Cybersecurity is an essential part of providing safe and reliable service to customers, as businesses increasingly rely on connected technology.
The BCUC carries out several activities to identify cyber risks and monitor entities' compliance to defense measures.
British Columbia's (BC) electricity system is protected by
Mandatory Reliability Standards,
which are the rules for operating a reliable and secure system.
Entities that own and/or operate critical infrastructure (systems, facilities, technologies) to generate, transmit, and control the flow of electricity over BC’s bulk electric system must follow Mandatory Reliability Standards. They must also develop cybersecurity protection plans for their critical infrastructure.
We determine if entities are following the required standards and plans, by using audits and investigations to assess an entity’s compliance.Learn more
In June 2023, the BCUC established a two-year pilot of a Cybersecurity Framework for regulated public utilities in BC. The pilot is effective January 1, 2024.
When concerns arise, the BCUC issues information bulletins to advise public utilities and those in the MRS program of alerts and recommendations on actions to mitigate cybersecurity risks.
The BCUC monitors cybersecurity issues related to public utilities and those under the Mandatory Reliability Standards through:
The BCUC assesses and examines a public utility’s cybersecurity expenditures when the utility submits its rate application to the BCUC.
The BCUC attends cybersecurity threat briefings for the energy and utilities sector and monitors threat alerts issued by local, provincial, federal, and international government agencies.
The BCUC requires public utilities to report all cybersecurity incidents to the BCUC so they can be followed up on until they are resolved.
The BCUC conducts meetings with public utilities on cybersecurity issues.
The BCUC recommends that regulated entities take steps to reduce their cybersecurity risks that are specific to their needs and capabilities. Cybersecurity risks can be decreased by applying administrative and technical security controls to protect devices, systems, and personnel.
Basic security controls include asset management, access management, backup and recovery, cybersecurity policies, incident response, patch management, personnel training and awareness on critical systems, and physical security.
There are several public resources that provide more information on cybersecurity. Click on the headings to open the list. This list does not imply endorsement by the BCUC.