By Alena Mae S. Flores
Transmission and grid operator National Grid Corp. of the Philippines assured it is conducting periodic network sweeps on its operational technology network in the wake of the Deloitte India hacking reports.
NGCP president and chief executive Anthony Almeda sent a letter to the Energy Regulatory Commission dated Nov. 10 expressing concern over news that an employee of Deloitte India was the mastermind of an international hacking gang.
Almeda cited a report from Business Standard Online dated Nov. 7 which stated that the Deloitte India employee “targeted British businesses, government officials and journalists” and had been “running a network of computer hackers for the past seven years.”
Almeda said the ERC engaged Deloitte-Philippines to conduct the vulnerability assessment and penetration testing for NGCP’S critical operational technology network. Deloitte-Philippines engaged Deloitte India to conduct the assessment.
“We cannot overemphasize the importance of our OT network to transmission grid operations. We had hoped that all decisions and activities in relation to the cybersecurity audit currently being undertaken were done with a special view to this critically,” Almeda said.
He said ERC was supposed to have vetted the integrity and credibility of Deloitte-Philippines and its counterpart in India for the VAPT activities.
“It is alarming that the firm tasked by the ERC to conduct audit activities and given access to our systems is implicated in a ‘computer hacking gang.’ In opening our systems to the audit activities, we had relied on the ERC’s prudence and circumspection in choosing its representative,” Almeda said.
He said ERC failed to inform NGCP of the potential breach in security in Deloitte.
“An immediate disclosure was not only appropriate but necessary to protect the integrity of our systems. The minute the potential breach was discovered, we should have been advised so that we could have conducted mitigating activities,” he said.
Almeda said NGCP immediately initiated a network sweep scan of the OT network to ensure that the VAPT activities conducted by Deloitte-Philippines and Deloitte-India did not compromise its systems.