Digital background with locks and connectors

Boosting the cybersecurity nexus

How an energy company achieved a holistic cyber defence strategy

Case study

Briefcase

The organization

Polaris Infrastructure Inc. is a publicly traded Canadian company that develops and operates renewable energy projects in Latin America. It currently runs power plants through subsidiaries in Nicaragua and Peru, with plans for further expansion within the region.

In Nicaragua, the company operates a geothermal power plant with an installed capacity of 77 megawatts. As one of the largest generators of renewable energy in Nicaragua, the plant contributes significantly to the overall energy requirements of the country. Polaris also operates three separate hydroelectric power plants in Peru, capable of cumulatively generating 32 megawatts of energy. A portfolio of early stage development projects is expected to grow its power generating capabilities in Peru to approximately 189 megawatts.

geothermal energy plant
Magnifying glass with question mark

The challenge

“Natural resource and utility companies have to protect their IT environment, but also their OT environment,” explains cybersecurity partner, Vivek Gupta, who led the project with Polaris. “They distribute natural resources through Supervisory Control and Data Acquisition (SCADA) systems, which are not always aligned with their corporate IT systems. COVID has led companies to focus more on integrating their OT environments with their corporate IT infrastructure, thereby increasing the attack surface and potentially creating more gaps for hackers to exploit.”

As a multinational company that is heavily reliant on technology, Polaris observed shortfalls in its existing cybersecurity strategy. The company required support in developing a comprehensive, yet immediate, cybersecurity program that would provide actionable insight on how to stay secure and compliant in a changing threat landscape. This included a clear understanding of its vulnerabilities, security gaps, and technology shortfalls, as well as recommendations for cybersecurity investments that generate the most value.

Recognizing that cybercrime is inevitable in today’s increasingly digital environment, our client was keen to purchase cyber insurance, but required guidance to show sufficient existing protection to qualify for the coverage they needed.

All businesses, irrespective of the industry, have data assets they need to protect from cyber attacks, from site plans and client lists to financial information. But energy companies have another layer of industry-specific risk to account for.

man looking at coding on computer screens in a dark room
lightbulb

The solution

“We wanted to do a very holistic and comprehensive assessment so that our solutions would also be scalable.”

—Vivek Gupta, Partner, Cybersecurity & Digital Forensics

People, processes, and technology together form the nexus of cybersecurity—drop the ball on one, and it can lead to serious repercussions. Recognizing that Polaris is only as strong as its weakest link, BDO developed a cybersecurity plan within the framework of these three components.

“We wanted to conduct a very holistic and comprehensive assessment so that any solutions we developed for Polaris would also be scalable,” says Gupta. “First we conducted a current state assessment to figure out which controls are applicable to Polaris. Then, we built a roadmap to achieve a better level of cybersecurity posture, so that they not only protect their data assets, but also recover timely in case of a cyber breach.”

Here’s what each component entailed:

People: The people aspect is considered “the weakest link in a cybersecurity chain,” observes Gupta. Our team created training materials to coach employees how to properly identify and address various kinds of cyber threats.

Process: We evaluated the effectiveness of existing cyber policies and procedures, identified gaps, and assessed the overall resiliency of the business.

Technology: Our team revised the existing technology controls that may be exploited by attackers.

“It's not a matter of if a breach can happen, but when. With proactive and preventative controls in place, you can recover faster"

—Vivek Gupta, Partner, Cybersecurity & Digital Forensics

Through this lens, BDO developed industry-specific solutions to help strengthen Polaris’ overall cybersecurity posture, as well as a cost analysis for each implementation option.

The primary accomplishments and deliverables included:

  • Policy documentation based on industry best practices, including an incident response plan, a cybersecurity playbook, and a patch management policy.
  • Process documentation on web vulnerability and security administration management.
  • A hardening standard for servers and workstations, used to set a baseline of requirements for each system.
  • web application penetration test to uncover flaws in Internet-based programs.
  • Multi-factor authentication and password policies.
  • Third-party and vendor security assessments that help Polaris analyze risks when working with external partners.
  • Training materials for employees regarding mobility and portable media security.
two women looking at computer screen thinking
trophy with star

The outcome & benefits

Polaris has gained a very valuable asset: a tactical vision for its present and future cybersecurity strategy. By taking a people, process, and technology approach, BDO not only helped Polaris close security gaps, but handed Polaris the knowledge, tools, and resources to continue its cybersecurity journey.

With comprehensive measures in place, our client is now able to benchmark their security posture with respect to industry standards, optimize their investments in cybersecurity controls by effectively prioritizing security needs, and effectively communicate a security strategy to their staff and executives. Polaris, equipped with a thorough cybersecurity assessment and exhaustive cyber hygiene, also qualifies for the cyber insurance coverage its operations require.

Resilience against cybercrime is a continuous journey, not a set-and-forget exercise. Polaris continues to rely on BDO as a trusted advisor and we continue working on a strategic IT roadmap to further increase its security posture, leverage new technologies, and progress towards its ESG objectives.

“ESG is front and centre for any natural resources company. Our cybersecurity efforts assisted Polaris with their sustainability journey.”

—Stephen Payne, Partner, Energy & Natural Resources Leader

Computer with mouse arrow

Contact

BDO recognizes that natural resources companies have specific cybersecurity requirements and concerns when it comes to modernizing their cybersecurity policies. Our multi-faceted team has the knowledge and experience to develop the appropriate preventative and reactive tools for businesses operating in the power-generating sector.

Learn how BDO can help your company evolve its tolerance towards cyber-related risks. Contact us.

Vivek Gupta, 
Partner, Cybersecurity 

Chetan Sehgal, 
Partner, Forensics & Litigation Support 

Stephen Payne
Partner, Energy & Natural Resources 

Steve Brown, 
Senior Project Manager, Cybersecurity 

Dishank Rustogi, 
Senior Manager, Cybersecurity 

BDO Canada LLP, a Canadian limited liability partnership, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

Digital background with locks and connectors

Case study

Boosting the cybersecurity nexus

How an energy company achieved a holistic cyber defence strategy

Briefcase

The organization

Polaris Infrastructure Inc. is a publicly traded Canadian company that develops and operates renewable energy projects in Latin America. It currently runs power plants through subsidiaries in Nicaragua and Peru, with plans for further expansion within the region.

In Nicaragua, the company operates a geothermal power plant with an installed capacity of 77 megawatts. As one of the largest generators of renewable energy in Nicaragua, the plant contributes significantly to the overall energy requirements of the country. Polaris also operates three separate hydroelectric power plants in Peru, capable of cumulatively generating 32 megawatts of energy. A portfolio of early stage development projects is expected to grow its power generating capabilities in Peru to approximately 189 megawatts.

geothermal energy plant
Magnifying glass with question mark

The challenge

“Natural resource and utility companies have to protect their IT environment, but also their OT environment,” explains cybersecurity partner, Vivek Gupta, who led the project with Polaris. “They distribute natural resources through Supervisory Control and Data Acquisition (SCADA) systems, which are not always aligned with their corporate IT systems. COVID has led companies to focus more on integrating their OT environments with their corporate IT infrastructure, thereby increasing the attack surface and potentially creating more gaps for hackers to exploit.”

As a multinational company that is heavily reliant on technology, Polaris observed shortfalls in its existing cybersecurity strategy. The company required support in developing a comprehensive, yet immediate, cybersecurity program that would provide actionable insight on how to stay secure and compliant in a changing threat landscape. This included a clear understanding of its vulnerabilities, security gaps, and technology shortfalls, as well as recommendations for cybersecurity investments that generate the most value.

Recognizing that cybercrime is inevitable in today’s increasingly digital environment, our client was keen to purchase cyber insurance, but required guidance to show sufficient existing protection to qualify for the coverage they needed.

All businesses, irrespective of the industry, have data assets they need to protect from cyber attacks, from site plans and client lists to financial information. But energy companies have another layer of industry-specific risk to account for.

man looking at coding on computer screens in a dark room
lightbulb

The solution

“We wanted to do a very holistic and comprehensive assessment so that our solutions would also be scalable.”

—Vivek Gupta, Partner, Cybersecurity & Digital Forensics

People, processes, and technology together form the nexus of cybersecurity—drop the ball on one, and it can lead to serious repercussions. Recognizing that Polaris is only as strong as its weakest link, BDO developed a cybersecurity plan within the framework of these three components.

“We wanted to conduct a very holistic and comprehensive assessment so that any solutions we developed for Polaris would also be scalable,” says Gupta. “First we conducted a current state assessment to figure out which controls are applicable to Polaris. Then, we built a roadmap to achieve a better level of cybersecurity posture, so that they not only protect their data assets, but also recover timely in case of a cyber breach.”

Here’s what each component entailed:

People: The people aspect is considered “the weakest link in a cybersecurity chain,” observes Gupta. Our team created training materials to coach employees how to properly identify and address various kinds of cyber threats.

Process: We evaluated the effectiveness of existing cyber policies and procedures, identified gaps, and assessed the overall resiliency of the business.

Technology: Our team revised the existing technology controls that may be exploited by attackers.

“It's not a matter of if a breach can happen, but when. With proactive and preventative controls in place, you can recover faster"

—Vivek Gupta, Partner, Cybersecurity & Digital Forensics

Through this lens, BDO developed industry-specific solutions to help strengthen Polaris’ overall cybersecurity posture, as well as a cost analysis for each implementation option.

The primary accomplishments and deliverables included:

  • Policy documentation based on industry best practices, including an incident response plan, a cybersecurity playbook, and a patch management policy.
  • Process documentation on web vulnerability and security administration management.
  • A hardening standard for servers and workstations, used to set a baseline of requirements for each system.
  • web application penetration test to uncover flaws in Internet-based programs.
  • Multi-factor authentication and password policies.
  • Third-party and vendor security assessments that help Polaris analyze risks when working with external partners.
  • Training materials for employees regarding mobility and portable media security.
two women looking at computer screen thinking
trophy with star

The outcome & benefits

Polaris has gained a very valuable asset: a tactical vision for its present and future cybersecurity strategy. By taking a people, process, and technology approach, BDO not only helped Polaris close security gaps, but handed Polaris the knowledge, tools, and resources to continue its cybersecurity journey.

With comprehensive measures in place, our client is now able to benchmark their security posture with respect to industry standards, optimize their investments in cybersecurity controls by effectively prioritizing security needs, and effectively communicate a security strategy to their staff and executives. Polaris, equipped with a thorough cybersecurity assessment and exhaustive cyber hygiene, also qualifies for the cyber insurance coverage its operations require.

Resilience against cybercrime is a continuous journey, not a set-and-forget exercise. Polaris continues to rely on BDO as a trusted advisor and we continue working on a strategic IT roadmap to further increase its security posture, leverage new technologies, and progress towards its ESG objectives.

“ESG is front and centre for any natural resources company. Our cybersecurity efforts assisted Polaris with their sustainability journey.”

—Stephen Payne, Partner, Energy & Natural Resources Leader

Computer with mouse arrow

Contact

BDO recognizes that natural resources companies have specific cybersecurity requirements and concerns when it comes to modernizing their cybersecurity policies. Our multi-faceted team has the knowledge and experience to develop the appropriate preventative and reactive tools for businesses operating in the power-generating sector.

Learn how BDO can help your company evolve its tolerance towards cyber-related risks. Contact us.

Vivek Gupta, 
Partner, Cybersecurity 

Chetan Sehgal, 
Partner, Forensics & Litigation Support 

Stephen Payne
Partner, Energy & Natural Resources 

Dishank Rustogi, 
Senior Manager, Cybersecurity 

Steve Brown, 
Senior Project Manager, Cybersecurity 

BDO Canada LLP, a Canadian limited liability partnership, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

This publication uses cookies

We use functional and analytical cookies to improve our website. In addition, third parties place tracking cookies to display personalised advertisements on social media. By clicking accept you consent to the placement of these cookies.