In April 2025, Nova Scotia Power, a major Canadian electric utility, experienced a significant cyberattack that disrupted its operations and compromised sensitive customer information. The breach, identified as a ransomware attack, affected approximately 280,000 customers, nearly half of the utility’s customer base.
Incident Overview
The cyberattack was detected on April 25, 2025, when unauthorized access to parts of Nova Scotia Power’s network and business application servers was discovered. In response, the company promptly isolated the affected servers to contain the breach. Despite these efforts, the attack led to disruptions in the utility’s IT systems, including customer care phone lines and online portals. Notably, the physical operations, such as electricity generation, transmission, and distribution facilities, remained unaffected, ensuring continuous power supply to customers.
Impact on Power Meters and Billing
While the cyberattack did not cause power outages, it disrupted the communication between power meters and Nova Scotia Power’s systems. Although the meters continued to accurately record energy consumption, the company faced challenges in retrieving this data due to the communication breakdown. Consequently, Nova Scotia Power temporarily paused customer billing and later resumed with estimated bills until the systems were fully restored and meter communications normalized.
Compromised Customer Information
The investigation revealed that the attackers accessed and exfiltrated a substantial amount of customer data. The compromised information includes:
– Names
– Dates of birth
– Email addresses
– Phone numbers
– Mailing addresses
– Power consumption data
– Payment and billing information
In some instances, more sensitive data such as driver’s license numbers, Social Insurance Numbers (SINs), and bank account details were also compromised. The breach’s extensive nature raised significant concerns about potential identity theft and financial fraud among affected customers.
Company Response and Mitigation Efforts
In response to the breach, Nova Scotia Power took several steps to mitigate the impact and support affected customers:
1. Notification and Transparency: The company promptly informed customers about the breach, detailing the types of information compromised and the potential risks involved.
2. Credit Monitoring Services: To assist customers in monitoring their financial accounts for suspicious activities, Nova Scotia Power offered five years of free credit monitoring services to all past and current customers. This was an extension from the initially offered two years, reflecting the company’s commitment to customer protection.
3. Enhanced Security Measures: The utility conducted a comprehensive review of its cybersecurity protocols and implemented additional safeguards to prevent future incidents. This included updating security software, enhancing network monitoring, and providing cybersecurity training to employees.
Broader Implications and Industry Context
The cyberattack on Nova Scotia Power underscores the growing threat of cyber incidents targeting critical infrastructure. Utilities worldwide are increasingly becoming targets for cybercriminals due to the essential services they provide and the vast amounts of sensitive data they handle.
Smart Meter Vulnerabilities
The incident also highlights potential vulnerabilities associated with smart meters. These devices, designed to provide real-time energy consumption data and enable remote management, can be susceptible to cyberattacks if not properly secured. Experts have identified several risks, including:
– Remote Exploitation: Hackers can exploit weaknesses in smart meter communication protocols to gain unauthorized access, potentially leading to data manipulation or service disruptions.
– Data Interception: Inadequate encryption can allow attackers to intercept and alter data transmitted between meters and utility systems.
– Unauthorized Control: Compromised meters can be manipulated to disconnect services or cause load imbalances, posing risks to grid stability.
Regulatory and Security Recommendations
In light of these risks, regulatory bodies and cybersecurity experts recommend several measures to enhance the security of smart meters and utility networks:
1. Security by Design: Manufacturers should integrate robust security features during the design phase of smart meters, including strong encryption, secure authentication, and regular firmware updates.
2. Regular Security Assessments: Utilities should conduct periodic security audits and penetration testing to identify and address vulnerabilities in their systems.
3. Incident Response Planning: Developing and regularly updating incident response plans can help utilities respond swiftly and effectively to cyber incidents, minimizing potential damage.
4. Customer Education: Informing customers about potential risks and encouraging proactive monitoring of their accounts can help detect and mitigate the effects of data breaches.
Conclusion
The cyberattack on Nova Scotia Power serves as a stark reminder of the critical importance of cybersecurity in the utility sector. As the industry continues to adopt advanced technologies like smart meters, ensuring robust security measures is paramount to protect both infrastructure and customer data. Utilities must remain vigilant, continuously updating their security protocols to address evolving cyber threats and safeguard the essential services they provide.
