The Canadian energy sector has been buying Internet-connected sensors for monitoring a range of activities in generating plants, distribution networks and home smart meters for several years. However, so far industrial IoT device makers have been creating their own security standards for devices, leaving energy producers and utilities at their mercy.
The industry hopes to change that by creating national cybersecurity standards for industrial IoT devices, with the goal of improving its ability to predict, prevent, respond to and recover from cyber threats.
To help, the federal government today announced an $818,000 grant to support a CIO Strategy Council project that will oversee the setting of those standards.
In an interview, council executive director Keith Jansa said the money will fund a three-year effort. It will include a set of cross-country meetings with industry, government, academics and interest groups to create the standards, the development of tools to test devices against those standards, and the creation of a product repository of safe IoT devices that companies can consult before making purchases.
“The challenge is there are a number of these devices that will be coming online over the next few years,” Jansa said. “IoT devices are designed for convenience and not for security, so how do you ensure that a technology an electricity utility secures is in fact safeguarded against cyber threats? Currently, there is no associated trust mark or certification that gives confidence associated with these devices.”
He also said the council will work with the North American Electric Reliability Corporation (NERC), which sets North American-wide utility safety procedural standards. The industrial IoT standards will be product standards.
According to Robert Wong, vice-president and CIO of Toronto Hydro, all the big provincial utilities must adhere to the NERC CIP standards, which have requirements for both cyber and physical security. Ontario is different from most provinces in that it has local distribution companies (LDCs), like Toronto Hydro, which buy electricity in bulk and resell it to customers. These LDCs don’t own or operate critical infrastructure and therefore don’t have to follow the NERC CIP standards.
Electricity is considered around the world to be part of a country’s critical national infrastructure. Threats to the grid can be used for ransom or by a country for political pressure. Ukraine had its power network knocked offline in 2015 and 2016 by what were believed to be Russian-backed threat actors.
All the big provincial utilities operate “critical infrastructure” and must adhere to the NERC CIP (critical infrastructure protection) standards, which have requirements for both cyber and physical security. They are audited on a regular basis for compliance and can face hefty fines if they fail to meet the requirements. The LDCs in Ontario don’t own or operate “critical infrastructure” and therefore are not required to adopt the NERC CIP standards (at least for now).
The CIO Strategy Council is a forum for chief information officers that is helping set standards in a number of areas. In January it announced a partnership with the Internet Society’s Canada Chapter to create standards of practice for IoT security for consumer devices. As part of the federal government’s updated national cybersecurity strategy it is also developing a national cybersecurity standard for small and medium-sized businesses. That strategy would allow SMBs to advertise to customers that they meet minimum security requirements.
“The security of Canadians and our critical infrastructure is paramount,” federal minister of natural resources Seamus O’Regan said in a statement with today’s announcement. “Cyber attacks are becoming more common and dangerous. That’s why we are supporting this innovative project to protect the Canadian electricity sector.”
The announcement was welcomed by Robert Wong, Toronto Hydro’s vice-president and CIO. “Any additional investment towards strengthening the safeguards against cyberattacks to Canada’s critical infrastructure is definitely good news. From the perspective of the electricity sector, the convergence of IT and OT (operational technology) has been happening for some time now as the traditional electricity grid has been transforming into a Smart Grid with the introduction of smart meters, SCADA systems, electronic sensors and monitors, smart relays, intelligent automated switching capabilities, distributed energy resources, and storage technologies (batteries, flywheels, compressed air, etc.).
“In my experience, many OT device and system manufacturers and vendors are still lagging the traditional IT vendors in incorporating Security by Design philosophies and effective security features into their products. This, in turn, creates greater risks and challenges for utilities in protecting their critical infrastructures and ensuring a reliable supply of electricity to their customers.”
The Ontario Energy Board, which regulates the industry in the province, has led an initiative for all utilities to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework, along with the ES-C2M2 maturity and Privacy By Design models, he noted. Toronto Hydro has been managing its cybersecurity practice in adherence to these standards for a number of years, he said.
“Other jurisdictions, such as Israel, have invested heavily on a national level in developing their cybersecurity capabilities and are seen as global leaders. I am confident that, given the availability of talent, capabilities and resources in Canada (especially around the GTA), if we get strong support and leadership at a federal level we can emerge as a leader in this area as well.”