
From click to crisis: How Nova Scotia Power got breached

Team Shieldworkz

A ransomware attack on a regulated electric utility, the anatomy of a 37-day infiltration, and the prescriptive remediation framework every energy operator should review.

900,000+ customers affected
37 days of undetected dwell time
5 years of credit monitoring offered
SIN + bank account data among the categories stolen

In April 2025, Nova Scotia Power, the regulated electric utility serving 900,000 customers across Nova Scotia, Canada, suffered a ransomware attack that compromised sensitive personal data, including Social Insurance Numbers, bank account information, and driver's license numbers. The attack vector was a commodity malware family. The dwell time was 37 days. The attackers destroyed backups before detonating ransomware. None of this is unusual. All of it was preventable.

This analysis dissects the Nova Scotia Power breach through two complementary technical lenses: NERC CIP (the mandatory North American bulk electric system cybersecurity standard) and IEC 62443 (the international industrial control system security framework). The goal is not to catalogue what went wrong; it is to prescribe what should have been in place, and what every regulated utility should be auditing right now.

⚠ Critical Insight

The attackers never needed a zero-day exploit. A single employee, a compromised website, and one pop-up click were all it took to gain a foothold in a network that handled billing data for nearly a million people and that sat adjacent to the operational technology managing electrical infrastructure.

The Anatomy of the Attack: A Five-Week Infiltration

The attack unfolded across three distinct attack phases, followed by disclosure, each one representing a failure of a specific control domain. Understanding the sequence is essential not just to assign blame, but to prescribe the right remediation.

March 19, 2025

PHASE 1: INITIAL ACCESS

SocGholish Malware Delivered via Drive-By

An employee visited a compromised website. A malicious JavaScript pop-up, SocGholish's trademark fake browser update prompt, was clicked. The malware installer executed, establishing an encrypted command-and-control channel back to the attacker's infrastructure. The endpoint was now owned.

April 8–22, 2025

PHASE 2: LATERAL MOVEMENT & RECONNAISSANCE

Domain Admin Credentials Harvested, Network Mapped

Over two weeks, attackers escalated privileges to domain administrator level, moved laterally across systems, conducted internal reconnaissance, and harvested credentials. This is the "dwell time" phase: the period that separates a containable incident from a catastrophic one. No detection occurred during this entire window.

April 23–25, 2025

PHASE 3: EXFILTRATION + DESTRUCTION

Data Stolen, Ransomware Deployed, Backups Destroyed

In the final 72-hour sprint, attackers exfiltrated data from both on-premises systems and cloud storage, deployed ransomware, destroyed backups, and took down multiple applications. The breach was only discovered when employees reported system outages, meaning detection was entirely accidental, not systematic.

April 28, 2025

PHASE 4: DISCLOSURE

Public Notification & Regulatory Reporting

Nova Scotia Power informed the public on April 28 and notified the Office of the Privacy Commissioner of Canada by May 1. Direct customer notifications followed weeks later, with additional affected individuals identified months after initial disclosure. The ransom was not paid, consistent with law enforcement guidance.

 FIG 1: Attack chain: SocGholish initial access → Encrypted C2 → Domain Admin escalation → Exfiltration → Ransomware detonation (Mar 19 – Apr 25, 2025)

What Was Compromised and Why It Matters

The 900,000+ affected individuals lost more than names and email addresses. The compromised dataset included Social Insurance Numbers (SINs), driver's license numbers, bank account and billing history, dates of birth, phone numbers, and mailing addresses. For an electric utility, this scope of data collection raises an uncomfortable question: why was all of this necessary?

The Office of the Privacy Commissioner of Canada raised specific concerns about the collection and retention of SINs, which are the crown jewels of Canadian identity theft. For a utility managing electricity delivery, the operational case for holding SINs in the same environment as billing systems is questionable, and it points to a data minimisation failure that NERC CIP's access management controls are designed, in part, to address.

"I welcome this commitment by Nova Scotia Power to ensure stronger protections for the personal information of its customers. This privacy breach highlights the significant risks of cyberattacks to individuals and companies." (Philippe Dufresne, Privacy Commissioner of Canada, March 2026)


The NERC CIP Gap Analysis: What Should Have Caught This

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is the mandatory cybersecurity standard for bulk electric system operators in North America. Standards CIP-002 through CIP-014 cover asset identification, access management, systems security, incident reporting, and personnel training. The Nova Scotia Power breach reveals meaningful gaps across several of these standards.

| NERC CIP Standard | Requirement | Observed Gap | Status |
|---|---|---|---|
| CIP-003 Security Management Controls | Policies for low-impact BES Cyber Systems | No evidence of endpoint web-browsing controls or DNS filtering that would have blocked SocGholish delivery domains | GAP |
| CIP-004 Personnel & Training | Security awareness training, including phishing/malware recognition | Employee interacted with a known drive-by download technique that trained personnel should recognize; browser security hygiene appears insufficient | GAP |
| CIP-005 Electronic Security Perimeters | Define and manage ESP boundaries; control interactive remote access | Lateral movement across systems using domain admin credentials went undetected for 14+ days, suggesting insufficient east-west segmentation | GAP |
| CIP-007 Systems Security Management | Ports & services control, security patch management, malware prevention | Malware installed without triggering endpoint detection; backup systems were accessible and destroyed, indicating backup access was not restricted | GAP |
| CIP-008 Incident Reporting & Response | Incident response plan activation, reporting timelines | Detection was accidental (employee reports of outages), not systematic; the 37-day dwell time indicates no automated incident detection was triggered | GAP |
| CIP-009 Recovery Plans | Tested backup and recovery procedures for BES Cyber Systems | Attackers successfully destroyed backups, a direct contradiction of the tested, hardened backup procedures required under this standard | GAP |
| CIP-010 Configuration Change Management | Baseline configurations, transient cyber assets, vulnerability management | Domain admin credential escalation occurred without configuration alerts; no indication of privileged access workstation (PAW) architecture | GAP |
| CIP-011 Information Protection | Methods to identify, classify, and protect BES Cyber System Information | Data classification failures: SINs co-located with billing data in an inadequately segmented environment; cloud storage accessed without apparent DLP controls | GAP |

What is striking here is the breadth of the gaps. This was not a single control failure; it was a systemic one. The attacker moved freely because the defence-in-depth layers that NERC CIP mandates were either absent, misconfigured, or not monitored effectively. A key principle for utilities is that compliance and security are not the same thing: meeting the letter of CIP standards requires active monitoring, not just policy documentation.

The IEC 62443 Lens: A Deeper Technical Assessment

IEC 62443 is the international family of standards for Industrial Automation and Control Systems (IACS) security. Unlike NERC CIP, which is compliance-oriented and North America-specific, IEC 62443 provides engineering-grade security requirements expressed through Security Levels (SL 1–4) and seven Foundational Requirements (FRs). For a utility like Nova Scotia Power, which operates SCADA systems, substations, and grid management infrastructure, the 62443 framework offers the most precise diagnostic language available.

IEC 62443-3-3 Foundational Requirements: Breach Impact Mapping

FR 1, Access Control: Domain admin abuse; no MFA on privileged accounts
FR 2, Use Control: Overprivileged domain account enabled free movement
FR 3, System Integrity: Cloud and on-prem stores lacked integrity monitoring
FR 4, Data Confidentiality: SIN data exfiltrated; no DLP in cloud paths
FR 5, Restricted Data Flow: No east-west segmentation; flat network topology
FR 6, Timely Response: Recovery initiated after discovery; ransom refused
FR 7, Resource Availability: Backups destroyed; multiple apps taken offline by ransomware

Legend (colour coding of the original graphic): Red = Control Failure; Green = Partial/Reactive; Amber = Monitoring Gap

Security Level Assessment: Where Did Nova Scotia Power Stand?

IEC 62443 defines Security Levels from SL 1 (protecting against casual or unintentional violation) through SL 4 (protecting against sophisticated, nation-state-level attacks). For a regulated electric utility, the target is typically SL 2: protection against deliberate violation by an entity with moderate resources and motivation, such as organised cybercriminal groups.

Based on the attack chain evidence (a commodity malware delivery mechanism, successful domain admin escalation, 37-day undetected dwell time, and accessible backup destruction), the effective security level at the time of the breach was not SL 2. The SocGholish gang is not a nation-state actor. They are a well-resourced but commercially motivated criminal enterprise that deploys scalable, off-the-shelf initial access tools. An SL 2-compliant environment should have contained or detected this intrusion. It did not.

The IT/OT Convergence Risk That Nobody Talks About

What makes this incident particularly instructive for the broader energy sector is the convergence angle. Nova Scotia Power's breach was initially an IT event, involving corporate billing and customer data systems rather than operational technology. But the adjacency matters enormously. The same domain admin credentials that gave attackers the run of the corporate network could, in an inadequately segmented environment, be a stepping stone toward SCADA systems, energy management platforms, and substation control networks.

The utility sector is still working through the implications of connecting historically air-gapped OT networks to corporate IT infrastructure for operational efficiency. Every connection that improves monitoring or remote management also creates a potential lateral movement path. IEC 62443's Zone and Conduit model, enforced through SR 5.1 and SR 5.2 (network segmentation and zone boundary protection), exists precisely to contain this risk. A deny-by-default conduit policy between IT and OT zones would not have prevented the initial infection, but it would have prevented any eastward movement toward grid infrastructure.


The 37-Day Dwell Time Problem: Detection Is the Broken Control

The single most damaging number in this incident report is 37 days. From the initial SocGholish infection on March 19 to the ransomware detonation on April 25, attackers were inside the network for over five weeks with no automated detection. This is the classic "dwell time" problem that separates preventable breaches from catastrophic ones.

Detection capability in an OT-adjacent environment requires more than perimeter firewalls. It requires network detection and response (NDR) tools capable of reading industrial protocols, passive asset discovery that doesn't disrupt PLCs with active scan traffic, and behavioural baselines that flag anomalous lateral movement patterns. AI-driven anomaly detection is the critical differentiator: attackers using legitimate admin credentials look identical to legitimate admins unless behaviour is continuously baselined.

⚠ Detection Gap Analysis

Industry benchmark for acceptable dwell time under NERC CIP incident reporting requirements is measured in hours to days, not weeks. A 37-day undetected presence in a regulated bulk electric system environment represents a failure of both technical detection and procedural monitoring cadence. CIP-008 requires incident response plans, but detecting the incident to trigger that plan depends on CIP-007 security event monitoring being both configured and actively reviewed.
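As an added illustration of the behavioural baselining described above (this is example code written for this page, not Shieldworkz tooling and not anything from the Nova Scotia Power investigation), the Python below learns which source and target hosts each privileged account normally uses during a baseline window, then flags logons involving unseen hosts and logon fan-out bursts of the kind that lateral movement with a harvested domain admin account produces. The log format, host names, account names and timestamps are all constructed.

```python
"""Behavioural baseline for privileged accounts (added example, not from the post).

Learns, per account, the set of source hosts it logs on from and target hosts
it logs on to. Anything outside that set, or a burst of logons to several
distinct targets in a short window, is reported as an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <account> <source host> <target host>".
# Loosely modelled on Windows logon events; none of this is real data.
BASELINE_LOGS = [
    "2025-03-01T08:02:11 svc_backup BKP01 FS01",
    "2025-03-01T08:05:40 svc_backup BKP01 FS02",
    "2025-03-02T09:10:03 adm_jdoe PAW01 DC01",
    "2025-03-02T09:12:30 adm_jdoe PAW01 FS01",
    "2025-03-03T10:00:00 adm_jdoe PAW01 DC01",
]

LIVE_LOGS = [
    "2025-04-09T02:14:05 adm_jdoe WS117 DC01",   # admin account from an ordinary workstation
    "2025-04-09T02:15:10 adm_jdoe WS117 FS01",
    "2025-04-09T02:15:40 adm_jdoe WS117 FS02",   # target never seen for this account
    "2025-04-09T02:16:02 adm_jdoe WS117 BKP01",  # backup server: high-value target
    "2025-04-09T02:16:30 adm_jdoe WS117 HR01",
    "2025-04-10T09:01:00 adm_jdoe PAW01 DC01",   # normal pattern, should be silent
]


def parse(line):
    ts, account, src, dst = line.split()
    return datetime.fromisoformat(ts), account, src, dst


def build_baseline(lines):
    """Per account: the source and target hosts observed during the baseline window."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for line in lines:
        _, account, src, dst = parse(line)
        baseline[account]["src"].add(src)
        baseline[account]["dst"].add(dst)
    return baseline


def detect(lines, baseline, window=timedelta(minutes=5), fanout=3):
    """Return alerts as (timestamp, account, kind, detail).

    kinds: new_source_host, new_target_host, and logon_fanout (fired once when an
    account reaches `fanout` distinct targets inside `window`).
    """
    alerts = []
    recent = defaultdict(list)  # account -> [(ts, target)] within the window
    for line in lines:
        ts, account, src, dst = parse(line)
        known = baseline.get(account, {"src": set(), "dst": set()})
        if src not in known["src"]:
            alerts.append((ts, account, "new_source_host", src))
        if dst not in known["dst"]:
            alerts.append((ts, account, "new_target_host", dst))
        # Slide the window, then count distinct targets touched recently.
        recent[account] = [(t, d) for t, d in recent[account] if ts - t <= window]
        recent[account].append((ts, dst))
        distinct = {d for _, d in recent[account]}
        if len(distinct) == fanout:
            alerts.append((ts, account, "logon_fanout", sorted(distinct)))
    return alerts


if __name__ == "__main__":
    model = build_baseline(BASELINE_LOGS)
    for alert in detect(LIVE_LOGS, model):
        print(*alert)
```

Run stand-alone it prints the alerts for the constructed April logons and nothing for the April 10 logon from the usual PAW. In production the baseline would be rebuilt on a rolling schedule and the host sets would come from the SIEM rather than a list in the script, but the logic that matters is the same: a domain admin account that suddenly appears on a new workstation and touches several servers it has never touched is exactly the signal that was missing for 37 days.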


What Good Looks Like: Prescriptive Remediation

The purpose of a post-incident analysis is not autopsy; it is prevention. The following recommendations are grounded in specific NERC CIP and IEC 62443 controls that would have materially altered the outcome of this breach.

NERC CIP-004 / IEC 62443 FR-1

Mandatory Browser Security & Web Filtering

DNS-layer filtering to block known SocGholish delivery domains. Browser isolation for non-essential internet access from corporate workstations. Simulated drive-by download training scenarios, beyond phishing email simulations, as required by CIP-004 personnel training.

IEC 62443-3-3 SR 1.1–1.5 / CIP-005

Zero Trust for Privileged Access

Privileged Access Workstations (PAWs) for all domain admin operations. MFA enforced at the engineering workstation level. Just-in-time access provisioning so domain admin rights are not persistently assigned. Session recording for all privileged sessions as an audit trail.

NERC CIP-007 / IEC 62443-3-3 SR 5.1–5.2

East-West Network Segmentation

Implement IEC 62443 Zone and Conduit architecture with deny-by-default conduit policies between IT and OT zones. Microsegmentation within IT zones to prevent lateral movement between billing, HR, and cloud systems. Validate with automated segmentation verification tools quarterly.
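To make the deny-by-default conduit policy concrete, here is an added Python example (written for this page; not code from the post and not Nova Scotia Power's architecture). Zones are defined as address ranges, conduits as an explicit allowlist of (source zone, destination zone, port, protocol), and observed flows, such as those exported from a firewall or NetFlow collector, are evaluated against them the way a segmentation verification tool would. Every zone name, address range, port and flow below is assumed or constructed.

```python
"""Deny-by-default zone/conduit policy check (added example, not from the post).

Any flow that is not intra-zone and not covered by an explicit conduit is a
violation; IT->OT crossings are called out separately because they are the
path from a compromised corporate endpoint toward grid infrastructure.
"""
import ipaddress

# Constructed zone addressing (assumed, not a real utility's plan).
ZONES = {
    "IT_CORP": ["10.10.0.0/16"],
    "IT_DMZ": ["10.20.0.0/24"],
    "OT_DMZ": ["172.16.0.0/24"],
    "OT_SCADA": ["172.16.10.0/24"],
    "OT_SUBSTATION": ["172.16.20.0/24"],
}

# Approved conduits: (src_zone, dst_zone, dst_port, proto). Everything else is denied.
CONDUITS = {
    ("IT_CORP", "IT_DMZ", 443, "tcp"),
    ("IT_DMZ", "OT_DMZ", 443, "tcp"),              # historian replication via the DMZs
    ("OT_DMZ", "OT_SCADA", 502, "tcp"),            # Modbus/TCP polling from the OT DMZ
    ("OT_SCADA", "OT_SUBSTATION", 20000, "tcp"),   # DNP3 to substation RTUs
}

# Constructed observed flows: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.10.5.23", "10.20.0.10", 443, "tcp"),      # corp -> DMZ web: approved conduit
    ("10.10.5.23", "172.16.10.7", 3389, "tcp"),    # corp workstation -> SCADA RDP: no conduit
    ("10.10.5.23", "172.16.10.7", 502, "tcp"),     # corp workstation -> SCADA Modbus: no conduit
    ("172.16.0.5", "172.16.10.7", 502, "tcp"),     # OT DMZ -> SCADA Modbus: approved
    ("172.16.10.7", "172.16.20.3", 20000, "tcp"),  # SCADA -> substation DNP3: approved
    ("192.0.2.9", "172.16.10.7", 502, "tcp"),      # unmapped source address: deny
    ("10.10.5.23", "10.10.7.1", 445, "tcp"),       # intra-IT_CORP SMB: allowed by this model
]


def zone_of(ip):
    """Map an address to its zone, or UNKNOWN if it is not in any defined range."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "UNKNOWN"


def evaluate(flows):
    """Return a list of (flow, verdict, reason) with verdict 'allow' or 'deny'."""
    results = []
    for src, dst, port, proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "UNKNOWN" in (sz, dz):
            verdict, reason = "deny", f"unmapped address ({sz}->{dz})"
        elif sz == dz:
            # Intra-zone traffic is allowed here; microsegmentation inside a zone
            # would be a second, finer policy layered on top of this one.
            verdict, reason = "allow", f"intra-zone {sz}"
        elif (sz, dz, port, proto) in CONDUITS:
            verdict, reason = "allow", f"conduit {sz}->{dz}:{port}/{proto}"
        else:
            verdict, reason = "deny", f"no conduit {sz}->{dz}:{port}/{proto}"
            if sz.startswith("IT_") and dz.startswith("OT_"):
                reason += " (IT->OT crossing)"
        results.append(((src, dst, port, proto), verdict, reason))
    return results


def violations(flows):
    """Only the denied flows, for the report a quarterly verification run would produce."""
    return [r for r in evaluate(flows) if r[1] == "deny"]


if __name__ == "__main__":
    for flow, verdict, reason in evaluate(FLOWS):
        print(verdict.upper(), flow, reason)
```

Feeding a day of real flow records through this check turns "we have segmentation" into a list of flows that contradict the documented zone model, which is what an auditor, and an incident responder, will ask for.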

NERC CIP-007 / IEC 62443-3-3 FR-7

Immutable, Air-Gapped Backups

3-2-1-1 backup strategy: three copies, two media types, one offsite, one air-gapped or immutable. Backup access should require multi-party authorisation. Regular restoration testing under CIP-009 should include adversarial scenarios (backup deletion attempts), not just operational failures.

IEC 62443-3-3 FR-6 / CIP-008

Continuous OT-Aware Detection

Deploy passive NDR (Network Detection and Response) with OT protocol awareness (Modbus, DNP3, IEC 61850) and behavioural baselining. Set detection targets for mean time to detect (MTTD) of under 24 hours for privilege escalation events. Integrate ICS logs into a cloud-based SIEM with real-time alerting.

IEC 62443-2-3 / CIP-010

Vulnerability Triage & Patch Governance

Implement IEC 62443-2-3's Defensible Deferral framework for OT patches: risk-score each vulnerability against zone exposure, compensating controls, and operational impact of patching. Use digital twins to test patches before applying to live control loops. Mandate SBOMs from all industrial vendors as a procurement requirement.

NERC CIP-011 / IEC 62443 FR-4

Data Minimisation & Classification

Conduct a data retention audit: identify all PII fields, including SINs, held in customer-facing systems and assess operational necessity. Implement data loss prevention (DLP) on cloud storage egress paths. Classify and label all data stores per CIP-011 information protection requirements.
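As an added example for the DLP recommendation above (written for this page, not code from the post), the Python below detects Canadian SINs in an outbound payload. A SIN is nine digits carrying a Luhn check digit, so the detector only reports regex candidates that also pass the checksum, which keeps phone numbers and invoice numbers from triggering it. The sample payloads are constructed; 046 454 286 is a widely published sample SIN that passes the checksum, not a real person's number.

```python
"""SIN detection for an egress DLP check (added example, not from the post).

Regex finds nine-digit candidates in the common 3-3-3 layout; the Luhn
checksum then filters out nine-digit strings that cannot be SINs.
"""
import re

# Three groups of three digits, optionally separated by a space or hyphen,
# not embedded in a longer run of digits (so 10-digit phone numbers do not match).
SIN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text):
    """Return (masked_value, span) for each Luhn-valid SIN candidate in text.

    The value is masked before it leaves this function so that DLP alerts do
    not themselves become a second copy of the sensitive data.
    """
    hits = []
    for m in SIN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            hits.append(("***-***-" + digits[-3:], m.span()))
    return hits


def classify_payload(text, threshold=1):
    """Verdict for an outbound payload: ('block', n) if it carries at least
    `threshold` SINs, otherwise ('allow', n)."""
    hits = find_sins(text)
    return ("block" if len(hits) >= threshold else "allow"), len(hits)


# Constructed sample payloads (no real customer data).
SAMPLES = {
    "billing_export": "acct 88213, name J. Doe, SIN 046-454-286, phone 902-555-0123",
    "ticket_note": "customer called from 902 555 0199 re: invoice 123456789",
    "clean": "meter reading 0047 kWh uploaded",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_payload(payload))
```

The same function run over the cloud storage egress path, or over the fields of a customer-facing database during the retention audit, answers the Privacy Commissioner's question directly: where are SINs actually stored and sent, and does each location have an operational reason to hold them.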

IEC 62443-3-2 / CIP-002

Annual IEC 62443 Gap Assessment

Commission an independent IEC 62443-based risk assessment annually, mapping every asset and network flow against Security Level targets. Benchmark against SL 2 for IT/OT boundary systems and SL 3 for SCADA and substation control networks. A structured methodology provides quantified impact scoring that translates technical gaps into business risk language for board-level reporting.

The Notification Failure: A Secondary Crisis

Beyond the technical dimensions of this breach, the handling of customer notification created a secondary reputational and regulatory crisis. While Nova Scotia Power informed the public on April 28, three days after discovery, direct notifications to affected individuals arrived weeks later. Some customers were not notified until months after the initial disclosure, as additional victims were identified in subsequent forensic analysis.

For a breach involving SINs and bank account details, every day of notification delay is a day in which affected individuals cannot take protective action: placing fraud alerts, freezing credit, monitoring accounts. The Office of the Privacy Commissioner received multiple complaints specifically about this delay.

From an IEC 62443 and CIP-008 perspective, the notification failure reflects an incident response plan that was not scaled for the complexity of a dual-vector attack (data exfiltration plus ransomware). The plan needed sub-playbooks for customer notification tiering, regulatory escalation, media communication, and ongoing victim identification as forensic analysis expands scope. Nova Scotia Power's commitment to provide five years of credit monitoring for all customers, extended from an initial 24 months, was an appropriate remediation, but it cannot substitute for timely initial communication.

The Broader Picture: Energy Sector Under Sustained Threat

Nova Scotia Power is not an isolated case. Across North America and Europe, the energy sector is experiencing sustained targeting by both criminal ransomware operators and state-aligned threat actors. The INC Ransom group, which operates a franchise model analogous to ransomware-as-a-service, has explicitly targeted Western critical infrastructure. The SocGholish operators who likely conducted this intrusion are known to sell initial access to downstream ransomware affiliates, meaning the entity that dropped the ransomware and the entity that installed the initial backdoor may have been two separate organisations operating in a criminal marketplace.

This industrialisation of the attack chain has profound implications for defenders. AI is being used by attackers to craft smarter phishing, automate malware, and exploit weaknesses faster than ever. The asymmetry between attacker automation and defender manual review processes is widening. The answer is not more compliance checklists; it is deploying AI-driven detection that can identify the subtle behavioural anomalies of a domain admin account that starts querying systems it has never queried before.

Frameworks like NERC CIP, IEC 62443, and NIST 800-82 are evolving to tackle new threats. Stricter data protection laws are requiring real-time monitoring and incident reporting. Falling short can mean fines and a hit to your reputation.

Conclusion

The Nova Scotia Power breach is a masterclass in the distance between regulatory compliance and operational resilience. NERC CIP, properly implemented, provides a meaningful baseline, but the baseline requires active enforcement, continuous monitoring, and a security culture that treats detection as a first-order priority rather than an afterthought.

IEC 62443 provides the engineering vocabulary to move beyond that baseline. The Zone and Conduit model, the Security Level framework, the specific System Requirements of 62443-3-3: these are not abstract standards for auditors. They are the architectural decisions that would have kept an attacker confined to a single endpoint rather than free-ranging across a corporate network for five weeks.

For any electric utility conducting its own retrospective on this breach, the most important question to ask is not "were we compliant?" It is: "if an attacker had domain admin credentials and 37 days in our network, what would they find?" If the honest answer resembles what happened in Nova Scotia, the time to act is now, before the next SocGholish pop-up finds its target.


REFERENCES & FURTHER READING

• Office of the Privacy Commissioner of Canada: Nova Scotia Power Compliance Letter (March 2026) · priv.gc.ca
• The Cyber Express: Nova Scotia Power Data Breach Compromises Data of Over 900,000 Users (March 2026) · thecyberexpress.com
• Industrial Cybersecurity: A Complete Guide for Critical Infrastructure Protection · shieldworkz.com
• A Deep Dive into IEC 62443-3-3 Controls for OT Operators · shieldworkz.com
• A Plant Head's Strategic Guide to IEC 62443 Vulnerability Management · shieldworkz.com
• Top OT Cybersecurity Trends You Can't Ignore in 2025 · shieldworkz.com
• ICS Cybersecurity: What's Next for the Next 5 Years · shieldworkz.com
• Fundamentals of OT Security Training for OT Operators · shieldworkz.com
• Building an OT Cybersecurity Program with IEC 62443 and NIST SP 800-82 · shieldworkz.com
• CIP Standards CIP-002 through CIP-014 · nerc.com
• IEC 62443-3-3: System Security Requirements and Security Levels · iec.ch
• Guide to OT/ICS Security (September 2023) · nist.gov
