A new report from the Canadian Centre for Cyber Security warns state-sponsored actors are likely developing the ability to launch cyberattacks against the country’s infrastructure and that hacked systems presents the most pressing threat to Canadians’ physical health.
The report, which is called the “National Cyber Threat Assessment 2020,” states that “(s)tate-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals.”
The report states the fusion of information technology (IT) with operational technology (OT), which it defines as “a broad term that refers to technology used to control physical processes such as dam openings, boiler activities, electricity conduction, and pipeline operations,” creates new vulnerabilities.
Exposing utilities, like water systems of the power grid, to the internet could make it accessible to attacks.
“The most pressing threats to the physical safety of Canadians are to OT and critical infrastructure,” it states.
Tom Keenan, a computer systems professor at the University of Calgary, said that risk extends to the whole of the country.
“I think it’s a 100 per cent likely that bad guys somewhere in the world are looking at critical infrastructure in Saskatchewan,” he said, speaking over Zoom from Calgary.
“We know this because they look at everything.”
The report identifies Russia, Iran, North Korea and China as the likely suspects to commit an attack and also notes the likelihood of one occurring is low.
Keenan concurs but says Canadians and Canada’s companies must prepare regardless.
“Your lights go off, your freezer doesn’t freeze anymore, it’s the middle of the winter and you can’t pump any gas at the gas station, if you shut down the power grid, the potential is there to bring your country to its knees in a couple of hours.”
He added that Canada’s ongoing diplomatic spat over China’s detention of Canadian citizens Michael Kovrig and Michael Spavor – an apparent act of retaliation for Canada arresting a high-profile Chinese national on a U.S. extradition warrant – could worsen and become the inciting incident for a cyber attack.
“What the (Communications Security Establishment, the body that oversees the cybersecurity centre) is suggesting in their report, if things got sufficiently worse, this might be one of the things that could be used as a lever against the country,” he said.
The anonymity of a cyberattack makes it appealing for states, he added.
“It’s just another weapon and it’s a good weapon to use in some ways because it’s often hard to prove who did it.”
When asked by Global News, spokespeople for SaskTel, SaskWater, SaskPower and SaskEnergy all said their systems are secure — but did not answer a question about whether they had experienced a cyberattack.
Keenan said they should be prepared for one and noting previous hacks in the international arena.
He need not look so far away. Sask PolyTech was hacked at the start of November.
He said Canadian cybersecurity requires stringent defence, national coordination and for the integration of IT and OT to be done properly, not cheaply.
“This common, off-the-shelf technology (used to make infrastructure accessible to the internet) that we’re talking about, it’s based on Eunix and other operating systems that lots of people know about, so there’s a security risk.”