Enhancing cybersecurity protects our customers

At its best, the internet can seem like a window to the rest of the world. In reality, it’s more like a door.

A door connects the inside world to the outside world: the flow of traffic can be in or out. And if the internet is an open door to the rest of the world, any business — especially one responsible for critical infrastructure like a utility— needs to make sure it’s monitoring who’s coming through.

The ease and utility of all our connected devices can make it easy to forget the internet is a door to potential bad actors.

The ease and utility of all our connected devices can make it easy to forget the internet is a door to potential bad actors.

Among the thousands of miles of transmission and distribution lines, towers, substations, converter stations, generating stations, and everything in between, sensors and other devices connected to our telecommunications infrastructure feed data to computers that give us control and key information to manage and maintain our assets. In other words, they’re doors in need of intentional guarding.

“The integration of new technologies with Manitoba Hydro’s electric grid — and others we are connected to — will continue to create new opportunities and capabilities, but it also means increased risk because it creates more points of entry for cyber attackers,” said Matthew Szyda, who leads Manitoba Hydro’s Industrial Control Systems Cyber Security Risk Management Program (ICS CSRM). “Our cybersecurity measures — like all utilities across North America — needs to be that much stronger to protect us from bad actors and cyber threats.”

Formed in 2017, with representatives from key functional areas of the company, the ICS CSRM team’s main objective is to reduce the risk of a cyberattack on Manitoba Hydro’s critical infrastructure by performing risk assessments and developing new and enhanced security standards.

In particular, the team focuses on preventing loss of corporate information or assets, prolonged outages, and costly recovery efforts that could occur as a result of a successful cyberattack.

This focus has led to a few significant security changes and improvements:

  • Remote logins from certain countries have been blocked.
  • Only Manitoba Hydro issued and managed devices will be allowed to connect to our corporate network.
  • In the event we see an increase in cyber risks, we can immediately deactivate remote connections.
  • We’re enhancing cybersecurity awareness and training and making it easier for employees to report suspicious activity, spam, or phishing attempts to our Cyber Security Office.
  • We’re reviewing business impacts and business continuity planning in case of a significant cyber incident.

Manitoba Hydro also complies with the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements for cybersecurity, as monitored by the Midwest Reliability Organization (MRO), to help ensure the reliability and security of the Bulk Power System of North America. As part of these requirements, there are self-certifications, spot checks, and audits. Independent third parties regularly assess and verify the appropriateness and effectiveness of our cybersecurity controls, and we regularly report cybersecurity and mitigation actions to our regulator. Internally, we conduct annual assessments of how we’re complying with NERC CIP requirements for cybersecurity and updating processes, procedures, and practices as needed to support the ongoing compliance with these requirements.

It can’t — and won’t — stop there. One of the core mandates of Manitoba Hydro is electrical reliability, and that means keeping a steady flow of electricity to all our customers. And as Szyda said:

“For as long as we’ll be talking about system reliability, we’ll be talking about cybersecurity.”