The electrical industry uses ICS to control and monitor critical components such as turbines and circuit breakers in power generation and distribution. These control systems help to ensure electricity reaches Albertans and other markets efficiently, safely and securely. Therefore, IT security must be carefully considered when designing and using ICS.
We decided to audit ICS because we believe Albertans may be at risk if ICS are unsecured or do not meet minimum IT security standards.
The Alberta Utilities Commission is a provincial agency that provides independent, adjudicative functions. The AUC is accountable to the Legislature through the Minister of Energy, who is designated the responsible minister. The Government of Alberta has given the AUC a regulatory mandate over the utilities sector, and natural gas and electricity markets to protect the social, economic and environmental interests of Alberta where competitive market forces do not. The AUC also establishes mandatory requirements and standards of practice for the retail electric markets through the use of a rule-making procedure involving a consultative process with stakeholders and interested parties.
On September 15, 2015, the AUC approved mandatory IT security standards for ICS in the electrical industry. Although some electrical operators may have already implemented IT security standards for ICS, they do not have to comply with these new standards until October 2017.
What we examined
We examined the Alberta Utilities Commission’s role in:
- assessing risks and developing, implementing and communicating adequate IT security standards for ICS to mitigate those risks
- monitoring operators in the electrical industry for compliance with IT security standards for ICS and enforcing compliance with the standards
The AUC fulfilled its role and followed its processes, as required by regulation, to adjudicate and approve the IT security standards recommended by the Alberta Electric System Operator (AESO). However, Alberta’s electrical operators do not have to comply with the newly approved IT security standards until October 2017.
What we found
The AUC and AESO have clear roles and responsibilities for developing and approving IT security standards for ICS used by Alberta’s electricity operators. The AESO’s role is to develop and recommend the standards. The AUC’s role is to approve the recommended standards. If there are objections to the standards from electrical industry operators or Albertans, the AUC is required to assess the objections before deciding whether to approve the recommended standards.
Why this is important to Albertans
Electricity is essential to modern life. Disruption or loss of electricity from accidental or targeted disruption to Alberta’s electricity grid could harm the safety of Albertans or the environment.