Soft Cybersecurity Measures and Ontario's Critical Electricity Sector

Ontario's 65 active local distribution companies (LDCs), which are responsible for supplying energy demands from the commercial, industrial, and residential sectors, are expected to provide their cybersecurity and privacy reports to the Ontario Energy Board (OEB) by April of 2019. When it comes to cybersecurity matters, the electricity sector is of utmost importance. The reports in question are measured against the "soft", industry-shaped Ontario Cyber Security Framework (OCSF), which is largely based on the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework and on a stand-alone data privacy protection standard based on the "privacy by design" concept of Ann Cavoukian, former Information and Privacy Commissioner of Ontario.

The OCSF lists a number of suggested security controls and a methodology that lets organizations cross-reference their own risk levels, so that they can identify and assess their own cybersecurity capabilities relative to the suggested controls. In 2018, the OEB compelled Ontario energy distributors to complete an "interim readiness report", asking CEOs to attest that, at a minimum, they had read the OCSF and had assigned resources to report on the status.

The OCSF itself, however, remains a "soft" measure to protect Ontario's vital electricity sector in that it only requires energy distributors to report on their cybersecurity capabilities rather than requiring them to comply with a list of obligations and best practices. This "soft" spot, however, is not viewed as a weakness by the Cyber Security Advisory Committee, an industry-led group that will assist energy distributors in Ontario in complying with their reporting obligations. The rationale is that the OCSF was developed and shaped by the industry itself.