We were cut off around the Baltic attack. Around the same time was the 2015 Ukraine attack. One of the three Baltic states—Estonia, Latvia, and Lithuania—saw its power grid attacked, but it wasn't taken down. The exact country that was attacked had not been announced publicly. The attack on the Baltics followed a similar methodology as in Ukraine.
What we are seeing here is that they are using the same playbook to disrupt different jurisdictions, but we need to respond not just individually but collectively: a federated model, a federated framework based on industry practices. I know that Google, Apple, the Department of Defence, and Homeland Security are all standardizing on NIST as a solid framework. We've had a lot of conversations along those lines. Separately, I can share with you what we are doing here in Ontario.
Overall, that attack was largely unsuccessful, but it did expose one thing: the actors' presence in the Baltic power grid. They may already be in the power grid systems, and they may have already deployed that malware. What we need to do is take the appropriate measures to validate that these systems haven't already been compromised.
For us to do so, we need to have the resources and the training, and we need to start hardening those systems. If we want to replicate it—whether it's in Estonia, Ukraine, or here in Canada—we need to speak a common language. That framework would be the foundational element that is required. My recommendation to this panel is to start considering that, and adopting it as a measure.