BC Hydro is doing a good job protecting core components of its system from hackers, but may be vulnerable in other areas, according to a new report from B.C.’s auditor general.
The utility has the ability to both detect and respond to cyber attacks on key parts of its industrial control system (ICS) that are governed by North America-wide reliability standards, the auditor general said.
However, the audit also found that most smaller, localized components of BC Hydro’s system that aren’t governed by those standards may be vulnerable to malicious attackers.
According to the report, the components the utility isn’t looking at, mostly lower power capacity equipment, could allow malicious actors to cause localized power outages, and enough such outages could cause risks to the larger system, or even a cascading failure into Alberta or the U.S.
“Globally, the energy sector is one of the most cyberattacked of all critical infrastructure sectors,” wrote Auditor General Carol Bellringer.
“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks — because some are almost certain to get through.”
Details of the report were communicated to the public only in broad strokes, due to the potential to alert malicious actors to vulnerable areas. A detailed technical report was forwarded to BC Hydro.
However, the Auditor General’s Office is making three public recommendations.
First, it advises that BC Hydro work on assessing its cybersecurity risk to ensure appropriate detection and response measures are implemented.
Second, it recommends the utility keep an inventory of its hardware and software components, whether they are covered by North American mandatory standards or not.
Finally, the auditor general recommends BC Hydro implement real-time detection mechanisms and monitoring for unusual activity on parts of the system that aren’t currently covered by those standards.
In its response to the report, BC Hydro says it has invested $30 million in security over the last two years, and that it has a well-developed and effective cybersecurity program.
However, it acknowledged the need to extend its cybersecurity practices and accepted the recommendations to assess risk over parts of the system not covered by current standards.
It said it also accepted the recommendation to maintain an inventory of hardware and software components, and where technically possible, to extend real-time monitoring and detection to systems not currently covered.