Which statement best describes vulnerability assessment vs penetration testing in a utility context?

Multiple Choice

Which statement best describes vulnerability assessment vs penetration testing in a utility context?

Explanation:

Understanding the difference between vulnerability assessment and penetration testing helps utilities plan effective risk actions. A vulnerability assessment focuses on finding weaknesses in systems, networks, and configurations using automated scanners, threat intel, and best-practice checks. It collects a list of known vulnerabilities, often with severity ratings, to help prioritize what to fix based on exposure and potential impact.

Penetration testing takes the next step by actively trying to exploit those weaknesses in a controlled, authorized test. The goal is to prove whether a vulnerability can actually be used to gain access, escalate privileges, or disrupt operations. This validates the real risk rather than just knowing a vulnerability exists, which is crucial in a utility environment where the ability to exploit a flaw translates to tangible impact on safety, reliability, and uptime.

So the best statement captures both parts: identifying known weaknesses and attempting to exploit them to confirm exploitable risk. In practice, the other ideas—treating the two as the same, limiting testing to configuration checks, or implying vulnerability assessment designs new controls—don’t fit because they misstate the purpose and outcomes of these activities.