Full Report
Emera Inc. and Nova Scotia Power announced they have discovered and are actively responding to a cybersecurity incident... Source: Industrial Cyber, "Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized".
Analysis Summary
# Incident Report: Emera/Nova Scotia Power Network Intrusion
## Executive Summary
Emera Inc. and Nova Scotia Power discovered unauthorized access to parts of their Canadian network and to servers supporting certain business applications. Incident response teams were mobilized immediately, third-party cybersecurity experts were engaged, and the affected systems were isolated. According to the announcement, the utility's operational technology (OT) systems, including power generation, transmission, and distribution facilities, were not affected, and there was no disruption to customer service.
## Incident Details
- **Discovery Date:** April 2025 (Reported April 30, 2025)
- **Incident Date:** Prior to April 28, 2025
- **Affected Organization:** Emera Inc. and Nova Scotia Power (Canada)
- **Sector:** Utilities: Energy & Power
- **Geography:** Canada (Nova Scotia primarily, with confirmation of no impact to U.S. or Caribbean operations)
## Timeline of Events
### Initial Access
- **Date/Time:** Not disclosed; before discovery.
- **Vector:** Not disclosed. The announcement does not say whether the intrusion began with phishing, exploitation of an exposed service, stolen credentials, or something else.
- **Scope:** Unauthorized access to parts of the Canadian network and to servers supporting certain business applications.
### Lateral Movement
- Not confirmed. The announcement says only that "parts of their Canadian network and servers supporting certain business applications" were accessed, which suggests more than one system was involved but does not describe how the actor moved between them.
### Data Exfiltration/Impact
- **Impact:** Unauthorized access to IT systems supporting business applications.
- **Data Compromise:** Not stated. The announcement neither confirms nor rules out exfiltration; until the investigation determines otherwise, data held on the affected business application servers should be treated as potentially exposed.
- **Operational Impact:** **No disruption** reported to physical operations: generation, transmission, or distribution facilities.
### Detection & Response
- **Detection:** The announcement states that the companies discovered the unauthorized access; it does not say how (internal monitoring, a third-party notification, or otherwise).
- **Response Actions:** Activated incident response and business continuity protocols; engaged third-party cybersecurity experts; isolated the affected systems to prevent further access; notified law enforcement.
## Attack Methodology
- **Initial Access:** Unauthorized access achieved on the IT network segment supporting business applications. (Specific method unknown)
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Not confirmed. Access to "parts of" the network and to multiple servers is stated, but movement between them is not described.
- **Collection:** Not disclosed.
- **Exfiltration:** Not disclosed; neither confirmed nor ruled out.
- **Impact:** Compromise of IT servers supporting business applications, and loss of availability of those systems while they are isolated and restored. No OT impact reported.
## Impact Assessment
- **Financial:** Not disclosed. Investigation, third-party response, and restoration costs are expected; any notification or regulatory costs will depend on what data is found to have been accessed.
- **Data Breach:** Unauthorized access to data on business application servers. Scope unknown.
- **Operational:** **No impact** to core physical utility operations (generation, transmission, distribution).
- **Reputational:** Public disclosure has been made; the effect on customer and stakeholder confidence will depend on what the investigation finds about data exposure.
## Indicators of Compromise
*(No specific IoCs were provided in the public summary)*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** None provided beyond the fact of unauthorized access; no tooling, malware family, or threat actor has been named.
## Response Actions
- **Containment:** Swift action taken to **isolate the affected systems** to prevent further unauthorized access.
- **Eradication:** In progress. The IT team is working with the third-party experts to return the affected portions of the IT environment to service, which implies eradication and verification are under way.
- **Recovery:** Remediation and restoration of affected IT systems are in progress.
## Lessons Learned
- Activating pre-defined incident response and business continuity plans kept critical physical operations running while the affected IT systems were isolated.
- Segregation between IT (business systems) and OT (physical operations) appears to have limited the impact to IT services. This is an inference from the announcement: it does not describe how the two environments are separated, and "no impact to operations" is not the same as "no access to OT". The crossing points between the two (remote access gateways, historians, shared identity services, engineering workstations) belong in scope for the investigation until they are verified clean.
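As an added illustration, not part of the original report and not Emera's or Nova Scotia Power's configuration, the script below audits a constructed zone-based firewall ruleset for direct paths from the corporate (IT) zone into the OT zone. It models first-match evaluation with an implicit final deny, which is how most firewalls behave, and shows the failure mode that segregation reviews most often miss: a broad "any" allow placed above the IT-to-OT deny. The zone names, rules, and probe ports are all assumptions.

```python
"""Audit a zone-based firewall policy for direct IT -> OT paths.

Added example: the ruleset, zone names and probe ports below are constructed
for illustration and are not Emera's or Nova Scotia Power's configuration.
Rules are evaluated first-match, top to bottom, with an implicit deny at the
end, which is how most firewalls behave.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str          # source zone name, or "any"
    dst: str          # destination zone name, or "any"
    proto: str        # "tcp", "udp" or "any"
    port: int | str   # destination port, or "any"
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed ruleset. Rule 2 is the weak one: a legacy "any -> ot" allow for
# Modbus/TCP polling that sits above the corp -> ot deny and therefore wins.
RULES = [
    Rule("corp", "dmz", "tcp", 443, "allow"),    # 0: browser access to the jump host
    Rule("dmz", "ot", "tcp", 3389, "allow"),     # 1: jump host RDP into OT
    Rule("any", "ot", "tcp", 502, "allow"),      # 2: legacy historian polling, too broad
    Rule("corp", "ot", "any", "any", "deny"),    # 3: the intended IT -> OT block
    Rule("ot", "dmz", "tcp", 443, "allow"),      # 4: OT telemetry out to the DMZ only
]

# Representative services worth probing across an IT/OT boundary (assumed list).
PROBE_PORTS = {
    "tcp": [22, 135, 445, 502, 3389, 20000, 443],
    "udp": [161],
}


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's scope covers this flow ("any" wildcards each field)."""
    return (
        rule.src in ("any", flow.src)
        and rule.dst in ("any", flow.dst)
        and rule.proto in ("any", flow.proto)
        and rule.port in ("any", flow.port)
    )


def first_match(rules: list[Rule], flow: Flow) -> tuple[int | None, str]:
    """Return (rule_index, action) of the first matching rule; (None, "deny") if none."""
    for i, rule in enumerate(rules):
        if matches(rule, flow):
            return i, rule.action
    return None, "deny"


def audit_it_to_ot(rules, it_zone="corp", ot_zone="ot", probe_ports=PROBE_PORTS):
    """Probe services straight from the IT zone into OT.

    Returns one (src, dst, proto, port, rule_index) tuple per allowed flow.
    An empty list means no direct IT -> OT path exists for the probed ports.
    """
    findings = []
    for proto, ports in probe_ports.items():
        for port in ports:
            flow = Flow(it_zone, ot_zone, proto, port)
            index, action = first_match(rules, flow)
            if action == "allow":
                findings.append((it_zone, ot_zone, proto, port, index))
    return findings


if __name__ == "__main__":
    for src, dst, proto, port, idx in audit_it_to_ot(RULES):
        print(f"direct {src}->{dst} {proto}/{port} allowed by rule {idx}: {RULES[idx]}")
```

Running it reports a single finding: Modbus/TCP from the corporate zone reaches OT through rule 2, even though rule 3 was written to block exactly that. Moving rule 2 below rule 3, or narrowing its source to the DMZ, closes the path. On a real firewall the same audit is run against the exported policy, and it needs repeating for every crossing point between IT and OT, not just one rule set.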
## Recommendations
- Determine the initial access vector and close the gap it exploited; until it is known, treat credentials reachable from the affected servers as compromised and rotate them.
- Review every affected business application server for malware and persistence mechanisms before returning it to service, and rebuild from known-good images where integrity cannot be established.
- Verify, rather than assume, that no IT-to-OT pathway was used: review logs on firewalls, jump hosts, and any other crossing points between the business network and OT.
- Restore the affected systems in a controlled order with third-party support, and keep coordinating with law enforcement throughout the investigation.