessment and risk mitigation tables
Post-remediation verification (retest) report and closure documentation
06 — FAQ

Your questions

Is EPDK penetration testing mandatory?
Yes. For licensed energy organizations within the scope of EPDK Board Decision No. 11956 dated 13 July 2023, ICS security analysis and penetration testing is a legal obligation — not an optional "best practice" but a responsibility defined by regulation.
Who is required to perform EPDK penetration testing?
The main obligated organizations are: electricity generation plants of 100 MWe and above, Black-Start plants, and electricity transmission/distribution license holders; natural gas transmission, dispatch-controlled distribution and storage (LNG/underground) license holders; and crude oil transmission and refinery license holders.
How often should EPDK penetration testing be performed?
In line with sector practice and the Cybersecurity Competency Model, it is recommended that tests be repeated at least once a year and whenever a significant change is made to the architecture or critical systems (e.g. a new SCADA component, remote access or cloud service going live). The exact period should be based on the EPDK legislation in force.
What is the scope of EPDK penetration testing?
The scope includes ICS network and architecture review, vulnerability scanning, wireless network penetration testing, social engineering testing, malware analysis and controlled exploitation testing. The test targets SCADA, DCS, PLC, RTU and HMI components as well as IT-OT transition points.
Which firms can perform EPDK penetration testing?
Security analyses and penetration tests should be performed by independent and competent firms holding TSE 13638 qualification. Experience in OT/ICS environments is critical for conducting testing without disrupting production.
Why does EPDK testing differ from classic IT penetration testing?
In OT/ICS systems, availability and safety take priority over confidentiality; aggressive scanning and exploitation can halt production. Therefore tests under EPDK prioritize passive/low-impact techniques, the test window is agreed in advance, and testing follows a minimal-intervention principle on live systems.
What is delivered after the test?
A structured security analysis report suitable for EPDK reviews, an executive summary, technical findings with CVSS-based risk scores, an ICS inventory with risk mitigation tables, and a post-remediation verification (retest) report are delivered.
Contact

Request a Meeting for EPDK Compliant Penetration Testing

Meet your energy sector security requirements
