
Posted in: Ontario | Energy Policy | Consumer Protection

Jun 16, 2017

OEB Provides First Look at Proposed New Cyber Security Framework

By Gaurav Gopinath and David Stevens

In December 2015, the lights blinked out across multiple provinces in the Ivano-Frankivsk region of Ukraine. Nearly a quarter of a million people lost power. Shortly after power was restored, Ukraine’s Computer Emergency Response Team announced they had identified the root cause: a cyberattack targeting as many as eight power distribution companies.

As cyber warfare comes of age, outmoded “dumb grids” look increasingly vulnerable. Moreover, the problem is not just technical, but institutional: when hackers infiltrated Target in late 2013, they did so by first hacking a vendor using a phishing attack. Although Target’s own security policies may have been robust, the firm’s stable of external vendors each brought their own vulnerabilities to the table.

Towards a Unified Cyber Security Framework for Ontario’s LDCs

Despite recent moves toward consolidation, Ontario’s electricity distribution system remains fragmented, with all the risks that entails. As we have discussed previously, the Ontario Energy Board is committed to creating a “sector-wide coherent framework” to address cyber risks. Through a process initiated in February 2016, the OEB indicated that it would work with key industry stakeholders to “establish a common framework referencing recognized industry standards, policy guidelines and auditing requirements.”

On June 1, 2017, the OEB released a Staff Report titled “On a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors,” along with a companion White Paper titled “Cyber Security Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets.” As stated in the OEB’s Cover Letter, the Report and White Paper are being “issued for comment.”

The White Paper sets out the proposed Cyber Security Framework, which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework is designed to address the primary problems facing LDCs: (1) insufficient threat awareness; (2) the convergence of IT and operational technology; (3) lack of cyber security-trained human resources; (4) copious third-party access; and (5) insufficiently widespread use of security tools. It identifies potential vulnerabilities at various stages of the electricity system, including network protocols and physical security. The Framework then identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the LDC level. In sum, the Framework relies on LDC self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector.

The OEB Staff Report provides context surrounding the Framework. As stated in the OEB’s Cover Letter, “[t]he Staff Report provides a background on the OEB’s expectations in relation to cyber security and privacy in the energy sector.” The Staff Report notes that the Framework was developed with Ontario’s distribution ecosystem in mind. It was specifically designed to minimize rework for distributors that already have an advanced cyber security posture, as well as to provide support to ensure that resource constraints do not prevent smaller LDCs from being able to implement the Framework. The Framework was also developed with an eye to the future, with scalability and eventual industry ownership being priorities. The Staff Report suggests that the proposed Framework for LDCs could also be extended to apply to transmitters and natural gas distributors.

Importantly, the Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”

Implementation timeline

As stated in the OEB’s Cover Letter, the Framework is expected to be implemented in late 2017. LDCs will be required to start submitting cyber security reports to the OEB within three months of the issuance of the Framework. LDCs will also be subject to annual self-certification of cyber security capability starting in 2018.

The OEB is inviting comments from all interested stakeholders by July 15, 2017 on the Framework or Staff Report. According to the OEB, “feedback is specifically appreciated with respect to the following aspects:

  • Regulatory Requirements and Reporting;
  • Additional Implementation tools and guidance required;
  • Adequate guidance with respect to integration of privacy requirements; and
  • Other aspects to be incorporated.”

Following receipt of all comments, the OEB will determine the next steps.
