The Office of the Auditor General of British Columbia has released a new report: Detection and Response to Cybersecurity Threats on BC Hydro’s Industrial Control Systems.
The audit found that BC Hydro is effectively managing cybersecurity risk by detecting and responding to cybersecurity incidents on the parts of its electric power system covered by mandatory reliability standards – standards that are accepted across Canada and the U.S. But components that do not fall under the mandatory standards may be vulnerable to cybersecurity threats and should be monitored.
The components that BC Hydro is not looking at – generally equipment of lower power capacity – may allow cybersecurity incidents to cause localized outages and, in aggregate, could have a large effect on the overall power system.
“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks.” said Carol Bellringer, auditor general. “A strong capability for cybersecurity monitoring and response is fundamental to good cybersecurity practice.”
The audit focused on how BC Hydro is managing the cybersecurity risks to its industrial control systems, which form an integral part of its electric power infrastructure. Through an extensive electric power system, BC Hydro provides electricity to 95% of the people in British Columbia. The system is considered “critical infrastructure” because it affects every aspect of life and is essential to the economy.
For security reasons, the office does not disclose findings that could expose details of BC Hydro’s power system. As such, the office provided BC Hydro with a detailed technical report that specifically outlines the findings and recommendations.
Overall, the office made three recommendations in its report around assessing the cybersecurity risks, maintaining an inventory of BC Hydro’s hardware and software components, and implementing detection mechanisms and monitoring, in real time.
The full report is available on the Office of the Auditor General website.