OEC: Digital resilience through cybersecurity governance
Delivering energy and infrastructure services to customers throughout Canada, OEC offers innovative products and services across the infrastructure, energy, gas and electricity distribution and telecommunications sectors.
With over 2,500 employees, OEC provides insightful and reliable energy and infrastructure solutions to clients coast-to-coast. As Jad Elsohemy, OEC’s Vice President of Technology and Innovation, explains, protecting all of this critical infrastructure and ensuring the safety of communities has become a paramount concern.
His role today encompasses a wide range of responsibilities, including the operations, maintenance, planning, prototyping, and development of many technology systems integral to OEC's operations.
“My enthusiasm lies in harnessing the transformative capabilities of technology to empower our organisation to achieve its greatest potential,” he describes. “I am deeply appreciative of the opportunity to play a pivotal role in realising this vision.”
Another aspect of Elsohemy’s role, he explains, revolves around fostering innovation. “Throughout my career, I've been fortunate to be part of organisations that wholeheartedly embrace innovation, and OEC is no exception. At OEC we aim to weave innovation into the very fabric of our daily operations.”
An engineer by training, Elsohemy began to appreciate the critical importance of cybersecurity during the first role of his career, at ExxonMobil. “My tenure at ExxonMobil afforded me the opportunity to work in diverse roles, allowing me to develop strong foundational knowledge across various technology domains,” he comments.
“During this time, I also came to appreciate the critical importance of cybersecurity, motivating me to seek roles where I could develop expertise in this vital area.”
This pursuit culminated in his appointment as the Security Design Lead at ExxonMobil, where Elsohemy ventured into the realm of operational technology cybersecurity while it was still in its infancy.
Elsohemy’s next role would see him join Thales, where he assumed responsibility for the cybersecurity of the company’s urban rail system division. “This role exposed me to the development and deployment of safety-critical train systems, underscoring the pivotal role of cybersecurity in safeguarding critical infrastructure,” he describes.
“It also enabled me to delve into emerging technologies, including 5G, and the bringing together of various sensory technologies, communications, and cybersecurity for autonomous train control.”
In March 2022, Elsohemy joined OEC. “My current role has allowed me to further leverage and expand my expertise in cybersecurity, particularly in relation to the interplay between safety and cybersecurity. It has afforded me the opportunity to use my expertise within the energy and infrastructure services, utilities and construction industries and has served as a true opportunity-rich area.”
OEC: Empowering communities through comprehensive solutions
OEC consists of a group of companies dedicated to delivering end-to-end solutions for a wide range of sectors, including infrastructure, energy, renewable generation, electricity, and gas distribution. With a workforce of over 2,500 employees and a client base spanning across Canada, OEC has grown into a trusted name within the industry.
The Company continues to invest heavily in cutting-edge technology to deliver innovative solutions, including Geographic Information System (GIS) data management and GIS-as-a-Service, the use of mobile LiDAR technology for 3D scanning and analysis of assets, and location intelligence services.
One of OEC’s standout features is its unwavering commitment to harnessing the power of technology and cybersecurity to keep communities safe while protecting critical underground infrastructure. “We view technology and cybersecurity as one of the means for keeping communities and people safe while protecting critical utility/underground infrastructure,” Elsohemy explains.
The crucial role of cybersecurity at OEC
In the digital age, cybersecurity is a top priority for any organisation, but for OEC, it takes on even greater significance.
“The gravity of a cybersecurity breach or incident cannot be overstated, especially when considering the critical infrastructure we operate and service,” Elsohemy describes. “Establishing and maintaining a robust cybersecurity programme is not merely a choice but a paramount responsibility.”
Establishing this programme acts as a first line of defence, positioning OEC to prevent, identify, respond to, and recover from potential cybersecurity attacks.
“It’s our proactive shield against threats that could jeopardise the integrity of our services and the safety of our stakeholders.”
“Furthermore, our commitment to cybersecurity extends beyond corporate duty; it's a moral and ethical obligation. Safeguarding the privacy of our customers' sensitive information and upholding the resilience of the electricity grid are fundamental principles.”
OEC's cybersecurity programme is rooted in the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), a risk-based approach that focuses on technology, people, and processes. Elsohemy explains, “While technology solutions are undoubtedly crucial, our cybersecurity programme places equal emphasis on the other two vital pillars of a successful cybersecurity strategy: people and processes.”
On the people front, Elsohemy’s team has established a robust cybersecurity awareness training programme, incorporating phishing simulation tests. “Recognising the diversity of roles within our organisation, we've tailored training to suit specific job functions. For instance, field users may receive distinct training compared to their office counterparts.
“The process pillar can be the most challenging,” he adds. “This encompasses not only the creation of cyber-specific processes like governance and access reviews but also the integration of cybersecurity into existing workflows, such as the procurement process, to safeguard against supply chain attacks.
“Our holistic approach ensures that all facets of our organisation are fortified against cyber threats, recognising the importance of bringing technology, people, and processes together within the programme.”
Innovative cybersecurity governance at OEC
Establishing robust cybersecurity governance is a cornerstone of OEC's cybersecurity programme. Cybersecurity governance defines accountability, responsibility, and oversight to ensure that cybersecurity risks are known and adequately mitigated. OEC's approach to cybersecurity governance includes four elements:
- Establishment of Owners: Ownership of cybersecurity aligns with the operational accountability of each company within OEC, ensuring a tailored approach to cybersecurity risk management.
- Risk-Based Decision Making: OEC makes cybersecurity decisions based on risk assessment, ensuring resources are allocated to address the most critical risks effectively.
- Well-Defined Roles and Responsibilities: Clear roles and responsibilities for cybersecurity are defined and assigned, leaving no room for ambiguity.
- Measuring and Reporting on Cybersecurity Risk: OEC continuously monitors and reports on cybersecurity risk, allowing for proactive adjustments to its cybersecurity posture.
These measures are indicative of OEC's commitment to maintaining a high level of cybersecurity governance across its diverse range of companies and industries. “Given that OEC consists of a group of 16 operating companies in a variety of industries, an adaptive cybersecurity governance approach was established to address the unique needs and risks of each company,” Elsohemy explains.
Challenges in cybersecurity and their solutions
Like many organisations today, OEC faces its fair share of challenges when it comes to cybersecurity. Prioritising cybersecurity investments in the face of an ever-expanding list of needs is always a challenge, so to overcome this, OEC relies on rigorous risk assessments.
“These risk assessments evaluate the potential threats and consider their likelihood of occurrence and the impact they could have on various aspects of the business, including safety, finances, regulations, privacy, and operations,” Elsohemy describes.
“Investments are then prioritised based on their ability to mitigate the identified intolerable risks, with higher priority given to those that address higher risks.”
Another challenge is instilling a culture of cybersecurity where every employee understands their responsibility in safeguarding the organisation. OEC addresses this by implementing a comprehensive cybersecurity awareness training programme, which is tailored to specific job functions.
This targeted training approach ensures that employees are equipped to protect against cyber threats effectively: for example, by establishing operational technology (OT)-specific cybersecurity training for employees who operate OT systems.
He adds: “Cybersecurity needs to be embedded into existing processes where possible, from procurement to human resources, so that it becomes recognised as not something that is external to day-to-day job functions.”
Stratejm: A trusted partner in cybersecurity
As a provider of critical infrastructure and services, OEC has a responsibility to monitor, identify and rapidly react to potential cybersecurity incidents 24/7.
To help make this happen, OEC has found a reliable partner in Stratejm, a recognised industry leader in cyber and data security. Stratejm plays a crucial role in OEC's cybersecurity strategy by providing monitoring, response, and incident assistance across various asset classes, including endpoints, servers, operational technology, and cloud-based applications and data.
For a partnership to succeed in the realm of cybersecurity, communication and trust are paramount. OEC and Stratejm have built a relationship that functions as an extension of OEC's internal cybersecurity team.
“When looking for a cybersecurity partner, it is important to ensure that they function as an extension of your existing cybersecurity team, and this is something that we have managed to achieve with Stratejm,” Elsohemy says. “There is fluid communication, with a relationship built on trust.”
The road ahead: Technology and cybersecurity innovations and trends
Looking to the future, Elsohemy explains that OEC has its sights set on several key trends and innovations in the technology and cybersecurity landscape.
“In the area of cybersecurity, we are moving to a zero-trust security model whereby every asset or user, whether inside or outside the network, needs to be authenticated and authorised,” he explains.
“We are also looking at methods to achieve this, including compensating controls with increased network visibility to achieve this on our operational technology side.”
OEC is also delving into the world of AI and machine learning, with the ultimate goal of developing trained models that can solve classification and prediction problems. By capturing visual images of infrastructure and using AI to analyse these images, OEC aims to enhance processes and innovate further.
Elsohemy concludes: “The idea is to capture visual images of infrastructure, for example, and then have the software analyse the images and perform predictive analysis on the health or to help triage and identify areas of focus for manual inspection.”
As OEC advances its cybersecurity measures, the organisation is looking forward to a safer and more resilient digital world, where safety and innovation go hand in hand.