Vertical
Electric Utilities
Illumant provides compliance and security assessment services to electric utilities — NERC-registered entities of every size, from investor-owned utilities to municipal utilities, cooperatives, and renewable IPPs.
The electric utility security landscape
The Bulk Electric System is one of the most critical and most targeted infrastructures in the country. NERC CIP exists because the consequences of a successful attack — physical damage to long-lead-time equipment, regional outages, cascading failure — are categorically different from a typical IT breach. The compliance regime is correspondingly strict: $1M-per-day-per-violation penalties, mandatory Regional Entity audits, and ever-tightening standards covering supply chain (CIP-013), cloud (CIP-011 updates), and physical attack (CIP-014).
Illumant works across the full spectrum of NERC-registered entities — investor-owned utilities, municipal utilities, electric cooperatives, generation owners and operators, transmission owners and operators, balancing authorities, and reliability coordinators. We meet you where you are: full CIP-C engagements for entities preparing for audit, targeted assessments for specific standards, and OT-aware testing that respects the constraints of operational environments.
Sub-segments we serve
Investor-owned utilities
Multi-state, vertically integrated utilities with high-impact BES Cyber Systems and the most aggressive Regional Entity audit posture.
Municipal & public power
City-owned utilities balancing CIP requirements with municipal budgeting and broader IT/OT integration.
Generation & IPPs
Independent power producers, including renewables (wind, solar) — generation-specific CIP applicability and OEM remote-access risk.
Transmission & distribution
TO/TOP and DP entities with substation security and physical-attack (CIP-014) considerations.
Cooperatives
Generation and distribution co-ops navigating CIP scope while serving rural customer bases.
IT/OT convergence — the harder problem
Purdue model
Level 0 (sensors/actuators) through Level 5 (enterprise IT) — we assess each, with special attention to the conduits between Levels 3 and 3.5.
OT vs. IT testing
Active scanning is rarely safe in OT. We use passive techniques and engineering-workstation analysis to assess risk without putting operations at risk.
Vendor remote access
OEM remote access is a top-three attack path against OT environments. CIP-005 and CIP-013 both touch it; we test it as both a compliance and a real-risk issue.
Engineering workstations
Engineering workstations bridge IT and OT and are a routine pivot point. They get specific attention in our CIP and OT assessments.
Popular assessment services
PSA
Perimeter Security Assessment & Penetration Testing
External perimeter testing — corporate IT, customer portals, MyAccount, outage-map infrastructure.
CASA
Critical Asset Security Assessment
Crown-jewel testing — EMS, OMS, SCADA front-ends, GIS, asset-management systems.
LANSA
LAN Security Assessment
Internal IT network testing — corporate side and the IT/OT boundary.
ADSA
Active Directory Security Assessment
Active Directory review — frequently the connective tissue between IT and OT.
NISA
Network Infrastructure Security Assessment
Network infrastructure review — routers, switches, firewalls, and OT/IT segmentation.
PhySA
Physical Security Assessment
Physical security review — substations, control centers, generation sites, CIP-014 alignment.
SocEng
Social Engineering
Phishing and pretext testing of corporate, dispatch, and field personnel.
PPPA
Policies, Procedures and Practices Assessment
Policies & procedures gap analysis aligned with CIP standards and NIST CSF.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.