Any widespread disruption of electricity, water or gas can have a huge impact on day-to-day life. Critical infrastructure must be failsafe, protected and resilient – failure is not an option! But today, cyber-attackers are increasingly focused on producing serious outages, leading to service failures and even risk to personal safety.
There is no shortage of news on security issues, such as data theft, privacy breaches and cyber-sabotage. A July 2017 incident, for example, led to 1.5 terabytes of data being stolen from HBO (a testament, no doubt, to the popularity of the Game of Thrones TV series!). Another recent example is the massive Yahoo data breach that was allegedly engineered by a Canadian and two Russian spies.
To respond to the increasing incidence of cyber security attacks, the Ontario Energy Board has developed and is now finalizing its new “Cyber Security Framework” (abbreviated here as OEB-CSF). The OEB-CSF helps Ontario’s Local Distribution Companies (LDCs) – the companies that distribute electricity over the “last mile” – increase their cyber maturity through the use of well-defined processes and standard controls, and achieve continuous improvement through auditing and reporting.
When the final version is published, the OEB-CSF documents may provide useful guidance to other organizations, both individual entities and specific sectors, that are looking to formalize and improve their approach to security and privacy.
The critical importance of security and privacy
The OEB seeks to ensure strong security and privacy practices in the Ontario LDCs. Security and privacy are core elements of any online business, but they are especially important when public safety and critical infrastructure reliability are paramount.
It’s hard to imagine that any modern system would be acceptable without a strong focus on security and privacy. This is especially true for cyber-physical systems that depend on applications which control service operation. For example, a self-driving car would not work without its associated software and GPS access. A power grid would either fail or degrade if its SCADA systems were not working. Most importantly, the exposure of personal information could lead to identity theft and safety concerns. Security and privacy have never been more important, or more critical, than they are in today’s cyber ‘Wild West’.
Not all aspects of security and privacy are equal. An unprotected text message is generally not as serious as a stolen bank password or as dangerous as a compromised power system. Most experts agree, however, that security and privacy should be designed into a system at the beginning, not bolted on afterwards. It is not sufficient to add fixes after a breach has occurred or to assume that there are no attackers looking for vulnerabilities.
For Ontario’s LDCs, a security or privacy failure could affect a broad swath of the public, and the risk of serious events is growing due to the integration of IT and operational technology (OT) in Smart Grid deployments of smart meters and in the online connection of customers and suppliers.
The OEB Cyber Security Framework
Responding to security and privacy threats has traditionally been an enterprise responsibility involving little or no community or sector-level collaboration. This is beginning to change – standards are being developed, governments are setting policies and oversight is being implemented at the industry level. The OEB activity is one example of this change.
The OEB is mandated by the government to ensure that the electricity distribution system in Ontario is resilient, well-protected and up to date from a technology perspective. In 2016, the OEB determined that security and privacy practices in the LDC community needed to be more objectively monitored and managed. The OEB-CSF was developed to track the LDCs’ improvement efforts and to provide metrics and milestones to confirm that progress was being made.
The OEB-CSF whitepaper (which defines the process) outlines four key actionable steps:
Create an initial baseline: The OEB developed a questionnaire, called the Risk Profile Tool, to establish a risk rating for each LDC (i.e., low, medium or high risk). The set of questions, which is the same for all LDCs, allows sector-wide aggregation and creates a common foundation that individual LDCs can compare against in order to assess their maturity. Many of the 46 questions would have to be modified for use outside the LDC community, but they can serve as a starting point.
Adopt a list of functions, characteristics and guidance: The OEB-CSF is based on the NIST standard with extensions from Ontario’s Privacy by Design guidelines. The control elements are divided into five major functions: Identify, Protect, Detect, Respond and Recover. Each function is further divided into Categories and then Sub-categories, with each Sub-category supported by Informative References. The result is a valuable reference for security and privacy topics that does not dictate how the controls are to be implemented.
Define a maturity model for assessing progress: An important part of the OEB-CSF process is monitoring progress against implementation goals. Four Maturity Indicator Levels (MIL) have been specified: Not performed (MIL0), Initiated (MIL1), Repeatable (MIL2) and Managed/adaptive (MIL3). The initial target for the LDCs is set at MIL1. Once MIL1 has been achieved, further improvements will be required (i.e., from MIL1 to MIL2/3) over time and where appropriate. This maturity model is applicable to any industry that wishes to set targets for implementing security controls.
Establish an audit and reporting methodology: The OEB process would not be complete without metrics and reporting to support monitoring and process improvement. Initially, a self-assessment questionnaire is completed by the LDCs and submitted to the OEB. In the future, this may be enhanced by more formal audits with a “central compliance agency.”
Implementing the OEB-CSF
One approach to implementing the OEB-CSF would be the “do it yourself” method, which may be suitable for LDCs that are technically advanced and are well-staffed with security experts.
Another option for many LDCs would be partnering with external security specialists who have experience with the OEB-CSF and the NIST standard. Some of the Sub-category controls, such as an asset management system, could also be implemented using Security-as-a-Service offerings, if provided by the partner.
According to John Menezes, CEO of Canadian Security-as-a-Service provider Stratejm Inc., the trusted partnership approach offers many benefits to the LDCs. But most importantly, it helps to address new threats that the integration of IT and OT systems can create. He believes that cloud-based services could also be the most cost-effective way to kickstart the journey to OEB-CSF compliance. Menezes noted, “security-as-a-service providers can help fill out the questionnaire objectively, can offer broad industry experience in applying the controls and can supply security services that accelerate the implementation of the OEB-CSF.” He added that “there’s nothing so unique about the OEB framework (or the NIST standard) that it could not be adapted for use in other sectors, especially when a community-based effort is important.”
The bottom line
Security and privacy have become increasingly important in a volatile world. A concerted community-based program to achieve greater cyber maturity is beneficial to everyone, but is especially important for critical infrastructures.
Publication of the OEB Cyber Security Framework and the process it espouses is a significant milestone in developing a cyber security approach for Ontario’s LDCs. However, this process can serve as a model for any organization that wants to enhance its security and privacy preparedness. Partnering with a security service provider can serve as a valuable option for kickstarting a security modernization program when time is short or internal expertise is lacking.