Provincial Power Utility Under Scrutiny After Failing Governance Review of IT/OT Convergence
The Challenge
In late autumn, a provincial power utility serving nearly two million customers came under public and regulatory scrutiny after failing a comprehensive governance review of its Information Technology (IT) and Operational Technology (OT) convergence program.
The review, commissioned by the provincial energy regulator, was designed to assess the organization’s cyber and privacy governance maturity as it transitioned toward integrated smart grid systems and digital operational controls. What began as a routine compliance audit quickly revealed systemic weaknesses in the organization’s governance framework, leading to a full investigation into its risk management practices.
The central issue was the utility’s fragmented approach to IT and OT oversight. Historically, these environments were managed independently: IT handled data systems, while OT oversaw grid infrastructure and industrial control systems (ICS). As the organization introduced new digital monitoring and remote-control capabilities to improve efficiency, the absence of unified governance created a critical vulnerability.
Auditors found that no single individual or department was accountable for cybersecurity across both IT and OT. Risk assessments were conducted separately, with IT teams following modern frameworks and OT teams relying on outdated industrial safety standards. This inconsistency left major blind spots, particularly in areas such as access control, incident response, and third-party vendor management.
The audit also identified a continued reliance on legacy systems within critical infrastructure. Many of these systems were never designed with cybersecurity in mind and had been patched together to interface with modern platforms. In one notable finding, default passwords remained active on several control network interfaces, exposing the utility to potential external threats.
From a compliance perspective, the organization failed to demonstrate alignment with provincial energy regulations, PIPEDA requirements for personal data protection, and national guidance for critical infrastructure resilience. Although no confirmed cyberattack had yet occurred, regulators emphasized that these governance deficiencies posed serious risks to service continuity and public safety.
The fallout was immediate. Media outlets raised concerns about potential cascading power outages if systems were compromised. The provincial energy ministry ordered the utility to produce a formal remediation plan and temporarily suspended new digital integration projects until governance structures were improved.
Internally, morale declined as senior leadership faced intense scrutiny from the board and stakeholders. Employees expressed frustration over inconsistent policies and poor communication regarding cybersecurity expectations.
By the end of the review period, the utility’s long-standing reputation for reliability was at risk. The incident highlighted a growing issue within Canada’s utilities sector: without effective governance, the convergence of IT and OT systems can expose even well-established organizations to serious operational and reputational risks.
Our Solution
Service Area: Risk and Compliance Governance
Our team implemented a unified IT/OT governance remediation program built around four core workstreams:
1. Accountability and Policy Harmonization
– Appointed a single executive owner (CISO with OT oversight) and established an IT/OT Governance Council with defined accountability and authority.
– Consolidated cybersecurity, privacy, and vendor risk policies into a single control library mapped to NIST CSF 2.0, ISO/IEC 27001, and IEC 62443.
– Ensured compliance with PIPEDA and relevant provincial privacy statutes.
2. Integrated Risk and Control Baseline
– Conducted a comprehensive IT/OT risk assessment and “crown jewel” analysis for grid operations, AMI/MDM, and field assets.
– Prioritized remediation actions, including removal of default credentials, segmentation of networks, use of multi-factor authentication (MFA) for remote access, and implementation of secure change control for ICS.
3. Operational Readiness and Assurance
– Developed OT-specific incident response playbooks aligned with enterprise-wide procedures and regulatory reporting thresholds under PIPEDA.
– Introduced third-party security assurance requirements, including vendor attestations, patch management schedules, and right-to-audit clauses.
4. Reporting and Oversight
– Established board-level cybersecurity key performance indicators (KPIs) and key risk indicators (KRIs), including metrics for segmentation coverage, privileged account management, and incident response performance.
– Implemented quarterly readiness reviews with the provincial regulator.
The Value
Regulatory Stability: The utility closed all priority audit findings within 120 days. Regulators accepted the remediation plan and lifted restrictions on new digital integration projects.
Risk Reduction:
– Eliminated 95 percent of default and weak credentials on OT interfaces.
– Achieved 90 percent MFA coverage for remote administrative access.
– Secured 70 percent of control network segments under defined zoning and conduit standards during the first implementation phase.
Operational Resilience:
– Reduced mean time to detect (MTTD) for OT anomalies from unmeasured (no baseline had existed) to less than 15 minutes through centralized logging and alerting.
– Established quarterly cross-functional incident response exercises, improving readiness and coordination.
Vendor Assurance:
– Implemented brokered remote access for all maintenance vendors with session recording and time-limited approval.
– Enforced standardized vendor attestation and patch documentation requirements.
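The two controls above that lend themselves to automated checking are centralized logging with alerting (the MTTD improvement under Operational Resilience) and brokered, MFA-backed vendor remote access. The following is an added example, not code from the case study or the utility, of a minimal detection pass that a SOC could run over centralized OT access logs: it flags successful administrative sessions that bypassed the access broker, lacked MFA, or used a factory default account, and it computes mean time to detect from the collection interval. The log format, the broker address `10.50.0.5`, the default account list and every log line are constructed for illustration.

```python
"""
Added example (not from the case study): a detection pass over constructed
OT access logs that enforces two controls described on the page -- remote
administrative access must come through the access broker with MFA, and
default accounts must no longer be in use -- and computes mean time to
detect (MTTD) from a fixed log-collection interval.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed policy: the only source permitted to open admin sessions on OT hosts.
BROKER_IP = "10.50.0.5"
# Constructed list of factory default account names that remediation removed.
DEFAULT_ACCOUNTS = {"admin", "operator", "root", "service"}

# Constructed line format of the centralised OT authentication log.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)

# Constructed sample log lines; hosts, users and addresses are made up.
SAMPLE_LOGS = [
    "2024-11-03T02:14:05Z host=rtu-17 user=j.smith src=10.50.0.5 mfa=yes result=success",
    "2024-11-03T02:16:40Z host=plc-gw-02 user=admin src=198.51.100.23 mfa=no result=success",
    "2024-11-03T02:17:10Z host=hmi-04 user=vendor_acme src=172.16.8.9 mfa=yes result=success",
    "2024-11-03T02:20:30Z host=rtu-17 user=m.lee src=10.50.0.5 mfa=no result=success",
    "2024-11-03T02:22:31Z host=plc-gw-02 user=admin src=198.51.100.23 mfa=no result=failure",
]


@dataclass
class Finding:
    timestamp: datetime
    host: str
    user: str
    reasons: tuple


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_PATTERN.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(event):
    """Return the list of policy violations for one successful login event."""
    reasons = []
    if event["result"] != "success":
        # Failed attempts are not access; they belong to a separate brute-force rule.
        return reasons
    if event["src"] != BROKER_IP:
        reasons.append("bypassed access broker")
    if event["mfa"] != "yes":
        reasons.append("no MFA")
    if event["user"] in DEFAULT_ACCOUNTS:
        reasons.append("default account still active")
    return reasons


def detect(lines):
    """Run the policy checks over raw log lines and collect findings in order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = evaluate(event)
        if reasons:
            findings.append(Finding(event["ts"], event["host"], event["user"], tuple(reasons)))
    return findings


def next_collection(ts, interval=timedelta(minutes=5)):
    """Time of the next log-collection run after ts (constructed assumption:
    collectors run on fixed intervals aligned to the hour, so the alert for an
    event fires when the batch containing it is processed)."""
    hour_start = ts.replace(minute=0, second=0, microsecond=0)
    ticks_elapsed = (ts - hour_start) // interval
    return hour_start + (ticks_elapsed + 1) * interval


def mean_time_to_detect(findings, interval=timedelta(minutes=5)):
    """MTTD in seconds: average gap between each event and the run that alerts on it."""
    if not findings:
        return 0.0
    lags = [(next_collection(f.timestamp, interval) - f.timestamp).total_seconds() for f in findings]
    return sum(lags) / len(lags)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f"{f.timestamp.isoformat()} {f.host} {f.user}: {', '.join(f.reasons)}")
    print(f"MTTD with 5-minute collection: {mean_time_to_detect(found):.0f} s")
```

The collection interval is what bounds MTTD here: shortening it from five minutes to near-real-time streaming is the lever that moves the "less than 15 minutes" figure, independently of how many rules are added. Each `Finding` also carries enough context (host, user, reasons) to feed the board-level KRIs for privileged account management described under Reporting and Oversight.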
Governance Clarity:
– Introduced a single point of accountability for cybersecurity across IT and OT domains.
– Reduced policy exceptions by over 60 percent within the first governance review cycle.