Cyber breach reverberates at Nova Scotia Power more than a week later

Nova Scotia Power is remaining tight-lipped about the details of a cyber breach that has forced the company to pause billing and led to the shutdown of its online customer portal, and hasn't said what other systems within the utility have been disrupted.

It's been more than a week since the utility, which provides electricity to more than half a million residential, commercial and industrial customers in Nova Scotia, said it first detected, on April 25, unauthorized access into parts of its network and servers.

The company has noted major billing and customer service issues, and warned the personal information of some customers has been taken, but it won't confirm whether systems such as payroll have been impacted, although a spokesperson said all employees continue to be paid. 

"This is very much an active investigation," spokesperson Kathryn O'Neill said in an email. "We cannot speculate or share unverified information while the investigation is ongoing in collaboration with external cybersecurity experts."

The International Brotherhood of Electrical Workers Local 1928, the union that represents about 1,000 Nova Scotia Power employees, said in a social media post it is aware of the possibility of issues with overtime pay. Business manager Jim Sponagle told CBC News the union is asking employees to be patient as the company works through the breach.

Ransomware attack?

Julien Richard, the vice-president of information security for Lastwall, a Fredericton-based cybersecurity firm not involved in the Nova Scotia Power case, said with few details released by the utility, it is tough to know what happened. There are a number of scenarios, he said.

In some cases, countries hostile to the West try to infiltrate critical infrastructure such as energy companies, both to observe their inner workings without being detected and to gain the ability to shut down networks if they later choose.

But given the disruption facing the business side of Nova Scotia Power, and not the electrical grid network, Richard said it's more likely the company has been hit by a ransomware attack or some other kind of incursion motivated by financial gain.

Ransomware typically prevents a person or a company from accessing computer files and systems, with criminals then demanding a ransom before they will return access. Nova Scotia Power has refused to say whether it believes it is the victim of a ransomware attack.

Richard said those behind the breach may be solely responsible for the disruptions at Nova Scotia Power, but there's also the possibility IT administrators decided to shut down some systems to "contain the blast radius of this attack."

'Worst moments of their careers'

The utility has made clear the cyber breach has not disrupted electricity generation, transmission or distribution facilities, or harmed the company's ability to deliver power to customers.

Richard said power companies typically keep their business networks separate from those that run their grids, and in Nova Scotia Power's case, it's "definitely a win" that those behind the breach were apparently not able to jump from one to the other.

One of the reasons so little information has been released is the company might not know yet exactly what happened, he said, and digital forensics can take a "long time." It's also likely those behind the attack are still lurking in the system.

"It's important to say that we need to be patient with the folk that work there," he said. "They're probably going through the worst moments of their careers.

"I can guarantee you that some of them are probably sleeping there under their desks and working."

Rebecca Brown, a spokesperson for the province's utility regulator, the Nova Scotia Energy Board, said in an email there's not yet a formal proceeding opened, "but that will come."

Such a proceeding could review the cause of the incident and Nova Scotia Power's response, the impact on the utility and ratepayers, including on customer data, compliance with reliability standards, and recommendations.

Seniors could be targeted

Claudiu Popa, the CEO of cybersecurity company Datarisk Canada, said the cyber breach appears to be "fairly serious," and is potentially an extortion attempt. 

Generally, he said, the ransomware "makes itself known" once the information criminals are after has been stolen. The language Nova Scotia Power has used — that "unusual activity" was detected — suggests that's the case.

He said the theft of financial information can often be "rectified rapidly" by banks so long as customers report it quickly. More difficult to fix is identity fraud.

Both Popa and Richard warned that customers should be wary if they receive calls or emails purporting to be from Nova Scotia Power. Popa said seniors in particular are targeted because criminals perceive them to have more disposable income and assets.

"If you've got access to their financial details, financial information, those people will be prioritized, most likely with phishing emails," he told CBC Radio's Information Morning.

A spokesperson for the Office of the Privacy Commissioner of Canada said in an email it has been notified about the situation and "is reaching out to the organization to obtain more information."