Imagine a scenario where a ransomware attack cripples an entire power grid, leaving thousands of residents without electricity in the middle of winter. In addition to the risks for human life, consider the impacts of that loss of electricity on the operations of businesses who not only rely on point-of-sale systems for customer transactions, but also likely have Internet of Things (IoT) devices which handle their security systems? Now consider a hospital, with its thousands of connected health devices which literally keep patients alive in addition to the network of connected systems which keep critical patient medical data that help health practitioners make informed decisions about treatment protocols and avoid doing further harm because of drug allergies or other underlying conditions.
If a ransomware attack takes over an industrial control system (ICS) and shuts down an entire transmission station, it could impact a water system, emergency services like police and hospitals, gas stations and more. These are not excerpts from Tom Clancy or Bill Clinton novels. In real life Ukraine’s power grid was the target of a cyber breach in 2015 and subsequent ones since the war began. In 2021, hackers were able to breach the operational technology centre of a water treatment plant in Florida to poison the water supply and it wasn’t the first time. In January, the same attempt was made in San Francisco. Given the ongoing war in the Ukraine, the U.S. Department of Homeland Security specifically pointed to water systems as vulnerable targets as part of multistage intrusion campaigns to destabilize the United States by Russian nation-state threat actors and their allies.1
Closer to home, here in Saskatchewan we are having an economic moment. With no one buying energy from Russia and with the Kazakhstan region destabilized from keeping pace with its uranium production, our province is enviably recession proof while many other parts of the country struggle. Add to this the fact that we are a major agricultural producer and the largest potash producer in the world and you have a province in which the economic forecast is expected to outperform the rest of Canada for the second straight year.2 Our other prairie counterparts will too.
With success comes vulnerability, especially during a time of great geopolitical tension and increasing cyber sophistication. In the rush to digitally transform critical operations during the pandemic, many of the most basic elements of cyber protections were missed and we are now in a situation where we are playing catch up in the middle of acute labor shortages in the tech sector, a European war that includes our economic competitors and a critical role in the global supply chain. It’s the perfect storm.
In the spring of 2021, the federal government moved to try to mitigate these risks by introducing Bill C26: An Act Respecting Cybersecurity (ARCS) which is currently making its way through the House of Commons and later, the Senate. This bill was created to push organizations in Canada’s critical industries: transportation, energy, telecommunications, and finance to not only to have robust cyber security policies and governance models in place—including incident response plans—but also to report cyber breaches within a specific time to the Canadian Centre for Cyber Security. Designated operators who fail to comply with the legislation, if passed, could face penalties of $1 million for individuals and $15 million for organizations.
The bill is already having an important effect by pushing boards and C-Suite executives to start asking for more robust risk assessments of their critical business systems across the four federally regulated industries. Here in landlocked Saskatchewan, our agricultural sector depends on fuel to get crops seeded, sprayed, harvested and out to market through truck or rail to port. Our producers also depend heavily on financial institutions to invest in their equipment and increasingly, that equipment is digital—critically important to precision farming and sustainable practices but is nonetheless a risk for cyber vulnerabilities. Saskatchewan not only relies on the cyber security of the critical industries, but also on the third-party vendors who make up the supply chain.
So, while Bill C26 is pushing Canada’s cyber security ecosystem to be more robust and integrated, there is still a long way to go before our collective cyber security is resilient enough to qualify as Tier 3 or Tier 4 of National Institute of Standards and Technology’s (NIST) framework for Critical Infrastructure.3 And we need to get there, fast.
Using a common language and common metrics to talk about cyber security for critical infrastructure is a start, especially since we are talking about industries who engage globally. Bill C26 is in line with legislation from the United States, the European Union, and others. And frameworks like NIST are used by cyber security professionals globally to rank and assess resilience and vulnerability so that investors and regulators can make meaningful industry comparisons.
What is needed is an intense leadership focus on building the cyber security ecosystem and ensuring its resilience. This will take legislative and regulatory controls that are harmonized and standardized across the globe, but it will also take urgent investment in post-secondary education and skills training to ensure that cyber security is an embedded part of normal operations, never mind that it is integrated—and not an add-on, after the fact—into large enterprise digital transformation initiatives. Small IT shops who struggle to compete for scarce resources and investments to upkeep legacy systems cannot do it on their own. Automation is certainly helping with detection, protection, and response, but all the stacks in the world are not enough by themselves. Cyber security is not IT’s responsibility, it is everyone’s responsibility.
Basic cyber hygiene still has a long way to go to become common parlance in most workplaces and yet it is still the single most effective and low-cost way to ensure protection against vulnerability. While Bill C26 will go a long way towards helping inform threat intelligence by forcing breach reporting, we still have much work to do to on that front to ensure that our critical industries in health care, for example, are taking a proactive approach to monitoring the threat landscape and sharing information across the sector to protect and defend those systems. Global examples like Singapore’s OT Cybersecurity Master Plan are a good place to start.
While the threat is real and the doomsday scenarios are terrifying, there is also a lot to be excited about. The evolving cyber security space is growing in demand and sophistication and will need investment from innovators to keep pace. Regions that build their cyber security ecosystem are not only going to protect their own critical industries, but they’ll also build a new critical industry whose demand is only escalating and where jobs are well paid. An investment today will pay dividends for decades to come.
References
1“US Water Supply System Being Targeted by Cybercriminals,” Forbes July 27, 2021.
2TD’s Provincial Economic Forecast, December 19, 2022
3“Framework for Improving Critical Infrastructure Security” version 1.1, April 16, 2018, NIST