With the October 1, 2024, compliance deadline just around the corner, Ontario’s energy and utilities companies have no time to waste in meeting the amended Ontario Energy Board (OEB) cyber security standard.
This updated standard aims to bolster the cyber security posture of energy and utilities companies, ensuring the protection of sensitive data and maintaining the integrity of their operations.
Recently, advisors in the field delivered a webinar on this topic titled Three months! Concrete steps to achieve compliance with OEB’s Cyber Security Standard, wherein they outlined the necessary actions your business needs to take to make sure you’re compliant come October.
Now, let’s break those insights down into a concise guide to help you navigate this changing landscape.
What is the OEB cyber security standard?
The standard, which was introduced in March 2024, builds upon the board’s existing cyber security framework (OCSF), which is based on the National Institute of Standards and Technology’s (NIST) cybersecurity framework.
The new standard mandates compliance with several requirements, including a subset of the OCSF controls, that aim to effectively manage cyber risks. There are currently 120 controls that exist under this framework.
To be compliant, your company needs to meet three requirements:
- Lighthouse service
- OCSF compliance: Maturity Indicator Level 2 (MIL2)
- OCSF compliance: Privacy
Lighthouse is a cyber security situational awareness and information sharing service provided by the Independent Electricity System Operator (IESO). Prior to the October 1 deadline, transmitters and/or distributors will need to be registered for this service, complete with a secured connection.
Of the 120 controls outlined in the OCSF, your company needs to be compliant with eight specific cyber security-related controls at MIL2, as described by the OCSF. To meet this requirement, your organization must implement these controls and report on their implementation. The OCSF describes what each level means and what it takes to reach each MIL for each control.
Your organization must comply with seven privacy-related controls within the framework. This includes implementing and reporting on the implementation of these controls. No MIL has been defined for privacy-related controls.
Why is this standard important?
Cyber threats are becoming increasingly sophisticated, targeting everything from critical infrastructure to your grandmother’s email account. And for Ontario’s energy and utility sector, these threats come with the potential to cause widespread disruption and damage.
By adhering to the OEB’s standard, your company can help protect the sector against cyber crime, ensuring the continuity and reliability of energy infrastructure.
Additionally, compliance with the updated standard can help build customer and stakeholder trust due to your dedication to safeguarding data and maintaining robust privacy and security practices.
How do I ensure my company is complying with these new requirements?
Your energy or utilities company must report on your cyber security compliance based on the OEB’s reporting and record keeping requirements (RRR). Typically, reports need to be submitted by April for the past year. However, if you have not reported compliance in April 2024, you must submit an interim report within the month of October to demonstrate your company was compliant as of the October 1, 2024, deadline.
The report includes 15 questions for you to answer. Of those 15, there are four questions that you must answer positively to demonstrate you’ve implemented the mandatory cyber security controls. Those questions are:
- Does your organization have a corporate privacy and cyber security governance program in place?
- Is the utility’s board of directors involved in the cyber security risk management process?
- Based on your organization’s risk profile, do you have privacy and cyber security risk identification and risk prioritization processes in place to support your operational risk decisions?
- Has your organization completed its onboarding into the IESO information sharing services program known as Lighthouse?
Furthermore, your organization will need to address several critical privacy requirements. Here are the seven key components:
Step 1: Assess
Examine your capabilities against the standard requirements and identify any gaps.
Duration: Two to three weeks
Step 2: Plan
Develop an action plan based on the assessment, making sure to consider change management, project management, and transformation needs.
Duration: Two weeks
Step 3: Implement
Implement the missing controls based on the required MIL. Make sure you remain focused and tactical while also considering potential future standards and sustainability.
Duration: Six to eight weeks
Step 4: Maintain
Take a future-forward approach to stay ahead of compliance requirements.
Duration: Ongoing
Interested in learning more?
You can watch the full on-demand webinar, where we dive deeper into the requirements, how to get compliant, and what you can do to accelerate everything within your own organization:
The time to act is now
As an Ontario energy and utilities company, the urgency to achieve compliance with the OEB cyber security standard can’t be overstated. With the October 1 deadline fast approaching, it’s imperative that you take immediate action.
The good news is that the experienced advisors at MNP can help. Our team can provide you with the guidance and approach you need to not only meet compliance requirements, but to help you plan for the future of cyber security.
Reach out to our cyber security team to learn more.