OEC - October 2023

WITH:

DIGITAL RESILIENCE THROUGH CYBERSECURITY GOVERNANCE

Jad Elsohemy, VP of Technology & Innovation at OEC, discusses the importance of effective cybersecurity governance when protecting critical infrastructure

Delivering energy and infrastructure services to customers throughout Canada, OEC offers innovative products and services across the infrastructure, energy, gas and electricity distribution and telecommunications sectors.

With over 2,500 employees, insightful and reliable energy and infrastructure solutions are provided to clients coast-to-coast.

As Jad Elsohemy, OEC’s Vice President of Technology and Innovation, explains, protecting all of this critical infrastructure and ensuring the safety of communities has become a paramount concern.

His role today encompasses a wide range of responsibilities, including the operations, maintenance, planning, prototyping, and development of many technology systems integral to OEC’s operations.

“My enthusiasm lies in harnessing the transformative capabilities of technology to empower our organisation to achieve its greatest potential,” he describes. “I am deeply appreciative of the opportunity to play a pivotal role in realising this vision.”

Another aspect of Elsohemy’s role, he explains, revolves around fostering innovation. “Throughout my career, I’ve been fortunate to be part of organisations that wholeheartedly embrace innovation, and OEC is no exception. At OEC we aim to weave innovation into the very fabric of our daily operations.”

An engineer by training, it was during the first role of his career at ExxonMobil that Elsohemy began to appreciate the critical importance of cybersecurity. “My tenure at ExxonMobil afforded me the opportunity to work in diverse roles, allowing me to develop strong foundational knowledge across various technology domains,” he comments.

“During this time, I also came to appreciate the critical importance of cybersecurity, motivating me to seek roles where I could develop expertise in this vital area.”

With this pursuit culminating in his appointment as the Security Design Lead at ExxonMobil, at this time, Elsohemy would venture into the realm of operational

“At OEC we aim to weave innovation into the very fabric of our daily operations”

JAD ELSOHEMY VP OF TECHNOLOGY & INNOVATION AT OEC

technology cybersecurity while it was still in its infancy.

Elsohemy’s next role would see him join Thales, where he assumed responsibility for the cybersecurity of the company’s urban rail system division. “This role exposed me to the development and deployment of safety-critical train systems, underscoring the pivotal role of cybersecurity in safeguarding critical infrastructure,” he describes.

“It also enabled me to delve into emerging technologies, including 5G, and the bringing together of various sensory technologies, communications, and cybersecurity for autonomous train control.”

JAD ELSOHEMY

TITLE: VP OF TECHNOLOGY & INNOVATION

INDUSTRY: CYBER SECURITY

LOCATION: CANADA

Jad Elsohemy is the Vice President of Technology and Innovation at OEC, boasting over 15 years of experience in the technology domain. With an Engineering degree and an MBA, Jad’s career has thrived in the Energy, Transportation, and Utilities industries. His passion lies in harnessing technology’s transformative potential, be it in automation, digitization, decisionmaking, efficiency improvements, or pioneering new service opportunities to help businesses achieve their full potential. Throughout his journey, Jad has consistently recognized the critical importance of cybersecurity, honing his skills in information technology (IT) and operational technology (OT) to complement his

In March 2022, Elsohemy joined OEC. “My current role has allowed me to further leverage and expand my expertise in cybersecurity, particularly in relation to the interplay between safety and cybersecurity. It has afforded me the opportunity to use my expertise within the energy and infrastructure services, utilities and construction industries and has served as a true opportunity rich area.”

OEC: Empowering communities through comprehensive solutions

OEC consists of a group of companies dedicated to delivering end-to-end solutions for a wide range of sectors, including infrastructure, energy, renewable generation, electricity, and gas distribution. With a workforce of over 2,500 employees and a

security

Stratejm’s SECaaS offers 24/7/365 Managed Detection & Response. Built on a Cybersecurity Mesh Architecture, SECaaS can solve the security challenge while bending the cost curve.

SECaaS can help to solve the security challenge while bending the cost curve associated with best-in-class

client base spanning across Canada, OEC has grown into a trusted name within the industry.

The Company continues to invest heavily in cutting edge technology to deliver innovative solutions, including Geographic Information System (GIS) data management, and GIS-as-a-Service, use of mobile LiDAR technology for 3D scanning and analysis of assets, and location intelligence services.

One of OECs standout features is its unwavering commitment to harnessing the power of technology and cybersecurity to keep communities safe while protecting

critical underground infrastructure. “We view technology and cybersecurity as one of the means for keeping communities and people safe while protecting critical utility/underground infrastructure,” Elsohemy explains.

The crucial role of cybersecurity at OEC

In the digital age, cybersecurity is a top priority for any organisation, but for OEC, it takes on even greater significance.

“The gravity of a cybersecurity breach or incident cannot be overstated, especially

“Establishing and maintaining a robust cybersecurity programme is not merely a choice but a paramount responsibility”

OEC: Digital resilience through cybersecurity governance

when considering the critical infrastructure we operate and service,” Elsohemy describes. “Establishing and maintaining a robust cybersecurity programme is not merely a choice but a paramount responsibility.”

Establishing this programme acts as a first line of defence, positioning OEC to prevent, identify, respond, and recover from potential cybersecurity attacks.

“It’s our proactive shield against threats that could jeopardise the integrity of our services and the safety of our stakeholders.”

“Furthermore, our commitment to cybersecurity extends beyond corporate

“Our commitment to cybersecurity extends beyond corporate duty; it’s a moral and ethical obligation”

JAD ELSOHEMY VP OF TECHNOLOGY & INNOVATION AT OEC

duty; it’s a moral and ethical obligation. Safeguarding the privacy of our customers’ sensitive information and upholding the resilience of the electricity grid are fundamental principles.”

OEC’s cybersecurity programme is rooted in the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), a risk-based approach that focuses on technology, people, and processes. Elsohemy explains, “While technology solutions are undoubtedly crucial, our cybersecurity programme places equal emphasis on the other two vital pillars of a

successful cybersecurity strategy: people and processes.”

On the people front, Elsohemy’s team has established a robust cybersecurity awareness training programme, incorporating phishing simulation tests. “Recognising the diversity of roles within our organisation, we’ve tailored training to suit specific job functions. For instance, field users may receive distinct training compared to their office counterparts.

“The process pillar can be the most challenging,” he adds. “This encompasses not only the creation of cyber-specific

The OEC group of companies includes: Planview Utility Services, DPM Energy, QSP Geographics, EMB Management, UTS Consultants, Trans Power, Teraflex, El-Con

Construction, PVS Contractors, GTel, Oakville

Hydro, OEC Geo-Exchange, OEC Generation, and Golden Horseshoe Metering Services

processes like governance and access reviews but also the integration of cybersecurity into existing workflows, such as the procurement process, to safeguard against supply chain attacks.

“Our holistic approach ensures that all facets of our organisation are fortified against cyber threats, recognising the importance of bringing technology, people, and processes together within the programme.”

Innovative cybersecurity governance at OEC Establishing robust cybersecurity governance is a cornerstone of OEC’s cybersecurity programme. Cybersecurity governance defines accountability, responsibility, and oversight to ensure that cybersecurity risks are known and adequately mitigated. OEC’s approach to cybersecurity governance includes four elements:

• Establishment of Owners: Ownership of cybersecurity aligns with the operational accountability of each company within OEC, ensuring a tailored approach to cybersecurity risk management.

• Risk-Based Decision Making: OEC makes cybersecurity decisions based on risk assessment, ensuring resources are allocated to address the most critical risks effectively.

• Well-Defined Roles and Responsibilities: Clear roles and responsibilities for cybersecurity are defined and assigned, leaving no room for ambiguity.

• Measuring and Reporting on Cybersecurity Risk: OEC continuously monitors and reports on cybersecurity risk, allowing for proactive adjustments to their cybersecurity posture.

These measures are indicative of OEC’s commitment to maintaining a high level of cybersecurity governance across its diverse range of companies and industries. “Given that OEC consists of a group of 16 operating companies in a variety of industries, an adaptive cybersecurity governance approach was established to address the unique needs and risks of each company,” Elsohemy explains.

Challenges in cybersecurity and their solutions

Like many organisations today, OEC faces its fair share of challenges when it comes

to cybersecurity. Prioritising cybersecurity investments in the face of an everexpanding list of needs is always a challenge, so to overcome this, OEC relies on rigorous risk assessments.

“These risk assessments evaluate the potential threats and consider their likelihood of occurrence and the impact they could have on various aspects of the business, including safety, finances, regulations, privacy, and operations,” Elsohemy describes.

“Investments are then prioritised based on their ability to mitigate the identified intolerable risks, with higher priority given to those that address higher risks.”

Another challenge is instilling a culture of cybersecurity where every employee understands their responsibility in safeguarding the organisation. OEC addresses this by implementing a comprehensive cybersecurity awareness training programme, which is tailored to specific job functions.

This targeted training approach ensures that employees are equipped to protect against cyber threats effectively: for example, establishing Operations Technology (OT) specific cybersecurity training for those employees operating OT systems.

He adds: “Cybersecurity needs to be embedded into existing processes where possible, from procurement to human resources, so that it becomes recognised as not something that is external to day-to-day job functions.”

Stratejm: A trusted partner in cybersecurity

As a provider of critical infrastructure and services, OEC has a responsibility to monitor, identify and rapidly react to potential cybersecurity incidents 24/7.

To help make this happen, OEC has found a reliable partner in Stratejma recognised industry leader in cyber and data security. Stratejm plays a crucial role in OEC’s cybersecurity strategy by providing monitoring, response, and incident assistance across various asset classes, including endpoints, servers, operational technology, and cloud-based applications and data.

For a partnership to succeed in the realm of cybersecurity, communication and trust are paramount. OEC and Stratejm have built a relationship that functions as an extension of OEC’s internal cybersecurity team.

“When looking for a cybersecurity partner, it is important to ensure that they function as an extension of your existing cybersecurity team, and this is something

that we have managed to achieve with Stratejm,” Elsohemy says. “There is fluid communication, with a relationship built on trust.”

The road ahead: Technology and cybersecurity innovations and trends

Looking to the future, Elsohemy explains that OEC has its sights set on several key trends and innovations in the technology and cybersecurity landscape.

“In the area of cybersecurity, we are moving to a zero-trust security model whereby every asset or user, whether inside or outside the network, needs to be authenticated and authorised,” he explains.

“We are also looking at methods to achieve this, including compensating controls with increased network visibility to achieve this on our operational technology side.”

OEC is also delving into the world of AI and machine learning, with the ultimate goal to develop trained models that can solve classification and prediction problems. By capturing visual images of infrastructure and using AI to analyse these images, OEC aims to enhance processes and innovate further.

Elsohemy concludes: “The idea is to capture visual images of infrastructure, for example, and then have the software analyse the images and perform predictive analysis on the health or to help triage and identify areas of focus for manual inspection.”

As OEC advances its cybersecurity measures, the organisation is looking forward to a safer and more resilient digital world, where safety and innovation go hand in hand.