NGCP acts after Deloitte staff tagged hackers’ mastermind
BY LENIE LECTURA – NOVEMBER 16, 2022
from Business Mirror
THE National Grid Corporation of the Philippines (NGCP) announced it immediately conducted a sweep scan of its network after a Deloitte-India employee was reportedly tagged as the mastermind of a computer hacking group.
In a letter to Energy Regulatory Commission (ERC) Chairman Monalisa C. Dimalanta, NGCP President Anthony L. Almeda said the firm “immediately initiated a network sweep scan of our OT [operational technology] network to ensure that VAPT [vulnerability assessment and penetration] activities by Deloitte-Philippines and Deloitte-India did not compromise our systems.”
It can be recalled that the ERC has tapped the services of a third party to conduct the VAPT activities on NGCP’s OT network. Deloitte-Philippines, which then engaged the services of Deloitte-India, was the third party chosen by the ERC to conduct an audit on NGCP. Almeda said it is alarming that the firm was tasked by the ERC to conduct audit activities and given access to the grid operator’s systems is implicated in computer hacking activities.
“In opening our systems to the audit activities, we had relied on ERC’s prudence and circumspection in choosing its representatives.”
“In engaging Deloitte-Philippines, and the counterpart in India, for the VAPT activities, their integrity and credibility were vetted by the ERC,” added Almeda. “We cannot overemphasize the importance of our OT network to transmission grid operations. We had hoped that all decisions and activities in relation to the cyber security audit currently being undertaken were done with a special view to this critically.”
It was through the recent news that NGCP found out that the employee had been “running a network of computer hackers for the past seven years,” and that the hacking activities “targeted British businesses, government officials and journalists.”
To date, the NGCP said it has yet to be informed of the potential breach in security in Deloitte. It stressed that an immediate disclosure was not only appropriate but necessary to protect the integrity of NGCP’s systems. “The minute the potential breach was discovered, we should have been advised so that we could have conducted mitigating activities,” it said.
The NGCP holds a 25-year concession and a 50-year Congressional franchise to expand and operate the country’s power transmission grid. NGCP is the sole and exclusive operator of the country’s nationwide transmission network linking the power generators and distribution utilities to deliver electricity to end-users.
