Nova Scotia Power Cyber Incident: When Critical Infrastructure Gets Hit

Nova Scotia Power disclosed a cyber incident in April 2025 that compromised customer data. The attack highlights the persistent vulnerability of utility companies.

Nayan Dey
Security Analyst

In late April 2025, Nova Scotia Power and its parent company Emera Inc. disclosed a cybersecurity incident that affected their IT network and resulted in unauthorized access to customer information. The utility, which serves approximately 540,000 customers across Nova Scotia, confirmed that personal data including names, addresses, phone numbers, email addresses, and in some cases Social Security numbers and banking information, was accessed by the attackers.

The company stated that power generation, transmission, and distribution systems were not affected — the operational technology (OT) networks that actually control the electrical grid remained operational. But the breach of customer data and the disruption to IT systems still represented a significant incident for one of Canada's major utility providers.

What Happened

Nova Scotia Power detected unauthorized access to its IT network in late April 2025. The company activated its incident response plan, engaged third-party cybersecurity experts, and notified relevant authorities including the Office of the Information and Privacy Commissioner.

Key details from the disclosure:

  • Customer data accessed: Names, addresses, email, phone numbers, customer account information, and for some customers, Social Security numbers and banking details
  • IT systems affected: Some corporate IT systems were impacted, affecting business operations and customer service
  • OT systems not affected: Power generation, transmission, and distribution continued normally
  • Billing impact: The company offered bill payment flexibility to customers during the disruption period
  • Notification: Affected customers were notified and offered credit monitoring services

The specific attack vector and threat actor were not publicly disclosed during the initial response phase, which is standard practice during active investigations.

The IT/OT Divide

Nova Scotia Power's statement that operational technology was unaffected is the critical detail in this incident. In utility companies, the IT network (corporate email, customer databases, billing systems) and the OT network (SCADA systems, power generation controls, distribution management) are supposed to be separated.

This separation — often called IT/OT segmentation — is a fundamental security control for critical infrastructure. When it works properly, a compromise of the IT network cannot reach the systems that control physical processes.

However, IT/OT segmentation is not always as robust as it appears:

  • Shared infrastructure: Some organizations share network components (firewalls, DNS, authentication) between IT and OT
  • Remote access bridges: VPN or jump-host connections that allow IT-side users to access OT systems
  • Data historians: Systems that bridge IT and OT to collect operational data for business analysis
  • Vendor access: Third-party vendors who maintain OT equipment often connect through IT networks

In the Nova Scotia Power case, the segmentation appears to have held. But this is not always the outcome. The Colonial Pipeline attack in 2021 showed what happens when a utility shuts down OT operations proactively because IT systems are compromised — even without direct OT compromise, the business impact can be enormous.
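One way to audit for the four bridging patterns listed above is to check exported flow records against a small zone model with an explicit allow-list of crossings. The script below is an added example, not code from Nova Scotia Power or Safeguard.sh; the zone subnets, the approved ports and the sample flow records are constructed assumptions for illustration.

```python
import ipaddress
# Assumed zoning for this example (constructed; not Nova Scotia Power's addressing).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # corporate: email, billing, CIS
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),  # historian replica, jump host
    "OT": ipaddress.ip_network("10.30.0.0/16"),   # SCADA, HMIs, controllers
}
# Approved crossings (src_zone, dst_zone, dst_port); any other flow touching OT is a bridge.
ALLOWED = {
    ("IT", "DMZ", 443),  # IT users read the historian replica over HTTPS
    ("DMZ", "OT", 502),  # historian collector polls PLCs (Modbus/TCP)
    ("DMZ", "OT", 22),   # jump host to OT engineering workstations
}
def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")
def classify(src: str, dst: str, port: int):
    """Reason the flow violates the model, or None if same-zone or approved."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz or (sz, dz, port) in ALLOWED:
        return None
    if sz == "IT" and dz == "OT":
        return "direct IT->OT connection bypasses the DMZ"
    if sz == "EXTERNAL" and dz == "OT":
        return "external (vendor/remote) access straight into OT"
    if sz == "OT" and dz != "DMZ":
        return "OT host depends on a service outside OT (shared infrastructure)"
    if dz == "OT":
        return f"DMZ->OT on unapproved port {port}"
    return None  # IT<->DMZ on other ports is not an OT exposure in this model
def audit_flows(flow_lines):
    """flow_lines: 'src,dst,dport' records (NetFlow-style, constructed here)."""
    findings = []
    for line in flow_lines:
        src, dst, port = line.strip().split(",")
        reason = classify(src, dst, int(port))
        if reason:
            findings.append((src, dst, int(port), reason))
    return findings
# Constructed flow export: three approved paths, then one bridge per pattern.
SAMPLE_FLOWS = [
    "10.10.5.20,10.20.0.10,443",   # IT analyst -> DMZ historian replica
    "10.20.0.10,10.30.1.5,502",    # historian -> PLC Modbus poll
    "10.20.0.20,10.30.1.9,22",     # jump host -> OT workstation
    "10.10.5.20,10.30.1.5,502",    # IT laptop polling a PLC directly
    "203.0.113.7,10.30.1.9,3389",  # vendor RDP straight into OT
    "10.30.1.9,10.10.0.53,53",     # OT host resolving names via IT DNS
    "10.20.0.10,10.30.1.5,445",    # historian reaching OT over SMB
]
```

Running `audit_flows(SAMPLE_FLOWS)` returns the four bridging flows with a reason each; in practice the allow-list would be generated from the documented DMZ architecture rather than typed by hand.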

Utility Sector Threat Landscape

Utility companies face a distinctive threat landscape:

Ransomware groups

Criminal ransomware groups increasingly target utilities because:

  • Utilities are essential services with low tolerance for downtime
  • Customer databases contain valuable personal data for double extortion
  • Regulatory pressure creates additional motivation to resolve incidents quickly
  • Many utilities have limited cybersecurity budgets relative to their risk profile

Nation-state actors

State-sponsored groups from Russia, China, Iran, and North Korea have all been documented targeting utility infrastructure:

  • Russia (Sandworm/Volt Typhoon): Demonstrated capability to disrupt power grids in Ukraine
  • China (Volt Typhoon): Persistent presence in US critical infrastructure for pre-positioning
  • Iran: Targeting of water and energy infrastructure
  • North Korea: Financially motivated attacks against utilities for revenue generation

Hacktivists

Ideologically motivated attackers increasingly target utilities as symbols of government infrastructure. While their technical capabilities are generally limited, they can cause disruption through DDoS and defacement attacks.

Customer Data: The Underestimated Asset

Utility customer data is often overlooked as a security priority compared to OT systems. But utility companies hold uniquely comprehensive customer information:

  • Universal coverage: Unlike retail or banking, nearly every resident is a customer
  • Stable data: People change utility providers infrequently, so data remains current
  • Financial data: Banking information for autopay, credit data for account setup
  • Physical address verification: Utility bills are used as proof of address, making the data valuable for identity theft
  • Usage patterns: Electricity usage data can reveal occupancy patterns, daily routines, and even the presence of specific equipment

For attackers focused on identity theft, fraud, or intelligence gathering, utility customer databases are extremely high-value targets.

Regulatory and Compliance Implications

Canadian utilities operate under multiple regulatory frameworks:

  • Provincial regulators: Nova Scotia Utility and Review Board oversees Nova Scotia Power
  • PIPEDA: Federal personal information protection law
  • Provincial privacy laws: Nova Scotia's Personal Information International Disclosure Protection Act
  • NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection standards (for the bulk electric system)
  • CSA guidelines: Canadian Standards Association cybersecurity guidelines for critical infrastructure

The customer data breach triggers obligations under privacy regulations, while any impact on grid reliability would trigger NERC CIP requirements. Post-incident, Nova Scotia Power faces potential regulatory scrutiny on both fronts.

Lessons for Critical Infrastructure

Customer data security deserves the same attention as OT security

Most critical infrastructure cybersecurity discussions focus on OT — preventing attackers from disrupting physical operations. This is appropriate given the safety implications. But customer data protection needs comparable investment. The reputational, regulatory, and financial impacts of a data breach are significant even when the lights stay on.

IT incidents affect OT indirectly

Even when IT/OT segmentation holds, an IT compromise can affect OT operations through:

  • Loss of visibility into OT systems (if monitoring runs on IT infrastructure)
  • Inability to process customer billing (affecting revenue)
  • Disruption to workforce management systems (affecting staffing)
  • Precautionary OT shutdowns to contain potential spread

Incident communication for essential services

Utility customers can't switch to a competitor during an incident. This creates a different communication dynamic than retail or technology companies. Customers need to know:

  • Whether their service will be affected
  • Whether their personal data was compromised
  • What protective measures they should take
  • How billing will be handled during disruption

Proactive, clear communication is essential for maintaining public trust.

How Safeguard.sh Helps

Safeguard.sh provides critical infrastructure organizations with comprehensive visibility into their software supply chain across both IT and OT environments. The platform maintains detailed SBOMs for all software components, from customer management systems to SCADA components, enabling immediate vulnerability identification when new threats emerge.

For utilities managing the IT/OT boundary, Safeguard.sh's asset inventory and policy engine can enforce segmentation requirements, track component versions across both domains, and alert when software changes could compromise the separation between corporate IT and operational systems.

When an incident occurs, Safeguard.sh's inventory data accelerates response by providing immediate answers to critical questions: what software is running, what versions are deployed, what vulnerabilities exist, and what components are connected. This visibility reduces the time from detection to containment and helps ensure that recovery addresses root causes, not just symptoms.
