Ontario’s institutional and legal structure for managing cyber security in the electricity sector reached an important milestone when its policy officially came into force in March 2018. At the same time, several related processes that have been under development for more than two years are close to resolving further foundational elements. APPrO President Dave Butters observes that “The main building blocks of Ontario’s Cyber Security Framework (Framework) are now in place, and longer-term processes are now in operation that will, along with key agencies and market participants, work on refinements and keep the development moving forward.”
From the IESO Cyber Security Forum Playbook on Malicious code
Development of the Framework began soon after the Ontario Energy Board issued a letter on February 11, 2016, outlining plans for an initiative that would include changes to regulatory codes, setting objectives, and facilitating collaboration and information sharing amongst the relevant agencies and parties. Since that time, extensive consultation was undertaken, and the structure now in operation was designed and developed. In principle, a three-tier structure is now in place for managing Cyber Security in Ontario:
1. The Cyber Security Advisory Committee (CSAC)
• To facilitate the establishment of a sector governance committee to manage the evolution of the framework
• Foster industry-specific intelligence with appropriate controls and agreements in place
• Comprising industry peers, LDC, Transmitters and Distributors, EDA, USF, CHEC, The Mearie Group, academia and other energy stakeholders including the OEB and IESO
• Evolved from the earlier group, the OEB’s Cyber Security Working Group.
2. The Cyber Security Information Forum (CSIF)
• To share experience and knowledge in order to improve sector cybersecurity
• Encourage the formation of communities, develop information sharing, and support computer emergency response teams (CERTs)
• Comprising licensed entities, technical experts, and other stakeholders
• Evolved from the existing IESO Cyber Security Forum.
3. Sub-sector working groups and task forces
• Numerous examples already in operation and under development
• These include a working group for natural gas and another for waterpower.
The industry-led CSAC is responsible for the roll-out of the Framework and for advancing education across the sector. As an example, in the near future it is expected to take an ownership position on the critical evolutionary aspects of the Framework, similar to EBT (Electronic Business Transaction) standards and Regional Planning. Aspirationally, the OEB envisions the establishment of a Central Compliance Authority (CCA) that will also be industry driven.
The IESO Cyber Security Forum (Forum) has made initial strides establishing a level of expert dialogue between key energy stakeholders. It meets on a semi-annual basis but could become more formalized. The OEB is looking to the proposed CSIF to evolve existing processes for information-sharing with regulated entities. One of the successful products has been the development of a series of Playbooks that provide guidelines on how to prepare for and manage specific types of security incidents.
Stuart Wright, the OEB’s lead Cyber Security expert, notes that some of the OEB’s key process objectives are already being met. “It’s clear that the new processes have promoted awareness, information sharing, and cooperation. Participants are benefiting from learnings acquired through the work done by others.”
However, the implementation of more formal requirements is also underway. Amongst the regulatory changes instituted by the OEB are new rules obligating licensees to provide a certification report of their “cyber posture.” Under the Transmission System Code and Distribution System Code, Ontario wires companies are now required to assess their readiness for cyber security threats and provide certification reports to the OEB annually. The first round of interim cyber security self-assessment reports is due by June 15, 2018. Mandatory annual self-certification requirements begin next year, starting on April 30, 2019.
These reporting requirements apply to regulated entities, and as such generators are not directly affected. However, the rules are expected to evolve and may affect generators in the future. Some generators that already have to meet requirements under NERC regulations are likely establishing capabilities consistent with many of the new expectations. The Ontario Waterpower Association (OWA) has organized its own task force to examine how the Framework would apply in a generation context. Others may follow suit.
Mr. Wright notes that much of the current infrastructure is aging and needs to be constantly evaluated and updated to reflect the trend toward the Internet of Things (IoT) and the rising risks associated with interconnection with the digital grid, including Distributed Energy Resources (DERs). “The transformation of traditional energy networks to smart grids revolutionizes the energy industry in terms of reliability, performance, and manageability by providing bi-directional communications to operate, monitor, and control power flow and measurements.” Communication networks in smart grid configurations bring increased connectivity “with increased severe security vulnerabilities and challenges.”
Clearly, the initiative is already prompting interagency discussion and collaboration. It appears the process is well on its way to meeting the longer-term goals of achieving maturity and uniformity of practice across Ontario’s energy sector.
For more information, visit the OEB and IESO websites (search for Cyber Security and Cyber Security Forum).