As cybercrime continues to escalate across Canada, organizations face the pressing challenge of protecting critical infrastructure against increasingly sophisticated threats. For Hydro Ottawa, located in the capital city of a G7 nation, ensuring the protection and resilience of our electrical grid and systems against cyber incidents has become a top priority for our organization over the last decade.
With the rapid adoption of smart technologies such as artificial intelligence, sensors, fault detectors, advanced meters, and more, our energy systems are becoming more connected and data-driven than ever before. This evolution offers immense benefits, such as better decision-making, faster outage restoration, and seamless integration of distributed energy resources like solar and battery storage. But it also underscores a critical reality: more connectivity means heightened vulnerability to some of the most common menaces to our cyber security.
Unauthorized access to utility infrastructure is not hypothetical. Incidents like the power outages caused by cyber attacks on Ukraine’s grid in 2015 and 2016 highlight the devastating potential. For Hydro Ottawa, proactive investment in cyber security protections and controls remains essential to safeguarding our systems, ensuring reliability, and protecting our customers.
In a recent interview on Hydro Ottawa’s ThinkEnergy podcast, Jojo Maalouf, Hydro Ottawa’s Director of Cyber security and IT Infrastructure, delved into the strategies, challenges, and innovations in defending our local power grid against cyber attempts. From the integration of smarter devices to the critical importance of digital security, Maalouf sheds light on how Hydro Ottawa is staying ahead in the cyber security game while building a smarter, more resilient grid for Ottawa’s future.
Trevor Freeman (TF): We hear about state-sponsored entities, groups for profit, hackers and hacktivists. Who are the threats we’re worried about in the energy industry?
Jojo Maalouf (JM): It’s a good question, and to be honest, we worry about all of them. Depending on where they’re coming from, they could potentially possess or introduce a different type of risk. At the end of the day, our priority is to maintain a reliable power supply for our customers, regardless of any external factors. We’re committed to comprehensive protection and work to stay ahead of the curve by evolving our defenses and collaborating with industry partners to share knowledge and best practices.
TF: Can you talk to us about the risk that grid modernization brings, and how we're thinking about that?
JM: As more and more devices are connected, the potential vulnerabilities increase. So ideally, what we want to be able to do is proactively manage what those entry points are. We've talked about what grid modernization can do and there are many capabilities that's going to benefit organizations. But I think as this happens, it is crucial we simultaneously strengthen our cyber security posture to ensure the grid remains reliable and secure.
TF: How prepared is the energy industry to respond to and recover from a major cyber attack, if one were to happen on the power grid?
JM: Honestly, I think the energy sector is well prepared. As a critical infrastructure entity, the energy sector has the benefit of working with a lot of government partners…and (has an) ecosystem of partners, whether it’s through public or private relationships. I think what we’ve learned over the years is that threats are evolving, threats are changing. Testing an organization’s resiliency is something organizations can do to continue to be prepared. You never want to be complacent.
TF: What other kinds of stakeholders are we collaborating with when it comes to cyber security?
JM: There is a lot of collaboration that occurs within the industry and there are many different bodies where cyber security and critical infrastructure protection is paramount, and discussed regularly. There’s also a lot of collaboration from the provincial, national, and government side as well. In Ontario, our regulator, the Ontario Energy Board, developed the Ontario Cyber Security Framework that has been in play since 2017.
TF: Are there specific things that customers can do or should be aware of when it comes to cyber security?
JM: From a customer’s perspective, it’s realizing the importance of their information. Some simple steps to take include making sure you have a complex password that is not easily guessable and ensuring you don’t use it across multiple systems. Invest in a password manager to manage all your passwords. There are free solutions out there. Have a multi-factor authentication, which just means having a second level of authentication that’s going to challenge you to make sure you are who you say you are. Public Safety Canada has a lot of information on their website.
TF: You’re right, those basic steps really can protect us. And just so that everybody knows, this is a focus for all employees of Hydro Ottawa. As employees, we have to make sure we're protecting our systems, we're protecting our data, and all the things that you mentioned when it comes to password integrity and protecting our systems. We're focused on that on a day-to-day basis.
For more information on how to protect yourself, your data and critical information, visit our fraud awareness page or read one of our most recent blogs about navigating fraud in a digital era. For our part, Hydro Ottawa continues to invest in cyber security protections and controls for key assets and networks to prevent incidents that could compromise reliability and put our customers at risk.