Three recommendations made to BC Hydro in assessing cybersecurity risks, maintaining an inventory of its hardware and software components, and implementing detection mechanisms

OFFICE OF THE AUDITOR GENERAL:

We found that BC Hydro is effectively managing cybersecurity risk by detecting and responding to cybersecurity incidents on the parts of its electric power system covered by mandatory reliability standards — standards which are accepted across Canada and the U.S. 

But components that don’t fall under the mandatory standards may be vulnerable to cybersecurity threats and should be monitored.

The components that BC Hydro isn’t looking at—generally equipment of lower power capacity—may allow cybersecurity incidents to cause localized outages and, in aggregate, could have a large effect on the overall power system.

Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks. A strong capability for cybersecurity monitoring and response is fundamental to good cybersecurity practice.

We focused on how BC Hydro is managing the cybersecurity risks to its industrial control systems, which form an integral part of its electric power infrastructure.

Through an extensive electric power system, BC Hydro provides electricity to 95% of the people in British Columbia. The system is considered “critical infrastructure” because it affects every aspect of our lives and is essential to our economy.

For security reasons, we don’t disclose findings that could expose details of BC Hydro’s power system. As such, we provided BC Hydro with a detailed technical report that specifically outlines the findings and recommendations.

Overall, we made three recommendations to BC Hydro in this report around assessing the cybersecurity risks, maintaining an inventory of its hardware and software components, and implementing detection mechanisms and monitoring, in real time.

To watch a short video regrading this report, CLICK HERE