N.S. Power approved for $1.8M cybersecurity project weeks after ransomware attack

Nova Scotia Power has gotten approval for a cybersecurity improvement project, just weeks after a ransomware attack affected the personal data of thousands of customers.

The Nova Scotia Energy Board approved the $1.8-million initiative, dubbed the Next Generation Network Security Design project, on Thursday. 

The utility submitted its application on April 7 for the project, which it said would enhance its existing information technology network and firewall infrastructure to manage cyber threats, "resolve operational complexities, and facilitate future business objectives."

Nova Scotia Power said the project will "improve cyber security capabilities and reduce the risk of a cyber incident," Roland A. Deveau, the energy board's vice-chair, wrote in a decision letter that was shared with the media.

The utility's computer systems had already been attacked by ransomware hackers when the company made its application. It has said the breach happened on March 19, but it did not discover the issue until more than a month later, on April 25.

The company disclosed the cybersecurity incident three days after that.

"Importantly, the board's approval of this project does not preclude it from assessing the adequacy of N.S. Power's IT systems as part of the board's ongoing investigation into the data breach," the board said in a news release. "At this time, it is not known whether this specific project would have prevented or mitigated the breach."

About 280,000 customers — more than half of the utility's customers in the province  — were informed by letter that their personal information, including their name, address, phone number, birthdate, driver's licence, social insurance number and banking information may have been taken in the attack.

The board said it is working with cybersecurity experts to conduct a full review of whether Nova Scotia Power acted prudently before, during and after the event.

In his letter, Deveau said the utility explained in its application "that a majority of its network equipment was considered 'end of life' in 2016," though some could still be used for "lower security needs." 

Nova Scotia Power said the upgrade is needed now as new risks emerge and critical infrastructure is increasingly targeted by bad actors.

"The complexities of N.S. Power's network and firewall infrastructure make management and security difficult to monitor, measure and enforce," the utility was quoted in the decision letter as saying.

"It is challenging to meet new and emerging security threats in a rapid manner to maintain a low risk to N.S. Power."

The utility was also approved to source the new technology for the project through its existing vendor, Cisco. It said creating an alternative system with a new provider would mean "significant time, effort, and cost."

The application showed the project has been in progress for more than a year, and will come into service this September.

The estimated life of the new technology system is 10 years, according to Nova Scotia Power.

Premier says N.S. will oppose passing any costs to customers

Nova Scotia Power CEO Peter Gregg avoided a direct answer when asked last week whether the utility would commit to covering the costs of the breach internally rather than handing the bill to ratepayers.

He said insurance would likely cover many expenses, but the utility doesn't yet know the cost of the breach, so he could not give a "yes or no answer."

On Thursday, Premier Tim Houston told reporters that the province would step in if the company asks to recover those costs from customers.

"We're not going to let the ratepayers pay for this," Houston said. "If Nova Scotia Power makes a move to try to get ratepayers to pay for it, we will oppose that very vehemently."