Annual Audit Finds Utility’s OT Network Non-Compliant with New CCSPA Mandate; Attestation Firm Flagged Multiple Control Failures
The Challenge
NorthGrid Energy, a mid-sized provincial utility, entered its annual audit expecting a routine compliance check. The company had a strong record in financial reporting and safety, and leadership assumed its cybersecurity controls were equally mature. This year’s audit, however, incorporated updated expectations aligned to Canada’s Critical Cyber Systems Protection Act (CCSPA) for designated critical infrastructure operators, with a new focus on operational technology (OT).
The independent attestation firm approached the review using CCSPA-aligned criteria and established OT standards. Within the first week, auditors found incomplete segmentation between IT and OT, leaving legacy SCADA assets exposed to corporate network traffic. Several industrial controllers still ran unpatched firmware from 2016.
As the assessment continued, the weaknesses extended beyond technical issues. Access control documentation was inconsistent, and the organization had no formal OT risk assessment, which is now expected of critical infrastructure operators. The cybersecurity governance committee had not met for more than six months, so oversight decisions and scheduled control testing had no forum in which to happen.
Several deficiencies were classified as material control failures. In its report to the Board Audit Committee, the firm cited CCSPA-aligned requirements and the applicable OT and energy-sector standards, IEC 62443 for industrial automation and control systems and ISO/IEC 27019 for the energy utility industry, noting that the issues posed both compliance and operational risks.
Consequences were immediate. The utility notified its provincial energy regulator, which triggered an unplanned inspection. Mentions in public oversight summaries led local media to question the utility’s ability to protect critical infrastructure. Internally, morale fell as operations teams faced scrutiny over documentation gaps and outdated patching practices. The chief executive received tough questions on governance accountability, and the cyber insurer initiated a coverage review.
By quarter end, leadership accepted that cybersecurity assurance is not a checkbox exercise but a pillar of public trust and regulatory compliance. The findings underscored that oversight in OT carries the same weight as financial integrity.
Our Solution
We executed a two-track program: Attestation Readiness to address CCSPA-aligned gaps and OT Controls Remediation to strengthen security.
– Regulatory posture and notifications: Coordinated with legal counsel on reporting obligations and prepared regulator-ready evidence packages.
– Targeted gap assessment: Mapped current-state controls against IEC 62443, ISO/IEC 27019, NIST SP 800-82, and ISO/IEC 27001. Produced a control-by-control remediation register tied to audit findings.
– IT/OT segmentation and access uplift: Designed zone and conduit architecture, implemented MFA for privileged OT access, and hardened vendor remote connections.
– Vulnerability and patch governance for OT: Built a risk-based firmware and patch process with maintenance windows and rollback plans in collaboration with OEMs and integrators.
– Monitoring and logging for OT: Enabled controller and HMI event collection, secured log retention, and anomaly alerting with clear triage runbooks.
– Governance reboot: Re-established the cybersecurity governance committee with a charter, KPIs, a RACI, and quarterly evidence reviews. Completed an OT risk assessment and privacy screening under PIPEDA where personal information might be present.
– Independent validation: Arranged third-party re-testing and pre-attestation walkthroughs to confirm control effectiveness.
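To make "risk-based" in the patch process concrete, the following is an added example, not tooling from the engagement or from NorthGrid: it ranks assets by CVSS adjusted for how reachable the device is and what it controls, then maps each to a maintenance-window action, including the compensating-control path for devices that cannot be patched. The asset register, firmware strings, weights and thresholds are constructed assumptions for illustration.

```python
"""
Risk-based OT patch prioritisation.

Constructed example only: asset names, firmware strings, CVSS scores,
weights and thresholds are illustrative assumptions, not NorthGrid data
or figures taken from IEC 62443 or NIST SP 800-82. The point is that a raw
CVSS score is adjusted for reachability and consequence before it earns a
maintenance-window slot.
"""
from dataclasses import dataclass
from typing import Dict, List

# Reachability multipliers (assumed). An isolated control-zone device is far
# harder to reach than one the corporate network can talk to directly.
EXPOSURE_WEIGHT = {
    "control_isolated": 0.6,
    "dmz_reachable": 0.85,
    "corporate_reachable": 1.1,
    "internet_reachable": 1.3,
}
# Consequence multipliers (assumed); safety-related functions weigh most.
CRITICALITY_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.2, "safety": 1.4}

HIGH_RISK = 7.0   # adjusted score at or above which this window is mandatory
CVSS_HIGH = 7.0   # raw CVSS threshold counted by the high/critical KPI


@dataclass(frozen=True)
class Asset:
    name: str
    firmware: str
    cvss: float                 # highest open finding against this firmware
    exposure: str               # key into EXPOSURE_WEIGHT
    criticality: str            # key into CRITICALITY_WEIGHT
    patch_available: bool       # OEM has released fixed firmware
    outage_ok_in_window: bool   # operations can take the device down this window


def risk_score(a: Asset) -> float:
    """CVSS adjusted for reachability and consequence, capped at 10.0."""
    raw = a.cvss * EXPOSURE_WEIGHT[a.exposure] * CRITICALITY_WEIGHT[a.criticality]
    return round(min(10.0, raw), 1)


def decide(a: Asset, risk: float) -> str:
    """Map adjusted risk and patch feasibility to a maintenance-window action."""
    if risk < HIGH_RISK:
        return "routine_cycle"                  # next scheduled firmware cycle
    if not a.patch_available:
        return "compensating_control"           # tighten conduit ACLs, monitor, track with OEM
    if a.outage_ok_in_window:
        return "patch_in_window"                # stage rollback image, patch, verify, close ticket
    return "compensate_then_patch_next_outage"  # interim ACLs/monitoring, patch at next outage


def build_plan(assets: List[Asset]) -> List[Dict]:
    """Rank by adjusted risk (ties broken by raw CVSS, then name) and attach an action."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), -a.cvss, a.name))
    return [{"asset": a.name, "cvss": a.cvss, "risk": risk_score(a),
             "action": decide(a, risk_score(a))} for a in ranked]


def open_high_critical(assets: List[Asset]) -> int:
    """Audit KPI: assets carrying an open finding scored CVSS 7.0 or above."""
    return sum(1 for a in assets if a.cvss >= CVSS_HIGH)


# Constructed asset register ("2016.2" stands in for 2016-era firmware).
SAMPLE_ASSETS = [
    Asset("PLC-07", "2016.2", 9.8, "corporate_reachable", "high", True, False),
    Asset("PLC-12", "2016.2", 9.8, "control_isolated", "medium", True, True),
    Asset("HMI-03", "4.1.0", 7.5, "corporate_reachable", "safety", True, True),
    Asset("RTU-21", "3.0.7", 8.1, "dmz_reachable", "high", False, True),
    Asset("HIST-01", "11.2", 6.5, "internet_reachable", "low", True, True),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_ASSETS):
        print(f"{row['asset']:8} cvss={row['cvss']:<4} risk={row['risk']:<4} {row['action']}")
    print("open findings at CVSS 7.0 or above:", open_high_critical(SAMPLE_ASSETS))
```

The two PLCs on the same 2016 firmware share a CVSS of 9.8, yet only the corporate-reachable one lands in the mandatory window; the isolated one drops to the routine cycle. That is the ordering a CVSS-only list cannot produce, and it is what the maintenance-window conversation with operations and the OEM turns on.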
The Value
– Regulatory confidence: Evidence-backed conformance with CCSPA-aligned expectations and provincial directives, lowering the risk of fines or supervisory actions.
– Risk reduction: High and critical OT vulnerabilities (CVSS 7.0 and above) decreased by an estimated 65 to 80 percent across the initial audit sample.
– Operational resilience: Tested backups and recovery runbooks for controllers and HMIs reduced mean time to recovery in tabletop drills by about 40 to 50 percent.
– Assurance efficiency: An organized evidence library and control register cut external auditor follow-up requests by roughly 35 percent during readiness sessions.
– Cost containment: Improved control posture helped avoid premium surcharges and preserved insurance coverage terms, as confirmed by broker correspondence.
Implementation Roadmap
Phase 0: Mobilize (Weeks 0–2)
– Confirm scope, including sites, assets, and data flows.
– Establish program governance and KPIs such as vulnerability closure rate, control coverage, and evidence completeness.
– Brief legal on CCSPA-aligned obligations and confirm the regulator communications plan.
Phase 1: Assess and Design (Weeks 2–6)
– Perform a rapid gap assessment against IEC 62443, ISO/IEC 27019, and NIST SP 800-82.
– Build an authoritative OT asset inventory for controllers, firmware, software, and conduits.
– Design the target segmentation model and privileged access approach.
– Draft policies and standards for OT access, change control, backup and restore, configuration baselines, and logging.
Phase 2: Remediate Core Controls (Weeks 6–14)
– Implement segmentation and firewall rules.
– Enable MFA and just-in-time access for OT administrators.
– Stand up OT patch governance with maintenance windows, validation, and rollback.
– Deploy logging and telemetry for OT with retention and chain of custody.
– Validate backup and restore for PLCs and HMIs and secure golden images.
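One way the segmentation step can be evidenced for the auditor, as an added example that is not the program's or NorthGrid's own tooling: observed flows are checked against an IEC 62443-style zone model and an allowlist of approved conduits, so any session reaching the control zone from outside the OT DMZ (the pattern the audit found) becomes a finding ready for the evidence library. Zone names, CIDR ranges, conduits and flow records are constructed assumptions.

```python
"""
Zone-and-conduit conformance check over observed flows.

Constructed example only: the zone model, CIDR ranges, conduit allowlist
and flow records are illustrative assumptions, not NorthGrid's network.
The check answers the auditor's question directly: does any cross-zone
traffic reach the control zone without an approved conduit?
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Zone model (assumed addressing; 198.51.100.0/24 is a documentation range).
ZONES = {
    "corporate":     ["10.10.0.0/16"],
    "ot_dmz":        ["10.20.0.0/24"],
    "control":       ["10.30.0.0/24"],
    "vendor_remote": ["198.51.100.0/24"],
}

# Approved conduits: (src zone, dst zone, dst port, protocol). Nothing outside
# the DMZ may open a session into the control zone; corporate users and
# vendors terminate on the DMZ gateway, and controllers only send syslog out.
APPROVED_CONDUITS = {
    ("corporate",     "ot_dmz",  443,   "tcp"),   # jump host / remote-access gateway
    ("vendor_remote", "ot_dmz",  443,   "tcp"),   # hardened vendor access, MFA at the gateway
    ("ot_dmz",        "control", 502,   "tcp"),   # Modbus/TCP polling from the DMZ historian
    ("ot_dmz",        "control", 44818, "tcp"),   # EtherNet/IP
    ("control",       "ot_dmz",  514,   "udp"),   # syslog to the OT log collector
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> Optional[str]:
    """Return the zone whose CIDR contains addr, or None if unassigned."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in ip_network(n) for n in nets):
            return name
    return None


def check_flow(f: Flow) -> Optional[str]:
    """Return a violation reason, or None if the flow is permitted."""
    src_z, dst_z = zone_of(f.src), zone_of(f.dst)
    if src_z is None or dst_z is None:
        return f"address outside the zone model: src zone={src_z} dst zone={dst_z}"
    if src_z == dst_z:
        return None   # intra-zone traffic is outside this check's scope
    if (src_z, dst_z, f.dport, f.proto) in APPROVED_CONDUITS:
        return None
    return f"no approved conduit {src_z}->{dst_z} {f.proto}/{f.dport}"


def evaluate(flows: List[Flow]) -> Tuple[List[Dict], int]:
    """Return (violations, permitted_count); violation rows are evidence-ready."""
    violations, permitted = [], 0
    for f in flows:
        reason = check_flow(f)
        if reason is None:
            permitted += 1
        else:
            violations.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                               "proto": f.proto, "reason": reason})
    return violations, permitted


# Constructed flow records (the kind a firewall or passive OT sensor exports).
SAMPLE_FLOWS = [
    Flow("10.10.5.7",    "10.30.0.12", 502,  "tcp"),   # corporate host polling a PLC directly
    Flow("10.20.0.5",    "10.30.0.12", 502,  "tcp"),   # DMZ historian polling the PLC
    Flow("198.51.100.9", "10.30.0.20", 3389, "tcp"),   # vendor RDP straight to an HMI
    Flow("10.30.0.12",   "10.30.0.13", 502,  "tcp"),   # PLC-to-PLC inside the control zone
    Flow("10.30.0.20",   "10.20.0.8",  514,  "udp"),   # HMI syslog to the collector
    Flow("192.0.2.4",    "10.30.0.12", 502,  "tcp"),   # address in no zone at all
    Flow("10.10.5.7",    "10.20.0.5",  443,  "tcp"),   # corporate user to the jump host
]

if __name__ == "__main__":
    bad, ok = evaluate(SAMPLE_FLOWS)
    print(f"{ok} permitted, {len(bad)} violations")
    for v in bad:
        print(f"  {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}  {v['reason']}")
```

Run against a day of firewall or sensor exports, the violation rows are the re-test evidence for the segmentation control, and an address that falls in no zone is itself a finding against the asset inventory rather than something to silently ignore.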
Phase 3: Govern and Evidence (Weeks 10–16, overlapping)
– Reconstitute the cybersecurity governance committee with quarterly cadence and dashboards.
– Complete the OT risk assessment and PIPEDA privacy screening where operator or customer information may be processed.
– Populate the evidence library with policies, configurations, screenshots, tickets, and re-test results mapped to audit controls.
Phase 4: Validate and Ready (Weeks 16–20)
– Conduct independent re-testing and an attestation readiness review, then close remaining high and critical gaps.
– Run an OT-focused incident tabletop to measure recovery and communications.
– Prepare board and regulator briefings with clear remediation outcomes and the forward plan.
Industry Sector
Utilities (generation, transmission, and distribution with OT/ICS environments)
Applicable Legislation and Standards (Canada)
PIPEDA, CCSPA-aligned expectations for critical infrastructure, provincial energy regulator directives, IEC 62443, ISO/IEC 27019, NIST SP 800-82, ISO/IEC 27001 and 27002
Third Parties
Attestation and audit firm, provincial energy regulator or market operator, OT OEMs and integrators, MSSP or SOC provider, legal counsel, cyber insurer, independent testing vendor
Tags
sector:utilities, service:audit-and-attestation, compliance, governance, regulatory-change

