The Site Security Vulnerability Assessment.
One engagement. Two disciplines. Broker-ready evidence of what a hostile actor could find about your site — and what a broker or underwriter can review before renewal.
Cable Theft at Unmanned UK Renewables Sites.
Patterns, Losses and Prevention.
A broker- and underwriter-facing analysis drawn from UK public data, trade reporting, vendor and field intelligence, and peer-reviewed crime-science literature. 25 pages · 35 sources · 80 KB PDF.
Aerial capture and threat intelligence — in one engagement.
Most drone operators don’t carry out intelligence work. Most security consultancies don’t fly. We do both, for one fixed price, in one site visit.
A fixed-scope, productised engagement built around a single day on site: a pre-visit OSINT (open-source intelligence — structured review of public sources: forums, marketplaces, leaked breach data, dark-web sites, Telegram channels and social media) and credential-exposure sweep, on-site aerial capture with 3D digital twin, structured physical walkdown, and a broker-ready briefing pack your broker can hand to the underwriter.
From brief to briefing pack.
Free scoping call. Asset, insurer concerns, site constraints. Fixed-price quote within 2 working days.
Pre-visit OSINT: public attack surface, breach-data credential checks, dark-web and Telegram-channel monitoring for solar-sector targeting chatter, geolocation and social signals.
One visit. Aerial capture, 3D digital twin, structured walkdown — fences, gates, lighting, sightlines, access control.
Dual-graded findings register, operator-owned control-review pathway across three horizons, and a one-page broker summary for underwriter handover.
Eight deliverables. One assessment.
Two grades on every finding.
Intelligence discipline requires two scores on every finding, not one. What’s the priority, and how firm is the evidence? We run both systems on every item in the report, and we keep them separate.
Keeping the two systems separate is why the findings stand up under broker and underwriter review — and why evidence-weak items are never weighted the same as evidence-strong ones. Source-reliability grading is applied under the methodology recognised in formal cyber threat intelligence (SANS GIAC GCTI · Treadstone 71 CTIA · UK PHIA framework).
What an entry in the register looks like.
Two specimen findings in the register format — one physical, one OSINT. Dual grading, source trail and control-review horizon on every entry. The examples below are illustrative; site names, identifiers and dates are fictional.
40-metre gap between camera NE-1 and NE-2 coverage cones. Access-track terminus is unmonitored. Perimeter visibility interrupted by poplar line; night-time PIR lighting does not extend across gap.
On-site walkdown · aerial capture ref. DT-2140 · daylight and after-dark lighting walk.
The operator may refer this finding to a qualified CCTV/security and electrical contractor to verify camera coverage, lighting coverage and operational requirements. Critical Asset does not specify the design response or assess control adequacy.
Shared service address facilities@[client-domain] appears on a 2024 credential dump with plaintext password. Cross-checked against 2025 dark-web references — the mailbox address continues to appear in relevant exposure sources. Credential validity is untested. Potential re-use across site authentication and supplier portals.
Breach dataset ref. DWD-2024-Q2 · corroborating dark-web ref. DW-2025-09-14.
The operator may refer this finding to its IT/security function or a qualified cyber provider to confirm credential status and determine any appropriate account, MFA, supplier-portal or incident-response steps. Critical Asset does not test credential validity and does not certify the status of any account.
A standalone single-page extract: top findings, dual-graded, aggregate risk rating, operator-owned control-review pathway and insurer-relevant callouts. Built for renewal handover — so the broker or underwriter can understand the headline position before reviewing the full pack if required.
Specimen content throughout. Both downloadable specimens are linked further down this page.
- A structured set of observations, banded for risk priority and source-graded for evidence confidence.
- Control-review areas against each finding — for client and adviser consideration, not specifications or fix-by-date commitments.
- A snapshot in time, valid until material site, threat-actor or breach-data conditions change.
- Not a chartered security-engineering specification or a CSyP/SyI consultant’s opinion.
- Not a guarantee against incident, and not a numerical risk score — priorities are banded judgements.
- Not a fix-by-date deadline. Horizons are indicative sequencing; control choices, design and timing remain with the client and its qualified advisers.
Two specimen PDFs you can download.
Most prospective broker, underwriter and asset-owner readers have never seen this category of deliverable before. Rather than describe it, here it is. Both PDFs are watermarked SPECIMEN on every page and use fictional site, operator and source detail — the structure, grading, scope boundary, broker one-pager and chain-of-custody anatomy match what a real engagement produces.
Specimen SSVA — report format
A specimen example of the SSVA report anatomy — cover, executive summary, dual-graded findings register, two deep-dives, annotated site schematic, OSINT summary, operator-owned control-review pathway, standalone broker one-pager, chain-of-custody and source-list appendices. This is a format sample only.
Specimen SSVA — engagement report
A fuller fictional worked example showing how a single site visit flows into the final deliverable — on-day weather, the tractor-on-the-access-track delay logged in chain-of-custody, the full five-question operator interview, four graded findings and broker handover material.
Both PDFs are illustrative only and are not engagement evidence. Asset, operator, kit serials, interview content and findings are fictional — modelled on the structure of a Critical Asset SSVA and on publicly reported UK renewables risk patterns. For an actual engagement quote or to discuss the deliverable for a specific asset, contact info@criticalasset.co.uk.
Illustrative economics.
A day’s revenue, in context.
Three indicative UK solar profiles at recent wholesale and PPA pricing — ~£75/MWh blended, ~11% capacity factor, ~£10k/MW/year OPEX. Day-rate figures are revenue, not net profit (debt structure varies widely). The point is the order of magnitude an underwriter or asset owner is reading off.
Illustrative loss range, drawn from reported UK insurance, police and industry examples for cable theft, copper theft and arson at unmanned renewables sites. The ratio divides the lower and upper bounds of that range by our £3,950 Complex-tier fee. Not a guarantee. Actual loss exposure depends on site capacity, downtime, repair cost, location, incident history and insurer requirements. We quote against your scope, not a model.
- ✗ Credential testing or password validation
- ✗ Penetration testing of OT/SCADA systems
- ✗ Hardware vulnerability assessment
- ✗ Panel performance or thermal efficiency work
- ✗ Anything touching live operational technology
- ✗ Infiltration of closed dark-web forums or Telegram groups — monitoring is restricted to publicly accessible sources
We identify credential and infrastructure exposure — we do not test, validate or authenticate with it. If intrusive cyber testing is needed, we recommend that the client instruct an appropriately accredited cyber provider, such as a CREST-accredited firm. Scope remains limited to evidence capture, intelligence-led assessment and operator-review reporting.
Credential exposure checks use lawful, publicly available intelligence sources and licensed breach datasets. We do not test, validate or attempt to authenticate with any credential we identify. Plaintext passwords are never reproduced in client reports.
Where a credential is found exposed, the report contains only risk-relevant indicators — account type, exposure context, source confidence (Admiralty grade), likely business impact and operator-review considerations. Personal data is processed under UK GDPR; see the privacy notice for the lawful basis and retention.
CREDENTIAL: OSINT and threat-intelligence work is performed under SANS Institute methodology (GIAC GCTI + GOSI certified) and Treadstone 71 Certified Threat Intelligence Analyst tradecraft — aligned with the UK Professional Head of Intelligence Analysis (PHIA) framework used across UK government intelligence functions.
Transparent pricing, every engagement.
Before you enquire.
The questions buyers ask most often before signing — answered honestly.
How long is the Assessment valid for?
How is this different from a standard drone inspection?
Will my insurer recognise the Admiralty grading?
What’s not covered?
How fast can you deliver?
If your site has already been hit, the Assessment isn’t the right starting point.
Cable theft, arson or vandalism in the last few days needs Incident Response: rapid aerial documentation, an OSINT indicator review for targeting, opportunistic or cluster-linked indicators, and a broker- and insurer-facing evidence pack. The Assessment is what comes next — preventing the second hit, with a discount applied if signed within 30 days of an incident engagement.