In a new report, the Office of the Auditor General of British Columbia said that Canadian provincial utility BC Hydro is effectively managing cybersecurity risk by detecting and responding to incidents on the parts of its electric power system covered by mandatory reliability standards, but components that don’t fall under the mandatory standards may be vulnerable to cybersecurity threats and should be monitored.
In “Detection and Response to Cybersecurity Threats on BC Hydro’s Industrial Control Systems,” the auditor found that these components, generally equipment of lower power capacity, may allow cybersecurity incidents to cause localized outages and, in aggregate, could have a large effect on the overall power system.
The office made three recommendations: assessing the cybersecurity risks, maintaining an inventory of BC Hydro’s hardware and software components, and implementing detection mechanisms and monitoring in real time.
“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks,” said Carol Bellringer, auditor general. “A strong capability for cybersecurity monitoring and response is fundamental to good cybersecurity practice.”
BC Hydro provides electricity to 95% of the people in British Columbia. The audit focused on how BC Hydro is managing the cybersecurity risks to its industrial control systems, which form an integral part of its electric power infrastructure. The utility’s extensive electric power system is considered “critical infrastructure” because it affects every aspect of life and is essential to the economy, according to a press release.
BC Hydro issues statement
BC Hydro issued a statement in response to the auditor general’s report:
Providing safe, reliable electricity to our customers is BC Hydro’s top priority. That is why the security of our grid is so important and we are constantly working to improve our cybersecurity programs to ensure our systems are protected.
BC Hydro has taken a number of steps recently to improve cybersecurity, including:
- Investing $30 million over two years to strengthen our physical and cybersecurity controls that are mandated by law in B.C.;
- Completing penetration testing on our critical control systems, which has not revealed any vulnerability; and,
- Creating a cyber operations centre so that a team is in place and ready to respond in the event of an incident.
We’re pleased the Auditor General’s audit concluded that our cybersecurity programs are well-developed and we have measures in place to avoid system-wide impacts. We are developing a plan to address the report’s recommendations, including taking immediate steps to continue to expand our monitoring and detection capabilities to all BC Hydro facilities.