The statement was carefully worded, written to tamp down any sense of panic about a major cyberattack on one of Canada’s largest waste-water treatment facilities.
The Duffin Creek Water Pollution Control Plant covers an area the size of 400 football fields and treats the waste water from 1.2 million people before pumping it into Lake Ontario. The facility being compromised could wreak untold social and environmental havoc.
Fortunately, hackers had breached “a limited component of the digital systems,” according to the news release issued last month by Durham Region, the municipality abutting Toronto’s eastern border.
Durham says it has averted worst-case scenarios by containing the breach, but questions remain about the nature of the incident and, more broadly, how prepared Canadian water utilities are for the sudden barrage of cyberattacks now striking the industry worldwide.
“The threat is real, and they need to take it seriously,” Sami Khoury, Canada’s senior official for cybersecurity, said in an interview.
While ransomware attacks – in which targets are asked to pay money to access their own files – have become commonplace in corporate and government sectors, threats against the water sector have a more malicious element.
In 2021, hackers took control of a water treatment plant in Oldsmar, Fla., briefly adjusting the sodium hydroxide to toxic levels before a vigilant employee intervened.
Last year, an Iran-backed group hacked into the Municipal Water Authority of Aliquippa, which handles water and waste water for about 22,000 people in western Pennsylvania, and shut down an Israel-made device that remotely regulates water pressure.
In January of this year, tens of thousands of litres of water spilled from a water tower in Muleshoe, Tex., before authorities could stop it. A group called the Cyber Army of Russia Reborn later posted a video on the Telegram messaging platform outlining how they had hacked the water system and threatened further incursions.
Attacks against water utilities reached such heights that the White House and the Environmental Protection Agency issued a dire warning in March.
“Disabling cyberattacks are striking water and waste-water systems throughout the United States,” national-security adviser Jake Sullivan and EPA administrator Michael Regan wrote in a letter to state governors. “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
The letter identified Iran’s Islamic Revolutionary Guard Corps and a China-sponsored group called Volt Typhoon as primary culprits. Security agencies in Canada, the U.S. and Europe followed up with a joint directive calling on water utilities to harden security against Russia-aligned hackers.
“We have not seen the same volume of cyberincidents in Canada as the U.S., but that’s no reason for us to be complacent,” said Mr. Khoury, the cybersecurity czar.
In Canada, water providers fall under a broad national-security banner called critical infrastructure. But unlike other industries in that category – such as energy, banking and telecommunications – water utilities are not federally regulated.
In the absence of regulation and sufficient funding, many municipal water systems forgo adequate cybersecurity measures.
“These water facilities fail to implement security controls because they don’t want to spend the budget,” said Diego Ramirez, manager of cyberintelligence at Stratejm, a Mississauga-based cybersecurity company. “But, trust me, after they have a security incident, they will find a budget for protecting digital assets.”
Cyberattacks on infrastructure often target what’s called operational technology, the term for all hardware and software involved in controlling industrial equipment. OT can be used to open and close the spillways on dams, for instance, or adjust chlorination levels of water.
OT was once considered relatively immune from cyberthreats because it was isolated from public networks. These days, water technicians rely on remote sensors and controls to manage plants that serve anywhere from single trailer parks to millions of people.
“This dependence on remote is a good and a bad thing,” said Matthew Sider, an automation specialist who co-chairs the B.C. Water and Waste Association’s OT committee. “We’re relying more on technology, but we’re opening doors for threats to get in. That’s why we’re in the spot we’re in.”
What’s more, OT doesn’t benefit from the same volume of security patches and updates as even desktop computers or smartphones.
“That’s the difficulty with critical infrastructure. Many of these systems are older, and it’s a lot more difficult to update them,” said Alexander Rudolph, a Canadian Global Affairs Institute fellow who studies cyberdefence policy.
The solutions don’t have to be expensive, or all that creative. The Aliquippa investigation found that employees may have failed to change a key password from the default, “1111.”
Canada is making preparations, just not as quickly as the U.S. “Compared to other countries, and the easiest comparison is the U.S., I’d say Canada is quite a bit behind,” Mr. Rudolph said.
Last week, the Canadian Centre for Cyber Security released a series of guidelines for critical infrastructure that includes changing default passwords, isolating OT networks and training employees in basic cybersecurity.
The Canadian Water and Wastewater Association is planning a major cybersecurity training event next year.
“Everybody has seen the news, everybody knows the threat is real,” said Robert Haller, the association’s executive director. “Until now, it’s been a financial threat with ransomware. What we need to look at more is the threat from those who want to do damage to our health or the economy by sabotaging our systems.”