A new Cybersecurity Framework is coming to Ontario

The Ontario Energy Board is leading the development of a new Cybersecurity Framework for Ontario’s energy distribution sector. When launched, it will impact Ontario’s electricity and gas distributors first, but will clearly have implications for virtually everyone who interfaces with the electricity distribution network. Many observers see updating the cyber security and reliability of Ontario’s power system as one of the most important initiatives in recent years. The new framework is intended to further protect consumers by strengthening the privacy and security of customer data. Recognising the complexity of cyber security (CS) challenges and the need to have a common and inclusive user framework, the OEB has established an extensive multi-phase review and policy consultation process.

          The OEB is working with the distribution sector – both gas and electricity – to ensure the industry and all its stakeholders “understand their responsibilities to further protect the privacy and security of customer data, and the reliable operation of the grid.” The Board notes that, “By developing a common framework energy distributors can share learnings and leverage best practices.”

Graphic courtesy of Electric Energy Online www.electricenergyonline.com

The OEB has laid out a three-phase approach to finalizing the cyber security framework. Each phase is uniquely focused on the framework implementation by each group of regulated entities:

Phase 1 includes the release of a draft framework by the end of 2016 with a request for comments and feedback from electricity distributors. This input will be used to refine the framework into its final form for electricity distributors to implement. The final framework will be published in Q2 2017, supported by necessary OEB code changes, and electricity distributor licensing and reporting requirements.

Phase 2 will commence in Q2 2017 by initiating a policy consultation for generators, aggregators, retailers, marketers, unit sub-meter providers and sector suppliers (“3rd Parties”) who are linked and interact with both the operating and business networks of electricity distributors.

Phase 3 of the project will commence in Q1 of 2018 with a focus on extending the framework to include Ontario’s gas distribution system.

Much of this work is informed by the wide-ranging U.S. cyber security initiative known as “CIP5,” short for “Critical Infrastructure Protection version 5,” implemented by the North American Electric Reliability Corporation. For details of that process, see the NERC website and the article “NERC CIP 5 reliability requirements extended to 32 more Ontario generators,” IPPSO FACTO November 2014. Building upon the NERC groundwork, the OEB has also referenced the comprehensive NIST (National Institute of Standards and Technology) standards and methodology.

          The OEB expects Ontario’s energy distributors to leverage national and international cyber security practices as they are developed. Ontario’s final cyber security framework will be implemented through code and license requirements, building on ones that already exist to protect consumers and the system, and will also provide tools to support utilities in its implementation.

          Although the responsibilities for implementing key elements of the framework are distributed amongst many of the key players in the sector, the OEB is the lead agency responsible for developing and enforcing it.

“We want to help stakeholders understand their role and our expectations of them, in protecting the privacy and security of customer data, and ensuring that the steps they take protect the reliable operation of the grid, through this framework. By developing a common framework that addresses the elements of defense-in-depth cyber security posture (including Identification, Protection, Detection, Response and Recovery) distributors can develop their strategy, and share experiences across the sector,” says Stuart Wright, the OEB’s lead in charge of the cyber security project.

          The OEB’s goal is to establish a risk-based approach to ensure that cost efficient protection is seamless and consistently applied across the entire electrical energy sector from the bulk power system right down to individual consumer privacy.

The regulatory process began in a formal sense on February 11 when the OEB launched a policy consultation titled “Protecting Privacy of Personal Information and the Reliable Operation of the Smart Grid in Ontario” (EB-2016-0032). The initiative grew in part out of the work of the Smart Grid Advisory Committee. The initial focus of the policy consultation was to “establish a common framework referencing recognised industry standards, policy guidelines and auditing requirements; to further define the requirements for meeting their licensing obligations for system reliability and consumer privacy in a cost efficient manner.”

          As part of this consultation, the OEB has initiated a number of surveys and research projects to better understand the current situation regarding cyber security activities and knowledge. One finding concludes that where cybersecurity is embedded into the governance and risk structure of a distributor, the traditional utility goals of operational reliability and safety are reinforced through a consideration of cyber threats on the business, and its investments.

The OEB has also established two consultative bodies to support the consultation initiative: a steering committee of senior executives to help define and guide the scope of the framework, and a working group of subject matter experts. The steering committee includes representatives from Hydro One, Toronto Hydro, Oshawa PUC, Enbridge, Gowlings, IESO, EDA, Hydro Ottawa and the University of Toronto. The working group includes representatives from the Ministry of Energy, EDA, ESO, IESO, 25+ distributors representing small, medium and large LDCs and natural gas.

          The OEB stresses that it is looking to establish a “timely feedback process towards ensuring a transparent Cybersecurity consultation with measurable results,” with goals of informing, consulting and involving the industry, and achieving “sector-wide sharing of actionable responses to cyber incidences.”

          The working group held a workshop in June 2016 to assess the current cyber posture of the distributor community, by ‘size’. Several key learnings emerged:

• Large distributors, in both electricity and natural gas, have implemented cyber security strategies and developed significant cyber security postures.

• A sector-wide systemic sharing of actionable responses to cyber incidences is desired, to complement opportunities provided by the IESO’s Distribution Cyber Security Group and Forum.

• A significant number of distributors have performed audits and penetration testing to understand their current readiness.

          A second sector-wide LDC survey is expected to be sent to all distributors in the near future.

Ontario’s cybersecurity framework will include references and linkages to recognized industry standards, OEB codes, licenses and applicable reporting requirements. The tools the OEB anticipates using include: reporting mechanisms, risk assessment methods, and minimum established requirements. The planned draft framework as it applies to distributors, to be released at the end of 2016 for comment and for issue in Q2 2017, will include reference to a separate document enumerating the minimum requirements distributors will have to meet.

          For over a decade the energy industry, world-wide, has been working to ensure the necessary processes and practices are in place. As the sector learns more about what needs to be done it has moved to setting mandatory requirements. Mr. Wright concludes, “It is clear to the OEB, LDCs, the IESO, governments, ministries, 3rd parties including suppliers and customers that cyber security actions of this nature are critical to protecting and securing both consumers and the energy system on which they depend.”