BC Hydro is not effectively managing parts of the power grid that could be susceptible to cyberattacks, the province’s auditor general said Tuesday.
Carol Bellringer’s new audit said the Crown utility is failing to look at parts of the grid that generally consist of equipment of lower power capacity. And that, Bellringer said, might allow targeted cybersecurity incidents to cause localized outages. Those, in turn, could affect the system as a whole.
“Cybersecurity is no longer only about prevention, but also about quickly detecting and responding to attacks,” Bellringer said. “A strong capability for cybersecurity monitoring and response is fundamental to good cybersecurity practice.”
“A major power failure could cause significant interruptions and tremendous losses to businesses and people in B.C.,” her report said.
The audit focused on how BC Hydro is managing the cybersecurity risks to its industrial control systems, which Bellringer said are an integral part of its electric power infrastructure.
Because the system provides power to 95 per cent of British Columbians, Bellringer said, it is considered “critical infrastructure.”
The auditor general made three recommendations for assessing cybersecurity risks: maintaining an inventory of BC Hydro’s hardware and software components, implementing detection mechanisms and monitoring in real time.
Bellringer found BC Hydro:
- has a well-developed program to prepare for cybersecurity incidents, but it is missing some key information resources;
- can’t monitor for some cybersecurity incidents, as it is missing detection mechanisms and monitoring on some system components;
- can respond to the cybersecurity incidents it detects;
- has the capability to respond and recover when an incident occurs; and
- has processes in place to improve its responses to cybersecurity incidents.
A U.S. cybersecurity expert speaking in Vancouver last week said power grids could be brought down through component parts.
Eric O’Neill, a former FBI agent and cyberspy hunter, said such countries gather information on infrastructure such as power systems.
“The next war won’t be fought with bullets and guns,” he said.
Instead, O’Neill said, it will be fought with information – with data attacks on systems such as water, electricity and other networks.
He said the only thing saving the U.S. electricity grid from complete vulnerability to cyberattacks is that it remains decentralized – as is much of Canada’s.