skip to main content
Back to all blog posts

Posted in: Data Security/Privacy | Data Protection

Jun 16, 2017

OEB Provides First Look at Proposed New Cyber Security Framework

By Gaurav Gopinath and David Stevens

In December 2015, the lights blinked out across multiple provinces in the Ivano-Frankivsk region of Ukraine. Nearly a quarter of a million people lost power. Shortly after power was restored, Ukraine’s Computer Emergency Response Team announced they had identified the root cause: a cyberattack targeting as many as eight power distribution companies.

As cyber warfare comes of age, outmoded “dumb grids” look increasingly vulnerable. Moreover, the problem is not just technical, but institutional: when hackers infiltrated Target in late 2013, they did so by first hacking a vendor using a phishing attack. Although Target’s own security policies may have been robust, the firm’s stable of external vendors each brought their own vulnerabilities to the table.

Towards a Unified Cyber Security Framework for Ontario’s LDCs

Despite recent moves toward consolidation, Ontario’s electricity distribution system remains fragmented, with all the risks that entail. As we have discussed previously, the Ontario Energy Board is committed to creating a “sector-wide coherent framework” to address cyber risks. Through a process initiated in February 2016, the OEB indicated that it would work with key industry stakeholders to “establish a common framework referencing recognized industry standards, policy guidelines and auditing requirements.”

On June 1, 2017, the OEB released a Staff Report titled “On a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors,” along with a companion White Paper titled “Cyber Security Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets.” As stated in the OEB’s Cover Letter, the Report and White Paper are being “issued for comment.”

The White Paper sets out the proposed Cyber Security Framework which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework is designed to address the primary problems facing LDCs: (1) insufficient threat awareness; (2) the convergence of IT and operational technology; (3) lack of cyber security-trained human resources; (4) copious third-party access;, and (5) insufficiently widespread use of security tools. It identifies potential vulnerabilities at various stages of the electricity system, including network protocols and physical security. The Framework then identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the LDC level. In sum, the Framework relies on LDC self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector.

The OEB Staff Report provides context surrounding the Framework. As stated in the OEB’s Cover Letter, “[t]he Staff Report provides a background on the OEB’s expectations in relation to cyber security and privacy in the energy sector.” The Staff Report notes that the Framework was developed with Ontario’s distribution ecosystem in mind. It was specifically designed to minimize rework for distributors that already have advanced cyber security posture, as well as to provide support to ensure that resource constraints do not prevent smaller LDCs from being able to implement the Framework. The Framework was also developed with an eye to the future, with scalability and eventual industry ownership being a priority. The Staff Report suggests that the proposed Framework for LDCs could also be extended to apply to transmitters and natural gas distributors.

Importantly, the Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”

Implementation timeline

As stated in the OEB’s Cover Letter, the Framework is expected to be implemented in late 2017. LDCs will be required to start submitting cyber security reports to the OEB within three months of the issuance of the Framework. Additionally, LDCs will also be subject to annual cyber security self-certification of cyber security capability starting in 2018.

The OEB is inviting comments from all interested stakeholders by July 15, 2017 on the Framework or Staff Report. According to the OEB, “feedback is specifically appreciated with respect to the following aspects:

  • Regulatory Requirements and Reporting;
  • Additional Implementation tools and guidance required;
  • Adequate guidance with respect to integration of privacy requirements; and
  • Other aspects to be incorporated.”

Following receipt of all comments, the OEB will determine the next steps.

Related Blogs

Posted in: Privacy | Data Security/Privacy

Insights TheSpotlight
Equifax Breach - The Breach That Will Keep on Giving By Paige Backman and Meghan A. Cowan Sep 14, 2017 At this point, if you haven’t heard of the Equifax data breach, it could only be because you have rightfully been glued to the coverage of (or living through) Hurricane Irma, Harvey or Jose. On September 7, 2017, Equifax revealed that it was the subject of a cybersecurity breach over the s...

Posted in: Data Protection | Privacy | Data Security/Privacy

Insights TheSpotlight
Ontario Court of Appeal Established New Privacy Rights – Utility Consumption Data and Grow Ops By Paige Backman Aug 21, 2017 If you are a utility monitoring consumption data, think twice before providing any of that information to the police. You may need to ensure the police first provide you with a warrant or other judicial authorization specifically requesting the information. The Ontario Court of Appeal, distinguis...

Posted in: Data Security/Privacy | CASL | GDPR | Data Protection

Insights TheSpotlight
With All Eyes Turned to CASL, is Anyone Paying Attention to GDPR? With Less Than 1 Year Before GDPR Takes Effect, Make Sure Your Organization is Ready By Paige Backman and Aaron Baer Jul 21, 2017 In early June, the Government of Canada came to its senses by suspending the provision of Canada’s Anti-Spam Legislation (“CASL”) that would have enabled a private right of action to be brought as of July 1, 2017. While this decision provided temporary relief to businesses who f...