Consulting Firm Offers Cyber-Resilience Workshops for Utility Executives Amid Rising Hacktivist ICS Threats

The Challenge

Mounting geopolitical tensions and an uptick in hacktivist activity have put Canadian utilities under pressure. In the past six months, several mid-sized power distributors in Western Canada reported coordinated attempts to probe industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. Although no large-scale outages occurred, internal reviews revealed a stark gap: many senior leaders did not fully grasp the technical and strategic implications of these threats.

Northern Current Consulting, a national advisory firm that supports critical infrastructure operators, introduced a Cyber-Resilience Workshop Series for executive teams and boards. The program clarifies how operational technology (OT) can be exploited, why IT–OT interdependencies matter, and how leadership decisions influence technical outcomes.

Workshops, delivered in person and virtually, presented realistic scenarios, including malware that manipulates voltage control and phishing disguised as supplier updates. Participants practiced crisis decision-making and saw how delays, poor communication, and weak oversight can compound risk. Case examples illustrated how limited visibility between IT and OT environments can let intrusions linger undetected.

During a mock breach, executives confronted a hypothetical ransomware event at a regional control centre. The exercise exposed missing escalation procedures, unclear roles, and uneven coordination across operations, legal, privacy, and communications. As one attendee noted in a post-session survey, 'Our business continuity plan does not reflect OT downtime.'

A broader governance issue also emerged. Cybersecurity had been treated as a technology problem rather than a business resilience obligation. Under PIPEDA and provincial expectations for critical infrastructure, executive leadership is accountable for protecting personal information and sustaining essential services. Failure to meet these responsibilities can trigger regulatory scrutiny and civil liability.

Regulators have signalled tighter expectations for high-risk utilities that rely on outdated governance. Even a brief operational disruption could harm customers and communities and cause lasting reputational damage. The key lesson from the workshops is clear: resilience begins in the boardroom and must be backed by informed, rehearsed decisions.

Our Solution

Northern Current Consulting delivered an Executive Awareness and Governance Uplift under its Ancillary and Value-Adding Services offering. The engagement combined:

– Targeted cyber-resilience workshops that simulate ICS/OT incidents.
– Board and C-suite briefings on executive accountability, privacy obligations under PIPEDA, and regulator communications.
– A review and refresh of the cyber charter, escalation pathways, decision rights, and business continuity triggers.
– Cross-functional tabletop exercises with operations, legal, privacy, and communications leaders.
– Third-party coordination mapping, including OEMs, SOC providers, insurers, incident response firms, and law enforcement contacts.

The work proceeded through three stages: assessment, simulation, and governance realignment. Each stage reinforced the link between leadership decisions and operational outcomes.

The Value

The program produced measurable results across participating utilities:

– Incident readiness: Executive decision accuracy during ICS simulations improved by 42%, based on scored tabletop rubrics.
– Regulatory preparedness: Alignment with PIPEDA breach notification and accountability requirements improved, cutting estimated reporting and coordination delays by up to 60%.
– Operational coordination: Cross-department response metrics improved by 35%, resulting in faster, clearer escalation.
– Leadership confidence: Nine in ten participants recommended continued simulation-based learning and reported higher confidence in cyber governance.

These outcomes repositioned cybersecurity as an enterprise resilience mandate, not solely a technical function.

Implementation Roadmap

Phase 1: Executive Risk Discovery (Weeks 1–3)
– Interview key stakeholders and assess governance maturity.
– Identify legal and compliance gaps under PIPEDA, NERC CIP, and relevant provincial energy rules.
– Map IT–OT dependencies, crown-jewel processes, and current escalation practices.

Phase 2: Awareness, Simulation, and Training (Weeks 4–8)
– Deliver workshops focused on hacktivist tactics against ICS and realistic loss-of-view and loss-of-control scenarios.
– Run live tabletop exercises with executives and functional leads.
– Capture performance data and lessons learned.

Phase 3: Governance Realignment (Weeks 9–12)
– Update escalation matrices, decision rights, and notification triggers for regulators and customers.
– Embed cyber resilience metrics in board reports, including MTTD, MTTR, exercise scores, and control health.
– Align third-party contracts with incident response and OT-aware monitoring expectations.

Phase 4: Continuous Improvement (Ongoing)
– Schedule quarterly exercises, refresh playbooks, and track progress against KPIs.
– Integrate cyber-resilience content into executive onboarding and annual training.
– Use evidence and logging standards that support investigations and potential litigation.

Applicable Legislation and Guidance

PIPEDA (federal), provincial privacy statutes where applicable, NERC CIP for Bulk Electric System entities, Canadian Centre for Cyber Security guidance, ISO/IEC 27001 for governance baselines.

Tags

sector: utilities; service: ancillary-and-value-adding-services; awareness; training; operational-resilience