Case Study: Iconic Power Systems

Overview

This Alberta construction company was facing an environment of growing cyber risk exposure, several contractual gaps highlighted by a client, and increasingly stringent regulatory demands related to critical infrastructure protection (CIP).

MNP reviewed the gaps in their CIP compliance and helped implement a robust governance and management program to meet and ultimately exceed stakeholder expectations.

Services

Cyber Security & Privacy • Energy & Utilities

 Challenge

Public utilities such as power generation and transmission facility operators are increasingly lucrative targets for cyber criminals, terrorists, and state-sponsored attackers. With the potential for virtual attacks to inflict significant real-world damage, companies like Iconic Power Systems (Iconic) must take steps to address stringent CIP requirements.

Iconic approached MNP to assist with the design and implementation of practical security processes and controls related to their utility construction work. The resulting policy, procedural and process changes would satisfy contractual obligations with clients and regulatory requirements of the Alberta Electric System Operator (AESO).

 Approach

Baseline assessment and gap analysis

Our first step was to review the current processes in place at Iconic — along with findings from an assessment prepared by one of their clients — to understand where critical information exists within their data security environment any inherent risks related to CIP. We used this information to develop a gap assessment which revealed the necessary changes to get to the desired state.

Data and security governance

MNP delivered updates to Iconic’s policies, processes, and procedures, and developed forms for cyber system information management to align with CIP requirements, contractual requirements, and the client’s recommendations. We developed compliance management program areas, including:

• physical and electronic security management reviews and assessments
• security incident management reporting, investigation and notification
• confidential and building component safety information BCSI client information reviews and assessment against affiliate contract and IPS policies
• third party / affiliate management controls, reviews, and assessments

Finally, we provided recommendations to the company’s IT service provider to ensure they could meet Iconic’s incident management and recovery needs.

Iconic approached MNP to assist with the design and implementation of practical security processes and controls related to their utility construction work. The resulting policy, procedural and process changes would satisfy contractual obligations with clients and regulatory requirements of the Alberta Electric System Operator AESO.

 Results

With MNP’s help and recommendations, Iconic exceeded the requirements of their client and AESO regulations and is now a recognized leader in their industry with regard to CIP.

“We were proactive and brought the right company to do the work for us,” says Jay Bruchet, President, Iconic Power Systems.