Nova Scotia Power Expects Full Breach Recovery By 2026

Nova Scotia Power (NS Power), the primary electric utility serving the province, has announced that it expects to achieve full recovery from its recent cyberattack by early 2026.

The breach, which disrupted core IT systems and customer-facing services, is one of the most significant cybersecurity incidents to impact Canada’s energy sector in recent years.

The Nova Scotia Power Breach: An Overview

The cyberattack, first detected in late 2024, targeted NS Power’s enterprise systems, forcing shutdowns of customer portals, billing operations, and some aspects of grid monitoring.

While no large-scale outages were reported, the impact on operational technology (OT) systems raised concerns across the energy sector about critical infrastructure resilience.

“Full restoration for major capabilities is expected to progress through 2026,” the report reads. “Throughout, business continuity measures remain in place to mitigate impacts to customers, employees, and regulatory obligations.

The energy board, which is investigating the cyberattack, ordered Nova Scotia Power to file monthly reports on the incident. The board was critical of the first report, which was filed on Aug. 20 after a three-week delay, calling it “underwhelming” and full of information that was already publicly available.

“The Board would have expected more detail about the impact of the cybersecurity incident on its business systems and how it is affecting customers, interested parties and any ongoing regulatory matters before the Board,” a letter from the board read.

The second monthly report was filed on Oct. 1st. The next one is due on Nov. 1st and a full incident report is due by Dec. 31st.

Recovery Timeline (and Why Post-Breach Recovery is a Marathon, Not a Sprint)

According to NS Power, the road to recovery will be gradual, including:

• Short-term (2024–2025): Restoration of essential billing systems, customer portals, and enhanced network monitoring.

• Mid-term (by late 2025): Rebuilding of enterprise IT architecture with modernized cybersecurity controls and segmentation between IT and OT systems.

• Full recovery (early 2026): Complete remediation, regulatory compliance validation, and deployment of upgraded incident response frameworks.

The two-year timeline underscores the scale of the breach and the complexity of rebuilding trust and resilience within critical infrastructure.

Industry Implications for Utilities and Critical Infrastructure

The NS Power attack highlights the vulnerabilities facing utilities worldwide:

• Critical Infrastructure Risks: Energy providers are prime targets due to their role in national security and public safety.

• Operational Disruption: Even when power delivery isn’t cut, IT/OT disruptions can undermine customer trust and regulatory standing.

• Extended Recovery Windows: Full remediation from advanced persistent threats (APTs) can take years, not months.

Lessons for CISOs Cross-Industry

For CISOs in the energy and critical infrastructure sectors, NS Power’s experience offers key takeaways:

• Segmentation is non-negotiable: Clear separation of IT and OT reduces cascading risks.

• Long-term planning is essential: Incident response must account for multi-year recovery horizons.

• Communication builds trust: Transparent updates help maintain public and regulatory confidence during crises.

Conclusion

With full recovery projected by 2026, NS Power’s incident serves as a sobering reminder of the stakes in critical infrastructure cybersecurity. The path forward requires not only technical remediation but also strategic leadership to rebuild trust and resilience.

For CISOs and utility executives alike, the lesson is clear: preparing for the aftermath of an attack is as vital as preventing one.