A Quebec-based consulting engineering firm has been awarded $160,000 to develop a model to help protect industrial control systems (ICS) of Canadian energy companies from cyber attacks.
BBA of Mont-Saint-Hilaire will use the money to hone an ICS cybersecurity risk methodology to help firms identify, assess and manage cyber risks associated with operational equipment.
BBA specializes in solutions for the energy and mining sectors. With ICS devices increasingly connecting to the internet their security has become vital.
“This important technology will protect the Canadian energy sector from cyber threats,” Natural Resources Minister Seamus O’Regan said in a statement. “This is how we ensure a secure and resilient sector.”
“More than ever, businesses are turning to digital technologies to make their operations smarter and more efficient – new technologies that surely bring great opportunities, but also carry their own set of risks,” said BBA president Andre Allaire in a statement. “It is with great pride that we were chosen by NRCan for our cybersecurity expertise and continue to be enthusiastic in helping raise awareness about the importance of protecting company operations, as well as workers, communities and the environment.”
Robert Wong, executive vice-president and CIO of Toronto Hydro welcomed the announcement. adding that it is long overdue. He noted in an email interview that the Ontario Energy Board (OEB) already compellsLocal Distribution Companies (LDC) like his utility to adopt a cybersecurity framework largely based on once created by the U.S. National Institute of Standards and Technology (NIST), which covers cybersecurity for operational IT networks and ICS.
Similarly, Canadian electricity generators and transmitters are subject to compliance with the North American Electric Reliability Corporation (NERC) standards. “Nevertheless,” Wong added, “any new government investment in improving the digital resilience of Canada’s energy systems is very welcome news.”
Historically cybersecurity was not a priority or an area of concern for ICS vendors, he noted. “In fact, many legacy ICS software products do not even have basic cybersecurity functionality to monitor and log transactions. Another challenge in protecting ICS is that they are typically operating critical business processes on a 24/7 basis, so taking them down for security patches or system upgrades are difficult to schedule. In some cases, old legacy ICS will remain unsecured until such time as the company finally replaces the old technology with new ICS software that comes with more robust security functionality.”
In an interview Jose Alvarado, BBA’s Calgary-based manager of ICS cybersecurity, said the first version of the methodology was published today. It came out of work done by BBA for itself. When the firm saw the government request for proposals the preliminary model was submitted for approval.
With the first version out BBA will consult with the energy industry on possible changes.
The money comes from $2.42 million over five years allocated in the 2018 federal budget for enhancing the cybersecurity and resilience of domestic and cross-border energy infrastructure under Canada’s National Cyber Security Strategy. In February the government said it was allocating $818,000 to the CIO Strategy Council to produce a series of cybersecurity standards for industrial Internet of Things devices in the North American electricity sector. This includes internet-connected machinery, infrastructure and advanced smart devices that collect, exchange and analyze data to enhance manufacturing, industrial processes and operational efficiencies.
The energy sector is one of 10 designated as critical infrastructure under Canada’s national cybersecurity strategy. The strategy helps companies within each sector collaborate on best practices. Within the strategy there is a Cyber Security and Critical Energy Infrastructure Program that funds research and development, processes for sharing knowledge and the setting of standards and best practices.
(This story has been updated from the original to add comments from Robert Wong and Jose Alvarado)