Utility Rolls Out Phishing Campaign Simulation and OT-Safety Briefings After Hacktivist Alert from Federal Cyber Centre
The Challenge
When a mid-sized Canadian power utility, known here as Northern Current Energy (NCE), received an advisory from the Canadian Centre for Cyber Security (CCCS) warning of increased hacktivist activity targeting national infrastructure, the timing could not have been worse. The alert described specific tactics used by politically motivated groups attempting to compromise industrial control systems (ICS) and operational technology (OT) through deceptive phishing campaigns and social engineering.
Internally, tension rose quickly as the warning was shared among IT and operations leaders. While NCE’s IT department maintained reasonable cyber hygiene practices, awareness among field engineers and control-room operators was limited. Many employees continued to use shared credentials for SCADA logins, and few understood how targeted phishing could provide a gateway into critical OT networks.
Within days of the CCCS bulletin, NCE’s cybersecurity team detected a surge of suspicious emails disguised as “safety bulletins” from a supposed federal energy regulator. These messages contained official-looking headers, federal logos, and urgent instructions prompting recipients to “download updated procedures for electrical grid protection.” One operator clicked the attachment, which triggered an alert from the company’s endpoint detection system. Fortunately, no malware was executed, but the incident revealed a serious lack of staff awareness.
An internal review painted a concerning picture. Over 40 percent of OT-side employees had interacted with the phishing email in some way, including opening the attachment or forwarding it internally. The board began to question how many other threats might have gone unnoticed and whether the organization could still claim compliance with PIPEDA’s safeguarding requirements.
The review also uncovered deeper governance issues. Although NCE had policies aligned with federal guidance under the Canadian Energy Sector Cybersecurity Framework and CSA Z246.1, most staff were unaware these protocols even existed. Critical information about recognizing phishing attempts, reporting suspicious messages, and protecting credentials was buried in outdated training materials.
The consequences were swift and reputational. Industry regulators requested a disclosure summary, and the company’s audit committee flagged potential non-compliance with data protection and incident response obligations. Internally, trust was shaken. Employees feared disciplinary action for being “tricked,” while senior management faced scrutiny over inadequate training and oversight.
Ultimately, the CCCS warning had prevented a serious breach, but it also revealed systemic weaknesses in awareness and communication. The incident served as a clear reminder that people, not technology, often represent the greatest vulnerability in operational environments.
Our Solution
Service Area: Awareness and Communications Training (Utilities Focus)
We implemented a targeted awareness and training initiative designed to strengthen cyber resilience across both IT and OT teams. The program focused on practical education, behavioral change, and governance alignment.
Key Measures Implemented:
1. Targeted Awareness Campaign (OT and IT): Developed plain-language communications explaining the CCCS alert and outlining specific risks for different roles. Created short, 10–15-minute e-learning modules tailored to field operators, dispatchers, and engineers.
2. Controlled Phishing Simulation: Designed realistic regulator-themed phishing tests to mirror the original attack. Monitored open, click, and report rates by role and facility, followed by immediate just-in-time coaching for participants who interacted with the test emails.
3. OT Safety and Access Briefings: Conducted on-site safety briefings reinforcing rules such as not sharing SCADA credentials, enforcing multi-factor authentication, and locking workstations. Distributed quick-reference “spot-the-phish” cards to all control rooms and substations.
4. Reporting and Governance Improvements: Introduced a one-click phishing report button integrated with the Security Operations Center (SOC) and SIEM. Presented weekly awareness metrics to the risk committee and updated core policies, including Acceptable Use and Incident Reporting.
5. Third-Party and Workforce Alignment: Extended the awareness program to contractors and coordinated with the managed security service provider (MSSP) to fine-tune email detections. Worked with unions and HR to ensure a supportive, coaching-first approach to mistakes.
6. Compliance Integration: Aligned all measures with PIPEDA, CCCS advisories, CSA Z246.1, IEC 62443, and relevant Criminal Code of Canada provisions related to fraud and unauthorized access.
The Value
The initiative produced measurable improvements in both behavior and compliance posture:
– Reduced Susceptibility: Click rates on phishing simulations dropped from 18 percent to under 5 percent. Interaction rates (open, click, forward) among OT staff fell from 40 percent to 12 percent.
– Improved Detection and Reporting: Average time to report suspicious emails decreased from over eight hours to 25 minutes.
– Training Completion: Over 95 percent of employees completed the program within 30 days. All control facilities adopted quick-reference materials, and shared SCADA credentials were eliminated.
– Audit Readiness: The utility established demonstrable safeguards and governance practices, supporting PIPEDA compliance and easing regulator scrutiny.
– Cultural Shift: Employees became more confident in identifying and reporting threats, fostering a just-culture environment that emphasized learning over blame.
Implementation Roadmap
Phase 1 – Mobilization (Weeks 0–1)
– Reviewed incident details and CCCS advisories.
– Conducted a rapid awareness gap analysis.
– Formed a cross-functional OT/IT task force and established reporting dashboards.
Phase 2 – Communication and Training (Weeks 1–3)
– Released executive memos and clear, accessible bulletins.
– Launched role-based training modules and toolbox talks.
– Updated key policies and secured union and HR approvals.
Phase 3 – Testing and Coaching (Weeks 3–5)
– Conducted phishing simulations and gathered performance data.
– Delivered individualized coaching to improve awareness.
– Adjusted email filters and threat intelligence configurations.
Phase 4 – Validation and Governance (Weeks 5–8)
– Ran a second simulation round to confirm sustained improvement.
– Presented metrics to senior leadership and audit committees.
– Integrated updated controls into daily operations and contractor onboarding.
Phase 5 – Sustainment (Quarterly)
– Scheduled quarterly refresher sessions and targeted micro-simulations.
– Conducted annual cross-functional exercises to test coordination among IT, OT, and communications teams.
– Maintained compliance documentation for audits and regulatory review.
Regulatory and Policy Framework:
This roadmap adheres to PIPEDA (safeguards and accountability), CCCS critical infrastructure advisories, CSA Z246.1, IEC 62443, and relevant Criminal Code and provincial regulatory standards.

