skip to content
Contact
Click to open search Open mobile navigation menu Close mobile navigation menu
Home

Boosting the cybersecurity nexus

briefcase

The organization

How an energy company achieved a holistic cyber defence strategy

Polaris Infrastructure Inc. is a publicly traded Canadian company that develops and operates renewable energy projects in Latin America. It currently runs power plants through subsidiaries in Nicaragua and Peru, with plans for further expansion within the region.

In Nicaragua, the company operates a geothermal power plant with an installed capacity of 77 megawatts. As one of the largest generators of renewable energy in Nicaragua, the plant contributes significantly to the overall energy requirements of the country. Polaris also operates three separate hydroelectric power plants in Peru, capable of cumulatively generating 32 megawatts of energy. A portfolio of early-stage development projects is expected to grow its power generating capabilities in Peru to approximately 189 megawatts.

magnifying glass with question mark

The challenge

As a multinational company that is heavily reliant on technology, Polaris observed shortfalls in its existing cybersecurity strategy. The company required support in developing a comprehensive, yet immediate, cybersecurity program that would provide actionable insight on how to stay secure and compliant in a changing threat landscape. This included a clear understanding of its vulnerabilities, security gaps, and technology shortfalls, as well as recommendations for cybersecurity investments that generate the most value.

Recognizing that cybercrime is inevitable in today’s increasingly digital environment, our client was keen to purchase cyber insurance, but required guidance to show sufficient existing protection to qualify for the coverage they needed.

All businesses, irrespective of the industry, have data assets they need to protect from cyber attacks, from site plans and client lists to financial information. But energy companies have another layer of industry-specific risk to account for.

"Natural resource and utility companies use Supervisory Control and Data Acquisition (SCADA) systems to monitor their plant’s performance and ensure it’s operating efficiently. This means they have to protect both their Information Technology (IT) and Operational Technology (OT) environments.

Energy companies have recognized the importance of integrating OT and IT infrastructure for long-term resilience, but in doing so, they’re potentially increasing their exposure to security threats. As cyber attacks on natural resources companies increase in frequency, severity, and sophistication, it is becoming more important than ever to be aware of their vulnerabilities and put policies and practices in place to mitigate them."
light bulb

The solution

People, processes, and technology together form the nexus of cybersecurity—drop the ball on one, and it can lead to serious repercussions. Recognizing that Polaris is only as strong as its weakest link, BDO developed a cybersecurity plan within the framework of these three components.

"The first step was to conduct a comprehensive current state assessment. We identified exactly where Polaris was vulnerable and which controls would be most effective in mitigating these risks. From there, we were able to build a proactive cybersecurity roadmap that was scalable, aligned with Polaris’ wider strategic objectives, and allowed for timely recovery in case of a breach."

Here’s what each component entailed:

  • People: The people aspect is considered “the weakest link in a cybersecurity chain,” observes Rustogi. Our team created training materials to coach employees how to properly identify and address various kinds of cyber threats.
  • Process: We evaluated the effectiveness of existing cyber policies and procedures, identified gaps, and assessed the overall resiliency of the business.
  • Technology: Our team revised the existing technology controls that may be exploited by attackers.

In today's digital economy, cyber threats have become a growing concern for businesses of all sizes. Proactive and preventative controls can minimize the impact of a cybersecurity incident and help you recover faster.

Through this lens, BDO developed industry-specific solutions to help strengthen Polaris’ overall cybersecurity posture, as well as a cost analysis for each implementation option.

The primary accomplishments and deliverables included:

  • Policy documentation based on industry best practices, including an incident response plan, a cybersecurity playbook, and a patch management policy.
  • Process documentation on web vulnerability and security administration management.
  • A hardening standard for servers and workstations, used to set a baseline of requirements for each system.
  • A web application penetration test to uncover flaws in Internet-based programs.
  • Multi-factor authentication and password policies.
  • Third-party and vendor security assessments that help Polaris analyze risks when working with external partners.
  • Training materials for employees regarding mobility and portable media security.

We were able to build a proactive cybersecurity roadmap that was scalable, aligned with Polaris’ wider strategic objectives, and allowed for timely recovery in case of a breach.

Women working together
trophy

The outcome & benefits

Polaris has gained a very valuable asset: a tactical vision for its present and future cybersecurity strategy. By taking a people, process, and technology approach, BDO not only helped Polaris close security gaps, but handed Polaris the knowledge, tools, and resources to continue its cybersecurity journey.

With comprehensive measures in place, our client is now able to benchmark their security posture with respect to industry standards, optimize their investments in cybersecurity controls by effectively prioritizing security needs, and effectively communicate a security strategy to their staff and executives. Polaris, equipped with a thorough cybersecurity assessment and exhaustive cyber hygiene, also qualifies for the cyber insurance coverage its operations require.

Resilience against cybercrime is a continuous journey, not a set-and-forget exercise. Polaris continues to rely on BDO as a trusted advisor and we continue working on a strategic IT roadmap to further increase its security posture, leverage new technologies, and progress towards its ESG objectives.

ESG is front and centre for any natural resources company. Our cybersecurity efforts assisted Polaris with their sustainability journey.
Stephen Payne
Partner, Energy & Natural Resources Leader
computer

Contact

BDO recognizes that natural resources companies have specific cybersecurity requirements and concerns when it comes to modernizing their cybersecurity policies. Our multi-faceted team has the knowledge and experience to develop the appropriate preventative and reactive tools for businesses operating in the power-generating sector.

For more information, contact:

Chetan Sehgal, Partner, Forensics & Litigation Support

Stephen Payne, Partner, Energy & Natural Resources

Steve Brown, Senior Project Manager, Cybersecurity

Dishank Rustogi, Senior Manager, Cybersecurity

Find your local BDO office location

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.

Accept and close