Cybersecurity framework

In Canada, the Ontario Energy Board (OEB) issued a whitepaper discussing the cybersecurity framework it has developed to help provincial utilities mitigate the risk of cyber-attack.

The paper was compiled by AESI and is the conclusion of five whitepapers commissioned by OEB in developing a cybersecurity framework. It highlights utility efforts to improve cybersecurity portfolios and comprises recommendations forwarded to OEB towards the development of statewide cybersecurity standards and a roadmap for the state’s local distribution companies (LDCs) to implement cybersecurity programmes.

The paper is a compilation of findings from research conducted to understand the state’s energy landscape and utility knowledge of cybersecurity. It analyses the risks, advantages and disadvantages of implementing various cybersecurity frameworks. AESI worked with DLA Piper and Ritcher in conducting research into the nature of cybersecurity in Ontario and in developing the cybersecurity framework.

The cybersecurity framework explained in the paper has been in development since January 2016, when the OEB called for a consultation on the development of new cybersecurity standards after recognising an increase in cyber-attacks on the grid network due to increases in smart grid deployments.

AESI, DLA Piper and Ritcher claim they interacted with the Cybersecurity Working Group and the Cyber Security Steering Committee in developing the framework.

The Cybersecurity Group consists of local energy transmission and distribution system operators.

According to the paper, the Ontario Energy Board adopted the cybersecurity framework developed by AESI, which draws on a framework developed by the US National Institute of Standards and Technology (NIST) and insights from the Department of Energy’s Cybersecurity Capability Maturity Model.

Cybersecurity framework

In deploying a cybersecurity project, the first phase of the framework recommends that LDCs implement a Risk Profile Tool with which they identify their risk of cyber-attack. The risk assessment should be based on the organisation’s size, maturity and capability.

By identifying a risk profile, energy providers are then able to establish security and privacy control measures using the NIST cybersecurity framework.

The framework includes the use of a Cybersecurity Exchange initiative, funded by the energy stakeholders, through which utility firms and solutions providers interact and exchange their technical resources, information and experiences in deploying security control initiatives.

The Cybersecurity Exchange will provide training, threat remediation advice, guidance and platforms for LDCs to liaise with other organisations in North America.

According to AESI, the Cybersecurity Exchange reduces the cost of cybersecurity projects through sharing, since financial and human resources are currently constrained in Ontario.

The framework includes LDCs implementing a metrics reporting scheme which they can use to monitor their progress at various stages of the cybersecurity programme. For instance, the completion of a self-assessment questionnaire in stage one would help LDCs understand their progress and compliance with the NIST security controls framework.

Stage one would help LDCs to develop a baseline of security controls matching their risk profiles.

Stage two will begin with LDCs weighing the status of their security control initiatives. The assessments will aim to measure how successful the security controls were in reducing the risk of cyber-attack.

 
