Cyber-Security Risks

September 28, 2022

Like every business and most individuals these days, NOTL Hydro is exposed to cyber security risk.  Cyber security risk is the risk that a third party could gain access to, and potentially control of, your information technology systems.  This risk comes in many forms:

  • A third party could get access to confidential information on your systems.  The biggest risk in this respect is that the third party could get access to customer data and try to use it for identity theft.  There is also the risk of access to company information, though there is not much of what we have and do that can be considered confidential beyond employee information.
  • Ransomware is a growing risk.  Ransomware is an attack by a third party whereby they use software to take over your systems and deny you access.  The only way you get access back is by paying the ransom, usually in a cryptocurrency for anonymity.
  • A third party could also engage in various forms of mischief if they gain access to our systems.  This could include sending improper communications to customers or even trying to affect the NOTL Hydro electrical system itself.

The requirement to manage cyber security risk properly arises in several ways.  First, as a business engaged in providing an essential service, it is incumbent upon us to operate in a manner that protects our customers; this includes the records of our customers that we maintain.  As part of carrying out their duty, our Board requires that we demonstrate what we are doing to manage cyber security risk.  Second, our regulator, the Ontario Energy Board (OEB), is also very concerned that participants in the Ontario electricity sector are managing this risk in an appropriate way.  NOTL Hydro has reporting and attestations that need to be provided to the OEB on a regular basis.  Finally, key providers of services such as the banks and insurance companies are requiring strong cyber security risk management as a condition of providing their services.

NOTL Hydro is a relatively small company.  We do not have an IT department or information technology experts in-house.  Instead, we achieve the necessary controls and oversight in the following manner.  First, one of the staff has been charged with being responsible for IT security.  While this staff person is not an expert, they are fully capable of liaising with the experts we have available and of ensuring their services are utilized and their recommendations are implemented.  Having one person responsible also makes sure this important part of our business does not fall through the cracks.

Second, NOTL Hydro does use the services of a third-party supplier to manage our IT environment.  The staff at this company are all IT experts.  This includes managing and monitoring our security, managing all our IT equipment and ensuring we have the latest and most appropriate software services.  This company has recently begun providing these services to other hydro companies.  It can only help us as they gain more knowledge about our industry and the cyber security challenges within it.

Finally, NOTL Hydro uses the services of a cyber security expert to monitor all our protection.  In particular, this person monitors the level of service provided by our IT service supplier.  This may seem redundant, but this individual knows the questions to ask and the things to look for in a way none of the staff at NOTL Hydro would.  The person is also the former Chief Information Officer of the Canadian operations of a large, recognizable international company.  This individual provides similar services to three other hydro companies.

In addition to the services above, NOTL Hydro has taken a number of actions to reduce the cyber security risk.

  • Staff training has increased.  Staff are generally considered the first and key line of defense.  Many successful cyber security attacks have been made possible by getting staff to inadvertently provide valuable access or information through “phishing” attacks.  This training focuses on getting staff to understand the risks and how to avoid falling victim to these attacks.
  • There are various controls and policies that staff must follow which are designed to help keep our IT systems safe.  These include password rules and severe restrictions on any unauthorized hardware being connected to our IT system.
  • Our customer data has been cleansed of unnecessary information.  For instance, we used to have driver license information on file from when new customers opened their accounts.  These have all been deleted.
  • We conduct an audit on our IT systems every 2-3 years.  These audits, run by an independent organization, test the cyber security of our IT systems and detail the areas in which improvement is needed.  They provide vital information for the next steps in managing the IT systems and, when performed more than once, provide evidence as to whether cyber security is improving.
  • Parts of the NOTL Hydro IT systems are isolated from other parts.  This is not easy but it is possible in certain situations.  When isolated in this manner, a breach in one system will not affect the other system.
  • Technologies are constantly evolving in cyber security protection.  Our supplier and consultant try to ensure we have the most appropriate technology.  This is necessary as the underlying technologies themselves are constantly evolving as are the capabilities and practices of the cyber-criminal community.
  • The IESO operates a cyber monitoring service, which NOTL Hydro has joined.  This service monitors the cyber security landscape within the Ontario electricity sector and provides advisories and intelligence.
  • Our IT supplier has detailed back-up procedures for all our data.  These are monitored by our IT consultant.  If NOTL Hydro is breached the losses can be minimized.

The mantra in the cyber-security industry seems to be that it is “when” you are hacked and not “if”.  If we are hacked and any customer data is compromised, we will let our customers know and not seek to hide this fact.  As a good business practice, we are doing what we reasonably can to avoid the “when” while still preparing in case it does happen.