team collaborating in a modern office

OEB’s cyber security standard: A step-by-step guide to compliance

OEB’s cyber security standard: A step-by-step guide to compliance

Synopsis
5 Minute Read

With the October 1 deadline approaching, Ontario’s energy and utilities companies must comply with OEB’s cyber security standard. This standard aims to enhance cyber security by mandating specific controls and reporting requirements.

This article provides a concise guide to navigating these requirements, ensuring your organization meets the deadline and secures its operations.

With the October 1, 2024, compliance deadline looming around the corner, Ontario’s energy and utilities companies don’t have time to waste meeting the amended Ontario Energy Board (OEB) cyber security standard.

This updated standard aims to bolster the cyber security posture of energy and utilities companies, ensuring the protection of sensitive data and maintaining the integrity of their operations.

Recently, advisors in the field delivered a webinar on this topic titled Three months! Concrete steps to achieve compliance with OEB’s Cyber Security Standard, wherein they outlined the necessary actions your business needs to take to make sure you’re compliant come October.

Now, let’s break those insights down into a concise guide to help you navigate this changing landscape.

What is the OEB cyber security standard?

The standard, which was introduced in March 2024, builds upon the board’s existing cyber security framework (OCSF), which is based on the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

The new standard mandates compliance with several requirements, including a subset of the OCSF controls, that aim to effectively manage cyber risks. There are currently 120 controls that exist under this framework.

To be compliant, your company needs to meet three requirements:

  1. Lighthouse service
  2. Lighthouse is a cyber security situational awareness and information sharing service provided by the Independent Electricity System Operator (IESO). Prior to the October 1 deadline, transmitters and/or distributors will need to be registered for this service, complete with a secured connection.

  3. OCSF compliance: Maturity Indicator Level 2 (MIL2)
  4. Of the 120 controls outlined in the OCSF, there are eight specific cyber security-related controls your company needs to be compliant with, in accordance with MIL2 as described by the OCSF. To meet this requirement, your organization must implement and report on your implementation of these controls. The OCSF has described what each level means and what it takes to reach various MILs when implementing each control.

  5. OCSF compliance: Privacy
  6. Your organization must comply with seven privacy-related controls within the framework. This includes implementing and reporting on the implementation of these controls. No MIL has been defined for privacy-related controls.

Why is this standard important?

Cyber threats are becoming increasingly sophisticated, targeting everything from critical infrastructure to your grandmother’s email account. And for Ontario’s energy and utility sector, these threats come with the potential to cause widespread disruption and damage.

By adhering to the OEB’s standard, your company can help protect the sector against cyber crime, ensuring the continuity and reliability of energy infrastructure.

Additionally, compliance with the updated standard can help build customer and stakeholder trust due to your dedication to safeguarding data and maintaining robust privacy and security practices.

How do I ensure my company is complying with these new requirements?

Your energy or utilities company must report on your cyber security compliance based on the OEB’s reporting and record keeping requirements (RRR). Typically, reports need to be submitted by April for the past year. However, if you have not reported compliance in April 2024, you must submit an interim report within the month of October to demonstrate your company was compliant as of the October 1, 2024, deadline.

The report includes 15 questions for you to answer. Of those 15, there are four questions that you must answer positively to demonstrate you’ve implemented the mandatory cyber security controls. Those questions are:

  • Does your organization have a corporate privacy and cyber security governance program in place?
  • Is the utility’s board of directors involved in the cyber security risk management process?
  • Based on your organization’s risk profile, do you have privacy and cyber security risk identification and risk prioritization processes in place to support your operational risk decisions?
  • Has your organization completed its onboarding into the IESO information sharing services program known as Lighthouse?

Furthermore, your organization will need to address several critical privacy requirements. Here are the seven key components:

icon of a magnifying glass over documents to represent assessment  Step 1: Assess

Examine your capabilities against the standard requirements and identify any gaps.

Duration: Two to three weeks

icon of a checklist to represent planning Step 2: Plan

Strategize an action plan based on the assessment, ensure you consider change management, project management, and transformation needs.

Duration: Two weeks

icon of a gear with arrows circling it to represent implementation Step 3: Implement

Implement the missing controls based on the required MIL. Make sure you remain focused and tactical while also considering potential future standards and sustainability.

Duration: Six to eight weeks

icon of a hand and a gear to represent maintenance  Step 4: Maintain

Take a future-forward approach to stay ahead of compliance requirements.

Duration: Ongoing

Interested in learning more?

You can watch the full on-demand webinar, where we dive deeper into the requirements, how to get compliant, and what you can do to accelerate everything within your own organization:

The time to act is now

As an Ontario energy and utilities company, the urgency to achieve compliance with the OEB cyber security standard can’t be overstated. With the October 1 deadline fast approaching, it’s imperative that you take immediate action.

The good news is that the experienced advisors at MNP can help. Our team can provide you with the guidance and approach you need to not only meet compliance requirements, but to help you plan for the future of cyber security.

Reach out to cyber security team to learn more.

Insights

  • Progress

    November 21, 2024

    Strategic reinvestment: Unlocking resources for municipal priorities without raising taxes

    Learn how municipalities can unlock vital resources, cut through red tape, and strategically reinvest in key priorities without increasing taxes.

  • Performance

    November 21, 2024

    Highlights from Quebec’s fall economic update

    View a summary of MNP’s highlights from the 2024 Quebec fall economic outlook.

  • Confidence

    November 21, 2024

    FAQ: Canada’s new luxury tax and dealerships

    There are many questions dealerships have about how Canada’s new Select Luxury Items Tax Act will impact their business. MNP has responded to the most common ones here, to help you adjust to and comply with the new legislation.