001-40 WC 143 JULY-AUG25 PT - Flipbook - Page 33
to improve its cyber security, including that of critical
infrastructure. In 2018, Canada launched its National
Cyber Security Strategy (NCSS), which aims to advance
cyber security and resilience, support cyber innovation,
and foster collaboration among stakeholders. The NCSS
prompted the creation of the Canadian Centre for
Cyber Security, which works closely with domestic and
international partners and serves as a trusted resource on
cyber security. It also created the National Cybercrime
Coordination Unit of the Royal Canadian Mounted
Police (RCMP) to expand the RCMP’s capacity to investigate cybercrime.
Threats from pro-Russia hacktivists targeting water
utilities in North America and Europe were flagged in
an international advisory issued jointly by the Canadian
Centre for Cyber Security, multiple U.S. agencies, and
the United Kingdom’s National Cyber Security Centre
in May 2024.
Recognizing the risks that cyber threats create for
the water sector, the Canadian Centre for Cyber Security engaged Deloitte Canada to conduct a nation-wide
study to understand the state of cyber security within
some sectors that make up Canada’s critical infrastructure. The information provided will be used to gain an
enhanced understanding of the cyber security maturity
posture within the Canadian water sector and inform
how the Cyber Centre can better engage with the
stakeholders to increase stakeholder and collective cyber
resilience.
Turning to additional technology is one answer to
combat this threat. Advanced remote alarm notification
software allows remote operators access to only the information they need from supervisory control and data
acquisition (SCADA) and not access to the SCADA
itself or its operating system host. Such notification software is compatible with more secure, layered networks
in which a series of firewalls provide added protection
from attacks.
Remote alarm notification software offers additional security
A report by the American Water Works Association,
Cybersecurity Risk & Responsibility in the Water Sector,
states: “…Failing to address cybersecurity risk in a proactive way can have devastating results. Failing to take
reasonable measures and employ best practices to prevent, detect, and swiftly respond to cyberattacks means
that organizations and the people who run them will
face greater damage—including technical, operational,
financial and reputational harm—when the cyberattacks
occur.” This is also applicable to Canada’s water systems.
Although replacing legacy systems and networks can
be costly, it is essential to work with vendors and cybersecurity experts to implement updates and, if necessary,
overhauls of outdated systems. Enlist the help of internal or external advisors to prioritize risk and develop a
realistic approach and plan for enhancing cybersecurity.
At a minimum, comply with basic standards including
restricted physical and technical access, firewalls, logging,
and encryption.
Many SCADA systems are over-exposed to the
internet by remote desktop applications (e.g. RDP and
TeamViewer). In an attempt to provide process and
asset information to operators, organizations have given
much more, ignoring the principle of least privilege
and opening their entire control systems and their hosts
to remote desktop access by unnecessary parties. Such
broad remote access techniques present an increased
security risk for organizations, a risk that the Regional
Municipality of Durham, ON, experienced firsthand in
October when there was a digital security breach at the
Duffin Creek Water Pollution Control Plant.
“A cyberattack causing an interruption to drinking
water and wastewater services could erode public
confidence, or worse, produce significant public
health and economic consequences.”
Advanced remote alarm notification software allows
remote operators access to only the information they
need from SCADA and not access to the SCADA itself
or its operating system host. Such notification software
is compatible with more secure, layered networks in
which a series of firewalls provide added protection from
attacks. This is done by deploying notification solutions
alongside the SCADA system at the network’s control
level and either using notification modalities that are not internet-facing or distributing internet-facing notification
processes to higher levels. For example, internal email
servers, SMS modems, and voice via PBX devices allow
communication with the outside world without internet
exposure. Likewise, separating the processes that
interface with SCADA from those that interface with
external email servers, VoIP solutions, and cloud apps
allows internet-based notifications without compromising security.
WATER CANADA • JULY/AUGUST 2025