BC Hydro needs to beef up protection, response to cyber attacks: B.C.’s AG

VICTORIA (NEWS 1130) – BC Hydro has some work to do detecting and reacting to cyber attacks. After taking a close look at what the company is doing, B.C.’s auditor general has three recommendations for improvement.

“This is not an immediate alarm bell for people out there,” said Carol Bellringer, who notes BC Hydro is meeting mandatory standards for cyber attack detection for components connected to energy delivery out of province.

But she says the corporation needs to do the same across the board. “The risk is there are further attacks that have yet to be activated so that they remain undetected.”

“The components that BC Hydro isn’t looking at is generally components of lower-power capacity can, in aggregate, have an overall impact on the overall power system and may allow cyber security incidents to could cause localized outages,” Bellringer added.

Bellringer says Hydro should have real-time detection and monitoring and inventory of components beyond what’s mandatory — and do an overall assessment of cyber security risk and reaction ability.

The auditor general has recommended that BC Hydro:

  • assess cybersecurity risk over its entire industrial control systems (ICS) environment to ensure appropriate detection and response measures are implemented.
  • maintain an inventory of hardware and software components, including their configuration settings, for all ICS-related systems and devices, regardless of whether they currently fall under the mandatory standards.
  • implement detection mechanisms and monitor, in real time, for anomalous activity on ICS-related systems and devices not currently under the mandatory standards.

For security reasons, specific details of what the audit uncovered are only being released to the corporation — not to the general public.

BC Hydro says it is constantly working to ensure its systems are protected. The utility points to several steps it has recently taken to improve cyber security:

  • investing $30 million over two years to strengthen our physical and cybersecurity controls that are mandated by law in B.C.
  • completing penetration testing on our critical control systems, which has not revealed any vulnerability
  • creating a cyber operations centre so that a team is in place and ready to respond in the event of an incident.

BC Hydro says there are measures in place to avoid system-wide impacts.

It says it is working on a plan to address the report’s recommendations, “including taking immediate steps to continue to expand our monitoring and detection capabilities to all BC Hydro facilities.”
