Is Manitoba Hydro prone to a cyber-attack? Could the lights go off because of a hacker, terrorist, disgruntled employee or hostile government? Or could simple equipment failure or bad weather cause havoc?
That's what the province's auditor general set out to find in an examination of the Crown corporation's fail-safes in its industrial control systems (ICS).
Auditor general Carol Bellringer said ICS controls and monitors much of Hydro's electrical generation, transmission and natural gas distribution system.
"Everything going into the electrical system has a computer control that's really critical," she said. "What we found (was) the attention to the full risks was insufficient."
Specifically, the audit looked at Hydro's compliance to the North American Electric Reliability Corporation's (NERC) critical infrastructure protection standards, which include cyber-security control.
The audit sets out a number of recommendations Hydro should follow to meet NERC compliance -- recommendations the utility says it's already addressing.
They include conducting an internal assessment of its ICS cyber-security risks, including cyber-security as a corporate risk, and assigning corporate-wide cyber-security to one executive and corporate-wide physical security to one executive. It should also develop and deliver a security training and awareness program for all staff involved with ICS systems.
Why does it matter?
"To monitor and control the generation, transmission and distribution of electricity, as well as the distribution of natural gas, Manitoba Hydro uses many industrial control systems (ICS)," said the Office of the Auditor General. "We chose to audit Manitoba Hydro's ICS systems because of the significant impact that a loss in the reliable flow of power and gas can have on public safety and on the provincial economy.
"ICS systems control and monitor actual physical devices that, if compromised, could result in unintentional and/or inappropriate commands that could lead to equipment malfunction, causing significant risk to the health and safety of Manitobans as well as the environment. It is essential that the risks to ICS systems are properly managed."
Source: the Office of the Auditor General