How BC Hydro fares in managing its cyber security risk

British Columbia’s electric utility is managing its cyber security risk for system components that must conform to mandatory reliability standards, but not for components to which the standards do not apply, the province’s auditor general has found.

“We concluded that BC Hydro is effectively managing cybersecurity risk by detecting, and responding to, security incidents on its electric power infrastructure for system components where mandatory standards apply,” Auditor General Carol Bellringer wrote in Detection and Response to Cybersecurity Threats on BC Hydro’s Industrial Control Systems, released Tuesday. “However, it is missing the ability to detect cybersecurity incidents on most components where the standards do not apply. As a result, a security incident that goes undetected may cause localized power outages in B.C. and increases risks to the broader system.”

Components overlooked by BC Hydro are “generally equipment of lower power capacity.” The auditor general added that “for security reasons, we are not disclosing findings that could expose details of BC Hydro’s power system.” Instead, it provided the utility with a detailed technical report outlining the findings.

“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks,” Bellringer said in a press release Tuesday.

The audit focused on how BC Hydro is managing the cyber security risks to its industrial control systems (ICS), which form an integral part of the electric power infrastructure. The utility provides electricity to 95% of B.C. and is part of an interconnected power grid with Alberta and the western United States. “The standards BC Hydro follows help to prevent a power failure in B.C. from cascading to other parts of the grid outside of the province,” the report noted.

The auditor general recommended that BC Hydro:

• Assess cyber security risk over its entire ICS environment to ensure appropriate detection and response measures are implemented
• Maintain an inventory of hardware and software components, including their configuration settings, for all ICS-related systems and devices, regardless of whether they currently fall under the mandatory standards
• Implement detection mechanisms and monitor, in real time, for anomalous activity on ICS-related systems and devices not currently under the mandatory standards.

BC Hydro responded to the audit by saying it supports the recommendations and will implement them to the best of its abilities. “We will use a risk-based approach to prioritize mitigation measures where needed,” the utility said.