Priority for 2024: CYBERSECURITY - WC135 MarApr 2024 - Magazine - Page 22
Priority for 2024: CYBERSECURITY
FEATURE
“We know water utilities are vulnerable to attack, and that cyberattacks are getting more sophisticated with the continuous advancement of AI and other factors, so we must make cybersecurity a priority and use these programs.” –Robert Haller

conferences. “We know water utilities are vulnerable to attack, and that cyberattacks are getting more sophisticated with the continuous advancement of AI and other factors, so we must make cybersecurity a priority and use these programs,” said Haller. “Budget is always a concern, but these new programs are available free of charge and ready to use.”

Emmanuel St-Aubin, PS director of Critical Infrastructure Partnerships, also strongly encourages those responsible for water utilities from coast to coast to use these programs due to the global rise in the number of cyber incidents affecting critical infrastructure, including water utilities.

As Haller points out, because it’s the norm in Canada that municipal water utility IT is managed at the higher corporate level, those teams should be using these water-specific programs to the fullest to best protect Canada’s water and wastewater infrastructure.

On the software front, Helen Blais, computer coordinator at the City of Ottawa, says she hopes in each community in Canada, the SCADA Operational Network is isolated from the main IT network by a strong firewall. She adds that “the experts in the cybersecurity world place an emphasis on ensuring all patches to software have been made, and/or the software is running at the current version. This, along with regular system backups and a practiced data recovery plan, are some good defenses to put into practice.”

This and more were examined in the Halifax Water audit. Staff members at water, for example, must be trained to recognize and handle cybersecurity threats.

Testing defenses

As mentioned, in early 2023, the auditor general of Halifax Regional Municipality released results of a two-year cybersecurity audit of Halifax Water, one which included an email test involving 55 staff members. When they received this legitimate-looking email with a link (called a phishing email as it ‘fishes’ for victims), the vast majority of them (45) clicked the link and provided their credentials.

This result should not be viewed as unusual or bad. Like many other utilities in Canada and beyond put through a similar testing process, Halifax Water was found in the audit to have several gaps in cybersecurity policies and procedures. Halifax Water leadership agreed with all of the 21 recommendations (see sidebar on page 21) and had started on all of them (and completed many) by the time of the report’s release last year.

Some municipalities have the resources to have a cybersecurity assessment completed by a consulting firm. Seyed Hejazi, partner in Cybersecurity & Privacy at MNP Digital, notes that these assessments involve testing people, process, and technology controls.

“From awareness and knowledge of individuals accessing these systems, to how the operational technology (OT) systems interact with the back office corporate IT systems and how these networks are segregated and monitored, security controls should be reviewed and tested on a regular basis,” explains Hejazi. “There is ongoing demand for integrating IT and OT environments to be able to drive reports, develop dashboards, and provide access to remotely manage the OT networks and systems. This increased demand increases the risk of unsecure integration points.”

Hejazi adds that the approach to testing of OT networks and systems must differ from testing of traditional IT systems, and that testing will vary in duration and scope depending on complexity and size of systems.

In general, for organizations in charge of water and wastewater management, Hejazi and his colleagues recommend many actions, including reviewing the current state and architecture of their IT and OT networks and the integration points. Among other aspects, there should also be technical testing such as penetration tests, ensuring that physical security controls exist, and reviewing expectations and requirements for converging IT and OT systems and security implications. There should also be a gradual move to newer OT technology that has certain embedded security controls, replacing older technologies that were built with almost no security requirements.

Newer technologies are also an area that Haller believes needs more attention. Specifically, he notes that water utilities today use substantial amounts of remote monitoring technology – and the data collected needs to be monitored closely. “Securing operational control is important,” he said. “We need software that detects anomalies and identifies breaks in normal patterns.”
WATER CANADA • MARCH/APRIL 2024 • WATERCANADA.NET