Boosting the cybersecurity nexus

How an energy company achieved a holistic cyber defence strategy

Case study

The organization

Polaris Infrastructure Inc. is a publicly traded Canadian company that develops and operates renewable energy projects in Latin America. It currently runs power plants through subsidiaries in Nicaragua and Peru, with plans for further expansion within the region.

In Nicaragua, the company operates a geothermal power plant with an installed capacity of 77 megawatts. As one of the largest generators of renewable energy in Nicaragua, the plant contributes significantly to the overall energy requirements of the country. Polaris also operates three separate hydroelectric power plants in Peru, capable of cumulatively generating 32 megawatts of energy. A portfolio of early stage development projects is expected to grow its power generating capabilities in Peru to approximately 189 megawatts.


The challenge

“Natural resource and utility companies have to protect their IT environment, but also their OT environment,” explains cybersecurity partner, Dishank Rustogi, who led the project with Polaris. “They distribute natural resources through Supervisory Control and Data Acquisition (SCADA) systems, which are not always aligned with their corporate IT systems. COVID has led companies to focus more on integrating their OT environments with their corporate IT infrastructure, thereby increasing the attack surface and potentially creating more gaps for hackers to exploit.”

As a multinational company that is heavily reliant on technology, Polaris observed shortfalls in its existing cybersecurity strategy. The company required support in developing a comprehensive, yet immediate, cybersecurity program that would provide actionable insight on how to stay secure and compliant in a changing threat landscape. This included a clear understanding of its vulnerabilities, security gaps, and technology shortfalls, as well as recommendations for cybersecurity investments that generate the most value.

Recognizing that cybercrime is inevitable in today’s increasingly digital environment, our client was keen to purchase cyber insurance, but required guidance to show sufficient existing protection to qualify for the coverage they needed.

All businesses, irrespective of the industry, have data assets they need to protect from cyber attacks, from site plans and client lists to financial information. But energy companies have another layer of industry-specific risk to account for.


The solution

“We wanted to do a very holistic and comprehensive assessment so that our solutions would also be scalable.”

—Dishank Rustogi, Senior Manager, Cybersecurity

People, processes, and technology together form the nexus of cybersecurity—drop the ball on one, and it can lead to serious repercussions. Recognizing that Polaris is only as strong as its weakest link, BDO developed a cybersecurity plan within the framework of these three components.

“We wanted to conduct a very holistic and comprehensive assessment so that any solutions we developed for Polaris would also be scalable,” says Rustogi. “First we conducted a current state assessment to figure out which controls are applicable to Polaris. Then, we built a roadmap to achieve a better level of cybersecurity posture, so that they not only protect their data assets, but also recover timely in case of a cyber breach.”

Here’s what each component entailed:

People: The people aspect is considered “the weakest link in a cybersecurity chain,” observes Rustogi. Our team created training materials to coach employees on how to properly identify and address various kinds of cyber threats.

Process: We evaluated the effectiveness of existing cyber policies and procedures, identified gaps, and assessed the overall resiliency of the business.

Technology: Our team revised the existing technology controls that may be exploited by attackers.

“It’s not a matter of if a breach can happen, but when. With proactive and preventative controls in place, you can recover faster.”

—Dishank Rustogi, Senior Manager, Cybersecurity

Through this lens, BDO developed industry-specific solutions to help strengthen Polaris’ overall cybersecurity posture, as well as a cost analysis for each implementation option.

The primary accomplishments and deliverables included:

  • Policy documentation based on industry best practices, including an incident response plan, a cybersecurity playbook, and a patch management policy.
  • Process documentation on web vulnerability and security administration management.
  • A hardening standard for servers and workstations, used to set a baseline of requirements for each system.
  • A web application penetration test to uncover flaws in Internet-based programs.
  • Multi-factor authentication and password policies.
  • Third-party and vendor security assessments that help Polaris analyze risks when working with external partners.
  • Training materials for employees regarding mobility and portable media security.

The outcome & benefits

Polaris has gained a very valuable asset: a tactical vision for its present and future cybersecurity strategy. By taking a people, process, and technology approach, BDO not only helped Polaris close security gaps, but handed Polaris the knowledge, tools, and resources to continue its cybersecurity journey.

With comprehensive measures in place, our client is now able to benchmark their security posture with respect to industry standards, optimize their investments in cybersecurity controls by effectively prioritizing security needs, and effectively communicate a security strategy to their staff and executives. Polaris, equipped with a thorough cybersecurity assessment and exhaustive cyber hygiene, also qualifies for the cyber insurance coverage its operations require.

Resilience against cybercrime is a continuous journey, not a set-and-forget exercise. Polaris continues to rely on BDO as a trusted advisor and we continue working on a strategic IT roadmap to further increase its security posture, leverage new technologies, and progress towards its ESG objectives.

“ESG is front and centre for any natural resources company. Our cybersecurity efforts assisted Polaris with their sustainability journey.”

—Stephen Payne, Partner, Energy & Natural Resources Leader

Contact

BDO recognizes that natural resources companies have specific cybersecurity requirements and concerns when it comes to modernizing their cybersecurity policies. Our multi-faceted team has the knowledge and experience to develop the appropriate preventative and reactive tools for businesses operating in the power-generating sector.

Learn how BDO can help your company evolve its tolerance towards cyber-related risks. Contact us.

Chetan Sehgal, Partner, Forensics & Litigation Support

Stephen Payne, Partner, Energy & Natural Resources

Steve Brown, Senior Project Manager, Cybersecurity

Dishank Rustogi, Senior Manager, Cybersecurity

BDO Canada LLP, a Canadian limited liability partnership, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

