How an energy company achieved a holistic cyber defence strategy
The organization
Polaris Infrastructure Inc. is a publicly traded Canadian company that develops and operates renewable energy projects in Latin America. It currently runs power plants through subsidiaries in Nicaragua and Peru, with plans for further expansion within the region.
In Nicaragua, the company operates a geothermal power plant with an installed capacity of 77 megawatts. As one of the largest generators of renewable energy in Nicaragua, the plant contributes significantly to the overall energy requirements of the country. Polaris also operates three separate hydroelectric power plants in Peru, capable of cumulatively generating 32 megawatts of energy. A portfolio of early-stage development projects is expected to grow its power generating capabilities in Peru to approximately 189 megawatts.
The challenge
As a multinational company that is heavily reliant on technology, Polaris observed shortfalls in its existing cybersecurity strategy. The company required support in developing a comprehensive, yet immediate, cybersecurity program that would provide actionable insight on how to stay secure and compliant in a changing threat landscape. This included a clear understanding of its vulnerabilities, security gaps, and technology shortfalls, as well as recommendations for cybersecurity investments that generate the most value.
Recognizing that cybercrime is inevitable in today’s increasingly digital environment, our client was keen to purchase cyber insurance, but required guidance to show sufficient existing protection to qualify for the coverage they needed.
All businesses, irrespective of the industry, have data assets they need to protect from cyber attacks, from site plans and client lists to financial information. But energy companies have another layer of industry-specific risk to account for.
Energy companies have recognized the importance of integrating OT and IT infrastructure for long-term resilience, but in doing so, they’re potentially increasing their exposure to security threats. As cyber attacks on natural resources companies increase in frequency, severity, and sophistication, it is becoming more important than ever to be aware of their vulnerabilities and put policies and practices in place to mitigate them.
The solution
People, processes, and technology together form the nexus of cybersecurity—drop the ball on one, and it can lead to serious repercussions. Recognizing that Polaris is only as strong as its weakest link, BDO developed a cybersecurity plan within the framework of these three components.
Here’s what each component entailed:
- People: The people aspect is considered “the weakest link in a cybersecurity chain,” observes Rustogi. Our team created training materials to coach employees on how to properly identify and address various kinds of cyber threats.
- Process: We evaluated the effectiveness of existing cyber policies and procedures, identified gaps, and assessed the overall resiliency of the business.
- Technology: Our team revised the existing technology controls that may be exploited by attackers.
In today's digital economy, cyber threats have become a growing concern for businesses of all sizes. Proactive and preventative controls can minimize the impact of a cybersecurity incident and help you recover faster.
Through this lens, BDO developed industry-specific solutions to help strengthen Polaris’ overall cybersecurity posture, as well as a cost analysis for each implementation option.
The primary accomplishments and deliverables included:
- Policy documentation based on industry best practices, including an incident response plan, a cybersecurity playbook, and a patch management policy.
- Process documentation on web vulnerability and security administration management.
- A hardening standard for servers and workstations, used to set a baseline of requirements for each system.
- A web application penetration test to uncover flaws in Internet-based programs.
- Multi-factor authentication and password policies.
- Third-party and vendor security assessments that help Polaris analyze risks when working with external partners.
- Training materials for employees regarding mobility and portable media security.
We were able to build a proactive cybersecurity roadmap that was scalable, aligned with Polaris’ wider strategic objectives, and allowed for timely recovery in case of a breach.
The outcome & benefits
Polaris has gained a very valuable asset: a tactical vision for its present and future cybersecurity strategy. By taking a people, process, and technology approach, BDO not only helped Polaris close security gaps, but handed Polaris the knowledge, tools, and resources to continue its cybersecurity journey.
With comprehensive measures in place, our client is now able to benchmark their security posture with respect to industry standards, optimize their investments in cybersecurity controls by prioritizing security needs, and effectively communicate a security strategy to their staff and executives. Polaris, equipped with a thorough cybersecurity assessment and exhaustive cyber hygiene, also qualifies for the cyber insurance coverage its operations require.
Resilience against cybercrime is a continuous journey, not a set-and-forget exercise. Polaris continues to rely on BDO as a trusted advisor and we continue working on a strategic IT roadmap to further increase its security posture, leverage new technologies, and progress towards its ESG objectives.
Contact
BDO recognizes that natural resources companies have specific cybersecurity requirements and concerns when it comes to modernizing their cybersecurity policies. Our multi-faceted team has the knowledge and experience to develop the appropriate preventative and reactive tools for businesses operating in the power-generating sector.
For more information, contact:
Chetan Sehgal, Partner, Forensics & Litigation Support
Stephen Payne, Partner, Energy & Natural Resources
Steve Brown, Senior Project Manager, Cybersecurity
Dishank Rustogi, Senior Manager, Cybersecurity