
Posted in: Ontario | Energy Policy | Consumer Protection

Jun 16, 2017

OEB Provides First Look at Proposed New Cyber Security Framework

By Gaurav Gopinath and David Stevens

In December 2015, the lights blinked out across multiple provinces in the Ivano-Frankivsk region of Ukraine. Nearly a quarter of a million people lost power. Shortly after power was restored, Ukraine’s Computer Emergency Response Team announced they had identified the root cause: a cyberattack targeting as many as eight power distribution companies.

As cyber warfare comes of age, outmoded “dumb grids” look increasingly vulnerable. Moreover, the problem is not just technical, but institutional: when hackers infiltrated Target in late 2013, they did so by first hacking a vendor using a phishing attack. Although Target’s own security policies may have been robust, the firm’s stable of external vendors each brought their own vulnerabilities to the table.

Towards a Unified Cyber Security Framework for Ontario’s LDCs

Despite recent moves toward consolidation, Ontario’s electricity distribution system remains fragmented, with all the risks that entails. As we have discussed previously, the Ontario Energy Board is committed to creating a “sector-wide coherent framework” to address cyber risks. Through a process initiated in February 2016, the OEB indicated that it would work with key industry stakeholders to “establish a common framework referencing recognized industry standards, policy guidelines and auditing requirements.”

On June 1, 2017, the OEB released a Staff Report titled “On a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors,” along with a companion White Paper titled “Cyber Security Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets.” As stated in the OEB’s Cover Letter, the Report and White Paper are being “issued for comment.”

The White Paper sets out the proposed Cyber Security Framework, which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework is designed to address the primary problems facing LDCs: (1) insufficient threat awareness; (2) the convergence of IT and operational technology; (3) lack of cyber security-trained human resources; (4) copious third-party access; and (5) insufficiently widespread use of security tools. It identifies potential vulnerabilities at various stages of the electricity system, including network protocols and physical security. The Framework then identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the LDC level. In sum, the Framework relies on LDC self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector.

The OEB Staff Report provides context surrounding the Framework. As stated in the OEB’s Cover Letter, “[t]he Staff Report provides a background on the OEB’s expectations in relation to cyber security and privacy in the energy sector.” The Staff Report notes that the Framework was developed with Ontario’s distribution ecosystem in mind. It was specifically designed to minimize rework for distributors that already have an advanced cyber security posture, as well as to provide support to ensure that resource constraints do not prevent smaller LDCs from being able to implement the Framework. The Framework was also developed with an eye to the future, with scalability and eventual industry ownership being a priority. The Staff Report suggests that the proposed Framework for LDCs could also be extended to apply to transmitters and natural gas distributors.

Importantly, the Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”

Implementation timeline

As stated in the OEB’s Cover Letter, the Framework is expected to be implemented in late 2017. LDCs will be required to start submitting cyber security reports to the OEB within three months of the issuance of the Framework. LDCs will also be subject to annual self-certification of cyber security capability starting in 2018.

The OEB is inviting comments from all interested stakeholders by July 15, 2017 on the Framework or Staff Report. According to the OEB, “feedback is specifically appreciated with respect to the following aspects:

  • Regulatory Requirements and Reporting;
  • Additional Implementation tools and guidance required;
  • Adequate guidance with respect to integration of privacy requirements; and
  • Other aspects to be incorporated.”

Following receipt of all comments, the OEB will determine the next steps.
