OT Security · Energy Sector
EPDK Energy Cybersecurity Assessments
Perseus is an authorized assessor for the Turkish Energy Market Regulatory Authority (EPDK), conducting cybersecurity maturity assessments across all seven energy subsectors. Our Capability Maturity Model-based assessments help energy organizations meet regulatory requirements and strengthen their cybersecurity posture.
Energy Sector Cybersecurity Regulation
Overview
Turkey's energy sector represents critical national infrastructure that demands robust cybersecurity protection. The Energy Market Regulatory Authority (EPDK) has established comprehensive cybersecurity regulations requiring all energy sector organizations to undergo periodic cybersecurity assessments conducted by authorized assessment bodies.
These assessments use a Capability Maturity Model (CMM) approach to evaluate the cybersecurity capabilities of energy organizations across multiple domains. The maturity-based framework provides a structured path for continuous improvement, helping organizations progressively strengthen their cybersecurity posture while meeting regulatory compliance requirements.
Perseus is authorized to conduct EPDK cybersecurity assessments across all seven energy subsectors: electricity generation, electricity transmission, electricity distribution, natural gas distribution, natural gas storage, natural gas & crude oil transmission, and refinery. Our assessors bring deep expertise in both operational technology security and energy sector operations, enabling assessments that are technically rigorous and operationally informed.
Authorized Assessor
EPDK-authorized to assess all 7 energy subsectors
Maturity Model
Capability Maturity Model-based assessment methodology
Energy Expertise
Deep domain knowledge of energy sector operations and systems
Improvement Roadmap
Actionable recommendations for progressive maturity advancement
EPDK Authorization Certificate
Authorization
Perseus is authorized by EPDK as an auditor firm under the Energy Sector Cybersecurity Capability Model Regulation. Authorization certificate no. SGYM/1302572/BSF3L2MJ62P (issued 31.03.2026).
Seven Energy Subsectors
Coverage
Electricity Generation
Cybersecurity capability assessment for thermal, hydro, wind, solar, and other generation facilities and their control systems.
Electricity Transmission
Assessment of high-voltage transmission networks, substations, and energy management systems (EMS).
Electricity Distribution
Assessment of medium- and low-voltage distribution networks, SCADA systems, and smart-grid infrastructure.
Natural Gas Distribution
Evaluation of gas distribution networks, pressure-regulation stations, and metering infrastructure.
Natural Gas Storage
Assessment of underground and surface natural gas storage facilities and their control and monitoring systems.
Natural Gas & Crude Oil Transmission
Security assessment for high-pressure transmission pipelines, compressor and pumping stations, and pipeline SCADA.
Refinery
Cybersecurity capability assessment for refinery process control, safety instrumented systems, and plant automation.
Technical Controls by Sector, Class & Level
Control Coverage
Number of technical controls an organization must satisfy at each maturity level, by sector. Controls are cumulative — Class C must reach Level 1 (within 12 months), Class B Level 2 (18 months), and Class A Level 3 (24 months). The Additional column is an optional, advanced control set. Source: EPDK sector annexes (Ek-1–Ek-7).
Technical Control Domains
Assessment Framework
EPDK's capability maturity model organizes its technical controls into 13 domains, assessed across every energy sector.
Smart Device Security
Security of smart field devices and IIoT endpoints across the OT environment.
Physical Security
Physical access controls protecting control rooms, equipment, and network infrastructure.
Incident Management & Continuity
Detection, response, recovery, and operational continuity for OT cyber events.
Industrial Network Security
Segmentation, zone and conduit enforcement, and monitoring of OT networks.
Client & Server Security
Hardening and protection of OT workstations, servers, and HMIs.
Cybersecurity Risk Management
Risk identification, assessment, and treatment for industrial control systems.
Threat & Vulnerability Management
Threat intelligence, vulnerability identification, and remediation tracking.
Supply Chain & External Dependencies
Security of suppliers, service providers, and third-party connections.
Operations Security
Secure day-to-day operation, change windows, and operational procedures.
Identity & Access Management
Identity governance, privileged access, and remote access control for OT.
Asset, Change & Configuration
Inventory, configuration baselines, and change control of OT assets.
Human Resources Security
Personnel security, awareness, and role-based responsibilities.
PLC Security
Protection and secure configuration of programmable logic controllers.
Control Distribution by Domain
How each sector's technical controls are distributed across domains and maturity levels.
Number of technical controls in each domain for the selected sector, by the maturity level at which they are introduced. Source: EPDK sector annexes (Ek-1–Ek-7).
EPDK Assessment Process
Our Approach
Information
We create the audit project and capture the licensed organization's details, then assign the audit team — a lead auditor and at least one auditor — each verified for competence and bound by confidentiality and impartiality agreements before work begins.
Frequently Asked Questions
FAQ
EPDK (Enerji Piyasası Düzenleme Kurumu) is the Turkish Energy Market Regulatory Authority responsible for regulating and overseeing Turkey's energy markets. EPDK has established cybersecurity regulations requiring organizations operating in the energy sector to undergo periodic cybersecurity assessments. These assessments evaluate the cybersecurity maturity of energy sector organizations using a Capability Maturity Model approach, ensuring that critical energy infrastructure maintains an adequate cybersecurity posture.
Meet EPDK Cybersecurity Requirements
As an authorized EPDK assessor across all seven energy subsectors, Perseus provides expert cybersecurity maturity assessments that satisfy regulatory requirements and drive genuine security improvement.