A cyber security expert says Nova Scotia Power may have been one of the first utilities in Canada to be attacked by hackers, but it could start happening more often.
Hackers attacked Nova Scotia Power in April and held stolen personal information for ransom.
David Shipley, CEO and co-founder of Beauceron Security, said it’s bad that information was stolen, but it could have been worse.
“When a power utility gets hit, the worst outcome is to cripple the utility and they turn the lights off,” said Shipley.
Nova Scotia Power said it did not pay any money, based on advice from police, but some of the information was published online. On Friday, the utility said it is working to determine the full scope of the information stolen.
Shipley said it’s likely the attacker is from a known group that faces sanctions from the government. He says that’s why the news release from Nova Scotia Power says they did not pay the ransom because of “careful assessment of applicable sanctions laws.” That could mean the attacker is from a hostile country, like Russia, China, North Korea, Iran or others.
He said there are several countries that run ransomware gangs to generate money.
Minister of Energy Trevor Boudreau sent a letter to Nova Scotia Power on May 7, which said he was unhappy that some services were interrupted because of the hack. He also said he was unhappy about the utility’s communication.
However, Shipley says they communicated well, considering the utility’s parent company, Emera, is publicly traded, and lawyers would have been looking thoroughly at every word they published.
He says they told the public it was an attack early on and did not simply call it an IT issue.
Shipley said hackers will repeat successful business models, meaning if they hacked the utility once, they will try and do it again.
But to prevent this, Shipley said the province should focus on two things. First, the province should create legislation to make sure companies are spending enough money on cyber security. Second, the companies will also have to hire their own experts, but they may not have funding to do that, he said.
“Things are getting worse. It is unclear that we’ve equipped, legislatively, our regulators to deal with this, or resource them to have the expertise, or the capacity to bring in the expertise, to evaluate the investments being made.”
