Protecting Privacy of Personal Information and the Reliable Operation of the Smart Grid in Ontario
The project was an item in the Ontario Energy Board’s 2016-19 Business Plan and its completion resulted in a policy framework that covered all of Ontario’s licensed electricity utilities. The industry-developed Ontario Cyber Security Framework was published in late 2017 and regulatory obligations were established in early 2018. These obligations include a requirement for interim reporting by all licensed electricity utilities in Ontario on their cyber security assessment(s) and progress within three months. An annual certification of cyber security capability will be launched this year.
By establishing a framework with consistent criteria, the OEB and consumers will have greater confidence that security risks are being properly managed.
Context and challenges
The Ontario Energy Board (OEB) is the independent regulator of Ontario’s electricity and natural gas sectors. It protects consumers and makes decisions that serve the public interest. Its goal is to promote a sustainable and efficient energy sector that provides consumers with reliable energy services at a reasonable cost. The OEB consists of full and part-time Board members and approximately 180 management and staff.
Cyber threats are growing in our modern world, and energy infrastructure is a target. As technology evolves, so do technological threats. The energy sector’s growing reliance on new technology and automation, along with both a growing number of third-party service providers and entities that interface with power systems, increases the sector’s exposure.
Because there is no global ‘one size fits all’ cyber security standard established for the non-bulk transmission and distribution electrical system, the OEB consulted with industry, the system operator and energy stakeholders to develop a ground-breaking comprehensive Ontario Cyber Security Framework for the local non-bulk transmission and distribution system.
The objective was to work with stakeholders to create and implement the first ever cyber security framework for the local non-bulk transmission and distribution system. This objective is in keeping with the OEB’s mandate to protect the safety and reliability of the energy supply and to ensure the privacy of consumers.
A three-pronged approach was used:
- Researching current standards and best practices.
- Contracting cyber security and privacy consultants with utility sector experience to help develop a draft framework.
- Launching a policy consultation with key stakeholders.
Collaboration was key, since the framework requires utilities to provide follow-on reporting against this common peer-developed reference framework.
Two consultative bodies supported the initiative: a steering committee of senior executives and a working group of subject matter experts. Facilitation supported all consultations over an eight-month period from May to December 2016. This involved meetings, surveys and collaboration between the facilitator and internal and external subject matter experts.