Three recommendations made to BC Hydro in assessing cybersecurity risks, maintaining an inventory of its hardware and software components, and implementing detection mechanisms
OFFICE OF THE AUDITOR GENERAL:
We found that BC Hydro is
effectively managing cybersecurity risk by detecting and responding to
cybersecurity incidents on the parts of its electric power system covered by
mandatory reliability standards — standards which are accepted across Canada
and the U.S.
But components that don’t fall under the mandatory standards may
be vulnerable to cybersecurity threats and should be monitored.
The components that BC Hydro
isn’t looking at—generally equipment of lower power capacity—may allow
cybersecurity incidents to cause localized outages and, in aggregate, could
have a large effect on the overall power system.
Cybersecurity is no longer only
about prevention, but also about quickly detecting and responding to attacks. A
strong capability for cybersecurity monitoring and response is fundamental to
good cybersecurity practice.
We focused on how BC Hydro is
managing the cybersecurity risks to its industrial control systems, which form
an integral part of its electric power infrastructure.
Through an extensive electric
power system, BC Hydro provides electricity to 95% of the people in British
Columbia. The system is considered “critical infrastructure” because it affects
every aspect of our lives and is essential to our economy.
For security reasons, we
don’t disclose findings that could expose details of BC Hydro’s power system.
As such, we provided BC Hydro with a detailed technical report that
specifically outlines the findings and recommendations.
Overall, we made three
recommendations to BC Hydro in this report around assessing the cybersecurity
risks, maintaining an inventory of its hardware and software components, and
implementing detection mechanisms and monitoring, in real time.
To watch a short video regarding
this report, CLICK HERE