On March 15, 2018, the Ontario Energy Board issued a Notice of Amendments to the Transmission System Code (TSC) and Distribution System Code (DSC) to implement cybersecurity policy objectives that were set out in the OEB Staff’s June 2017 Report on a Cyber Security Framework. The amendments require transmitters and distributors to provide the OEB with information on the actions they are taking relative to their cyber security risks.
As we explained in a previous post, the OEB Staff Report and the Cybersecurity Framework White Paper that was issued at the same time set out a proposed Framework which is intended “to provide oversight and validation of the Cyber Security measures taken by distributors and transmitters for non-bulk assets in Ontario for the protection of consumer privacy and the electricity system infrastructure.” The Framework identifies best practices that should be built into Ontario’s smart grid to ensure reliability and consumer protection, and lays out a number of self-assessment tools to assess risk profile and preparedness at the local distribution company (LDC) and transmitter level. The Framework relies on LDC and transmitter self-assessment and self-certification to ensure that best practices are uniformly applied across Ontario’s energy sector. Importantly, the OEB Staff Report includes proposed LDC reporting requirements intended “to provide measurable assurance to the OEB, that Ontario’s electricity distributors address cyber security risks based on a consistent approach and criteria in order to meet their reliability, security and privacy obligations.”
Over the past months, the OEB has sought and received comments from stakeholders about the Framework and proposed reporting and self-certification requirements (set out in a December 2017 Notice). The relevant documents are set out on the OEB’s policy consultation webpage.
In response to comments received, the OEB has made some changes to its earlier proposals, but has maintained most of what has been proposed in the Framework and associated reporting requirements. The new provisions of the TSC and DSC (which are in force immediately) require licensed electricity utilities “to report to the Board on the status of cyber security readiness referencing the Cyber Security Framework at such times and in such a manner as may be directed by the Board.” The OEB will require an interim progress report in three months (by June 15, 2018). The form of the interim report is attached to the OEB’s December 2017 Notice. The OEB has indicated that “this initial report will ensure all licensed transmitters [and distributors] have reviewed and understood the Framework, and are taking steps to assess their cyber security readiness against the Framework.” The Board will hold all reports received in confidence, since they will contain sensitive information. Going forward, LDCs and transmitters will be required to self-certify cyber security capability on an annual basis. Presumably, the required form of self-certification will be provided in the coming months, after the initial reports have been received and reviewed.