Energy Cybersecurity Risk Assessment Checklist Template | Energy Templates

Asset Identification & Inventory

1 of 10

Identify critical energy assets and maintain a comprehensive inventory including hardware, software, and data locations.

Asset Name

Asset ID

Asset Description

Asset Type (e.g., Turbine, Substation, Solar Panel)

Turbine

Substation

Solar Panel

Wind Turbine

Generator

Transformer

Date of Last Inventory Update

Asset Location (GPS Coordinates)

Asset Documentation (Manuals, Schematics)

Network Security

2 of 10

Assess network segmentation, firewall configurations, intrusion detection/prevention systems, and remote access controls.

Firewall Rule Count

Firewall Vendor

Cisco

Palo Alto

Fortinet

Check Point

Other

Network Segmentation Zones

OT Network

IT Network

DMZ

Guest Network

Last Firewall Rule Review Date

Description of Network Segmentation Strategy

Intrusion Detection System (IDS) Status

Active

Inactive

Needs Review

Number of VPN Connections

Endpoint Security

3 of 10

Evaluate endpoint protection, vulnerability scanning, patch management, and mobile device security policies.

Last Vulnerability Scan Score

Last Patching Date

Antivirus Software

Enabled

Disabled

Not Installed

Software Updates Enabled?

Automatic

Manual

Disabled

Latest Endpoint Security Report

Firewall Status

Enabled

Disabled

Number of Active EDR Agents

Data Security & Privacy

4 of 10

Review data encryption, access controls, data loss prevention measures, and compliance with data privacy regulations.

Data Encryption Status

Fully Encrypted

Partially Encrypted

Not Encrypted

Number of Data Breaches (Last Year)

Data Privacy Regulations Compliance

GDPR

CCPA

NERC CIP

Other

Data Classification Policy Description

Access Control Review Frequency

Monthly

Quarterly

Annually

Last Data Privacy Impact Assessment Date

Identity & Access Management (IAM)

5 of 10

Assess user account management, authentication methods (MFA), privileged access management, and role-based access control.

Authentication Method Used

Password

Multi-Factor Authentication (MFA)

Biometrics

Certificate-Based Authentication

Number of Active User Accounts

Privileged Access Management (PAM) Implementation

Implemented

Partially Implemented

Not Implemented

Last Password Policy Review Date

Account Access Review Frequency

Monthly

Quarterly

Annually

Ad Hoc

Description of Role-Based Access Control (RBAC) Model

Typical Time for User Account Provisioning

Account Lockout Policy Enforced?

Yes

Supply Chain Risk Management

6 of 10

Evaluate cybersecurity practices of third-party vendors and service providers involved in the energy supply chain.

Vendor Tier Level

Tier 1 (Critical)

Tier 2 (Important)

Tier 3 (Supporting)

Vendor Risk Score (1-10)

Vendor Cybersecurity Assessment Completed?

Yes

Pending

Last Cybersecurity Assessment Date

Summary of Vendor Cybersecurity Assessment Findings

Vendor Cybersecurity Assessment Report

Key Services Provided by Vendor

Software Development

Data Storage

Network Services

Physical Security

Remediation Plan for Identified Risks (if any)

Incident Response & Recovery

7 of 10

Review incident response plans, disaster recovery procedures, and business continuity planning for cybersecurity events.

Date of Incident

Time of Incident

Detailed Description of Incident

Incident Severity Level

Low

Medium

High

Critical

Systems Affected

SCADA

Historian

Network Infrastructure

Workstations

Cloud Services

Containment Actions Taken

Eradication Actions Taken

Recovery Actions Taken

Estimated Downtime (hours)

Incident Responder Signature

Security Awareness & Training

8 of 10

Assess the effectiveness of cybersecurity awareness training programs for employees and contractors.

Number of Employees Trained (Last Year)

Training Delivery Method (Select all that apply)

Online Modules

Classroom Sessions

Phishing Simulations

Tabletop Exercises

Date of Last Cybersecurity Awareness Training

Summary of Key Training Topics Covered

Frequency of Refresher Training (Choose one)

Annually

Bi-Annually

Quarterly

Training Content Topics (Select all that apply)

Phishing Awareness

Password Security

Malware Prevention

Data Privacy

Social Engineering

Regulatory Compliance

9 of 10

Verify adherence to relevant cybersecurity regulations and industry standards (e.g., NERC CIP, GDPR).

Applicable Regulations (Select all that apply)

NERC CIP

FERC Regulations

State-Specific Energy Regulations

GDPR (if applicable)

Other (Specify in Long Text)

Specify 'Other' Regulations (if selected)

Last Compliance Audit Date

Audit Score (if applicable)

Upload Compliance Documentation

Compliance Status

Compliant

Non-Compliant

Partial Compliance

Details of Non-Compliance (if applicable)

Physical Security

10 of 10

Evaluate physical access controls, surveillance systems, and security measures protecting energy infrastructure.

Location of Main Control Room

Number of Security Cameras (Active)

Type of Perimeter Fencing

Chain-link

Welded Mesh

Concrete Wall

None

Date of Last Perimeter Fence Inspection

Access Control Methods Employed

Keycards

Biometrics

PIN Codes

Guards