OEB Provides First Look at Proposed New Cyber Security Framework
In December 2015, the lights blinked out across multiple provinces in the Ivano-Frankivsk region of Ukraine. Nearly a quarter of a million people lost power. Shortly after power was restored, Ukraine’s Computer Emergency Response Team announced they had identified the root cause: a cyberattack targeting as many as eight power distribution companies.
As cyber warfare comes of age, outmoded “dumb grids” look increasingly vulnerable. Moreover, the problem is not just technical, but institutional: when hackers infiltrated Target in late 2013, they did so by first hacking a vendor using a phishing attack. Although Target’s own security policies may have been robust, the firm’s stable of external vendors each brought their own vulnerabilities to the table.
Towards a Unified Cyber Security Framework for Ontario’s LDCs
Despite recent moves toward consolidation, Ontario’s electricity distribution system remains fragmented, with all the risks that entail. As we have discussed previously, the Ontario Energy Board is committed to creating a “sector-wide coherent framework” to address cyber risks. Through a process initiated in February 2016, the OEB indicated that it would work with key industry stakeholders to “establish a common framework referencing recognized industry standards, policy guidelines and auditing requirements.”
On June 1, 2017, the OEB released a Staff Report titled “On a Proposed Cyber Security Framework and Supporting Tools for the Electricity and Natural Gas Distributors,” along with a companion White Paper titled “Cyber Security Framework to Protect Access to Electronic Operating Devices and Business Information Systems within Ontario’s Non-Bulk Power Assets.” As stated in the OEB’s Cover Letter, the Report and White Paper are being “issued for comment.”
The White Paper sets out the proposed Cyber Security Framework which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework is designed to address the primary problems facing LDCs: (1) insufficient threat awareness; (2) the convergence of IT and operational technology; (3) lack of cyber security-trained human resources; (4) copious third-party access;, and (5) insufficiently widespread use of security tools. It identifies potential vulnerabilities at various stages of the electricity system, including network protocols and physical security. The Framework then identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the LDC level. In sum, the Framework relies on LDC self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector.
The OEB Staff Report provides context surrounding the Framework. As stated in the OEB’s Cover Letter, “[t]he Staff Report provides a background on the OEB’s expectations in relation to cyber security and privacy in the energy sector.” The Staff Report notes that the Framework was developed with Ontario’s distribution ecosystem in mind. It was specifically designed to minimize rework for distributors that already have advanced cyber security posture, as well as to provide support to ensure that resource constraints do not prevent smaller LDCs from being able to implement the Framework. The Framework was also developed with an eye to the future, with scalability and eventual industry ownership being a priority. The Staff Report suggests that the proposed Framework for LDCs could also be extended to apply to transmitters and natural gas distributors.
Importantly, the Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”
As stated in the OEB’s Cover Letter, the Framework is expected to be implemented in late 2017. LDCs will be required to start submitting cyber security reports to the OEB within three months of the issuance of the Framework. Additionally, LDCs will also be subject to annual cyber security self-certification of cyber security capability starting in 2018.
The OEB is inviting comments from all interested stakeholders by July 15, 2017 on the Framework or Staff Report. According to the OEB, “feedback is specifically appreciated with respect to the following aspects:
- Regulatory Requirements and Reporting;
- Additional Implementation tools and guidance required;
- Adequate guidance with respect to integration of privacy requirements; and
- Other aspects to be incorporated.”
Following receipt of all comments, the OEB will determine the next steps.