
Posted in: Ontario | Energy Policy | Consumer Protection

Jun 16, 2017

OEB Provides First Look at Proposed New Cyber Security Framework

By Gaurav Gopinath and David Stevens

In December 2015, the lights blinked out across multiple provinces in the Ivano-Frankivsk region of Ukraine. Nearly a quarter of a million people lost power. Shortly after power was restored, Ukraine’s Computer Emergency Response Team announced they had identified the root cause: a cyberattack targeting as many as eight power distribution companies.

As cyber warfare comes of age, outmoded “dumb grids” look increasingly vulnerable. Moreover, the problem is not just technical, but institutional: when hackers infiltrated Target in late 2013, they did so by first hacking a vendor using a phishing attack. Although Target’s own security policies may have been robust, the firm’s stable of external vendors each brought their own vulnerabilities to the table.

Towards a Unified Cyber Security Framework for Ontario’s LDCs

Despite recent moves toward consolidation, Ontario’s electricity distribution system remains fragmented, with all the risks that entails. As we have discussed previously, the Ontario Energy Board is committed to creating a “sector-wide coherent framework” to address cyber risks. Through a process initiated in February 2016, the OEB indicated that it would work with key industry stakeholders to “establish a common framework referencing recognized industry standards, policy guidelines and auditing requirements.”

On June 1, 2017, the OEB released a Staff Report titled “On a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors,” along with a companion White Paper titled “Cyber Security Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets.” As stated in the OEB’s Cover Letter, the Report and White Paper are being “issued for comment.”

The White Paper sets out the proposed Cyber Security Framework, which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework is designed to address the primary problems facing LDCs: (1) insufficient threat awareness; (2) the convergence of IT and operational technology; (3) lack of cyber security-trained human resources; (4) copious third-party access; and (5) insufficiently widespread use of security tools. It identifies potential vulnerabilities at various stages of the electricity system, including network protocols and physical security. The Framework then identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the LDC level. In sum, the Framework relies on LDC self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector.

The OEB Staff Report provides context surrounding the Framework. As stated in the OEB’s Cover Letter, “[t]he Staff Report provides a background on the OEB’s expectations in relation to cyber security and privacy in the energy sector.” The Staff Report notes that the Framework was developed with Ontario’s distribution ecosystem in mind. It was specifically designed to minimize rework for distributors that already have an advanced cyber security posture, as well as to provide support to ensure that resource constraints do not prevent smaller LDCs from being able to implement the Framework. The Framework was also developed with an eye to the future, with scalability and eventual industry ownership being a priority. The Staff Report suggests that the proposed Framework for LDCs could also be extended to apply to transmitters and natural gas distributors.

Importantly, the Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”

Implementation timeline

As stated in the OEB’s Cover Letter, the Framework is expected to be implemented in late 2017. LDCs will be required to start submitting cyber security reports to the OEB within three months of the issuance of the Framework. LDCs will also be subject to annual self-certification of cyber security capability starting in 2018.

The OEB is inviting comments from all interested stakeholders by July 15, 2017 on the Framework or Staff Report. According to the OEB, “feedback is specifically appreciated with respect to the following aspects:

  • Regulatory Requirements and Reporting;
  • Additional Implementation tools and guidance required;
  • Adequate guidance with respect to integration of privacy requirements; and
  • Other aspects to be incorporated.”

Following receipt of all comments, the OEB will determine the next steps.
