OEB’s cyber security standard: A step-by-step guide to compliance

August 14, 2024


With the October 1 deadline approaching, Ontario’s energy and utilities companies must comply with OEB’s cyber security standard.

Seyed is an MNP Digital Partner based out of Toronto. With nearly two decades of cyber security and information technology experience, Seyed helps clients with their cyber security and privacy risks, governance models, frameworks, and technologies.

Chris is an MNP Digital Partner based out of Vancouver. With an extensive technical background and more than 25 years of IT and cyber security experience, Chris brings a keen understanding of company IT infrastructure, and demonstrated excellence in identifying risk and emerging issues to his role.

With the October 1, 2024, compliance deadline close at hand, Ontario’s energy and utilities companies have no time to waste in meeting the amended Ontario Energy Board (OEB) cyber security standard.

This updated standard aims to bolster the cyber security posture of energy and utilities companies, ensuring the protection of sensitive data and maintaining the integrity of their operations.

Recently, advisors in the field delivered a webinar on this topic titled Three months! Concrete steps to achieve compliance with OEB’s Cyber Security Standard, in which they outlined the actions your business needs to take to be compliant by October.

Now, let’s break those insights down into a concise guide to help you navigate this changing landscape.

What is the OEB cyber security standard?

The standard, which was introduced in March 2024, builds upon the board’s existing cyber security framework (OCSF), which is based on the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

The new standard mandates compliance with several requirements, including a subset of the OCSF controls, that aim to effectively manage cyber risks. There are currently 120 controls that exist under this framework.

To be compliant, your company needs to meet three requirements:

1. Lighthouse service

Lighthouse is a cyber security situational awareness and information sharing service provided by the Independent Electricity System Operator (IESO). Prior to the October 1 deadline, transmitters and/or distributors will need to be registered for this service, complete with a secured connection.

2. OCSF compliance: Maturity Indicator Level 2 (MIL2)

Of the 120 controls outlined in the OCSF, there are eight specific cyber security-related controls your company needs to be compliant with, in accordance with MIL2 as described by the OCSF. To meet this requirement, your organization must implement and report on your implementation of these controls. The OCSF has described what each level means and what it takes to reach various MILs when implementing each control.

3. OCSF compliance: Privacy

Your organization must comply with seven privacy-related controls within the framework. This includes implementing and reporting on the implementation of these controls. No MIL has been defined for privacy-related controls.

Why is this standard important?

Cyber threats are becoming increasingly sophisticated, targeting everything from critical infrastructure to your grandmother’s email account. And for Ontario’s energy and utility sector, these threats come with the potential to cause widespread disruption and damage.

By adhering to the OEB’s standard, your company can help protect the sector against cyber crime, ensuring the continuity and reliability of energy infrastructure.

Additionally, compliance with the updated standard can help build customer and stakeholder trust due to your dedication to safeguarding data and maintaining robust privacy and security practices.

How do I ensure my company is complying with these new requirements?

Your energy or utilities company must report on your cyber security compliance based on the OEB’s reporting and record keeping requirements (RRR). Typically, reports need to be submitted by April for the past year. However, if you have not reported compliance in April 2024, you must submit an interim report within the month of October to demonstrate your company was compliant as of the October 1, 2024, deadline.

The report includes 15 questions for you to answer. Of those 15, there are four questions that you must answer positively to demonstrate you’ve implemented the mandatory cyber security controls. Those questions are:

  • Does your organization have a corporate privacy and cyber security governance program in place?
  • Is the utility’s board of directors involved in the cyber security risk management process?
  • Based on your organization’s risk profile, do you have privacy and cyber security risk identification and risk prioritization processes in place to support your operational risk decisions?
  • Has your organization completed its onboarding into the IESO information sharing services program known as Lighthouse?

Furthermore, your organization will need to address several critical privacy requirements. Here are the seven key components:

Asset management

  1. The organization can identify personal information or customer proprietary information in its custody or control, its authority for the collection, use and disclosure, and the sensitivity of such information
  2. Responsibility for the privacy management program is established

Governance

  1. A policy for the collection, use and disclosure of customer personal and proprietary information, including consent and notification requirements, is established
  2. A policy for the retention and disposal of customer personal or proprietary information is established
  3. Governance and risk management processes address privacy risks

Risk assessment

  1. Activities and processes that involve the collection, use or disclosure of personal or customer proprietary information are identified

Risk management strategy

  1. Privacy impacts are considered for new processes, technologies or activities

By implementing these controls, you can make sure you’re meeting the OEB’s cyber security standard, as well as protecting sensitive information and maintaining compliance.

How can I make sure I meet the compliance deadline?

Here’s the thing: there’s no time to waste. October 1, 2024, is only weeks away.

And there are challenges many companies may be up against, such as tight timelines, a lack of sufficient internal resources, or being unprepared to approach implementation. Each of these challenges can make meeting the upcoming deadline seem even more daunting.

To combat these challenges, consider the following step-by-step breakdown to ensure your organization is compliant as soon as possible.

Step 1: Assess

Examine your capabilities against the standard requirements and identify any gaps.

Estimated duration: Two weeks

Step 2: Plan

Build an action plan based on the assessment, making sure it accounts for change management, project management, and transformation needs.

Estimated duration: Two weeks

Step 3: Implement

Implement the missing controls based on the required MIL. Make sure you remain focused and tactical while also considering potential future standards and sustainability.

Estimated duration: Six to eight weeks

Step 4: Maintain

Take a future-forward approach to stay ahead of current and upcoming compliance requirements.

Estimated duration: Ongoing

Interested in learning more?

You can watch the full on-demand webinar, where we dive deeper into the requirements, how to get compliant, and what you can do to accelerate everything within your own organization.

The time to act is now

As an Ontario energy and utilities company, the urgency to achieve compliance with the OEB cyber security standard can’t be overstated. With the October 1 deadline fast approaching, it’s imperative that you take immediate action.

The good news is that the experienced advisors at MNP can help. Our team can provide you with the guidance and approach you need to not only meet compliance requirements, but to help you plan for the future of cyber security.

Reach out to our cyber security team to learn more or to get started.

Connect with us to get started

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.