VAUGHAN, Ont. – The federal and provincial governments have been urging critical sectors of the economy to toughen their cybersecurity defences for at least the last eight years. However, while organizations have been working on boosting information security, there are few ways in which that progress has been publicly measured.
Ontario’s energy regulator, the Ontario Energy Board (OEB), will soon have a rough yardstick for one part of the vital electricity sector: By the end of April the province’s 65 local distribution companies (LDCs), which send power to homes and businesses, will have to report on their cybersecurity and privacy maturity.
They will have to fill out annual Readiness Reports on their cyber and privacy status measured against what is called the Ontario Cyber Security Framework, which is largely based on the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework, and against a separate data privacy protection standard based on Privacy by Design. Companies would then have to recommend a set of cybersecurity objectives appropriate for that level of risk.
Like NIST, the Framework lists a series of suggested security controls and a methodology for measuring an organization’s risk level against them. A self-assessment tool allows companies to identify their capability relative to the suggested controls.
In a 2017 report, board staff said “self-certification will provide the OEB with confirmation that a distributor has assessed its risk, established cyber security objectives and assessed its current capability in meeting those objectives.”
In part to show it means business, the OEB last June required distributors to fill out an interim readiness report asking CEOs to attest that they had at least read the Framework and assigned resources to report on their maturity.
According to Catherine Ethier, an OEB policy advisor, no other province has such a maturity reporting requirement for power distributors.
Note the distribution companies aren’t mandated by the OEB to comply with the Framework, only to report how they rank themselves against it. Nor is there any indication the OEB will make these self-assessment reports public so Ontario residents can see the progress, although it may report generally on what it concludes.
In a letter sent six weeks ago to distributors, the OEB — which has to approve their licences — said the information in the reports “will be used to both assess the sector and individual licensee’s state of readiness in order to determine if any further action is necessary.”
In an interview Wednesday the co-chair of the Cyber Security Advisory Committee, an industry-led group which will help companies comply with the reporting obligation as well as hone the framework, said the fact utilities don’t have to comply with the Ontario Framework isn’t a weakness in part because the Framework was shaped by the industry.
“The whole establishment of the working group [which preceded the CSAC] I believe was (from) the board not getting a sense of the cyber readiness of the industry, and [it] needed some sort of mechanism to help them understand,” said Ken Craft, director of IT security and risk at Alectra Utilities Corp., one of the biggest electric distributors in the province.
It was also “to bring the industry together to develop this framework to help it understand what their obligations are from a best practices perspective.”
Still, there’s some uneasiness with the new reporting requirement. For example, Craft said, some bigger utilities that have to comply with the North American Electric Reliability Corporation (NERC) standards, which go well beyond the Framework, feel that should be enough to satisfy the OEB. So far the board hasn’t agreed. He acknowledged that the NERC standard isn’t quite the same — it doesn’t include privacy protocols to be followed.
And, Craft admitted, “there are different camps that feel very supportive [of the Framework], and there are others that ask ‘What’s the incentive? It’s not being mandated.’ It’s a burning question that continually comes up — is the OEB at some time in the future going to mandate that all LDCs need to comply? That hasn’t been answered yet.”
When one attendee asked what the incentive is for distributors to measure their maturity against the Framework, Craft replied, “We are all interconnected through the [electric] grid, we are only as strong as our weakest link. If one utility isn’t going through the process to implement this, it could be used as a backdoor to one of us. The fact that OEB isn’t mandating it, I would put out the challenge to each of us: It is an obligation to protect the privacy of information and the availability of the grid.”
He also suggested companies that insure distributors will be very interested to see the readiness reports.
In an interview at the conference, David Leonce, acting CEO of Westario Power Inc., which provides power to some 23,000 customers in small communities in the Niagara area, said the Framework “provides us with a guide, some of the best practices we can implement to control the risk around cyber security.” It mirrors some of the policies at his utility, he said.
Asked if complying with the Framework should be made mandatory, he said “the Framework is a step in the right direction. In terms of making it mandatory, after the first reports we may see some changes within the Framework, whether it’s from the organization itself (Westario) or the Cyber Security Advisory Committee. And if these changes best satisfy the needs of all distributors …. then I see no reason for it not to be mandatory.”
The Cyber Security Advisory Committee members include Toronto Hydro, Hydro One, Westario Power, Alectra, Waterloo North Hydro, Burlington Hydro and many other distributors.
Also, as part of its strategy, the OEB has told the Independent Electricity System Operator (IESO), the Crown corporation responsible for operating Ontario’s bulk electrical system, to help share cybersecurity threat information with the distributors.
On Thursday, Robert Gordon, executive director of the Canadian Cyber Threat Exchange, told the conference that, working with the IESO, it has already set up an energy sector section on its platform for data and information sharing.
The OEB was asked whether the maturity reports will be made public and why it doesn’t require companies to comply with the framework. It hadn’t responded by press time.