Analysing the Nova Scotia Power Cyberattack

Prayukth KV

3 May 2025

Nova Scotia Power (NSP) and its parent company, Emera Inc., were recently targeted in a cyberattack that disrupted key digital systems. While the electric grid itself remained operational, the attack exposed several critical weaknesses in the utility's business IT infrastructure. It has sent a clear message to the energy sector: even when physical operations are secure, digital vulnerabilities can undermine trust, service continuity, and potentially safety.

Timeline of the cyberattack

On April 25, NSP discovered unauthorized access to multiple parts of its network and servers. The breach impacted the business IT systems, primarily those responsible for managing customer data, billing platforms, and internal communications. In response, the company quickly activated its pre-planned incident response plan, brought in cybersecurity experts, and worked to isolate the impacted systems to contain the blast radius.

This containment effort helped prevent the attack from spreading into operational networks, such as power generation and transmission systems. The attack did temporarily disable several customer-facing services, including online account management and phone-based support. Many customers experienced difficulty paying bills and accessing their accounts, causing public concern over the security of personal and financial information.

While the utility assured the public that electricity delivery was unaffected, the incident raised several red flags about the potential for cyberattacks to exploit weak points in utilities’ digital ecosystems, even when core operations are well protected. This attack was confined to IT systems; had it reached OT systems, which are often less well secured, the outcome could have been far more devastating, with recovery stretching into weeks, if not months, as past incidents have shown.

Impact on infrastructure

The most immediate and visible impacts were to the utility’s customer service capabilities:

  • Customer portals were taken offline to prevent further compromise.

  • Call centers experienced outages and long wait times.

  • Customer trust took a hit, especially given concerns about potential data exposure.

  • Internal coordination was slowed as parts of the company’s business infrastructure were shut down or operating under manual processes.

In the absence of an audit, it is difficult to say what other systems were impacted.

Though there is no evidence so far that operational systems were compromised, the attack created many indirect operational risks. For example, delayed customer communications and a lack of access to account data could hinder outage response coordination or billing accuracy in the longer term. Further, data exfiltrated during this attack could be used to breach networks in the future.

What Could Have Been Done to Prevent It?

Prima facie, the breach appears to have stemmed from vulnerabilities in the business IT environment, a common but often under-protected segment of utility networks. Preventive measures that could have reduced the risk or the impact include:

  • An additional layer of protection for key systems

  • IEC 62443-based audits of the overall infrastructure

  • Robust network segmentation: Operational Technology (OT) systems and IT systems must be strictly segmented. Although this attack did not reach OT, the fact that segmentation held suggests it may have been the saving grace.

  • Zero Trust Architecture: Zero trust assumes no user, session or device is trusted by default. By enforcing strict authentication and continuous validation, even internal actors must prove legitimacy before accessing and retaining access to sensitive systems. This approach helps contain breaches before they escalate.

  • Security awareness and phishing defense: Many breaches originate in phishing. Regular training, simulated phishing campaigns, and aggressive spam filtering can reduce the risk of an employee accidentally handing over credentials or installing malware.

  • Proactive Monitoring and Threat Hunting: Using Security Information and Event Management (SIEM) systems with behavioral analytics can detect unusual activity before a breach becomes widespread. Real-time detection reduces the “dwell time” of attackers in the system. On the OT side, use of a mature OT Network Detection and Response solution could aid in the early detection of threats.

  • Vulnerability Management and Patch Hygiene: Unpatched software vulnerabilities are a frequent entry point. A disciplined and tracked program for updating systems, especially customer-facing web services, can close many known gaps that attackers commonly exploit.
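The segmentation and monitoring points above can be combined into a simple detection check: flag any flow that crosses from the business IT zone into the OT zone unless it is on an explicit allow-list. The following is an added example, not code from the article or from NSP; the zone subnets, the allow-list, and the log format are constructed assumptions.

```python
"""Added example: flag IT-to-OT zone flows in constructed firewall logs.

Assumptions (not from the article): the IT business zone and OT zone
subnets, the allow-list, and the log line format are all illustrative.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map; a real utility derives this from its asset inventory (CIP-002).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # business IT: billing, portals, email
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")  # control network
# Only these (src, dst, port) flows may cross the IT/OT boundary (illustrative).
ALLOWED = {("10.10.5.20", "10.200.1.10", 443)}   # e.g. historian replication via a DMZ proxy

@dataclass
class Alert:
    src: str
    dst: str
    port: int
    reason: str

def parse_flow(line):
    # Constructed format: "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["action"]

def audit_flows(lines):
    """Return an Alert for every IT->OT flow that is not explicitly allow-listed."""
    alerts = []
    for line in lines:
        src, dst, port, action = parse_flow(line)
        if ipaddress.ip_address(src) in IT_ZONE and ipaddress.ip_address(dst) in OT_ZONE:
            if (src, dst, port) in ALLOWED:
                continue
            if action == "allow":  # firewall let it through: the segmentation rule set has a gap
                reason = "IT->OT flow permitted by firewall but not on allow-list"
            else:                  # firewall blocked it: segmentation held, but someone is probing
                reason = "IT->OT connection attempt denied (possible lateral movement)"
            alerts.append(Alert(src, dst, port, reason))
    return alerts

SAMPLE_LOGS = [  # constructed sample lines
    "2025-04-25T02:11:03Z src=10.10.5.20 dst=10.200.1.10 dport=443 action=allow",
    "2025-04-25T02:11:09Z src=10.10.7.44 dst=10.200.3.5 dport=502 action=deny",
    "2025-04-25T02:11:15Z src=10.10.7.44 dst=10.200.3.5 dport=22 action=allow",
    "2025-04-25T02:12:00Z src=10.10.8.9 dst=10.10.8.10 dport=445 action=allow",
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_LOGS):
        print(alert)
```

Denied attempts show that segmentation is working but that an IT host is reaching for OT; allowed flows outside the allow-list are the more urgent finding, since they mean the boundary itself has a gap.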

Strengthening Utility Cybersecurity with NERC CIP and IEC 62443

To defend against increasingly sophisticated threats, utilities must align their cybersecurity programs with established regulatory and technical standards. Two of the most important standards in the energy sector are NERC CIP and IEC 62443.

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)

NERC CIP standards are mandatory for utilities operating the bulk electric system in North America. These standards focus on identifying, categorizing, and protecting critical cyber assets. Key areas include:

  • CIP-002: Asset identification and classification (asset inventory management with security aligned asset classification)

  • CIP-005: Electronic security perimeters and secure remote access

  • CIP-007: System security management (patching, NDR, antivirus, etc.)

  • CIP-013: Supply chain cybersecurity risk management (approaching security from a component and system lifecycle standpoint)

NERC CIP compliance ensures that electric utilities apply baseline security controls across their critical systems, helping reduce the chance of compromise and enabling faster incident response when needed.

IEC 62443 (International Electrotechnical Commission)

IEC 62443 offers a globally recognized framework for securing industrial automation and control systems (IACS). It is vendor-neutral and provides comprehensive guidance across multiple levels:

  • Policies and Procedures (e.g., IEC 62443-2-1): For asset owners to govern cybersecurity effectively through an IACS security program

  • Patch management in the IACS environment: To ensure systems remain secure by addressing vulnerabilities. Recommends patch management covering patch classification and identification, prioritization (as per impact or business outcome), testing, deployment, and verification.

  • System security: IEC 62443-3-2:2020 establishes requirements for defining a system under consideration (SUC) for an industrial automation and control system

  • System Design (e.g., IEC 62443-3-3): For integrators to implement secure architectures with technical controls that harden the infrastructure and add defense in depth

  • Component Security (e.g., IEC 62443-4-2): For product developers to ensure secure devices

IEC 62443 emphasizes security levels based on risk, making it flexible enough to adapt across different industries and asset classes. When implemented effectively, it can complement NERC CIP requirements and fill in gaps in process, design, and lifecycle management.

Moving Forward: A Security Blueprint for Power Companies

The NSP incident highlights an urgent truth: cybersecurity in the power sector cannot be siloed into compliance checklists or focused solely on operational networks. Attackers will exploit the weakest link, whether it’s a billing server, a third-party vendor, or an under-trained employee.

To move toward a more resilient posture, power companies should:

  1. Treat IT and OT security with equal seriousness. Customer portals are just as likely to be targeted as SCADA systems, and breaches in one can threaten the other.

  2. Integrate cybersecurity into the corporate risk register. Security is a board-level issue and needs to be budgeted, governed, and reviewed as such.

  3. Engage in industry-wide collaboration. Sharing threat intelligence and best practices through ISACs and cross-utility partnerships can provide early warnings and accelerate recovery.

  4. Adopt layered defense strategies. Firewalls, endpoint detection, identity access controls, and application hardening all have roles to play in a holistic defense plan.

The cyberattack on Nova Scotia Power serves as a wake-up call. While the company avoided a worst-case scenario involving grid disruption, the incident exposed just how vulnerable business-facing systems can be, and how those vulnerabilities can ripple into operational risk and public trust.

Utilities must go beyond minimum compliance and adopt a risk-based, standards-aligned approach to cybersecurity. By embracing both NERC CIP and IEC 62443 frameworks, and reinforcing their defenses across IT and OT, power providers can better prepare for the next wave of cyber threats and ensure the continued delivery of one of society’s most critical services: reliable, secure energy.
