BC Hydro is not effectively managing parts of the power grid that could be susceptible to cyberattacks, the province’s auditor general said Tuesday.
Carol Bellringer’s new audit said the Crown utility is failing to look at grid areas that generally consist of equipment of lower power capacity. And that, Bellringer said, might allow targeted cybersecurity incidents to cause localized outages. Those, in turn, could affect the system as a whole.
“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks,” Bellringer said. “A strong capability for cybersecurity monitoring and response is fundamental to good cybersecurity practice.”
“A major power failure could cause significant interruptions and tremendous losses to businesses and people in B.C.,” her report said.
The audit focused on how BC Hydro is managing the cybersecurity risks to its industrial control systems, which Bellringer said are an integral part of its electric power infrastructure.
With the system providing power to 95 per cent of British Columbians, Bellringer said the system is considered “critical infrastructure.”
The auditor general made three recommendations for assessing cybersecurity risks: maintaining an inventory of BC Hydro’s hardware and software components, implementing detection mechanisms and monitoring in real time.
Bellringer found BC Hydro:
• has a well-developed program to prepare for cybersecurity incidents, but it is missing some key information resources;
• can’t monitor for some cybersecurity incidents, as it is missing detection mechanisms and monitoring on some system components;
• can respond to the cybersecurity incidents it detects;
• has the capability to respond and recover when an incident occurs; and
• has processes in place to improve its responses to cybersecurity incidents.
Responding to Bellringer’s report, BC Hydro said it has a well-developed cybersecurity incident program and is able to respond to cybersecurity incidents.
“After investing over $30M over two years in our cyber and physical security programs, BC Hydro is operating within the mandatory standards and the legal requirements in British Columbia,” the utility said. “BC Hydro has ongoing programs to meet anticipated compliance requirements as they become law in British Columbia.”
The utility agreed its cybersecurity practices should consider all aspects of industrial control systems, beyond those that affect the critical facilities involved in the production and distribution of power.
“We will extend our assessment of cybersecurity risks to areas of the power system not already covered by mandatory standards and legal requirements in British Columbia,” it said.
A U.S. cybersecurity expert speaking in Vancouver last week said power grids could be brought down through component parts.
Eric O’Neill, a former FBI agent and cyberspy hunter, said such countries gather information on infrastructure such as power systems.
“The next war won’t be fought with bullets and guns,” he said.
Instead, O’Neill said, it will be fought with information – with data attacks on systems such as water, electricity and other networks.
He said the only thing saving the U.S. electricity grid from complete vulnerability to cyberattacks is that it remains decentralized – as is much of Canada’s.
And, said Bellringer, BC Hydro can’t be sure of cybersecurity risk levels until it assesses risk for its entire network and not just the systems that fall under the mandatory standards.
Globally, she said, the energy sector is among the most frequent targets of cyberattacks levelled at critical infrastructure sectors.
Public Safety Canada lists energy and utilities first on its list of critical infrastructure sectors – followed by information and communication technology, finance, manufacturing, food, safety, government, transportation, health and water.
B.C.’s power grid is connected with those of Alberta, 14 western states in the United States, and the northern portion of Mexico’s Baja California state.
“The interconnections of all the grids allow transmission of power throughout the western region and enables BC Hydro to ensure electrical energy is continuously available in B.C.,” Bellringer’s report said.
Standards have been set for North America and are administered by the U.S.-based Western Electricity Coordinating Council.
Bellringer said BC Hydro’s security does cover the interconnections and there is a small chance an attack on B.C. could cascade into the wider system.
Note: This story has been updated with a response by BC Hydro.